The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-10-02T14:09:50Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41978
QR code in bridge cards should use a pointer on hover
2023-10-02T14:09:50Z
donuts
When hovering, bridge card QR codes may be displayed at a larger size in a dialog on click. Since this is a link, it should use the pointer instead of regular cursor on hover.
donuts

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41895
flip RFP's prefers-color-scheme to dark
2023-11-01T23:10:07Z
Thorin
RFP reduces this binary metric to useless (in our Tor Browser set of users) by always returning `light`. We can achieve the same FPing protection by always returning `dark`.
This is, IMO, not technically an accessibility issue, as the CSS standard is arbitrary, not universal - i.e. only a few websites (but arguably large popular websites) implement it. That said, I am not an accessibility expert, or knowledgeable about or experienced with light hurting eyes and creating migraines etc. I will say I've never heard of anyone claiming dark sites did the same (but of course the default is light and we enforce light)
In ESR115 as a major milestone, we could change test always returning `dark`. My logic for this is
- entropy is not affected
- accessibility _may_ be helped
- I strongly believe accessibility re colors is best served under existing/upcoming standards that are universal (which we could preset/harden)
- there are degrees of usefulness, and accessibility advocates indicate that this helps (maybe they're lying just to advocate their preference, but I'm inclined to agree that it can't hurt and would likely help)
We currently get RFP users (and tom will confirm), who complain about the _same few_ RFP items: it's _always_ timezone, prefers-color-scheme, and now timing (60FPS). It is my belief that no matter what we do, people will complain, but by returning `dark`, users' complaints are no longer anywhere near the validity of e.g. saying it causes migraines - in fact users who complain they get dark themed sites are just aesthetics (unless someone can prove dark themes are an accessibility problem)
In other words - flipping to dark cannot hurt fingerprinting, and can/would help usability
Class, discuss! cc @donuts

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41894
tor signal reload -> no more connections possible
2023-07-20T15:44:06Z
Yeti
### Summary
After reloading TOR configuration by sending signal RELOAD (HUP) to control port no further connections are possible.
### Steps to reproduce:
1. Connect to Torbrowser/Tor control port (usually 9051), authenticate using a configured authentication method, and send the "signal reload" command. This is needed for example to (temporarily) set a new exit node or exit country for a new browser tab without closing all other tabs and restarting Torbrowser.
2. Try to reload the current page or open a new one.
### What is the current bug behavior?
Error "The proxy server is refusing connections". No more browsing is possible.
### What is the expected behavior?
The page navigation should continue working, but with the new Tor config.
### Environment
Windows 10
Torbrowser 12.5.1
Yeti

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/128
Modern firewall-penetration protocols for Tor in China
2023-08-11T09:50:26Z
computerscot
Reports on https://github.com/net4people/bbs/issues and https://forum.torproject.org say that both obfs4 and snowflake are blocked by the GFW. There are also doubts about whether the new WebTunnel pluggable transport will work. The GFW detects and blocks WebSocket-based proxies.
This is a proof-of-concept for more modern firewall-penetration protocols.
To test these protocols in action, set up an Xray server and client using the latest techniques, for example, https://cscot.pages.dev/2023/07/02/xray-reality-h2. If you follow the sample configuration in that article, you will have a SOCKS5 proxy listening on port `10808` on your client.
Download and install the Tor Browser from https://www.torproject.org.
When you run the Tor Browser for the first time, click **Configure Connection**.
Scroll down and click the **Settings** button at the bottom to configure how you connect to the internet. Check **I use a proxy to connect to the Internet**. The type is **SOCKS5**, the address is `127.0.0.1`, and the port is `10808`. Click **OK**.
I have found it more reliable to click **Select a Built-In Bridge**. This should not be necessary, since the Xray server is already outside the GFW. Perhaps it helps because built-in bridges are faster than random entry nodes. Select **obfs4**. Click **Connect**.
Now you can test your connection by trying to reach a Tor-only site.
BBC News in simplified Chinese:
```
https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion/zhongwen/simp
```
DW News in simplified Chinese:
```
https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/zh/?zhongwen=simp
```
New York Times in simplified Chinese:
```
https://cn.nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion
```
![dw-onion-simplified-chinese](/uploads/37794d56098885a7979eb2230e140737/dw-onion-simplified-chinese.png)
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/200
Build system installer for Mullvad Browser on Windows
2024-03-26T16:07:58Z
richard
Currently Mullvad Browser inherits Tor Browser's portable-only installer on Windows. We should either:
1. Add support to existing installer to support portable OR system `%PROGRAMFILES%` installs
2. Create a second installer which can install to a system location, separate from the portable installer
3. Update existing installer to be a classic system installer and instead ship portable as a zip archive
Some things to consider:
- System installation requires Admin/Elevation privileges on Windows. NSIS installers can be built such that the elevation prompt happens automatically on launch, but this will likely/possibly prevent portable installation on systems on which the user does not have admin access (such as in library/university/corporate terminals). I don't know if you can conditionally elevate in an NSIS installer based on install location.
- A second installer to counter the previous constraint would work, but could cause user confusion
- Providing a zip bundle may make it easier for downstream package maintainers if any were to appear (eg for [chocolatey](https://chocolatey.org/))

Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41870
Modern firewall-penetration protocols for Tor in China
2023-07-07T10:01:53Z
computerscot
Reports on https://github.com/net4people/bbs/issues and https://forum.torproject.org say that both obfs4 and snowflake are blocked by the GFW. There are also doubts about whether the new WebTunnel pluggable transport will work. The GFW detects and blocks WebSocket-based proxies.
This is a proof-of-concept for more modern firewall-penetration protocols.
To test these protocols in action, set up an Xray server and client using the latest techniques, for example, https://cscot.pages.dev/2023/07/02/xray-reality-h2. If you follow the sample configuration in that article, you will have a SOCKS5 proxy listening on port `10808` on your client.
Download and install the Tor Browser from https://www.torproject.org.
When you run the Tor Browser for the first time, click **Configure Connection**.
Scroll down and click the **Settings** button at the bottom to configure how you connect to the internet. Check **I use a proxy to connect to the Internet**. The type is **SOCKS5**, the address is `127.0.0.1`, and the port is `10808`. Click **OK**.
I have found it more reliable to click **Select a Built-In Bridge**. This should not be necessary, since the Xray server is already outside the GFW. Perhaps it helps because built-in bridges are faster than random entry nodes. Select **obfs4**. Click **Connect**.
Now you can test your connection by trying to reach a Tor-only site.
BBC News in simplified Chinese:
```
https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion/zhongwen/simp
```
DW News in simplified Chinese:
```
https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/zh/?zhongwen=simp
```
New York Times in simplified Chinese:
```
https://cn.nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion
```
![dw-onion-simplified-chinese](/uploads/c696b775dc1f976880b42e8100342f54/dw-onion-simplified-chinese.png)
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/156
add support for webtunnel bridges
2024-02-12T12:46:44Z
meskio meskio@torproject.org
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40883
Verification issues with the new Windows code signing certificate
2023-08-17T21:35:26Z
cypherpunks1
The new certificate cannot be verified on two systems that I tried it on.
A comparison of the 12.0.4 and 12.5a7 installers:
![cert](/uploads/eceecebe2d7a455900271857d7484f25/cert.png)
cypherpunks1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41829
Error after run make build, trying to build tor browser from source
2023-07-06T18:15:47Z
waterglass
I am trying to build tor browser from source according to the wiki. I get the following error when I run `make build`.
```
./build.sh /home/$USER/tor-browser/tools/torbrowser/../..
0:00.37 Clobber not needed.
Config object not found by mach.
0:00.46 Using Python 3.10.6 from /home/$USER/tor-browser/obj-x86_64-pc-linux-gnu/_virtualenvs/build/bin/python
0:00.46 Adding configure options from /home/$USER/tor-browser/mozconfig
0:00.46 --enable-application=browser
0:00.46 --enable-official-branding
0:00.46 --enable-optimize
0:00.47 --enable-rust-simd
0:00.47 --enable-verify-mar
0:00.47 --enable-nss-mar
0:00.47 --enable-base-browser-update
0:00.47 --enable-bundled-fonts
0:00.47 --disable-tests
0:00.47 --disable-debug
0:00.47 --disable-crashreporter
0:00.47 --disable-webrtc
0:00.47 --disable-parental-controls
0:00.47 --disable-eme
0:00.47 --enable-proxy-bypass-protection
0:00.47 --disable-system-policies
0:00.47 --disable-backgroundtasks
0:00.47 MOZ_TELEMETRY_REPORTING=
0:00.47 --without-wasm-sandboxed-libraries
0:00.47 --with-relative-data-dir=TorBrowser/Data/Browser
0:00.47 --with-distribution-id=org.torproject
0:00.47 --with-branding=browser/branding/tb-nightly
0:00.47 --enable-default-toolkit=cairo-gtk3
0:00.47 --disable-strip
0:00.47 --disable-install-strip
0:00.47 --with-base-browser-version=dev-build
0:00.47 --disable-base-browser-update
0:00.47 --enable-artifact-builds
0:00.47 MOZILLA_OFFICIAL=
0:00.47 checking for vcs source checkout... git
0:00.58 checking for a shell... /usr/bin/sh
0:00.60 checking for host system type... x86_64-pc-linux-gnu
0:00.60 checking for target system type... x86_64-pc-linux-gnu
0:00.66 checking whether cross compiling... no
0:00.71 Traceback (most recent call last):
0:00.71 File "/home/$USER/tor-browser/configure.py", line 349, in <module>
0:00.71 sys.exit(main(sys.argv))
0:00.71 File "/home/$USER/tor-browser/configure.py", line 131, in main
0:00.71 sandbox.run(os.path.join(os.path.dirname(__file__), "moz.configure"))
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/configure/__init__.py", line 516, in run
0:00.71 self._value_for(option)
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/configure/__init__.py", line 621, in _value_for
0:00.71 return self._value_for_option(obj)
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/util.py", line 1061, in method_call
0:00.71 cache[args] = self.func(instance, *args)
0:00.71 File "/home/$USER/tor-browser/python/mozbuild/mozbuild/configure/__init__.py", line 688, in _value_for_option
0:00.71 raise InvalidOptionError(
0:00.71 mozbuild.configure.options.InvalidOptionError: --enable-optimize is not available in this configuration
*** Fix above errors and then restart with "./mach build"
make: *** [Makefile:26: build] Error 1
```
waterglass

