The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-03-26T16:07:58Z

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/200
Build system installer for Mullvad Browser on Windows
2024-03-26T16:07:58Z
richard

Currently Mullvad Browser inherits Tor Browser's portable-only installer on Windows. We should either:
1. Add support to existing installer to support portable OR system `%PROGRAMFILES%` installs
2. Create a second installer which can install to a system location, separate from the portable installer
3. Update existing installer to be a classic system installer and instead ship portable as a zip archive
Some things to consider:
- System installation requires Admin/Elevation privileges on Windows. NSIS installers can be built such that the elevation prompt happens automatically on launch, but this will likely/possibly prevent portable installation on systems which the user does not have admin access (such as in library/university/corporate terminals). I don't know if you can conditionally elevate in an NSIS installer based on install location.
- A second installer to counter the previous constraint would work, but could cause user confusion
- Providing a zip bundle may make it easier for downstream package maintainers if any were to appear (eg for [chocolatey](https://chocolatey.org/))
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41870
Modern firewall-penetration protocols for Tor in China
2023-07-07T10:01:53Z
computerscot

Reports on https://github.com/net4people/bbs/issues and https://forum.torproject.org say that both obfs4 and snowflake are blocked by the GFW. There are also doubts about whether the new WebTunnel pluggable transport will work. The GFW detects and blocks WebSocket-based proxies.
This is a proof-of-concept for more modern firewall-penetration protocols.
To test these protocols in action, set up an Xray server and client using the latest techniques, for example, https://cscot.pages.dev/2023/07/02/xray-reality-h2. If you follow the sample configuration in that article, you will have a SOCKS5 proxy listening on port `10808` on your client.
Download and install the Tor Browser from https://www.torproject.org.
When you run the Tor Browser for the first time, click **Configure Connection**.
Scroll down and click the **Settings** button at the bottom to configure how you connect to the internet. Check **I use a proxy to connect to the Internet**. The type is **SOCKS5**, the address is `127.0.0.1`, and the port is `10808`. Click **OK**.
I have found it more reliable to click **Select a Built-In Bridge**. This should not be necessary, since the Xray server is already outside the GFW. Perhaps it helps because built-in bridges are faster than random entry nodes. Select **obfs4**. Click **Connect**.
Now you can test your connection by trying to reach a Tor-only site.
BBC News in simplified Chinese:
```
https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion/zhongwen/simp
```
DW News in simplified Chinese:
```
https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/zh/?zhongwen=simp
```
New York Times in simplified Chinese:
```
https://cn.nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion
```
![dw-onion-simplified-chinese](/uploads/c696b775dc1f976880b42e8100342f54/dw-onion-simplified-chinese.png)
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/156
add support for webtunnel bridges
2024-02-12T12:46:44Z
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40883
Verification issues with the new Windows code signing certificate
2023-08-17T21:35:26Z
cypherpunks1

The new certificate cannot be verified on two systems that I tried it on.
A comparison of the 12.0.4 and 12.5a7 installers:
![cert](/uploads/eceecebe2d7a455900271857d7484f25/cert.png)
cypherpunks1

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41222
Is the web ui disabled for our VictoriaMetrics version?
2023-06-13T12:37:36Z
Hiro

I see the web ui for VictoriaMetrics at https://metrics-db.torproject.org/vmui/ is returning a 404.
@gk
Sponsor 112 : Combating Malicious Relays
Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41829
Error after run make build, trying to build tor browser from source
2023-07-06T18:15:47Z
waterglass

