
Tor Browser 4.0 is released - conductor
https://blog.torproject.org/blog/tor-browser-40-released
======
nemesisj
The Tor project is really important, and I'm really glad the EFF supports it.
It's come a long way in the last 10 years too. For about a year I ran a fairly
high traffic couple of exit nodes (circa 2004) and it was a really scary
experience - constant legal threats, phone calls from people screaming that
we'd hacked their servers in the middle of the night, and several
conversations with the lawyers of big media companies. People who run exit
nodes have some serious stones. It was finally too much, despite the crew at
the EFF being really helpful when we called asking if they might help us
navigate some of the more intimidating legal waters.

All this to say, I'm really impressed at the lengths the project has gone (and
continues to go) to make Tor safer, more accessible, and easier to use for
nontechnical folks. I just downloaded and installed this, and it worked, and
worked well. A far cry from the earlier days. Cheers to Tor and the people
working on it, running exit nodes, bridge nodes, and offering legal support to
those that need it.

~~~
s_q_b
I run one. I tell anyone who complains that it's legal, explain Tor, send
them the form letter, and then never respond again. Three years running, and
I've never been sued or otherwise affected.

~~~
DINKDINK
What stops someone from masking their own behavior by falsely attributing it
to a Tor user? That is, someone runs a Tor exit relay and, whenever a complaint
comes in for an action actually executed by the relay host, falsely
attributes it to a Tor user.

~~~
sarciszewski
Actually, there's a very simple and elegant answer to this: Tor doesn't save
anything from relayed traffic to disk. So if forensic traces exist on the
behavior, it was PROBABLY the node operator.

(I used to have a source for this, but I think I bookmarked it on my dead
laptop.)

~~~
s_q_b
Not really; sometimes you need pcaps to diagnose network problems as an admin.
I anonymize the IPs and shred the files afterwards. But recorded == operator
is a bad heuristic.

------
csandreasen
I'm sure most of HN knows this already, but I've run into enough people that
used Tor but weren't aware of these that I'll post anyway. Some things to keep
in mind if you're going to use Tor:

- The exit nodes can see all traffic being routed through them[1]. Be wary of
using Tor for regular web surfing - the exit node can not only monitor any
unencrypted traffic, but can also inject browser exploits, attempt to strip
SSL[2], etc.

- HTTPS Everywhere is only enabled for sites that the EFF has whitelisted[3].
Even if a site supports SSL, don't expect HTTPS Everywhere to automatically
send you to the encrypted version - always double-check.

- NoScript is not enabled by default in the Tor Browser Bundle[4]. Don't
expect it to protect you from malicious JavaScript exploits out of the box.

If you absolutely must use Tor for something, the safest way to do so is to
connect to Tor, make whatever connections you need to make (and only those
connections), then immediately get off.

[1]
[https://www.torproject.org/docs/faq#CanExitNodesEavesdrop](https://www.torproject.org/docs/faq#CanExitNodesEavesdrop)

[2]
[http://www.thoughtcrime.org/software/sslstrip/](http://www.thoughtcrime.org/software/sslstrip/)
(it's long, but the video is worth watching)

[3]
[https://www.eff.org/https-everywhere/faq#automatic-https](https://www.eff.org/https-everywhere/faq#automatic-https)

[4]
[https://www.torproject.org/docs/faq#TBBJavaScriptEnabled](https://www.torproject.org/docs/faq#TBBJavaScriptEnabled)

~~~
sroerick
What about the use case of using Tor in order to expand the network for those
that really need to use Tor?

I will take your advice to heed if I'm ever in a truly sensitive situation,
but I use Tor out of solidarity. Do you think that's unwise?

~~~
csandreasen
I was referring to using the Tor Browser Bundle or any other client to access
the internet over Tor, which has different security implications than running
an exit node or relay.

That said, feel free to use it for whatever you want - just be aware of the
tradeoffs/risks. You can't just turn on Tor and assume that you're instantly
more anonymous and secure - to achieve that, people need to completely change
their browsing habits. Surfing the web through Tor without taking extra
precautions is essentially saying "I don't trust the web site I'm visiting or
any node between it and me, but I will implicitly trust this random group of
volunteer exit node operators who have assured me that they have no malicious
intent."

~~~
justcommenting
in terms of privacy and avoiding everyday tracking of what i read, say, and
search for...i actually _do_ trust this random group of mostly volunteer exit
node operators more than i trust major internet companies or my
ISP...especially where SSL is supported. i live in the united states.

------
duckingtest
Tor Browser is an abomination. I don't know of any other software with lower
ratio of real security to expected security (by the average user). See the
Freedom Hosting story [0] for an example why. This time it was about
pedophiles, but this danger holds for everyone, from users of silkroad clones
to opposition in totalitarian countries.

Tor Browser is making Tor more accessible to the average computer user in the
same way selling minefields cheaply makes real estate more accessible to the
average human.

The only reasonable way of using Tor for even remotely illegal purposes is by
using Whonix, or roughly equivalent schemes (e.g. a Tor-only router + Tails).

[0]
[http://nakedsecurity.sophos.com/2013/08/05/freedom-hosting-arrest-and-takedown-linked-to-tor-privacy-compromise/](http://nakedsecurity.sophos.com/2013/08/05/freedom-hosting-arrest-and-takedown-linked-to-tor-privacy-compromise/)

~~~
wyager
The vulnerability you mention either only affected or was only used against
older Windows boxes (I can't remember which).

The security of the TBB is generally limited by the security of Firefox, which
is not awful.

~~~
duckingtest
Security of Firefox is beyond awful [0]. The same is true of all currently
used browsers - almost certainly each has several unpatched remote code
execution holes. The overwhelming majority of professional bug finding people
are either working for the government(s) or selling bugs/exploits to them.
These bugs aren't getting reported to the vendor. The occasional ones that
are, are either reported by hobbyists, or by professionals for marketing
purposes.

You're the perfect example of why Tor Browser is so bad.

>was only used against older Windows boxes

It was only used against Windows systems, but it was a Firefox exploit.

[0]
[http://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3264/year-2014/opec-1/Mozilla-Firefox.html](http://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3264/year-2014/opec-1/Mozilla-Firefox.html)

~~~
neoCrimeLabs
None of the CVEs listed affect the current version of Firefox.

Many of the vulnerabilities fixed are discovered by Mozilla's security team as
well as community members, so while there may have been a vulnerability in the
browser and it was fixed, it does not mean the vulnerability was known or used
maliciously previous to being disclosed.

This is why you cannot judge the security of a product based upon the number
of CVEs published. If the vendor in question has an open security program
they will publicly disclose all security vulnerabilities they discovered
internally. This is a common practice with most (all?) of the major browser
vendors.

For example, look at the history of Google Chrome CVEs. You will notice huge
spikes in the number of vulnerabilities. A little research, and you will find
that was when the Chrome Security team started heavily fuzzing their code and
fixing vulnerabilities before most of them were discovered by outside parties.

What you have to worry more about is vendors who don't publicly disclose
security vulnerability information, so the only CVEs you see are the ones
that independent parties published.

------
mrinterweb
This may be stupid, but I am slightly concerned about visiting anything
related to Tor or security because of my fearful suspicion that the NSA will
flag me for closer observation. That said, me frequenting a site called
"Hacker" News probably sets off some red flags somewhere anyway.

~~~
scrollaway
You're on their list for that comment alone.

The TLDR of the situation is that you shouldn't worry about what the NSA flags
you as. They flagged everyone. Just assume you're on their list because you
probably are anyway.

~~~
kissickas
The Snowden releases have done exactly that - in a perverse way, they make me
take many more risks online. "Everything I do is already being tracked, so I
might as well search for that new Daesh (IS) video."

~~~
Goopplesoft
Yikes, it really irks me that this sort of deserved paranoia is what we've
come to...

------
netheril96
Maybe there are not many Chinese here on ycombinator, but Tor is mainly used
by us to bypass the Great Firewall. And I do not mean to read articles or
profess opinions that are antithetical to the Chinese government, but simply to
access many useful resources. Many tech blogs are blocked, for example,
because they are hosted on blogspot.com.

For me, at least, I don't really care about security, but usability and
stability.

~~~
TazeTSchnitzel
Would you get in trouble with the government if they knew you circumvented the
firewall?

~~~
gedrap
They already know and don't seem to mind a lot. They just disable all VPN
traffic, etc. during sort of special political periods, e.g. the Tiananmen
Square events anniversary.

~~~
kaybe
It is probably better for the government to know how it is done so it can be
stopped at will, rather than the people in question constantly finding new
ways.

------
guipsp
I really like the style guide of MEEK.

[https://trac.torproject.org/projects/tor/wiki/doc/meek#Style...](https://trac.torproject.org/projects/tor/wiki/doc/meek#Styleguide)

------
WhitneyLand
Really nice to hear about out-of-the-box uncensored web browsing in China.
It's probably only temporary in the ongoing cat and mouse game, but still good
to have the win.

------
edwinyzh
I'm not sure if I was doing anything, but it failed to connect to the Tor
network (both direct and bridged mode) in my country - China...

~~~
dobbsbob
Try connecting to an obfsproxy3 bridge:
[https://www.torproject.org/projects/obfsproxy.html.en](https://www.torproject.org/projects/obfsproxy.html.en)

Can get bridges here:
[https://bridges.torproject.org/bridges?transport=obfs3](https://bridges.torproject.org/bridges?transport=obfs3)

------
caio1982
Can someone running an exit node in Brazil comment on how difficult it is (if
it is at all) to do so given crazy local cable companies and the country's
legal system? Any troubles so far? Worth the risk?

~~~
rcamera
I didn't have the guts to deal with all the possible legal problems that an
exit relay could spawn, and no lawyers I could find could help me with that
question.

I suggest you run a non-exit relay instead, like I did for almost a year (at
home). About to put it up again, after 3 months offline, now that I got better
hardware to do it. Didn't have any trouble from my ISP, which was Tim, but I
think that the biggest reason for that is that they are new in the business
and they are trying to make things as painless as possible. It was a heavy
traffic relay, I was limiting it to 4GB per day up/down bandwidth, which is
quite a lot, and never heard any complaints from Tim.

~~~
caio1982
Thanks!

------
geekam
Question: What are the benefits one gets to run a Tor exit or relay node? Is
it a plain humanitarian deed or is there anything for profit as well, even a
minor one?

~~~
devicenull
You get to respond to a continuous stream of DMCA and abuse complaints!

~~~
middleclick
I don't know how true this is. I have talked to someone who runs one of the
bigger exit nodes and he said that he used to get barely one or two abuse
complaints in months.

~~~
devicenull
We have customers that try to run exits from time to time. We can usually tell
pretty quickly, because the abuse complaints start coming in within a few
days.

It seems that if you _don't_ run the limited exit policy, you'll be hit with
DMCAs pretty much instantly.

If you _do_ run the limited exit policy, you'll get hit with abuse
notifications (you hacked my site, you're posting spam, etc) pretty quickly.
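A "limited exit policy" of the kind devicenull describes is expressed in torrc with ExitPolicy lines; the fragment below is an added illustration, not from the thread or the Tor project, and the port list is a constructed example rather than any official recommendation:

```text
# torrc fragment (constructed example): exit only on a short list of
# common interactive and web ports; refuse everything else.
ExitRelay 1
# SSH
ExitPolicy accept *:22
# DNS
ExitPolicy accept *:53
# HTTP and HTTPS
ExitPolicy accept *:80
ExitPolicy accept *:443
# IMAPS and POP3S
ExitPolicy accept *:993
ExitPolicy accept *:995
# Rules are matched in order, so this final catch-all rejects every port
# not listed above (including the high ports file-sharing clients use).
ExitPolicy reject *:*
```

Rules are evaluated top to bottom and the first match wins, so the catch-all reject must come last.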

------
arj
The ability to update easily is a very nice addition.

~~~
Cakez0r
And a nice attack vector.