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41817
Add more color aliases that take dark mode into account
2023-09-19T03:31:18Z
Pier Angelo Vendrame
We should add a few new aliases for our colors, e.g., `--purple-60` and `--purple-30`, to remove more media queries.
They're needed for example in the preferences (see https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/660#note_2909188).
We already do it for `--tor-branding-color`, but it's tied to the release channel.
henry

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41811
Connect buttons in bridge modals should be purple
2024-01-30T22:03:42Z
donuts
`Connect` buttons are always purple in our UI, however all other confirmation buttons (e.g. "OK" and "Save") should remain the primary theme color.
See this Figma file for reference: [Figma link](https://www.figma.com/file/RS584DcR4emXrw1F8g3l5x/Tor-Browser-12.5?type=design&node-id=62%3A10116&t=BJbn9R4EgNRt9Tq3-1)
henry

https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40155
Lower advertised bandwidth/consensus weight on relays with "higher latency"
2023-07-03T13:14:12Z
Neel Chauhan neel@neelc.org
I run four middle relays on a CenturyLink Gigabit connection in Seattle, WA: https://metrics.torproject.org/rs.html#search/neeltorrelay
I noticed that the consensus weight is lower if the latency is generally higher, with four instances on a connection I get ~25 MB/s (~200 Mbps). "higher latency" means generally higher latency from most of the other relays, namely relays in Europe.
I can get around this temporarily by pushing large file downloads between my relay instances, with two client instances and relays closer to my area (namely Emerald Onion, Telus, and Ziply Fiber). Right now the advertised bandwidth/consensus weight is lower than it could be.
For a while it seemed fixed, but it came back for some reason.
juga

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41177
fix billing for joker.com domain names
2024-02-20T16:22:07Z
anarcat
It seems like our domain names have always been manually renewed, and then sent as expenses to be reimbursed to accounting. we recently realized this as we noticed `tor.network` was expiring. the domain was hosted outside of our normal joker.com account and has since been migrated there (#41148). we were mistakenly thinking this would solve the renewal issue, but we actually realized instead that none of our domains are actually configured to be automatically renewed and billed to accounting.
in #41148, have credited the joker.com account by 100$USD, without realizing that is actually problematic for accounting. @sue wants to figure out another way to pay for those domains, and this ticket aims at cleaning that up and regularizing the domain billing at Tor.
note that all domains are marked for autorenewal and `tor.network` *has* been renewed, so there is no more an ~Emergency for this, but it would still be nice to regularize billing.
/cc @susan
anarcat
2024-04-07

