/tech/ - Technology★

>using CIA browser

>>966919 (OP)

Why do you care? Just use Tor with whatever browser you want.

>>966948

enjoy being fingerprinted

It's increasingly harder to backport security fixes.

>>966919 (OP)

>gazillion "firefox" child processes

I thinks you can change that behaviour with dom.ipc.processCount

Now imagine trying to lock down said browser on a extremely tight chroot, running as another user and on a nested X server. I had to spend quite a bit of time to change what I did for the previous version, mainly because of changes made in Firefox 60 and GTK3.

Also: https://trac.torproject.org/projects/tor/ticket/26146

firefug and all its forks already froze every time you do anything, but knowing mozilla whatever new version of firefug this is, it's probably 10x worse

>>966958

it's increasingly harder to use the web without punching the screen

https://blog.torproject.org/new-release-tor-browser-80

>Tor Browser 8.0 comes with a series of (((user experience))) improvements that address a set of long-term Tor Browser issues you’ve told us about. To meet our users' needs, Tor Browser has a new user (((onboarding experience))); an updated (((landing page))) that follows our (((styleguide))); additional language support; and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.

https://trac.torproject.org/projects/tor/ticket/26146

>Tor Browser no longer uses a fixed user agent because it's too hard to implement or it violates mobile-first principles or something

>They're hoping to piggyback on Firefox's bugfixes, is that it?

Congratulations, you solved the mystery. Despite your whining, pre-60 FF was a security nightmare compared to its successor. As a consumer, that might be hard to understand, but the Tor project has bigger priorities than temporary, superficial performance issues.

>>966948

You're the same kind of person who thinks VPNs protect your identity because they conceal your IP address.

>>967032

>Despite your whining, pre-60 FF was a security nightmare compared to its successor.

You glowintheniggers resort to the "old version is insecure" FUD like clockwork. You should be specific about what made pre-60 FF a "security nightmare" if only for the sake of your own credibility.

>As a consumer, that might be hard to understand, but the Tor project has bigger priorities than temporary, superficial performance issues.

As a developer/shill, that might be hard to understand, but the Tor project will change its priorities accordingly when a more performant Tor-like alternative appears and the users will flock to it.

>>967032

nigger running a web browser period is a security nightmare. what's better in the new firefug? do they have sandboxing now? and if you're talking about web app security like preventing CSRF and clickjacking, you should just kill yourself.

>>967045

>do they have sandboxing now?

Not him, but yes.

>>967042

>when a more performant Tor-like alternative appears

The whole point of the Tor browser is that all of its users are identical to one another. It doesn't even matter what the basis of their browser is; so long as their users are indiscernibly identical, then they've achieved their intended affect. What's important is that the Tor browser piggybacks off of a project that's actively maintained. I know I came off a little condescending before, but if you're a programmer, then you of all people should understand that the technical superiority (and, frankly, a toting a technically superior browser is like lauding the winner of the Retard Olympics) of a piece of software means very little when there are bugs just sitting there with no one to address them, waiting to be exploited. Wouldn't you rather have a project that alots their time and resources doing what the set out to do--what people expect them to do–rather than maintaining an abandoned codebase in a scope and capacity that they've never encountered before, that they don't have experience with?

>>966919 (OP)

my issues with it is they use vanilla noscript now instead of their fork, also about:addons pages no longer works

>>966919 (OP)

>because fuck efficiency

I wish this weren't true. Tor Browser 8 crawls. It's not just RAM usage, either. It works the CPU harder than Rocco Siffredi works Czech girls' buttholes.

>Dillo

Dillo is a js-free browser. I regard that as an advantage, since I block all js on Tor Browser anyway, but I doubt the TBB people would be interested in using it, because they're still trying to appeal to people who insist on using at least some js, i.e. pretty much everyone (even people who use Tor and ought to know better). I don't think Dillo can use SOCKS proxies, either.

>>967011

>https://trac.torproject.org/projects/tor/ticket/26146

lol it dumps your OS now and relies completely on the (((mozilla))) setting for "resist fingerprinting". The jewish developers defend this.

The argument that "you must use tor browser with tor or muh fingerprinting" is now completely invalid. I'll bet you it still calls home to mozilla.

>>966952

>>967032

Is this a PsyOp? Some people keeps screeching about how insecure Firefox is and when you tell them “Just use Tor with a browser you consider secure.” they throw back at you a straw man.

>>967318

Configuring your own browser is generally discouraged because unless they know what they are doing, they could lose anonymity and security. They could stand out from the crowd due to fingerprinting. Not only that, but if people are sloppy they could forget to block trackers or protect themselves from harmful javascript. Maybe they open a pdf in their browser and it's bugged.

It's relying on people to do extra work and properly configure their browser themselves. Also, you really want everyone to use the same browser since it improves the anonymity of the network as a whole when more people look the same.

<EVRYTING NEW BAD EVRYTING NEW BE JOOS GLOWDARK COMIE TRANIE SJW

<IF I PUTS TREE PARENTESIS ROUND WURDS IS A ARUGMENT

<EVRYTINV OLD GOOD

Wew lad.

Firefox has simply fixed many security bugs, added new security features (like isolating processes), new privacy features and has worked with the Tor team both with development time (by adding features and bugfixes requested by the Tor team) and by donating money to the project.

You can, of course, use Tor with other browser and be the little special snowflake you want to be.

>300+ MB of RAM

Oh, no. The horror.

>>967323

found the jew

>>967329

No u

>>967323

You are truly enlightened.

I just use ice cat with the retarded add-ons disabled and proxy through tor. Funny thing is is on a mobile tablet or phone start termux up start Tour in Dayton mode back out startup U browser and point your proxy at tour and you can avoid the orbit

>>967308

>And despite this the browser still bitches if I maximize its window. You know, I don't understand why the tradition of the User Agent containing OS information is allowed to continue. In a better world the website shouldn't even care what my browser is; everything should be standardized and compatible because the days of Internet Explorer are gone. But as it is, the UA might as well contain a hash of my hardware components, I mean why not?

Tor "bitches" because websites can and do fingerprint users based on screen resolution. They recommend users to leave the screen at the default size because that way all users look the same. Congratulations, by maximizing the window you'll be one of the very few imbeciles running Tor Browser on a 1920x1080 screen.

As for why the operating system is part of the UA, it's because websites may need that information. For instance, giving users a specific .exe depending if they're on Windows 7, 8 or 10; giving them a x86 or x64 .exe or a .deb if they're on Ubuntu/Debian and a .tar.gz if they're on other "Linux" operating systems.

Not that it matters, since guessing the operating system a browser is running on is very, very easy thanks to installed fonts, supported formats, hardware acceleration, WebGL, etcetera. This is why changing the User Agent to appear as if you're using another OS is retarded and actually makes you easier to identify.

Tor Browser does a bunch of shit to mitigate all this and keep all their users with the same fingerprint. Firefox is the only browser that not only allows them to configure all that, Mozilla has actually added features and bugfixes to help them achieve this.

So yeah, stop talking out of your ass.

>>966919 (OP)

I'm pretty sure every Gecko based browser will update to the post-Quantum versions eventually, except for Pale Moon. Waterfox and Icecat are going to do it if they haven't already.

>Now I can enjoy having a gazillion "firefox" child processes with the UI freezing each time I load the catalog

Time to throw out your single core CPU.

>I'd ask what technical reasons do the Tor guys have to base their browser on Firefox and not anything else, like Midori or fucking Dillo even.

Probably because Firefox gets the most money and attention thrown at it compared to other browsers with copyleft licensing, plus it has a future of being a little safer maybe, according to the Rust rocket propaganda anyway. Another reason is they're already basing it on Firefox so why would they switch to your niche browser with 0 features?

>Midori

Godawful dogshit webkit browser that crashes nonstop.

>Dillo

Doesn't implement all the webshit (massively behind on purpose) and has zero support for extensions.

>>967359

>Not that it matters, since guessing the operating system a browser is running on is very, very easy thanks to installed fonts, supported formats, hardware acceleration, WebGL, etcetera. This is why changing the User Agent to appear as if you're using another OS is retarded and actually makes you easier to identify.

Don't all of those fingerprinting methods require JS? Anyone with common sense has it disabled anyway.

>>966971

>>967011

>>967322

If this bullshit happens I think I'll just quit the web for good.

>>966919 (OP)

>*action*

I dont even know what sort of faggots browse this dead shithole any more.

>>967376

Halfchan newfags and poltards.

>>967371

Unfortunately, there are services people want that basically have a monopoly, so, if they expect you to run js on their site for their service to function, you're basically going to run it regardless of your stance.

>>967391

No shit, but that's irrelevant you're one of the many Tor users avoids cuckflare and jewgle shit anyway or just browses .onions

>>967403

Do you even use Tor?

>>967408

Yes. I exclusively use Tails for online stuff, don't have any accounts at all, and only keep personal stuff on a separate airgapped PC.

>>967371

Nope

https://browserleaks.com/css

>>967413

Oh, I see. You're that kind of retard. Well, it's a good thing you made that known, or else I might have taken your advice seriously.

>tfw stallman was right yet again

I've always disliked noscript, but damn this update fucking sucks. And where the fuck is circuit switching? It won't even display the circuit anymore. Let me guess, they're gonna say something like "goyim will abuse it to get the best exit nodes". Fuck this new poz

How do I use Tor with other browsers?

>>967459

>-moz-os-version n/a

>screen sizes are suspiciously off if they are looking specifically for me

I don't know if this makes me more or less traceable, but I like it nonetheless. Seems to me it's worthless compared to the wealth of information you can get from JS.

polite sage for talking out of my ass

Bump!

>>967500

Run Tor as a service and set the SOCKS port as a proxy for your web browser.

>update to 60

I CAN'T SEE MY ROUTE! Anyone else? I want to know if I'm exiting in Germany or Sweden.

>>967687

click the ( i ) that's on your UR. Where the lock is on https sites.

>>967499

>>967687

The route display moved to the address bar. "New Identity" and "New Circuit" moved to hamburger menu.

>>967559

>letting your applications be aware of their routing

look who's CIA nigger here

>>967696

Oh shit, that's nice. Divided functionality and moved everything in three different buttons instead of just one, also stopped showing bridge guard country. There are a few complaints in their blog, but all their representative does is answer that it's more convenient. A shitty landing page in agile responsive Boobcrap doesn't even tell us all about these new "features", where and why they were relocated.

Wow, just wow.

>>967694

>>967696

Thanks. I was getting worried.

>>967359

ya whatever this whole argument is bullshit. i'm convinced this is only to boost Tor Browser's popularity now. Don't use any other browser with Tor goy! It's dangerous! muh fingerprinting!! You can only use (((our))) browser, which for some reason is not included in any repositories that i've seen, not even in gentoo, which means 99% of people are downloading straight binaries directly from them.

