Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
2021-07-09T17:23:47Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19757
Make a menu to add onion and auth-cookie to TB
2021-07-09T17:23:47Z, Nima Fatemi

Currently it's very difficult to add an onion address and auth cookie to Tor Browser.
It would be nice to have an option in torbutton menu where you can set `HidServAuth` and optionally `MapAddress`, instead of having to edit your TB torrc file.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19508
Proposal to drop Tor Browser's plugin patches
2021-07-09T18:24:30Z, Arthur Edelstein

Tor Browser has three patches related to blocking plugins:
* legacy/trac#3547 adds a function that whitelists the flash plugin only and excludes loading all other plugins
* legacy/trac#8312 hides the link to "Manage plugins" when the plugin is disabled
* legacy/trac#10280 adds a UI for enabling/disabling plugins in the add-ons page
These patches were introduced when Flash was still in fairly wide use. But since then, Flash has been disabled by default in Firefox, and is replaced on a substantial number of websites by HTML5 video and JavaScript. Furthermore, we want to strongly discourage users from using Flash as there is a significant risk that it will bypass the proxy or expose the user to tracking or security vulnerabilities.
First, from what I can see, when the pref `plugin.disable` is set to true (as it is in `browser/app/profile/000-tor-browser.js`), all plugins (including Flash) are blocked from ever loading into the Firefox process. Therefore the code in our legacy/trac#3547 is never exercised.
Second, legacy/trac#10280 only makes it more likely for the user to set "plugin.disable" to false, by exposing that pref in the UI.
Finally, legacy/trac#8312 seems unnecessary because, when "plugin.disable" is true, no "Manage plugins" link appears. Instead, the only message is "A plugin is needed to display this content." Also, various popular video sites, such as YouTube and Vimeo, now use HTML5 video without any complaints about missing Flash.
So I would suggest we can drop these three patches. Instead we might consider a couple of UI tweaks to improve user safety:
1. Hide the Plugins section of about:addons altogether to prevent the user from even considering loading any plugins
2. Change the plugin failure message to "A plugin would be needed to display this content. For security reasons, Tor Browser does not support plugins."
I think both of these changes could be implemented as XUL overlays in torbutton.
Finally, for extra safety, we could add an extra C++ patch that ensures that whenever an nsPluginsDir::LoadPlugin implementation is called, the `plugin.disable` pref is checked and, if it is true, the function loads nothing and returns an error code. I think such a patch might be upstreamable.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18534
dom.event.clipboardevents.enabled .. default in Torbrowser
2021-07-09T17:23:47Z, cypherpunks

From blog comments:
https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
Torbrowser's default weakens user's anonymity. Imagine user selecting a name or address from a query result of many names or addresses. Server gets this information.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18311
Document first party isolation for Tor researchers
2021-07-09T17:23:47Z, Arthur Edelstein

Academics researching tor may not be aware that Tor Browser is isolating by URL bar domain (aka first party isolation), as implemented in legacy/trac#3455. We should note this somewhere in the tor documentation so this difference in behavior between default tor and default Tor Browser is not overlooked by researchers. See also legacy/trac#5753

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16968
Using ExitNodes with bridges make ExitNodes ignored without warning messages. Comment from other cypherpunks: cant reproduce
2021-07-09T17:23:47Z, cypherpunks

Using ExitNodes with bridges make ExitNodes ignored without warning messages

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16921
system locale in rss view
2021-07-09T18:24:30Z, cypherpunks

When I open an rss file from some website, the dates are shown in the locale language and format. Media files shown in rss like mp3 have the description in my system language.
Do any of these get leaked somewhere? Could you block the browser the ability to reach these values in the first place whether they are currently being leaked or not?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16620
Transform window.name handling into Firefox patch
2021-07-09T17:23:47Z, Mike Perry

Right now, we reset window.name in Torbutton in torbutton_check_progress(). We should rewrite this as a direct Firefox patch, as per our SponsorU Torbutton conversion deliverable.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16441
8-month-old Tor Browser offers to "Reset Tor Browser", removes extensions
2023-08-24T18:57:11Z, David Fifield dcf@torproject.org

