Is TOR 8.0 broken and insecure?

[Elrik]

My TOR browser updated itself to 8.0.
After it did so it took me a minute to realize, but noscript was not functioning despite being turned on. I restarted TOR and I toggled noscript to allow all and back to block, it still wouldnt block anything. I decided I may have put an old TOR through one too many updates so I installed a new copy of 64-bit TOR in a new directory, not only was noscript still broken but it could not restore bookmarks from either backup type. I tried 32-bit TOR, same thing. I downgraded to a new copy of TOR 7.5.6, both noscript and bookmark import worked, but when it upgraded itself to 8.0 noscript was broken again.
64 bit system with windows 10 and up to date everything.
For now I'll downgrade to 7.5.6 and disallow updates.

Anyone else having this particular problem?

 

[dreamer042]

My TOR also did the autoupdate but noscript seems to be functioning just fine for me. I haven't tried importing bookmarks but the ones that were already there came through the update just fine. I notice my little onion icon option to trace my connection route and create a new route is gone which miffed me a little bit, but it is correctly masking my ip, so everything appears to be functioning as it should.

I'm on Ubuntu 18.04. If you are concerned about security why on earth are you using windoze?

 

[Dogbark]

If youre really concerned with security TOR isnt the best choice anyway. A lot of funding for TOR comes directly from the US government: The Tor Project | Privacy & Freedom Online

Also the NSA runs a lot of tor nodes apparently. I dont have a good source for this though.

 

[Auxin]

That the US funds TOR is not proof of its insecurity.
US agencies and military use TOR because its better than their security.
If you encrypt, you no doubt use encryption algorithms that are DoD level strong. So thy not use DoD level strong proxies?
TOR alone isnt enough to make you safe, but its usually a step in the right direction and if nothing else your ISP wont know what your doing.

 

[brazilman]

Forgive my tech ignorance but isn't the idea behind TOR that you form a network of "VPN"s so there is no way to pinpoint who is actually accessing what because things pass through a bunch of people before reaching the final user? Basically mixing everybody's internet use history? You use some other guy's IP to access dmt-nexus and some other guy uses your IP to access whatever, with a few added levels sure but is that not basically how it works? If that is basically right, why would you want to have your IP linked to the TOR network?

 

[Auxin]

Thats almost right, each user is in an interconnected network of users but only people who choose to be are 'exit nodes' out into the broader internet. Like a room full of people with one person at each door relaying messages to and from the outside, and people outside of the room can only hear that guy, you can choose if your one of those doormen.

 

[○]

Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.

There's in depth discussion on all this on stackexchange's website, specifically their information security subforum which is a massive wealth of information with constant ongoing discussion about all this.

 

[nexalizer]

Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.

I like to imagine a world where most people would a) understand the necessity of Tor and b) not be afraid of the thought police and millions - hundreds of millions - would run exit relays at home.

 

[Nicita]

It is important to realize that the TOR exit nodes can be used to collect unencrypted data. So make sure that you don't submit unprotected data through tor.

Also you ISP can see that you are connecting to the TOR network, which raises red flags by itself and might put you on a special watch list by any agency or cooperation that occupies itself with watching internet traffic.

Regular VPNs are much less suspicious, since they are widely used and not associated with the same crowd as TOR. You can also use a VPN to hide you are connecting to TOR.

The reason that so many people use tor is that the US-military and agencies use these people as cover for themselves (TOR comes out of the US-navy intelligence). If it was their network exclusively, everyone logging into the tor network would out themself as an agent. Now it can just be someone looking to buy viagra or being paranoid of surveillance.

If you are using TOR, please read about the known security risks and what to do about them.

 

[Elrik]

8.0.1 is out, complete with a purported noscript update.
And... it still cant block script. Back to 7.5.6

 

[○]

Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.

I like to imagine a world where most people would a) understand the necessity of Tor and b) not be afraid of the thought police and millions - hundreds of millions - would run exit relays at home.

Totally understand. Unfortunately [specifically the U.S] - it's just not the world [specifically the society] we currently live in.

Tor's great, don't get me wrong, but to set yourself up [beyond it's typical usage] unbeknownst to the potential [and fairly heightened] implications, well ..have at it then I guess.

I wish [though a pretty trite statement 'wish'] things were different, and 'maybe' one day things could change enough to the point of not having things as tapped into as they are, but then again - I don't see it happening personally, just my opinion/ime.

Cops aren't necessarily the worry - they're the last step in the process - the end result - when you get that knock. But all the chain of event before that that leads into that final step - well.. that is something to have concern over, imo/ime.

