Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-16T01:10:37Zhttps://gitlab.torproject.org/legacy/trac/-/issues/32923Detached Tor Browser Firedox APK - Option to Customize Configuration - VPN Fu...2020-06-16T01:10:37ZTracDetached Tor Browser Firedox APK - Option to Customize Configuration - VPN Function - AndroidI can't say better than what is said here:
https://www.reddit.com/r/TOR/comments/af9brd/separate_apk_for_torbrowser_alpha_detached_from/
https://blog.torproject.org/comment/282067#comment-282067
https://trac.torproject.org/projects/tor/...I can't say better than what is said here:
https://www.reddit.com/r/TOR/comments/af9brd/separate_apk_for_torbrowser_alpha_detached_from/
https://blog.torproject.org/comment/282067#comment-282067
https://trac.torproject.org/projects/tor/ticket/28786
How are you guys paying zero attention to this critical function?
Taking away user customization cripples the fundamental principles of freedom to choose and speak freely.
Also, as Android' built in Always-on VPN can take advantage of outdated Orbot's VPN feature to tunnel everything over Tor with zero leak when user chooses Block internet without VPN option in Android network settings.
Just need a separate Tor Browser APK that can be used with good old Orbot. Or a new form of something similar that can allow users to choose.
I recently faced a major headache with Facebook's onion address. Whereby it won't allow users to upload anything. Only solution was to choose a customized IP/Node a user had used to access Facebook before. And above feature can help evade such lock downs.
I sincerely hope someone takes this seriously and does something.
Very similar report was filed 13 months before!!!
**Trac**:
**Username**: onestephttps://gitlab.torproject.org/legacy/trac/-/issues/32674Change link on 'Get involved' in about:tor to new community portal2020-06-16T01:28:33ZemmapeelChange link on 'Get involved' in about:tor to new community portalThe link to 'Get involved should not point to the old volunteer page, now that we have the new community page.
The link should be localized, as the manual and others on that page, although for the moment there are no translations enable...The link to 'Get involved should not point to the old volunteer page, now that we have the new community page.
The link should be localized, as the manual and others on that page, although for the moment there are no translations enabled, but we can do some .htacess foo meanwhile on the community portal as we plan to translate it and it has a lot of content.
![get_involved.png](uploads/get_involved.png)Mark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/32549NoScript makes requests to sync-messages.invalid2020-06-16T01:09:57ZcypherpunksNoScript makes requests to sync-messages.invalidUsing the latest Tor Browser release 9.0.1, my Tor gateway machine's log is full of messages like this:
>Nov 19 21:27:11.000 [notice] Have tried resolving or connecting to address 'sync-messages.invalid' at 3 different places. Giving up...Using the latest Tor Browser release 9.0.1, my Tor gateway machine's log is full of messages like this:
>Nov 19 21:27:11.000 [notice] Have tried resolving or connecting to address 'sync-messages.invalid' at 3 different places. Giving up.
I think this started in 9.0, but I am not sure.
A web search found only that it seems to be an upstream problem in NoScript:
https://forums.informaction.com/viewtopic.php?t=25779
I have not personally verified that NoScript is the culprit. Just reporting what I saw so you can track the issue and make sure to get the patched version from upstream, if/as necessary.https://gitlab.torproject.org/legacy/trac/-/issues/32224Add extensions.torbutton.use_nontor_proxy back to Tor Browser 9!!2020-06-16T01:08:45ZcypherpunksAdd extensions.torbutton.use_nontor_proxy back to Tor Browser 9!!Why did you removed it?
I NEED TO USE my proxy with tor browser and I WANT to use your browser.
Before this ugly update I was able to use my proxy with tor-disabled-torbrowser.
PLEASE DO SOMETHING. I HAD TO USE FIREFOX to make this co...Why did you removed it?
I NEED TO USE my proxy with tor browser and I WANT to use your browser.
Before this ugly update I was able to use my proxy with tor-disabled-torbrowser.
