
Showing results for tags 'tor browser'.


Found 16 results

  1. Tor Browser adds new anti-censorship feature, V2 onion warnings The Tor Project has released Tor Browser 10.5 with V2 onion URL deprecation warnings, a redesigned Tor connection experience, and an improved anti-censorship feature. Last year, the Tor Project announced that they were deprecating the use of V2 onion URLs in favor of the newer V3 URLs to provide more robust cryptography, longer URLs to prevent brute-forcing of hidden sites, and cleaner code. As part of this announcement, Tor warned that V2 URLs would be deprecated using the following timeline: September 15th, 2020: 0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6. July 15th, 2021: 0.4.6.x: Tor will no longer support v2 and support will be removed from the code base. October 15th, 2021: We will release new Tor client stable versions for all supported series that will disable v2. To warn Tor website admins of the upcoming changes, the Tor Browser will now display a message when visiting version 2 Onion sites that their URLs would soon be deprecated, and the site will soon be unreachable unless they upgrade to version 3. V2 URL warnings in Tor 10.5 For website administrators of Tor sites using V2 URLs, you should read the Tor V2 Onion Services Deprecation FAQ for more information on how to upgrade to V3 URLs. Snowflake added as a Tor bridge The Tor Browser allows users to utilize 'Bridges' to bypass government or ISP censorship in various countries. Bridges are Tor relays operated by volunteers that are not added to the public Tor directory. Users can then request a bridge to use in the Tor browser to bypass censorship in their country. Tor users can now configure the Bridges features to utilize the SnowFlake proxy network to bypass censorship. Tor Browser 10.5 adds Snowflake as a bridge option Snowflake is a pluggable transport that allows users to create Tor Bridges that bypass censorship easily. 
Unlike other Tor Bridges, Snowflake proxies can be made by simply installing a Chrome or Firefox extension, allowing a much larger audience to help people get access to the Internet under government censorship. "Snowflake uses the highly effective domain fronting technique to make a connection to one of the thousands of snowflake proxies run by volunteers. These proxies are lightweight, ephemeral, and easy to run, allowing us to scale Snowflake more easily than previous techniques," explains Tor's censorship FAQ. "For censored users, if your Snowflake proxy gets blocked, the broker will find a new proxy for you, automatically." If you want to try out these features, simply use the Tor Browser autoupdate feature to upgrade to version 10.5 or download it directly from the Tor Browser download page. Tor Browser adds new anti-censorship feature, V2 onion warnings Frontpaged: Tor Browser 10.5
  2. Tails OS 4.15 released with updated Tor Browser Tails OS 4.15 has been released today bringing with it updates for the Tor Browser, the Linux kernel and fixes for several issues including USB tethering not working with devices running iOS 14 or later. Luckily, there are no new issues introduced with this version of the privacy-oriented OS but it’s still affected by long-standing issues. According to the release notes, there are no new major changes in this update outside of updated software. The only new feature is that you now have the option to press “Don’t Show Again” on the security notification that pops up when you attempt to run Tails on a virtual machine. This update does come with several critical software patches for things like the Tor Browser which is now on version 10.0.9 (based on Firefox 78.7), Thunderbird has been bumped to 78.6.0, and the Linux kernel now sits on version 5.9.15 bringing support for newer hardware. The new kernel update also addresses a bug that prevented iOS 14 devices from being used for tethering. To install Tails 4.15, you’ll either need to follow the guide to setting up a Tails USB to perform a clean install or you can upgrade an existing Tails install. When you’ve booted up your Tails 4.2 or above USB and connected to the internet, you will be offered the upgrade. If you choose to update, the new version will download and begin to install. If you would like to see what’s planned in future updates, check out the Tails roadmap. Tails OS 4.15 released with updated Tor Browser
