[tor-talk] TBB - most secure version?

Andrew Lewman andrew at torproject.org
Wed Aug 31 14:35:47 UTC 2011


On Tuesday, August 30, 2011 15:18:53 Netizio wrote:
> since the stable Tor 0.2.2.32 is available now I tried to find a Tor
> version which suits my beginner's needs the best.

TBB is going to be the easiest.  From a usage perspective, it is download, 
unzip, run.  Tor is not easy from the perspective of trying to understand all 
of the risks, rewards, and challenges with online privacy and anonymity. 

> Am I missing the point? I always believed alphas to be the most advanced
> versions out there, without "guaranteed" safety however. On
> torproject.org I read the usual lines about possible security risks when
> choosing alphas, but I'm pretty sure having read the opposite just
> recently on this list.
> Also, on the download page for the TBB alphas users are strongly advised
> to upgrade to the 6.0 release of Firefox. It is my understanding now
> that torbutton isn't compatible w/ Firefox since the browser's version 4?

Torbutton 1.4.1 is compatible with Firefox 6.0.

> Accordingly, the experimental Tor browser bundles do not contain
> Torbutton anymore. However, they also seem to have included neither
> Polipo nor Privoxy. 

The TBBs contain torbutton embedded in Firefox.  We're finding that allowing 
users to toggle torbutton on and off is fraught with difficulties and data leaks. 
See Mike's post for far more information, 
https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton.  

And correct, they do not contain Privoxy nor Polipo.  Privoxy is a fine 
filtering proxy, however it's slow and doesn't handle HTTP 1.1, and is complex 
to configure for 90% of our users.  When we shipped privoxy, it was a non-
filtering configuration that merely acted as glue between Firefox and Tor.  We 
needed the glue because Firefox through version 4 contained a bug in the SOCKS 
layer.  See this FAQ entry for more information, 
https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#WhydoweneedPolipoorPrivoxywithTorWhichisbetter

> In the past it was the vidalia bundle which I had in
> use that made me believe one of the concurrent proxies to be an essential
> part of Tor's technical architecture. So, in short, I'm pretty much in
> confusion about the correct version of a Tor bundle to pick w/ respect
> to a maximum of security and safety.

The Tor 0.2.2-x branch is now stable.  We believe it is safe to use.  The new 
-alpha branch is very alpha and probably contains all sorts of new risks yet 
to be discovered.  The Tor Browser Bundles with 0.2.2.-stable are being 
updated and released this week. The -rc versions of 0.2.2 were also safe, but 
we wanted to make sure everything worked as planned for as many people as 
possible before declaring them -stable.

-- 
Andrew
pgp 0x74ED336B

