Custom Query (4725 matches)


Show under each result:

Results (901 - 1000 of 4725)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ticket Summary Status Owner Type Priority Milestone
#12683 Permissions in nsIPermissionManager aren't cleared with TorButton's "New Identity" new tbb-team defect High

When TorButton's "New Identity" button is pressed, the permissions stored with nsIPermissionManager aren't cleared, even though nsIPermissionManager.removeAll() is called. From torbutton_do_new_identity() in src/chrome/content/torbutton.js:

  torbutton_log(3, "New Identity: Clearing permissions");
  let pm = Cc[";1"].

  torbutton_log(3, "New Identity: Sending NEWNYM");

There's a ton of info stored in this thing, including how many time the site has been visited, if popups are allowed, if a site can access offline storage, etc. For me, several dozen sites are listed after clicking "New Identity". It seems to have been keeping these permissions for quite a while, as some of my sites are reported to have hundreds of visits. To reproduce, do some stuff in TorBrowser for a while, then click "TorButton > New Identity", then navigate to about:permissions.

#12686 deep web research new defect Medium
#12702 Opera now has mixed content blocking. needs_review zyan defect High

Starting with 23.0, Opera now blocks unencrypted content on encrypted pages, allowing to unblock for the current page and session only.

Platform=mixedcontent should be disabled for Opera. And maybe we could upgrade bug #6975, since all platforms supported by HTTPS-E now have mixed content blocking.

#12703 Fonts problem on the machines used for tor browser testing new boklm defect Medium

Lunar noticed that the screenshots of the fa version of the tor browser look pretty bad:

I don't have this problem when running the fa tor browser on my computer, so it seems to be a font problem on the machine used for the tests.

#12714 Akamai rule prevents voting on Steam Greenlight new zyan defect Medium

When the Akamai rule is enabled, attempting to vote on Steam Greenlight causes a loading symbol to briefly appear then disappear, without registering the vote. When disabled, voting works normally.

#12716 Make meek-client-torbrowser take the firefox command as a parameter needs_revision dcf defect Low

meek-client-torbrowser hardcodes the firefox binary and profile paths: linux mac windows. The problem is that when Tor Browser is reorganized, as it was in #11641, you need to make the corresponding change in meek-client-torbrowser, for example 178572f5.

meek-client-torbrowser already takes the full meek-client command on the command line; it looks like:

ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- ./TorBrowser/Tor/PluggableTransports/meek-client --url=

I don't know of a good clear way to encode two separate command lines into the command line of another program, except maybe to do them both as long strings and then parse the strings before calling exec.

#12717 HTTPS Everywhere Chrome Extension Crashes Silverlight new zyan defect Medium

I recently tried to play some Amazon Video (Prime) on my Windows Vista 64-bit Desktop, running the most current version of Chrome. Each and every time, it crashed Silverlight, the engine that Amazon uses to play the video. It took a fair amount of troubleshooting to discover that it is the HTTPS Everywhere extension that is the cause of this crash. No matter what I did, as long as HTTPS Everywhere was enabled, Silverlight would crash. Whenever I disabled it, Silverlight worked fine, and the Video played. I hope this can be fixed, or some type of work-around suggested. Version shows as 2014.6.26.

#12733 View the Tor log file as it updates from within the Tor Browser new tbb-team defect Medium

A user who wants to copy the current log, without knowing what it looks like, can do so by clicking on the onion-icon next to the address bar, selecting "Open Network Settings" and "Copy Tor Log To Clipboard". It would be great if there was a way to see the Tor log file - as it updates - from within the Tor Browser.

#12736 DLL hijacking vulnerability in TBB new tbb-team defect High

The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox is NOT vulnerable. Steps to reproduce: 1) Create a malicious dll (source code for example is added) 2) Rename the malicious dll to ".DLL" using the commandline tool ren.exe, because windows explorer prohibits such names 3) Place ".DLL" into a folder listed in the %PATH% environment variable 4) Start DbgView.exe (a tool from microsoft) to get text outputs from the dll 5) Start Tor Browser Bundle

You will now see something similiar to: HIJACKDLL (C:\...\.DLL) Started from: C:\...\TorBrowser\Browser\firefox.exe as user Admin

This bug will probably be also triggered when TBB is registered as a default file handler and the malicious dll is in the same folder as the file opened by TBB. See for more information about DLL load order. But I haven't confirmed it yet, because I don't know in which cases the TBB could be opened as a default file handler.Carpet Bombing might also be possible.

Possible attack scenario would be an attacker who shares an url link file in a folder along with a hidden ".DLL" and the victims opens the url link file with TBB. Native code execution can then be used to unmask the user.

".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)

Tested on: Win7x64 Tor Browser 3.6.3-Windows

#12754 Problems with <video> tags when HTTPS everywhere is enabled new zyan defect Medium

I discovered that with this extension enabled, I cannot play the videos, for example here:

When it's disabled - everything works fine.

#12762 Orbot 14.0.5 causes LED to flash while it is running new n8fr8 defect Medium

Samsung Galaxy S4 / Cyanogenmod 11 M8 Orbot 14.0.5.

Problem: After upgrading to the latest version of Orbot (14.0.5) any time the screen goes to sleep and Orbot is running, the LED on the phone will flash. This draws attention to the phone due to the brightness of LED. Previous versions of Orbot did not display this behavior


  • Install Orbot
  • Run Orbot
  • Let screen go to sleep or manually put it to sleep
  • LED starts to flash
  • Wake screen and unlock, LED stops flashing

Expected outocme:

  • With orbot running if screen goes to sleep, LED should not flash
#12765 Tor fails on rooted GS4 running 4.4.2 new n8fr8 defect Medium

Orbot is starting… tor: PRE: Is binary exec? true polipo: PRE: Is binary exec? true obfsclient: PRE: Is binary exec? true xtables: PRE: Is binary exec? true updating torrc custom configuration... success. Orbot is starting… Control Port config file does not yet exist (waiting for tor): /data/data/ waiting... Control Port config file does not yet exist (waiting for tor): /data/data/ waiting... Control Port config file does not yet exist (waiting for tor): /data/data/ Connecting to control port: 9051 Error connecting to Tor local control port: failed to connect to / (port 9051): connect failed: ECONNREFUSED (Connection refused) waiting... Couldn't start Tor process:; exit=0: Tor exit code: 0 Couldn't start Tor process:

#12774 "Firefox is already running" when you select meek after bootstrapping new dcf defect Medium
  1. Let Tor Browser bootstrap without any pluggable transports.
  2. Open Network Settings and choose meek.

An alert appears:

Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system.

After that you can't browse. But closing the browser and allowing it to bootstrap from scratch again (with meek) works.

Tested on 3.6.3-meek-1 and on a build of the 4.0-alpha-1 branch.

#12799 fingerprints - descriptor Space removal, case normalization new defect Very Low Tor: unspecified

cached-descriptors... fingerprint 50E9 30FB 6141 E9A7 DAD4 968E 58DE AA1B 06CF 4908 Remove the spaces from the fingerprints.

This isn't OpenPGP, no one goes around reading them off to people. You have to click-hold-carefully-drag to select the whole FP instead of a simple double-click. You have to postprocess strip them to make any use of them anywhere, including everywhere else in Tor... torctl, configs, etc. Nowhere else does Tor present/accept any fingerprints with spaces. And they currently waste about 60kB per descriptor set X all the nodes X frequency. The spaces have no substantive use whatsoever and are very annoying! Please remove them.

With that, normalize all displayed/coded fingerprints everywhere in Tor to be either upper or lower case... regardless of whether either/mixed case are supported/enforced as input. Lower case is suggested for better readability (ie: A4B8D0 vs. a4b8d0) and commonality with outputs of various hash programs.