  3. First Tor Browser Alpha for Android based on new Firefox is now available Tor Browser is based on Mozilla's Firefox web browser both on the desktop and on Android. Mozilla released a redesigned version of the Firefox web browser for Android recently, and the developers of the Tor Project worked on migrating Tor Browser to the new core on Android as well. The first version of Tor Browser for Android, based on the new Firefox web browser, is now available for testing. Bugs and issues are to be expected because of the alpha status of the release. The Tor Browser release is based on Firefox 81 for Android, released in late September 2020. The current version of Tor Browser for Android is based on Firefox 68 ESR. The move to the new Firefox version required adjustments, a proxy audit, re-implementation of the user interfaces and other changes; it took the team four months to reach the current status. Interested Android users may download the alpha version of the new Tor Browser from the official download page. The alpha should not be used in production environments or for important tasks, as it may have bugs and other issues. The full changelog highlights numerous changes and improvements: The built-in NoScript add-on was updated to the latest version. Telemetry collection is disabled. Intermediate CA preloading is disabled. TLS 1.0 and 1.1 are disabled. DNS Leak protection implemented. Add-on blocklist update URL sanitized. Crash Reporter disabled. Connect screen and Network Settings screen redesigned. Make sure the system download manager is not used. "Only Private Browsing Mode" on Android. Default search engine changed to DuckDuckGo. Verify that Sentry, Adjust, LeanPlum, Google Ads ID, InstallReferrer are disabled. Push functionality disabled. Security level settings implemented. Disallow Cleartext traffic. Disable PWA Tor Browser removes several built-in features of the Firefox web browser for Android as it is designed with privacy and security in mind. 
The new Firefox core improves web compatibility and performance, and Tor Browser users should benefit from these changes as well; maybe even more so as it is a heavily modded version of Firefox that is designed specifically for privacy and security purposes. Some of the issues, e.g. limited add-on support, that users have with the current Firefox Stable for Android may not matter that much to Tor Browser users. First Tor Browser Alpha for Android based on new Firefox is now available
  4. Tor Browser 9.5 is out with major usability improvements Tor Browser 9.5 has been released on June 3, 2020. The new version of the web browser includes security updates and several usability improvements. Tor Browser 9.5 can be downloaded from the official download page; the Android version is available on Google Play already and should arrive soon on F-Droid as well. Tor Browser is based on Firefox ESR, and as such, incorporates security updates whenever they are made available by Mozilla. The new release focuses on usability improvements, or, as the team behind the browser puts it, "on helping users understand onion services". Websites can announce onion support Websites may add information about onion support to HTTP headers to announce that the site is accessible via the network. Users may use the information to connect to the site using the onion service. A click on "always prioritize onions" makes connections via the onion network the default choice so that Tor Browser will connect to sites that support it automatically (provided they reveal the info). Tor users may change the setting in the options by loading about:preferences#privacy in the web browser's address bar. There they may switch between "always" and "ask every time" under onion services. Error pages for Onion Services Previous versions of Tor Browser displayed Firefox's error pages when a site could not be loaded or other errors occurred in the browser. Tor Browser 9.5 comes with Tor-specific error pages that better highlight why something did not work correctly, e.g. why an onion address could not be loaded in the browser instead of just displaying that the site could not be reached. Onion names Just like IP addresses, onion addresses are not easily memorable for the majority of users. Imagine having to remember a -- rather short -- onion address such as http://expyuzz4wqqyqhjn.onion/index.html. The introduction of Onion names changes that for the better and works similar to how DNS works. 
