Tor - The Onion Router

• https://blog.torproject.org/new-release-tor-browser-1357/
• https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680

Mozilla Firefox itself and all Mozilla Firefox forks should be updated accordingly once a new build is released.

Hi,

I'm currently struggling to connect to TOR (see my previous posts)

Therefore I'm looking in the documentation and in the support community. (and been already greatly helped trough lemmy :) )

I was considering to use also the official TOR forum

But I'm surprised that for a project that claim to protect users anonymity and freedom of WWW to use a forum that

• request an email address[^one]
• That a moderator [^two] need to approve the account
• that each new post need to be approved !

So I can't use it[^one] , hopefully their is Lemmy :D

[^one]: Do you know a lot of email service that do not require to provide a proof of ID ? (phone number, ISP email etc..) ? So hard to keep anonymous in those conditions..

.

[^two]: Moderation do not exist, it is simply censorship, see the work of Noam Chomsky
"If the freedom of expression is limited to the ideas that we like, it is not freedom of expression."

Hi,

I've just installed tor ( 0.4.5.16 )

When I launch it ( debian fork ) I'm stuck at

Opened Socks listener connection (ready) on 127.0.0.1:9050

I have a strong set of nftables maybe that what block it ?

What should open in order to have tor connect ?

Thanks.

Hi,
in etc/tor/torrc (the tor config file) we can read the following

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *\

I don't understand, is this for the TOR network to query the local daemon ? or is it for LAN node to use the local TOR daemon ?

Thanks

Onion link

Today the Tor Project, a global non-profit developing tools for online privacy and anonymity, and Tails, a portable operating system that uses Tor to protect users from digital surveillance, have joined forces and merged operations. Incorporating Tails into the Tor Project's structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats. In short, coming together will strengthen both organizations' ability to protect people worldwide from surveillance and censorship.

Onion link

This is a minor Desktop-only release containing (primarily) updated strings for users on legacy Windows and macOS.

Onion link

This version includes important security updates to Firefox.

Onion link

This version includes important security updates to Firefox.

It amazes me that onion sites aren't everywhere. They are easy to spin up, you don't have to pay anything and can run it from your own home. No need to purchase a domain, worry about expiration, have an open port. Built-in DoS protection. Anonymity and authentication by default. No need to configure HTTPS. Sure, uptime is on you and there is some latency/bandwidth limits to be considered, but once you are over that, onions are a solution to many problems and the benefits are enormous.

When a website can be accessed via a clearnet and a .onion url, is there a benefit to making use of the .onion url?

Context:

I am considering pointing a ".onion" url to my instance (mander.xyz).

I did some tests with and it seems like mlmym works well with JavaScript disabled. Since JavaScript is often disabled in the tor browser, I could make the .onion url point at that front-end instead.

This would be fun to do, but I wonder if there is a practical benefit to the ".onion" url as opposed to simply accessing the clearnet url via the tor browser.

EDIT: I went ahead and created an onion URL to try out, but I would still like to know if there is an actual advantage to .onion urls:

http://mandermybrewn3sll4kptj2ubeyuiujz6felbaanzj3ympcrlykfs2id.onion/

There is a 2 monero bounty ~$300USD if you can get PoW working for us

https://github.com/haveno-dex/haveno/issues/1122

Reposted from: https://lemmings.world/post/10879238

I am talking about some way to report it (without exposing my identity - using Tor browser) or let it be shutdown.

Related Tor FAQ: https://support.torproject.org/abuse/#abuse_remove-content

Report1: https://report.cybertip.org

Report2: https://www.iwf.org.uk/en/uk-report/

Report3: https://www.inhope.org/EN#hotlineReferral

Here is how to report bad site, in case you find any clearnet traces on the .onion site, incl. email address.

In this particular case, I have been able to spot the ODER/BUY NOW link which lead to a clearnet site. Within a second, it then redirected to a onion site, where I have found an e-mail address. So i had 2 ways to report this (clearnet website and an e-mail).

So run whois lookup (for example at https://who.is/whois/ for mentioned clearnet redirect domain name) and inside the output, discover which nameservers/hosting company it is using. Since it has been using Cloudflare, I have submitted the report form on Cloudflare site. Second thing is that e-mail address the paedopile worm provided on the site. I could visit that email service domain to find abuse contact. I have written steps on how i have discovered the initial link and found the e-mail so they can verify the case.

Do you know other way when you do not find any clearnet traces?

