Index of /tor-package-archive/torbrowser - Tor-im-browser-1.1.10_en-us.exe download

Looking for:

Tor-im-browser-1.1.10_en-us.exe download 

Click here to DOWNLOAD

    ❿  

Tor-im-browser-1.1.10_en-us.exe download

 

Well that's what's going to happen to your entire lifespan. I'm really not sure if you will get it until you one day find situation in a preterminal state or worse a slave till you die. Hope being frank is tolerated. Otherwise ta. So basically if someone had JS enabled but had updated their TBB within the last month they wouldn't have been affected by the malicious JS? And TBB would have shown a red or yellow warning on the home page in the last month telling us to update?

Yep, although there is one specific build of TBB with FF version 10 that for some reason did not mention that.. But part of this Javascript attack was that it checked to see if you were running version The script checks for "document. It also checks as an OR for "window. So the script doesnt give a damn what version you have. Every mozilla-based browser is targeted not only firefox. It works for every single FF version under the updated one.

That's only the injected javascript. I'm sorry but I'm very tech illiterate cant read code. Are you saying that the TBB released after June 26 are also vulnerable to the attack?

This seems to go against everything I have read regarding this attack. You are half-correct. You are talking about the script that injects the iframe. The actual exploit loaded into the iframe only attacks Firefox To be redundant here, Well, that makes me feel much better.

I highly recommend it:. Honestly, same goes for Windows users, why not use tails? Like many others, I use Tails whenever possible. Simple enough to answer.

Connections and bandwidth. Not everybody in the world, and especially in rural areas of one country in particular that prides itself on being a leader in technology, has access to broadband or even reasonably fast internet. Oh, when you have broadband, it's easy to say why would someone use the smaller option when the larger one is better, but look at the other side of the digital divide and the answer becomes quite clear.

The large developer and security analysis community around Tails, compared to the voice-in-the-wilderness aspect of Whonix? If only they would pull their heads out of their asses and disable javascript by default.

They were warned, they just wouldn't listen, even now. Spot on mate. It's minor annoyance for those of us who're happy to dive into noscripts settings, but potentially life changing for those out there who trust the bundle to have everything covered out of the box.

Can't help but think that when there's no good reason to have it so, the reason for having it so must be 'no good'. I believe Firefox 10 does not trigger the attack, but I also expect it's vulnerable if somebody were to attack it.

I always forget to update Tor. It would be nice if Tor had an auto update option. It appears as if the exploit was cut down from a broader attack. How sure are you of that, are you one of the experts who tried it themselves, or could you link a source please? There are many people who are worried and very interested in this, from what I'm reading here and on other sites.

In fact, get anything including index. It does not specifically check for a version. It even executes on FF If the malware can go through though.. I dont think anyone can actually test that practically. That's only the server-side injected code, there's a ton more code and the actual exploit that's loaded in the iframe.

The iframe is injected in any mozilla-browser. The exploit in the iframe only runs on Firefox Cautiously assume all Firefox versions since 3. Here's a simple rule-of-thumb for any piece of software that is subject to critical vulnerabilities such as web browsers; email and chat clients, etc.

Make sure that you: - are checking for security updates whether automatically or manually at LEAST once-a-day - are downloading and installing said updates as soon as they become available - discontinue using anything as soon as security updates are no longer issued for it. I'm not sure if automatic updates are the best strategy, but before the browser even opens you should check for updates, and if it finds any security updates, the user should have to click through an insane series of warnings before they can use the old version.

Also, updating should be a one-click affair. You shouldn't have to download a new app and install it which I think is currently necessary on Mac at least. This is going to keep happening, and given tor's usefulness, some of its users will not be very sophisticated, and won't understand the implications of not updating. You've got a duty to protect them. Please help! Forced updates are very, very bad as they can be exploited. Just think somebody breaking into the update mechanism could then attack all users successfully.

One-click is about as bad. Security comes with some effort you need to invest and some level of constant vigilance. Still, many people will still not update unless forced to, even if there are very clear warnings that are hard to overlook.