Instead of having to load http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion/, you can now load http://theintercept.securedrop.tor.onion/ instead. Onion names are currently being tested and evaluated, and only a small number of sites has been selected for participation in the test. It is very likely that support will become available publicly at one point in time, and that means that any onion site may use these easier to read and remember names. Security Indicators in the URL Bar have changed Major browsers like Firefox or Chrome have changed security indicators in the address bar in recent times. The main idea was to shift from a "this site is secure" announcement to a system that focuses on revealing to users if a site is not secure. Tor Browser uses a similar system. Secure sites are shown with a gray onion icon, insecure sites have a red slash that indicates that the site is not secure to the user. Onion authentication The final change adds an optional layer of security to the interaction between sites and Tor users. Sites need to configure the extra layer by setting a pair of keys for authentication. Tor clients need to provide an authentication credential to connect to the site. It uses a public-private key system. Tor users may manage keys on the privacy settings page: about:preferences#privacy. Tor Browser 9.5 is out with major usability improvements [ Frontpaged here... Tor Browser 9.5 ]
  5. Tor Browser 9.0.3 Tor Browser is a privacy focused browser based on Firefox. Tor Browser isolates each website you visit so third-party trackers and ads can't follow you. Any cookies automatically clear when you're done browsing. So will your browsing history. It prevents someone watching your connection from knowing what websites you visit. It aims to make all users look the same making it difficult for you to be fingerprinted based on your browser and device information. Your traffic is relayed and encrypted three times as it passes over the Tor network. The network is comprised of thousands of volunteer-run servers known as Tor relays. With Tor Browser, you are free to access sites your home network may have blocked. Browse Privately. Explore Freely. Defend yourself against tracking and surveillance. Circumvent censorship. All with Tor Browser. Download: https://dist.torproject.org/torbrowser/9.0.3/torbrowser-install-9.0.3_en-US.exe
  6. Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and track the websites they visit. More than 860 transactions are registered to three of the attackers' wallets, which received about $40,000 in Bitcoin cryptocurrency. Careful impersonation The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that have been optimized to rank high in queries for drugs, cryptocurrency, censorship bypass, and Russian politicians. Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software. Cybercriminals were careful with selecting the two domain names (created in 2014) since to a Russian user they appear to be the real deal: tor-browser[.]org torproect[.]org - for Russian-speaking visitors, the missing "j" may be seen as a transliteration from Cyrillic Furthermore, the design of the pages mimics, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is updated, regardless of the version they run. Translated into English, the message reads: "Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update”" In Pastebin messages, the cybercriminals advertise that users would benefit from anti-captcha feature allowing them to get faster to the destination. This is not true, though. Underneath this Tor Browser impersonator is version 7.5 of the official project, released in January 2018. Getting the cryptocurrency The downloaded script can modify the page by stealing content in forms, hiding original content, showing fake messages, or adding its own content. These capabilities allow the script to replace in real-time the destination wallet for cryptocurrency transactions. 
The JavaScript observed by ESET does exactly this. The targets are users of the three largest Russian-speaking darknet markets, the researchers say. For the payload they observed (image above), the script also alters the details for the Qiwi payment service provider. When victims add Bitcoin funds to their account, the script jumps in and changes the wallet address with one belonging to the attackers. Since cryptocurrency wallets are a large string of random characters, users are likely to miss the swap. Darknet profile with altered Bitcoin address At the moment of publishing, the three cryptocurrency wallets controlled by the attackers recorded 863 transactions. These are small transfers, supporting the theory that the funds came via the trojanized Tor Browser. One of them received more than $20,000 from over 370 transactions. The largest balance, though, is currently around $50 in one wallet and less than $2 in the other two. The three wallets have been used for this purpose since 2017, the researchers found. Although the amount of Bitcoins that passed through these wallets is 4.8, the total proceedings for the attackers is likely higher because Qiwi payment details are also altered. Source: Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users