I am trying to build tor browser from source according to the wiki. I get the following error when I run `make build`.
```
./build.sh /home/$USER/tor-browser/tools/torbrowser/../..
0:00.37 Clobber not needed.
Config object not found by mach.
0:00.46 Using Python 3.10.6 from /home/$USER/tor-browser/obj-x86_64-pc-linux-gnu/_virtualenvs/build/bin/python
0:00.46 Adding configure options from /home/$USER/tor-browser/mozconfig
0:00.46 --enable-application=browser
0:00.46 --enable-official-branding
0:00.46 --enable-optimize
0:00.47 --enable-rust-simd
0:00.47 --enable-verify-mar
0:00.47 --enable-nss-mar
0:00.47 --enable-base-browser-update
0:00.47 --enable-bundled-fonts
0:00.47 --disable-tests
0:00.47 --disable-debug
0:00.47 --disable-crashreporter
0:00.47 --disable-webrtc
0:00.47 --disable-parental-controls
0:00.47 --disable-eme
0:00.47 --enable-proxy-bypass-protection
0:00.47 --disable-system-policies
0:00.47 --disable-backgroundtasks
0:00.47 MOZ_TELEMETRY_REPORTING=
0:00.47 --without-wasm-sandboxed-libraries
0:00.47 --with-relative-data-dir=TorBrowser/Data/Browser
0:00.47 --with-distribution-id=org.torproject
0:00.47 --with-branding=browser/branding/tb-nightly
0:00.47 --enable-default-toolkit=cairo-gtk3
0:00.47 --disable-strip
0:00.47 --disable-install-strip
0:00.47 --with-base-browser-version=dev-build
0:00.47 --disable-base-browser-update
0:00.47 --enable-artifact-builds
0:00.47 MOZILLA_OFFICIAL=
0:00.47 checking for vcs source checkout... git
0:00.58 checking for a shell... /usr/bin/sh
0:00.60 checking for host system type... x86_64-pc-linux-gnu
0:00.60 checking for target system type... x86_64-pc-linux-gnu
0:00.66 checking whether cross compiling... no
0:00.71 Traceback (most recent call last):
0:00.71 File "/home/$USER/tor-browser/configure.py", line 349, in <module>
0:00.71 sys.exit(main(sys.argv))
0:00.71 File "/home/$USER/tor-browser/configure.py", line 131, in main
0:00.71 sandbox.run(os.path.join(os.path.dirname(__file__), "moz.configure"))
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/configure/__init__.py", line 516, in run
0:00.71 self._value_for(option)
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/configure/__init__.py", line 621, in _value_for
0:00.71 return self._value_for_option(obj)
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/util.py", line 1061, in method_call
0:00.71 cache[args] = self.func(instance, *args)
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/configure/__init__.py", line 688, in _value_for_option
0:00.71 raise InvalidOptionError(
0:00.71 mozbuild.configure.options.InvalidOptionError: --enable-optimize is not available in this configuration
*** Fix above errors and then restart with "./mach build"
make: *** [Makefile:26: build] Error 1
```
waterglass

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41817
Add more color aliases that take dark mode into account
2023-09-19T03:31:18Z
Pier Angelo Vendrame

We should add a few new aliases for our colors, e.g., `--purple-60` and `--purple-30`, to remove more media queries.
They're needed for example in the preferences (see https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/660#note_2909188).
We already do it for `--tor-branding-color`, but it's tied to the release channel.
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41811
Connect buttons in bridge modals should be purple
2024-01-30T22:03:42Z
donuts

`Connect` buttons are always purple in our UI, however all other confirmation buttons (e.g. "OK" and "Save") should remain the primary theme color.
See this Figma file for reference: [Figma link](https://www.figma.com/file/RS584DcR4emXrw1F8g3l5x/Tor-Browser-12.5?type=design&node-id=62%3A10116&t=BJbn9R4EgNRt9Tq3-1)
henry

https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40155
Lower advertised bandwidth/consensus weight on relays with "higher latency"
2023-07-03T13:14:12Z
Neel Chauhan neel@neelc.org

I run four middle relays on a CenturyLink Gigabit connection in Seattle, WA: https://metrics.torproject.org/rs.html#search/neeltorrelay
I noticed that the consensus weight is lower if the latency is generally higher, with four instances on a connection I get ~25 MB/s (~200 Mbps). "higher latency" means generally higher latency from most of the other relays, namely relays in Europe.
I can get around this temporally by pushing large file downloads between my relay instances, with two client instances and relays closer to my area (namely Emerald Onion, Telus, and Ziply Fiber). Right now the advertised bandwidth/consensus weight is lower than it could be.
For a while it seemed fixed, but it came back for some reason.
juga

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41177
fix billing for joker.com domain names
2024-02-20T16:22:07Z
anarcat

It seems like our domain names have always been manually renewed, and then sent as expenses to be reimbursed to accounting. we recently realized this as we noticed `tor.network` was expiring. the domain was hosted outside of our normal joker.com account and has since been migrated there (#41148). we were mistakenly thinking this would solve the renewal issue, but we actually realized instead that none of our domains are actually configured to be automatically renewed and billed to accounting.
in #41148, have credited the joker.com account by 100$USD, without realizing that is actually problematic for accounting. @sue wants to figure out another way to pay for those domains, and this ticket aims at cleaning that up and regularizing the domain billing at Tor.
note that all domains are marked for autorenewal and `tor.network` *has* been renewed, so there is no more an ~Emergency for this, but it would still be nice to regularize billing.
/cc @susan
anarcat
2024-04-07

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41158
GSOC alias not working so well
2023-05-23T14:59:46Z
Gaba gaba@torproject.org

It seems that some people are not getting the mails we send to gsoc at torproject dot org. Can you check who is there please?
We should have nick, diziet, raya, donuts, geko, juga, hiro, al and me.
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41148
renew and transfer tor.network
2023-05-17T17:57:25Z
anarcat

/cc @arma
anarcat
2023-05-25

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41742
Enable IPv6 client by default
2024-02-19T17:38:26Z
agowa338

