After 8 months of development, a significant release of the specialized browser Tor Browser 11.5 is presented, which continues the development of functionality based on the Firefox 91 ESR branch. The browser is focused on providing anonymity, security and privacy, all traffic is redirected only through the Tor network. It is impossible to contact directly through the regular network connection of the current system, which does not allow tracking the real IP of the user (in the case of a browser hack, attackers can access the system network settings, so products such as Whonix should be used to completely block possible leaks). Tor Browser builds are prepared for Linux, Windows and macOS.
For additional security, Tor Browser includes the HTTPS Everywhere add-on, which allows you to use traffic encryption on all sites where possible. To mitigate the threat of JavaScript attacks and plugin blocking by default, the NoScript add-on is included. To combat blocking and traffic inspection, fteproxy and obfs4proxy are used.
To organize an encrypted communication channel in environments that block any traffic other than HTTP, alternative transports are proposed, which, for example, allow you to bypass attempts to block Tor in China. The WebGL, WebGL2, WebAudio, Social, SpeechSynthesis, Touch, AudioContext, HTMLMediaElement, Mediastream, Canvas, SharedWorker, WebAudio, Permissions, MediaDevices.enumerateDevices, and screen APIs are disabled or restricted to protect against tracking user movement and highlighting visitor-specific features. orientation, as well as the means of sending telemetry, Pocket, Reader View, HTTP Alternative-Services, MozTCPSocket, "link rel=preconnect", modified libmdns.
In the new version:
- Added the Connection Assist interface to automate the configuration of bypassing the blocking of access to the Tor network. Previously, in the case of traffic censoring, the user had to manually obtain and activate bridge nodes in the settings. In the new version, blocking bypass is configured automatically, without manually changing the settings - in case of connection problems, blocking features in different countries are taken into account and the best way to bypass them is selected. Depending on the user's location, a set of settings prepared for his country is loaded, a working alternative transport is selected, and a connection is established through bridge nodes.
To load the list of bridge nodes, the moat toolkit is used, which uses the "domain fronting" technique, the essence of which is to access via HTTPS with a fictitious host specified in the SNI and the actual transmission of the name of the requested host in the Host HTTP header within the TLS session (for example, delivery networks can be used content to bypass blocking).
- The design of the section of the configurator with the settings of the Tor network parameters has been changed. The changes are aimed at simplifying the manual configuration of bypassing locks in the configurator, which may be required in case of problems with automatic connection. The section with Tor settings has been renamed to "Connection settings". At the top of the settings tab, the current connection status is displayed and a button is provided to check if the direct connection (not through Tor) is working, allowing you to diagnose the source of connection problems.
Changed the design of information cards with bridge nodes data, with which you can save working bridges and share them with other users. In addition to the buttons for copying and sending the bridge node map, a QR code has been added that can be scanned in the Android version of Tor Browser.
If there are several saved maps, they are grouped into a compact list, the elements of which are expanded upon clicking. The bridge in use is marked with a "β Connected" icon. For a visual separation of the parameters of the bridges, βemojiβ pictures are used. The long list of fields and options for bridge nodes has been removed, the available methods for adding a new bridge have been moved to a separate block.
- The main structure includes documentation from the site tb-manual.torproject.org, to which there are links from the configurator. Thus, in case of connection problems, the documentation is now available offline. Documentation can also be viewed through the menu "Application Menu > Help > Tor Browser Manual" and the service page "about:manual".
- By default, the HTTPS-Only mode is enabled, in which all requests made without encryption are automatically redirected to secure page options ("http://" is replaced by "https://"). The HTTPS-Everywhere add-on, previously used to redirect to HTTPS, has been removed from the desktop version of Tor Browser, but remains in the Android version.
- Improved font support. To protect against system identification by enumerating available fonts, Tor Browser ships with a fixed set of fonts and blocks access to system fonts. Such a limitation led to a violation of the display of information on some sites using system fonts that were not included in the set of fonts built into Tor Browser. To solve the problem, the built-in font set has been expanded in the new release, in particular, fonts from the Noto family have been added to the composition.
Source: opennet.ru