  7. Tor Browser 8.5.3 has been released to fix a Sandbox Escape vulnerability in Firefox that was recently used as part of a targeted attack against cryptocurrency companies. As this vulnerability is actively being used, it is strongly advised that all Tor users upgrade to the latest version. When starting Tor Browser, it should alert you if a new version is available. If you would like to perform a manual check, you can do so by going to Tor Browser menu -> Help -> About Tor Browser. Unfortunately, like the previous release, the Android version of Tor Browser 8.5.3 will not be available until the weekend as part of the Tor team who handles the Android signing token is away at an event. Tor 8.5.3 can be downloaded from the Tor Browser download page and from the distribution directory. The full changelog for Tor Browser 8.5.3 is: Tor Browser 8.5.3 -- June 21 2019 * All platforms * Pick up fix for Mozilla's bug 1560192 Sandbox Escape vulnerability fixed This week it was discovered that two Firefox zero-day vulnerabilities were used as part of targeted attacks against cryptocurrency firms. The two vulnerabilities used in the attack are a remote code execution vulnerability chained with a sandbox escape vulnerability. Yesterday, the Tor Project released Tor 8.5.2 to fix the RCE vulnerability, and today's release of 8.5.3 fixes the Sandbox Escape vulnerability in the bundled Firefox browser. "This release includes an important security update in Firefox, a sandbox escape bug, which combined with additional vulnerabilities could result in executing arbitrary code on the user's computer" When these two vulnerabilities were chained together, they were able to download and install information-stealing Trojans on a victim's computers as well as remote access to the computer's network. Due to this, it is imperative that users install this update immediately. Source
  8. Tor Browser for Android Officially Launched Tor Project has just announced the release of the very first stable version of Tor Browser for Android after the public preview build that landed in the fall of 2018. The Android version of TOR Browser is based on the same approach as the original desktop sibling, and it’s supposed to block trackers, keep users protected against surveillance, resist fingerprinting, and maintain a high level of privacy using advanced systems like multi-layered encryption. “When you use Tor Browser for Android, your traffic is relayed and encrypted three times as it passes over the Tor network. The network is comprised of thousands of volunteer-run servers known as Tor relays,” Tor Project explains. The interface is as simple as it could be, and while features like the ones you typically find in browsers from Google and Mozilla are missing, it’s important to keep in mind that the purpose of Tor Browser is to keep your privacy untouched when browsing the web, regardless of website. The application is obviously available free of charge on Android, and it requires at least version 4.1 of the mobile operating system. More features to come Needless to say, because this is just the very first stable version of Tor Browser for Android, some features available on the desktop are yet to make their way to smartphones, albeit the development team promises fast progress in this regard. “While there are still feature gaps between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms,” a blog post that went live this morning reads. Tor Browser for mobile devices is exclusive to Android, and an iOS version won’t be released. This is because of the iOS restrictions set by Apple on the platform. Source
  9. Tor Browser 8.0.9 was released on May 7, 2019 to the public. The new version addresses a major issue in Mozilla's add-on signing platform that caused verification to fail. Tor Browser is based on Firefox ESR code, and since Firefox ESR, and any other version of Firefox, was affected by the issue, so was Tor Browser. The privacy-focused browser comes with several add-ons installed that improve privacy. One notable extension is NoScript as it blocks all (or most) JavaScript from execution. Scripts may serve legitimate purposes, e.g. provide functionality on websites, but they may also be used for fingerprinting, tracking, the serving of advertisement, and even malicious attacks or the distribution of malware. The Tor project informed users of the browser about the issue on its website. Tor users found the add-ons NoScript, HTTPS Everywhere, Torbutton, and TorLauncher disabled, and marked as legacy extensions. The same happened to Firefox users worldwide who all lost access to their installed extensions. Mozilla fixed the issue in the meantime in Firefox (including Firefox ESR), and Tor Browser 8.0.9 does the same. Means, add-ons should show up as installed again after Tor Browser is updated to the new version or installed anew. Note: The Brave browser supports Tor as well; it was not affected by the issue. Tor Browser 8.0.9 Tor users and admins can download the latest version of the web browser from the official project website. It is available for the desktop operating systems Windows, Mac OS and Linux, and the mobile operating system Android. You may run an update check by opening Menu > Help > About Tor Browser. Tor users who use the built-in extensions or others are encouraged to update to the new version to fix the issue. Add-ons should return to the enabled state automatically after the update. 