But forcing upgrades will put everyone at risk and is hence unacceptable. There are people that will be careless under any circumstances and nothing can be done about that, it just has to be accepted that there are people that cannot be kept safe. Forced updates when done properly are very very hard to exploit What i mean is this This is nothing new I think the solution is to simply disable javascript and make a warning dialog popup whenever you try to enable it.

If you are stupid enough to enable javascript even with a big red warning dialog that warns you that you are fucking yourself up then you just deserve it. Also the program should warn the user that a new version is available but without links to automatic download any content. So the user has to go to the official website and download the official release. How many of those who do carefully read-through all the code are expert enough to detect anything rogue in it?

And, finally, how many of those who carefully read through all the code and are expert enough to detect anything rogue in it and are looking for such would ALSO report and publicize it should they find anything suspicious?

I personally would love a hash checker that would check for several hashes. It is much harder to fool several hashes than to only fool one by the length of one hash multiplied by the other s approximately.. Anyway I wish the load would generate the hash and allow you to check the hashes of other programs and check them with those found in whatever source s you wish to point them to.

Who was it that said that difficulty directly reduces security. Yes I would consider running an update button before I would download a new version for a number of reasons.

Its not a case of doing it properly. It wouldnt be the first time, an auto updater updates malware without you knowing. And a company cant assure anyone that this wont happen any time. If they do, they simply lie to your face. Most of the updating process including verifying signatures can be easily automated, for example, using PowerShell, especially since TBB isn't really properly "installed" so much as "unzipped".

This really sounds dumb. First you want to "force" your ineptitude with technology on other users, and then want to blame Tor developers by accusing them of not fulfilling a duty to others.

Man, you just love to play the blame game and evade responsibility for your own actions. These are decisions "you" make. Learn to live within your technical means, and let the rest of us live within ours. You don't need to force people to upgrade, just have something on the homepage that tells them that the version is insecure and they should upgrade to reduce the risk of being exploited.

Apparently javascript exploits have been around before, I didn't know they were possible, if more people knew they were possible and the risks they would upgrade without being forced.

And for goodness sake - disable javascript in noscript by default, and don't leave any sites in the whitelist. This is how I start off, and I then I make decisions on a site per site basis eg. Do I really trust this site?? Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser.

The idea, I think, is that since TOR has javascript enabled by default, you can hide amongst all the other TOR users running their system on default by also keeping your JS enabled.

Basically, you stay anonymous by hiding in a crowd. Keeping JS disabled everywhere makes you part of a smaller crowd of TOR users who have their JS disabled and selectively enabling for some sites and not for others makes your browser settings unique, giving you no crowd to hide in, which is very bad when you are trying to remain anonymous. From an anonymity perspective, it makes sense. But I will agree, that definitely does not make you safer, especially if you are running a Windows OS on a privileged account.

But that can also be avoided by running your OS on a low security setting, especially if that OS is not Windows. JS can deploy self-executing exploits all day long on a linux system running at a low security level and do nothing. It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on. But once as much as can be reasonably expected has been done to warn, then the responsibility rests upon the user who ignores the warning.

If the warning: a is practically impossible to miss, AND, b explicitly the conveys the danger of continuing to use the deprecated TBB,. You are strongly urged to update immediately. So i am running 2. So it took "them" about 4 weeks from the patch Firefox was patched a day earlier to an implemented larger-scale attack. Not too bad for a bureaucracy. But this also clearly says the Tor project is not to blame. Being 4 weeks behind with security patches is unacceptable for something like Tor, and the mozilla folks called the vulnerability "critical".

This vulnerability does not even really qualify as 0-day, even if the mozilla advisory just says "crash, can possibly be exploited". Through TOR. Oath Keepers then notified FBI. I use the Vidalia package form last year with a FF version 10x. Is my setup at risk from this exploit? Your browser is vulnerable to this type of attack and many others indeed, but the attack implemented on Freedom Hosting sites specifically targets v17 of Firefox, thus it's likely that your identity has not been compromised if you've visited any of these sites with v10x.