PLEASE DO SOMETHING. I HAD TO USE FIREFOX to make this comment!!https://gitlab.torproject.org/legacy/trac/-/issues/31957automate upgrades2022-11-07T15:51:01Zanarcatautomate upgradesupgrades take up a significant chunk of time every week and distract sysadmins (or at least me) from focusing on other projects.
upgrades should be therefore automated, as much as possible.
see also #31239 about auomated installs and t...upgrades take up a significant chunk of time every week and distract sysadmins (or at least me) from focusing on other projects.
upgrades should be therefore automated, as much as possible.
see also #31239 about auomated installs and this is part of the wider "ops card questionnaire", where we answered no to a question about this, see #30881.
checklist:
* [x] install needrestart everywhere, in interactive mode
* [x] switch needrestart to automatic mode
* [x] install unattended-upgrades everywhere
* [ ] fix major upgrades docs to disable unattended-upgrades during the upgrade run
* ~~[ ] automate reboots~~ see #33406 insteadHiroHirohttps://gitlab.torproject.org/legacy/trac/-/issues/31573Uncaught exception in SessionStore.jsm with Tor Browser based on ESR 682020-06-16T01:06:59ZGeorg KoppenUncaught exception in SessionStore.jsm with Tor Browser based on ESR 68During start-up I can see:
```
JavaScript error: re[//modules/sessionstore/SessionStore.jsm,](//modules/sessionstore/SessionStore.jsm,) line 1325: uncaught exception: 2147746065
```During start-up I can see:
```
JavaScript error: re[//modules/sessionstore/SessionStore.jsm,](//modules/sessionstore/SessionStore.jsm,) line 1325: uncaught exception: 2147746065
```richardrichardhttps://gitlab.torproject.org/legacy/trac/-/issues/31324Spoof the Tor Browser time displayed to websites if clocks are wrong2020-06-16T01:06:06ZcypherpunksSpoof the Tor Browser time displayed to websites if clocks are wrongJavascript can be used to get the system time of a user. This allows for fingerprinting via different clock offsets and skews. This also may allow websites to determine the user's location by seeing which country has the same time as the...Javascript can be used to get the system time of a user. This allows for fingerprinting via different clock offsets and skews. This also may allow websites to determine the user's location by seeing which country has the same time as the user.
Currently, the Tor Browser spoofs the timezone displayed to websites to UTC but this doesn't spoof the actual system time which can still be gotten with `new Date()`.
The Tor Browser should spoof the time shown to websites so all Tor Browser users have the same time or a random time.https://gitlab.torproject.org/legacy/trac/-/issues/31296simplify OpenPGP signature verification instructions2020-06-13T17:12:30Zdkgsimplify OpenPGP signature verification instructionsThe OpenPGP signature verification instructions at https://support.torproject.org/tbb/how-to-verify-signature/ are more complicated than they need to be, and more repetitive. They also are confusing!
I'll attach a revised version of th...The OpenPGP signature verification instructions at https://support.torproject.org/tbb/how-to-verify-signature/ are more complicated than they need to be, and more repetitive. They also are confusing!
I'll attach a revised version of the `contents.lr` file, but you can also see the changes with more clarity as a series of individual git commits on the `pgp-verification` branch of tor's `support` repo at https://0xacab.org/dkg/tor-support.
the main changes are:
* group GnuPG installation instructions in one place
* export the tor developer OpenPGP certificate as a "keyring"
* use `gpgv` for verification, not raw `gpg`
* remove accidentally misleading statements about "assigning a trust index" and "exchanging fingerprints"
* use fingerprints and not keyids
* bake fingerprint verification into the workflow, rather than asking humans to compare them manually.
If you disagree with any of these changes, please let me know, and why. i'd be happy to reconsider them with good reason.GusGushttps://gitlab.torproject.org/legacy/trac/-/issues/31090stop using gpg keyservers / provide OpenPGP keys for download as files from t...2020-06-13T17:28:16Zadrelanosstop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org[Quote](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) (bold not added by me)
> **High-risk users should stop using the keyserver network immediately.**
Originator of quote, again quoting directly:
> Robert J. Hans...[Quote](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) (bold not added by me)
> **High-risk users should stop using the keyserver network immediately.**
Originator of quote, again quoting directly:
> Robert J. Hansen <rjh@sixdemonbag.org>. I maintain the GnuPG FAQ and unofficially hold the position of crisis communicator. This is not an official statement of the GnuPG project, but does come from someone with commit access to the GnuPG git repo.
See also:
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
Other reasons:
* Apart from this, keyservers have been unreliable for a long time now. This alone is a reason for at least providing an optional download of public keys.
