#27769 closed task (wontfix)

How to update Tor core only on TBB 7.5.6?

Reported by: Luddite Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version: Tor: unspecified
Severity: Normal Keywords: XP, compatability
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I'm unable to run TBB 8.0 on my old system because it's based on Quantum. Is there a way to at least update only Tor in TBB 7.5.6? Simply overwriting the files from an unzipped TBB 8.0 didn't work.

Like 10% of internet users I'm still using XP. I'd rather risk a slim chance of pwnge by a windows vulnerability than a certain chance of pwnge by Microsoft and PRISM on a modern OS. Upgrading my machine isn't an option either because 8th gen intel drivers are only supported on Windows 10.

I respect Tor's decision to move to Quantum but since XP is the only option for privacy conscious users who can't migrate to Linux please provide us with a way to keep Tor core updated.

Child Tickets

Change History (7)

comment:1 Changed 10 months ago by boklm

Resolution: wontfix
Status: newclosed

Privacy conscious users should not continue to use Tor Browser 7.5.6. It has known vulnerabilities (in the browser part, so updating Tor wouldn't fix that), and most users have updated (or are going to update) to Tor Browser 8.0, so remaining 7.5.6 users are going to stand out from the other Tor Browser users.

If you cannot change the operating system on your machine, an option might be to boot a Tails USB key when you need to use Tor Browser: https://tails.boum.org/

comment:2 Changed 10 months ago by Luddite

Resolution: wontfix
Status: closedreopened

Unfortunately as an amnesic OS Tails is not practical when the user needs to continuously save and edit files. Also many useful Windows applications still do not run properly under WINE.

The most serious vulnerability was not in Firefox ESR 52.9 but rather in Noscript and has already been fixed in the new version 5.1.8.7. Also please consider that Linux users comprise only 2% of active OSs yet they get their own version.

If the support criteria is helping as many people as possible then XP should receive at least as much attention as Linux, and if the criteria is only supporting secure operating systems then once we factor in Microsoft and its government partners spying, we'll find that under some threat models legacy operating systems remain more secure despite their vulnerabilities.

I'm already considering running the core with a custom ports 7.5.6 but I'm likely to break something. And because tenth of Tor users, an estimated 200000 people are in the same situation, I would go as far as suggesting that maintaining 7.5.6 with an updated core is a reasonable request, and yet I'm only asking for manual instructions.

Thank you.

comment:3 Changed 10 months ago by traumschule

I'm unable to run TBB 8.0 on my old system because it's based on Quantum.

What's the exact error you get? Probably worth to look into that instead of using an unsupported version with publicly known vulnerabilities. Please help to convince the 10% to upgrade as well.

comment:4 in reply to:  2 ; Changed 10 months ago by boklm

Resolution: wontfix
Status: reopenedclosed

Replying to Luddite:

Unfortunately as an amnesic OS Tails is not practical when the user needs to continuously save and edit files. Also many useful Windows applications still do not run properly under WINE.

The most serious vulnerability was not in Firefox ESR 52.9 but rather in Noscript and has already been fixed in the new version 5.1.8.7. Also please consider that Linux users comprise only 2% of active OSs yet they get their own version.

Noscript is not the most serious vulnerability. Each new firefox update is fixing several vulnerabilities. We don't have resources to maintain ourselves an entire browser codebase, most of this work is done by Mozilla, and they decided to stop support for esr52 and move to esr60 so we have to do the same.

If the support criteria is helping as many people as possible then XP should receive at least as much attention as Linux, and if the criteria is only supporting secure operating systems then once we factor in Microsoft and its government partners spying, we'll find that under some threat models legacy operating systems remain more secure despite their vulnerabilities.

I'm already considering running the core with a custom ports 7.5.6 but I'm likely to break something. And because tenth of Tor users, an estimated 200000 people are in the same situation, I would go as far as suggesting that maintaining 7.5.6 with an updated core is a reasonable request, and yet I'm only asking for manual instructions.

Spending time to maintain 7.5.6 with an updated tor does not make much sense to me as the most critical issues are in the browser.

comment:5 in reply to:  4 Changed 10 months ago by boklm

Replying to boklm:

I'm already considering running the core with a custom ports 7.5.6 but I'm likely to break something. And because tenth of Tor users, an estimated 200000 people are in the same situation, I would go as far as suggesting that maintaining 7.5.6 with an updated core is a reasonable request, and yet I'm only asking for manual instructions.

Spending time to maintain 7.5.6 with an updated tor does not make much sense to me as the most critical issues are in the browser.

Anyway, if that's really what you want to do, then you could just download the Tor expert bundle from https://www.torproject.org/download/download.html.en, run tor, and then configure your browser to use an existing tor process by setting the TOR_SKIP_LAUNCH, TOR_SOCKS_PORT and TOR_CONTROL_PORT environment variables:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsinganExistingTorProcess

comment:6 Changed 10 months ago by Luddite

Resolution: wontfix
Status: closedreopened

@traumschule https://support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista

@boklm Thanks for the instructions. Tor core runs fine but I don't know exactly how to execute these so called environment variables. Is it something in the torrc file?

My idea was to run the latest Tor core along with TBB 7.5.6. For this I need to somehow launch TBB without its outdated core, and also make it use the latest core from the expert bundle. I believe the second step works by changing TBB's port from 9150 to 9050. Am I heading in the right direction?

comment:7 in reply to:  6 Changed 10 months ago by boklm

Resolution: wontfix
Status: reopenedclosed
Note: See TracTickets for help on using tickets.