Let site's fingerprint. If you spoof the shit the browser sends to be random everytime, they can have fun with that. And even if they do manage to fingerprint, who gives a fuck, your behind 3 tor proxies, and the same people who shill "muh fingerprinting" also shill that the tor network has never been broken and all people who got burned for doing stupid shit were burned because they were fucking idiots.

>>967718

That's literally how you do it. You can't use the Tor browser because it's endorsed by (((this))), you can't use the daemon because of (((that)))--what the hell do you want? You can use Privoxy as a http wrapper, which is what I do, but that has mostly the same flaws when browsing the web.

>>967836

>not included in any repositories that i've seen, not even in gentoo

I know this post is a joke--you went too heavy on the typos--but, for the record, Gentoo ships both the Tor Browser Bundle and the Tor Browser unwrapped. Every distribution ships with Tor. It's one of the few fringe networking tools available in every distribution.

>>967011

This is what happens when you hire UX designers instead of security doods

>>967849

Isn't that the case with any silicon valley shit?

>>967894

well maybe but that is ok for some things like recreational software, media streaming and the like. however tor is a cyber security software so security should be more important than stuff like styleguides.

>>967461

>minimizing your digital footprint is retarded

Who let you in here?

>>967908

Why are you even talking to me if the only thing that concerns you is what affects you and your own lifestyle?

Works on my distribution ;^)

>>967960

i wonder how much mozilla (((donated))) to their pockets

>>967960

Because using really old builds is a security issue. See https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

>>968003

>Exploit dropped only after the TOR browser is updated to a version that isn't affected.

>Exploit targets popular Mozilla extension but "the zero-day affects only the Tor Browser 7.x series" (I'll assume that's a typo and it affects all related browsers, not just TOR)

>Addon dev fixed exploit within 24 hours of exploit release.

Sounds like FUD to scare people in to updating to me!

>>967005

>>968071

>sounds like FUD

Yes, sounds like some type of FUD for sure although it makes me want to look into uMatrix like >>967308.

>>968121

I personally use ublock origin and umatrix with the tor browser for practically all my web browsing.

>>968129

Considering the bypass was caused by Noscript, is adding these other addons enough or do you need to uninstall Noscript too?

>>968003

>using NoScript

>not just disabling JS in about:config

I will never understand people that use NoScript. They want selective rape or something?

My computer can't even run TBB 8.* anyway.

>>968142

>selective rape

That is one way to put it, but I liked the ability to permit scripts from a handful of trusted sites while still blocking the more easily compromised third party tracking scripts etc.

>>968142

NoScript downloads scripts, but prevents them from executing. By disabling scripts in about:config, you will stand out among other Tor Browser users who put security slider on highest setting.

>>968160

tor-browser-launcher is a wrapper that downloads official browser tarballs from tor project's mirrors and checks them for validity with built-in keys. I think it's much better to trust browser developers with software delivery than random 8th-grader who maintains AUR repo.

>>968168

that's another good point

where's the "muh fingerprint" kvetching about the security slider? does your fingerprint not change when you use it? The default is minimum security, so god forbid you deviate from that you are now fingerprinted, as I imagine most people do not alter the slider setting.

>>968178

https://www.hackerfactor.com/blog/index.php?/archives/761-Exploiting-the-TOR-Browser.html

The scariest thing that comes in mind from JS fingerprinting is scrollbar width.

Although, it can be fixed with proper window manager theme.

There are different system-specific fonts, canvas, and lots of other things Tor Project declines to fix, and also there's Mozilla's backstabbing.

Should we run a browser inside different real OS VMs to make it less fingerprintable? Probably.

>>966919 (OP)

Fuck being autistic tbh, tor finally works good and I can watch my memes without any lags and other shit, it has only 2 problems

>looks kinda insecure, previous version looked more "completed"

>sometimes it has 10-20 seconds lag on any page yo

>>966971

>>967011

One of the really vile things they've done in the last few years is make the trac tickets un-searchable if you aren't a registered contributor. Without being able to search the tickets, it is near impossible to fix obscure problems.

>>967042

>You glowintheniggers resort to the "old version is insecure" FUD like clockwork.

Nigger, the three letters and their work is half of the reason why old software gets pwned at a worrrying pace.

The other half is that there's a lot of money to be made via pwning old software because a bunch of companies use outdated shit and because normies seldom update.

>when a more performant Tor-like alternative appears and the users will flock to it.

You shouldn't use Tor because it performs well, you should use it because it anonymizes you well.

>>967318

Do you even know what a strawman is?

>>967322

The reason why the ticket wasn't closed immediately is that Cloudflare can do, and is doing, more harm to Tor than all the glow-in-the-dark put together: and nobody is stopping them.

>>968460

>Cloudflare can do, and is doing, more harm to Tor than all the glow-in-the-dark put together: and nobody is stopping them.

And how would we do that? Tor's userbase is unlikely to be big enough to make a difference. I'd laugh if what finally undoes it is FBI niggers complaining to Cloudflare after realizing they can't mask their identity while performing investigations because the site they're trying to get on won't even load.

>>967042

A few days back a guy just popped up on twitter telling that Tor Browser version 7 has a huge bug that makes it basically useless.

Good guy Maone, dev of NoScript, released a new version of his addon.

This story tells alot, behind the mainframe exploits are sold like crazy and sure Tor Browser has a lot of interest from CIA Niggers and - by black market bling blings - L337 HaxXxers.

>>968505

Lol the DNS hype is like the Cloud hype 2.0

It's all CIA Nigger's synthetic hype for you use 1.1.1.1 or jew:jew:jew:jew because ITS SECURER THAN EVER AND FASTER GOYM

>>968536

>A few days back a guy just popped up on twitter telling that Tor Browser version 7 has a huge bug that makes it basically useless.

The bug allowed you to bypass noscript. if you had javascript.enabled;disabled as is recommended you were not affected.

>>968290

Now add proper cookie management with ability to delete them without restarting the whle browser, isolated website containers to remove cross-linking, media device fingerprinting, mouse acceleration spoofing, typing speed scrambler.

I also wonder how many Tor users keep the original window size and JavaScript off.

Has anybody gathered such statistics?

>>968556

>mouse acceleration spoofing, typing speed scrambler.

Don't run shady javascript in the first place

firefox is basically the new open source version of google.

>>968290

>The point of Tor is not to hide the fact that you're using Tor ... but to make every Tor user seem unique.

>HTTPS mitigates MITM attacks ... it doesn't matter if every Tor user looks the same.

>The Tor guys recommend users to disable JS and everyone should do the same.

<The security slider default does not reflect this recommendation. Does the lack of javascript not result in a different fingerprint? Muh fingerprinting!

again what's the point of fingerprinting if the network is secure? they can figure out your a unique user but they'll never find out who you are unless you tell them.

>>968679

because if they can connect your identities if the fingerprints match.

>>968556

>Now add proper cookie management with ability to delete them without restarting the whle browser

There are addons for that. If I recall correctly, there was a bug report of that some years ago and someone said that websites could check when the cookies are deleted and then make a time-based attack or something.

>isolated website containers to remove cross-linking

This is a good idea. Mozilla made something similar with Site Containers, but those are kinda bugged.

>media device fingerprinting

???

>mouse acceleration spoofing, typing speed scrambler.

I'd like to see that, too. Though it is unecessary if JS is off.

>>968679

It doesn't matter if you're Johnny Peter, the 8ch shitposter who does nothing but waste time on /pol/ and ExHentai; but when you're Juan Pedro, the Mexican reporter investigating cartel-based corruption in the government, you need to leave no trace at all, since it could lead to him being unmasked and brutally murdered eventually.

>>968505

>And how would we do that?

That's my point, nobody who cares can do anything about it.

The three letters telling cloudflare to knock it off would be wonderful, but it's unlikely to happen anytime soon: also they probably already have captcha bypasses and/or burner accounts to get around it.

>>968549

> if you had javascript.enabled;disabled as is recommended

That is not recommended by anyone but idiots, that setting means you don't even GET .js files and thus make yourself stand out.

>>968679

>again what's the point of fingerprinting if the network is secure?

Without fingerprinting, anyone controlling the sites you visit can collect data that eventually points out how those anonymous connections probably all came from the same person.

At that point they can crossreference the anonymous fingerprint with your clearnet fingerprint and bingo, you're fucked.

It doesn't matter ihow secure the network is if you're sending identifying information.

this piece of shit new

POZ Browser also FREEZES CONSTANTLY

might as well just pump Chrome with full botnet over Tor and done with it.

>>967323

300mb is an underestimation. I am using FF rn and it is using 700mb of RAM which is raping my chinkpad

>>968698

>At that point they can crossreference the anonymous fingerprint with your clearnet fingerprint

How would this be done when your using completely different browsers? If my unique full botnet fingerprint is the same or damn close to Poz Browser's fingerprint then there's clearly a problem with Poz Browser.

>>968712

actually after testing this it only freezes when you have the security slider set to anything but standard.

try it yourself, pull up a full board catalog, /pol/ is a good example, a board with a lot of shit, and turn the slider off standard, it'll freeze for fucking 5 seconds loading the page over the .onion. it will not freeze with the slider on standard.

>>968716

I have a 2012 i5 with 4 GB of RAM and I never see any slowdowns or freezes. What kinda hardware are you on?

>/pol/

I shiggy diggy.

>>968713

There is just so much that can be done for old hardware. Even the precious Firefox 3 and Opera 12 would struggle to run properly on a Pentium II with 216 MB of RAM.

>>968695

A browser should delete cookies when site circuit is refreshed or a user specifies to open a new identity for same site. Right now a user has no awareness whether a site plants a cookie or not. You can't see it, you can't delete it.

>media device fingerprinting

Properties of your sound card:

https://audiofingerprint.openwpm.com/

>unecessary if JS is off

Problem is, too many sites need JS to be on. Hiding in crowd is easy and should be done globally, but Tor niggers are busy not spoofing user agents at the moment because that's kinda problematic and non-inclusive, you see?

As far as mouse and keyboard behavior are a concern, I think it's possible to do those on OS-level, need to research into that. Or for example when mimicking a touch-screen device, mouse movements should not be registered at all.

>>968721

>>media device fingerprinting

>Properties of your sound card:

>https://audiofingerprint.openwpm.com/

How do you propose to mitigate that? Changing it may actually kill sound in TB.

>Problem is, too many sites need JS to be on. Hiding in crowd is easy and should be done globally, but Tor niggers are busy not spoofing user agents at the moment because that's kinda problematic and non-inclusive, you see?

