82 comments

[ 3.2 ms ] story [ 84.8 ms ] thread
Dont be surprised by the letterboxing
What do you mean by this?
"[letterboxing] works by adding white margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions."

These margins may be surprising (ie. look like a bug) if you don't know what they are.

It'll add some padding around the sides of the window to reduce the window size the website sees to common sizes. This reduces finger printing based on display resolution.
> Tor Browser in its default mode is starting with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That worked so far until users started to resize their windows (e.g. by maximizing them or going into fullscreen mode). Tor Browser 9 ships with a fingerprinting defense for those scenarios as well, which is called Letterboxing, a technique developed by Mozilla and presented earlier this year. It works by adding white margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
How often do people keep the same window size?
I think that perhaps they should have an option to report the height of the content window as Infinity, regardless of its actual height.
That would likely cause some sites to break. Also I wonder how it would interact with CSS. Also I wonder if there would be methods to detect the actual height (such as by testing if something is visible or not, or testing for mouse location, and seeing how many pixels it takes for the mouse to go off the edge).
I thought of that. Visibility testing would always report as visible, and testing the vertical scroll position would always report zero, and the user can configure in what cases mouse location can be tested and how.

(Document scripts should actually be disabled by default I think, and what features are available (and in some cases, spoofed) depends on user settings which can be global or specific to URL patterns. For example, full mouse and keyboard events might be available only for activated <canvas> elements when quote mode is active, and other than that is only used to calculate form fields, perhaps.)

Hmm. Then _every_ browser should do that. That will force website development to change over the time to a WYSIWYM approach to handling screen resolutions.
IMO they should whitelist a couple common resolutions. 1920x1080, for example, is extremely common and probably doesn't need to be letterboxed to avoid fingerprinting.
Nah sometimes you need to resize manually read a webpage. Gotta keep usability at least a little bit. Letterboxing I think is a good compromise
I don't think Ajedi32 disagrees with you. I think Ajedi32 is saying that in addition to the all the resolutions that are a multiple of 200x100, a few more resolutions should be allowed, such as 1920x1080.
Is it possible to disable, or make the page render bigger behind the scenes but scale to display, or anything to stop the massive letterboxing I seem stuck with on a very normal resolution laptop?
In about:config change privacy.resistFingerprinting.letterboxing to false.
I think GP is asking for a letterbox that is larger than the desired window size, followed by a downscaling to the desired window size.
Note that even if the screen resolution on your laptop is not unique, the resolution captured via fingerprinting can be quite unique. It was quite an eye-opener for me when I checked it against EFF's fingerprinting testing tool: https://panopticlick.eff.org/
Tried this with tor 9.0 maximized. Said my browser fingerprint is unique oops.
i just checked (latest firefox and safari) block trackers but not Tor 9

and all pf them have the same "your browser has a nearly-unique fingerprint"

Panopticlick gives you a breakdown of what's causing it to be unique. Out of all my tweaks to Firefox and Brave, fonts and resolution seem to be the biggest contributors.
It would be nice if FF would standardize on the Tor UA: Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
I wish the letterboxing margins could be set to a color, in my case black. I've installed the Dark Reader extension but when I enable it the margins are still the default white color.
Excellent solution for pedophiles and other garbage. Not so good news for the rest of us.
Is there any reason that’s not buying drugs or worse to use this? Honest question.
(comment deleted)
(comment deleted)
Try the BBC News (mentioned the other day) at Bbcnewsv2vjtpsuy.onion
Thanks, ill get my daily propaganda from the BBC
How do I quickly check if my Tor Browser is up to date without the Onion button?

Either I'm getting old or I'm using too many different systems and programs because these little UI changes start to bother me.

Hamburger (≡) → Help → About?
Same as regular Firefox, right? Help -> About, and it'll tell you if it's outdated.
Depending on your system, the properties of the app may have the version, without even opening the browser. I.e. ‘Get info’ in OSX, ‘Properties’ in Windows. Dunno about Linux, but in that case people are likely to use package managers instead anyway.
More people should use tor
For normal browsing it is almost unusable thanks to Cloudflare's reCAPTCHA (autonomous vehicle training) use.
How is that?
Just about every site out there is on cloudflare these days and cloudflare has decided to consider every connection from a total exit point as suspicious activity. Hence you get a captcha for almost every site you visit. Eternally stuck in captcha hell...
Yes but if the BBC initiative starts spreading this might change in the future. No?
Major sites have been maintaining tor hidden endpoitns for some time now. For example:

