Hacker News new | past | comments | ask | show | jobs | submit login
Tor Browser 8.5 (torproject.org)
181 points by rahiel 25 days ago | hide | past | web | favorite | 94 comments

Allow me to send a big shoutout and my deepest thanks to the maintainers and volunteers of both the Tor Browser and the Tor Project in general. You make the world a better place, even if the majority of the population don't realise they should pay more attention to your work. You're the real MVPs!

more people ought to use TOR so that the users who _need_ tor gets the protection of anonymity in a crowd.

If nobody uses TOR, then TOR users immediately becomes suspicious and nothing prevents the real world investigation from uncovering them.

I make everybody smile when I open Tor to watch some technical documentation. Still gave my boss a pause when I asked him if we were ever going to consider Google a competitor in any field (which we were in a niche field) and if he would be comfortable with a competitor owning the search history of all his employees.

Nitpick, but it’s Tor not TOR

Aren't large internet providers blocking TOR from working or am I confusing that with something else security related being prevented?

I'm rooting for Mozilla and the Tor Project to uplift Tor into Firefox. Imagine a world where people need to opt in to get less privacy.

I'm not. I prefer the Tor Project to make their decisions independently of Mozilla, which has a worse track record in most areas.

Additionally, tor isn't something that every Internet user should be using. I say this because when they get 10 ReCaptchas in a row, then try to log into their bank and have their credit card automatically frozen, then wonder why google search isn't working, then give up and just use Facebook all day anyway, they will definitely not be appreciating the 'anonymity' that we gave them.

The usability drawbacks are there because companies can afford to discriminate against Tor users. Once more people use Tor, it becomes expensive to not support them, and the usability issues present today are solved through innovation.

Regarding decision making, Mozilla integrating Tor into Firefox does not mean that the Tor Project has to give up its autonomy.

The reason to have a Tor browser is that regular browser features aren't well suited to secure anonymous browsing.

The reason to have a regular browser is that you want those features, and the low latency of a direct connection.

It's interesting, the only way that would work is if they also turn every browser into a through node, which would be both highly controversial while also a great boon to the Tor network as a whole

Why would that be the only way it would work? Because integrating Tor into Firefox is currently planned and making clients Tor nodes is not part of that plan.

Using "Tor mode" instead of "private mode" in regular Firefox would be nice.

Are there any casual users of Tor around? Someone who does it not for the sake of safety, but just privacy?

I'd happily use Tor, but the last time I used it (which was ~5 years ago), it was terribly slow for regular browsing (not streaming, or anything considered bandwidth heavy).

I use Tor/Tor Browser quite often. I use it mostly for privacy, but also to test a few thing like price of plane tickets and such.

The speed is much better nowadays. Unless your unlucky and you circuit has a slow node in it (which the protocol try to avoid if i remember correctly), you should have a decent web browsing experience. Sure, it will be slower than your "normal" connection, but usually not by that much.

Although, if you plan on downloading large files via Tor, you will hit a bandwidth cap fairly quickly. You can look in detail here: https://metrics.torproject.org/torperf.html

Available bandwidth quadruple since 2014: https://metrics.torproject.org/bandwidth-flags.html?start=20...

I use Tor fairly regularly, though I am a bit annoyed that the default add-ons on the Tor Browser are so outdated (no uBlock Origin and questionably-set-up NoScript). And if you want to remain anonymous it'd be a bad idea to add new extensions since that changes your fingerprint. The main annoyance is not the bandwidth (it's okay for most things, videos can be a bit painful) but the CAPTCHA you have to keep completing. If I have to see one more photo of traffic lights where the boxes don't line up with the poles I'm going to scream.

Sure. I'm even a casual host of TOR hidden services. Every time I make a clear text website I'll also host a tor hidden service for it. Things like amateur radio sites. In a lot of ways once you get passed the controversy tor is more like the 1990s web than any evil underground. And at least on TOR you own your domain rather than lease it from some entity on a whim.

I use it (Tor, not the browser as much) just to bust NAT to my local computer when sharing stuff. It's so easy to create an onion service that links to a local web server.

Is that just sharing stuff with yourself, or sharing with others, because the recipient would also need to be using Tor to access it?

