💾 Archived View for gemini.circumlunar.space › users › laur%C3%AB › browser › tor.gmi captured on 2024-08-18 at 18:12:15. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

TOR Browser

Auto-updating piece of trash. Enforces connections to the TOR network (which can also be done in any other browser), but will not even run if you have TorDNS enabled system-wide ("Failed to bind one of the listener ports"). UPDATE: it was reported to me that this issue can be fixed by changing the default torrc ports away from what TB uses, but I did not confirm this myself. Default addons include NoScript, which is much inferior to uMatrix. Yet, the TOR Project discourages modifying the addon setup, even though the whole basis for this has been refuted by Moonchild. Yes, a properly configured Pale Moon is better against fingerprinting than TB. TOR Browser is still dependent on the evil Mozilla - which means that when a bug like this happens (yes, the one that disabled all addons) TB is also affected, and its security laid bare. Using TOR Browser does allow you to bypass Cloudflare browser checks, but this is likely because they work together to help Cloudflare spy on people wanting to be anonymous, making TOR Browser a honeypot. This is further supported by the fact that the TOR Project deleted a ticket criticizing Cloudflare - but left all other tickets alone, proving it was not because of a "pedophile attack", like they claimed. I see no reason to use this browser, really, when PM can be configured to use TOR all the same, with all the other advantages. TB also includes a few unsolicited connections (aside from the updates) that are hard to disable. UPDATE August 2022: more requests have surfaced, and the securedrop one cannot be disabled according to a contributor.

UPDATE May 2022: it was just reported to me that, even after mitigating the spyware in this browser, it just comes back after an update - so the mitigation has to be repeated. See the danger with indiscriminate (and especially automatic) updating now?

I mean, let's be clear here about what TOR Browser even is. It is just Mozilla Firefox with a few changed settings and TOR enforcement. It is not magic. And it still makes unsolicited requests (which are violating), so it's not a hero. Look at what they say in their design document:

In general, we try to find solutions to privacy issues that will not induce site breakage, though this is not always possible.

Keystroke fingerprinting is the act of measuring key strike time and key flight time. It is seeing increasing use as a biometric.

Design Goal: We intend to rely on the same mechanisms for defeating JavaScript performance fingerprinting: timestamp quantization and jitter.

So instead of just disabling JavaScript by default, they try to submit fake data for every value that could possibly be used to fingerprint you. This is just enumerating badness and inferior to the uMatrix approach of blocking it all by default. It is impossible to have a truly mitigated browser when you allow websites to do whatever they want; but the TOR Browser - hoping to avoid "site breakage" - is trying that, regardless. When it is the bloated sites and the technology they are based on that are the problem.

How likely is it that the TB approach will continue to be fruitful (assuming that it even is now) when Mozilla keeps adding more attack vectors like WebAsm, new JS / CSS functions, etc? TB should probably be based on something lighter, with no JS support at all, maybe a Lynx derivative. But then is TB even needed in that case, instead of just hooking up Lynx to TOR? Maybe it's time to realize that there are fundamental problems with the web that can't be fixed with a bunch of bandages that TB provides.