I started an old copy of Tor Browser 4.0 I had in a directory. From file times it looks like it was last run on 2014-10-21, 8 months ago (today is 2015-06-24). When I started it, the about:tor page showed a banner at the bottom
It looks like you haven't started Tor Browser in a while. Do you want to clean it up for a fresh, like-new experience? And by the way, welcome back!
with a button that says "Reset Tor Browser..."
When I click on the button, the browser restarts and gives me the plain Firefox start page, with the Firefox logo and everything. It looks like all the extensions are gone (HTTPS-Everywhere, NoScript, Torbutton, Tor Launcher). check.torproject.org says the browser is using Tor. I also got a banner offering to update to 5.0a2.
I was trying the instructions from [[doc/TorBrowser/Hacking#UsinganExistingTorProcess]] so I had run
```
export TOR_SOCKS_PORT=9050
export TOR_SKIP_LAUNCH=1
./start-tor-browser
```
I don't know if that had anything to do with it.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15933
Relax domain isolation to use TLD instead of FQDN
2021-07-09T17:23:47Z, Trac

TorButton 1.9.2.2 in new TorBrowser 4.5, prevents some file host sites from functioning, such as load.to, ziifile.com, and others.
example link: http://www.load.to/StQUxNkHH4/dictionaries.7z
this download link will function in TBB 4.0.8 (with <Forbid Scripts Globally> activated)
in TBB 4.5, the same link will only loop back to the file host home page (with <Forbid Scripts Globally> activated). the download link *will* function, however, if TorButton extension is disabled.
maybe caused by the isolation of requests from same URL domain?? (file hosts frequently redirect user after the Download button is clicked. in this example, from http://www.load.to/ to http://s2.load.to)
thanks for attention
**Trac**:
**Username**: maxim

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/14631
Users that try to run from DMG files run into "Another copy of Firefox is running"
2021-07-09T18:24:30Z, Arthur Edelstein

Somehow we should figure out how to avoid this bug. Is it possible to write Firefox Profile files in /var/tmp or maybe not write them at all?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13367
Rate limit gyroscope sampling frequency on FF mobile
2022-01-11T19:33:18Z, Mike Perry

By the time we get around to an official mobile port, we should double-check that Mozilla has reduced the sampling rate of the gyroscope on Android:
http://crypto.stanford.edu/gyrophone/files/gyromic.pdf

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13353
TBB 3.6.6 won't import certificate
2021-07-09T17:19:51Z, Trac

In Certificate Manager on the Servers tab I am trying to import a certificate. The GUI allows me to choose a file and the dialog closes but the certificate is not imported and no error dialog is shown.
I have tested the same certificate in vanilla Firefox ESR 24.8.1 and TBB 3.6.2 (the only old version I have) and both work fine.
**Trac**:
**Username**: ZcbCkyj5

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13252
Tor Browser on OS X should not store data into the application bundle
2022-05-25T10:55:34Z, Trac

The Tor application on OS X stores user data into its bundle (TorBrowser.app/Data/). This is bad. This causes various issues:
- the Tor application can't be code signed, which decreases the security. See Ticket legacy/trac#13251: CodeSign Tor for OS X
- when installing a new version of Tor, all previous user data (bookmarks) are deleted.
**Trac**:
**Username**: torosx

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12449
Firefox is insecure, it can't used with Tor
2021-07-09T18:24:30Z, cypherpunks

Firefox is insecure, no sense to use it with Tor. It ruins everything: privacy, anonymity.
legacy/trac#10631 + performance.now(), etc, makes browser most danger process in system that runs privacy related software.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/11154
Disable TLS 1.0 (and 1.1) by default
2023-08-14T22:26:56Z, Trac

running the how's my ssl check the tor browser rated bad, the reason the tor browser is using old tls settings and old security ciphers,
In the next update please set the minimum tls to 2 and the maximum to 3 in about:config for security.tls.version this makes the minimum tls 1.1 and my max tls 1.2.
Also please disable use of insecure cipher suites security.ssl3.rsa_fips_des_ede3_sha in about:config
**Trac**:
**Username**: ZeroCool

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10760
Integrate TorButton to TorBrowser core to prevent users from disabling it
2022-01-11T19:23:03Z, Trac

I mean integration like this with pdf.js addon, which was simply integrated to Firefox core.
**Trac**:
**Username**: Rezonansowy