After ten months of development significant release of a specialized browser , in which the development of functionality based on the ESR branch is continued . The browser is focused on providing anonymity, security and privacy, all traffic is redirected only through the Tor network. It is impossible to contact directly through the regular network connection of the current system, which does not allow tracking the real IP of the user (in the case of a browser hack, attackers can access the system network settings, so to completely block possible leaks, you should use products such as ). Tor Browser builds for Linux, Windows, macOS and Android.
For additional protection, the composition includes the addition , which allows you to use traffic encryption on all sites where possible. To mitigate the threat from JavaScript attacks and block plugins by default, an add-on is included . To combat blocking and traffic inspection, и .
To organize an encrypted communication channel in environments that block any traffic other than HTTP, alternative transports are proposed, which, for example, allow you to bypass attempts to block Tor in China. The WebGL, WebGL2, WebAudio, Social, SpeechSynthesis, Touch, AudioContext, HTMLMediaElement, Mediastream, Canvas, SharedWorker, Permissions, MediaDevices.enumerateDevices, and screen.orientation APIs are disabled or restricted to protect against tracking user movement and highlighting visitor-specific features. and also disabled telemetry sending tools, Pocket, Reader View, HTTP Alternative-Services, MozTCPSocket, "link rel=preconnect", modified libmdns.
In the new release:
- The panel was reorganized and access to the protection level indicator, which is moved from the Torbutton menu to the main panel. The Torbutton button has been moved to the right side of the panel. By default, the HTTPS Everywhere and NoScript add-on indicators have been removed from the panel (you can return them in the panel settings interface).
The HTTPS Everywhere indicator has been removed as it doesn't provide any useful information and the redirect to HTTPS is always applied by default. The NoScript indicator has been removed because the browser provides switching between basic security levels, and the NoScript button is often misleading with warnings that appear due to Tor Browser settings. The NoScript button also provides access to extensive settings, without a detailed understanding of which changing settings can lead to privacy problems and inconsistencies in the security level set in Tor Browser. JavaScript blocking control for specific sites can be done through the additional permissions section in the address bar context menu (“i” button);
- The style has been corrected and Tor Browser is compatible with the new design of Firefox, prepared as part of the project "". The design of the “about:tor” start page has been changed and unified for all platforms;
- New Tor Browser logos introduced.
- Updated versions of browser components:
Firefox 60.7.0esr, Torbutton 2.1.8, HTTPS Everywhere 2019.5.6.1, te OpenSSL 1.0.2r, Tor Launcher 0.2.18.3; - Assemblies are formed with the flag "", used for official Mozilla builds.
- The first stable release of the mobile edition of Tor Browser for the Android platform has been prepared, which is built on the Firefox 60.7.0 codebase for Android and allows operation only through the Tor network, blocking any attempts to establish a direct network connection. Includes HTTPS Everywhere and Tor Button add-ons. In terms of functionality, the Android edition still lags behind the desktop version, but provides almost the same level of protection and privacy.
Mobile version on Google Play, but also in the form of an APK package from the project website. Publishing in the F-droid catalog is expected soon. Supports devices with Android 4.1 or newer version of the platform. Tor developers note that they do not intend to create a version of Tor Browser for iOS due to restrictions introduced by Apple and recommend a browser already available for iOS developed by the project .
Key differences between Tor Browser for Android and Firefox for Android:
- Blocking code for tracking movements. Each site is isolated from cross-requests, and all cookies are automatically deleted after the session ends;
- Protection against interference in traffic and monitoring of user activity. All interaction with the outside world occurs only through the Tor network, and in case of interception of traffic between the user and the provider, the attacker can only see that the user is using Tor, but cannot determine which sites the user opens. Protection against interference is especially relevant in an environment where some domestic mobile operators do not consider it shameful to wedge into unencrypted user HTTP traffic and substitute their widgets () or advertising banners ( и );
- Protection from visitor-specific detection and user-tracking methods identification ("browser fingerprinting"). All users of Tor Browser look the same from the outside and are indistinguishable from each other when using advanced methods of indirect identification.
For example, in addition to storing an identifier through Cookies and the Local Storage API, identification may take into account a user-specific list of installed , time zone, list of supported MIME types, display options, list of available fonts, when rendering using canvas and WebGL, options in headers и , the manner of working with и ; - The use of multi-level encryption. In addition to HTTPS protection, user traffic passing through Tor is additionally encrypted at least three times (a multi-layer encryption scheme is used, in which packets are wrapped in a series of layers using public key encryption, in which each Tor node at its processing stage reveals the next layer and knows only the next stage of transmission, and only the last node can determine the destination address);
- The ability to access resources blocked by the provider or centrally censored sites. By of the Roskomsvoboda project, 97% of sites currently blocked in the Russian Federation are blocked illegally (they are located on the same subnets with blocked resources). For example, 358 Digital Ocean IP addresses, 25 Amazon WS addresses, and 59 CloudFlare addresses are still blocked. Under illegal blocking, including many open source projects including bugs.php.net, bugs.python.org, 7-zip.org, powerdns.com and midori-browser.org.
Source: opennet.ru