
Tor Browser 6.0 is released - ashitlerferad
https://blog.torproject.org/blog/tor-browser-60-released
======
deftnerd
I'm excited that they're now based on a Firefox branch that supports
Subresource-Integrity. This allows websites to add hashes of externally called
resources, like JS or CSS files, to let the browser determine if they've been
modified.

~~~
runeks
I'm very happy to hear this practice has become reality. It just seems so much
more convenient to refer to all these JS/CSS blobs with a universally unique
ID (a hash), rather than whichever CDN the developer has chosen to use. As an
ID, a 32 byte cryptographically secure hash really is practically the same as
[http://somecdn.com/somejslib/v0.1.js.min](http://somecdn.com/somejslib/v0.1.js.min),
except that only a single ID exists for each "shared object", plus the ID can
be derived deterministically from the object it refers to.

Perhaps each CDN could have a symlink in its root directory with the hash of
each file it serves, redirecting to that file. Then you'd be able to find any
file by its hash as long as you have the CDN host name.

EDIT: I see now this is a security measure (protection against a hostile CDN),
rather than a way to avoid dependence on a single CDN. I hope what I suggest
is still possible though.
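
An added example, not part of the thread: the Subresource Integrity check described in the two comments above, sketched in Python. It builds the `integrity` token from a file's bytes and then decides, as a browser would, whether a fetched body may be used. The function names, the `cdn.example` URL and the sample bytes are constructed for illustration.

```python
import base64
import hashlib

# Hash functions the SRI spec defines, ordered weakest to strongest.
STRENGTH = ["sha256", "sha384", "sha512"]

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build one integrity token: '<alg>-<base64 of the raw digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def parse_integrity(attr: str) -> dict:
    """Group the digests in an integrity attribute by algorithm."""
    parsed = {}
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in STRENGTH:
            continue  # unknown or malformed tokens are ignored
        # Drop any trailing ?options before storing the digest.
        parsed.setdefault(alg, []).append(rest.split("?", 1)[0])
    return parsed

def integrity_ok(body: bytes, attr: str) -> bool:
    """Decide whether a fetched body matches the integrity attribute."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata means no check is enforced
    strongest = max(parsed, key=STRENGTH.index)
    actual = sri_value(body, strongest).split("-", 1)[1]
    # Only digests of the strongest listed algorithm count.
    return actual in parsed[strongest]

# Constructed sample data: a tiny "library" and a modified copy of it.
LIB = b"function greet(){return 'hi';}\n"
TAMPERED = LIB + b"/* injected */"

if __name__ == "__main__":
    attr = sri_value(LIB)
    print(f'<script src="https://cdn.example/lib.js" integrity="{attr}" '
          'crossorigin="anonymous"></script>')
    print(integrity_ok(LIB, attr), integrity_ok(TAMPERED, attr))
```

Two details matter when deploying this: an attribute that lists only unsupported algorithms enforces nothing, and when several algorithms are listed only the strongest one is compared.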

------
subliminalpanda
Are there any privacy concerns if the uBlock Origin extension is used with the
Tor Browser?

~~~
omginternets
I'm not an expert in the field, but my understanding is that you can be
(partially?) fingerprinted based on the ads you (fail to) download. I also
believe such partially discriminating information can be combined with other
patterns (time at which you connect, sites visited, etc) to compromise your
privacy.

I have no idea if this is problematic in practice, though.

~~~
Santosh83
Considering that Tor Browser users would also on the whole want to probably
filter ads to improve their already slow latency, I'm hoping the Tor and
µBlock devs can get together and standardise µBlock on all Tor Browsers with a
preselected list of filters, which should reduce the ability to fingerprint by
analysing the downloads of ads, at least within the set of all Tor Browser
users.

~~~
Freak_NL
> µBlock

Just 'uBlock Origin'. You are probably mixing up the names of _µTorrent_ and
_uBlock Origin_.

~~~
Santosh83
Nope. But I did mean uBlock Origin and instead hastily left out the "Origin"
part of its name, which can lead to confusion with the uBlock extension
maintained by another developer. Most people though seem to prefer uBlock
Origin and that's what I use too. The spellings uBlock and µBlock seem to be
used interchangeably on different pages and sites although undeniably uBlock
seems by far the commoner variant.

------
secfirstmd
Just clicked on this link from Heathrow Airport public wifi and got a
certificate warning:

[https://twitter.com/roryireland/status/737626851749679105](https://twitter.com/roryireland/status/737626851749679105)

~~~
Cakez0r
Airports usually do SSL MITM so they can inspect the traffic. Or they redirect
all addresses to a hotspot sign-in page until the user signs in.

~~~
themartorana
Really wish this was illegal or SSL didn't have such a gaping vulnerability.

~~~
mikegerwitz
There is no gaping vulnerability.

The user will be presented with a certificate error (or denied outright,
depending on the browser). If the user decides to add an exception, only then
will a handshake succeed and the MITM be possible (in this particular
scenario).

~~~
developer2
If one doesn't understand exactly how TLS works, this is the usual question
regarding MITM. If there is "end-to-end encryption", _just how exactly_ is it
even possible to do MITM? In an ideal world, it just wouldn't be possible.

With the existing system, certificate "errors" that are really just "warnings"
should not be allowed to be bypassed. The fact that certificate errors can be
ignored is something that should never have been allowed to take place.
Unfortunately, the historical fact that legit certificates were inexcusably
expensive to obtain for internal/test projects meant that self-signed
certificates became commonplace.

We're waiting for a genius to come up with a new strategy for encryption that
doesn't rely on trust being determined by a third party entity (ie:
certificate authorities). Letsencrypt is nice and all, but it's still just a
free workaround for a system nobody really wants. "It's not possible to do it
any other way" is just pseudo-speak for "nobody has invented a better way
yet".

Why the strategy for encryption has relied on public/private keys for so long
with no real alternative strikes me as odd. After 30+ years, nobody has
thought of something else?

~~~
schoen
If sites use HSTS, browsers won't allow users to bypass the errors. See
section 12.1 of RFC 6797:

[https://tools.ietf.org/html/rfc6797#section-12.1](https://tools.ietf.org/html/rfc6797#section-12.1)

So you can encourage people to use HSTS and then get part of that behavior at
least for individual sites.

~~~
developer2
The HSTS preload list (referring primarily to Chrome's, which is also included
by other vendors) in particular is something I find really strange. The
current domain owner adds the domain to the HSTS preload list. That domain
then expires or is released by that owner, without them requesting its removal
from the preload list. Then someone else buys the domain without having
planned to use SSL/TLS.

The result? Weeks, even months, of not being able to use the domain without
encryption, all because _someone else_ previously had the domain added to the
HSTS preload list. Removal from the preload list is by request only; there is
no automation in place to detect the lack of an HSTS header to mean that the
domain is no longer to be considered a participant. Even worse, the request to
be removed can take an indeterminate amount of time to be disseminated to end
users of the browser. The preload list is not pushed to clients via something
like a daily digest; the list is hardcoded into releases of the browser. This
means it can take an absurd length of time to see a domain removed from the
list, as it depends on every individual user updating the browser to the
latest version, and only once the vendor even gets around to updating the
hardcoded list in a given release to include your domain's removal.

How such a mechanism was ever acceptable is beyond me. Domain ownership is
technically fluid, and yet the implementation was designed in such a way as to
assume that domain ownership never changes.

~~~
nitrogen
_How such a mechanism was ever acceptable is beyond me._

They probably wanted to encourage the new owner to use TLS as well.

~~~
developer2
That makes little sense. Far more likely they just didn't take into account
the fact that not every domain is a long-term "google.com" owned by a single
entity for its lifetime.

------
akerro
Could anyone elaborate why tracking protection was removed?

[https://trac.torproject.org/projects/tor/ticket/17167](https://trac.torproject.org/projects/tor/ticket/17167)

~~~
TazeTSchnitzel
As mentioned in the ticket, Tor is opposed to filter lists:
[https://www.torproject.org/projects/torbrowser/design/#philo...](https://www.torproject.org/projects/torbrowser/design/#philosophy)

Firefox's “Tracking Protection” is one of these.

~~~
akerro
That's stupid and inconsistent, I read the ticket and philosophy section. At
the same time they add 3rd party NoScript extension that blocks JS, suggest to
turn it on to 'safe' level that breaks 80% of websites and a lot of
functionality on other websites, and they remove core functionality that
blocks tracking, improves security and privacy and breaks less sites...

------
martin1975
Might be the only one here, but I'm looking forward to a day when Tor Browser
is Servo based.

~~~
thiht
What would be the advantages for Tor Browser?

~~~
martin1975
too many to list.

------
needusername
> But for a while now Disconnect has no access to Google search results
> anymore which we used in Tor Browser. Disconnect being more a meta search
> engine which allows users to choose between different search providers fell
> back to delivering Bing search results which were basically unacceptable
> quality-wise. While Disconnect is still trying to fix the situation we asked
> them to change the fallback to DuckDuckGo as their search results are
> strictly better than the ones Bing delivers.

Ouch

------
djsumdog
Tor/Mozilla still haven't gotten the FBI to reveal how they pulled off their
most recent Tor attack, have they (not the CMU one, but the kiddy-fiddlers
one)?

Many have put forth those users were using Flash, plugins or were convinced to
download and execute something, but we don't know, do we? And until developers
do, the Tor Browser bundle could have a vulnerability that could compromise
its main purpose.

~~~
nikcub
Firefox exploit similar to the 2013 attack[0]

The zerodium price list has Firefox 0day at $30k[1] a pop - compared to $100k+
(today ~$1M) for Chrome

The long term solution for Tor Browser is to build on Chromium + Containers/VM
+ Isolating proxy

[0] [https://www.wired.com/2013/09/freedom-hosting-fbi/](https://www.wired.com/2013/09/freedom-hosting-fbi/)

[1] [https://www.wired.com/2015/11/heres-a-spy-firms-price-list-f...](https://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/)

~~~
e12e
> The long term solution for Tor Browser is to build on Chromium +
> Containers/VM + Isolating proxy

Surely text-mode gopher would also be more secure? (Only half-joking)

~~~
nisa
> Surely text-mode gopher would also be more secure?

I guess early nineties, late 80s network C code is wonderful for security!
On the plus side it leaves less to audit. And you rewrite it in a secure
language.

------
robinduckett
I often wonder why Tor is bundled within Firefox, would it not be easier to
release an app that changes the proxy settings / network routing at a system
level?

That would let you use your preferred browser, rather than being forced to use
the browser Tor chose to bundle.

~~~
onecooldev24
Also you won't be able to access .onion sites.

~~~
y7
I don't think this is true. See
[https://www.torproject.org/docs/faq.html.en#AccessHiddenServ...](https://www.torproject.org/docs/faq.html.en#AccessHiddenServices):
any SOCKS4a capable browser should work.

------
vaadu
How do you deal with corp computers that quarantine tor.exe with something
like McAfee? I can copy in a renamed version of tor.exe but I'm not sure what
file(s) to change to use the new filename.

~~~
sudojudo
Boot to a live CD/USB based OS.

Keep in mind that even outside of a corporate environment, Windows is not
private.

------
iamgopal
In an alternate world, where Tor is a dominantly used browser, how will a
hypothetical Google work? (i.e. autonomous content discovery?)

~~~
kerkeslager
There's nothing hypothetical about tor search engines. A small list can be
found here:
[http://www.thehiddenwiki.net/deep-web-directories-search-eng...](http://www.thehiddenwiki.net/deep-web-directories-search-engines/)

------
elsen
Tor Browser... You mean Loki?

------
Razengan
It's still super slow, as in the UI (especially the scrolling) on OS X on a
Retina Macbook (Early 2015). I wonder if it's my DownThemAll add-on.

~~~
na85
> OS X on a Retina Macbook (Early 2015).

Why do apple users do this? Do you really not know what's under the hood of
your macbook? Honest question.

~~~
ajoy39
Sure I do. So, likely, do you and most other people reading it, or at least
have a general idea. So what's the point of typing out my specs? Should I also
type out the specs of my Nexus 6P or just tell you I have a Nexus 6P?

~~~
na85
I don't memorize the specs in Apple products, so I actually have no idea
what's under your laptop's hood.

I can tell you that my thinkpad is an i7 with 16GB of memory, so if it ran
slow on my machine I'd blame the browser.

My point was that you spend just as many keystrokes to tell the reader it's a
late 2015 model macbook pro as you would to type out "i5/8GB" or whatever, but
the phrase "late 2015 macbook" means literally nothing to some readers.

------
mtgx
It's a shame Firefox still lacks sandboxing even in version 45, even though
they've been promising it for version 42 or 43. I hope Mozilla does end up
making a new browser in Rust, so Tor could use a safer platform.

