
Tor Browser 9.0 - htfy96
https://blog.torproject.org/new-release-tor-browser-90
======
darth_skywalker
>> As usual when preparing Tor Browser releases, we verified that the build is
bit-for-bit reproducible. While we managed to get two matching builds, we
found that in some occasions the builds differ (we found this happening on the
Linux i686 and macOS bundles). We are still investigating the cause of this
issue to fix it.

I find this quite fascinating. Does anyone have any ideas for how this could
happen? My understanding was that if you run the same compiler on the same
code, you get the same executables. What could be going on?

~~~
esotericn
[https://reproducible-builds.org](https://reproducible-builds.org) is a good
resource on this.

There are many, many reasons why a build process may not produce reproducible
output. Timestamps and unordered maps are two of the more trivial examples.

~~~
cjbprime
Another common one: (temporary) directory paths in debug symbols.

------
blfr
How do I quickly check if my Tor Browser is up to date without the Onion
button?

Either I'm getting old or I'm using too many different systems and programs
because these little UI changes start to bother me.

~~~
aasasd
Depending on your system, the properties of the app may have the version,
without even opening the browser. I.e. ‘Get info’ in OSX, ‘Properties’ in
Windows. Dunno about Linux, but in that case people are likely to use package
managers instead anyway.

------
agumonkey
Dont be surprised by the letterboxing

~~~
dddddaviddddd
> Tor Browser in its default mode is starting with a content window rounded to
> a multiple of 200px x 100px to prevent fingerprinting the screen dimensions.
> The strategy here is to put all users in a couple of buckets to make it
> harder to single them out. That worked so far until users started to resize
> their windows (e.g. by maximizing them or going into fullscreen mode). Tor
> Browser 9 ships with a fingerprinting defense for those scenarios as well,
> which is called Letterboxing, a technique developed by Mozilla and presented
> earlier this year. It works by adding white margins to a browser window so
> that the window is as close as possible to the desired size while users are
> still in a couple of screen size buckets that prevent singling them out with
> the help of screen dimensions.

~~~
Ajedi32
IMO they should whitelist a couple common resolutions. 1920x1080, for example,
is extremely common and probably doesn't need to be letterboxed to avoid
fingerprinting.

~~~
tfha
Nah sometimes you need to resize manually read a webpage. Gotta keep usability
at least a little bit. Letterboxing I think is a good compromise

~~~
Thorrez
I don't think Ajedi32 disagrees with you. I think Ajedi32 is saying that in
addition to the all the resolutions that are a multiple of 200x100, a few more
resolutions should be allowed, such as 1920x1080.

------
ape4
Try the BBC News (mentioned the other day) at Bbcnewsv2vjtpsuy.onion

~~~
dewey
When I click on "Sport" there it redirects me to
[https://www.s5rhoqqosmcispfb.onion/sport](https://www.s5rhoqqosmcispfb.onion/sport)
and it just loads a blank page. I guess that's a bug on BBC's side?

------
octocop
More people should use tor

~~~
unicornporn
For normal browsing it is almost unusable thanks to Cloudflare's reCAPTCHA
(autonomous vehicle training) use.

~~~
Ajedi32
How is it with Privacy Pass? [https://support.cloudflare.com/hc/en-
us/articles/11500199265...](https://support.cloudflare.com/hc/en-
us/articles/115001992652-Can-I-use-Privacy-Pass-with-Cloudflare-)

~~~
Boulth
It doesn't have any significant effect in my experience. Maybe it's my
browsing habits that I frequently visit a large number of sites that are new
(think sites linked from HN).

------
JumpCrisscross
Does this fix any of tptacek’s issues with the Tor Browser?

~~~
cpeterso
I don't think so. IIUC tptacek's concern is that the Tor Browser is a
monoculture: Tor Browser users are running the same version and thus all
vulnerable to the same exploits. Or were there other concerns?

[https://news.ycombinator.com/item?id=13623821](https://news.ycombinator.com/item?id=13623821)

------
hartator
It's working way better than a couple of years ago. Even Google seems to load.
Congrats!

------
aasasd
> _Clarified the amount of locales we support. It 's 32_

Wait a minute, does TB use a 5-bit number to enumerate the locales? You'd
think that nowadays they would opt for something larger.

------
user7261
I would love to use Tor but I don't want to touch anything illegal. Ever. Is
it possible?

Is there some index, directory or search engine curated with this in mind?

Edit: I didn't mean to make anyone feel offended and I sorry. I will take more
care when asking questions like this in the future. Thank you all for your
compression

~~~
gatherhunterer
The fact that you are afraid of a free and open internet is depressing.

~~~
user7261
I'm sorry, it's was not my intention to depress you.

Actually, the fact is I what to be able to advocate for Tor to friends and
family in the future. Too much? Viable?

~~~
mkl
You seem to be a bit confused about what Tor and the Tor Browser are. Tor
Browser is just a web browser with extra anonymity and tracking avoidance
features (in the browser itself, and because it sends traffic through the Tor
network). You visit sites you like and avoid sites you don't like, exactly
like any other browser. It's not guaranteed to be anonymous: any sites you
visit can record and track much of your behaviour there (just like with normal
browsers), but third parties can't as easily snoop. Websites with .onion
addresses are more resistant to tracking, as your traffic doesn't need to exit
the Tor network to get to the destination, but Tor Browser can access most
normal sites too.

I suggest you just try it.

It depends how much your friends and family care about anonymity online,
because individual people's browsing behaviour can be unique and trackable - a
browser cannot magically hide that. To really be confident of hiding
successfully you need to do a lot more, and few people really need to or can
be bothered.

E.g. I sometimes use the Tor browser at work to check whether local pages are
accessible from outside the local network. There I don't care about anonymity,
I just want a connection appearing to come from outside.

~~~
Thorrez
> any sites you visit can record and track much of your behaviour there (just
> like with normal browsers)

Tor Browser hides some of your information. For example it hides your IP
address (that's the whole point of Tor). There are some other anti-tracking
things built in.

> Websites with .onion addresses are more resistant to tracking

Tracking you or tracking the site? The point of .onion isn't to give the user
any more protection, it's to give the website protection. With a .onion site
you are unable to find the website's IP address.

~~~
mkl
>> Websites with .onion addresses are more resistant to tracking

> Tracking you or tracking the site? The point of .onion isn't to give the
> user any more protection, it's to give the website protection. With a .onion
> site you are unable to find the website's IP address.

True, but that's not why the BBC, Facebook, etc. have .onion hosts. I was
thinking of the user, since the traffic between a Tor exit node and an open
web server is exposed (modulo HTTPS).

