A significant release of the specialized browser Tor Browser 13.0 was formed, in which the transition to the ESR branch of Firefox 115 was made. The browser is focused on ensuring anonymity, security and privacy, all traffic is redirected only through the Tor network. It is impossible to contact directly through the standard network connection of the current system, which does not allow tracking the user’s real IP address (if the browser is hacked, attackers can gain access to system network parameters, so products such as Whonix should be used to completely block possible leaks). Tor Browser builds are prepared for Linux, Android, Windows and macOS.
To provide additional security, Tor Browser includes the “HTTPS Only” setting, which allows you to use traffic encryption on all sites where possible. To reduce the threat of JavaScript attacks and block plugins by default, the NoScript add-on is included. To combat traffic blocking and inspection, fteproxy and obfs4proxy are used.
To organize an encrypted communication channel in environments that block any traffic other than HTTP, alternative transports are proposed, which, for example, allow you to bypass attempts to block Tor in China. The WebGL, WebGL2, WebAudio, Social, SpeechSynthesis, Touch, AudioContext, HTMLMediaElement, Mediastream, Canvas, SharedWorker, WebAudio, Permissions, MediaDevices.enumerateDevices, and screen APIs are disabled or restricted to protect against tracking user movement and highlighting visitor-specific features. orientation, as well as the means of sending telemetry, Pocket, Reader View, HTTP Alternative-Services, MozTCPSocket, "link rel=preconnect", modified libmdns.
In the new version:
- The transition to the Firefox 115 ESR codebase and the stable tor 0.4.8.7 branch has been made. During the transition to a new version of Firefox, an audit of changes made since the appearance of the ESR branch of Firefox 102 was carried out, and patches that were questionable from a security and privacy point of view were disabled. Among other things, the string-to-double conversion code has been replaced, the function of exchanging recent links has been disabled, the API for saving PDF has been disabled, the service and interface for auto-hiding Cookie confirmation banners have been removed, and the text recognition interface has been removed.
- The icons have been updated and the application logo has been refined, while maintaining overall recognition.
- A new implementation of the home page (“about:tor”) is proposed, notable for the addition of a logo, simplified design and leaving only the search bar and the “onionize” switch for accessing DuckDuckGo through the onion service. Home page rendering has improved support for screen readers and accessibility features. Showing the bookmarks bar is enabled. Resolved an issue with the “red screen of death” that occurred due to a failure when checking the connection to the Tor network.
After:
It was:
- The size of new windows has been increased and now defaults to an aspect ratio that is more convenient for widescreen users. To prevent screen and window size information from leaking, Tor Browser uses a letterboxing mechanism that adds padding around the content of web pages. In previous versions, as the window was resized, the active area would resize in 200x100 pixel increments, but was limited to a maximum resolution of 1000x1000, which due to its insufficient width caused problems with some sites that showed a horizontal scrollbar or displayed a tablet version and mobile devices. To solve this problem, the maximum resolution has been increased to 1400x900 and the step-by-step resizing logic has been changed.
- A transition has been made to a new package naming scheme corresponding to the pattern “${ARTIFACT}-${OS}-${ARCH}-${VERSION}.${EXT}”. For example, the macOS build was previously shipped as “TorBrowser-12.5-macos_ALL.dmg” and is now “tor-browser-macos-13.0.dmg”.
- When selecting the "Safest" mode for searching through DuckDuckGo, the site is now accessed without JavaScript.
- Improved protection against leaks via WebRTC.
- Enabled cleaning of URL parameters used to track movements (for example, the mc_eid and fbclid parameters used when following links from Facebook pages are removed).
- Removed javascript.options.large_arraybuffers setting.
- The browser.tabs.searchclipboardfor.middleclick setting is disabled on the Linux platform.
Source: opennet.ru