#12800 citrix rule fail new zyan defect Medium

This link redirects as follows 302 Redirect 302 Redirect

With the Citrix(partial) rule enabled, it fails with in the url.

reproduced with chrome 37.0.2062.58 beta-m with extension dated 2014.06.26 and with firefox for android 3.5android.0

#12801 documentation and guidelines for hosting flashproxy js new dcf defect Medium

If we want more people to host flashproxy.js on their website, we should give clearer guidelines about informing their visitors what the consequences are. Here are some issues brought up by a reviewer:

<ansgar> <iframe src="//[]" width="80" height="15" frameborder="0" scrolling="no"></iframe>
<ansgar> That's what upstream suggests to do. That will *not* be very informative.
<ansgar> A 80x15 icon "Internet Freedom". Totally informative that users will not provide a proxy to the Tor network.
<infinity0> ansgar: is your problem that it doesn't specifically tell (people that host the javascript) to make it obvious to their visitors that they're running the javascript?
<ansgar> infinity0: Yes. Also I believe such things should default to "No".
<infinity0> ansgar: how do you define "such things"?
<ansgar> infinity0: Things unrelated to the web service one is interested in.
<ansgar> And things that allow third parties to track users (if you don't host the server-side part as well).
<infinity0> ok i see. so on a web page about books, it would be surprising for users to default-on to flashproxy
<infinity0> i think it's reasonable for the main flashproxy web page can be default=on though
<infinity0> but i'll raise your point with upstream
<ansgar> Well, even there I might just want to read what it does, not actually take part.

A few things we could do:

  1. tweak the badge so it's more obvious the user is being used as a proxy
  1. in the README (and maybe options.html) advise websites that embed the badge, to make it obvious what they are doing. perhaps also advise non-internet-freedom-related websites to default=no, or set this ourselves.
  1. explain the consequences of running a proxy in options.html (since the badge links to options.html).

Potential user issues might include:

  • whether the facilitator can see which website the proxy last visited (I don't believe this is the case, but we should explicitly state this, given ansgar's confusion above.)
  • whether they are legally liable for users' traffic going through their browser (I believe not, since everything is encrypted by others' keys)

I'm sure more extensive literature about this is already available, we just need to make it more obvious and accessible.

#12814 No space left in /var prevents Tor Browser from starting properly new tbb-team defect Medium

While testing 4.0-alpha I realized that Tor Browser is not starting properly on my machine. Extensions were missing and the following errors in the console showed up:

[13:29:23.748] ERROR addons.xpi-utils: SQL error 13: database or disk is full @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:204
[13:29:23.753] ERROR addons.xpi: Failed to add add-on in app-profile to database: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js :: XPIDB_rollbackTransaction :: line 457"  data: no] @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:457
[13:29:24.939] ERROR addons.xpi: Error during startup file checks, rolling back any database changes: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js :: XPIDB_commitTransaction :: line 442"  data: no] @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:442
[13:29:24.941] ERROR addons.manager: Exception calling provider startup: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js :: XPIDB_rollbackTransaction :: line 457"  data: no] @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:457

The partition where Tor Browser got extracted had enough space left. The only one that was full was /var. Fixing that fixed the start issues as well. Not sure what exactly gets written to /var but it seems a disk leak to me we need to investigate.

#12836 scramblesuit: 'State' object has no attribute 'closingThreshold' new asn defect Medium

Got this with on a bridge with obfsproxy-0.2.11:

[ERROR] Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/", line 73, in callWithContext
    return{ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/", line 81, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/internet/", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/internet/", line 215, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/internet/", line 221, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy-0.2.11-py2.7.egg/obfsproxy/network/", line 320, in dataReceived
    self.circuit.dataReceived(self.buffer, self)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy-0.2.11-py2.7.egg/obfsproxy/network/", line 161, in dataReceived
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy-0.2.11-py2.7.egg/obfsproxy/transports/scramblesuit/", line 495, in receivedDownstream
    if self.drainedHandshake > self.srvState.closingThreshold:
exceptions.AttributeError: 'State' object has no attribute 'closingThreshold'
#12842 Helpdesk needs a PGP key to be able to receive encrypted help queries assigned phoul defect Medium

Couple days ago sherief mentioned we need a PGP key to be able to receive and handle encrypted help queries via RT.

I think it's a great idea as protecting our users' sensitive information is and always should be our first priority at support team.

This ticket is to help us remember we need to make this happen (hopefully in near future)

Once we have the pgp, we should start advertising and encouraging our users to use encryption if possible.

#12847 cdn rules for new zyan defect Medium

bigcommerce CDN names extend past cdn[12] and include:

and more. A more appropriate match would be:


Leaking of CDN URLs can result very detailed tracking of items people are looking to buy, purchases etc for any stores run by them. This seems to be the case even for stores that use but that use their own domain name.

#12856 avast! Online Security plug-in conflict with HTTPS Anywhere (Chrome) new zyan defect Medium

I recently installed the avast! Online Security plug-in for Chrome, and have noticed a periodic "Extension error" alert. The details provided by Chrome in my plug-in list, under HTTPS Anywhere (2014.6.26) are:

"Warning: This extension failed to redirect a network request to because another extension (avast! Online Security) redirected it to chrome-extension://gomekmidlodglbbmalcneegieacbdmki/common/mocks/ga.js."

I have "Web Tracking blocked" enabled in my avast! settings, and was told by avast tech support to either disable this feature or disable HTTPS Anywhere. Is it possible to add an exception so I can both block analytics with avast and continue to use HTTPS Anywhere without constantly throwing up an error?

#12858 routine bug report new tbb-team defect Medium

I received the following error message in the Message Log while trying to connect to Was asked to send it to "bugs" at Tor.

[Tue Aug 12 13:11:04 2014] Tor Software Error - The Tor software encountered an internal bug. Please report the following error message to the Tor developers at "microdesc_free(): Bug: microdesc_free() called, but md was still referenced 1 node(s); held_by_nodes == 1

#12863 The http_requests test sometimes only performs one request new hellais defect Medium

It has been reported by some users of ooniprobe [1] that in some circumstances (it is unclear currently exactly how to reproduce this) the report for a http_requests test will only contain one request instead of two. Moreover when this occurs the headers_match and body_length_match keys will be wrongly set to true.

Here is a sample report entry that exhibits this behavior:

agent: agent
body_length_match: true
body_proportion: 1.0
control_failure: null
experiment_failure: null
factor: 0.8
headers_diff: !!set {}
headers_match: true
- request:
    body: null
    - - User-Agent
      - ['Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2) Gecko/20100115 Firefox/3.6']
    method: GET
    tor: {is_tor: false}
    body: <h1>Bad Request (Invalid Hostname)</h1>
    code: 400
    - - Date
      - ['Mon, 23 Jun 2014 13:03:09 GMT']
    - - Connection
      - [close]
    - - Content-Type
      - [text/html]
    - - Content-Length
      - ['39']
socksproxy: null


#12865 Two installer construction instructions is one too many. assigned mttp defect Medium

Tor includes two different NSI files for building the the Tor Expert Bundle installer. One is contrib/win32build/, and the other is contrib/win32build/ The former file says right at the top:

; NOTE: This file might be obsolete. Look at instead.

Right now is the only file being used to build the actual NSI. I suspect is just dead weight.

< armadev> yeah, you should confirm with erinn that nobody has any use for anything in that file, and then remove it

#12870 Not loading rulesets from HTTPSEverywhereUserRules on Firefox 31.0 / OS X 10.9.4 new zyan defect Medium

HTTPS Everywhere 5.0 development 0, does not load rulesets from XML files in the HTTPSEverywhereUserRules subdirectory in the Firefox profile directory. The same for the latest stable version 3.5.3.

#12879 Obfsproxy has incorrect Error type assigned asn defect Medium

In the file of obfsproxy there is a small bug with the csv reader.

in line 133: except csvError, err: should be except csv.Error, err:. csvError does not exist and I think its just missing the period.