I've read several different things about the exploit, one mentioned a tracking cookie that could not only reveal your IP but also every other site visited while the cookie is active. So for my question: Does the script just tell the server the site you got it from e.

Tormail and your real IP or does it track all the browsing of the current session? Sorry for the stupid question, but one thing would be interesting for me: I had an older version of TBB installed until friday, but JavaScript was globally disabled.

Can i be affected? I wish Mozilla would take memory safety more seriously. Almost all releases contain: 'Miscellaneous memory safety hazards'.

Critical infrastructure and at least a great deal of the critical data that has been placed onto the Internet should never have been.

Yet another example of what happens when you allow the "Free Market" to dictate; to be the arbiter, etc. I don't hear anything outside of the Tor Browser. What about the pluggable transport version obfsproxy for Tor? I believe that version of firefox is Is this safe, because there hasn't been an update or an announcement for this particular package?

Also, for us non-techs, would we actually know that the browser was affected, if something took place. Any explanation would help. That's because nobody's been updating it. Question: In a German newspaper they say that you tor-developers suggest not to turn off javascript.

The newspaper states that it would be more suspicous then protecting. What can you say about javascript. I disabled it for all sites because of possible attacks like this. The Tor Bundle ships with Firefox as the browser, and includes the NoScript extension to Firefox that blocks scripting if the site is not in a user-maintained whitelist. The problem is that disabling JavaScript by default breaks browsing for people who want to access sites that require JavaScript to work correctly.

Most Tor users are simply concerned with anonymity, which means not having their actual IP address available to the site they are viewing. When you go through Tor, the origin address the other side sees is your Tor exit node, not your real IP.

The Tor Project chose to enable JavaScript globally to avoid problems for the majority of users who don't care if it's enabled. I don't know of any way to get a real underlying IP address of a computer with just JavaScript. If you run the Tor bundle, click Addons. In the Addons window, select NoScipt, and click the Options button. Uncheck the "Scripts allowed globally" box.

JavaScript will now be off by default. NoScript will warn you if it has blocked JavaScript execution when you visit a site. If you trust the site, you can add it to NoScript's whitelist, and JavaScript will be permitted for that site in the future.

Great explanation, but one further note -- you say "if you trust the site", but if the site is giving you content over http, then you really mean "if you trust the site, and also the network connection between you and site".

And whether you're using Tor or no, that decision gets quite complex. Even worse, we've seen evidence lately where state-level adversaries can fabricate https certificates for other sites -- so we need to append "and if you trust the or so certificate authorities to all behave perfectly" to the list of if's.

Rough world out there. That said, raising the bar does help. Unfortunately those who trusted the sites hosted on Freedom Hosting, and added them to a white list, got caught by this exploit. After today, JavaScript must be off in TOR at all times, because new vulnerabilities like this will pop up in the future.

If you want to be private, you have to disable JS, no matter how trusted and secure a site may be. There is no way around it now. FH was a trusted, untraceable onion hidden service.. TOR must ban JS completely starting today. If you use JS you can be caught by such buffer overflow exploits, and your real identity will be revealed. And if you don't care about protecting your identity, why use TOR?

One should consider if banning JS from all browsers is not the right thing to do. If any malicious executable code can be run at will by JS, imagine what this could do in the hands of criminals. It could install a keylogger on your pc with ease and gain access to your bank accounts, or worse. It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it.

That said, while Javascript is indeed a big vector for attacks, don't think you've solved everything by disabling it.

Another enormous vector is svg and pngs -- it is absolute crazy-talk to just blindly accept images from websites and render them. No reasonable person would allow images to load in their browser. The number of recent vulnerabilities in libpng alone should be enough to convince you. That said, I sound like a paranoid maniac in the above paragraph. But hopefully it will make you stop and think. How did we get to this point in browser security, and how do we recover from it?

Write a secure browser from scratch and don't bother cattering to people's retarded demands like being able to run the latest and stupidiest web 4. Problem is, you want a browser that the dumb masses can use in every dumb web site Looks like your problem can't be solved.

