The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2020-06-27T14:39:51Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17900
Developer ID and Gatekeeper - Apple Developer
2020-06-27T14:39:51Z
cypherpunks

Tor Browser should start to be signed using Developer ID. It can't and mustn't be assumed that users of OS X understand digital signatures or that users bear understanding or permission to begin authenticating Tor Browser using tools from third parties on their local computer or other computers. Standard users on OS X in particular can't do this. It also doesn't cater for Standard users unable to install Tor Browser because of a local Administrator blocking it as it's unsigned or Gatekeeper blocking it.
Tor Browser for Windows is signed using a product from DigiCert. It's inconsistent not to start doing it for OS X too and it's not difficult to get a Developer ID from Apple.
It also helps stop users starting habitual behaviors of using unsigned products and helps strengthen Tor Browser against third parties distributing it as it might be unsafe. Onion Browser for iOS has this problem despite it being on App Store and The Pirate Bay did it using a customized Tor Browser and naming it PirateBrowser.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/17899
Mystery Buttons Appear in Trac Create New Ticket Page
2020-06-27T14:19:38Z
Trac

Steps to reproduce:
Log into https://trac.torproject.org
Visit: https://trac.torproject.org/projects/tor/newticket
See mystery squares next to "wysiwyg" radio button. Example attached.
**Trac**:
**Username**: huertanix
Jens Kubieziel

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17898
Disable Firefox' new Tracking Protection in ESR 45
2023-01-17T10:15:20Z
cypherpunks

Firefox's new Tracking Protection includes 2 lists, 1 basic and 1 strict list with the basic enabled by default in private browsing (the mode TBB uses by default).
How will this need to be configured in Firefox 45 ESR when it lands?
There's a config value that can also be toggled so protection works even without private browsing mode on for users that allow history on (= private browsing mode switched off)
Is there a way to link this in with the security slider (basic protection for lower levels and strict for high)?
Georg Koppen

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17897
Torbrowser Installer Hashes Fail to Compare.
2020-06-27T14:39:51Z
Trac

Hello to All:
The SHA-256 hashes published for the Windows installer (en-US) do not seem to successfully compare to those calculated locally or with VirusTotal.com
Example:
My VirusTotal.com submission:
https://www.virustotal.com/en/file/215c881d9feeda1168a0ff1d4df25189380b32591dee6e7fd933d8ed34d3fbdc/analysis/1450466585/
My MultiHasher v2.8.0.0 calculation:
215c881d9feeda1168a0ff1d4df25189380b32591dee6e7fd933d8ed34d3fbdc torbrowser-install-5.0.6_en-US.exe
versus:
https://dist.torproject.org/torbrowser/5.0.6/sha256sums.txt:
82f50e115c5a413dcaa1aea9ab5a2dde71a29388870db9b88f9e7fae75617857 torbrowser-install-5.0.6_en-US.exe
Please advise - Thank you.
**Trac**:
**Username**: onePW
Erinn Clark

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17895
Tor Browser Bundle installer subject to DLL hijacking
2022-01-11T19:32:37Z
Trac

torbrowser-install-5.0.4.exe is vulnerable to DLL hijacking.
Create, e.g. shfolder.dll with a malicious DLL main and observe it runs when the tor installer is executed from the same downloads folder.
http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/
**Trac**:
**Username**: ericlaw
boklm

https://gitlab.torproject.org/tpo/core/tor/-/issues/17893
Stop building and testing Tor twice when running distcheck
2020-06-27T13:59:55Z
cypherpunks

In commit 9f6b9e28ccfdc3a96fb6e28d5121539f3cba3c55 the steps for putting out a new Tor release changed from running `make check` to `make distcheck`. With this change there is no need for the dist rule in Makefile.am:76 anymore.
The rule causes Tor to be built and tested twice when `make distcheck` is called (once in the current build directory and other time in the temporary distcheck build directory). This is caused by the `distcheck` rule calling our `dist` rule which calls the internal `check` rule which triggers the `all` rule.
The removal would make the workflow of testing build configuration changes faster (especially on slower machines) by not having to wait on the first compilation and testing phase which is performed by distcheck anyway.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/tpo/core/tor/-/issues/17892
Make backtrace test verbose on failure
2020-06-27T13:59:55Z
cypherpunks

The backtrace test prints no useful information (it just prints "BAD") when it fails which makes it impossible to debug its logs.
Tor: 0.2.8.x-final
cypherpunks

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17891
Window classes change after update restart
2022-07-20T19:12:31Z
cypherpunks

When Tor Browser restarts after an update its window classes change from "Navigator" and "Tor Browser" to "Navigator" and "Firefox". I've found these differences with the xprop tool.
I use the i3 window manager and have it configured to make Tor Browser floating based on its window class. After the Tor Browser update restart its window was no longer floating.
The issue does not occur when Tor Browser restarts for a new identity.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/17890
Separate the meek bridge backing paid CDNs from the one we tell the general public to use
2020-06-27T13:44:16Z
David Fifield dcf@torproject.org

In source code and examples, we recommend https://meek.bamsoftware.com/ (port 443) for use by the general public. But that's also the backing bridge for meek-azure, and it's rate-limited to reduce costs.
We should split it into two bridges (e.g. running on different ports). Rate-limit the one behind the paid CDN, because that's the expensive one. Make the other one unlimited (if someone else is paying the CDN fees, they can use all the bandwidth they want).
This will enable more people to use the default meek-azure at the same speed, while enabling people who set up their own to go fast.
David Fifield dcf@torproject.org

https://gitlab.torproject.org/tpo/core/tor/-/issues/17889
Make ClientPreferIPv6ORPort apply to bridge clients
2020-06-27T13:59:56Z
teor

