
Tor Browser 8.5 - rahiel
https://blog.torproject.org/new-release-tor-browser-85
======
Izmaki
Allow me to send a big shoutout and my deepest thanks to the maintainers and
volunteers of both the Tor Browser and the Tor Project in general. You make
the world a better place, even if the majority of the population don't realise
they should pay more attention to your work. You're the real MVPs!

~~~
chii
more people ought to use TOR so that the users who _need_ tor gets the
protection of anonymity in a crowd.

If nobody uses TOR, then TOR users immediately becomes suspicious and nothing
prevents the real world investigation from uncovering them.

~~~
Iv
I make everybody smile when I open Tor to watch some technical documentation.
Still gave my boss a pause when I asked him if we were ever going to consider
Google a competitor in any field (which we were in a niche field) and if he
would be comfortable with a competitor owning the search history of all his
employees.

------
dessant
I'm rooting for Mozilla and the Tor Project to uplift Tor into Firefox.
Imagine a world where people need to opt in to get _less_ privacy.

~~~
tomatotomato37
It's interesting, the only way that would work is if they also turn every
browser into a through node, which would be both highly controversial while
also a great boon to the Tor network as a whole

~~~
close04
Using "Tor mode" instead of "private mode" in regular Firefox would be nice.

------
dmos62
Are there any casual users of Tor around? Someone who does it not for the sake
of safety, but just privacy?

I'd happily use Tor, but the last time I used it (which was ~5 years ago), it
was terribly slow for regular browsing (not streaming, or anything considered
bandwidth heavy).

~~~
kodablah
I use it (Tor, not the browser as much) just to bust NAT to my local computer
when sharing stuff. It's so easy to create an onion service that links to a
local web server.

~~~
brokenmachine
Is that just sharing stuff with yourself, or sharing with others, because the
recipient would also need to be using Tor to access it?

------
tptacek
Tor Browser might be the least mainstream safe browser on the Internet:

* It permanently tracks the lagging ESR Firefox.

* It puts its users on Tor, which "anonymizes" them but also flags their traffic as interesting.

* It collapses all those users down to a single set of browser releases, making it cost-effective to target exploits to.

Use Firefox if you really like Firefox, but use the most recent version you
can possibly get. Mozilla's is not the best-hardened browser.

Use Tor if you really believe in Tor. But use it explicitly, not as part of a
browser bundle. Your choice of browser has a significant impact on your
operational security; don't let a bunch of volunteers at Tor make that
decision for you.

~~~
jancsika
> But use it explicitly, not as part of a browser bundle.

I hope you're conflating two issues here.

You surely aren't recommending users who "believe in Tor" install Tor directly
and attempt to manually proxy their favorite browser traffic over it?

Not to say I disagree with your points against using TBB.

~~~
packet_nerd
I do this, using an up-to-date chromium browser proxied through Tor for
regular browsing. I do this instead of the regular Tor browser on the theory
that there's less potential for 0-day exploits.

Of course, this does compromise anonymity a bit in some respects, since there
are probably few people who run chromium on Tor and because it's not as
resistant to fingerprinting as the regular Tor browser. That's acceptable to
me, as I only use that browser on Tor, and use another browser for things that
could potentially leak my real identity.

~~~
cyphar
It also opens you to many subtle mis-configuration bugs that would result in
your anonymity being removed completely. Are you sure you're tunneling DNS
over Tor? IPv6? Are you sure that Chromium isn't phoning home with your real
IP?

Tor Browser (despite its many faults) has lots of patches that are applied in
order to stop these sorts of leaks. If it takes the people who develop Tor to
continually patch Firefox in order to make it actually anonymous, I would
argue you have a worse chance of making it work properly.

~~~
jancsika
> Are you sure that Chromium isn't phoning home with your real IP?

Especially given that Chromium does make startup queries to Google-owned
servers. (Not sure about runtime.) Probably for perfectly reasonable usability
and/or security reasons.

But I agree that Chromium manually proxied through Tor probably looks vastly
superior to TBB when you do a benefit analysis. :)

Edit: added smiley to make what I'm saying slightly more obvious.

