Browser Security

Tor Browser 7.5.1 is out

The Tor Blog just released another version update for its browser, which introduces several security updates, interface changes and improvements based on user reports. As always, you can find the changelog since the last stable release, 7.0.11, right here. You should get the automatic update notification already or in the coming hours.

Tor Logo: Picture Source Tor Project

What’s new

  • All Platforms
    • Update Firefox to 52.6.0esr
    • Update Tor to
    • Update OpenSSL to 1.0.2n
    • Update Torbutton to
      • Bug 21847: Update copy for security slider
      • Bug 21245: Add da translation to Torbutton and keep track of it
      • Bug 24702: Remove Mozilla text from banner
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update Tor Launcher to
      • Bug 23262: Implement integrated progress bar
      • Bug 23261: implement configuration portion of new Tor Launcher UI
      • Bug 24623: Revise “country that censors Tor” text
      • Bug 24624: tbb-logo.svg may cause network access
      • Bug 23240: Retrieve current bootstrap progress before showing progress bar
      • Bug 24428: Bootstrap error message sometimes lost
      • Bug 22232: Add README on use of bootstrap status messages
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update HTTPS Everywhere to 2018.1.11
    • Update NoScript to
    • Bug 23104: CSS line-height reveals the platform Tor Browser is running on
    • Bug 24398: Plugin-container process exhausts memory
    • Bug 22501: Requests via javascript: violate FPI
    • Bug 24756: Add noisebridge01 obfs4 bridge configuration
  • Windows
    • Bug 16010: Enable content sandboxing on Windows
    • Bug 23230: Fix build error on Windows 64
  • OS X
    • Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
    • Bug 23025: Add some hardening flags to macOS build
  • Linux
    • Bug 23970: Make “Print to File” work with sandboxing enabled
    • Bug 23016: “Print to File” is broken on some non-English Linux systems
    • Bug 10089: Set middlemouse.contentLoadURL to false by default
    • Bug 18101: Suppress upload file dialog proxy bypass (linux part)
  • Android
  • Build System
    • All Platforms
      • Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
    • Windows
    • Linux
      • Bug 20929: Bump GCC version to 5.4.0
      • Bug 23892: Include Firefox and Tor debug files in final build directory
      • Bug 24842: include and in debug builds

Among these changes, several interface corrections were made. I’ll copy & pasta this to make it easier to understand why these user interface changes were made.

Tor Browser 8.0a3 (Beta)

  • Update Firefox to 52.7.0esr
  • Update Tor to
  • Update Tor Launcher to
  • Bug 23136: Moat integration (fetch bridges for the user)
  • Translations update
  • Update HTTPS Everywhere to 2018.2.26
  • Bug 25339: Adapt build system for Python 3.6 based build procedure
  • Bug 25356: Update obfs4proxy to v0.0.7
  • Bug 25147: Sanitize HTML fragments created for chrome-privileged documents
  • Windows
    • Bug 25112: No sandboxing on 64-bit Windows <= Vista

  1. Welcome Screen

    Our old screen had way too much information for the users, leading many of them to spend great time confused about what to do. Some users at the paper experiment spent up to 40min confused about what they needed to be doing here. Besides simplifying the screen and the message, to make it easier for the user to know if they need to configure anything or not, we also did a ‘brand refresh’ bringing our logo to the launcher.

    Censorship circumvention configuration

    This is one of the most important steps for a user who is trying to connect to Tor while their network is censoring Tor. We also worked really hard to make sure the UI text would make it easy for the user to understand what a bridge is for and how to configure to use one. Another update was a little tip we added at the drop-down menu (as you can see below) for which bridge to use in countries that have very sophisticated censorship methods.

    Proxy help information

    The proxy settings at our Tor Launcher configuration wizard is an important feature for users who are under a network that demands such configuration. But it can also lead to a lot of confusion if the user has no idea what a proxy is. Since it is a very important feature for users, we decided to keep it in the main configuration screen and introduced a help prompt with an explanation of when someone would need such configuration.

    As part of our work with the UX team, we will also be coordinating user testing of this new UI to continue iterating and make sure we are always improving our users’ experience. We are also planning a series of improvements not only for the Tor Launcher flow but for the whole browser experience (once you are connected to Tor) including a new user onboarding flow. And last but not least we are streamlining both our mobile and desktop experience: Tor Browser 7.5 adapted the security slider design we did for mobile bringing the improved user experience to the desktop as well.

  2. We ship the first release in Tor’s 0.3.2 series, This release includes support for the Next Generation of Onion Services.
  3. On the security side we enabled content sandboxing on Windows and fixed remaining issues on Linux that prevented printing to file from working properly. Additionally, we improved the compiler hardening on macOS and fixed holes in the W^X mitigation on Windows.
  4. We finally moved away from Gitian/tor-browser-bundle as the base of our reproducible builds environment. Over the past weeks and months rbm/tor-browser-build got developed making it much easier to reproduce Tor Browser builds and to add reproducible builds for new platforms and architectures. This will allow us to ship 64bit bundles for Windows (currently in the alpha series available) and bundles for Android at the same day as the release for the current platforms/architectures is getting out.

Tor and The Firefox problem

More and more people are going to realize that hardening Firefox with the old methods doesn’t work anymore. Which is not incorrect; it even gets worse with the Quantum releases because there are several other restrictions within the browser, e.g. working with multiple profiles, while hardening something with about:config might not have the effect you expect. It’s unclear at this time how Mozilla or the Tor Project is going to solve this, but I assume additional code needs to be integrated to face this issue.

I’m not sure if it’s because of PR reasons, but power users these days are really frustrated and I can totally understand it. The best advice I can give here is to simply not touch some about:config settings, because the Tor Security Slider might not face those changes, especially in recently updated builds which might not address all the recently added configuration changes.

I can’t predict the future, but I assume that over the long term, since the original (non-ESR) release gets more and more security features integrated, the Tor Project must split up from this and ship their own release. I think that would be the best, because we’re going to have the discussion ground that there are power users and normies who might never adjust any settings. Normally that wasn’t a problem, but the browser might have unexpected crashes when you try to install a new extension or change something in the default configuration. That’s a real problem and I’m really curious how they’re going to solve it.

Closing Words

Tor, I2P and all the other good stuff? I love it and have monitored it for years. Thanks that such projects and people exist who regularly maintain the code, blog and update us on important news.

Sadly, we’re going to face bigger problems with Firefox more and more, and a lot of people are upset about the decisions Mozilla is making. That could be PR related, but to be perfectly honest that’s my best guess. The question is how they’re going to satisfy power users without breaking things or the existing code of the ESR Firefox?!

I like to close my article with something positive: the Tor Project has had my full respect for years. There are often several doubts about how effectively they can really protect us, but just ignore this and focus on the things which are really important. I see a lot of passionate people in the Tor community and that’s good; a lot of people seem to have woken up and realized that there is a need for security features and protection mechanisms, since almost everything is trying to get our data somehow with some shady techniques. Tor definitely does offer some layer of security here, because the normal user does not need to tweak several things or install lots of extensions to improve the browser experience, and that’s what people like and what the Tor Project should continue to focus on.

Thanks for the update and the continued fight against the ones who are trying to get us on our daily browsing habits.