https://en.wikipedia.org/wiki/Facebookcorewwwi.onion

What are the use cases for browsing Facebook through Tor? For me it sounds kind of like asking a prostitute for a hug.
People in countries with oppressive regimes that are not aligned with the US.
The emphasis was on "why Facebook", not "why Tor".
Most of the services I use are not behind Buttflare. Various blogs linked from here often are, unfortunately (and people don't even change the default captcha settings when they have static blogs that don't ever need to prevent bots from visiting!) but privacy pass sometimes works.
Agree! Also TAILS has been great during my lunch break on old corporate computers. Makes them usable again, while avoiding surveillance
Be careful though - TAILS doesn't suddenly make untrusted hardware safe. You can still be surveilled by things like keyloggers.
Does this fix any of tptacek’s issues with the Tor Browser?
tptacek´s role seems to be having a lot of concerns with many things without providing better alternatives, what makes his words not very valuable. is he a fear mongering nsa puppet?

if you really want to be safe, do not listen to hipster pseudo experts, learn the tech and decide for yourself, there is no other way to truth.

I would love to use Tor but I don't want to touch anything illegal. Ever. Is it possible?

Is there some index, directory or search engine curated with this in mind?

Edit: I didn't mean to make anyone feel offended and I sorry. I will take more care when asking questions like this in the future. Thank you all for your compression

The fact that you are afraid of a free and open internet is depressing.
I'm sorry, it's was not my intention to depress you.

Actually, the fact is I what to be able to advocate for Tor to friends and family in the future. Too much? Viable?

You seem to be a bit confused about what Tor and the Tor Browser are. Tor Browser is just a web browser with extra anonymity and tracking avoidance features (in the browser itself, and because it sends traffic through the Tor network). You visit sites you like and avoid sites you don't like, exactly like any other browser. It's not guaranteed to be anonymous: any sites you visit can record and track much of your behaviour there (just like with normal browsers), but third parties can't as easily snoop. Websites with .onion addresses are more resistant to tracking, as your traffic doesn't need to exit the Tor network to get to the destination, but Tor Browser can access most normal sites too.

I suggest you just try it.

It depends how much your friends and family care about anonymity online, because individual people's browsing behaviour can be unique and trackable - a browser cannot magically hide that. To really be confident of hiding successfully you need to do a lot more, and few people really need to or can be bothered.

E.g. I sometimes use the Tor browser at work to check whether local pages are accessible from outside the local network. There I don't care about anonymity, I just want a connection appearing to come from outside.

> any sites you visit can record and track much of your behaviour there (just like with normal browsers)

Tor Browser hides some of your information. For example it hides your IP address (that's the whole point of Tor). There are some other anti-tracking things built in.

> Websites with .onion addresses are more resistant to tracking

Tracking you or tracking the site? The point of .onion isn't to give the user any more protection, it's to give the website protection. With a .onion site you are unable to find the website's IP address.

>> Websites with .onion addresses are more resistant to tracking

> Tracking you or tracking the site? The point of .onion isn't to give the user any more protection, it's to give the website protection. With a .onion site you are unable to find the website's IP address.

True, but that's not why the BBC, Facebook, etc. have .onion hosts. I was thinking of the user, since the traffic between a Tor exit node and an open web server is exposed (modulo HTTPS).

Baloney. You are mixing up free and open internet with total and utter lawlessness. If someone posts CP as spam on the open web then I have reasonable surety the owners will swiftly deal with it because it is in their best interests to do so but on an onion site who cares. So I do have a reasonable belief I can't stumble accidentally on CP on the open web while I lack this belief with the Tor network.

Well moderated discourse is better than not because it filters out the trolls. It's not less free and open.

If someone posts CP as spam on a random onion site, it's reasonably going to get removed there too because it's disgusting and nobody wants to see that.

Moreover, knowing the passport numbers of the moderators is not a prerequisite to a site being well-moderated. It's possible to build and care enough to maintain a reputation under a pseudonym.

Meanwhile you have no actual guarantee that people won't post whatever they want on the open web. Anyone can host anything they want from any computer on the internet, including a compromised one when they don't want anyone to know who put it there. In other words, if you're willing to break the law then you can already be anonymous, so the thing Tor is enabling is for people who don't want to break the law to have anonymous communications.

