I did a little research and found out that Tor Browser sometimes phones home to “firefox.settings.services.mozilla.com”. Moreover, I backported the “Icecat” browser patch to fix this, but it didn’t help. The patch fully works on Icecat 91.13.0 and Firefox 91.13.0 ESR, but does not work on Tor Browser 11.5.2, although the code and files are the same. I do not understand what the problem is and why the developers have not yet fixed these connections.
A lot of data. They even take measurements of how many seconds behind/fast your system clock is. Who knows what else they’re taking. You may look in about:config for all prefs with the word “clock”. When the browser has never connected to firefox.settings.services.mozilla.com, there are only 3 prefs. The fourth (with data in seconds) is created after the first remote connection to their service. Sorry, I’ve lost the site URL with the full list.
Ok. A little more research. The patch works fine if you clean the startupCache directory after applying it. Or just delete this directory and create an empty file with the name “startupCache”. Nothing changes in how Tor Browser works.
Developers should definitely implement it.
Would you consider upstreaming it to Mozilla, too?
Also, notice that 102 contains Nimbus for experiments, and we’ll need to audit and remove all its stuff.
If you are managing a fork, you will probably need to do the same.
So should TBB usage be kept to non-important activities until the 102 change and audit has finished? I imagine that would be a few months perhaps? @PieroV
So should TBB usage be kept to non-important activities until the 102 change and audit has finished?
We’ll try to fix this for the next 11.5.x (Moz will not release any more updates for 91.x, but we’re going to cherry-pick CVE fixes at every Firefox release).
Is there any way of voluntarily directing personal donations specifically to the TBB developers? And more importantly, if they had more money would it improve the software or would it ensure sustainability of further future development? Thanks
Is there any way of voluntarily directing personal donations specifically to the TBB developers
Tor Project donations can unfortunately not be directed to a specific cause.
And more importantly, if they had more money would it improve the software or would it ensure sustainability of further future development
With enough money they can of course hire more developers.
And otherwise, ensuring that the Tor Project’s funding is diverse allows it to continue with less disruption if something were to happen to one source. In the past, if the grants/government money stopped being given, the Tor Project would lose nearly 100% of their funding. It’s much better today with only 55% coming from “governmental agencies” in 2019-2020 (2020 Audit, page 16). And only ~43% coming from governments (~38% being the U.S. Gov) in 2020-2021 (2021 Annual report, page 13).
It also allows the Tor Project to use more money on what they want to use it on; grants are generally earmarked for specific things and can therefore only be spent on that. General maintenance and bug-fixing is one thing where donations are important.
It’s one of the top priority issues for Android, at the moment.
Android is a difficult beast to deal with: we are working to update it on 102, which seems to work. But we’d like to solve some problems with our local dev builds, as they make new developments much easier. So stay tuned.
Thank you for thinking of donating, currently any donation to Tor Project would help the TBB team and the whole project. You can pick how you would like to donate and how much on donate.torproject.org.
The TBB team right now has resources from grants and donations like that. We just added 3 new members to the team so we have more capacity now than we had 6 months to 1 year ago. Donations help us not only keep up with the team but possibly consider growing it over time. If you would like to have more information, feel free to reach out at isabela@torproject.org.
v.102 is the latest alpha? Nimbus is a Normandy replacement? Ok.
In your place, I would pay attention to the fact that they removed the possibility of disabling Intersection Observer API. They did it for a reason. It worried me the most.
So would that mean its privacy is still questionable even once 102 is done? The fact alone that it connects to Mozilla servers is worrying enough, would Mozilla get to see which hidden services people are using?
Not the nicest workflow, but in cases of software trying to make network connections through the clearnet, the Tails devs have already done the work of enforcing tor. It’s worth borrowing their configs now and again.
If you don’t want persistent enforcement, simply save your current iptables config, then load the tor-enforcing config, and finally when you’re done using tor simply restore your normal iptables.
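The save / enforce / restore workflow described above, as an added example that is not from the thread or from Tails: it keeps a backup of the live iptables rules, loads a ruleset that only lets the system tor daemon's user leave the host, and restores the backup afterwards. It assumes iptables-save/iptables-restore on Linux and a system-wide tor service running as the user in TOR_USER (Debian's default is debian-tor); a tor bundled inside Tor Browser runs as the desktop user and would be blocked by this policy.

```shell
#!/bin/sh
# Added example (not from the forum thread or Tails). Assumptions: Linux with
# iptables-save/iptables-restore; a system tor daemon running as $TOR_USER.
TOR_USER="${TOR_USER:-debian-tor}"
BACKUP="${BACKUP:-/tmp/iptables.before-tor.rules}"

# Emit an iptables-restore ruleset for the filter table: every outbound packet
# is dropped unless it stays on loopback (Tor Browser -> local SOCKS port),
# belongs to an already established flow, or is sent by the tor user. Anything
# else is logged with its uid so a clearnet leak is visible in the kernel log.
tor_enforcing_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner ${TOR_USER} -j ACCEPT
-A OUTPUT -j LOG --log-prefix "clearnet-leak: " --log-uid
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Snapshot the current rules so the normal config can be put back later.
save_rules() { iptables-save > "$BACKUP"; }

# Replace the filter table with the Tor-only egress policy.
load_tor_rules() { tor_enforcing_rules | iptables-restore; }

# Put the saved rules back and discard the backup.
restore_rules() { iptables-restore < "$BACKUP" && rm -f "$BACKUP"; }

# Run as root: ./tor-egress.sh enforce   (before using tor)
#              ./tor-egress.sh restore   (when done)
case "${1:-}" in
  enforce) save_rules && load_tor_rules ;;
  restore) restore_rules ;;
esac
```

While the policy is loaded, `dmesg | grep clearnet-leak` shows which uid tried to bypass tor.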
Does this issue cause actual problems privacy-wise or is it just about aesthetics?
my understanding is each remote call needs to be addressed on its own merits/threat. Mostly these calls are simply not required in Tor Browser (such as updated password rules, anything on Activity Stream such as pocket news, sponsored + search suggestions, push notification checks, search engines on region change, etc - just examples, IDK if those actually happen), etc. Some stay because they are required for security reasons, and some can even be nixed in favor of just updating it once per release. Anything that reduces outgoing is always welcome, because it removes any possible threat/bug and IDK, saves on the tor network. So if it can go they probably stop it.
Everything Mozilla has added for their remote calls is not really a privacy concern: e.g. suggestions, sponsored, pocket etc are all just regional cohorts stuff, nothing PII and everyone gets the same, or large chunks of people do. Push notifications are E2E and IDs are reset.
Everyone screaming “but wah wah wah sob … unsolicited connections” (not saying anyone here is doing that) needs to calm down and simply investigate exactly why a remote call is made and assess it. 99/100 it’s harmless for Firefox users, and 3/4 times TB doesn’t need or want it and less potential issues are always good (e.g. upcoming weather suggestions: does not make sense for a TB user whose location is obscured). Sometimes ripping it out is easier than diagnosing it. Percentages off the top of my head.