The entire changelog: Update Torbutton to 2.0.13 Bug 30388: Make sure the updated intermediate certificate keeps working Backport fixes for bug 1549010 and bug 1549061 * Bug 30388: Make sure the updated intermediate certificate keeps working * Update NoScript to 10.6.1 Bug 29872: XSS popup with DuckDuckGo search on about:tor Tor users who disabled add-on signing in the browser to fix the issue temporarily may want to consider enabling it again. This is done by loading about:config in the browser's address bar, searching for xpinstall.signatures.required and setting the preference to True. True means that Firefox will verify the certificate of installed extensions and extensions that are about to be installed in the browser. Extensions without valid certificate cannot be installed or used if the setting is enabled (with some exceptions, e.g. temporary add-ons). (via Born) Source: Tor Browser 8.0.9 update resolves add-on signing issue (gHacks - Martin Brinkmann)
  10. YOU PROBABLY KNOW about the digital anonymity service Tor, but for whatever reason you may not actually use it. Maybe between the nodes, traffic rerouting, and special onion URLs it seems too confusing to be worth the effort. In truth, Tor has been relatively accessible for years now, largely because of the Tor Browser, which works almost exactly like a regular browser and does all the complicated stuff for you in the background. But in 2018 a slew of new offerings and integrations vastly expanded the available tools, making 2019 the year to finally try Tor. You may even end up using the network without realizing it. "At the end of the day for Tor what we hope is that our technology becomes underlying, and everything else that happens online happens on top of it," says Isabela Bagueros, executive director of the Tor Project. "Seeing interest and adoption from for-profit companies and other organizations is a very interesting moment for us, because we are creating different examples to show how our vision can be possible." Tor's primary benefit, for the uninitiated: It encrypts your traffic and bounces it through a chain of computers, making it very difficult for anyone to track where it came from. You can see how easy access to an anonymized service like that might come in handy when you're working on anything from job hunting to political organizing. This year, it became easier than ever to do so on Android, with the introduction of Tor Browser for Android. The platform first debuted in September and is still being tested, but is now close to its final, stable release. You can download it on Google Play or directly from the Tor Project. There are also some Tor options for iOS, including an app called Onion Browser, but the Tor Project doesn't currently have its own offering. Being able to access Tor on mobile is increasingly important, as more and more browsing shifts to smartphones. Tor on desktop has gotten new options as well. 
The privacy-focused browser Brave added Tor routing in June as an option for its tabs. Brave makes it easy to have some tabs that are running Tor and others that aren't, letting you do all of your browsing side by side. In Brave you simply navigate to the File menu and choose "New Private Tab with Tor," or flip a Tor switch after you launch a new private tab, to add the protection. "A Brave Private Window with Tor keeps the user history secret from other people who may be using the computer, but also makes it more difficult for ISPs, employers, or guest Wi-Fi providers to track which websites a user visits," Brave said in a statement. "We're getting great feedback from users...[and] we're also adding more Tor functionality in Brave." Brave's integration options are convenient. And the Tor Project's Bagueros says that Brave has so far shown strong commitment to evolving its Tor implementation to be increasingly secure. While people could just use the official Tor Browser for maximum protection—something even Brave itself recommends "for users who require leakproof privacy"—Bagueros says the goal is to foster as many implementations as possible to make Tor more accessible. "We don’t want to be the only browser," she says. "If there are 20,000 browsers doing the same thing we don’t mind. We think that’s great." Other types of Tor integrations relate to creating infrastructure so that people's browsing can opportunistically route over the Tor network and have stronger anonymity protections. Facebook—which has run an "onion service" since 2014 to make connecting to Facebook on Tor even more secure—expanded its offerings in November to make them faster and more efficient. The improvement was also aimed at making it easier for Tor users to access the most secure version of Facebook from within a platform like Tor Browser without having to remember a special onion URL. 