#12885 Windows Jump Lists fail for Tor Browser new mcs defect Medium

This ticket is a spinoff of #6062 (which I am going to close).

Windows 7 and 8 include a jump lists feature which is used by Firefox to provide a menu of tasks that may be accessed from the Start Menu or Taskbar ("Open new tab", "Open new window", etc.) These task items fail in Tor Browser because we have disabled remoting. Similarly, clicking the main "Tor Browser" pinned item fails for the same reason if Tor Browser is already running.

For now, we should change things so we do not show the jump list items. We can do so by setting these two prefs to false:

browser.taskbar.lists.frequent.enabled browser.taskbar.lists.tasks.enabled

(we also want browser.taskbar.lists.recent.enabled = false but that is already done by default).

Also – although one would think that setting browser.taskbar.lists.enabled = false would be sufficient to turn everything off, doing that may leave old jump list menu items around. So it is better to turn off the three more specific prefs. See:

#12900 Remove config related naming stuff assigned Sebastian defect Low Tor: unspecified

We should warn users when they specify nicknames anywhere in their Tor config except for the Nickname option

#12901 Remove client-related naming stuff assigned Sebastian defect Low Tor: unspecified

Recognizing the Named flag in a consensus, related data structures.

#12902 ScribD breaks with the rule enabled new zyan defect Medium

ScribD.Com breaks when viewing a page

Using version 3.5.3, on Firefox

This bug appears, for me, when viewing a full page: this was the particular URL:

#12906 Google image search "redirect notice new zyan defect Medium

I've been using HTTPS Everywhere almost since it first came out, but one thing that has always annoyed me, a lot is how it seems to break parts of google image search. If I on the main page write something I want an image of, it comes up with the most likely image results and a load of text results.

If I then click on one of the image results, it no longer takes me directly to that result, instead it just takes me to the image search result page and I'll have to find the specific image again manually.

If I then find said image and click on it and then click "visit page" or "view image" I'm taken to a redirect notice, and this happens 100% of the time without fail.

I don't actually know if this is something you guys can fix, or if it's on googles end, it's just been annoying me for a long time so I finally decided to report it to someone. Apart from this I love HTTPS Everywhere. Have a nice day =)

P.S. my current version is 3.5.3 but I couldn't find it in the versions thingy, and my browser is firefox 31, and I'm on windows 7 if that helps anythin too.

#12911 Cloudfront Ruleset Breaks IKEA Online Catalogue new zyan defect Medium HTTPS-E next Firefox dev release

When trying to view the IKEA Online Catalogue at the Cloudfront ruleset is invoked and it prevents the catalogue interface from loading.

Using HTTS-E 5.0dev on Firefox 31

#12926 Make sure our linker gets used when compiling Tor Browser for Windows new tbb-team defect Medium

#12753 zeroed out the timestamp in the PE header but surprisingly not everywhere (e.g. not in the tor.exe). This might be due to the fact that our own linker is not used in these cases. See the hint in gitian-firefoy.yml

 XXX: the path to ld is hardcoded in mingw..

which would explain why tor.exe and the mingw-w64 libs we build in gitian-utils.yml are affected.

#12930 Someone, somewhere needs to unescape pluggable transport "SMETHOD ARGS" arguments. new asn defect Medium

Per pt-spec.txt:

      - ARGS:K=V,K=V,K=V

        If this option is set, the K=V arguments are added to Tor's
        extrainfo document. Equal signs and commas must be escaped
        with a backslash.

All of obfs4's server (extra info) document arguments end with a number of equal signs because they are Base64 strings.

goptlib does the right thing here and escapes the args, so the trailing Base64 padding passed to tor as part of SMETHOD ARGS ends with \\=. The fun here is that, tor does not unescape the ARGS line, so \\= is what ends up in the extrainfo document on BridgeDB.

The arguments that appear on obfs4 bridge lines should not be escaped, so someone, somewhere between little-t tor, and the place where the arguments appear on whatever BridgeDB frontend the end user sees, needs to unescape the arguments.

#12936 CloudFlare rule breaks new zyan defect Medium

The CloudFlare redirection rule breaks - the weather maps and 10 day forecast no longer display.

Fedora 19 Firefox 31.0 Https Everywhere 4.0.0

#12937 httpse-ruleset-bug : Zencoder flash video not playing new zyan defect Medium HTTPS-E 4 stable

The video doesn't start, it can found here

#12938 stops loading with blank screen new zyan defect Medium

Chrome Version 36.0.1985.143 m Win 8.1 EN 64 bit HTTPS Everywhere 2014.8.22

Go to The page stops loading with a blank screen.

Disable by unchecking "bet365 Group (partial)"

Page loads ok:

#12941 Firefox is already running. new tbb-team defect Medium

The full error message is reported as "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system." This happens when the user tries to Start Tor Browser after previously closing it normally. The error blocks Tor Browser from launching.

This error has been reported on both Windows and Mac.

Tor Browser is on the Desktop.

User reports that they can indeed find a lingering Firefox.exe process in task manager after Tor Browser has already been closed, and that killing the process allows them to start Tor Browser successfully.

The contents of the Data/Browser/profile.default folder are listed below:

bookmarkbackups File folder 8/22/2014 9:52:45 PM 5/22/2014 6:40:12 AM extensions File folder 8/23/2014 9:40:31 AM 5/22/2014 6:36:45 AM HTTPSEverywhereUserRules File folder 5/22/2014 6:39:55 AM 5/22/2014 6:39:55 AM preferences File folder 5/22/2014 6:36:46 AM 5/22/2014 6:36:46 AM safebrowsing File folder 8/23/2014 9:34:28 AM 8/23/2014 9:34:28 AM startupCache File folder 8/23/2014 9:38:53 AM 8/1/2014 5:02:52 AM thumbnails File folder 5/22/2014 6:40:13 AM 5/22/2014 6:40:13 AM webapps File folder 8/23/2014 9:34:24 AM 5/22/2014 6:40:12 AM blocklist.xml xml 131 KB XML Document 8/23/2014 9:42:27 AM 5/22/2014 6:46:15 AM bookmarks.html html 4 KB Opera Web Document 12/31/1999 8:00:00 PM 12/31/1999 8:00:00 PM cert8.db db 64 KB Data Base File 8/22/2014 9:52:45 PM 5/22/2014 6:39:55 AM compatibility.ini ini 1 KB Configuration settings 8/1/2014 5:02:51 AM 5/22/2014 6:39:55 AM cookies.sqlite sqlite 512 KB SQLITE File 5/22/2014 6:49:22 AM 5/22/2014 6:39:56 AM cookies.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:20 AM 8/23/2014 8:35:09 AM cookies.sqlite-wal sqlite-wal 0 SQLITE-WAL File 8/23/2014 8:35:09 AM 8/23/2014 8:35:09 AM downloads.sqlite sqlite 96 KB SQLITE File 5/22/2014 6:40:24 AM 5/22/2014 6:40:24 AM extensions.ini ini 1 KB Configuration settings 7/31/2014 7:23:44 AM 7/31/2014 7:23:40 AM extensions.sqlite sqlite 448 KB SQLITE File 7/31/2014 7:23:40 AM 5/22/2014 6:39:55 AM formhistory.sqlite sqlite 192 KB SQLITE File 6/29/2014 9:30:11 AM 6/29/2014 9:30:11 AM key3.db db 16 KB Data Base File 8/22/2014 9:52:45 PM 5/22/2014 6:39:55 AM localstore.rdf rdf 3 KB RDF File 8/23/2014 6:50:53 PM 8/23/2014 6:50:53 PM marionette.log log 1 KB Text Document 8/23/2014 9:34:23 AM 5/22/2014 6:39:59 AM mimeTypes.rdf rdf 4 KB RDF File 5/22/2014 6:40:12 AM 5/22/2014 6:40:12 AM parent.lock lock 0 LOCK File 8/23/2014 9:34:19 AM 5/22/2014 6:39:55 AM places.sqlite sqlite 10,240 KB SQLITE File 8/22/2014 10:54:40 AM 5/22/2014 6:40:12 AM places.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:24 AM 8/23/2014 8:35:15 AM places.sqlite-wal sqlite-wal 65 KB SQLITE-WAL File 8/23/2014 10:00:13 AM 8/23/2014 8:35:15 AM pluginreg.dat dat 1 KB DAT File 7/10/2014 8:13:56 AM 7/10/2014 8:13:56 AM prefs.js js 6 KB JScript Script File 8/23/2014 7:10:30 PM 8/23/2014 7:10:30 PM search.json json 21 KB JSON File 5/22/2014 6:40:13 AM 5/22/2014 6:40:13 AM secmod.db db 16 KB Data Base File 5/22/2014 6:39:55 AM 5/22/2014 6:39:55 AM Telemetry.FailedProfileLocks.txt txt 1 KB Text Document 8/23/2014 9:33:58 AM 7/27/2014 4:10:19 PM webappsstore.sqlite sqlite 96 KB SQLITE File 5/22/2014 6:49:22 AM 5/22/2014 6:40:14 AM webappsstore.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:25 AM 8/23/2014 9:34:25 AM webappsstore.sqlite-wal sqlite-wal 0 SQLITE-WAL File 8/23/2014 9:34:25 AM 8/23/2014 9:34:25 AM