Re: How do we recover from it? The best defense is a good offense. It is probably impossible to prevent all hostile surveillance - either by government or the private sector. But, you might consider making it worthless. I don't much about spam. Send me meaningless messages, and I will just ignore and delete them. Suppose you developed an application that waited for your computer to be dormant for a certain period, then composed totally junk email using random words from a dictionary, and sent those messages to random people who use the application by using the application, you would consent to randomly receiving a bunch of junk.

You would clog surveillance servers with nonsense. Develop another application, as above, that doesn't send anything, but simply goes from one "G" rated site to another, again randomly. Again, the surveillance folks would be clogged with junk.

Now, if you want to make things interesting, search "phony research papers" and you find a site at MIT where you can enter your name and it will crank out a phony technical research paper. Total nonsense. Use those for the email messages. Want to make it more interesting, encrypt all the email with PGP. For those - like me - who are truly malicious, generate the phony research paper, then use a word processor to change one of key words in the paper to "uranium deuteride," "virtual cathode oscillator," "high purity fluorine," "10 guage, high purity aluminum tubing, 3 inch ID," etc.

Don't forget to encrypt it! And, don't do this unless you enjoy excitement because you're going to get plenty. So, just to make it "easier" to browse, TBB effectively facilitated this attack by having JS on my default despite cries for it to be disabled?

Tails devs refused point blank to even add a bootcode to start Iceweasel with javascript off! It's not that simple.

Did I not read above that if you had the most recent release of the TBB that you were immune to this attack? What it means is users should always make sure that they are using the latest release. Now this isn't a perfect solution because the government could perform a mitm attack to make users think they had the latest version when they didn't.

However if I'm not mistaken they are working on a better solution. Also- I'm not arguing javascript should be on by default although I think to say it should be off by default overlooks the issue that doing that would decrease the Tor user base which hampers security as well for all users. It might be worth developing a plug-in with a big button that says 'secure mode' and one that says 'risky mode'.

The secure mode would automatically be enabled for. The first thing you see when opening the TBB is an explanation of this 'secure mode' and the 'risky mode'. If you select the risky mode on non-Tor sites you should get a warning "Are you sure? There is a decent chance you will be putting yourself at risk" with continue, cancel options. This way it is a little more difficult to accidentally turn on 'risky mode' and at the same time non-technical users wouldn't find the TBB difficult to use.

The advice given in the final two paragraphs of the above post explicitly and completely contradicts that given in the Tor Project FAQ : all emphasis mine "we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings thus users who disable JavaScript are less anonymous.

I am absolutely appalled that arma not only effectively endorsed, in general , this post that so contradicts the FAQ maintained by her organization but actually went-on, in a subsequent post, to clearly imply endorsement, specifically , of selective enabling of JavaScript while using Tor:. Thats bullshit that if you disable JS you will be less anonymous. Just check EFF site doing browser fingerpainting. You're probably not as safe as you should be. You have roughly none of them with that set-up.

You probably won't have to be worried about this exploit but you understand privoxy can only provide HTTP proxy. There's a reason Tor has dumped it ages ago.

I'd say the question alone suggests that you should not be attempting to use Tor outside of TBB or Tails. Noscript should be enabled by default or javascript should be disabled by default in tor browser bundle. Everybody seems to think this is true but nobody can point to a version of TBB where it's true. I would also say I thought the same thing but I realized something so now I am not so sure that this was true with the TBB, but it was true with Vidalia Bundle which for some insane reason you no longer maintain and i have to add Polio in myself.

I think that is the confusion. The default home page already does detect if you are actually using TOR and if better versions are available. You could at least add a JavaScript add to detect and inform people that it is enabled. It can be easy to forget right after an update yet could cost them dearly. If they prefer it disabled then a simple how to could help yes I know it takes about 2 clicks but many users are tech impaired.