I just got an update from the Guardian project here recently for the Tor Browser version 13.5 on Android. Before, there always used to be a notification in the notification tray that would say the download and upload speed and have a new identity button to switch circuits if one was lagging. But I do not see that anymore. So how do I change circuits now without completely closing the browser and reopening it which would be a total pain in the ass?

Onion link

In that respect, Tor Browser 13.5 feels like a milestone: in addition to the dozens of bug fixes and minor improvements noted in the changelog below, this release features major changes to Android's connection experience in preparation for the future addition of Connection Assist, including full access to Settings before connecting and a new, permanent home for Tor logs.

For desktop, we're continuing our efforts to improve the user experience of Tor Browser's fingerprinting protections. Following the changes we introduced to new window sizes in Tor Browser 13.0 for Desktop, this release features welcome design changes to letterboxing, including new options to remember your last used window size and adjust the alignment of the letterbox in General Settings. Bridge users will also discover a myriad of improvements to bridge settings, including a complete redesign of bridge cards with improved sharing features, and a new section designed to help you find more bridges elsewhere. Lastly, the design of onion site errors has received a visual refresh aimed at making them consistent with the other kinds of Network Errors you can find in Tor Browser.

Onion link

Hi all! A group of researchers from two major U.S. universities is seeking to understand how people act on Darknet forums and markets. We would very much appreciate your responses. Our anonymous survey can be found here: https://blocksurvey.io/darknet-decision-making-survey-Cqozn_nrQbOr65TV2OEK9A?v=o (supports Tor) or here https://neu.co1.qualtrics.com/jfe/form/SV_02IV26Gkdf4IuQm (supports all other browsers). You can also use our Telegram bot (@OnlineMarketSurveyBot). We know your time is valuable, so the survey will only take 2-3 minutes of your time.

Although we will not log your IP address or ask any identifying questions, please do not share any identifying information while filling out our form. Your responses will be analyzed in groups; no individual responses will be used in data analyses.

Please note that this post has been kindly reviewed by the lemmings.world admin.

A huge thanks to the administrators, moderators, and all participants from our research group! #research #darknet #decisionmaking #survey #Markets

I'm looking for search engines for tor, what do you recommend? Besides that, I'm also looking for the link to time to confess, the one I have stopped working, will the website still be active?

Hi,

Since ~two days I noticed drastic slowdown on the TOR network :/

Is this happening for you too ?

Do you know a website (or other) where we can see if the network have a problem ?

BTW, I wanted to post this on their forum but at the end of registration I got:

A moderator must manually approve your new account before you can access this forum. You'll get an email when your account is approved!

Never got the email :/ , for a project that protect user and anonymity I don't see why they use such a huge filter to create account.

https://mastodon.social/@torproject/112394788781178752

Trying to access this https://web.archive.org/web/https://www.dataguidance.com/news/czechia-%C3%BAoo%C3%BA-fines-avast-czk-351m-gdpr-violations got a 403. Never had that before with the WayBackMachine. Then I tried to load it directly and got a "You are blocked!". Does the WBM not really make a full copy ? Not very Tor friendly !!!

TLDR:

If I use SSH as a Tor hidden service and do not share the public hostname of that service, do I need any more hardening?

Full Post:

I am planning to setup a clearnet service on a server where my normal "in bound" management will be over SSH tunneled through Wireguard. I also want "out of bound" management in case the incoming ports I am using get blocked and I cannot access my Wireguard tunnel.

I was thinking that I could have an SSH bastion host as a virtual machine, which will expose SSH as a a hidden service. I would SSH into this VM over Tor and then proxy SSH into the host OS from there. As I would only be using this rarely as a backup connection, I do not care about speed or convenience of connecting to it, only that it is always available and secure. Also, I would treat the public hostname like any other secret, as only I need access to it.

Other than setting up secure configs for SSH and Tor themselves, is it worth doing other hardening like running Wireguard over Tor? I know that extra layers of security can't hurt, but I want this backup connection to be as reliable as possible so I want to avoid unneeded complexity.

Onion link

This is an unscheduled emergency release with important security updates to Firefox for Desktop platforms. Android is unaffected.

I can't figure out which one it is. Does the service actually still get all the ddos flood and just drop them until a request comes in with the correct PoW level, or does the browser/daemon somehow calculate the PoW and only send the request when its reached. I don't see how the second one would work because your browser would not know if the service was under attack. But the first option still requires the service to get the request and then spend a little time dropping it instead of serving it.