#12945 The formatting tools dissappear from this forum platform with this extension. new zyan defect Medium

Example this page:

But it needs an account to see the issue (since it's the posting formatting tools of the forum).

#12952 PBS Video broken 6 months, "Crossdomain loading denied" assigned ivanovpetr defect Medium

All PBS video has been broken here since March when I installed HTTPS Everywhere... (I never connected the events.) Recently PBS began including an error message - "Error loading skin: Crossdomain loading denied." Disable HTTPS Everywhere and the same video works.

Chrome Version 38.0.2125.8 dev-m, Win7, HTTPS Everywhere 2014.8.22

I can't tell you what your toolbar menu rules show, because every time I click it you get disabled - "This extension may have been corrupted by malware." Makes it rather hard to discover what is blocking pages...

#12959 Google APIs breaks new zyan defect Medium

Try for example Clicking on a photo should display a big photo on the same page. With HTTPS-E Google APIs enabled, it goes to a new page. And on the whole site no "JS" links work ("like" button, showing comments, ...). Firefox 31, HTTPS-E 4.0.0

#12965 Amazon CloudFront compatibility (FF / Chrome) new zyan defect Medium

Some sites fail to load external data unless EFF-HTTPS Everywhere is disabled for the CloudFront service.

#12976 Orbot's new identity feature is not mentioned anywhere in app or documentation new n8fr8 defect Medium

Nowhere in the app UI, wizard or websites can I find any mention of the Orbot's new identity feature. I only discovered it by accident and I'm sure other users will be in a similar position. I thought I'd seen a bug of someone actually requesting for a new identity feature to be added because they didn't know it already existed, but I can't seem to find it now.

I think a simple mention in the UI would be enough. Just like we already have Orbot is deactivated - long press to start -, we could simply change the string Connected to the Tor network to something like Connected to the Tor network - Swipe for new circuit -. A mention in the in-app wizard and/or in the interactive how-to on the Guardian Project website also wouldn't go a miss.

#12977 Fix Firefox's Full Screen Permissions Prompt new tbb-team defect High

It looks like it may be slightly tricky but not impossible to fix the full screen permissions prompt. The full screen code lives in nsDocument::RequestFullScreen(). It actually registers an observer ("fullscreen-approved") topic for reacting to the prompt, but then goes ahead and reparents the element and full screens anyway.

We might be able to refactor this code such that it gets called from the observer callback, after the user has interacted with the dialog.

Probably best done after FF31-ESR though.

#12987 not fully loading new zyan defect Medium

This site suddenly started failing for all the graphical parts, hover menus and the like. There were per observation no updates to https everywhere add-on 4.0 or firefox 31.0. Reported to mapmyride, but they vain ignorance. Effectively, if https everywhere is disabled, both on android tablet and windows pc, the site loads properly. Enable the add-in and is does the endless wheel spinning again where graphics or lists are supposed to appear. Dev version 5.0.0 of add-in made no difference.


#12990 route certificate errors new tbb-team defect Medium

So on August 17th, I experienced a weird error and haven't noticed it since, but thought I'd try to determine the cause. I was using the latest TBB (3.6.4) on Ubuntu 14.04 x64. Figure this was just an uber glitch, but wanted to report it just in case it happens for someone else also:

Aug 17 00:45:22.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 2F7C841C58F475EDE7C5D69393D07617BF387E99 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.

Full session below:

griffin@mercurius:~/Downloads/tor-browser_en-US$ ./start-tor-browser

Launching Tor Browser Bundle for Linux in /home/griffin/Downloads/tor-browser_en-US

(process:29067): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

(firefox:29067): Gtk-WARNING **: Unable to locate theme engine in module_path: "adwaita",

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
Aug 17 00:43:30.909 [notice] Tor v0.2.4.23 (git-a9ea51dc0bd48126) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1i.
Aug 17 00:43:30.910 [notice] Tor can't help you if you use it wrong! Learn how to be safe at
Aug 17 00:43:30.910 [notice] Read configuration file "/home/griffin/Downloads/tor-browser_en-US/Data/Tor/torrc-defaults".
Aug 17 00:43:30.910 [notice] Read configuration file "/home/griffin/Downloads/tor-browser_en-US/Data/Tor/torrc".
Aug 17 00:43:30.916 [notice] Opening Socks listener on
Aug 17 00:43:30.916 [notice] Opening Control listener on
Aug 17 00:43:30.000 [notice] Pluggable transport proxy (fte exec ./Tor/PluggableTransports/fteproxy.bin --managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:30.000 [notice] Pluggable transport proxy (obfs2,obfs3 exec ./Tor/PluggableTransports/obfsproxy.bin managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:30.000 [notice] Pluggable transport proxy (flashproxy exec ./Tor/PluggableTransports/flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
Aug 17 00:43:30.000 [notice] Parsing GEOIP IPv4 file /home/griffin/Downloads/tor-browser_en-US/Data/Tor/geoip.
Aug 17 00:43:30.000 [notice] Parsing GEOIP IPv6 file /home/griffin/Downloads/tor-browser_en-US/Data/Tor/geoip6.
Aug 17 00:43:31.000 [notice] We now have enough directory information to build circuits.
Aug 17 00:43:31.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Aug 17 00:43:31.000 [notice] New control connection opened.
Aug 17 00:43:31.000 [notice] Pluggable transport proxy (fte exec ./Tor/PluggableTransports/fteproxy.bin --managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:31.000 [notice] Pluggable transport proxy (obfs2,obfs3 exec ./Tor/PluggableTransports/obfsproxy.bin managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:31.000 [notice] Pluggable transport proxy (flashproxy exec ./Tor/PluggableTransports/flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
Aug 17 00:43:31.000 [notice] New control connection opened.
Aug 17 00:43:31.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Aug 17 00:43:32.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Aug 17 00:43:33.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 17 00:43:33.000 [notice] Bootstrapped 100%: Done.
Aug 17 00:43:34.000 [notice] New control connection opened.
Aug 17 00:45:22.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 2F7C841C58F475EDE7C5D69393D07617BF387E99 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:27.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 527ED954F9E7800AB00BCE366542CB074B42DD2A but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:29.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted DDD7871C1B7FA32CB55061E08869A236E61BDDF8 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:30.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 093E76DE8EF51256E0FDC51B41237989ADA4AC2E but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:31.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted AB73816E5D7BC52664CBB9D005FF579BAFEAFE87 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:34.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted FC9AC8EA0160D88BCCFDE066940D7DD9FA45495B but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:35.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 5A16F7E31B26F286889F20027F57A5E253AF3F23 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:38.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 3B486DEC5A22694C0960B4A97A3665C617C89B1C but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:38.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 95A3BC167A575964F40F251B850ABB47960A530D but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:47:02.000 [warn] Tried connecting to router at, but identity key was not as expected: wanted 7663AD93B561AA11F40982BBDB3D3063AD28E3C7 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:47:04.000 [notice] Owning controller connection has closed -- exiting now.