Nice strawman. However, they do spoof the UA for MacOS and *BSD (which all appear as Linux.) All OSes, regardless of whether they are i686 or x86_64 appear as x86_64.

As I understand, they refuse to spoof User Agent because it is trivial to guess the real UA when JS is on. I'd say they should at least spoof the user agent to Windows if the user chooses to set the Torbuttom slider to "safest" as it disables JS entirely.

>>968721

>but Tor niggers are busy not spoofing user agents

i have a feeling cloudjew explicitly gives tor browser's a pass, and not just cloudjew. if you switch to a non tor browser and use it over tor it feels like you get instantly infini-captcha'd. if your running tor browser.. i haven't even seen a cloudjew captcha in a while.

>>968720

>What kinda hardware are you on?

slightly better hardware than that, and I tested this on multiple computers, happens on both, on both windows and linux. everything loads nice and smooth with js turned on and that slider on standard, you bump it to either of the two higher tiers and you get a multisecond lockup on large page loads.

>>968715

>How would this be done when your using completely different browsers?

It depends on what you do, and how you are being fingerprinted.

Remember, the NSA can see you using Tor: they can't see for what but that's already something, and allows them to do timing analysis to see if a certain anon fingerprint is online at the same times in which you use Tor

.

In general, the issue with having a fingerprint is that you are no longer anonymous: at that point you are merely pseudonymous.

If someone figures out you were browsing weirdfurryporn dot com while you are anonymous, they will know that you visited that site and no more: but if someone figures it out while you are pseudonymous, they also know everything else you did under the same pseudonym was done by you.

That's the difference between giving a three letter a laugh over your shit porn tastes and getting vanned because of something you did years before.

>>968721

>but Tor niggers are busy not spoofing user agents at the moment because that's kinda problematic and non-inclusive, you see?

Not really, they painted themselves into a corner technically and now they're trying to come up with a way out of it.

User Agents being a clusterfuck is not helping.

>>968859

The second the NSA sees you using TOR they automatically log in to your PSP / ME unit and image your drives, prove me wrong.

TOR is useful for hiding from actors OTHER THAN THE NSA. The NSA isn't currently censoring Youtube and hunting down and doxxing libertarian "nazis," other elements are.

>>968938

>The second the NSA sees you using TOR they automatically log in to your PSP / ME unit and image your drives, prove me wrong.

Imaging drives takes a lot of time, has a massive and visible performance impact, takes up a lot of storage (if they don't stream the images immediately) or a lot of bandwidth (if they do) and in the case of hard drives it also has a neat audio clue.

It's conspiratard tier bullshit, especially because that level of access would allow the NSA to simply mark you for later searches and/or get a list of what you did with tor.

>>969191

They just do it at night while you're asleep, and they'll use their own networks (the hidden ones which are everywhere these days) if necessary.

For years shills like you called everything the NSA was doing 'conspiratard bullshit' but it's obvious that the conspiratards were right all along.

Nice try though.

>>968938

>The second the NSA sees you using TOR they automatically log in to your PSP / ME unit and image your drives, prove me wrong.

Weird, since EME has no network access.

>TOR is useful for hiding from actors OTHER THAN THE NSA.

Then why does the NSA have so much trouble breaking Tor?

>The NSA isn't currently censoring Youtube and hunting down and doxxing libertarian "nazis," other elements are.

What the fuck is that even supposed to mean?

>>969292

so use an old intel/amd box as a firewall. when you shut down/sleep have a script that begins logging traffic to your dormant PC. you can blow the lid off their whole operation.

<the old chips are bugged too

>>969297

>What the fuck is that even supposed to mean?

He's saying the biggest current threat to freedom in the internet are tech companies.

Most forms of surveillance comes from people willingly giving their data to social media websites, who then give it to governments. And while the government won't infringe on free speech (at least in burgerland), private companies can choose to take action themselves and censor speech that they do not like.

PEARLS BEFORE SWINE

telling someone into tor it isn't safe is worse than arguing with a creationist, i swear to god

>>966952

torsocks + lynx/elinks/etc = good times

>>969320

Maybe if you use w3m and don't use cookies. I feel like every other primitive browser doesn't have a broad enough marketshare, even among circles that are obviously disposed to that kind of concern, to make yourself not unique. I know of at least one person who uses w3m and Tor, so, in doing so myself, I know my identity is at least partially concealed.

>>969323

use the latest torbrowser useragent. you won't have any of the soft fingerprinting from CSS media queries which will make you stand out, but I'm sure there are plenty of people who run torbrowser and block CSS.

>>968460

>The reason why the ticket wasn't closed immediately is that Cloudflare can do, and is doing, more harm to Tor than all the glow-in-the-dark put together: and nobody is stopping them.

This. I like how all the LARPers and people who "care about privacy" complained every minute for the last 8 years but never once mentioned that cuckflare has been blocking the only practical path to anonymity on the web (and there isn't even a real reason why they blocked/captchad tor).

>>967322

That was cuckflare's attempt to pretend to care about Tor.

>oh look at this cool new technology we hacked together! like us on HN!

They go in the same basket as the LARPers and people who "care about privacy".

>>969335

you need the tor user agent to browse any site period in the first place, thanks to cuckflare

>>967323

>300+ MB of RAM

>Oh, no. The horror.

It's much more than that when you have two and a half thousand tabs open.

almost two orders of magnitude more, to be precise

>>969292

>They just do it at night while you're asleep

That's the kind of shit opsec one would expect from a LARPer, not from professionals.

>and they'll use their own networks (the hidden ones which are everywhere these days) if necessary.

Do you also have a tinfoil hat to sell?

>For years shills like you called everything the NSA was doing 'conspiratard bullshit' but it's obvious that the conspiratards were right all along.

Dumb niggers like you claiming the NSA has godlike powers are what makes it so easy for the public opinion to ignore the issue.

>>969394

>(and there isn't even a real reason why they blocked/captchad tor).

The reason is money.

The NSA doesn't spy on people because they profit off it, there are simpler and less risky ways to get funding from Daddy Prez, but Cloudflare does: an anonymous user broswing normal sites doesn't really bother the NSA (they can fingerprint anyways), but bothers Cloudflare a lot.

>>969335

>but I'm sure there are plenty of people who run torbrowser and block CSS.

Great way to get fingerprinted quickly.

>>969407

Browsers are not designed to have 2500 tabs open at a time. The most that can be done is close unused tabs and open them when the user clicks on the tab, and at that point you might as well use bookmarks which can be sorted in folders.

>>969320

You got torsocks to work???

>>969407

Wh.... Why the fuck would you do that???

>>969407

That's on you, 2500 tabs open is so far away from the standard use case it's a miracle things work at all.

>>969536

nice try, NSA. why would turning off CSS make you more fingerprintable? it would just add you to the set of people who also turned off CSS, which is of course smaller

>>969572

the modern web browser crashes on 20 tabs. i usually die of wrist pain or !halt from the shitty experience of just going through one or two websites, though

>>969619

You're shitting on the first good, no-strings-attached advice in this thread, and it's always about the NSA with you. If you don't agree with the advice, just say, "Why would CSS be conspicuous?" instead of agenda pushing. Really simple.

This might not be apparent to you, but browser fingerprinting, while ultimately reliant on what the web browser requests and does, is not reliant on your disabling anything specifically. You can install uMatrix and you can disable cookies and spoof your UA, but you'd be missing the point: while those devices are useful for am mending blatant security hiccups that come with js and other things, your disabling js or css or using a bunch of ua strings is a data point in itself. Browsers, including the TBB, are in an inherently tough spot because, despite the technical efficacy of their security tactics, that isn't necessarily reflected by the identity of the browser itself, much in the same way an actual fingerprint can be characterized by an arch or a loop or by the number of ridges; but it's no harder to distinguish two arched fingerprints than it is to distinguish a loop from a whorl. Your conspicuousness isn't proportionate to the quantity of entropy you generate.

Furthermore, the post you replied to not only dismisses that concern by acknowledging that there might be several TBB users with CSS disabled by provides noteworthy device about spoofing your UA to that of the TBB, so you literally just repeated the same point as that of the post you tried to refute.

>>969651

you fucking nigger, i'm talking about using TBB and only disabling CSS. this would only add 1 bit of info which is shared among other users. yes you would belong to a smaller set of people with the same fingerprint, but that's all.

>>969317

Pearls before swine seems like a strange analogy considering you're not offering anything. Also, there have practically no references to Tor itself in this entire thread. Most of it has been about the Tor Browser and, tangentially, the Tor project, so evidently you're confused about what Tor precisely is. And of course we know TBB isn't "safe"--what you mean by "safe", though, is questionable. If you read the thread you would know that not all of us are using TBB, but rather than contribute to that conversation, you would rather illustrate superficial problems and make really vague allusions to the flaws in the direction of the Tor project.

>>969335

You're right, I am a nigger, because I was writing in defense of >>969654, who says:

>but I'm sure there are plenty of people who run torbrowser and block CSS.

Which is precisely the same point you're trying to make, which is why the NSA strawman is absurd.

>>969394

>This. I like how all the LARPers and people who "care about privacy" complained every minute for the last 8 years but never once mentioned that cuckflare has been blocking the only practical path to anonymity on the web (and there isn't even a real reason why they blocked/captchad tor).

This was actually the reason I quit 4chan. I was really astonished that no one else had the same issues I did, but then it occurred to me that the people who were probably in a position to complain also couldn't complain.

>>968679

>again what's the point of fingerprinting if the network is secure?

Enabling the correct browser exploit to be implanted in whatever website you're using.

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

The Snowden Leaks were very poorly reported.

>>969913

that's not how it works nigger. they'll just run the exploit and see if it worked

>>969920

You just made a supposition without opening the link.

>>969926

i read most of the link and there wasn't anything new or interesting. also describing MITM as exploiting a race condition is mega retarded. cryptojew is respectable but he says some retarded shit

>>969320

LARP detected. That method is going to give you a single ip for the whole entire session compared to the TBB which gives you a new route for every single site you visit.

Non-tech Tor user here.

Noscript is notifying me of cross-site scripting despite having "javascript.enabled" set to "false" via about:config.

Clicking on a NoScript screen for an mp4 then allowing "blocked objects" will load an image and some kind of video container and clicking play... it's starting to play after a long loading time!

This is very troubling.

Does this mean javascript is still enabled?

>>970018

Security settings is at "safest" level which means javascript is disabled but html5 videos are click to play. Since I disabled javascript, should it still play?

>>970021

videos don't require javascript

>>970026

I never knew that. Thanks.

>>969619

>nice try, NSA. why would turning off CSS make you more fingerprintable?