I use Tor for about 30% of my browsing. Tor is handy if you are doing research on a topic and you don't want to leave too much of a 'data exhaust' or otherwise alert people to the fact that you are interested in certain topics.

I typically stay away from Tor when it comes to online banking or finance in general (logging into Amazon with Tor can raise some red flags for example).

In terms of speed, I have noticed personally that Tor has gotten a lot faster. Sometimes you get a slow circuit and have to spawn a new identity / rebuild a new circuit to get a faster one, sort of like 'circuit roulette'.

The rest of my surfing is for fairly innocuous subject matter and using Tor for it would be overkill. Again, Tor would be handy for privately researching general health issues, sexual health issues, mental health issues, etc

Tor is also handy for recon[0] in general too. For me privacy is how you present yourself to the world, and doing recon[0] in a certain community, or (anonymously) 'lurking' in a community is useful before you re-register an account and start posting as the 'real you'.

[0] https://en.wiktionary.org/wiki/reconnaissance

What do you mean by casual? I use it relatively often, when I want to access a website privately (I don't trust any VPN service that much). I'm pretty sure I'm not the only person doing that.

But maybe you mean if someone using it as the main browsing tool for privacy reasons? This I doubt, since it's indeed slow. I also don't think that Tor is meant to be used as your main browser really.

That's pretty much what I meant my casual -- Tor as main browsing tool.

As a sysadmin I use tor regularly as a easy and free third-party perspective. If there is a problem but it works when I test it, I then go and test in tor in order to eliminate any potential effect in my local network.

Tor is also ipv4 so it is a convenient way to get a ipv4 web view inside a ipv6 enabled network, without having to deal with browser plugins or adjust the interface on the machine.

Tor has had ipv6 exit nodes for at least 2 years.

I use orbot https://guardianproject.info/apps/orbot/ on my phone. I route most of my phone's traffic through Tor and it doesn't impact speed much, granted I mostly use my phone for messaging and not so much for browsing or working.

I use Tor in Android when lunching at Ikea Frankfurt as their free Wlan blocks some news sites such as presstv.com Via Tor I can read all world news while eating.

All the time for everything that is not very personal and sensitive. Youtube is more than fast enough.

Yes, I use it often. My Debian installations use Tor for installing updates. Just as an example.

Tor Browser might be the least mainstream safe browser on the Internet:

* It permanently tracks the lagging ESR Firefox.

* It puts its users on Tor, which "anonymizes" them but also flags their traffic as interesting.

* It collapses all those users down to a single set of browser releases, making it cost-effective to target exploits to.

Use Firefox if you really like Firefox, but use the most recent version you can possibly get. Mozilla's is not the best-hardened browser.

Use Tor if you really believe in Tor. But use it explicitly, not as part of a browser bundle. Your choice of browser has a significant impact on your operational security; don't let a bunch of volunteers at Tor make that decision for you.

Though it's important to note that using Tor directly rather than the browser bundle means that your browser fingerprint is even more distinct than it would otherwise be.

The one time I ever used the Tor Browser (at work, out of curiosity), my desk phone rang within 5 minutes: the in-house IT security team wanted to know what I was doing. So you're not kidding when you say it makes one's internet traffic more "interesting"!

> But use it explicitly, not as part of a browser bundle.

I hope you're conflating two issues here.

You surely aren't recommending users who "believe in Tor" install Tor directly and attempt to manually proxy their favorite browser traffic over it?

Not to say I disagree with your points against using TBB.

I do this, using an up-to-date chromium browser proxied through Tor for regular browsing. I do this instead of the regular Tor browser on the theory that there's less potential for 0-day exploits.

Of course, this does compromise anonymity a bit in some respects, since there are probably few people who run chromium on Tor and because it's not as resistant to fingerprinting as the regular Tor browser. That's acceptable to me, as I only use that browser on Tor, and use another browser for things that could potentially leak my real identity.

It also opens you to many subtle mis-configuration bugs that would result in your anonymity being removed completely. Are you sure you're tunneling DNS over Tor? IPv6? Are you sure that Chromium isn't phoning home with your real IP?

Tor Browser (despite its many faults) has lots of patches that are applied in order to stop these sorts of leaks. If it takes the people who develop Tor to continually patch Firefox in order to make it actually anonymous, I would argue you have a worse chance of making it work properly.