Tor Browser exited cleanly.
griffin@mercurius:~/Downloads/tor-browser_en-US$ cd
#12993 Fastly breaks new zyan defect Medium

The Fastly rule prevents proper rendering of pages on website.

Versions in use: Firefox 31 on Mac OS 10.6.8 HTTPS Everywhere 4.0.0

To reproduce:

Install HTTPS Everywhere. Browse to

Expected results:

The web page should display as is does w/o HTTPS Everywhere, with an image and dialog boxes for data entry.

Observed results:

The web page shows text only, as if all the Javascript has been lost/blocked.

Workaround: Disable the Fastly rule in HTTPS Everywhere and reload the page.

#12995 default font seems seems to leak system locale information new tbb-team defect Medium

I recently changed the default system locale on my GNU Linux system, and I noticed that afterwards the default font used on web pages in Tor Browser had changed (I didn't change the version/language of Tor Browser).

I suppose that this means that an attacker can guess a user's locale based on the font used to display a page.

#13001 HTTPS Everywhere breaks new zyan defect High

When HTTPS Everywhere is activated, I can't properly load videos from that website.

Usually, when trying to load videos from, several rules are marked with the green mark:

YouTube (partial) Google Services AppNexus (partial) Amazon Web Services Cloudfront

One is marked with a lighter green color: Facebook

And one is marked with a red mark: (testing)

I don't know how to troubleshoot the issue with HTTPS Everywhere enabled.

It disappears if I click at disable HTTPS Everywhere.

#13005 Please document Tor Browser environment variables new tbb-team defect Medium

It's not uncommon for users to want Tor Browser to use their already running system Tor. Doing this requires familiarity with the TOR_SKIP_LAUNCH environment variable. Rather than only documenting one or some of the env variables, they should all be documented in one place. Users should be able to visit a single document, FAQ entry, or wiki page where they can read the functionality of


and how to set each. (Did I miss any?)

#13012 Reviewing Bug #3229: Make content pref service memory-only + clearable assigned boklm defect Medium

I noticed that nsContentPrefService.js can be expected to store prefs in memory, providing that any provided "loading context" has "usePrivateBrowsing" set to true, an assumption that may or may not hold for Firefox's Private Browsing (PB) mode. The patch for #3229 in addition applies to non-PB mode. Since Tor Browser uses PB mode by default, it's not entirely clear whether or not #3229 is needed.

To complicate matters, nsContentPrefService.js has been deprecated in favor of ContentPrefService2.jsm, at least in ESR31. In this new implementation, it looks like PB mode will also use an in-memory store, provided we make the same possibly dangerous assumption that loading contexts will always have "usePrivateBrowsing" set to true.

So my question is: should we drop the #3229 patch (assuming Firefox gets the loading contexts right), or should we be extra defensive and write a similar patch to apply to ContentPrefService2.jsm? Perhaps Mike has some insight here.

#13014 copy and paste trick could be used to deanonymise users new tbb-team defect Medium

This website demonstrates a trick that could easily be used to deanonymise users by tricking them into copying malicious commands into the clipboard.

Mitigating this threat might be difficult, one way would be to display a notification containing the contents of the clipboard whenever something is copied.

#13018 Math routines are OS fingerprintable new tbb-team defect Medium

The Math class now exposes high-precision versions of several mathematical functions. If these are OS-specific, they may be fingerprintable.

OS-level fingerprinting probably is not a terribly high priority. The only situation where this is high priority is if different OS versions and library versions end up producing different results for these functions.

#13030 Tor unexpectedly exited needs_information erinn defect Medium

OS: Windows Vista Home premium sp2

Just downloaded Tor browser 3.6.4, installed it fine but everytime I click 'Start Tor Browser' I get the error message

"Tor unexpectedly exited Please restart this application"

But restarting only leads to the same message being given again. I have tried uninstalling and reinstalling.

#13043 torspec lies about accepting both IPv4 and IPv6 for ORAddress lines new massar defect Medium Tor: 0.3.2.x-final

(From this comment on #9380)

tl;dr: The "a"/"or-address" lines, in implementation, only happen once each per router, and only ever contain IPv6 addresses, despite what dir-spec.txt says. The spec says:

     "a" SP address ":" port NL

        [Any number]

        The "or-address" element as specified in section 2.1.1.


   "or-address" SP ADDRESS ":" PORT NL

       [Any number]
       IPV6ADDR = an ipv6 address, surrounded by square brackets.
       IPV4ADDR = an ipv4 address, represented as a dotted quad.
       PORT = a number between 1 and 65535 inclusive.                
       An alternative for the address and ORPort of the "router" line, but with
       two added capabilities:  
         * or-address can be either an IPv4 or IPv6 address
         * or-address allows for multiple ORPorts and addresses

       A descriptor SHOULD NOT include an or-address line that does nothing but
       duplicate the address:port pair from its "router" line.

       The ordering of or-address lines and their PORT entries matter because
       Tor MAY accept a limited number of addresses or ports. As of Tor 0.2.3.x
       only the first address and the first port are used.

  • In terms of how many "a"/"or-address" lines there may be, the spec is only correct if you pay super close attention to the last sentence (this is actually the first time I've noticed it :) ).
  • In terms of whether IPv4 and/or IPv6 addresses are acceptable, the spec is currently wrong, according to the functions router_rebuild_descriptor() [source] and router_dump_router_to_string() [source] in src/or/router.c in tor's source code.

#13051 TBB 3.6.5 is ignoring ExcludeNodes and ExcludeExitNodes settings new tbb-team defect Medium

Okay, I have TBB set up to Exclude certain nodes based on country, name of node, and IP addresses. Since upgrading to the TBB 3.6.5 new version, TOR has been ignoring my settings completely. It connected to nodes in countries that I have totally blacklisted (based on nodes from them filtering things that are legal in my nation) and nodes that I specifically blacklisted by IP and name.

#13052 Torbrowser window size/rendering issue new tbb-team defect Medium


I'm using the dwm window manager (Version 6.0). If I start the Torbrowser, the window is not properly rendered (picture). As soon as I resize the window manually with my cursor, everything works properly.

I'm using the TB 3.6.5.

Kind regards, oierror

#13056 Some stack canaries are still missing on Tor Browser binaries on Linux new tbb-team defect Medium

It seems that the following binaries have missing stack canaries: TorBrowser/Tor/ TorBrowser/Tor/ TorBrowser/Tor/ TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ TorBrowser/Tor/PluggableTransports/Crypto/Util/ TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/twisted/python/ TorBrowser/Tor/PluggableTransports/twisted/runner/ TorBrowser/Tor/PluggableTransports/twisted/test/ TorBrowser/Tor/PluggableTransports/zope/interface/

#13059 Create bad-relays file needs_revision defect Medium Tor: unspecified

In the wake of #12899, it became apparent that redoing the approved-routers file is a good idea. It'll be replaced by a torrc-style file called bad-relays.

#13065 counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file new tbb-team defect Medium

Securely downloading solely relies on SSL, is currently neither signed, nor gets verified by Tor Button.