Because as you say

>it would just add you to the set of people who also turned off CSS, which is of course smaller

That's what fingerprinting is, it's piecing together a bunch of more or less common traits to narrow down the suspects.

The more unusual traits you have, the easier it is to fingerprint you.

>the modern web browser crashes on 20 tabs.

Hilarious, but there still is no real reason to worry about the performance of 1k opened tabs because it's a use case so far past making sense it's not even funny.

>>969654

>this would only add 1 bit of info which is shared among other users.

"only 1 bit" means little when the group sizes are different.

For an extreme example, the yes/no question "is this user on IP 2.3.45.67" adds a single bit of info, yet narrows down indentification to a handful of suspects.

>>969739

>This was actually the reason I quit 4chan.

Implying 8chan is better.

Implying any community, IRL or not, can avoid the issue of hotheads talking about shit they don't understand.

>>967011

>no longer uses a fixed user agent

no longer uses a fixed user agent

How is that acceptable?

t. onion routing from TempleOS

>>971286

..and no nigger faggot, a text file should be as the document appears on the page, but in TEXT format. Not a swap for some other fucking document with markup I never asked for!

>>971286

>>971290

What the fuck did you expect?

The browser to save a plain .txt file stripped of links ?

It would be a massive loss of information, unlike all other "save as" options, and if people want to extract info from a webpage it's either on them to write a script or on the webpage host to offer an API.

>>971351

>What the fuck did you expect?

>Expecting technology to be as advanced as it was in the 1990s is wrong goy.

I expected "Save as text" to mean "a document saved as text". Totally weird and 'unprogressive' in 2018 I know.

>The browser to save a plain .txt file stripped of links ?

Yes. If I wanted links there is an option called "Save as HTML" or "Save as complete webpage" for that.

>It would be a massive loss of information, unlike all other "save as" options, and if people want to extract info from a webpage it's either on them to write a script or on the webpage host to offer an API.

>Massive loss

Says who?

The software? Yes, so it decided to include it even though it was not wanted.

Me? No, it is not what I wanted or asked for.

Once upon a time USER CHOICE mattered, and software gave the user what they wanted. This crap extends to every bit of tech - even cars decide to brake for you on a hill.

On topic, Tor is fsckd in a similar way.

>>971412

>I expected "Save as text" to mean "a document saved as text".

It works well for webpages that are text.

Most webpages are hypertext tho.

>Yes. If I wanted links there is an option called "Save as HTML" or "Save as complete webpage" for that.

HTML is a lot more than "text but with links", notice how your txt does include some formatting instead of a bunch of HTML tags.

Even the links are not formatted HTML style, no href tag.

The browser didn't simply write HTML into a txt, it did a conversion.

>Says who?

The very idea of hypertext?

>Once upon a time USER CHOICE mattered, and software gave the user what they wanted.

Only normies think software can read their minds and interpret ambiguous or unclear instructions as they want, get out REEEEEEEEEEEEEEEEEEEEEEEEEEEEE.

Also how and why the fuck would they add trim options to a "save as" prompt?

At that point just make an export menu.

>>970111

I don't really mind hotheads. I'm a hothead sometimes. Everyone is. It's par for the course, and it doesn't do much damage in moderation.

It was the filters that really did me in. I only had a few dozen regexp filters, excluding the image filters, and they were fairly complex, specific patterns, too, but if you looked in the catalog, you would see less than 20 threads at a given moment. And if you surveyed the blocked threads, they would all be justifiably blocked, so they weren't broken patterns. 4chan is literally just that repetitive. And it's especially obvious when you're doing research and you look up things in the archive. One of the nice things about the archives is that shills don't realize (or don't care, since it's a minority of the userbase) their shit gets archived, so they're very lazy about varying their pasta and spam tactics. In away, it was nice, because it was so easy to dismiss low-quality threads; thus all I had left were a few small feeds of tolerable-quality content.

But what really ruined it for me wasn't Cloudflare itself, so much as the idea that I was posting on a board with people so stupid they were ignorant to the problems Cloudflare and reCaptcha was responsible for. That I just couldn't stand. It was kind of the same with GitHub (although they ultimately blacklisted cock.li domains after the buyout, so I couldn't use it anyway): I was okay with MS with a little grain of salt, but I knew that the majority of my peers were indifferent or just blatantly ignorant, and it was annoying. That's also true of GitLab.

>>971449

By your own definition, raw html is text, so what's the matter? You told it to download the page, and it downloaded the page. Problem solved.

>>971470

>markup is not markup

See, I did tell you to stop posting.

>>971497

>ALL webpages are text nigger.

Hmm.

>>971504

>I don't understand the difference between markup and non-markup text

yet it persists.

>>971412

>Once upon a time USER CHOICE mattered, and software gave the user what they wanted.

>>971423

>Only normies think software can read their minds and interpret ambiguous or unclear instructions as they want

The issue is there's a major lack in communication and understanding between developers and the user. There's no standardization practices anymore so you have developers using the same terms, menus, icons, etc for vastly different functions. This leads to confusion among users. It really doesn't make sense to have an option "save as HTML" and a different option "save as text" where the only difference is the file extension but the content is both the same (the text markup language of the page). Not to mention that previous browsers actually would save webpages as text stripping all markup, images, and formatting with a similarly worded option.

Firefox (and by extension tor Browser) actually saves pages as text like that, with images as their Alt Text and all links between <> brackets which is about as close as you can get. IE just saves all the markup and script as a text file. Chrome doesn't even have the option to save as text.

>>966919 (OP)

How come everbody use TOR and nobody use i2p or similar software? Is i2p broken?

>>971449

>ALL webpages are text nigger.

>WTF do you think hypertext is?

An extension of text.

A text document is linear, an hypertext doc might not be.

Claiming hypertext is text is like claiming that all vehicles on wheels are bikes.

>In the past when it USED to save a TEXT file it would convert it correctly to a TEXT file WITHOUT MARKUP.

Your example has no markup tho.

Link elements are not markup.

>Stop. Just stop.

You are the dumbass that expects "save" to export to a much stricter format according to user preferences.

>>971497

>>971570

You don't understand what markup is.

Fancy text such as greentext and bold text is markup.

Non-textual elements such as images or links are not markup.

Colored links are a markup because they are colored, not because they are links.

>>972770

i2p and Freenet have no users, are harder to use than Tor, don't have all the Clearnet content Tor does and are filled with child porn. If I recall correctly Freenet even stores part of the network on the user's PC (because it's peer-to-peer) and absolutely nobody will ever use a service that may or may not store child porn on their computers automatically.

>>972801

>i2p and Freenet have no users

This isn't that big of a deal. They have enough users for anonymity to be achieved. I'm also not a big fan of Freenet btw. I think I2P is better.

>[...] are harder to use than Tor

And Linux is harder to use than Windows, but this is /tech/.

>[...] don't have all the Clearnet content Tor does

You mean documentation? Otherwise, why would they be any different for browsing clearnet?

>and are filled with child porn.

This is one of the most common arguments against Tor -- that .onion sites are basically exclusively comprised of scams, drugs, and child porn. So it's not any different. Don't go out of your way to look for hidden sites that host CP and you'll be fine.

>absolutely nobody will ever use a service that may or may not store child porn on their computers automatically.

This is fair, but it only applies to Freenet and not other anonymity software that doesn't follow its design.

>>972801

>>972814

I'm just saying that it's foolish to put all of our eggs in one basket by entrusting all of our anonymity needs to one government-funded protocol that may or may not be compromised in the future...

>>968698

>That is not recommended by anyone but idiots, that setting means you don't even GET .js files and thus make yourself stand out.

I am confused. I was under the impression that NoScript whitelists were what made TBB users stand out, and that fully disabling JS was the way to protect yourself from this.

Have I been misled?

>>972842

Downloading JavaScript is not the same as running JavaScript.

>>972814

>You mean documentation? Otherwise, why would they be any different for browsing clearnet?

>This is one of the most common arguments against Tor -- that .onion sites are basically exclusively comprised of scams, drugs, and child porn. So it's not any different. Don't go out of your way to look for hidden sites that host CP and you'll be fine.

Tor, and the Tor Browser, are mostly used to browser clearnet. People who use it either want to browse anonymously, or need to be anonymous to hide their actions from the government (like reporters and such); not to browse 1337h4x00rchan and share the latest Ultra Pepe image macros.

In fact, the drama with the User Agent comes from TBB Mac users being unable to use the Command Key in web apps such as Google Docs when spoofing the UA, since the website uses the UA to enable Command Key or Ctrl Key for shortcuts. Supposedly, they found a workaround and the next release of TBB will once more spoof the user agent in all OSes.

>>972842

What makes TBB stand out is that the browser makes no attempt to hide that the user is using TBB. Enabling the "safest" option in the Tor Button makes it so no JS is run, but it's still downloaded. In other words, the server would look at all TBB users as the same, since they all downloaded the JS files. A small subset of those users don't run the scripts (a script may report back to the server if it's running, like a live chat or something) and a way smaller subset don't even get those files.

>>966919 (OP)

No problem on TAILS for me using an ultrabook from 2014 with 8 gigs of RAM.

Is the bookmarks toolbar not working for anyone else? The bar is there, but no bookmarks and you can't drag bookmarks onto it.

>>973473

You need to click on "customize" and then add "Bookmark Toolbar Items" and "Bookmarks Menu" to the empty bar; though I believe the bookmark bar does change the area where the browser can render shit and make you easier to track. Maybe adding the Bookmark Menu right alongside the URL bar could be a solution.

>>972815

Think before posting.

Anonymity is "all your eggs in one basket" by definition, using more services measn only one needs to be compromised for you anonymity to go out of the window.

Chaining multiple services is a good way to fingerprint yourself.

>>968698

>> if you had javascript.enabled;disabled as is recommended

>That is not recommended by anyone but idiots, that setting means you don't even GET .js files and thus make yourself stand out.

Please provide a source saying you stand out from NoScripts default disabling.

The following sites don't fingerprint users that have set "javascript.enabled" to "disabled"

http://ip-check.info

https://panopticlick.eff.org/

Your claim seems to be based solely on hearsay of other mistaken people. If such a thing can be done then you should contact such sites and help everyone by showing them how you can fingerprint users based on this factor.

see: https://noscript.net/faq#qa1_7

^says nothing about dangers of this method other than javascript not working.

>>972856

>Enabling the "safest" option in the Tor Button makes it so no JS is run, but it's still downloaded.

Really? It's still downloaded(?) and the users can be fingerprinted(?) from users that have set "javascript.enabled" to "disabled"? Source? I think you are just repeating rumors without any evidence, otherwise sites like eff's panopticlick (which work closely with Tor people) would be all over that, and be able to show users that they have something that makes them stand out. Please contact the the panopticlick group at the eff and tell them how, as it would clearly help a lot of people's privacy.