> Are you sure that Chromium isn't phoning home with your real IP?

Especially given that Chromium does make startup queries to Google-owned servers. (Not sure about runtime.) Probably for perfectly reasonable usability and/or security reasons.

But I agree that Chromium manually proxied through Tor probably looks vastly superior to TBB when you do a benefit analysis. :)

Edit: added smiley to make what I'm saying slightly more obvious.

I think you underestimate how widespread ESR Firefox is.

Debian ships Mozilla's ESR releases by default. I'm sure many shops that prefer stability over latest features also deploy ESR. Judging by how often it gets updated it seems to me Mozilla is pretty diligent at backporting fixes.

My wholly-not-representative-for-the-wider-web statistics say approx. 22% of Firefox UAs are ESR release.

If 100% of the user pool for Debian, including all derivative distros (Ubuntu, etc), plus all users of the Tor Browser Bundle all used ESR Firefox, that would still make it a blip in the overall body of user internet traffic.

If you are worried about the security provided by the tor browser then you should be using projects like whonix and tails. Both of them try to block (or redirect it via tor?) all non-tor traffic, which should make it significantly more difficult to mount an attack.

I've been googling a bit and come up with Whonix, Tails and Qubes.

Can anyone advise their opinion on which one would be best to run in a VM? I'm prepared to accept the security compromise of running in a VM, but I do want the ability to store passwords in the browser and save small files in the VM.

Edit: Just signed up for this account over Tor for shits and giggles. Literally my first post and it's dead immediately.

I get that Tor has spammers but I did have to do the captcha to create an account so this seems heavy handed. Seems like there's no way to legitimately post to hn over Tor.

Qubes is a Xen-based virtualization thing, it has nothing to do with tor by itself, you can think of it as a replacement to qemu or virtualbox (but not exactly). Qubes has official support for both Whonix and Tails.

It looks like whonix is what you are looking for, from wikipedia:

> Unlike Tails, Whonix is not "amnesic"; both the Gateway and the Workstation retain their past state across reboots

Cool, thanks for the info. I think I'll try out virtualbox with Whonix.

Some of those posts get autokilled by software, but moderators review them and unkill the legitimate ones. This is how I came across and unkilled yours.

Thanks a lot, dang. I was hoping a mod would see my edit.

Well thank you, we love you muchhh

Dear lord, Windows antivir protection has gone full stupid with this.

I am on Win10 and it will not allow me to install it in Program Files. If I install it in Desktop, it will keep flagging tor.exe as a virus.

After marking 4 times that the Windows Virus and Threat Protection should restore the exe, i was able to start the browser.

Then the windows antivir went full dystopian mode, and flagged it again. Now it is asking me to reboot the computer to delete tor.exe from the device.

How is this better than Brave browser?

Sadly, most of the replies you've gotten are terribly biased or uniformed. It is a good question. I'm not connected to any of this, so this answer is solely from my own understanding.

For those that don't know, the Brave browser has Tor tabs, which route through Tor. It also has the standard private tabs. Tor support currently exists only on the desktop Brave browser.

Here is the announcement: https://brave.com/tor-tabs-beta

Brave has been supporting Tor, and running Tor relays to improve the network.

Brave is newer at the game. They have had Tor tabs less than a year. They can do fingerprinting protection and no-script, but it's still a full featured web browser, with a lot of risks. The fingerprinting protection isn't as good as the Tor Browser, and unless they changed something, Javascript wasn't disabled by default in Tor tabs.

The Tor Browser has been around for a while and is meant to be a secure web browser from top to bottom. It has had a lot of development looking to find and fix possible leaks and to ensure security. That is its primary focus, and it is pretty good at it.

If you want to use Tor casually, maybe access an onion site, or just get a big boost in your level of privacy, the Tor tabs in Brave are a nice option. They are really easy to use and give great privacy. It is good for casual Tor use.

If you want (or need) serious privacy, the Tor Browser is a better choice. That is its purpose. It is developed to be hardened for protecting the user and it will provide better protection.

It is also based on Firefox, and when possible improvements it makes to Firefox feed back into regular Firefox, strengthening their position in an ever-less competitive browser market. Not something everyone cares about, but it could be relevant.