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41158
GSOC alias not working so well
2023-05-23T14:59:46Z
Gaba gaba@torproject.org
It seems that some people are not getting the mails we send to gsoc at torproject dot org. Can you check who is there please?
We should have nick, diziet, raya, donuts, geko, juga, hiro, al and me.
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41148
renew and transfer tor.network
2023-05-17T17:57:25Z
anarcat
/cc @arma
anarcat
2023-05-25

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41742
Enable IPv6 client by default
2024-02-19T17:38:26Z
agowa338
Currently, the Tor Browser bundle does not enable IPv6 for connections to entry or guard nodes. This causes the tor browser to get stuck in the "Establishing a Connection" screen while claiming that internet connectivity is properly available within the settings page in IPv6-only networks with DNS64 and NAT64.
![image](/uploads/ef2fe02a28186213ecd26477fb9c1e00/image.png)
![image](/uploads/5d87348c1dc28e682742a1e416795e70/image.png)
Log:
```
2023-04-23 11:57:14.691 [NOTICE] New control connection opened from 127.0.0.1.
2023-04-23 11:57:14.691 [NOTICE] New control connection opened from 127.0.0.1.
2023-04-23 11:57:14.706 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2023-04-23 11:57:18.065 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2023-04-23 11:57:18.065 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
2023-04-23 11:57:18.072 [NOTICE] Renaming old configuration file to "D:\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.orig.1"
2023-04-23 11:57:47.906 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
2023-04-23 11:58:21.158 [NOTICE] New control connection opened from 127.0.0.1.
```
Possible solutions:
1. Add `ClientUseIPv6 1` and `ClientPreferIPv6ORPort 1` to the torrc-defaults. As this only influences us using IPv6 for the connection to the entry node, and we're expecting to be on a monitored network already. It doesn't change anything. As establishing a connection with our IPv6 address is the same as someone logging all NAT44 transitions (or not having any NAT, as in, e.g., university networks) is the same threat vector. So changing this default is probably the best and easiest solution. (Also, as a side effect, it improves the performance of the tor client in CG-NAT scenarios)
2. Do #1, but not "just" within the Tor Browser (bundle) but within the tor client itself.
3. Do #1 but only as a fallback when IPv4 fails after user confirmation. I don't see why that would be preferred, but it would also improve the current situation where the tor client gets stuck without any message, and users don't know what to do. Or them assuming Tor is blocked on the network and (try to) requesting bridges where it is neither necessarily helpful nor necessary.
4. Another flavor of #3, add a distinct warning/error message when no IPv4 connectivity is possible and also add a configuration option within Tor Browser to enable IPv6 connectivity. I again don't see why this would be preferred over enabling the client to use IPv6, but ymmv.
5. Detect the presence of NAT64 using a DNS lookup of `ipv4only.arpa` and even if clientUseIPv6 is disabled use IPv6 but only to communicate with IPv4 endpoints. I consider this the worst solution, but I want to mention it, as it is still better than the status quo.
My preferred solutions are #1 and #2, as it is the simplest one to implement.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41132
Unable to send Nextcloud Calendar Invitations
2023-05-04T19:09:38Z
tyler
Hi there!
I am unable to send calendar invites from Nextcloud calendar events. I've had this problem before, but only when trying to send calendar invites from Isabela's personal NC Calendar. I haven't had this problem when trying to send calendar invitations created on my personal NC calendar.
Tyler
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41123
get a stable TLS private key for https://bridges.torproject.org/
2023-10-05T12:59:08Z
meskio meskio@torproject.org
We are considering pinning the https://bridges.torproject.org/ TLS private key in Tor Browser. Could that key be configured to not rotate frequently and only rotate the Let's Encrypt certificate generated for it?
anarcat

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/156
For some website, i-dont-care-about-cookies.eu seems more efficient to block cookie banners
2023-08-26T05:59:58Z
ruihildt
Maybe we can consider adding this list too?
URL: https://www.i-dont-care-about-cookies.eu/abp/
ruihildt

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/151
WebRTC leaks UDP traffic outside socks5 proxy
2024-02-21T13:20:46Z
ruihildt
- Connect to a socks5 proxy on port 1080 in your LAN that uses a different IP than your computer
- Create a room on meet.mullvad.net jitsi instance
- tcpdump on interface connected to internet and filter out port 1080
- observe UDP traffic to the remote jitsi meet peer
So this is not specific to Mullvad Browser, so not sure how/if we need to deal with it.
ma1