After legacy/trac#17840, clients that don't use bridges will select ORPorts using ClientPreferIPv6ORPort.
We could do this for bridges as well, by modifying the new function fascist_firewall_choose_address_base:
* use ClientPreferIPv6ORPort to choose a preferred address for bridge clients,
* but ignore the "preferred address only setting", so that bridge users always get an address if there is one available.
I don't want to do this as part of legacy/trac#17840, because I'm not sure if it's really necessary - bridges just seem to work ok as-is.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/tpo/core/tor/-/issues/17888
Fallback directories: consider disabling exit consensus weight reduction
2020-06-27T13:59:56Z
teor

Some exit operators[0] report their exits have light loads.
Perhaps we should disable, or reduce the severity of (50%?) the exit consensus weight reduction, particularly during the opt-in period.
[0]: https://lists.torproject.org/pipermail/tor-relays/2015-December/008365.html
Tor: 0.2.8.x-final

https://gitlab.torproject.org/tpo/core/tor/-/issues/17887
Let fallback script use day-old data
2020-06-27T13:59:56Z
teor

In legacy/trac#16907, Onionoo will be updated to return a 504 error when data is more than 6 hours old. karsten also notes that Onionoo was down for 10 hours doing backups.
If we're updating fallback directories for a release, we don't want to wait for Onionoo. So if there's cached data younger than a day, or if the data is stale and younger than a day, we'll use it.
I'll post a patch to this once I have the number.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/tpo/tpa/team/-/issues/17886
Create LDAP account for Shari
2020-06-27T14:19:38Z
Damian Johnson

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Please create an LDAP account for Shari, who needs a spot for persistent
irc and possibly other things.
Name: Shari
address: ssteele@torproject.org
openpgp fingerprint: 69B4 D9BE 2765 A81E 5736 8CD9 0904 1C77 C434 1056
desired username: ssteele
```

https://gitlab.torproject.org/tpo/network-health/metrics/onionoo/-/issues/17885
Fix two inconsistencies between protocol and implementation
2020-06-27T14:24:16Z
Karsten Loesing

We received two patches that fix two inconsistencies between protocol and implementation. I'll push a branch with those fixes as soon as I know the ticket number.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17883
Tor crashes on New York Times website
2020-06-27T14:39:51Z
Trac

I opened the New York Times website today, right after installing Tor Browser 5.0.5, and it crashed with a 'Program stopped working' error message.
First, I opened 3 tabs and it crashed. So I went to the New York Times site to copy the 3 links so I could include them without opening them, and it crashed after the New York Times site had been open for about 1 minute (I had just copied one link, but had not opened it).
I am running Windows 7 Professional Service Pack 1.
I don't know if there is a Windows dump somewhere with more information. And I don't know much more. I had been browsing other websites with no problem, but the New York Times site crashed Tor 3 times in about 6 minutes, so I'm not going to try to open it again from Windows. I have Privacy set to Medium Low.
**Trac**:
**Username**: mwolfe

https://gitlab.torproject.org/tpo/core/tor/-/issues/17882
Remove needless *_support_ntor()
2021-09-16T14:34:35Z
Nick Mathewson

While reviewing legacy/trac#7144, I noticed that circuit_cpath_supports_ntor() is pointless: We no longer allow TAP-only relays on the network, IIUC.
Assuming that I've got that right, we can rip out some code.
Tor: unspecified

https://gitlab.torproject.org/tpo/core/tor/-/issues/17881
Use return codes from test programs to simplify test scripts
2020-07-27T18:34:18Z
cypherpunks

Forwarding the exit codes from the underlying test programs can simplify the test scripts that encapsulate the test programs.
For example, the switch_id test program checks the user id and returns early when we are not root. The test_switch_id.sh script does the same check which is redundant code if we change the return code in the test program and let the script forward it to the test driver.
Other test scripts can be simplified in a similar way.
Tor: unspecified

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17879
Activating the Flash Player is not working anymore since Tor Browser 5.0.5
2021-07-13T19:43:06Z
Georg Koppen

There are a bunch of users that are complaining about the Flash Player not working anymore e.g. on sites like www.pandora.com. What is going on, I think, is the *detection* being broken which is very likely due to the fix for legacy/trac#17207. The Flash Player itself is still working for me, e.g. on Adobe's test site.
It's unfortunate that this did not get caught in our alpha series but here we are. I guess providing a preference allowing to disable the fix for legacy/trac#17207 might be worth it given that a number of users wouldn't be using Tor Browser otherwise or would be trying to shoot themselves in the foot with having different browsers opened simultaneously.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17877
Tor Browser 5.0.5 is using the wrong Mozilla build tag
2020-06-27T14:39:51Z
Georg Koppen

It seems Mozilla decided to make a second build directly on the release day and put that out immediately with almost no QA. We missed that it seems. :(
We need to get out a 5.0.6 with that fixed.

https://gitlab.torproject.org/tpo/core/tor/-/issues/17876
Connection_ap_about_to_close should call connection_edge_about_to_close.
2020-06-27T13:59:56Z
Nick Mathewson

In a2ad31a92, we split connection_about_to_close into separate functions. And we made connection_edge_about_to_close hold the common logic for AP_CONN and EXIT_CONN. But... we never made connection_ap_about_to_close call connection_edge_about_to_close!
This should be harmless in 0.2.7 and earlier, since all connection_edge_about_to_close does is (possibly) generate a warning. But in 0.2.8 for legacy/trac#17590, we shoved a bunch of code in connection_edge_about_to_close that really does matter, for entry connections that are pending circuits.
Bug in 0.2.3.2-alpha.
Tor: 0.2.8.x-final