
Tor Browser 9.5 - ASVVVAD
https://blog.torproject.org/new-release-tor-browser-95
======
elliekelly
I downloaded the Tor Browser a decade ago, maybe even longer, in an effort to
be privacy conscious. I used it here and there but I never made the switch to
using Tor by default. Some time later I remember reading the US government was
tracking people, or had a list of everyone, who had simply downloaded Tor. I
also vaguely remember reading about how using Tor could potentially expose you
to legal risks because of the way the information hops between user computers.
I don't really know much about networking or the nitty gritty of how Tor works
so I uninstalled it.

I don't know if any of that was true and even if it was I'm sure a lot has
changed with how Tor handles privacy and directs traffic. Are there any good
resources for average Joe internet users to read about how the browser works
so I can better understand the risks/rewards?

~~~
crdrost
I mean there are a lot of resources but they are at a very high level. I don't
think much has changed.

The basic idea is that with Tor, you make HTTPS connections to the "tor
relay", a network of volunteers who route your traffic around the world to
make it hard to track. You can use Tor in two ways: you can join the relay
network and route traffic for others, or you can just use the browser and make
queries. If you do decide to join the relay network you have an additional
decision about whether you will be an "exit node", one that does the final
request to the destination website and thus appears to be the initiator of the
request. This is an option because it can be difficult on home internet
setups: if someone uses your exit node to post a lot of stupid crap to Reddit
and Reddit tries to IP-ban them, then you are suddenly IP-banned from Reddit
at home, because you ran the exit node.

If you are just a user then the only thing you need to know is that there is a
price for your privacy, which is that routing your traffic all the way around
the world takes a little more time than sending it straight to you, and this
has two effects -- a latency jump which exists basically no matter how big the
network gets, and a slowdown in your bandwidth which depends on how big the
network is relative to the number of people trying to browse with it.

~~~
zodiakzz
How is malicious interference by exit nodes prevented for plain-text HTTP
requests?

~~~
mrlala
I would have to say "it's not".. anything non-encrypted you risk being
manipulated by a node of the TOR network. I bet there are people who act as
relays just to try to sniff out any good non-HTTPS traffic.. although, I
suppose generally anyone using TOR is mostly aware of this so there's probably
not that much to gain.

Complete side note.. but this just reminds me of back when I was in college in
the late 90s, and our entire apartment building's traffic was on a hub (not a
switch).. so I had a packet sniffer running for fun on Linux and could see
everything from everyone's internet since every single packet was routing to
every machine on the network, and lots of stuff had no encryption... nuts to
think how open stuff was back in the day.

~~~
justinclift
Pretty sure some switches (to this day) can be tricked into doing similar, e.g.
send them a few specially crafted packets, and they fall back into
broadcasting ~everything like a hub for some period of time.

Not from the point of view of "legal intercept" stuff, more like "switch gets
confused and doesn't know how to route, so broadcasts as a workaround".

------
junon
> For the first time, Tor Browser users on desktop will be able to opt-in for
> using onion sites automatically whenever the website makes them available.

Good. This is, in my opinion, one of the bigger pain points of the whole Tor
experience.

I don't personally think the problem is with understanding how onion addresses
work (I've explained them to my mother and she understands the concept pretty
easily), it's just the user-experience that has always been kind of a pain -
even for people that use Tor often and understand it well.

I don't use the Tor browser for a number of reasons, so I can only hope other
browsers follow suit.

------
mindfulhack
At a certain philosophical / high level, I don't like the idea of the 'human-
memorable names' .onion feature.

It's politicising software. Open-source software should never have an
official, hard-coded opinion about any of the content findable through it.

I've seen the Firefox org increasingly do similar things when reading their
email newsletter. It even stopped me donating to Firefox.

A core idea of Tor is to not censor. When you give special access to some
sites, it feels like the opposite of net neutrality. That is on the censorship
spectrum.

I guess it's not too bad if they never block any content at the protocol or
software level, but at some point, giving certain content privileged features
at the software/protocol level is a two-edged sword. It means you're forced to
_deny_ supporting other content.

Indeed, once Tor starts having an official opinion about online content at the
browser level, who's to stop people starting to pressure Tor to block certain
content, since they're basically starting to be in that realm now? It can be a
slippery slope.

I'd prefer at the very least it be toned down to a third party add-on. It's
great to make onion sites easier to access, of course. But it should be in a
way that doesn't involve political or legal barriers for content creators.

---

BTW, I highly encourage anyone with a Linux box at home just sitting there
24/7 to start an obfs4 bridge relay. It's not that hard, and low on resources.
The #tor-relays IRC channel is extremely helpful in getting you set up.

I've been running one for about a year and it's provided tens/hundreds of GBs
of Tor Internet to people hopefully in Asia, South America, and the Middle
East - protesters who really, really need some help in anonymization or
gaining access to blocked content.

------
MintelIE
I use Tor Browser for most of my day to day browsing to foil all the non-
governmental corporate botnet spying. Of course I’m under no illusions that it
secures you against the government. But I don’t do anything naughty so I’m not
worried.

~~~
shadowprofile77
Why do you think it fails as basic security against the government? Honestly
curious. And what would you suggest instead. To my knowledge many dissidents
and activists around the world are specifically using TOR because it
supposedly does indeed provide protection against government tracking.

~~~
MintelIE
It’s literally funded and made by the NSA.

Dissidents and activists have been busted using Tor and there’s always a
friendly government damage control agent ready to pop up (any forum, any time
of day) to remind people that Tor couldn’t possibly be backdoored or owned, it
was always some other type of thing they used in parallel construction.

Over-shilling is what clued me in. You don't get this kind of response
without a massive panopticon dispatching reputation managers. Why the heck
would the NSA write NSA-proof software? LOL.

EDIT: this is in reply to mapgrep and his crew:

Did I say I won't use Tor Browser? Is it really necessary to put words into my
mouth to make your point? I've noticed this a lot with people who are very
very lightning fast, almost unbelievably fast, to defend Tor on any forum or
platform on the Internet. The speed at which it occurs, and the typical over-
the-top, rude, and unnecessary attempts to make people seem to say things they
100% have not.

You should apologize. Obviously the NSA has broken Tor, they made it. Forget
about current funding, where'd it originate?

And why does the Tor Project publish a list of exit nodes?

~~~
pfundstein
AES which is _the_ encryption standard for asymmetric crypto and used
_everywhere_ (including by the gubment) was designed by the NSA. So what's
your point?

~~~
dependenttypes
> is the encryption standard

Some others (such as chacha20) are pretty popular too. This is the only cipher
used by wireguard and one of the ciphers used by ssh and tls.

> was designed by the NSA

No it was not. It was designed by two Belgian cryptographers (the same ones
that did SHA3).

> for asymmetric crypto

Symmetric

No offence but you seem quite clueless.

~~~
pfundstein
Fair enough, but my point against the tinfoil hattery still stands; just
because the gubment was involved with its inception doesn't mean it has
backdoors.

------
SparkyMcUnicorn
"Onion Location" and "Onion Names" are very welcome improvements.

Not having memorable names makes it tough for people that use a non-persistent
OS for Tor. I'm all for creating more accessible URLs.

~~~
Ajedi32
On the topic of using Tor with a non-persistent OS, what I'd really like to
see on that front is a federated encrypted bookmarking sync service integrated
into the browser. Would be really neat if you could "sign-in" to the browser
using a human-memorizable identifier to restore bookmarks and other settings.

Obviously that opens up additional attack surface for de-anonymization
attacks, but I think it could be done reasonably securely given sufficient
effort. (Hashing and key-stretching the login credentials, fetching bookmarks
over a separate Tor circuit, storing the encrypted payload in a distributed
database rather than a centralized server, etc.)

Done right, a system like that could potentially even lead to an open standard
for synchronizing bookmarks, passwords, and other settings across different
browsers.

~~~
firethief
Firefox Sync meets all the criteria you've described, except I don't think it
has automatic Tor integration.

~~~
Ajedi32
Firefox Sync is federated? I only ever saw an option to sync using my Firefox
account. (Which is a non-starter for Tor; since my Firefox account is tied to
my email address.)

I also didn't realize it was an open standard. Are there any other
implementations besides the one in Firefox? I couldn't find any information on
that.

------
catsdanxe
I'm amazed how well YouTube works when using Tor. I would have assumed it
would vomit captchas like the rest of Google but it doesn't.

~~~
justinclift
Youtube works for you using Tor?

It's never worked for me. Just shows a page with the Noscript "this is being
blocked" logo.

Maybe you turned off Noscript?

------
yasoob
Gives me a "You are not authorized to access this page." response :/

Edit: nvm it is working now.

~~~
coronadisaster
same for me: Gives me a "You are not authorized to access this page." response
:/

but you might start to get downvoted on HN when this gets fixed

~~~
markshepard
It is working now.

------
m-p-3
That will make discovery of hidden services much easier, this is great!

~~~
ASVVVAD
Indeed, this will help avoid scams too!

------
StavrosK
The Onion site autodiscovery has never worked for me when using Cloudflare's
Onion routing. My sites (e.g.
[https://www.pastery.net/](https://www.pastery.net/)) include an alt-svc
header, yet the browser never prompts me to switch to it. It does work for
ProPublica, but not for my sites for which I have CF's Onion Routing enabled.

Has anyone else had this problem (or had this work)?

~~~
Hello71
according to the blog post, alt-svc enables _invisible_ onion services, which
have been supported "for years". this new release enables "Onion Location",
which is apparently presented in the address bar.

~~~
StavrosK
Oh hmm, I thought those were the same. I did think this has been supported for
years, though I've never seen any indication that my browser is actually using
the Onion service.

------
superkuh
Anyone know what the HTML is for adding my onion address to my page for people
visiting from the normal web entrance? I looked through the changelog for the
bit about this auto-detection but didn't see it. Is it some sort of link tag
thing in the <head> like,

    <link rel="alternate" title="my site but on tor" href="superkuhbitj6tul.onion" />

~~~
ASVVVAD
It's HTTP headers not HTML as far as I could tell.

The article didn't say the exact name of the header but it mentions
support.torproject.org uses it so looking into its headers:

    $ curl -I https://support.torproject.org/
    [redacted]
    Onion-Location: http://4bflp2c4tnynnbes.onion/index.html
    [redacted]

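As an added example (not code from this thread or from the Tor Project), the following Python shows both sides of that header: what a client should check before offering the Onion-Location target, and the header line a site operator emits. The sample response head is constructed and reuses the onion address from the curl output above; the checks (page fetched over HTTPS, header present once, target host a well-formed 16- or 56-character .onion name) are my own defensive rules, mirroring Tor Browser's documented HTTPS requirement.

```python
import re
from urllib.parse import urlsplit

# v2 onion hosts are 16 base32 characters, v3 hosts are 56; both end in ".onion".
_ONION_HOST = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Constructed sample response head (not captured output), reusing the onion
# address the curl call above reports for support.torproject.org.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Onion-Location: http://4bflp2c4tnynnbes.onion/index.html\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.x head into {lowercase-name: [values]}."""
    headers: dict = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def is_onion_url(url: str) -> bool:
    """True only for http(s) URLs whose host is a syntactically valid .onion."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(
        parts.hostname and _ONION_HOST.match(parts.hostname))

def onion_location(raw_response: str, page_url: str):
    """Return the Onion-Location target a client may offer, or None.

    Honoured only if the page itself came over HTTPS (on plain HTTP an exit
    node could inject the header), the header appears exactly once, and the
    value is a well-formed .onion URL.
    """
    if urlsplit(page_url).scheme != "https":
        return None
    values = parse_headers(raw_response).get("onion-location", [])
    if len(values) != 1 or not is_onion_url(values[0]):
        return None
    return values[0]

def onion_location_header(onion_url: str) -> str:
    """Header line a site operator adds (in the web server config, not HTML)."""
    if not is_onion_url(onion_url):
        raise ValueError(f"not a valid .onion URL: {onion_url!r}")
    return f"Onion-Location: {onion_url}"
```
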
~~~
superkuh
Thanks! That was easy to implement.

------
modzu
Brave browser has a "tor private window". Such a great idea, since most people
don't realize a private window is only private to their own browser. Anyone
know how updates to Tor affect Brave? It seems crucial it is kept up to date.

~~~
ASVVVAD
Updates to the Tor library most likely get picked up in Brave (if they care
about its security); updates to the Tor Browser mostly shouldn't affect it
unless they like a feature and want to add it.

------
techntoke
Has anyone had any luck or done any experiments using OnionCat with Multicast?
I've heard people can get 200MB/s+ doing this but potentially sacrificing some
anonymity.

------
Ajedi32
I'm confused about how the human-readable domain names work. Are they just
hard-coding certain addresses in the browser itself?

~~~
renegading
I believe they are being done with rule sets for HTTPS Everywhere which is
shipped with Tor Browser Bundle.

[https://trac.torproject.org/projects/tor/ticket/28005](https://trac.torproject.org/projects/tor/ticket/28005)

------
spurdoman77
Anyone know how exactly this onion site naming scheme works? Will all those
drug markets soon have funkt accessible domains?

------
acgh213
The human readable urls are a nice touch. It's nice to see tor becoming more
user-friendly in the most recent releases.

~~~
ASVVVAD
Indeed! This release promises more focus on usability and that's really great.
Human-readable URLs and .onion headers can help newcomers find their way and
evade scams.

------
youwouldntcar
For what it's worth, Tor has been my default browser for the past 5 years to
'surf' the net and the experience is incomparable from 3 years ago to today,
so much improvement, especially on news sites with the 'Toggle reader view' or
Reddit, Twitter, etc.

Give it a go if your experience wasn't great a few years back.

------
pachico
Why should I use this rather than Brave with Tor option enabled? I'm not being
rhetorical.

~~~
jerheinze
Tor Browser tries to make your browser fingerprint look the same as all other
Tor Browser users; while Brave does have some patches to try to handle that,
it's still very far from what Tor Browser offers.

------
VMisTheWay
I understand the concept of Tor but since the government is actively watching,
it doesn't really fit the use case if I understand correctly.

From a privacy point of view, couldn't you use multiple VPNs?

~~~
kanox
> From a privacy point of view, couldn't you use multiple VPNs?

I don't see what could be gained from nesting VPNs because you're identifying
yourself to the innermost VPN. Tor is designed so that exit nodes don't know
who you are.

~~~
VMisTheWay
Say you did 5 VPNs, you'd need all 5 companies to respond, correct?

I imagine you could pick a few anti-US-government VPNs and at least 1 wouldn't
cooperate.

~~~
kanox
No, just the last one (the one which outputs your traffic).

Assuming it's a commercial VPN it has your billing data and doesn't matter
that you connected to it via another VPN.

------
earth2mars
Wait! The most privacy-centric iOS doesn't support Tor?! But Android does! I
wonder if privacy is just Apple's PR but far from the truth. The speech-to-text
translation also they need to route via their servers. The contractors listen
to recordings of Siri. It's time to unmask Apple's true face.

~~~
blaser-waffle
Who cares if you're supporting Tor when the whole Android platform is a mobile
data collection trap. They own you on the device level.

Yeah you can root the 'droid and ditch the Goog Play Store, but you can
jailbreak iOS.

~~~
thrwaway69
Jailbreaking is harder than rooting though and Apple constantly fixes the
holes, so there's a maintenance cost.

Few Android manufacturers even have instructions to change your ROM or root
the phone. A lot of them support it while Apple doesn't. Android is also open
source so you can push your own changes at OS level and reflash it. You can't
do the same for iOS. You also have control over the hardware more than you do
on iOS - way more easily. Overclocking isn't possible on iPhones.

------
Buetol
My main takeaway is that Tor is introducing a new domain names suffix:
.tor.onion

For information, there was a similar initiative by Namecoin with .bit.onion:
[https://www.namecoin.org/docs/tor-resolution/ncprop279/stemn...](https://www.namecoin.org/docs/tor-resolution/ncprop279/stemns/)

------
Vaslo
Can I please do those horrible recaptchas on TOR browser already?

------
weewee2018
Didn’t they just lay off a bunch of people?

~~~
pixxel
Your comment sounds accusatory; perhaps I read it incorrectly. Yes they had to
let about a third of the team go. The project continues.