Currently, the Tor Browser bundle does not enable IPv6 for connections to entry or guard nodes. This causes the tor browser to get stuck in the "Establishing a Connection" screen while claiming that internet connectivity is properly available within the settings page in IPv6-only networks with DNS64 and NAT64.
![image](/uploads/ef2fe02a28186213ecd26477fb9c1e00/image.png)
![image](/uploads/5d87348c1dc28e682742a1e416795e70/image.png)
Log:
```
2023-04-23 11:57:14.691 [NOTICE] New control connection opened from 127.0.0.1.
2023-04-23 11:57:14.691 [NOTICE] New control connection opened from 127.0.0.1.
2023-04-23 11:57:14.706 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2023-04-23 11:57:18.065 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2023-04-23 11:57:18.065 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
2023-04-23 11:57:18.072 [NOTICE] Renaming old configuration file to "D:\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.orig.1"
2023-04-23 11:57:47.906 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
2023-04-23 11:58:21.158 [NOTICE] New control connection opened from 127.0.0.1.
```
Possible solutions:
1. Add `ClientUseIPv6 1` and `ClientPreferIPv6ORPort 1` to the torrc-defaults. As this only influences us using IPv6 for the connection to the entry node, and we're expecting to be on a monitored network already. It doesn't change anything. As establishing a connection with our IPv6 address is the same as someone logging all NAT44 transitions (or not having any NAT, as in, e.g., university networks) is the same threat vector. So changing this default is probably the best and easiest solution. (Also, as a side effect, it improves the performance of the tor client in CG-NAT scenarios)
2. Do #1, but not "just" within the Tor Browser (bundle) but within the tor client itself.
3. Do #1 but only as a fallback when IPv4 fails after user confirmation. I don't see why that would be preferred, but it would also improve the current situation where the tor client gets stuck without any message, and users don't know what to do. Or them assuming Tor is blocked on the network and (try to) requesting bridges where it is neither necessarily helpful nor necessary.
4. Another flavor of #3, add a distinct warning/error message when no IPv4 connectivity is possible and also add a configuration option within Tor Browser to enable IPv6 connectivity. I again don't see why this would be preferred over enabling the client to use IPv6, but ymmv.
5. Detect the presence of NAT64 using a DNS lookup of `ipv4only.arpa` and even if clientUseIPv6 is disabled use IPv6 but only to communicate with IPv4 endpoints. I consider this the worst solution, but I want to mention it, as it is still better than the status quo.
My preferred solutions are #1 and #2, as it is the simplest one to implement.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41132
Unable to send Nextcloud Calendar Invitations
2023-05-04T19:09:38Z
tyler

Hi there!
I am unable to send calendar invites from Nextcloud calendar events. I've had this problem before, but only when trying to send calendar invites from Isabela's personal NC Calendar. I haven't had this problem when trying to send calendar invitations created on my personal NC calendar.
Tyler
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41123
get a stable TLS private key for https://bridges.torproject.org/
2023-10-05T12:59:08Z
meskio meskio@torproject.org

We are considering pinning the https://bridges.torproject.org/ TLS private key in Tor Browser. Could that key be configured to not rotate frequently and only rotate the Let's Encrypt certificate generated for it?
anarcat

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/156
For some website, i-dont-care-about-cookies.eu seems more efficient to block cookie banners
2023-08-26T05:59:58Z
ruihildt

Maybe we can consider adding this list too?
URL: https://www.i-dont-care-about-cookies.eu/abp/
ruihildt

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/151
WebRTC leaks UDP traffic outside socks5 proxy
2024-02-21T13:20:46Z
ruihildt

- Connect to a socks5 proxy on port 1080 in your LAN that uses a different IP than your computer
- Create a room on meet.mullvad.net jitsi instance
- tcpdump on interface connected to internet and filter out port 1080
- observe UDP traffic to the remote jitsi meet peer
So this is not specific to Mullvad Browser, so not sure how/if we need to deal with it.
ma1

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/145
Submit Feedback link in About Mullvad Browser links to connect.mozilla.org
2023-03-28T09:20:32Z
richard

From the About Mullvad Dialog, the Submit Feedback link goes to https://connect.mozilla.org . Presumably this should go to some Mullvad endpoint, or we should remove the link entirely.
ruihildt

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41697
issue 41598, "Prevent NoScript from being removed / disabled " is not working the way you are expecting.
2023-03-28T15:55:21Z
cypherpunks

version 12.0.4 added "Prevent NoScript from being removed / disabled until core functionality has been migrated to Tor Browser" but at least in my tor browser the NoScript add-on stays `disabled`. This is a good thing because add-ons which intercept/block traffic can block each other.
Let's just keep this. If you are going to enable this again without my consent I am going to use Tor with Google Chromium anyway.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/81
Snowflake is Off / WebRTC feature is not detected.
2023-04-23T10:27:21Z
cypherpunks

I've just installed Snowflake via Chrome and it's not working. Can you confirm the process has been followed correctly? What have I done wrong - or not done at all? Thanks.