 

[Elrik]

I finally understand! :lol:
Over Here Rainner pointed out that the default has always been for noscript to be disabled. I knew that, but having it pointed out with the implication that noscript does work in TOR 8.x made me scrutinize it and I found the problem. When you click noscript it clearly shows 'Default' highlighted with the icon for blocked content. I had simply assumed default was blocked on TOR 8 [as it should be, so I didnt question it]. But, despite the icon for blocking, default is still set for allow-all. You have to go into the settings tab [above the default tab] and make all the block type selections for default match the settings for untrusted. There is no more 'forbid globally' option, but now the option to modify the properties of 'default'.
Thanks Rainner

 

[PsyDuckmonkey]

It's debatable what the default should be.

From a purists' point of view of course, everything should default to the highest level of security, ie. maximum lockdown, and every compromise toward usability would need to be enabled by hand.

From a practical point of view, having a sane compromise between security and usability is a good point to start for most, and the TOR developers assume that those in situations that require higher security will take the appropriate steps, as opposed to relying on defaults.

 

[MachienDome]

That the US funds TOR is not proof of its insecurity.

No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless :!:. Use TAILS, it provides a bit more security.

 

[dreamer042]

TAILS is just a liveboot linux session, it still uses TOR to connect.

 

[PsyDuckmonkey]

That the US funds TOR is not proof of its insecurity.

No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless :!:. Use TAILS, it provides a bit more security.

Please don't perpetuate superstition. TOR is not broken, and Tails is not particularly better than the TBB for most common threat models. In fact, it has serious drawbacks as well as benefits. Every anonymization and encryption is defeatable by an appropriate sidechannel attack. It's worth reading up how they arrested Dread Pirate Roberts.

Your opsec needs to be appropriate to your level of threat. Expecting to be targeted specifically, with people expending effort to spy on you as an individual target, and generic efforts to avoid getting caught in a dragnet data collection are two very different things, and need different levels of commitment on your part.

I won't quote how TOR should be used to browse and communicate safely, there's plenty written about that. And it's mostly not about your technology stack (though that does play a part), but about your behavior, both online and offline.

 

[Elrik]

TOR is not broken

Its unfortunate that I must correct you.
I just tested it again with a fresh TOR 8 install updated to the latest version and restarted. The current version of TOR still can not restore bookmarks from backups made before TOR 8 [I didnt try with a TOR 8 made backup].
Therefore my statement stands, its still broken.

I also checked and in the noscript drop down they are still deceptively using the block icon for default when default is allow-all and TOR browser still removes all user noscript security customization on restart without informing the user of this security altering action.
TOR is still insecure, to that extent.

 

[PsyDuckmonkey]

TOR is not broken

Its unfortunate that I must correct you.
I just tested it again with a fresh TOR 8 install updated to the latest version and restarted. The current version of TOR still can not restore bookmarks from backups made before TOR 8 [I didnt try with a TOR 8 made backup].
Therefore my statement stands, its still broken.

Lol. That's like saying that the glove compartment of your truck is stuck, therefore the truck is broken. It's not. Really. It has a minor inconvenience. The bookmark backup should be some form of html link list, so don't worry too much about it, just open it via a text editor or browser...

I also checked and in the noscript drop down they are still deceptively using the block icon for default when default is allow-all and TOR browser still removes all user noscript security customization on restart without informing the user of this security altering action.
TOR is still insecure, to that extent.

The TBB is a client bundle for TOR. TOR is secure to the extent that it does the job it is supposed to do. If users assume it does things it doesn't do, well... The TBB is secure if you use it securely.

Opsec is not a thing you can just lay on a piece of software and then forget. I mean, if it were that simple, being in a secret service wouldn't be a particularly hard job.

I am fully aware that TBB defaults to allow scripts. It's a sane default, 80% of the web no longer even displays without scripting. I don't know what you mean by "deceptively uses the block icon", I don't see any deceptive "block icon", and Security Settings under the onion button is clear enough.

If you're interested in the manner of data the TBB leaks by default, there are a number of pages online for testing it.

