Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
2021-07-09T18:24:30Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28540
12/11 release Banner text
2021-07-09T18:24:30Z
Sarah Stevenson

Please create the following 6 banners where:
[Line 1, non-variable] Tor: Strength in Numbers
[Line 2, variable]
1. Keep Tor strong. Give today, and Mozilla will match your donation. https://marvelapp.com/a131e34/screen/48876408
2. Mozilla is matching every donation until 2019. Give now, and your gift becomes twice as strong.
^^ please notice that the "Give today, and Mozilla will match your donation" phrase will change here and be: "Give now, and your gift becomes twice as strong."
3. Support internet freedom. Give today, and Mozilla will match your donation.
4. Defend the open web. Give today, and Mozilla will match your donation.
5. Support privacy and freedom online. Give today, and Mozilla will match your donation.
6. We need your support. Every dollar counts. Give today, and Mozilla will match your donation.
[Button]:
“Count me in.” To be used in English.
“Donate now.” To be used for all other languages.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16441
8-month-old Tor Browser offers to "Reset Tor Browser", removes extensions
2023-08-24T18:57:11Z
David Fifield (dcf@torproject.org)

I started an old copy of Tor Browser 4.0 I had in a directory. From file times it looks like it was last run on 2014-10-21, 8 months ago (today is 2015-06-24). When I started it, the about:tor page showed a banner at the bottom
It looks like you haven't started Tor Browser in a while. Do you want to clean it up for a fresh, like-new experience? And by the way, welcome back!
with a button that says "Reset Tor Browser..."
When I click on the button, the browser restarts and gives me the plain Firefox start page, with the Firefox logo and everything. It looks like all the extensions are gone (HTTPS-Everywhere, NoScript, Torbutton, Tor Launcher). check.torproject.org says the browser is using Tor. I also got a banner offering to update to 5.0a2.
I was trying the instructions from [[doc/TorBrowser/Hacking#UsinganExistingTorProcess]] so I had run
```
export TOR_SOCKS_PORT=9050
export TOR_SKIP_LAUNCH=1
./start-tor-browser
```
I don't know if that had anything to do with it.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/24309
Activity 4.1: Improve how circuits are displayed to the user
2022-10-28T16:23:15Z
Isabela Fernandes

## Problem we are trying to solve:
Many users expect the guard node to change when asking for a new circuit.
There is nothing on circuit display that tells the user the first node is a guard, what guards are, and how it works when Tor creates new circuits for the user.
## Expected behavior
If no other condition, guards will only change for a client every 3 months. Even if the user picks 'new identity' the guard should stay the same.
## Proposed solution:
First of all we need to update the Tor Browser User Manual to have an explanation about how the guard selection works, it should be in this section:
https://tb-manual.torproject.org/en-US/managing-identities.html
All the solutions below will link to the manual, this will allow us to send the user to a place with more information. And not necessarily have to explain everything in the display or UI.
Managing users expectations:
I believe that for now we are better served if we manage user expectation about what will change when they request such change, not in the circuit display.
The current places where the user will be asking for a new circuit are:
1 - Tor Button -> New Identity
At this action, Tor Browser will open a confirmation window (see screenshot: https://trac.torproject.org/projects/tor/attachment/ticket/24309/new_identity_confirmation_window.png)
We should change the text here to set the right expectation about guards.
2 - Tor Button -> New Tor Circuit for this Site
Could we have a tool tip here that helps user know that guards won't change.
Circuit display UI:
keep IP and country name. Add 'guard' to the first node - guard should be a link to manual page.
Add a link at the bottom for "Learn More" which should also link to the manual page.
I am suggesting 2 links to the manual as an intentional effort of over communicating to the user.
## Things I would like to test
* User understanding of Tor Browser User Manual explanation about how guards selection works.
* Did we manage to set the right expectation for user? Test it with New Identity flow and New Tor Circuit flow.
* Do we need both links on circuit display?
## Things I am suggesting to be left for a second iteration or not doing and why
* Suggesting to not add functionality to let user pick a different guard. I think such a feature should be deeply discussed and done as a project of its own. Not as part of this solution.
* Suggestion to leave for a second iteration making the IP addresses linkable to more information about the relay (from atlas).
* Suggestion to not use JS for the more information on the relay feature mentioned above. We should never jeopardize the user safety for 'better UX'. We should be able to deliver better UX within the limitations we have by building a product that has security by design in mind.
## Tickets related to the problem:
* Ticket: https://trac.torproject.org/projects/tor/ticket/16665
* Circuit visualizer needs a cue about guards
This is the main ticket that contains lots of information describing the user problem in the comments posted. Would recommend reading it fully for better understanding.
* Ticket: https://trac.torproject.org/projects/tor/ticket/15239
* Add hyperlinks in tor circuit display to show "more info" about relays
This ticket has some suggestions for displaying more information about the relays (using atlas). We are taking into consideration these suggestions in the hypothesis above.
* Ticket: https://trac.torproject.org/projects/tor/ticket/20805
* Circuit display does not honor or use the UI font.
This ticket is more a bug than a UX issue. Although we should make sure that we set a rule of what font to use in the display, and fall back options. Let's make sure we are aligning this with: Activity 1.2: Make sure Firefox Photon UI works with our style guidelines -- on UX Team roadmap (for March 2018)