Having NoScript disabled by default does make a certain sense in that is more usable by the tech impaired, yet there is a disconnect here when you consider the current method of PGP checking not that I recall noticing much good instruction on your site to begin with. Sure it is easy enough for the technically inclined like myself, but what is the point of the average user getting into TOR while being so vulnerable to a compromised client?

Not all these people will understand how to know the difference and good luck to the non-English speaking activists trying to figure out how to use PGP. I am working on this myself - mentally at this point. I may slap something good together that will help the less tech adept.

It would be better though more trustworthy if you guys handed this. It would not really be that hard. Another thing you might consider is an installer which ASKS people if they prefer things more secure or more compatible with websites. Depending on the question, pre-configure TBB as they have chosen.

As for "it would not be that hard" for the PGP thing, consider that our current instructions for WIndows users start with "download gnupg. Windows users are screwed at a very deep level.

If you have good answers, the world wants to know them. Waaait a minute. You acknowledge that TBB never shipped with Javascript disabled, but then you say that the old Vidalia bundle did?

The Vidalia bundle never included a browser! And the old Torbutton Firefox extension never shipped with Javascript disabled by default. I think a lot of the confusion stems from people very long ago being confused between Java and Javascript.

Also, very long ago before Torbutton , there were open questions about what privacy-invasive things Javascript could using the legitimate API, I mean do to you. Torbutton addressed many of them. NoScript is is enabled by default in both Tor Browser Bundle as well as Tails but set to allow scripts globally. Even in this configuration, NoScript still provides certain protections, such as blocking cross-site scripting XSS attacks[1].

Obviously, allowing scripts globally cannot provide anywhere near the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript. The primary reason that has been given is usability; the functionality of many-- if not most web sites-- is heavily dependent upon JavaScript, often critically so.

An additional reason that has been given both by Tor as well as Tails officials concerns "fingerprintability". I believe-- but am not certain-- that NoScript would protect against this threat-- even in the default Tails and TBB configuration where scripts are allowed globally. If you're running off Firefox 10 i. Please fix this because people who rely on this to find out if it's current won't know about this vulnerability. And unfortunately, 'check for updates' means 'go ask Firefox if there are updates', which we've disabled in TBB since that's not where your updates come from.

Not sure if I am right about this, but over the past few months, I have been closely watching the following conversations -- all quite public in blog. Maybe there is a need for a public funding campaign, perhaps, to address certain ongoing security issues discussed in that post? Supposedly Tor is looking for a lead software engineer and would like to hire more people. People are asking questions about Tor's past and present funding. People ask questions about Dingledine. I think one way to address this meaningfully is for the Tor project to lean more on crowdfunding mechanisms to and more frequent appeals to the user base through social fora to participate in financing efforts to support and fix Tor.

Or perhaps you did not read the context of my post above, which had nothing to do with whether or not someone is updating something and everything to do with the issues of torbugs of all kinds and the problem of how to fund the fixing of them over time whenever they occur, whatever they are.

Also, I suggest reading this -- just for fun relevant to both java and javascript issues, which I think will be a long running discussion and are in no way settled :. How is Javascript different than Java? What is NoScript? TBB is designed to be standalone and not care what else is on your system. If you mean "I hacked up some Chrome thing and hooked it up to Tor, am I safe?

I have the latest TBB. Any idea what is going on? I have a 2. Or perhaps you don't have a real Tor bundle at all? I am a spaz. Thank you for your prompt reply and kind assistance. There was a message up about server maintenance, but that is gone. Any idea what's going on? I read that the exploit only effected versions 17 and 18 of FF - I am running Is this a browser that would be effected by the exploit?

It seems that the US police state has learned the ip addresses of people all over the world who committed the non-crime of visiting a bunch of websites. From a technical point of view that's a big failure for the Tor project. They are responsible for the browser they bundle, aren't they? Now, what's the legal side of things? The US police state has hacked into computers of people living all over the world. What is the US state planning to do with the information they stole? We do try to keep up with browser updates for TBB, yes.