 

[Elrik]

I'm not a security IT professional and I'm not a paranoid that checks every setting every time TBB starts, nor am I a dim wit, I'm just your average TOR user who is using it for nexus type things and chemistry research. So let me walk you through my experience with TOR 8 upgrade.
TOR updated itself, no big thing it does that now and then, the color scheme was a little more ugly this time but these days most things look like a cellphone for a 12 year old japanese girl so I let it go and continued my usual routine. After logging in to several sites I noticed that scripts which I had forbidden ever since starting TOR 2 years before were running. I had gone half the way across the net with no security at all, beyond TORs inherent proxies. It was impossible to forbid scripts globally in the usual way but I eventually found where to redefine the default from allow-everything to block. I thought I had it fixed so I moved on. The next day I started it up and logged into a site and went to download a paper and russian AD panes I had never seen before popped up, thats when I discovered that, without warning the user, user customized security settings are reset on every program start- with no apparent way to fix it.
So they changed peoples security radically without clear warning, and then did it yet again. They knowingly compromised peoples usual security measures and did so more or less covertly.
That is what I call insecure.
Now that I know about these issues I can browse without being tricked by those issues again, but its very tempting to just roll back to 7.5.6 until persistent user defined security settings are allowed. I can understand their reason for changing the default, but the warnings should have been noticeable and their idea of security settings should be optional.
Your right, the bookmark glitch is a trivial thing, just back up again after upgrading to 8, but the other issues arent so trivial.

To clarify what I mean about the deceptive block icon, observe this pic. It says 'default' with the icon for block-all, while 'default' is actually the same as allow-all [a different icon].

 

[PsyDuckmonkey]

I'm not a security IT professional

Which is exactly why you shouldn't be finetuning TOR browser security settings.

and I'm not a paranoid that checks every setting every time TBB starts

If you use TOR, and the impenetrability of your anonymous identity is important to you, a certain degree of paranoia is warranted. Then again, it would seem from your posts that you show a degree of paranoia where it's not rational, and lack it where it would be rational.

nor am I a dim wit, I'm just your average TOR user who is using it for nexus type things and chemistry research.

Never said you were a dimwit, I'm just saying you're arguing about things you lack full understanding of, and therefore using flawed grounds for your arguments and actions.

After logging in to several sites I noticed that scripts which I had forbidden ever since starting TOR 2 years before were running.

And what scripts are those?

I had gone half the way across the net with no security at all, beyond TORs inherent proxies.

No security at all? That sounds like a grand statement from someone who admittedly doesn't fully understand security. I can assure you that you were protected by an adequate level of security for the use case of "nexus type things and chemistry research".

Now, federal agents wiretapping you personally, using zero-day browser exploits and government sponsored malware, that's an entirely different threat model, but let's hope you don't have that kind of heat on you.

The latest TBB is safe with its default in that no public exploit exists that would allow either high accuracy fingerprinting, or an unmasking of your real IP address, or accessing your hard drive, without active participation on your part (such as downloading and running malware outside the TOR browser).

You're safe.

Manually forbidding Russian ad scripts (perfectly harmless within the sandbox of the TOR browser) can, however, work against you by creating a unique browser fingerprint.

It was impossible to forbid scripts globally in the usual way but I eventually found where to redefine the default from allow-everything to block.

Onion button > Security settings > "Safest"
That's it. Done.

I thought I had it fixed so I moved on. The next day I started it up and logged into a site and went to download a paper and russian AD panes I had never seen before popped up, thats when I discovered that, without warning the user, user customized security settings are reset on every program start- with no apparent way to fix it.

That is a feature. Persistent unique settings will allow an attacker to generate a fingerprint of your browser, allowing you to be tracked throughout all your TOR operations. Disabling the persistence of user customizations and starting from a clean slate each time is actually very important for real (as opposed to imaginary) security.

So they changed peoples security radically without clear warning, and then did it yet again. They knowingly compromised peoples usual security measures and did so more or less covertly.

They compromised imaginary and wrong security measures in favor of implementing a real security measure.

That is what I call insecure.

And that is where you are wrong.

Now that I know about these issues I can browse without being tricked by those issues again, but its very tempting to just roll back to 7.5.6 until persistent user defined security settings are allowed.

As I said, you are again paranoid where you shouldn't be, and ignoring real danger. Old versions of the TBB may have public exploits that allow the real IP address to be unmasked by a malicious site. Not all malware can be disabled by forbidding scripts.

Also, as I said, persistent user settings are insecure.

I can understand their reason for changing the default, but the warnings should have been noticeable and their idea of security settings should be optional.

It is optional.
Again, Onion button > Security settings > "Safest"

To clarify what I mean about the deceptive block icon, observe this pic. It says 'default' with the icon for block-all, while 'default' is actually the same as allow-all [a different icon].

Yea I'm not a huge fan of NoScript's interface, I'll give you that. But in the TBB, you're not supposed to use that interface, you're supposed to use Onion button > Security settings