* While https://support.torproject.org/tbb/how-to-verify-signature/ can be viewed in Tor Browser, doing networking outside of Tor Browser (gpg --recv-keys) is non-trivial to do torified. Also for that reason it would be better if users could get both, the information how to verify and the gpg public key from the same source.https://gitlab.torproject.org/legacy/trac/-/issues/31071Add a notice if we're missing data for a lookup2020-06-13T17:55:20ZKarsten LoesingAdd a notice if we're missing data for a lookupTurns out the the exit scanner had an issue between April 25 and 29, 2019. If somebody looks up their exit IP address during that time, they won't be listed in the results. I know of one case where this is now potentially an issue.
Let'...Turns out the the exit scanner had an issue between April 25 and 29, 2019. If somebody looks up their exit IP address during that time, they won't be listed in the results. I know of one case where this is now potentially an issue.
Let's think about adding a notice if we're missing data for part of a lookup period, including exit lists and maybe also consensuses. This is different from having no data at all, it's about missing some data only.
First step will be to refine the (already quite complex) query to return whether we have sufficient or insufficient data, possibly but not necessarily with exact timestamps of available data.
Second step will be to include the notice in the website, first in English and then in translated languages.
Third step will be to release and deploy all this.
I'll work on this, but I'm putting it into needs_review to discuss the idea first.https://gitlab.torproject.org/legacy/trac/-/issues/30844Update Tor Browser Manual with the extensions.torlauncher.socks_port_flags co...2020-06-13T17:11:27ZPili GuerraUpdate Tor Browser Manual with the extensions.torlauncher.socks_port_flags configSee https://trac.torproject.org/projects/tor/ticket/30803#comment:1See https://trac.torproject.org/projects/tor/ticket/30803#comment:1waywardwaywardhttps://gitlab.torproject.org/legacy/trac/-/issues/30798Develop and deploy tgen model resembling ping2020-06-13T18:04:04ZKarsten LoesingDevelop and deploy tgen model resembling pingAt last week's tor-scaling meeting we discussed developing a second tgen model that resembles a ping service and deploying an OnionPerf instance with that model.
The current default tgen model in OnionPerf makes a new download every fiv...At last week's tor-scaling meeting we discussed developing a second tgen model that resembles a ping service and deploying an OnionPerf instance with that model.
The current default tgen model in OnionPerf makes a new download every five minutes. That's a tiny request with a response of 50 KiB or 1 MiB or 5 MiB.
This new model would send a tiny request once per second for, say, five minutes, and receive a tiny response back to each of these requests.
We wouldn't have to write analysis code that produces something like a .tpf file right now but could start with analyzing the raw logs for this experiment and extract some hopefully useful visualizations.
I could deploy this new model on my local machine (if it uses an onion service).
Raising priority to high, because it would be great to ideally get this deployed before All Hands.
Thoughts?https://gitlab.torproject.org/legacy/trac/-/issues/30700Tor's Travis stem job shows debug logs from 10 minutes after the hang2020-06-13T15:41:59ZteorTor's Travis stem job shows debug logs from 10 minutes after the hangBut we need the logs from the time of the hang.
I'm not sure how to solve this issue, maybe we can grep for `date -10m` or something.But we need the logs from the time of the hang.
I'm not sure how to solve this issue, maybe we can grep for `date -10m` or something.Tor: unspecifiedDamian JohnsonDamian Johnsonhttps://gitlab.torproject.org/legacy/trac/-/issues/30394NoScript should fail closed2020-06-16T01:03:14ZcypherpunksNoScript should fail closedSoftware: Tor Browser 8.0.8 (based on Mozilla Firefox 60.6.1esr)
This started last night.
Even with Tor Browser security slider set to high, JavaScript is enabled.
This is a double-bug:
1. Bigger bug: NoScript fails OPEN
2. Immediate ...Software: Tor Browser 8.0.8 (based on Mozilla Firefox 60.6.1esr)
This started last night.
Even with Tor Browser security slider set to high, JavaScript is enabled.
This is a double-bug:
1. Bigger bug: NoScript fails OPEN
2. Immediate bug: NoScript is failing (why? no idea)
In about:addons, NoScript is listed under "Unsupported" with the following message. (The screenshot is attached.)