Is it just me or is 8ch's hidden service down?

Did the tor browser update break https on the onion site? Other than the update, the only thing I changed was my DNS server. I can't connect with https for this site, but some other onion sites still work with it.

I'm a dummy. halp pls

>>974599

just you

>>974643

are you connecting via https? I can't access it that way

I'm tech illiterate, can someone explain how to properly use this browser safely after this update?

>>974646

https is redundant for tor hidden services as tor is already encrypting the connection.

w3m + Tor is the future.

>>974768

As mentioned previously, w3m does not create a new identity per site. Your whole entire browsing session will use the same identity.

>>968698

>That is not recommended by anyone but idiots, that setting means you don't even GET .js files and thus make yourself stand out.

The alternative for 7.X would have been that any exit node can inject JavaScript over plain HTTP connections. Even if you GET .js files, but don't execute them in your browser, it can still make you stand out.

>>973655

>Please provide a source

I'll provide easy reproduction steps.

Have javascript enabled in about:config.

Open the dev tools (F12), and go to the "network" tab.

Load https://panopticlick.eff.org/, and look for GETs with a .js file: you should see several, such as one for DeployJava.js.

You might notice how cached resources are still listed, so that won't be a concern.

Now disable javascript in about:config, reload the page, and notice how there are no GETs for .js files.

>>974855

Thanks for the easy reproduction steps. But I don't see any js files in the network tab in either of the tests. Maybe some other users could try it and report here? That might be helpful. We are looking for differences between "normal noscript's no javascript" method and noscript's no javascript+plus about:config's javascript disabled methods. If users can be fingerprinted between these two that is bad.

I have F12 pressed on "All" sub tab (also I have persist logs checked, and trash the logs between tests).

In none of my tests did I ever enable javascript in noscript or whitelist anything. My Tor Browser settings was always set to highest security. However my TBB is not a default install, so that could be factor, as I remember someone saying the security settings was not showing the correct default so you might have to change it and then change it back to whatever you actually wanted, however this info was not verified by me.

I also tried "http://ip-check.info" but got no js files from there either. (both with about:config javascript.enabled true and with it false)

"DeployJava.js" is not shown as any GET in the network tab. Are you testing with TBB with security slider at highest?

It is strange we would be getting different results with javascript.enabled set to true in about:config. I'll try a default install of TBB if you want me to, but please verify your settings and the reproduction steps in case I was doing it wrong. Thanks for the feedback and helping me and all the potentially dumb users who are standing out from the crowd with this setting set to false manually.

If you are sure of your findings please leave feedback at

https://www.eff.org/about/contact

and at

https://anonymous-proxy-servers.net/bin/contact?lang=en

so these services can tell users they are appearing differently to them.

>>967011

>https://trac.torproject.org/projects/tor/ticket/26146

>Tor Browser no longer uses a fixed user agent because it's too hard to implement or it violates mobile-first principles or something

Looks like 8.0.1 returned to Windows UA on desktop machines. That is probably for the best, but it sucks that the last weeks server logs and my previous and future user behavior will reveal I am actually not on Windows due to 8.0.0's temporary revealing OSs. Pretty bad on Tor Project imho. Still the browser seems like it is the best thing that is moderately well tested, so we are probably stuck with it.

Supposedly the tabs are isolated now (since 8.0.0)? which is partly why this firefox version runs so much more ram hungry and slower. It's good that it is more secure, but bad my old computer runs worse now. I like that the tab shape switched back from the curvy and ugly tabs to the boring nice rectangles.

>>968160

>your browser can still be fingerprinted through CSS.

True, but that kind of CSS fingerprinting is easy to see. You can tell a website is trying to fingerprint using CSS when it loads hundreds of CSS parameters trying to reveal your exact pixel window's size. You would have to look as the page source you download, but should be easy to see. I have never noticed it in the wild, but maybe it is common? Or can it be done in a stealthy way? And can more than window size be determined using CSS? I would love to hear about what can be done. Links?

>>974773

Actually, this isn't true for Emacs' frontend of w3m, w3m.el. Obviously this is only pertinent to w3m's UA, but prior to 25, Sacha Chua made a good article illustrating how to cycle w3m's user agent according to an alist. Nowadays, this is actually defined in w3m-user-agent-alist and w3m-user-agent-site-specific and can be altered every session.

>>974996

Who cares about user agents. I'm talking about the fact that all your traffic is coming from the same ip. With the TB you have a different ip for every site you visit.

>>975010

>with tor browser you have a different ip for every site you visit

Unless they've changed it recently, this is false. Every tab shares a circuit, and thereby an ip

>>974746

Wrong. Tor encrypts traffic between tor nodes, but whatever you send shows up on the clearnet. If you don't encrypt, then the exit nodes and any three-letter friends can see your message.

>>966919 (OP)

You should strictly limit other applications that are open when using Tor.

>>966952

If you don't cross-browse then you'll be fine.

>>975017

Incorrect. Connections to the same website will share the same route. Different websites will have different routes. Feel free to check this out for yourself.

>>975019

Wrong. Please reread my post. I am talking about hidden services.

>>975079

What is your reasoning behind this?

>>975091

You reduce the attack surface when minimizing other running applications. It's easiest to just use tails os

>>975010

Do you understand how Tor works?

Anyone here have any actual proof this is dangerous? All I'm seeing are idiots complaining and people using (((echos))) on words they don't like. Tor Browser 8.0.1 still looks solid, while I'm not a fan of FF Quantum and I want the tor project to maybe adopt a new browser or commit time to developing their own. The important thing is having an up to date browser, security patches, and a current UA string.

>>975284

Do you?

Just buy a vpn you cheap jew.

>>>975468

>just pay money for something that's worse in every way

>>975350

I know reading threads is hard, but you might want to try. There have been several issues pointed out and guess what you'll have to go looking if you want them.

>The important thing is having an up to date browser, security patches

Unless those "security patches" and the "up to date browser" are not as they seem which has been the thread conclusion up to now. Sure you can't prove anything but you also have a bunch of (((coincidences))) piling up at once which is worrisome.

<and a current UA string.

Got me there but if that's the only benefit might as well stay downgraded until Tor gets their shit together or it's no longer feasible.

>>975503

You might want to read the thread yourself and notice all the "Valid" issues brought up already have tickets or were patched in 8.0.1

Upgrading to quantum was planned ages ago, I'm seriously confused how anyone is surprised that the tor project followed their roadmap to upgrade to the new ESR since 52 is losing support at the end of the month.

>>975505

>already have tickets

Is that what being fixed means now?

>>975512

Not >>975505, but yes, tickets are often the first step in getting something fixed. For example, the user agent is back to Windows in TBB 8.0.1.

>>974921

>Maybe some other users could try it and report here?

I'm getting the js files in one case (old install that updated via auto updater) but not in another (fresh install in VM)

Fug.

>>975519

"Being fixed" as in "has been fixed". Poor choice of wording.

>>975612

>>968168

That's not good. We need more users to check and write a bug report (https://trac.torproject.org/) and for the Tor Project / Mozilla / NoScript-addon-devs to make sure users are not identifiable from the web servers based upon .JS files downloading or not.

having "javascript.enabled" set to "false" via about:config

and

having "javascript.enabled" set to "true" via about:config

shouldn't change NoScript's default no JavaScript behavior, nor sure some users download .js files and others not.

Tor Browsers highest security slider/setting should also make sure JavaScript is truly disabled.

>>975519

you mean like that firefux ticket with 400 replies where the option to disable popups doesn't work, and they finally took it out after 15 years instead of fixing it.

you can sort of turn off popups by setting "dom.popup_allowed_events" to an empty string though, but most faggots here rather use some trendy addons which they have no idea what their for (for example noscript fags think it's for disabling JS when it's really about "fixing" CSRF/XSS/clickjacking/etc)

>>975350

main thing is that the browser now gives away user agent

>>967005

https://hooktube.com/watch?v=89od8TqQBIs

https://blog.torproject.org/new-release-tor-browser-801

>on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript.

>>976193

The option to enable javascript is for normalfags who just want their site to work correctly. I really wish the the Tor browser project didn't take this attitude.

>>976203

Tor needs to be inclusive and diverse. Trannies want to use Javascript by default and that's their human right.

>>976203

Cutting off support for most web content would be shortsighted, and would eventually lead to the almost complete death of the project in less than a decade.

Attempting to harden the javascript engine is the smarter choice, it's not easy work but it has to be done.

>>976193

what the fuck

>>976389

Calm down goy it's just for compatibility reasons, same as leaving JS on by default. You got nothing to fear unless you maximize your browser window! Then we'll flash a huge fucking warning about it!

>>976342

>support for most web content

End this meme, the only sites that don't work are Web 2.0 abominations and these are either not worth visiting in the first place or make no sense to use over Tor (think banking).

JS is BY FAR the largest security hazard on the web. Fixing the engine to block a dozen of the ten million attack vectors is a colossal waste of effort. Meanwhile, the technical side of the project (esp. wrt hidden services) stagnates because all the effort is bound on a stupid Firefox fork.

>>971412

>I expected "Save as text" to mean "a document saved as text". Totally weird and 'unprogressive' in 2018 I know.

But it isn't a text document, a website is a representation of HTML/JS/CSS.

So if you save it as 'Text' You will get the site in text form which will be HTML/JS/CSS

It doesn't matter, whore won't keep you safe from spooks. It's not designed for that. You use it for other reasons, like I am right now.

Does it still randomly freeze for no reason?

>>976741

>Does it still randomly freeze for no reason?

Yes.

>>976741

please hold on your decrypted keystrokes will be sent to ISIS shortly

>>976431

Unacceptable. Change it, now

what's a good .onion site to read on? there it used to be a chan that was somewhat developed and a bbs that was fucking awesome and fun but they either died or went dark.

>>976829

http://oxwugzccvk3dk6tj.onion

>>976741

>Does it still randomly freeze for no reason?

Yes, but that's your fault, goy. Why don't you upgrade your hardware to the latest and greatest newest backdoors and just throw away your old stuff? Because nowadays efficiently displaying text and images requires an up to date computer with 256 GB of RAM, 32 core 128-bit processor and naturally 3D hardware acceleration. /s

The UI freezing during page load still boggles my mind. Old devs fixed this problem back in the days of Windows XP. Now the new devs unfixed it somehow.

>>976425

> and these are either not worth visiting in the first place

Ah, the age old tale of the fox and the grapes, free software edition.

