Tor Browser 60

They actually did it. They upgra... *coughs* *spits out blood and semen* ...changed the platform to Firefox 60.

Now I can enjoy having a gazillion "firefox" child processes with the UI freezing each time I load the catalog, all the while using over 300 MB of RAM as usual because fuck efficiency in the CY+3 amirite?

I'd ask what technical reasons do the Tor guys have to base their browser on Firefox and not anything else, like Midori or fucking Dillo even. They're hoping to piggyback on Firefox's bugfixes, is that it? Hoping to piggyback on the fancy kewl stuff like WebRTC which they end up disabling for privacy reasons anyway?

Attached: Tor.png (1141x700, 386.42K)

...

Why do you care? Just use Tor with whatever browser you want.

enjoy being fingerprinted

It's increasingly harder to backport security fixes.

I think you can change that behaviour with dom.ipc.processCount

Now imagine trying to lock down said browser on an extremely tight chroot, running as another user and on a nested X server. I had to spend quite a bit of time to change what I did for the previous version, mainly because of changes made in Firefox 60 and GTK3.

Also: trac.torproject.org/projects/tor/ticket/26146

firefug and all its forks already froze every time you do anything, but knowing mozilla whatever new version of firefug this is, it's probably 10x worse

it's increasingly harder to use the web without punching the screen

blog.torproject.org/new-release-tor-browser-80
>Tor Browser 8.0 comes with a series of (((user experience))) improvements that address a set of long-term Tor Browser issues you’ve told us about. To meet our users' needs, Tor Browser has a new user (((onboarding experience))); an updated (((landing page))) that follows our (((styleguide))); additional language support; and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.

trac.torproject.org/projects/tor/ticket/26146

Congratulations, you solved the mystery. Despite your whining, pre-60 FF was a security nightmare compared to its successor. As a consumer, that might be hard to understand, but the Tor project has bigger priorities than temporary, superficial performance issues.

You're the same kind of person who thinks VPNs protect your identity because they conceal your IP address.

You glowintheniggers resort to the "old version is insecure" FUD like clockwork. You should be specific about what made pre-60 FF a "security nightmare" if only for the sake of your own credibility.

As a developer/shill, that might be hard to understand, but the Tor project will change its priorities accordingly when a more performant Tor-like alternative appears and the users will flock to it.

nigger running a web browser period is a security nightmare. what's better in the new firefug? do they have sandboxing now? and if you're talking about web app security like preventing CSRF and clickjacking, you should just kill yourself.

Not him, but yes.

The whole point of the Tor browser is that all of its users are identical to one another. It doesn't even matter what the basis of their browser is; so long as their users are indiscernibly identical, then they've achieved their intended effect. What's important is that the Tor browser piggybacks off of a project that's actively maintained. I know I came off a little condescending before, but if you're a programmer, then you of all people should understand that the technical superiority (and, frankly, touting a technically superior browser is like lauding the winner of the Retard Olympics) of a piece of software means very little when there are bugs just sitting there with no one to address them, waiting to be exploited. Wouldn't you rather have a project that allots their time and resources doing what they set out to do–what people expect them to do–rather than maintaining an abandoned codebase in a scope and capacity that they've never encountered before, that they don't have experience with?

my issues with it are they use vanilla noscript now instead of their fork, also about:addons pages no longer work

I wish this weren't true. Tor Browser 8 crawls. It's not just RAM usage, either. It works the CPU harder than Rocco Siffredi works Czech girls' buttholes.

Dillo is a js-free browser. I regard that as an advantage, since I block all js on Tor Browser anyway, but I doubt the TBB people would be interested in using it, because they're still trying to appeal to people who insist on using at least some js, i.e. pretty much everyone (even people who use Tor and ought to know better). I don't think Dillo can use SOCKS proxies, either.

>trac.torproject.org/projects/tor/ticket/26146
lol it dumps your OS now and relies completely on the (((mozilla))) setting for "resist fingerprinting". The jewish developers defend this.

The argument that "you must use tor browser with tor or muh fingerprinting" is now completely invalid. I'll bet you it still calls home to mozilla.

IMO they should use uMatrix. That said I like the new NoScript better simply because its stupid menu doesn't pop up and intercept keystrokes when the mouse hovers over the NoScript button (tl;dr: "old was a UI fuckup").
Works for me. If you upgrade 7.5 to 8.0 in-place, weird things can happen. So you might want to delete Tor Browser then clean install it (back up the "TorBrowser/Data/Tor" dir if you care about keeping your current guard node).


Pic related.

Agreed. If a browser doesn't need to work as a virtual machine for JavaScript code, it can be kept smaller and faster, and in addition should be having a smaller "attack surface" or whatever it's called. Too bad even DuckDuckGo requires JavaScript for image searches. It shouldn't be like this.


And despite this the browser still bitches if I maximize its window. You know, I don't understand why the tradition of the User Agent containing OS information is allowed to continue. In a better world the website shouldn't even care what my browser is; everything should be standardized and compatible because the days of Internet Explorer are gone. But as it is, the UA might as well contain a hash of my hardware components, I mean why not?
You know what would be funny? If at some point Tor Browser starts collecting telemetry data, you know, "to help devs improve the user experience."

Attached: the_tor_situation.jpg (640x358, 45.03K)

Is this a PsyOp? Some people keep screeching about how insecure Firefox is and when you tell them “Just use Tor with a browser you consider secure.” they throw back at you a straw man.

Configuring your own browser is generally discouraged because unless they know what they are doing, they could lose anonymity and security. They could stand out from the crowd due to fingerprinting. Not only that, but if people are sloppy they could forget to block trackers or protect themselves from harmful javascript. Maybe they open a pdf in their browser and it's bugged.
It's relying on people to do extra work and properly configure their browser themselves. Also, you really want everyone to use the same browser since it improves the anonymity of the network as a whole when more people look the same.

They aren't far from it. there's actually discussion about adding cloudflare's add-on (((Privacy Pass))) which will give you a good-goy pass tied to what can only be a unique ID, in exchange for not getting endlessly captcha-trolled or outright blocked.

the fact that this ticket has been open for 10 months and wasn't rejected outright says something.
trac.torproject.org/projects/tor/ticket/24321

Attached: botnet.png (797x457, 31.42K)

...

found the jew

No u

You are truly enlightened.

I just use IceCat with the retarded add-ons disabled and proxy through Tor. Funny thing is, on a mobile tablet or phone, start Termux up, start Tor in daemon mode, back out, start up U browser and point your proxy at Tor and you can avoid Orbot.

Tor "bitches" because websites can and do fingerprint users based on screen resolution. They recommend users to leave the screen at the default size because that way all users look the same. Congratulations, by maximizing the window you'll be one of the very few imbeciles running Tor Browser on a 1920x1080 screen.
As for why the operating system is part of the UA, it's because websites may need that information. For instance, giving users a specific .exe depending if they're on Windows 7, 8 or 10; giving them a x86 or x64 .exe or a .deb if they're on Ubuntu/Debian and a .tar.gz if they're on other "Linux" operating systems.
Not that it matters, since guessing the operating system a browser is running on is very, very easy thanks to installed fonts, supported formats, hardware acceleration, WebGL, etcetera. This is why changing the User Agent to appear as if you're using another OS is retarded and actually makes you easier to identify.
Tor Browser does a bunch of shit to mitigate all this and keep all their users with the same fingerprint. Firefox is the only browser that not only allows them to configure all that, Mozilla has actually added features and bugfixes to help them achieve this.
So yeah, stop talking out of your ass.
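An added illustration of the anonymity-set argument in the post above (not part of the original thread): it measures how many visitors share a fingerprint and how many bits a maximized window gives away, compared with everyone staying at the default size. The population counts and the `1000x900` default are constructed assumptions, not measurements of real Tor Browser users.

```python
import math
from collections import Counter

# Constructed population of 1000 visitors as (window size, OS in User-Agent).
# The counts are invented for illustration; they are not measurements.
DEFAULT_SIZE = "1000x900"  # assumed stand-in for the browser's default window
POPULATION = (
    [("1000x900", "Windows")] * 600
    + [("1000x900", "Linux")] * 250
    + [("1000x800", "Windows")] * 100
    + [("1000x800", "Linux")] * 40
    + [("1920x1080", "Windows")] * 8
    + [("1920x1080", "Linux")] * 2
)


def anonymity_set(population, fingerprint):
    """Number of visitors whose fingerprint is identical to `fingerprint`."""
    return Counter(population)[fingerprint]


def surprisal_bits(population, fingerprint):
    """Identifying information (in bits) revealed by showing `fingerprint`."""
    matches = anonymity_set(population, fingerprint)
    if matches == 0:
        raise ValueError("fingerprint not present in population")
    return math.log2(len(population) / matches)


def entropy_bits(population):
    """Shannon entropy of the fingerprint distribution over the population."""
    total = len(population)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(population).values())


def with_default_window(population, default_size=DEFAULT_SIZE):
    """Model the mitigation: every visitor leaves the window at the default."""
    return [(default_size, os_name) for _size, os_name in population]


def report(population, fingerprint):
    """Return (anonymity set size, surprisal in bits) for one fingerprint."""
    return (anonymity_set(population, fingerprint),
            surprisal_bits(population, fingerprint))


if __name__ == "__main__":
    maximized = ("1920x1080", "Linux")
    default = (DEFAULT_SIZE, "Linux")
    for label, fp in (("maximized", maximized), ("default", default)):
        size, bits = report(POPULATION, fp)
        print(f"{label:10s} set={size:4d} bits={bits:.2f}")
    uniform = with_default_window(POPULATION)
    size, bits = report(uniform, default)
    print(f"all default set={size:4d} bits={bits:.2f}")
    print(f"entropy before={entropy_bits(POPULATION):.2f} "
          f"after={entropy_bits(uniform):.2f}")
```

With every window at the default, the only attribute left separating visitors in this model is the OS string, which is the residual leak the thread argues about.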

I'm pretty sure every Gecko based browser will update to the post-Quantum versions eventually, except for Pale Moon. Waterfox and Icecat are going to do it if they haven't already.
Time to throw out your single core CPU.
Probably because Firefox gets the most money and attention thrown at it compared to other browsers with copyleft licensing, plus it has a future of being a little safer maybe, according to the Rust rocket propaganda anyway. Another reason is they're already basing it on Firefox so why would they switch to your niche browser with 0 features?
Godawful dogshit webkit browser that crashes nonstop.
Doesn't implement all the webshit (massively behind on purpose) and has zero support for extensions.

Don't all of those fingerprinting methods require JS? Anyone with common sense has it disabled anyway.

If this bullshit happens I think I'll just quit the web for good.

I dont even know what sort of faggots browse this dead shithole any more.

Halfchan newfags and poltards.

Unfortunately, there are services people want that basically have a monopoly, so, if they expect you to run js on their site for their service to function, you're basically going to run it regardless of your stance.

No shit, but that's irrelevant you're one of the many Tor users avoids cuckflare and jewgle shit anyway or just browses .onions

Do you even use Tor?

Yes. I exclusively use Tails for online stuff, don't have any accounts at all, and only keep personal stuff on a separate airgapped PC.

Nope
browserleaks.com/css

Oh, I see. You're that kind of retard. Well, it's a good thing you made that known, or else I might have taken your advice seriously.

...

I've always disliked noscript, but damn this update fucking sucks. And where the fuck is circuit switching? It won't even display the circuit anymore. Let me guess, they're gonna say something like "goyim will abuse it to get the best exit nodes". Fuck this new poz

How do I use Tor with other browsers?

I don't know if this makes me more or less traceable, but I like it nonetheless. Seems to me it's worthless compared to the wealth of information you can get from JS.
polite sage for talking out of my ass

Attached: but feathers.png (458x458, 134.08K)

Bump!

Run Tor as a service and set the SOCKS port as a proxy for your web browser.

I CAN'T SEE MY ROUTE! Anyone else? I want to know if I'm exiting in Germany or Sweden.

click the ( i ) that's on your UR. Where the lock is on https sites.

The route display moved to the address bar. "New Identity" and "New Circuit" moved to hamburger menu.

look who's CIA nigger here

Oh shit, that's nice. Divided functionality and moved everything in three different buttons instead of just one, also stopped showing bridge guard country. There are a few complaints in their blog, but all their representative does is answer that it's more convenient. A shitty landing page in agile responsive Boobcrap doesn't even tell us all about these new "features", where and why they were relocated.
Wow, just wow.

Thanks. I was getting worried.

ya whatever this whole argument is bullshit. i'm convinced this is only to boost Tor Browser's popularity now. Don't use any other browser with Tor goy! It's dangerous! muh fingerprinting!! You can only use (((our))) browser, which for some reason is not included in any repositories that i've seen, not even in gentoo, which means 99% of people are downloading straight binaries directly from them.

Let sites fingerprint. If you spoof the shit the browser sends to be random every time, they can have fun with that. And even if they do manage to fingerprint, who gives a fuck, you're behind 3 tor proxies, and the same people who shill "muh fingerprinting" also shill that the tor network has never been broken and all people who got burned for doing stupid shit were burned because they were fucking idiots.

That's literally how you do it. You can't use the Tor browser because it's endorsed by (((this))), you can't use the daemon because of (((that)))--what the hell do you want? You can use Privoxy as a http wrapper, which is what I do, but that has mostly the same flaws when browsing the web.

I know this post is a joke--you went too heavy on the typos--but, for the record, Gentoo ships both the Tor Browser Bundle and the Tor Browser unwrapped. Every distribution ships with Tor. It's one of the few fringe networking tools available in every distribution.

This is what happens when you hire UX designers instead of security doods

please, by all means, tell me where the tor browser is in the gentoo official repositories. it isn't there.
forums.gentoo.org/viewtopic-t-1028454-start-0.html
the recommended course of action is to install the binary from the tor project site
wiki.gentoo.org/wiki/Tor#Browsers

this is the closest i've found
gpo.zugaina.org/www-client/torbrowser-launcher
a random overlay which is no better than Arch's AUR.

It isn't in the official repos.
It's not in jewbuntu's repo's either, if you want to get it that way you have to add a PPA.

Attached: 404.png (760x483, 24.56K)

Isn't that the case with any silicon valley shit?

well maybe but that is ok for some things like recreational software, media streaming and the like. however tor is a cyber security software so security should be more important than stuff like styleguides.

Who let you in here?

Why are you even talking to me if the only thing that concerns you is what affects you and your own lifestyle?

Works on my distribution ;^)

Why didn't the Jews just keep Tor Browser on the previous ESR, or better yet, switch to Pale Moon?

Attached: 19ea7250f8b0c586fba255a617174766e8964c8aac9994527b42331bcf40fb02.jpg (853x480, 47.85K)

i wonder how much mozilla (((donated))) to their pockets

Because using really old builds is a security issue. See zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

Sounds like FUD to scare people in to updating to me!

...

Yes, sounds like some type of FUD for sure although it makes me want to look into uMatrix like .

I personally use ublock origin and umatrix with the tor browser for practically all my web browsing.

Considering the bypass was caused by Noscript, is adding these other addons enough or do you need to uninstall Noscript too?

I will never understand people that use NoScript. They want selective rape or something?
My computer can't even run TBB 8.* anyway.

That is one way to put it, but I liked the ability to permit scripts from a handful of trusted sites while still blocking the more easily compromised third party tracking scripts etc.

To spoof shit you need JS. If you have JS enabled it is trivial to guess what the real values for the shit your browser sends are. If you have JS disabled you can't spoof anything but User Agent, but your browser can still be fingerprinted through CSS. Plus, the Tor team makes changes to the configuration and sometimes the source code itself.
As for why it isn't in many repos, why don't you ask your repo maintainers yourself? The Tor team can't (and it isn't their responsibility) maintain packages for other distros. Tor is in the Debian repos (packages.debian.org/search?keywords=torbrowser-launcher) but even Debian guys recommend to use the official tarball.

I don't know dude. Must be a conspiracy.
Security fixes added in Firefox 60: mozilla.org/en-US/security/advisories/mfsa2018-11/
Security fixes added in Firefox 60.0.2: mozilla.org/en-US/security/advisories/mfsa2018-14/


Mainly because NoScript blocks XSS requests, clickjacking, click-to-play media and other stuff. Apparently the NoScript guy has added stuff to the addon just for the Tor Browser.
See: trac.torproject.org/projects/tor/ticket/15279

Jesus Christ, what happened to this site? A bunch of retards screeching "conspiracy" at everything and wrapping words in parentheses as if those were arguments instead of lurking and discussing the topic.

Attached: 1536640482754.jpg (740x1130, 275.19K)

NoScript downloads scripts, but prevents them from executing. By disabling scripts in about:config, you will stand out among other Tor Browser users who put security slider on highest setting.

tor-browser-launcher is a wrapper that downloads official browser tarballs from tor project's mirrors and checks them for validity with built-in keys. I think it's much better to trust browser developers with software delivery than random 8th-grader who maintains AUR repo.

that's another good point
where's the "muh fingerprint" kvetching about the security slider? does your fingerprint not change when you use it? The default is minimum security, so god forbid you deviate from that you are now fingerprinted, as I imagine most people do not alter the slider setting.

hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html
The scariest thing that comes in mind from JS fingerprinting is scrollbar width.
Although, it can be fixed with proper window manager theme.
There are different system-specific fonts, canvas, and lots of other things Tor Project declines to fix, and also there's Mozilla's backstabbing.
Should we run a browser inside different real OS VMs to make it less fingerprintable? Probably.

Fuck being autistic tbh, tor finally works good and I can watch my memes without any lags and other shit, it has only 2 problems

One of the really vile things they've done in the last few years is make the trac tickets un-searchable if you aren't a registered contributor. Without being able to search the tickets, it is near impossible to fix obscure problems.

1. Taking steps to forbid or manipulate what users can do with the Tor network would inevitably make it easier for others to attack legitimate users. Other networks, like GNUNet, I2P and Freenet have had to take a similar stance sadly. There simply is no way to moderate a network while also making it impossible to censor or attack by others.
2. The point of Tor is not to hide the fact that you're using Tor (funnily enough, by enabling privacy.resistFingerprinting in Firefox some websites think you're using Tor), but to make every Tor user seem unique.
3. Reddit is not the place to disclose bugs.
4. HTTPS mitigates MITM attacks and makes it exponentially harder for others to read the contents of your browsing. If, and even if, what he claims about HTTPS making users easier to identify is true; it doesn't matter if every Tor user looks the same.
5. His JavaScript code fails to detect zoom and window size on the new Tor Browser. This may be part of the new patches Mozilla introduced to Firefox since enabling privacy.resistFingerprinting also makes that website report wrong zoom levels and window size.
6. His attack requires JS on, just like most attacks. The Tor guys recommend users to disable JS and everyone should do the same.
The only fair points he made are about the secrecy and how hard it is to report bugs to the Tor team. Everything else is literally explained in the Tor FAQ.
The Tor Browser comes with its own fonts and has taken steps to mitigate this, even then Browserleaks seems to be able to fingerprint users through fonts as long as JS is enabled.
Tor and Mozilla have taken steps to mitigate that. As you can see, Tor users have all the same fingerprint.
????
With JS on, it's possible to take a lot of info about the Tor Browser. With JS off the only bit of identifying information is the OS the browser is running on. That guy has a point: this is a problem that should be solved. I do recall Mozilla employees looking into this and coming with the conclusion that it's impossible to spoof other OSes though.
JS should always be off when using Tor.
That's the point behind Tails and Heads. And I do believe the Tor project recommends to use a VM or bootable USB instead of a regular OS as a host.

Attached: tor3.png (560x626 179.67 KB, 44.28K)

Deleted all info to avoid 1337 hax0r5 from pwning me.

Attached: tor4.png (1052x1026, 148.6K)

Nigger, the three letters and their work is half of the reason why old software gets pwned at a worrrying pace.
The other half is that there's a lot of money to be made via pwning old software because a bunch of companies use outdated shit and because normies seldom update.
You shouldn't use Tor because it performs well, you should use it because it anonymizes you well.


Do you even know what a strawman is?


The reason why the ticket wasn't closed immediately is that Cloudflare can do, and is doing, more harm to Tor than all the glow-in-the-dark put together: and nobody is stopping them.

And how would we do that? Tor's userbase is unlikely to be big enough to make a difference. I'd laugh if what finally undoes it is FBI niggers complaining to Cloudflare after realizing they can't mask their identity while performing investigations because the site they're trying to get on won't even load.

A few days back a guy just popped up on twitter telling that Tor Browser version 7 has a huge bug that makes it basically useless.

Good guy Maone, dev of NoScript, released a new version of his addon.

This story tells alot, behind the mainframe exploits are sold like crazy and sure Tor Browser has a lot of interest from CIA Niggers and - by black market bling blings - L337 HaxXxers.

Lol the DNS hype is like the Cloud hype 2.0

It's all CIA Nigger's synthetic hype for you use 1.1.1.1 or jew:jew:jew:jew because ITS SECURER THAN EVER AND FASTER GOYM

The bug allowed you to bypass noscript. if you had javascript.enabled;disabled as is recommended you were not affected.

Now add proper cookie management with ability to delete them without restarting the whole browser, isolated website containers to remove cross-linking, media device fingerprinting, mouse acceleration spoofing, typing speed scrambler.

I also wonder how many Tor users keep the original window size and JavaScript off.
Has anybody gathered such statistics?

Don't run shady javascript in the first place

They're too incompetent to write their own back doors so they rely on Chris Beard and Giorgio Maone

Attached: CIAnigger17.jpg (459x446, 121.54K)

check'em faggots

Attached: untitled.PNG (1588x957, 221.3K)

firefox is basically the new open source version of google.

...

because they can connect your identities if the fingerprints match.

There are addons for that. If I recall correctly, there was a bug report of that some years ago and someone said that websites could check when the cookies are deleted and then make a time-based attack or something.
This is a good idea. Mozilla made something similar with Site Containers, but those are kinda bugged.
???
I'd like to see that, too. Though it is unnecessary if JS is off.

It doesn't matter if you're Johnny Peter, the 8ch shitposter who does nothing but waste time on Zig Forums and ExHentai; but when you're Juan Pedro, the Mexican reporter investigating cartel-based corruption in the government, you need to leave no trace at all, since it could lead to him being unmasked and brutally murdered eventually.

That's my point, nobody who cares can do anything about it.
The three letters telling cloudflare to knock it off would be wonderful, but it's unlikely to happen anytime soon: also they probably already have captcha bypasses and/or burner accounts to get around it.


That is not recommended by anyone but idiots, that setting means you don't even GET .js files and thus make yourself stand out.


Without fingerprinting, anyone controlling the sites you visit can collect data that eventually points out how those anonymous connections probably all came from the same person.
At that point they can crossreference the anonymous fingerprint with your clearnet fingerprint and bingo, you're fucked.
It doesn't matter how secure the network is if you're sending identifying information.

this piece of shit new
POZ Browser also FREEZES CONSTANTLY
might as well just pump Chrome with full botnet over Tor and done with it.

300mb is an underestimation. I am using FF rn and it is using 700mb of RAM which is raping my chinkpad

How would this be done when you're using completely different browsers? If my unique full botnet fingerprint is the same or damn close to Poz Browser's fingerprint then there's clearly a problem with Poz Browser.

actually after testing this it only freezes when you have the security slider set to anything but standard.

try it yourself, pull up a full board catalog, Zig Forums is a good example, a board with a lot of shit, and turn the slider off standard, it'll freeze for fucking 5 seconds loading the page over the .onion. it will not freeze with the slider on standard.

I have a 2012 i5 with 4 GB of RAM and I never see any slowdowns or freezes. What kinda hardware are you on?
I shiggy diggy.

There is just so much that can be done for old hardware. Even the precious Firefox 3 and Opera 12 would struggle to run properly on a Pentium II with 216 MB of RAM.

A browser should delete cookies when site circuit is refreshed or a user specifies to open a new identity for same site. Right now a user has no awareness whether a site plants a cookie or not. You can't see it, you can't delete it.
Properties of your sound card:
audiofingerprint.openwpm.com/
Problem is, too many sites need JS to be on. Hiding in crowd is easy and should be done globally, but Tor niggers are busy not spoofing user agents at the moment because that's kinda problematic and non-inclusive, you see?
As far as mouse and keyboard behavior are a concern, I think it's possible to do those on OS-level, need to research into that. Or for example when mimicking a touch-screen device, mouse movements should not be registered at all.

>audiofingerprint.openwpm.com/
How do you propose to mitigate that? Changing it may actually kill sound in TB.
Nice strawman. However, they do spoof the UA for MacOS and *BSD (which all appear as Linux.) All OSes, regardless of whether they are i686 or x86_64 appear as x86_64.
As I understand, they refuse to spoof User Agent because it is trivial to guess the real UA when JS is on. I'd say they should at least spoof the user agent to Windows if the user chooses to set the Torbutton slider to "safest" as it disables JS entirely.