== Legacy Extensions
These extensions do not meet current Tor Browser standards so they have been deactivated.
[Learn more about the changes to add-ons](https://support.mozilla.org/1/firefox/60.6.1/Linux/en-US/webextensions)
⚠ NoScript could not be verified for use in Tor Browser and has been disabled.
[More Information](https://support.mozilla.org/1/firefox/60.6.1/Linux/en-US/unsigned-addons)https://gitlab.torproject.org/legacy/trac/-/issues/30175Manually whitelist extensions removed from AMO for purely political reasons i...2020-06-16T01:02:35ZcypherpunksManually whitelist extensions removed from AMO for purely political reasons in Tor Browser to fight Mozilla's censorshipMozilla recently removed the Dissenter Firefox add-on, an add-on that allows users to make comments on any web page that can be viewed only by other Dissenter users, from AMO for "hate speech" (which of course is a charge only even possi...Mozilla recently removed the Dissenter Firefox add-on, an add-on that allows users to make comments on any web page that can be viewed only by other Dissenter users, from AMO for "hate speech" (which of course is a charge only even possibly related to some of the content its users freely posted on it and not any particular sentiment expressed by the program's interface, description, etc. itself). This is similar to the charges commonly levied against the Tor Project that it promotes child pornography, drug addiction, terrorism, hate speech, etc. simply because it facilitates the creation of a free and open platform that anyone can use anonymously, even those with ill intentions.
Surely, then, we must recognize the folly in accusing the creators of the Dissenter add-on themselves of hate speech (and thus removing their extension) simply for the expressions of its users and thus that Mozilla's removal of the add-on (in coordination with Google's removal of it from the Chrome Web Store, which should tell you all you need to know about the shadowy motivations behind it) was arbitrary, unjustified, and unethical. The same logic that's been used against Dissenter could easily be turned against the Tor Project by Mozilla in order to attempt to hinder the creation and dissemination of Tor Browser.
So my question is this: When is the Tor Project going to condemn this unjust censorship of an add-on that merely attempts to aid one of the goals of the Tor Project itself (the protection of freedom of expression online) from its partner Mozilla, and when is the Tor Browser going to provide its users with a convenient means to work around this odious totalitarianism from the browser (Firefox) it is based on?
Leaving the situation as it is, where any add-ons that Mozilla deems to be insufficiently politically correct enough are demoted to "temporary add-ons" that must be clunkily reinstalled with each browser restart, is unacceptable (as is requiring users to entirely disable the protections the current system from Mozilla provides because they want to install on a permanent basis an extension that was not removed from AMO for being a security risk).
Tor Browser should take a stand against this freedom of expression-hostile action from its partner Mozilla by adding to its forked Firefox code a "whitelist" of extensions that were removed from AMO purely for politically biased reasons, allowing them to be installed in Tor Browser normally as if they came from AMO itself. This strikes the right balance between preserving the general protections that Mozilla's extension security system provides while sending a clear message to Mozilla that the Tor Project, at the very least, will not allow Mozilla to censor its users or block any extension in its fork of their browser other than those that are actively hostile to the user (as opposed to hostile to Mozilla's agenda).
If the Tor Project is truly in favor of freedom online, then it can no longer stay silent about big tech censorship. After all, what is the meaning of the Tor network if its anonymity can only be used to shout in dark isolated corners where nobody can hear you? Dissenter, which has no restrictions on accounts registering with or using the Tor network to post, opened up the web universally for comment by Tor users, even the areas of it traditionally hostile to Tor. Mozilla's actions are a direct attack on this newfound freedom. The Tor Project opposed Cloudflare when it attempted to restrict the freedom of Tor users. Now it must express that same opposition to Mozilla.https://gitlab.torproject.org/legacy/trac/-/issues/30080support portal: keep anchor when changing language2020-06-13T17:12:26Zemmapeelsupport portal: keep anchor when changing languagewhen I am for example at https://support.torproject.org/#connectingtotor and I choose another language, lets say Italian, I am forwarded to https://support.torproject.org//it
It should be better if I am forwarded to https://support.tor...when I am for example at https://support.torproject.org/#connectingtotor and I choose another language, lets say Italian, I am forwarded to https://support.torproject.org//it
It should be better if I am forwarded to https://support.torproject.org/it/#connectingtotor instead.HiroHirohttps://gitlab.torproject.org/legacy/trac/-/issues/29663Deploy /etc/puppet as a role account2020-06-13T16:56:53ZLinus Nordberglinus@torproject.orgDeploy /etc/puppet as a role accountOn our puppet master (alberti.tpo), the post-receive git hook deploys the tor-puppet repo in /etc/puppet as the user pushing. As long as umask is correct and the stars are aligned, things are good. Sometimes files end up with 0644 when w...On our puppet master (alberti.tpo), the post-receive git hook deploys the tor-puppet repo in /etc/puppet as the user pushing. As long as umask is correct and the stars are aligned, things are good. Sometimes files end up with 0644 when we need them to be 0664 in order for other accounts (in group 'adm') to be able to change existing files.