This is problematic, because should's web server or CA be compromised one day, applications such as Tor Button and torbrowser-launcher could be fooled into using an outdated and/or malicious RecommendedTBBVersions file.

Suggestion: could you please, 1) provide a signed version of RecommendedTBBVersions, 2) verify RecommendedTBBVersions in Tor Button.

To prevent downgrade and stale mirror attacks, the signature would have to be renewed after every X weeks, and rejected by the verification mechanism [+ user notification] if is is too old. (Similar to Valid-Until / #9810.)

#13081 Fix build with Visual Studio in Windows needs_review defect Medium Tor: unspecified

I have attached a patch to fix the missing objects during compilation.

The build process itself will have to be better documented in the future.

#13083 HTTPS Everywhere Breaks Video new zyan defect Medium

HTTPS Everywhere for Chrome v 35, 36, & 37, breaks Videos on www.usatoday websites.

Any article that has an embedded javascript video, it will fail to play unless HTTPS Everywhere is disabled. I believe it may be responsible for similar problems on other sites with embedded videos, if and when I can confirm this, I will report those issues here.

I'm not a developer, so I'm just reporting the issue to you folks.


Chuck B. 27463331 [@]

#13086 Causing wrong rendering of openstreetmap in Pale Moon new zyan defect Medium

Using the Pale Moon browser the edit page of is not properly rendered:

The background sat imagery is not shown and the dropdown menu is empty (see attachments: firefox vs palemoon)

I'm using Palemoon 24.7.1 (x86) on Windows 7 Professional SP 1.

Also reported in Pale Moon forum under

#13095 Countdown on not working new zyan defect Medium

The Apple live event countdown doesn't show numbers on

From dev console:

Tested with HTTPS Everywhere 2014.8.22 in Chrome for Mac 37.0.2062.94. Temporary plugin deactivation solves the problem.

#13110 HTTPS Everywhere with Chrome: display error on new zyan defect Medium

When HTTPS Everywhere is enable in Chrome/Chromium, some subdomains of are not properly displayed. Examples are and I will attach a screenshots of the page with http and with https.

#13112 Some things are probably broken when we advertise multiple ORPorts and only some are reachable new defect Medium Tor: unspecified

Observations on reachability testing made while fixing #12160:

  • We only have a 1-bit notion of reachability; if we get an incoming non-local connection, we assume reachability in onionskin_answer() and call router_orport_found_reachable() to publish a descriptor.
  • We should have a reachability bit per *advertised* ORPort to determine its inclusion in the published descriptor, and publish if and only if we have one or more reachable ORPorts.
  • To implement this, we need a way to link incoming testing circuits to a particular advertised ORPort; we don't know this from the port the underlying channel was listening on because reverse proxies might make this not one-to-one in general.
  • Arma suggests in IRC that netinfo cells know the IP the connection was attempted on and if they were extended with a port number they might provide a sufficient mechanism.
#13121 App Conflict new n8fr8 defect Low

Please disable this app in Android: -> settings-> Apps if you are having problems with Orbot:

#13140 ooniprobe should realise that the system is out of memory needs_review hellais defect Medium

Currently if you run a test like bridge_reachability and the system runs out of memory the kernel will start randomly killing tor processes. ooniprobe should detect that it is running out of memory and:

1) Print a warning message

2) Stop starting new measurements until the memory usage goes below the critical level

#13147 Curious debian hurd unit test failure new defect Medium Tor: unspecified
Description and master fail unit tests on the hurd.

The failing test is util/spawn_background_fail, the reported error is (line 2832 in current master): assert((expected_status) == (process_handle->status)): 1 vs 0.

This only happens when running all unit tests, when I just say src/test/test util/spawn_background_fail, the test passes.

I'm setting this for 0.2.5.x-final because it would be nice to build there for the next release (it's a regression to fail tests against 0.2.4-stable), but if nobody has any ideas I guess we'll defer it

Originally reported by weasel

#13155 I can use an extend cell to remotely determine whether two relays have a connection open new defect Medium Tor: unspecified

Send an extend cell to relay A, listing the address and identity key of relay B but the wrong port.

Relay A calls circuit_extend() for the new cell, which calls channel_get_for_extend(), which tries to figure out if there's a canonical connection already established. To do that, it asks

    if (!channel_is_canonical(chan) &&
         channel_is_canonical_is_reliable(chan) &&
        !channel_matches_target_addr_for_extend(chan, target_addr)) {

and channel_matches_target_addr_for_extend() turns into channel_tls_matches_target_method() which basically is

  return tor_addr_eq(&(tlschan->conn->real_addr), target);

It doesn't consider the port. So if there is a canonical channel open, bingo we use it.

But if there isn't one open, then off we go to make one:

      n_chan = channel_connect_for_circuit(&ec.orport_ipv4.addr,
                                           (const char*)ec.node_id);

where ec.orport_ipv4.port was set from extend_cell_parse(), i.e. it came from our extend cell. If we specify the wrong port, that connect attempt will fail. Now we can distinguish, remotely, which situation we're in.

#13160 make a deb of meek and get into Debian new dcf defect Medium


apt-get install meek

Speaking for Whonix, this would be very useful. Perhaps for Tails as well, but I am not speaking for them.

#13167 Export dirauth files via directory protocol new defect Medium Tor: unspecified

Metrics downloads a few files (consensus, descriptors, extrainfo, v3 votes) from dirauths for further processing. It'd be good if all these files could be served by Tor directly, as this would alleviate the need for the dirauth ops to take special steps to make these files available.

#13170 network.allow-experiments ~~ FALSE would be better (sane) default new tbb-team defect Medium

trac provides a "version" field, yet I don't see a suitable option

installed: torbrowser-install-3.6.5_en-US.exe help-}aboutTorBrowser: 24.8.0

I'm questioning about:config: network.allow-experiment = true which seems to be an undesirable default

#13185 Orbot still accesses the public Tor network with bridges configured new n8fr8 defect High

I configured Orbot to use bridges, and then set up my upstream firewall to block all connection attempts except to that bridge, yet Orbot still seems to try to connect to many other nodes in the public directory.

Note I have the same configuration on my laptop, and tor does not do this. If bridges are configured, Tor only connects to those IPs.

It should also be possible to observe by inspecting Orbot's connections on your Android device in OS Monitor app's "Connections" tab:

#13198 clean up torbutton use of Mozilla services new tbb-team defect Medium

Most of the invocations to Cc...getService in the torbutton JS code are unnecessary. Writing a patch to clean it up.

#13204 TOR Browser Bundle interprets 'mailto' links as downloads new tbb-team defect Medium

If a 'mailto' link (e.g. mailto:user@…) is clicked, instead of starting a new email in an email client, the TOR Browser Bundle gives the warning:

Tor Browser cannot display this file. You will need to open it with another application. Some types of files can cause applications to connect to the internet without using Tor. To be safe, you should only open downloaded files while offline, or use a Tor live CD such as Tails.

mailto: addresses are not files, and no data can be leaked from clicking on one. To be fixed, this warning should be removed for mailto: addresses and an attempt should be made to open the address in the default system mail client.

#13220 Remember window size and position new tbb-team defect Medium

Hi. Seriously, resizing it everyday gets kinda boring already. So what I'm asking is that you would resize it as you want it and next time you launch Tor Browser it stays like that.

Now it just resets to its jerky default position and size.

#13221 Misleading error messages about bind_ipv4_only and bind_ipv6_only? new defect Low Tor: unspecified
      if (bind_ipv4_only && tor_addr_family(&addr) == AF_INET6) {
        log_warn(LD_CONFIG, "Could not interpret %sPort address as IPv6",
        goto err;

Is this warn mixed up? Same with the one below it.