>>976927

>The UI freezing during page load still boggles my mind. Old devs fixed this problem back in the days of Windows XP. Now the new devs unfixed it somehow.

Well said. The trend seems to be for most people to be using the latest mobile devices for web surfing, so I don't see this trend reversing anytime soon.

>>975700

>We need more users to check and write a bug report (https://trac.torproject.org/) and for the Tor Project / Mozilla / NoScript-addon-devs to make sure users are not identifiable from the web servers based upon .JS files downloading or not.

It's probably already bugged and marked as won't fix.

>>976757

But why? So that CIA glow-in-the-dark niggers have more time to snoop around my machine?

>>967359

>operating system is part of the UA

>websites may need that information

>need

>specific .exe depending if they're on Windows 7, 8 or 10

>giving them a x86 or x64 .exe or a .deb if they're on Ubuntu/Debian and a .tar.gz if they're on other "Linux" operating systems

>need

convenience isn't a "need."

tell us again why o.s. NEEDS to be in the u.a.

>>977061

Because tech-illiterates now use computers

>>977062

stop enabling them. if they have to figure out what cpu they have, what operating system, etc, they will either stop being tech illiterate or they will go back to television, where normans belong

>>977061

but we "need" funding

>>977066

I agree, this UA debacle shows either incompetence, irrationally, or economic incentive.

Once a project gets enough funding it gets big. Once people in a organization or project relay on the funding and donations for daily living their actions are influenced strongly by incentives. The Tor Project wants to grow and get more people using it. That might be good for funding. Money is a strong incentive, and that become apparent in large organizations. The Tor Project isn't entirely evil nor entirely good, nor is it probably even evil or good, just a group of people who are doing what they do for their own reasons. For their sake, I hope it is not incompetence or irrationally, as those are harder to fix than simple economic interests working against their user's privacy.

>>976810

What the weed I'm ordering? Surely getting pizza off someone is more exciting..

>have to reinstall operating system

>"I'll install an older version"

>"oops, forgot to turn off auto-update"

>set everything up the way I like it

<HEY THERE IS A NEW BROWSER UPDATE PLS INSTALL THANKS

>"ugg, no"

<5 minutes later

<HEY THERE IS A NEW BROWSER HEY THERE IS A NEW BROWSER HEY THERE IS A NEW BROWSER HEY THERE IS A NEW BROWSER HEY THERE IS A NEW BROWSER HEY THERE IS A NEW BROWSER PLS INSTALL THANKS

old versions now nag the shit out of you if you don't (((upgrade)))

the exact same version I am using now I WAS using before and it didn't nag me like this

>>974855

Sure you just don't just have javascript enabled from noscript?

I tested it and am not seeing any javascript files in the network tab.

TBB 8.0.1 (based on Mozilla Firefox 60.2.0esr) (64-bit)

>>977859

In Gentoo you can block package versions with you package.accept_keywords file

>>976927

>>>/leddit/

>>978654

You mean package.mask

package.accept_keywords is for accepting stable and unstable versions of packages.

>>967285

>I'll bet you it still calls home to mozilla.

Yes. It send linux kernel version to mozilla.

>>980884

https://trac.torproject.org/projects/tor/ticket/6734

https://trac.torproject.org/projects/tor/ticket/16931

>>980884

Still, don't you fucking dare maximize the browser window! You don't want an attacker knowing what screen resolution you use! I've always wondered though, would I instantly become fingerprintable if I resized the browser window by a few pixels from its default?

Anyway, installing extensions should be disabled by default, same as scripts. Should be.

>>980934

>would I instantly become fingerprintable if I resized the browser window by a few pixels from its default?

what if we just resize our browsers every time we open a new webpage?

>>980934

Yes if you enable javascript you must use privacy.resist.Fingerprinting, which does not work correctly in older Firefox versions.

Is being fingerprinted really that big of an issue? Every time someone mentions using tor in any capacity besides the default setup it's mentioned. I'd rather not browse the internet without umatrix and other quality of life addons. I'm just a laymen retard trying to get some extra layers of anonymity and security here and there. Considering making my own router so I can have a VPN at that level and not need to worry about JS leaks as well. So I guess my question is having a finger printable tor browsing session better than having a finger printable non-tor browser? I need the internet to be functional on every website.

>>980934

>I've always wondered though, would I instantly become fingerprintable if I resized the browser window by a few pixels from its default?

Not instantly, but very quickly: almost no other tor user in the world will be browsing with a browser window of the exact same size as yours, so visiting a few sites and going through a few exit nodes would give you a 100% unique fingerprint for that session.

>>981180

if you close all open pages before each resize, in theory you will not be fingerprintable easily.

>>986776

>Is being fingerprinted really that big of an issue?

Yes, because it means you are no longer anonymous.

If you don't care about that go for it, but if you want to hide from big comapnies or governments fingerprinting cannot be ignored.

>>987072

>If you don't care about that go for it

I just want to be as anonymous as possible without sacrificing the fundamental functionality of my browser. Seems pretty regressive and retarded that tor doesn't even have umatrix.

>>987072

>if resize you're no longer anonymous

If this is true, why is it even allowed to resize the window? Why is the maximize button not greyed out? And why couldn't the browser SPOOF the dimensions of the window if it's so fucking important for anonymity?

Bonus question: what happens if I run Tor Browser on a screen that has 800x600 resolution? All my anonymity instantly goes *poof*, it does?

This whole window size BS is retarded IMHO. Should be spoofed just like the user agent should be spoofed. Otherwise if it's critical that the window NOT be resized, then make the damn browser window a non-resizable non-maximizable dialog. Meanwhile, the OS info is leaked in the UA. But I guess THAT's not fingerprintable is it!

>>987094

>without sacrificing the fundamental functionality of my browser.

Depends on what is your idea of fundamental functionality.

>Seems pretty regressive and retarded that tor doesn't even have umatrix.

No it doesn't, if you know a little about that stuff works.

Adblockers make your browser not send certain requests a page is telling them to send, so that you never load the ads, but not making requests everyone else makes is going to get you fingerprinted and thus deanonymized.

Consider how different users might subscribe to different adblock lists and things get even worse.

>>987109

>If this is true, why is it even allowed to resize the window?

Because resizing is hard to block, doubly so if you must do it cross platform, without side effects, and without people accidentally bypassing it by pressing "maximize" on a video.

>And why couldn't the browser SPOOF the dimensions of the window if it's so fucking important for anonymity?

Because window size tracking is based on simple HTML+CSS, no JS required, and "spoofing" it in any way I can think of would break rendering at any size but the default window size.

Best case scenario you lock in viewport size and put black bars all around it.

>what happens if I run Tor Browser on a screen that has 800x600 resolution? All my anonymity instantly goes *poof*, it does?

It's bad but not as bad as slightly resizing by a few pixels.

Multiple people still have 800x600 monitors, so you could kinda blend in with them.

No one has a 803x600 monitor, on the other hand.

>Should be spoofed just like the user agent should be spoofed.

You can't really spoof it.

Spoofing UA at worst results in you getting a page with some non-functional parts, intentionally breaking the HTML specs is much riskier.

>Meanwhile, the OS info is leaked in the UA. But I guess THAT's not fingerprintable is it!

It's an issue, but again multiple people use the same OS while no one else has a window that's just this many pixels off the default.

>>987115

>Best case scenario you lock in viewport size and put black bars all around it.

You know what, that doesn't even sound so bad IMHO. It should be done.

Not only would it get rid of the stupid "don't maximize the window" warning (here "stupid" means UI fail) but it would also prevent the users from (accidentally) changing the default (say... 1024x768) viewport size and thereby becoming fingerprintable.

>not knowing that (((incident))) where they framed a tor senior developer for (((sexual harassments))) and killed Ian Murdock because he did not agree with the agents then later had a twitter meltdown then later (((suicide)))

>still using sorosfox 1984 browser

>not using goanna/XUL master race

>inb4 furry fork

>>987138

they *cough* killed him due to the fact he wanted to remove tbb off of the debian repo. the timing is also perfect like right after Soros acquired mozilla (before the public announcement) the version immediately switched to the soros pozilla version and that is where Ian got suspicious and contacted by the niggers.

RIP my man. you will never be forgotten.

>>987134

>It should be done.

If it can be done, sure.

Keep in mind that even small details such as scrollbar width could fuck up the whole plan, that the faking needs to work even if the window size is too small for the viewport, and that zoom levels and media elements must be handled too, so it would not be an easy PR.

>>987138

>not using goanna/XUL master race

What does it do to prevent fingerprinting?

>>987140

The conspiracy theories surrounding Ian Murdock's death are stupid. Ian Murdock wasn't a Debian dev for years. While the whole ordeal is fishy, it probably had to do with Docker and not Debian.

DO NOT UPDATE TO TorBrowser 60. It's a trap

also this shit version is supported only on backdoored botnet Windows (Windows 7 and later). I doesn't support safe Windows versions (2000, XP)

>>967285

>lol it dumps your OS now and relies completely on the (((mozilla))) setting for "resist fingerprinting". The jewish developers defend this.

(((Tor Project))) has been compromised by SJWs and jews.

>>967308

>So you might want to delete Tor Browser then clean install it (back up the "TorBrowser/Data/Tor" dir if you care about keeping your current guard node).

I am not going to delete anything as it will erase my browsing history and bookmarks.

>Too bad even DuckDuckGo requires JavaScript for image searches. It shouldn't be like this.

https://startpage.com doesn't require javascript for image searches

>>967359

>Not that it matters, since guessing the operating system a browser is running on is very, very easy thanks to installed fonts, supported formats, hardware acceleration, WebGL, etcetera. This is why changing the User Agent to appear as if you're using another OS is retarded and actually makes you easier to identify.

isn't Tor Browser supposed to block giving out fonts, formats, HW accel, WebGL, etcetera?

>>967361

>Time to throw out your single core CPU.

No, thanks jew, I don't need compromised CPU with Intel ME or AMD PSP, that sends all my keystrokes to israel.

>>967391

>Unfortunately, there are services people want that basically have a monopoly, so, if they expect you to run js on their site for their service to function, you're basically going to run it regardless of your stance.

a few special letters sent to them (Ted Kaczynski style) could make them change their policy

>>968142

>using NoScript

>not just disabling JS in about:config

>I will never understand people that use NoScript. They want selective rape or something?

how do you want to buy things online without javascript? order by email?

>>968160

>If youbhave JS disabled you can't spoof anything but User Agent, but your browser can still be fingerprinted through CSS.

How? Prove it

>>968720

>I have a 2012 i5 with 4 GB of RAM and I never see any slowdowns or freezes. What kinda hardware are you on?

Your modern intel shit sends all your keystrokes to israel anyway. Why bother with Tor?

