Tor Browser 9.5 update

The new version of Tor Browser is available for download from from the official site, version directory and Google Play. The F-Droid version will be available in the coming days.

The update includes serious security fixes Firefox.

The main emphasis in the new version is on improving the convenience and facilitating work with onion services.

Tor onion services are one of the most popular and easiest ways to establish an end-to-end encrypted connection. With their help, the administrator is able to provide anonymous access to resources and hide metadata from an outside observer. In addition, such services allow you to overcome censorship while protecting the user's privacy.

Now, when starting Tor Browser for the first time, users will be able to choose to use the default onion address if the remote resource provides such an address. Previously, some resources automatically redirected users to an onion address when Tor was detected, for which the technology was used alt-svc. And although the use of such methods is still relevant today, the new preference selection system will allow users to be notified when an onion address is available.

Onion Locator

Owners of Internet resources now have the ability to notify about the availability of an onion address using a special HTTP header. The first time a user with Onion Locator enabled visits a resource with this title and .onion is available, the user will receive a notification allowing them to prefer .onion (see photo).

Authorization

Administrators of onion services who want to increase the security and privacy of their address can enable authorization on it. Tor Browser users will now receive a notification asking for a key when they try to connect to such services. Users can save and manage entered keys in the about:preferences#privacy tab in the Onion Services Authentication section (see below). notification example)

Improved security notification system in the address bar

Traditionally, browsers mark TLS connections with a green padlock icon. And since mid-2019, in the Firefox browser, the padlock has become gray in order to better draw users' attention not to a connection that is secure by default, but to security problems (more here). Tor Browser in the new version follows Mozilla's example, making it much easier for users to understand that an onion connection is not secure (when downloading mixed content from a "normal" network or other problems, for example here)

Separate download error pages for onion addresses

From time to time, users encounter problems connecting to onion addresses. In previous versions of Tor Browser, when there were problems connecting to .onion, users would see the standard Firefox error message, which did not explain why the onion address was not available. The new version adds informative error notifications on the user, server and network side. Tor Browser began to display a simple diagram connection, which can be used to judge the cause of connection problems.

Names for Onion

Due to the nature of the cryptographic protection of onion services, onion addresses are difficult to remember (compare, for example, https://torproject.org и http://expyuzz4wqqyqhjn.onion/). This greatly complicates navigation and makes it more difficult for users to discover new addresses and return to old ones. The address owners themselves previously organically solved the problem in one way or another, but until now there was no universal solution suitable for all users. The Tor Project approached the problem from a different angle: for this release, it partnered with the Freedom of the Press Foundation (FPF) and HTTPS Everywhere (Electronic Frontier Foundation) to create the first conceptual human-readable SecureDrop addresses (see below). here). Examples:

The Intercept:

• http://theintercept.securedrop.tor.onion/
• http://xpxduj55x2j27l2qytu2tcetykyfxbjbafin3x4i3ywddzphkbrd3jyd.onion/

Lucy Parsons Labs:

• http://lucyparsonslabs.securedrop.tor.onion/
• http://qn4qfeeslglmwxgb.onion/

FPF has secured the participation of a small number of media organizations in the experiment, and the Tor Project along with FPF will jointly make future decisions on this initiative based on feedback on the concept.

Full list of changes:

• Updated Tor Launcher to 0.2.21.8
• Updated NoScript to version 11.0.26
• Firefox updated to 68.9.0esr
• Updated HTTPS-Everywhere to version 2020.5.20
• Updated Tor router to version 0.4.3.5
• goptlib updated to v1.1.0
• Wasm disabled pending proper audit
• Removed deprecated Torbutton settings items
• Removed unused code in torbutton.js
• Removed synchronization of isolation and fingerprint settings (fingerprinting_prefs) in Torbutton
• The control port module has been improved for compatibility with v3 onion authorization
• Default settings moved to 000-tor-browser.js file
• torbutton_util.js moved to modules/utils.js
• Returned the ability to enable rendering of Graphite fonts in the security settings
• Removed executable script from aboutTor.xhtml
• libevent updated to 2.1.11-stable
• Fixed exception handling in SessionStore.jsm
• Ported firstparty isolation for IPv6 addresses
• Services.search.addEngine no longer ignores FPI isolation
• MOZ_SERVICES_HEALTHREPORT disabled
• Bug fixes ported 1467970, 1590526 и 1511941
• Fixed a bug when uninstalling the disconnect search add-on
• Fixed bug 33726: IsPotentiallyTrustworthyOrigin for .onion
• Fixed broken browser when moving it to another directory
• Improved behavior letterboxing
• Removed search engine Disconnect
• Enabled support for the HTTPS-Everywhere SecureDrop rule set
• Eliminated attempts to read /etc/firefox

Source: linux.org.ru