#13231 Tor(Windows) don't close ports when killed from service control new defect Medium Tor: unspecified

Reproduce steps:

  1. Extract Tor Browser bundle, and copy "Tor" folder to any directory.
  2. Install tor.exe as a service. Wait about 1 minute.
  3. Open "services.msc". Restart "Tor Win32 service".
  4. Tor failed to restart.

tor.exe was closed, but these sockets are still opened. So Tor can't open its ports. <unknown> PID:xxx Prot:TCP LocalP:9150

Expected result: Tor should close its ports when services.msc order him to stop.

#13234 Consensus Algorithm Causes Flip-Flopping new defect Medium Tor: unspecified

I had a relay running on It's an unmetered VPS that is NATed with other VPSes, so everyone ends up with the same IPv4 address, but on different ports with port forwarding. Everyone gets their own IPv6 address, but AFAIK, you can't run a relay without IPv4.

This was fine initially, as my relay just ran on a high-numbered port. Currently, there are two other relays using the same IP. This apparently causes the consensus algorithm to flip-flop, keeping any of the relays from becoming stable.

To mitigate this, I've disabled my relay, but this is a less than ideal situation, especially if someone else starts running a relay.

Relevant IRC discussion:

<Sebastian> well, this situation totally sucks.
<Sebastian> I think it is a Tor bug, too.
<Sebastian> because the dirauths disagree on who they think should go in the consensus
<Sebastian> so there's flopping
<pipeep> Ouch.
<Sebastian> so of the three relays doing potentially useful things, zero are useful atm
<pipeep> Sebastian, well, I can shut down my relay for now, so at least there won't be any flip-flopping.
<pipeep> And I can contact one of the two other relay operators, and we can decide based on who has the beefier box
* galex-713 has quit (Ping timeout: 480 seconds)
<pipeep> The other one didn't appear to put valid contact information
<Sebastian> that would be nice. You can also file a Tor bug with the information so other people can see that this is an issue


<pipeep> Sebastian, what's the issue exactly? That the consensus algorithm is unstable?
<Sebastian> that's one of the issues, the other issue is imo the restriction to two relays/IP itself
#13236 investigate Firefox SSL for things that might allow user tracking new tbb-team defect Medium

From a comment by Patrick McManus:

(In reply to David Keeler (:keeler) [use needinfo?] from comment #5)

mcmanus, are there other TLS features that are enabled by default that would allow tracking users? (The aim of this bug is to add an option that would prevent that sort of thing.)

sure - at various levels of granularity. None as extreme as session tickets. Anything that keeps state, right?

some that come to mind:

  • the version intolerance cache
  • our false start behavior involves "have I seen this algorithm before"
  • the hsts database
#13260 Transform code to cleaner c99 style new defect Low Tor: unspecified

For #13233, we added a loose c99 requirement for building Tor. If we decide to keep it through the 0.2.6.x series, we can beautify our code a little.

#13270 spam in wiki / consider automated spam prevention assigned hiro defect Medium

Removed this two or three times already. Manually repeating this is getting boring.

Looks like a manual rather than automated spam.

Maybe for start it would be sufficient to ban the erictenne user account.

#13297 compute_weighted_bandwidths() broken for dirauths new defect Medium Tor: unspecified

I suspect that compute_weighted_bandwidths() is broken for dirauths. All the booleans is_guard, is_exit, etc. are populated according to the node_t.

However, nodelist_set_consensus() which creates those node_ts does not fill in those fields if we are a dirauth:

    if (!authdir) {
      node->is_valid = rs->is_valid;
      node->is_running = rs->is_flagged_running;
      node->is_fast = rs->is_fast;
      node->is_stable = rs->is_stable;
      node->is_possible_guard = rs->is_possible_guard;

I don't think this has any big implications, but dirauths are probably doing the wrong path selection. Maybe it's more important if someone is doing bwauth measurements using the dirauth code (if that even makes sense).

#13304 AWS Ruleset Breaks Amazon Previews and Cart new zyan defect Medium

Enabling the Amazon Web Services ruleset breaks in the following ways:

  • cannot select different preview pictures or bring up the pictures overlay
  • quantity selection in the cart is broken
  • cannot get estimates for shipping/tax

Tested on Firefox 28.0 (HTTPS-E 4.0.1) and Chrome 37.0.2062 (HTTPS-E 2014.9.1).

#13305 infinite redirect loop new zyan defect Medium

extension redirects to https, server redirects to http, and so it goes

#13307 Tor Browser might crash on Windows if opened from a USB drive. needs_information tbb-team defect Medium

A Windows user reported to the help desk that they experienced a crash when opening Tor Browser from a USB drive, complete with "Windows is searching for a solution to the problem..." dialog (this is the default message Window gives out when any running program crashes). This person said that opening Tor Browser from the Desktop worked fine for them, and they only experienced the problem opening Tor Browser from USB. It sounded like they got this message before TorLauncher started.

#13308 Partial Rule for CNBC breaks the controld on flash video new zyan defect Medium

The partial rule for CNBC ("CNBC - partial") breaks the controls for the Flash object video. With the rule enabled, the flash video appears and starts up, but does not contain the controls, and there is no way to pause the video

Using HTTPS-Everywhere 4.0.1

Disabling the rule allows the control panel to appear

Discovered with: URL:

The video is a round table discussion

The object reports the player as

thePlatform PDK

with a version: (2014-08-28 10:04 am)

I am using updated flash:

#13309 Make it clearer that the Tor Browser update download is happening over Tor new tbb-team defect Medium

The new update download dialog in Tor Browser 4.0 looks like an operating system dialog that is making a network connection. Normally when one sees an operating system dialog making a network connection, whatever update or whatever is happening doesn't happen over Tor. With Tor Browser, that's not true, as the download does indeed take place over Tor. We should make this clear to our users to assuage doubt.

#13330 doesn't work in Tor Browser new tbb-team defect Medium

It's possible to visit the website and login, search, etc, but in Tor Browser it's not possible to download files. When clicking on the link to a file, it launches the pricing page. If you right click on a file and save as, it just downloads some html page. I tried disabling HTTPS-E in case it was some issue there, but it persists. I'm not sure if the website itself is broken, if this is specific Tor (network) behavior, or what, but the same actions do work as expected in Chrome.

(Unfortunately, I'm not sure how to give steps to reproduce this unless someone is in possession of a functional login for this website.)

#13332 Cannot log in to (SNS for language learners) using Tor Browser. new tbb-team defect Medium

I am trying to use the website Lang-8 (a social networking site for language learning) with tor browser. I can create an account but I cannot log in. Whenever I enter my user name and password on the lang-8 login page, I am redirected back to the welcome page of the site and I do not appear to be logged in.

I do not get any kind of error message, so I don't think that the site is deliberately blocking tor.

I have tried both Tor Browser version 3.6.6 and 4.0-alpha-3; the problem occurs with both versions.

First I thought that maybe https-everywhere is to blame, but disabling it does not solve the problem.

After some experimentation, I discovered that if I disable the NoScript extension in Tor Browser (via the Addons menu item in Firefox), I can log in to lang-8 successfully. So it seems that NoScript is causing the problem.

Of course, turning off NoScript is not a viable long-term solution. I tried turning on NoScript again, but adding a regexp matching lang-8 urls to the NoScript XSS protection whitelist, but this didn't help.

See also this question on tor stackexchange.

#13333 Android users visiting sites using Tor leave all kinds of incriminating evidence in the logs assigned n8fr8 defect Medium

People using Tor on Android use User-Agents with all kinds of incriminating evidence such as:

"Mozilla/5.0 (Linux; Android 4.1; Nexus 7 Build/JRN84D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19"

"Mozilla/5.0 (Linux; U; Android 4.2.2; es-us; HUAWEI Y320-U151 Build/HUAWEIY320-U151) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"

"Mozilla/5.0 (Linux; U; Android 2.3; en-us; GT-I9100 Build/GRH78) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

These are examples with the least personal information in them and they may or may not be from a popular hidden service.