You'll notice that we put out an update in June, and this was exploited in August. People who updated were fine. As for the legal side of things, I don't think anybody has details on whether it was really the US police state? Not that I'm claiming it wasn't, but it's hard for anybody to proceed without details. Find the version you were using if you can, maybe its still hanging around somewhere - the compressed installer. Find those numbers attached to it and line them up with the content of this blog.

On or around July 30, , while I was at a certain website, my Tor Browser displayed a yellow ribbon just below the menu bar. In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values. The version of the TBB that I was using at the time is the latest version. My OS is Microsoft Windows 8, bit. That message is completely harmless.

Same here. Interested if anyone else saw this or knows what it is about. I got the same message! Why the need to "reset to default values"? What should one do if they cant remember whether or not they used TOR over the last couple of weeks? No there isnt any way. Tor is designed not to keep logs for your own safety. But seriously. If you cant remember whether or not you have used tor in the last week you should see a doctor.

Alzheimer's can be slowed down if it's detected early. That depends. If you are using Windows then Windows uses an NTFS file system. Assuming this is turned on, it will update with the last time you accessed a file. Right click on a file and choose properties. If it is turned off - the date will be the same as the created date.

If it is turned on, it will be the last time you accessed the file. In the case of TBB, the last time you ran it. That can tell you or anyone with access to your computer when it was last ran. This is turned on by default in XP and I cannot remember if this is true of later versions of Windows.

Mine is turned off though and I suggest everyone turn theirs off. It is better that someone getting a hold of your computer does not know when the last time you access files is. But disabling this "feature" also improves Hard Drive performance and longevity since you are cutting out a write operation from every file read operation!

I expect disabling this would also help laptop battery life to some extent. It is a terrible "feature. I will add one more thing. If you use Truecrypt to protect sensitive information and you also utilize keyfiles music files are good but random recorded radio noise is better then this "feature" makes it very, very easy to figure out your keyfiles. Disable it NOW. It's disabled for performance reasons. It may even be disabled on those named OS's with the last service packs, but I am only surmising.

Great Tor I never even thought about jailbait before I found Tor but then I got curious and looked at freedom hosting site and now I go to jail and get ass raped. Thanks for entrapment asshole. Tor promised me hot teenage action and all I got was raided by the feds! Who couldn't be mesmerized by the undeniable lure of tender, smooth, taut, voluptuous youth? It depends on their age you dirty bastard! I have no sympathy for sick fuckers who get ass raped in prison for seeking child porn, not everyone who uses TOR is into this shit.

Have you not noticed that a lot of 13 year old girls look like hot 20 year old sluts? When will the pretending that they are not attractive end? When will it end putting people in prison just for looking at such hotties showing off? Let's get some sanity in this issue! Those are your thoughts in your own head and not what the actual child of 13 is thinking!

Visualization Input File PortEx. Classification TrID EXE Win64 Executable generic 8. EXE Win32 Executable generic 2. Tip: Click an analysed process below to view more details. Contacted Hosts No relevant hosts were contacted.

This program cannot be run in DOS mode. Ansi based on Dropped File torrc-defaults. Ansi based on Dropped File en-US. All Rights Reserved. Copyright c Zope Corporation and Contributors.

Ansi based on Dropped File versions. Do not edit this file. Ansi based on Dropped File extension-overrides. Hashes for packages with weak sigs or no sigs Ansi based on Dropped File versions. If non-zero, try to write to disk less frequently than we would otherwise.

To customize your Ansi based on Dropped File torrc-defaults. Which research divisions are communicating with the company's patent lawyers? A branch of the U. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Tor is not a VPN. Tor is a free browser similar to Chrome or Firefox , but it includes features that encrypt your IP address, making your browsing sessions private. To learn more about VPNs, you can read this article. Tor Browser Assuming we do not run into any major problems, Tor Browser How does the Tor Browser keep my internet activity anonymous?

What is Tor Browser? Who uses the Tor Browser? Is Tor better than a VPN? What's New Tor Browser Bug tor-browser Backport ESR Tor Browser Download. Fast servers and clean downloads. Tested on TechSpot Labs. Here's why you can trust us.

❿     ❿