>>968938

>The second the NSA sees you using TOR they automatically log in to your PSP / ME unit and image your drives, prove me wrong.

>TOR is useful for hiding from actors OTHER THAN THE NSA. The NSA isn't currently censoring Youtube and hunting down and doxxing libertarian "nazis," other elements are.

NSA cannot log into my PSP / ME because I don't have one. Only total idiots and dumbasses bought CPU with ME/PSP.

>>976425

>End this meme, the only sites that don't work are Web 2.0 abominations and these are either not worth visiting in the first place

Any online shop requires jewscript

>or make no sense to use over Tor (think banking).

what? it makes huge sense to visit banking over Tor. if you visit with clearnet, bank and NSA will know your true IP and physical location, every time you login into bank site

>JS is BY FAR the largest security hazard on the web. Fixing the engine to block a dozen of the ten million attack vectors is a colossal waste of effort.

and the thing is, JS is not needed for 99% websites if they were properly designed for non-js. banks, online shops, even reddits and facebooks, could totally work without javascript

>>987115

>Because window size tracking is based on simple HTML+CSS, no JS required

how? how do you send that size to the server?

>>987138

TOR PROJECT is compromised and jew'ed

>not using goanna/XUL master race

and how do you have separate Tor circuit for each website in goanna?

>>987140

>they *cough* killed him due to the fact he wanted to remove tbb off of the debian repo.

how to we know he wanted to remove tbb from debian repo?

and why would they kill him for such shitty reason? nobody uses debian, so why would it matter? 99% people use Windows or Mac, CIA doesn't even know that debian exists

>>976829

http://es2adizg32j3kob5.onion/

list of quality onion sites

:)

>>987160

get your meds

>>987160

>DO NOT UPDATE TO TorBrowser 60. It's a trap

>safe Windows

You already lost all credibility with this post with this trash about safe windows visions existing. Like previous versions, TBB 60 might be compromised with bugs or hard to detect open source backdoors, but if you are trying to fit in with the anonymous crowd of average people you better use a version that helps you lower identifying information can fingerprints your usage. Using outdated firefox/tor/windows versions with publicly disclosed is folly, and encouraging others to follow your advice makes me think you lack intelligence and/or enough morality to avoid shilling.

>(((Tor Project))) has been compromised by SJWs and jews.

The project has not changed hands or direction. If you don't like where it is, you probably didn't like where it was at any point in its history.

>doesn't require javascript for image searches

http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion/

also works for image search without javascript, and I think it is run by riseup.net

Searchs are not as good as startpage and have a lot of dupes, but maybe mess with the options to tweak the results.

>No, thanks jew, I don't need compromised CPU with Intel ME or AMD PSP, that sends all my keystrokes to israel.

Close source hardware at the root of CPUs are concerning, but if they are automatically active they do an amazing job of sending their compromising traffic back to headquarters and not being detected by system admins en route. It is wise to avoid using compromising hardware, but the evidence suggests this attack vector is selectively used and not a part of the dragnet surveillance.

>how do you want to buy things online without javascript? order by email?

The context of this thread and post should be clear that the user in question is using Tor Browser, which is blocked by most web store fronts. Your response is nonsense, as it assumes that shopping on JS web store fronts is anything a Tor user is doing. You might be able to find a few sites that allow Tor+JS+banking+credit info to work, but it is just a bad idea considering MITM and getting your bank/credit fraud checks that would accompany such attempts. Bitcoin+Tor+noscript works on darknet sites, as long as the sites are not scams, which most are.

>your browser can still be fingerprinted through CSS.

>How? Prove it

A website can make 1x1 and 1x2 and 1x3 and 1xN CSS scripts that ask your browser to only load the image from the CSS script for the width of your browser. Once all that CSS codes hits your browser the CSS image in the script will be requested by your browser, and once that happens the web server will know the width of your browser at the time you loaded the webpage. I remember seeing examples of the code many years ago, but have never knowing ran into it on a live website, but also never looked for it, as just keeping the default size of the TBB size is easy enough.

>>987160

>NSA cannot log into my PSP / ME because I don't have one. Only total idiots and dumbasses bought CPU with ME/PSP.

>Your modern intel shit sends all your keystrokes to israel anyway. Why bother with Tor?

Your speculation is just that. There hasn't been any documentation cases by security researchers of Intel ME sending (or even collecting) data. It is best not to use close source CPU infrastructure, but it is likely not a dragnet surveillance utility. It might use steganographic methods to hide its network traffic, but more likely your overestimating its use by SIGINT. But even it is doesn't send all your data to Intel's buddies your likely still going to see plenty of good reason to use Tor. Censorship resistance, if nothing else.

>or make no sense to use over Tor (think banking).

>what? it makes huge sense to visit banking over Tor. if you visit with clearnet, bank and NSA will know your true IP and physical location, every time you login into bank site

Ok. Go use Tor for your bank login. Enjoy your visit to the bank explaining that that really was you and you want to give them all your documents and prove your identity so you can have permission to use jewscript over clearnet to access it again. If you bank allows Tor access without JS, please tell me what bank it is, as I would sign up.

>Because window size tracking is based on simple HTML+CSS, no JS required

>how? how do you send that size to the server?

I would love to know too, CSS with the width code hack I mentioned earier is the only think I know of, but web development is changing daily, so it wouldn't surprise me if there were new methods invented/implanted.

>TOR PROJECT is compromised and jew'ed

Compromised how? If it is because members are jewish and speak in favor of globalism, that is not enough to make the open source code compromised. The fact that any codebase as huge as tor/TBB could have serious backdoors/bugs is a concern, but again, you are going to be using NO software at all if you avoid using software you haven't fully understood and audited for bugs/backdoors.

>how to we know he wanted to remove tbb from debian repo?

I also would like to know if there is any source to this rumor. If nothing else it would be interesting.

>why would they kill him for such shitty reason?

Agreed, seems dubious.

>nobody uses debian, so why would it matter?

>99% people use Windows or Mac, CIA doesn't even know that debian exists

The majority of any government organization are fools, just like any organization or any group of people for that matter. It is the few people that know and understand that matter. If memory serves the Wikileaks leaks on SIGINT tools included plenty of specialized software for attacking Linux systems.

>>987115

>but not making requests everyone else makes is going to get you fingerprinted and thus deanonymized.

>different adblock lists

Ship adblock list with Tor Browser. Problem solved.

>Spoofing UA at worst results in you getting a page with some non-functional parts

Only if this page shitcoded by webmonkeys.

>intentionally breaking the HTML specs

UA doesn't matter, if webmonkey don't break HTML specs.

>>987195

>Only if this page shitcoded by webmonkeys.

This

>Ship adblock list with Tor Browser. Problem solved.

Just install uBlock or uMatrix. The "addons will deanonymize you" shit is totally overhyped imao

Simply don't install spyware garbage like Stylish or however that was called or Ghostery.

>>967032

>security nightmare

Stop installing random addons. I am sick and tired of this fucking stupid excuse. The only reason XUL got deprecated is because Mozilla got infected with the OOH SHINY virus and are too lazy to spend their time writing quality software that does right by their users.

>>987241

This. If you install malware you get malware.

Addons aren't supposed to be websites. They're full programs that extend the browser where needed.

YT wouldn't have been a thing back in the day because without flash your browser wouldn't have been able to play videos to begin with.

>>987172

>You already lost all credibility with this post with this trash about safe windows visions existing.

No I didn't.

I work for CIA and I have insider info that Win2000/XP contains near zero privacy issues and backdoors compared to WinVista and later. Win10 is obviously the worst.

>but if you are trying to fit in with the anonymous crowd of average people you better use a version that helps you lower identifying information can fingerprints your usage.

with TBB 60 you won't fit into crowd, because they removed User Agent fingerprinting. So you won't fit into crowd even with JavaScript disabled

>The project has not changed hands or direction. If you don't like where it is, you probably didn't like where it was at any point in its history.

It did changed a lot during years. They framed one dev into sexual misconduct. They bribed some of TorProject people. They also put their agents inside.

TorProject has been compromised from the inside.

> It is wise to avoid using compromising hardware, but the evidence suggests this attack vector is selectively used and not a part of the dragnet surveillance.

>evidence

>muh goy show (((evidence))) we are fucking you

you don't get clear evidence for many things until many years after it was used to murder thousands of people. in the past, humans thought that smoking is healthy.

and for Intel ME / AMD PSP there is enough evidence to stay as much away from it as possible.

>is using Tor Browser, which is blocked by most web store fronts.

it isn't. some block some not, boycott the ones that block.

>You might be able to find a few sites that allow Tor+JS+banking+credit info to work, but it is just a bad idea considering MITM

ever heard of SSL?

>Bitcoin+Tor+noscript works on darknet sites, as long as the sites are not scams, which most are.

It's not hard to know which sites and vendors are legit, been buying drugs and weapons from darknet and never been scammed

>A website can make 1x1 and 1x2 and 1x3 and 1xN CSS scripts that ask your browser to only load the image from the CSS script for the width of your browser. Once all that CSS codes hits your browser the CSS image in the script will be requested by your browser, and once that happens the web server will know the width of your browser at the time you loaded the webpage.

why is this even allowed by CSS and web browsers? that's botnet

CSS should be fully passive and do not leak any info, should not have any conditional loading of images or anything

>>987173

>There hasn't been any documentation cases by security researchers of Intel ME sending (or even collecting) data

It's enough that there is possibility. You won't get evidence until thousands of people will get to jail because of ME.

Nobody sane should have CPU with ME / PSP.

>Ok. Go use Tor for your bank login. Enjoy your visit to the bank explaining that that really was you and you want to give them all your documents and prove your identity

If they do that to you, you should sue them and report to reddit so people will boycott them. I do not know any law that would allow them to block account for using Tor

>Compromised how?

by getting SJWs, CIA agents, jews on their team.

>>987195

>Ship adblock list with Tor Browser. Problem solved.

Tor Project won't include adblock list because:

-it is bribed by google and corporations (adblock = loss profit for those companies)

-google and other sites would block Tor for having adblock built-in

-it is not the job of Tor to block ads, but to provide privacy and anonymity (though ads are often violating privacy)

>>987196

>Just install uBlock or uMatrix. The "addons will deanonymize you" shit is totally overhyped imao

>Simply don't install spyware garbage like Stylish or however that was called or Ghostery.

it's not about spyware. it's about different fingerprint. If you will have adblock with some list, while other Tor user will have different adblock list or no adblock, your browsers will request different files from webpage etc, you will stand out from them

>>987430

>I work for CIA

Neat.