Start using a role account instead of individual admin accounts for deploying to /etc/puppet.anarcatanarcathttps://gitlab.torproject.org/legacy/trac/-/issues/29641Tor Browser fails to bootstrap on IPv6-only access networks2020-06-16T01:03:50ZTracTor Browser fails to bootstrap on IPv6-only access networksMy internet connection is IPv6-only, although DNS64+NAT64 is available.
When I try to use Tor Browser, it fails to open correctly. It also prints log messages like this:
```
[NOTICE] Opened Socks listener on 127.0.0.1:9150
[WARN] Prob...My internet connection is IPv6-only, although DNS64+NAT64 is available.
When I try to use Tor Browser, it fails to open correctly. It also prints log messages like this:
```
[NOTICE] Opened Socks listener on 127.0.0.1:9150
[WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Network is unreachable; NOROUTE; count 3; recommendation warn; host x at 1.2.3.4:9001)
[WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Network is unreachable; NOROUTE; count 4; recommendation warn; host x at 2.3.4.5:443)
[NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
```
Note that most (non-Tor) things work perfectly fine on my connection, as long as the application is capable of resolving AAAA records and/or connecting over AF_INET6.
I acknowledge that Tor tends not to be DNS-based (hence DNS64 doesn't help in this case). But I would expect Tor to have a list of IPv6 directory servers to try to connect to in lieu of IPv4.
Until Tor tries to connect to IPv6 directory servers, Tor Browser will be completely unusable for people on IPv6-only internet connections.
Version: Tor Browser 8.0.6 on mac OS 10.14.3.
**Trac**:
**Username**: jeremyvisserhttps://gitlab.torproject.org/legacy/trac/-/issues/28888The Relay Search Results table doesn't show the IPv6 capability of a bridge2020-06-13T18:08:20ZtoralfThe Relay Search Results table doesn't show the IPv6 capability of a bridgeThe ORPort is reachable (tested from another IPv6 system in a different network segment), the torrc looks like:
```
# torrc
#
SocksPort 0
ORPort auto
ORPort [<snip>]:auto
BridgeRelay 1
Exitpolicy reject *:*
RunAsDaemon 1
ControlPort 9...The ORPort is reachable (tested from another IPv6 system in a different network segment), the torrc looks like:
```
# torrc
#
SocksPort 0
ORPort auto
ORPort [<snip>]:auto
BridgeRelay 1
Exitpolicy reject *:*
RunAsDaemon 1
ControlPort 9051
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ContactInfo replace k with c : kontakt @ zwiebeltoralf . de
Nickname zwiebeltoralf3
Log warn file /var/log/tor/warn.log
# for arm
#
DisableDebuggerAttachment 0
```
The metrics link is: https://metrics.torproject.org/rs.html#details/662D4E4DE2C883625C543DFA3C4EE466899E6C85https://gitlab.torproject.org/legacy/trac/-/issues/28876tbb-testsuite: fix the noscript test2020-06-13T17:41:18Zboklmtbb-testsuite: fix the noscript testThe noscript test is currently failing, because it is trying to use the `noscript.global` pref to enable/disable noscript, which is not used anymore by the new version of noscript.
To test the different states of noscript, we can instea...The noscript test is currently failing, because it is trying to use the `noscript.global` pref to enable/disable noscript, which is not used anymore by the new version of noscript.
To test the different states of noscript, we can instead change the security level.cypherpunkscypherpunks