Content delivery network and internet infrastructure provider Cloudflare also launched an onion service in September that makes it easier to access the most secure versions of its client sites on Tor. Through its new setup, Cloudflare helps to extend protections on user anonymity without knowing anyone's identity, even on its own service. "If we can make it easier for more people to use Tor that's great," says Matthew Prince, Cloudflare's CEO. "Other platforms can support this to get an advanced level of security for their users." Cloudflare's Tor integration is also set up to more accurately separate legitimate Tor traffic from malicious activity, by making it more costly for hackers to mount attacks without undermining anonymity protections for legitimate users. With all this new private industry collaboration, the Tor Project's Bagueros says she thinks that more people will start using the service and be able to integrate it into their lives. The Tor Project has been working on ways to scale more efficiently in anticipation of eventually needing to meet this higher demand. But it also remains focused on the core concept of Tor as a distributed and decentralized network. "We don’t want any corporations to own a big part of the network," Bagueros says. "So we educate them on how many servers are okay for them to pitch in and if they want to add more they can donate to different nonprofits who run relays so they can still increase the network that way." The vision of Tor as the underpinning of the entire internet is still probably a long way off, if it can ever happen at all. But the options available to access the Tor network and use it more easily are rapidly expanding. This is the year to try them out. source
  11. https://dist.torproject.org/torbrowser/8.0.4/ https://dist.torproject.org/torbrowser/8.0.4/torbrowser-install-8.0.4_en-US.exe https://dist.torproject.org/torbrowser/8.0.4/torbrowser-install-win64-8.0.4_en-US.exe
  12. https://dist.torproject.org/torbrowser/8.0.3/ https://dist.torproject.org/torbrowser/8.0.3/torbrowser-install-8.0.3_en-US.exe https://dist.torproject.org/torbrowser/8.0.3/torbrowser-install-win64-8.0.3_en-US.exe Tor Browser 8.0.3 -- October 23 2018 * All platforms * Update Firefox to 60.3.0esr * Update Torbutton to 2.0.8 * Bug 23925+27959: Donation banner for year end 2018 campaign * Bug 24172: Donation banner clobbers Tor Browser version string * Bug 27760: Use new NoScript API for IPC and fix about:blank issue * Translations update * Update HTTPS Everywhere to 2018.9.19 * Update NoScript to 10.1.9.9 * Linux * Bug 27546: Fix vertical scrollbar behavior in Tor Browser 8 with Gtk3 * Bug 27552: Use bundled dir on CentOS/RHEL 6
  13. https://dist.torproject.org/torbrowser/8.0.1/ https://dist.torproject.org/torbrowser/8.0.1/torbrowser-install-8.0.1_en-US.exe https://dist.torproject.org/torbrowser/8.0.1/torbrowser-install-win64-8.0.1_en-US.exe
  14. A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable. Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions. NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users. Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability. According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected. The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API. The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series. In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer. Maone was not aware of the vulnerability before ZDNet contacted him earlier today. 
After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects. "I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet. The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication. In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day. "We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet. "This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers. "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users. "The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component. "If a user sets his Tor browser security level to "Safest" aiming to block all JavaScript from all websites e.g. to prevent exploits, the disclosed bug would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code, making the 'Safest' security level useless against browser exploits," Bekrar added. ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 5.1.8.6. 
UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 5.1.8.7, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017. Source
  15. The Tor Project today released Tor Browser 8.0 with a new user onboarding experience, an updated landing page, additional language support, and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites. You can download the latest version from the project page and the distribution directory. Tor offers anonymous communication by directing internet traffic through a free, worldwide, volunteer network consisting of more than 7,000 relays. The goal is to conceal users’ location and usage from anyone conducting network surveillance or traffic analysis. The Tor Browser, which automatically starts Tor background processes and routes traffic through the Tor network, is built on top of Mozilla’s Firefox Extended Support Release (ESR), a version designed for schools, universities, businesses, and others who need help with mass deployments. Firefox ESR releases are maintained for one year. In addition to the Tor proxy, Tor Browser includes the TorButton, TorLauncher, NoScript, and HTTPS Everywhere Firefox extensions. The 8.0 release brings Tor Browser up to date with Firefox 60 ESR. It also fixes “long-term Tor Browser issues you’ve told us about.” First up is the new onboarding experience, which is designed to better explain the unique aspects of Tor Browser. Next, there is a new bridge configuration flow when you launch Tor. For users where Tor is blocked, the Tor Browser previously offered a handful of bridges in the browser to bypass censorship, but required sending an email or visiting a website to receive additional bridges. Now all you have to do is solve a captcha in Tor Launcher to get a bridge IP, hopefully allowing more people to bypass censorship and browse the internet freely and privately. As for language support, Tor Browser 8.0 adds resources for nine previously unsupported languages: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, and Traditional Chinese. 
Tor Browser 8.0 also includes Tor 0.3.3.9 with OpenSSL 1.0.2p and Libevent 2.1.8, the pure WebExtension version of NoScript (version 10.1.9.1), and 64-bit builds for Windows users. For those who want all the details, check out the full changelog. Source
  16. https://dist.torproject.org/torbrowser/8.0/ https://dist.torproject.org/torbrowser/8.0/torbrowser-install-8.0_en-US.exe