It's like doing extreme sports or visiting North Korea or some such. There's risk vs benefits in every activity and browsing the "darknet" has extremely little benefit compared to the life ruining risk of CP finding its way on your laptop.
That's like arguing that going outside is too risky because you could be struck by a meteor. The probability that you accidentally stumble across CP and that somehow comes to the attention of law enforcement and they're unreasonable enough to prosecute you for it even though the evidence indicates that it was an accident, is lower than the probabilities of equally bad things happening as a result of equally innocuous things that people do on a regular basis.

Meanwhile you can still be struck by a meteor indoors. Go visit Facebook as the first person to view an image posted by a troll before it gets flagged, or on a day when Facebook was hacked but they don't know it yet.

There's nothing illegal about running Tor. Are you worried about accidentally bumping into child porn on it?
Yes, that's it
Do you usually stumble across illegal material when you browse the Internet? I don't see why it would be any different using Tor... you can still access clearweb sites via the Tor Browser.
Not only that, you can access onion sites using an ordinary browser via sites like tor2web. Using the Tor browser doesn't expose you to anything you otherwise weren't, it just makes you more anonymous.
One of the premises of the tor onion routing is traffic is routed thru intermediates. I suppose this question is about validating if being part of the onion router is controllable and secondary (an assumption) being part of the tor mesh means you are carrying traffic that is illegal or morally questionable
Tor browser won't make you a relay.

Indeed, Tor browser comes with its own dedicated tor instance. And I don't think that it can run as a relay. Maybe with some tweaking. Also, it's only running when the browser is.

This isn't BitTorrent, you don't become a part of the network by simply using it. You have to explicitly choose to become a relay.
You can use tor also for search, reading articles, and research topics that you don't want associated in any way with your traceable internet persona (no region, ip, etc) identifiers / telemetry.

There are lots of reasons to use tor that have nothing to do with illegal sites.

Anything that you want to really keep private and never creep back into your normal day-to-day browsing experience (considering divorce, medical conditions, future vacation plans, "taboo political ideologies", etc.).

Traveling to a foreign country with questionable privacy laws?

You can access normal search engines, websites, etc. Not just .onion sites. Just avoid logging into your personal accounts.

You can use Tor for all everyday browsing too, with all the personal accounts and a normal version of Firefox. Still prevents your ISP from learning which sites you visit, still prevents the sites you visit from knowing your IP address, still circumvents any local censorship (which btw is probably the biggest use of Tor, thanks to RuTracker :D). And unlike a VPN provider, you don't have to pay $$$ and don't have a central point of potential logging (don't have to rely on "i swear we don't log" policies).
I understand your concern, the answer is that the TOR browser can be used just like your normal browser.

I use it to browse reddit or make posts like these. I like my privacy and like that by using Tor for normal browsing, it makes it just a little bit less suspicious when others who need the privacy for wistleblowing, human rights, etc. purposes are using Tor.

The Tor browser will not show you anything that you do not seek out. If you just browse to the sites that you normally use, and those sites don't have any illegal content, then you're fine.

I will note however that in some countries Tor itself IS illegal, but that would be up to your local laws.

It’s funny that people have this impression that Tor = you’ll be immersed in the dark web and illegal things will just appear on your screen.

It’s like any other browser. You open it and type in an address. Your data is just encrypted and obfuscated.

>I would love to use Tor but I don't want to touch anything illegal. Ever. Is it possible?

The are 2 parts in Tor - the Tor browser and the Tor servers (relays and exit nodes).

You can use the Tor browser just like any other. Touching anything illegal can happen accidentally on the web, either because a web page downloaded a resource (image, cookie, etc) without your consent or because the definition of what is "illegal" changes from day to day and from jurisdiction to jurisdiction

>> As usual when preparing Tor Browser releases, we verified that the build is bit-for-bit reproducible. While we managed to get two matching builds, we found that in some occasions the builds differ (we found this happening on the Linux i686 and macOS bundles). We are still investigating the cause of this issue to fix it.

I find this quite fascinating. Does anyone have any ideas for how this could happen? My understanding was that if you run the same compiler on the same code, you get the same executables. What could be going on?

https://reproducible-builds.org is a good resource on this.

There are many, many reasons why a build process may not produce reproducible output. Timestamps and unordered maps are two of the more trivial examples.

Another common one: (temporary) directory paths in debug symbols.
Another reason I've heard is that when you have a multithreaded compiler, the order the threads execute could change, and that could cause the output code to be different.
> Clarified the amount of locales we support. It's 32

Wait a minute, does TB use a 5-bit number to enumerate the locales? You'd think that nowadays they would opt for something larger.

It's working way better than a couple of years ago. Even Google seems to load. Congrats!