>with TBB 60 you won't fit into crowd, because they removed User Agent fingerprinting. So you won't fit into crowd even with JavaScript disabled

It is unforgivable that Tor Project allowed that, but it is fixed now.

#26146 closed defect (fixed)

https://trac.torproject.org/projects/tor/ticket/26146

You are weeks behind on reading your CIA memos.

>They framed one dev into sexual misconduct.

dev? He was a Tor evangelist, not a dev. Framed? Allegations were made, no frame job. He is a jew. He stands for nearly everything within the Tor project that the current Tor project still encourages, so removing him isn't going to change the direction.

>They bribed some of TorProject people.

Evidence requested.

>They also put their agents inside.

Who are "they"? It is likely, as it is an open community that is funded largely by Taxes>Educational>Research-grants.

>Intel ME / AMD PSP there is enough evidence to stay as much away from it as possible.

>enough evidence

>no evidence found

Although I agree. Staying away from likely backdoored hardware is wise. Still doesn't suggest it is widely used in a dragnet surveillance as you previously suggested with the (sending all keystokes).

>ever heard of SSL?

Encryption is good (CAs might be compromised), but the sites will still flag you for using multiple Tor exits and coming from the wrong counties IPs.

>It's not hard to know which sites and vendors are legit, been buying drugs and weapons from darknet and never been scammed

Agreed, that it is easy to tell.

>why is this even allowed by CSS and web browsers? that's botnet

>CSS should be fully passive and do not leak any info, should not have any conditional loading of images or anything

People in charge of web standards are not concerned with consumer privacy. They use compromised software and hardware and think you are crazy for wanting basic freedoms. Also most people want the same thing they do, so your privacy/security voice isn't even considered.

>It's enough that there is possibility.

>Nobody sane should have CPU with ME / PSP.

Agreed. Unless they don't care about privacy or security. For example if they just want a gaming rig on Win10, which is already feeding your data over the lines.

>You won't get evidence until thousands of people will get to jail because of ME.

A jail is used to temporarily detain.

You think people working for backdoored corporations will be prisoned and you also work for CIA? They are not good enough to start detaining anyone that serves their agenda.

>TorProject has been compromised from the inside.

>Compromised how?

>by getting SJWs, CIA agents, jews on their team.

Well Mr, CIA employee, that argument isn't very compelling. Their code is public.

So, how is it compromised? In what way has this compromise resulted in changes to the software or goals?

>it is bribed by google and corporations

No need for bribes. It is simple financial incentive. One of the problems with an organization like Tor Project is that once it becomes big it starts getting full time employees. These employees, like most wage slaves need to do whatever it takes to encourage funding (common donations for non-profit). Most globalist conspiracies can be dismissed if you just see the systematic incentives already in place.

>google and other sites would block Tor for having adblock built-in

Maybe. Tails(OS) used to (and maybe still might) ship with uBlock Orgin.

>it's not about spyware.

It is a little about spyware. Plenty of reports have come forward where the add-ons were tracking users, so being at least a little wary is warranted.

>it's about different fingerprint. If you will have adblock with some list, while other Tor user will have different adblock list or no adblock, your browsers will request different files from webpage etc, you will stand out from them

Many users just leave the default adblock subscriptions, and they auto update and various times, so the fingerprint will slowly change as the auto-updates occur for various users. Interesting to think about, but probably users will be compromised by enabling javascript, which shows a lot more fingerprint data, including all add-ons installed.

Say more. Mr CIA is fun to talk to.

>>987172

>and getting your bank/credit fraud checks that would accompany such attempts.

maybe in cuckmerica. it's orwell state.

never happened to me in europe.

>>987173

>Ok. Go use Tor for your bank login. Enjoy your visit to the bank explaining that that really was you and you want to give them all your documents and prove your identity so you can have permission to use jewscript over clearnet to access it again. If you bank allows Tor access without JS, please tell me what bank it is, as I would sign up.

america = orwell

have bank accounts in few european countries, always login with Tor, never been blocked. Can even do bank wire transfer with Tor.

americans live in prison.

And I pay 0$ for wire transfers, americans pay 30$, that's why they have to use shitty payment processors like PayPal, who also steal a lot % of their money when doing payments.

>>987489

Hello my fellow european, did you get your message saying something like "Thanks to new EU anti-money laundering regulations we now have to know sources of all your money and get to know our customers." I sure got mine. Also once got interrogated by the clerks when withdrawing money. The sugar daddy EU wants to know how his bitches spend their money it seems.

>>987196

>The "addons will deanonymize you" shit is totally overhyped imao

You're a retarded LARPer with no idea about what you're talking about.

>Simply don't install spyware garbage

Even a well coded ad blocker you wrote 100% yourself will deanonymize you, because its very purpose (blocking certain connections) can be easily exploited to identify you.

>>987489

>larping as if 99.99% of europe isn't more fucked by magnitudes than anywhere else in the world when it comes to privacy and freedom

Haven't seen this kind of sliding since I used to post on cuckchan a decade ago.

>>987481

>It is unforgivable that Tor Project allowed that, but it is fixed now.

They "fix" it only for HTTP header, but javascript show real OS.

>>987668

Because there are 1001 ways besides user agent to identify OS with javascript enabled.

>>987513

Not him, but being semi-anonymous is good enough for me. The most important factors for me is not running any javascript, and not loading any other kind of botnet shit. That means using a lean browser like Links, Lynx, w3m, or similar.

The only reason I'd even use Tor in the first place is to get around blocks such as the EU might impose in the near future. Otherwise I don't need it. And actually Freenet (or even Usenet-type solution) sounds more useful, because there's no centralized website to censor.

>>987868

>but being semi-anonymous is good enough for me.

If by "semi-anonymous" you mean Google can easily identify your sessions as coming from the same person...

>The most important factors for me is not running any javascript, and not loading any other kind of botnet shit.

Do you have any definition of botnet besides "things I heard were bad once"?

This very site uses js for several things, including creating the links to replies on every post.

>>987929

I'm posting here without javascript, via one of the aformentioned browsers.

BTW, Lynx doesn't load anything at all except the HTML file you point it to. It doesn't support frames, JS or CSS at all, and you can disable cookies (even at compile time if you want to be sure). But you can still load images into an external viewer, or download them to disk and then view them. I can post here with it, and also Endchan.

The reason why we have such problems with web browsers is that it is too hard to write a web browser.

Web browsers do too many things. They are operating systems in themselves. They are MySpace when they should be Facebook. The user should define CSS not the website.

We need standardized XML schemas for all the main internet presentation formats. Imageboards would be one. Then everyone can write a web browser and nobody has to deal with (((garbage))). This can be done without any official committee or new money.

>>987941

Most, if not all, text based browsers like Lynx have so few users/developers it seems like security issues wouldn't be discovered or fixed. Without JS and CSS that would help minimize those threats, but make your fingerprint completely unique among all visitors (bad for Tor/Anonymity). See results below.

Lynx default fingerprint over Tor results from https://panopticlick.eff.org/ (accepting all cookies, as Tor default). Also using the default lync user agent.

>How well are you protected against non-consensual Web tracking? After analyzing your browser and add-ons, the answer is ...

>Yes! You have strong protection against Web tracking, though your software isn’t checking for Do Not Track policies.

>Is your browser blocking tracking ads? ✓ yes

>Is your browser blocking invisible trackers? ✓ yes

>Is your browser accepting Do Not Track commitments? ✗ no

>Does your browser protect from fingerprinting? ✗ no

>Note: because tracking techniques are complex, subtle, and constantly evolving, Panopticlick does not measure all forms of tracking and protection.

>Your browser fingerprint appears to be unique among the 2,290,000 tested in the past 45 days.

>Currently, we estimate that your browser has a fingerprint that conveys at least 21.11 bits of identifying information.

Results with: (TBB60 default Useragent) No change in results, perhaps as the browser is just too rare.

lynx -useragent="Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"

>Is your browser blocking tracking ads? ✓ yes

>Is your browser blocking invisible trackers? ✓ yes

>Is your browser accepting Do Not Track commitments? ✗ no

>Does your browser protect from fingerprinting? ✗ no

>Your browser fingerprint appears to be unique among the 2,290,000 tested in the past 45 days.

>Currently, we estimate that your browser has a fingerprint that conveys at least 21.11 bits of identifying information.

TBB default (with highest security settings):

1 in 2000 browsers have the same fingerprint.

conveys (<11) bits of identifying information.

Being unique is great if you are trying to stand out, but not so good when trying to mask yourself within groups of other Tor users.

>>988008

Lynx was actually part of OpenBSD for some years, so it got at least a good look-through by some real experts. Now it's in the ports tree instead of base, but they've pledge/unveil'd it, which is much easier on something of that scale than something like Firefox.

I don't trust any browser that's bigger than the OpenBSD kernel source tbh.

>>987995

>The reason why we have such problems with web browsers is that it is too hard to write a web browser.

>Web browsers do too many things.

>>988021

>I don't trust any browser that's bigger than the OpenBSD kernel source tbh.

Trust is certainly an issue when big code bases for huge attack surfaces like web browsers, so I cannot blame you, but don't expect anything other than pseudoanonymity when routing through Tor. You likely will be very unique. If however you figure out how to give lynx settings that make your fingerprint closer to the TBB (less than one in 2000 by blending in with normal Tor highest security users), than I would be interested in seeing the settings and trying them myself. Lynx pages load SO much faster than the trash of bloat of firefox+TBB60.

It probably would need to download (even if not loading) CSS, images, garbage to actually look anything like TBB60 users.

This new version of Noscript is a huge downgrade from the legacy version in terms of UX and usability. It really feels to have been intentionally designed to be a huge pain in the ass. The very fact that tor devs stubbornly continue to include it and refuse to switch to the superior uMatrix speaks volumes about their dedication to best privacy and anonymity practices. Furthermore, forcing everyone to use the minimum security setting, so that you don't stand out from the rest of tor users, is pure judaism. Their kvetching over having to keep things unobtrusive to cater to normalfag usage is also a load of bullshit. The defaults are not sane from either an anonymity or usability perspective, because NoScript is a bug ridden pile of shit and there is absolutely nothing difficult about uMatrix or uBlock.

>>987767

>You can still be fingerprinted

>WHAT DO YOU MEAN YOU WANT ONE LESS WAY TO DO IT?!

t. current Tor dev

isis agora lovecruft - u prostitute daddy fucking infertile cunt - look what you have done to tor! @isislovecruft

>>967032

>pre-60 FF was a security nightmare

No it wasn't, there wasn't any security flaws after the 2013 patch.

>all the while using over 3000 MB of RAM as usual

Fix'd.

Ya niggas have no idea how no idea how bloated some websites are, even after disabled some or all of JavaScript. The horror... The horror!