Tor Browser routes all data via the Tor network. Brave is a standard browser with built in ad-ware.

This is amusingly uninformed. Saying nothing about the ad-ware comment, since that seems designed to deliberately obfuscate/obscure reality, you probably weren't aware of:


To OP - check out the issues, there's a reason it's still in beta: https://github.com/search?utf8=&q=is%3Aopen+is%3Aissue+org%3...

Brave's "Basic Attention Token" was described as replacing ads on websites with ads from Brave's own ad network[0], which I recall is a common practice among adware to go unnoticed on an infected user's machine. The homepage of the Basic Attention Token completely fails to mention that it blocks publisher's "genuine" ads and replaces it with their own ads[1].

On top of that Brave has seemingly no interest in asking for consent for this practice, while also going as far as to use people's names and photos to solicit donations to them, without those people even being aware that Brave is accepting money for them[2].

Now I believe the ad-replacement feature is opt-in, but I'm not willing to install Brave and go through the opt-in flow to determine if it goes through the proper steps in explaining that the Brave Ad money may never reach its intended recipient.

[0] https://cryptobriefing.com/what-is-basic-attention-token-int... "Brave integrated BAT into its browser to block ads at the site level, and instead serve them through the browser itself." [1] https://basicattentiontoken.org/ [2] https://twitter.com/tomscott/status/1076160882873380870

This is amusingly uninformed. Describing Brave as adware is generous to say the least, Brave is more of a scam than a business. The kind of scams you would find in tech bubbles like what happened in late 1990s.

Could you elaborate? As far as I know, Brave promises to give you a browser and it gives you a browser. Does not sound like something I would call a "scam".

Just from considering that Brave is a complete meme, like c'mon switching ads to other ads is one of the stupidest ideas I've ever heard. You are not improving anything except padding pockets of Brave developers. To make matters worse it is just Chromium with new shit on top.

Literally anything is better than Brave, well, maybe not IE.

There are a bunch of privacy-improving patches in the Tor browser (such as protections against font fingerprinting, screen size fingerprinting, and so on). Brave doesn't have those.

(There's also the fact that Tor Browser routes everything over Tor, but apparently Brave can do this too now?)

I wish people used the deep web for something besides illegal buying and child pornography

Less than 3% of Tor traffic is to onion services of any kind (which means 97% is to websites already accessible on the public internet), and the most popular onion service on the internet by a large margin is Facebook's (facebookcorewwwi.onion). More than 2 million people use Tor every day -- are they all bad people? Heck, government agents use Tor when traveling abroad.

Do bad people do bad things using Tor? Yes. Do political dissidents in oppressive regimes use Tor? Yes.

However the vast majority of people are just ordinary citizens using Tor to access the internet -- the cross-section of Tor users is the same as the cross-section of ordinary internet users.

> the most popular onion service on the internet by a large margin is Facebook's

How do you know? It shouldn't be possible to collect this sort of data.

Counting hits on HSDir(s) and extrapolating a statistic. Related: https://trac.torproject.org/projects/tor/ticket/8106

In 2016, Facebook published an article saying that 1 million people use Facebook (over their onion address) every month[1]. Comparing this with the privacy preserving statistics provided by the Tor project (based on extrapolating HSDir hits) leads you to believe that 1 million per month is the overwhelming majority of .onion site users.

Roger Dingledine mentions this in quite a few of his talks, I'm fairly sure it's an accurate statement.

[1]: https://www.facebook.com/notes/facebook-over-tor/1-million-p...

Exit nodes can track which sites are hit to a degree. CDNs make this more difficult, but it's not too hard to figure out what percentage of your traffic is Facebook. It also won't work if you're going to the Facebook onion site of course.

Exit nodes aren't used like that for .onion sites, so they cannot track usage of .onion sites.

The way it works is that the client and server pick a "rendezvous node" (the server generates 6 HSDir entries, each with 3 random nodes every day, and the client picks a random HSDir entry and a random one of those node to use). Then, they communicate through the rendezvous node which doesn't know who the client or server are (because both are connected through Tor circuits and neither reveals the .onion URL that was looked up in the HSDir).