I am not sure who's software or project is responsible for this but it does not exactly make these people "blend in"

#13347 TicketMaster stadium view does not load new zyan defect Medium

Tried to buy tickets to FC Dallas soccer game. Most of the page loads, but the fancy graphics section that shows you the stadium map and lets you click on the seats did not load.

Disabled only HTTPS Everywhere extension and stadium view loaded fine.

Link is below. (It may not work after the game occurs on Oct 12th, 2014)

Or click under "Single Game Tickets" on

HTTPS Everywhere 2014.9.11 Chrome Version 37.0.2062.124 OSX 10.9.5

#13354 Wrong color in french flag reopened defect Medium

The blue color used in the french flag is to bright. It should be a dark blue.

#13367 Rate limit gyroscope sampling frequency on FF mobile new tbb-team defect Medium

By the time we get around to an official mobile port, we should double-check that Mozilla has reduced the sampling rate of the gyroscope on Android:

#13378 Addon icons get added/reordered in the toolbar reopened tbb-team defect Medium

In #13318, we tried to set a specific ordering of our addons by setting browser.uiCustomization.state. Unfortunately, because our addons get installed at browser first run, this pref is getting altered and addons are installing themselves into the toolbar anyway, and in an order we do not control. This causes the browser.uiCustomization.state pref to get reset.

Ideally, we'd be able to enforce this pref's original values upon addons after their installation. Unfortunately, resetting this pref to its original default value does not take effect until after browser restart. We need to somehow tell the browser to reorganize the addons back to this default state after their installation.

#13383 Building Tor-Browser fails on mac (using vagrant) because of locale parsing issue new tbb-team defect Medium

When building TorBrowser on a Mac, after building the the VM and fetching all the prerequisites, calling USE_LXC=1 TORSOCKS='' ./ reliably fails with an error like this:

+ sudo vmbuilder kvm ubuntu --rootsize 15360 --arch=i386 --suite=lucid --addpkg=openssh-server,pciutils,build-essential,git-core,subversion --removepkg=cron --ssh-key=var/ --ssh-user-key=var/ --mirror= --security-mirror= --dest=base-lucid-i386 --flavour=virtual --firstboot=/home/vagrant/gitian-builder/target-bin/bootstrap-fixup
2014-10-11 12:42:16,499 INFO    : Calling hook: preflight_check
2014-10-11 12:42:16,507 INFO    : Calling hook: set_defaults
2014-10-11 12:42:16,509 INFO    : Calling hook: bootstrap
2014-10-11 12:44:25,274 INFO    : Calling hook: configure_os
Extracting templates from packages: 100%
2014-10-11 12:44:59,169 INFO    : update-alternatives: error: no alternatives for rsh.
2014-10-11 12:44:59,298 INFO    : update-alternatives: error: no alternatives for rlogin.
2014-10-11 12:44:59,420 INFO    : update-alternatives: error: no alternatives for rcp.
2014-10-11 12:45:02,231 INFO    : Creating SSH2 RSA key; this may take some time ...
2014-10-11 12:45:02,940 INFO    : Creating SSH2 DSA key; this may take some time ...
2014-10-11 12:45:03,329 INFO    : 
2014-10-11 12:45:03,330 INFO    : Warning: Fake initctl called, doing nothing
2014-10-11 12:45:03,338 INFO    : 
2014-10-11 12:45:03,339 INFO    : Warning: Fake initctl called, doing nothing
2014-10-11 12:45:06,154 INFO    : 
2014-10-11 12:45:06,158 INFO    : Current default time zone: 'Etc/UTC'
2014-10-11 12:45:06,179 INFO    : Local time is now:      Sat Oct 11 12:45:06 UTC 2014.
2014-10-11 12:45:06,179 INFO    : Universal Time is now:  Sat Oct 11 12:45:06 UTC 2014.
2014-10-11 12:45:06,180 INFO    : 
2014-10-11 12:45:06,298 INFO    : Cleaning up
2014-10-11 12:45:07,416 ERROR   : Process (['chroot', '/tmp/tmpvvfwM9', 'locale-gen', 'de_DE.utf-8']) returned 1. stdout: , stderr: 
Traceback (most recent call last):
  File "/usr/bin/vmbuilder", line 24, in <module>
  File "/usr/lib/python2.7/dist-packages/VMBuilder/contrib/", line 216, in main
  File "/usr/lib/python2.7/dist-packages/VMBuilder/", line 84, in build_chroot
  File "/usr/lib/python2.7/dist-packages/VMBuilder/", line 67, in call_hooks
    call_hooks(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/VMBuilder/", line 165, in call_hooks
    getattr(context, func, log_no_such_method)(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/VMBuilder/plugins/ubuntu/", line 149, in configure_os
  File "/usr/lib/python2.7/dist-packages/VMBuilder/plugins/ubuntu/", line 351, in set_locale
    self.run_in_target('locale-gen', lang)
  File "/usr/lib/python2.7/dist-packages/VMBuilder/plugins/ubuntu/", line 327, in run_in_target
    return self.context.run_in_target(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/VMBuilder/plugins/", line 86, in run_in_target
    return util.run_cmd('chroot', self.chroot_dir, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/VMBuilder/", line 120, in run_cmd
    raise VMBuilderException, "Process (%s) returned %d. stdout: %s, stderr: %s" % (args.__repr__(), status, mystdout.buf, mystderr.buf)
VMBuilder.exception.VMBuilderException: Process (['chroot', '/tmp/tmpvvfwM9', 'locale-gen', 'de_DE.utf-8']) returned 1. stdout: , stderr: 
cp: cannot stat `base-lucid-i386': No such file or directory
i386 lucid VM creation failed

Turns out that this is an instance of bug cropping up, where a locale (in my case) of 'de_DE.utf-8' was the reason for the problem, as 'locale-gen' needs the locale to be 'de_DE.UTF-8'.

Now I'm not entirely sure what the correct fix for this is. My understanding is that the whole point of gitian is to not contaminate the build system with any of the settings from the host system. In that respect it might be the right course of action to actually filter out environment variables like this when creating the gitian images?

Or it might be that proper casing for LANG variables should be enforced? (Not sure what that means) or perhaps changing the locale parser of locale-gen to accent de_DE.utf-8 as the same as de_DE.UTF-8 might be best?

Some more info, I'm building on Darwin 13.4.0 Darwin Kernel Version 13.4.0: Sun Aug 17 19:50:11 PDT 2014; root:xnu-2422.115.4~1/RELEASE_X86_64 x86_64 via vagrant. Env shows this (filtered to lang relevant environment variables) on the virtual machine which generates the containers to build tbb inside:

$ env

which seems inconsistent at least.

#13386 "opening new log file" line goes to err-logfile despite being at loglevel notice new defect Low Tor: unspecified

Although I might image the rationale behind it, it is still confusing, that lines like

[notice] Tor (git-a64f3ab3ee5c433c) opening log file.

are in the err log file for a torrc config like this :

# logging # Log notice file /var/log/tor/notice.log Log warn file /var/log/tor/warn.log Log err file /var/log/tor/err.log

Either the prefix "[notice]" should be changed to "[err]" or probably scrubbed away completely.

#13388 HTTPS-E v4.0.1 breaks Amazon dynamic images (FF 32) new zyan defect Medium

For example, on page:

With HTTPS-E enabled, clicking on the small images to the left of the main image does nothing. Mousing over the main image does nothing. Disable HTTPS-E and functionality is restored.

#13391 Tor Cloud AMI does not install/start tor new defect Medium

Hi, Has anyone checked on the AMI lately? I'm not familiar with the internals but it looks like the automagic install/start is broken. I noticed that when I manually typed "sudo apt-get install tor" - it prompted that the packages could not be verified and I had to accept this condition so maybe that broke it?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Note: See TracQuery for help on using queries.