------
aunetx
Well thank you, we love you muchhh

------
rishav_sharan
Dear lord, Windows antivir protection has gone full stupid with this.

I am on Win10 and it will not allow me to install it in Program Files. If I
install it in Desktop, it will keep flagging tor.exe as a virus.

After marking 4 times that the Windows Virus and Threat Protection should
restore the exe, i was able to start the browser.

Then the windows antivir went full dystopian mode, and flagged it again. Now
it is asking me to reboot the computer to delete tor.exe from the device.

------
Tinfoilhat666
How is this better than Brave browser?

~~~
DougHaber
Sadly, most of the replies you've gotten are terribly biased or uniformed. It
is a good question. I'm not connected to any of this, so this answer is solely
from my own understanding.

For those that don't know, the Brave browser has Tor tabs, which route through
Tor. It also has the standard private tabs. Tor support currently exists only
on the desktop Brave browser.

Here is the announcement: [https://brave.com/tor-tabs-
beta](https://brave.com/tor-tabs-beta)

Brave has been supporting Tor, and running Tor relays to improve the network.

Brave is newer at the game. They have had Tor tabs less than a year. They can
do fingerprinting protection and no-script, but it's still a full featured web
browser, with a lot of risks. The fingerprinting protection isn't as good as
the Tor Browser, and unless they changed something, Javascript wasn't disabled
by default in Tor tabs.

The Tor Browser has been around for a while and is meant to be a secure web
browser from top to bottom. It has had a lot of development looking to find
and fix possible leaks and to ensure security. That is its primary focus, and
it is pretty good at it.

If you want to use Tor casually, maybe access an onion site, or just get a big
boost in your level of privacy, the Tor tabs in Brave are a nice option. They
are really easy to use and give great privacy. It is good for casual Tor use.

If you want (or need) serious privacy, the Tor Browser is a better choice.
That is its purpose. It is developed to be hardened for protecting the user
and it will provide better protection.

~~~
Vinnl
It is also based on Firefox, and when possible improvements it makes to
Firefox feed back into regular Firefox, strengthening their position in an
ever-less competitive browser market. Not something everyone cares about, but
it could be relevant.

------
HNLurker2
I wish people used the deep web for something besides illegal buying and child
pornography

~~~
cyphar
Less than 3% of Tor traffic is to onion services of any kind (which means 97%
is to websites already accessible on the public internet), and the most
popular onion service on the internet by a large margin is Facebook's
(facebookcorewwwi.onion). More than 2 million people use Tor every day -- are
they all bad people? Heck, government agents use Tor when traveling abroad.

Do bad people do bad things using Tor? Yes. Do political dissidents in
oppressive regimes use Tor? Yes.

However the vast majority of people are just ordinary citizens using Tor to
access the internet -- the cross-section of Tor users is the same as the
cross-section of ordinary internet users.

~~~
dooglius
> the most popular onion service on the internet by a large margin is
> Facebook's

How do you know? It shouldn't be possible to collect this sort of data.

~~~
jandrese
Exit nodes can track which sites are hit to a degree. CDNs make this more
difficult, but it's not too hard to figure out what percentage of your traffic
is Facebook. It also won't work if you're going to the Facebook onion site of
course.

~~~
cyphar
Exit nodes aren't used like that for .onion sites, so they cannot track usage
of .onion sites.

The way it works is that the client and server pick a "rendezvous node" (the
server generates 6 HSDir entries, each with 3 random nodes every day, and the
client picks a random HSDir entry and a random one of those node to use).
Then, they communicate through the rendezvous node which doesn't know who the
client or server are (because both are connected through Tor circuits and
neither reveals the .onion URL that was looked up in the HSDir).

The way the statistics work is that some Tor relays opt-in to sharing
statistics about how many HSDir lookups happened through them, and then those
figures are extrapolated to figure out how many .onion service accesses
happen. The relay doesn't know which service is being looked up, and the
rendezvous node doesn't know which service is being talked to.

~~~
cyphar
(Correction, 3 introduction points and the client picks the rendezvous point
-- so even a compromised introduction point is useless because the node used
for communication is different for all communications.)