The way the statistics work is that some Tor relays opt-in to sharing statistics about how many HSDir lookups happened through them, and then those figures are extrapolated to figure out how many .onion service accesses happen. The relay doesn't know which service is being looked up, and the rendezvous node doesn't know which service is being talked to.

(Correction, 3 introduction points and the client picks the rendezvous point -- so even a compromised introduction point is useless because the node used for communication is different for all communications.)

I wish people would at least learn the difference between "deep web" and "dark web". ;) I bet you use the "deep web" multiple times each week. The "dark web" on the other hand, probably not.

Depends who you ask.

I transparently use the darknet continuously every day. Multiple home servers owned by me and my colleagues make up a VPN we share with friends and family.

Amongst the trusted recursive resolvers we use there's the DoT v3 onion from Cloudflare. A proxy redirects our traffic for Facebook and DuckDuckGo over the respective onions, same for Debian updates. A next generation firewall inspects our traffic and use Tor for some websites that are censored or geoblocked.

I do and a lot of people I know also do. Just for added privacy, or anything sensitive but legal.

Tor became such a pleasant (and fast, unlike it used to be) experience that it can be used for general anon surfing.

You have to be a little weary using tor. Anyone can run an exit node and it is trivial to rewrite and inject onto web pages. You can also on the fly intercept SSL requests and generate your own self signed certificate that fails proper verification but looks real enough if inspected that will always trick a percentage of users. If you've used tor with any frequency you've probably hit weird SSL cert errors that go away if you change routes.

To be fair I mostly use it for not overly sensitive stuff. Let me give you an idea: I prefer to not have my ISP log my requests to reddit.com/r/LSD.

Not because I do anything illegal (I don't even take acid), but in this dystopian world where every action on the internet is recorded, the last thing I want is to end up on lists purely because of my curiosity.

If I would do anything I could get into trouble for (which I won't), I would definitely research more about how to use Tor safely.

Please correct me if I'm wrong, but can't your ISP only see that you're requesting reddit.com, as long as you're using https? Now sure, if you go to lsd.reddit.com, it can be logged as a subdomain, but anything beyond reddit.com shouldn't be viewable by your ISP.

I'm not saying that you shouldn't use tor, just that as far as I understand, the whole request, including path and method, is encrypted over tls/ssl after your browser establishes a tcp connection to the server.

I do believe the url path is visible even over HTTPS. Off to do some research on this.

Edit: apparently the url is not visible, but the domain (more like IP, which can be easily resolved to domain).

Same thing still applies, perhaps not with reddit subreddits, but with specific domains/websites.

With ordinary DNS you are asking in plain text hey, what's the IP address for reddit.com and it does not take a genius to guess that's because you're visiting reddit.com

With HTTPS using TLS 1.2 or earlier the site sends its certificate in plaintext too, so even if you just remember the IP address, it will tell anybody snooping "Hi, this is reddit.com".

In TLS 1.3 the site's certificate is encrypted. However the SNI, which is used to make virtual hosting work, is not encrypted. So your ISP can see where you said you were going, but not whether they proved they were the real deal.

DPRIVE such as DNS over HTTPS cures the first thing, you use an encrypted transport to do DNS queries against somebody trustworthy who won't rat you out.

eSNI (encrypted SNI) is intended to one day cure the other problem.

Even with both these, seeing that you visited a very popular system like Facebook or Reddit is always going to be easy. So Tor remains important.

Your ISP won't log the request going to /r/LSD. It's over SSL, so the only thing your ISP sees is a request to reddit.com.

You are correct. Domains can be still sensitive though.

It is fair to say that using unauthenticated protocols like HTTP over Tor is a pretty bad idea (and there really should be more warning bells about this in the Tor Browser). However on the TLS comment -- almost all modern websites use HSTS, so sslstrip doesn't really work any more.

I mean you can intercept the request, retrieve the real cert, generate a self signed cert with the exact same details, then submit that to the user and be man in the middle. Of course the user gets the blank SSL cert error page on the browser, but a percentage of those users will override and continue. Copying the cert details increases that percentage as some will actually look at the invalid cert. It is quite blatant but it is just a numbers game at that point. If you ever hit an SSL cert error with TOR you should force a new onion path.