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31564
Android bundles based on ESR 68 are not built reproducibly anymore
2021-07-09T18:24:30Z
Georg Koppen

I compared two builds on two different machines with what is very likely our toolchain to come (armv7) and it turns out the .apk files are not built reproducibly anymore.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31607
App menu items stop working
2020-07-14T22:25:21Z
Mark Smith

In the ESR68-based Tor Browser on macOS, the App menu items are not working. For example, choosing `Quit` or pressing `Cmd+Q` has no effect. Same for `Preferences` and `Cmd+,`
I observed this problem while testing the es-ES and en-US builds from the following location on an older macOS 10.11.6 system:
https://people.torproject.org/~gk/builds/9.0a6-build4/
I will re-test on a 10.14.x system to make sure it isn't specific to macOS 10.11.x.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30846
Audit activity-stream for network requests
2020-07-14T22:25:22Z
Alex Catarineu

In ff68 there are some snippets network requests coming from activity stream (`re[/activity-stream/lib/ASRouter.jsm`). We should make sure to disable these and any other related background requests.
Some relevant prefs: https://github.com/ghacksuserjs/ghacks-user.js/blob/a92c4086bbf8c4324c4369d1dc8a39338334af45/user.js#L109

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30304
Browser locale can be obtained via DTD strings
2020-10-16T16:22:27Z
Alex Catarineu

See https://bugzilla.mozilla.org/show_bug.cgi?id=467035.
Works in Tor Browser and Firefox 67 (with a different dtd file as in the bugzilla PoC), probably also next ESR.
Did not do a PoC but it would be easy to get a specific string in all locales, and just compare with value obtained via a hidden iframe that loads an xml with the translated string.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28809
Create build-specific installer for macOS
2022-07-09T18:24:42Z
richard

Similar to legacy/trac#28546 modify macOS installer to allow Tor Browser release, alpha and nightly to be installed side-by-side.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25741
Create tor-browser for mobile branch based on mozilla-central
2023-03-02T09:57:52Z
Georg Koppen

To prepare our first Tor Browser for Android alpha we need to create a separate branch in our tor-browser repo that is tracking the mozilla-central branch (rebased with our patches) we want to use in the release. Follow-up beta and stable branches are later on needed as well.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31888
Create unit test in wine to validate widl's output when building IA2Accessible interfaces
2022-05-17T22:51:59Z
richard

Just to make sure wine doesn't break us in the future.
Number of points reflects both dev time and effort to get patch accepted.
richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23104
CSS line-height reveals the platform Tor Browser is running on
2022-05-18T00:58:57Z
Georg Koppen

Dr. Neal Krawetz reported via HackerOne that it is possible to detect the platform a Tor Browser is running with the CSS `line-height` attribute: 19px is used on Linux, 19.5167px on macOS, and 19.2px or 20px on Windows.
We could think about adjusting that to 20px independent of the platform Tor Browser is running on.
Igor Oliveira

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30767
Custom obfs4 bridge does not work on Tor Browser for Android
2021-07-09T18:24:30Z
Georg Koppen

We got a report on our blog post (https://blog.torproject.org/comment/282217#comment-282217) mentioning that custom obfs4 bridges don't work on Android while they do on desktop. I tested with a bridge provided and can reproduce the issue.
Shane Isbell

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21790
Disable captive portal detection in Tor Browser based on ESR52
2021-07-09T18:24:30Z
Georg Koppen

Firefox ships now with a captive portal detection feature. That's a thing we don't need and that phones home to Mozilla unnecessarily requesting http://detectportal.firefox.com/success.txt.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31457
disable per-installation profiles
2022-12-22T11:55:14Z
Mark Smith

Firefox ESR68 includes installation-specific profiles. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1474285
With our current nightly builds, this causes an extra profile directory to be created and used (and probably our bundled browser profile is not used on Linux and Windows).
We should figure out how to disable this feature or modify it to be compatible with the way we create and use browser profiles.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/11154
Disable TLS 1.0 (and 1.1) by default
2023-08-14T22:26:56Z
Trac

running the how's my ssl check the tor browser rated bad, the reason the tor browser is using old tls settings and old security ciphers,
In the next update please set the minimum tls to 2 and the maximum to 3 in about:config for security.tls.version this makes the minimum tls 1.1 and my max tls 1.2.
Also please disable use of insecure cipher suites security.ssl3.rsa_fips_des_ede3_sha in about:config
**Trac**:
**Username**: ZeroCool

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26345
Disable tracking protection UI in FF67-esr
2021-10-20T16:38:37Z
cypherpunks

Some of its parts are already live and well in Nightly (such as the Tracking Protection switch in the hamburger menu). This makes it particularly devastating since more users may be tempted to enable it thereby harming their fingerprinting.
https://bugzilla.mozilla.org/show_bug.cgi?id=1461743
https://www.ghacks.net/2018/06/10/mozilla-plans-to-push-tracking-protection-in-firefox/

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18311
Document first party isolation for Tor researchers
2021-07-09T17:23:47Z
Arthur Edelstein

Academics researching tor may not be aware that Tor Browser is isolating by URL bar domain (aka first party isolation), as implemented in legacy/trac#3455. We should note this somewhere in the tor documentation so this difference in behavior between default tor and default Tor Browser is not overlooked by researchers. See also legacy/trac#5753

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18534
dom.event.clipboardevents.enabled .. default in Torbrowser
2021-07-09T17:23:47Z
cypherpunks

From blog comments:
https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
Torbrowser's default weakens user's anonymity. Imagine user selecting a name or address from a query result of many names or addresses. Server gets this information.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28709
Enable Fuzzyfox
2021-07-09T18:24:30Z
Tom Ritter (tom@ritter.vg)

Fuzzyfox is a new timer mitigation technique currently in Nightly.
https://bugzilla.mozilla.org/show_bug.cgi?id=fuzzyfox
There are some open issues on it that would be best to solve before enabling it by default, but this bug can serve as a tracker for either backporting it or evaluating it.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27281
Enable Reader View again
2024-03-13T08:39:52Z
Georg Koppen

Back in legacy/trac#18950 we flipped prefs to disable Reader View due to fingerprinting concerns. Those got essentially addressed and we can now enable the feature again. see: https://bugzilla.mozilla.org/show_bug.cgi?id=1369327.