Yes, you could do that but then your node would be kicked off the Tor network (because you'd need to do it indiscriminately since you don't know who the user is you're trying to target). In addition, relays are load-balanced based on trustworthiness and bandwidth so in order to attack a significant portion of users you'd need to be running a large and trusted node (which would be hard to do if you're just doing this to attack people).

I wasn't aware that Tor tested services and had a trustworthiness score but an attack like that could still be quite useful for certain purposes and possibly stay well hidden. If you set something up that only did it for Google IP blocks for example it might go undetected. If you actually got shut down you could refine it by only targeting a small percentage of those users. There would be some rate of account collection, however small.

How about sslstrip2 ([1], check demo)? A weakness of HSTS is that is stored per domain and the exit node can also control your DNS traffic. I wonder how hard it is to pull this off as a Tor exit node, for local networks there are tools like bettercap [2].

[1] https://github.com/byt3bl33d3r/sslstrip2

[2] https://www.bettercap.org/legacy/

That is a pretty neat attack, but I disagree it would be useful against Tor.

DNS traffic is funneled through a different Tor circuit than the web traffic. You'd need to apply the bad DNS to all users, which would almost certainly in your exit node being dropped from the network.

I'm also not sure how this would be handled with HSTS preload lists -- HSTS preload applies to all subdomains so you'd need to come up with a completely different domain (and protections against homograph attacks mean that avenue is restricted). It'd probably be simpler to just set up an actual website with LetsEncrypt than to bother with stripping the TLS in this manner.

You are right. With different Tor circuits, the attacker needs to control a lot of exit nodes to correlate the initial HTTP request to ssl-stripped page and the DNS query (to be a global adversary).

They do, not everybody enjoy democraty.

Unfortunately, such cases will always be less appealing to write about compared to "assassins for hire on the dark web", leading to this wrong generalization of what Tor is about.

If using the definition for the dark/deep web that I think, then it includes traffic to and from any networked entity that does not have a URL (or otherwise public frontend).

This could then include stored data, VPNs or other company/govt/organisational data that is not accessible via normal web traffic.

I believe thats just the definition for deep web.

Both terms are just stupid.

Deep web: stuff not indexed by search engines. Private forums, non-public social media accounts, Telegram rooms, Discord servers etc. are technically "deep web".

Dark web: a subset of deep web that requires specific software or configuration to access. Slightly more precise, but still includes every possible use case for IPFS, Dat, ".onion" etc. Note that this is nowhere close to what people usually mean when they use the term "dark web". They're referring to the subset of a subset of deep web that's used for criminal activities.

There are gateways to onion services and IPFS, so those are "indexed by search engines" without any change necessary. Furthermore, any search engine has to be adapted to the medium used, and there are specialized search engines for pretty much anything including Freenet and I2P etc, so saying that the "dark web" is a subset of the "deep web" is incorrect. There is some overlap, but it's not a "part of" relationship.

The problem is that there is one (academic) definition of "deep web", but many incompatible definitions of "dark web", invented by the media basically for whatever they want it to be.

I host all kinds of completely normal websites (ie, amateur radio) as tor hidden services. TOR is great because you actually own your domain instead of just leasing it on the whim of some corporation.

Once you get past the controversy TOR hidden services are more like the 1990s web than what you describe.

I've used it to maintain normal(ish) internet service for myself when visiting places like China.

When I went to China I expected problems so I setup my laptop with an SSL tunnel on port 443 to a virtual server and then routed openvpn over that. It worked like a charm. My favorite feature of openvpn is it can maintain state, so even if the tunnel resets and openvpn has to reconnect all the tcp connections just pick up where they left off.

This will work for a short while, but consistent long term openvpn-matching packets are now seen the the GFW's automated dpi systems, eventually the IP of your non-china VPN endpoint will get blocked.

That sounds much more prepared than I was, I arrived and then wanted a quick solution on the fly, Tor fit the bill nicely.

I would probably use my StrongSwan IPSEC VPN setup to home now that I have one.

What is the difference between this and just having a normal SSH tunnel; for example, how does this differ from using sshuttle?

Openvpn allows you to connect to and have a routable IP on the network. SSH tunnels are great for some things but being logically on a network is another thing.

For one, openvpn can use udp unlike ssh, which means the annoying overhead of double tcp is gone

Thank you for your service.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact