Discussion:
Tor Browser 14.0.1 (2024-10-29)
(too old to reply)
D
2024-10-30 03:49:17 UTC
Permalink
https://blog.torproject.org/new-release-tor-browser-1401/
New Release: Tor Browser 14.0.1
by morgan | October 29, 2024
Tor Browser 14.0.1 is now available from the Tor Browser download
page https://www.torproject.org/download/
and also from our distribution directory.
https://www.torproject.org/dist/torbrowser/14.0.1/
This version includes important security updates to Firefox.
Known Issues
The tor daemon for aarch64 macOS (M1 and friends) will crash when
visiting some onion-service sites, resulting in an inoperable Tor
Browser (you can restart Tor Browser to work around this for now,
but the particular failing onion-service sites will be inaccessible
until we develop a fix). This issue is being tracked in tor-
browser#43245
Send us your feedback
If you find a bug or have a suggestion for how we could improve
this release, please let us know.
Full changelog
*All Platforms
Updated Tor to 0.4.8.13
Bug tor-browser#43231: Rebase Tor Browser 128-based stable and
alpha onto 128.4.0esr
Bug tor-browser#43240: Backport security fixes from Firefox 132
*Windows + macOS + Linux
Updated Firefox to 128.4.0esr
*Android
Updated GeckoView to 128.4.0esr
*Build System
All Platforms
Bug tor-browser-build#41289: Fix single-browser in relprep.py
Linux
Bug tor-browser-build#41282: Add SSL to our custom Python for
MozBug 1924022
[end quote]
Allan Higdon
2024-10-30 10:02:16 UTC
Permalink
Post by D
https://blog.torproject.org/new-release-tor-browser-1401/
New Release: Tor Browser 14.0.1
by morgan | October 29, 2024
Tor Browser 14.0.1 is now available from the Tor Browser download
page https://www.torproject.org/download/
and also from our distribution directory.
https://www.torproject.org/dist/torbrowser/14.0.1/
This version includes important security updates to Firefox.
Known Issues
The tor daemon for aarch64 macOS (M1 and friends) will crash when
visiting some onion-service sites, resulting in an inoperable Tor
Browser (you can restart Tor Browser to work around this for now,
but the particular failing onion-service sites will be inaccessible
until we develop a fix). This issue is being tracked in tor-
browser#43245
Send us your feedback
If you find a bug or have a suggestion for how we could improve
this release, please let us know.
Full changelog
*All Platforms
Updated Tor to 0.4.8.13
Bug tor-browser#43231: Rebase Tor Browser 128-based stable and
alpha onto 128.4.0esr
Bug tor-browser#43240: Backport security fixes from Firefox 132
*Windows + macOS + Linux
Updated Firefox to 128.4.0esr
*Android
Updated GeckoView to 128.4.0esr
*Build System
All Platforms
Bug tor-browser-build#41289: Fix single-browser in relprep.py
Linux
Bug tor-browser-build#41282: Add SSL to our custom Python for
MozBug 1924022
[end quote]
I now have my Windows 10 Firewall set up to block outbound connections by default.
With every other browser, creating an outbound rule for the executable file is all that is needed.
The rule allows all ports, protocols, and IP addresses.
Apparently, it's not good enough for Tor Browser to connect to its network.
That's way too flaky for me to consider using it.
Lately, I've been trying out Epic Privacy Browser.
If I need a browser with extra privacy features, it looks to be a very good alternative.
https://epicbrowser.com/faq
D
2024-10-30 13:39:41 UTC
Permalink
Post by Allan Higdon
Post by D
https://blog.torproject.org/new-release-tor-browser-1401/
New Release: Tor Browser 14.0.1
by morgan | October 29, 2024
Tor Browser 14.0.1 is now available from the Tor Browser download
page https://www.torproject.org/download/
and also from our distribution directory.
https://www.torproject.org/dist/torbrowser/14.0.1/
This version includes important security updates to Firefox.
snip
Post by Allan Higdon
I now have my Windows 10 Firewall set up to block outbound connections by default.
With every other browser, creating an outbound rule for the executable file is all that is needed.
The rule allows all ports, protocols, and IP addresses.
Apparently, it's not good enough for Tor Browser to connect to its network.
That's way too flaky for me to consider using it.
Lately, I've been trying out Epic Privacy Browser.
If I need a browser with extra privacy features, it looks to be a very good alternative.
https://epicbrowser.com/faq
it's strongly recommended to test your browser against the "mainstream":

(using Tor Browser 14.0.1)
https://duckduckgo.com/?q=browser+fingerprint+test
Post by Allan Higdon
...
https://coveryourtracks.eff.org/
Test your browser to see how well you are protected from tracking and
TEST YOUR BROWSER
https://coveryourtracks.eff.org/kcarter?aat=1
Test with a real tracking company ?
Our tests indicate that you have strong protection against Web tracking.
...
How does tracking technology follow your trail around the web, even if
you've taken protective measures? Cover Your Tracks shows you how trackers
see your browser. It provides you with an overview of your browser's most
unique and identifying characteristics.
Only anonymous data will be collected through this site.
LEARN MORE ABOUT FINGERPRINTING
https://coveryourtracks.eff.org/learn
...
(cf. any browser using Omnimix' built-in Tor)
Post by Allan Higdon
Our tests indicate that you have strong protection against Web tracking.
...
(cf. any browser not using Tor)
Post by Allan Higdon
Our tests indicate that you are not protected against tracking on the Web.
[end quote]

(using Tor Browser 14.0.1)
https://check.torproject.org/
Post by Allan Higdon
Congratulations. This browser is configured to use Tor.
Your IP address appears to be: ###.###.###.###
...
(cf. any browser using Omnimix' built-in Tor)
Post by Allan Higdon
Congratulations. This browser is configured to use Tor.
Your IP address appears to be: ###.###.###.###
However, it does not appear to be Tor Browser.
Click here to go to the download page
https://www.torproject.org/download/
...
(cf. any browser not using Tor)
Post by Allan Higdon
Sorry. You are not using Tor.
Your IP address appears to be: ###.###.###.###
[end quote]

Tor Browser 13.5.9 (2024-10-28; legacy update for win7/8):
https://blog.torproject.org/new-release-tor-browser-1359/

Tor Browser 14.0.1 (2024-10-29):
https://blog.torproject.org/new-release-tor-browser-1401/

OmniMix 2.7.3 (2024-05-12):
https://danner-net.de/om.htm
VanguardLH
2024-10-30 14:16:38 UTC
Permalink
Post by Allan Higdon
I now have my Windows 10 Firewall set up to block outbound connections
by default. With every other browser, creating an outbound rule for
the executable file is all that is needed. The rule allows all ports,
protocols, and IP addresses.
Why is an outbound rule needed since the purpose of a web browser is to
make connections to other hosts, including out on the Internet?

Even the stateful firewall in your router (whether separate or built
into a modem) will block unsolicited inbound connections, but allow
those you initiated via outbound connections, unless you define port
forwarding rules to punch holes through the firewall for unsolicited
connections from the outside to your intranet host (e.g., you run a VNC
server, or a web server, both hopefully inside a DMZ).
Post by Allan Higdon
Apparently, it's not good enough for Tor
Browser to connect to its network. That's way too flaky for me to
consider using it. Lately, I've been trying out Epic Privacy Browser.
The whole point of the Tor browser is to connect to the Onion network to
hide you, just like other web clients. Or, did you you mean the Tor web
browser would not connect to the Tor/Onion network with JUST an outbound
rule in the firewall on its executable (). You don't specify just what
"not good enough" means. That's like telling a car shop that your car
is broken, but not stating anything further. Was there an error
message? Once connected to the Tor network (you did get there, right?),
just what happens when you attempt to visit a web site?

Tor is a variant of Firefox. Firefox has an HTTPS-Only setting which
means it will connect only to https:// web sites. I think if you to
reach an http:// web site that Firefox will intercede with a prompt.
I'm not sure since I trialed HTTPS-only mode for a very short time (like
a couple days) to find out I had too many bookmarks to HTTP sites that
did not attempt to redirect the HTTP connection at the server to an
HTTPS web doc.

Lots of help at torproject.org. For example, it mentions manual
configuration is needed if you use a proxy. Most anti-virus software
operates a transparent proxy on your host through which web traffic
passes.

https://tb-manual.torproject.org/running-tor-browser/

That's as much guessing I'm going to spend on some "not good enough"
problem unless you return to elucidate. I don't use the Tor browser,
and I doubt this newsgroup is where to get in-depth community help on
it. If you want to actually investigate the cause of "not good enough",
perhaps the Tor forums could help you.

https://forum.torproject.org/
Post by Allan Higdon
If I need a browser with extra privacy features, it looks to be a very good alternative.
https://epicbrowser.com/faq
I prefer a locked down Firefox with the uBlock Origin (uBO) extension
which is a far better ad/content blocker than the one built into Epic,
especially with the expert mode in uBO. Epic is always in private
browsing mode. Well, configure Firefox to do the same:
about:preferences#privacy -> History, Always use private browsing mode.
Chrome and Edge-C also have the option: add the -incognito switch to the
command line to load the web browser (I don't know if there is a config
setting for "always incognito" within Chrome since I don't use it). For
Edge-C, use the inprivate command line switch.

Does Epic support DNS over HTTPS (DoH)? Firefox does. However, if a
web client doesn't support DoH, you can configure the OS to use DoH.
Since Epic and Tor run on many OSes, but you didn't mention which one(s)
you use, I won't bother giving instructions other than for Windows 10:

https://winaero.com/how-to-enable-dns-over-https-in-windows-10/

I found that once I eliminated CoPilot from Windows 10 that DoH in
Edge-C became disabled, so I'll have to look into the above article on
how to get my Win10 to use DoH.

Does Epic let you disable pre-fetching (pre-loading web docs references
by hyperlinks in the web doc you are loading)?

https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#disable-prefetching

uBO makes it easy to disable pre-fetching using a setting in the
extension (which merely changes network.dns.disablePrefetch in
about:config).

Does Epic let you disable hyperlink auditing (the site can tell on which
hyperlink you clicked in their web doc rendered in your local web
client). The above article also mentions hyperlink auditing.

Does Epic let you uncloak canonical names. The following article says
the uBO option is only available for Firefox.

https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#uncloak-canonical-names
which also refers to:
https://www.theregister.com/2021/02/24/dns_cname_tracking/

Epic's encrypted proxy which connects the web client to Epic's servers,
if enabled, is not private, by design. It can leak data. Well, it used
to. I have not kept up on Epic's proxy. Users that perform leak tests
have been disappointed with Epic's proxy. Tor exit nodes and VPN exit
nodes have been mapped. So have Epic's. The exit nodes can be
blacklisted. Just because you use Tor, a VPN, Epic's proxy, or other
public proxy doesn't mean you'll successfully circumvent geofencing.
The site may use the blacklist to reject your connection from those exit
nodes. You want to stay hidden. The site demands otherwise. Epic used
to use spotflux for a proxy service. I think now they're using Yahoo,
and why Yahoo is whitelisted in their built-in adblocker. Remember that
any entry node to Tor, a VPN, or any proxy can log your visit. The
privacy is not within those networks, but [hopefully] outside their exit
node (and hopefully they don't simply bypass their network for IPv6
traffic since some only support IPv4 traffic).

Epic is not open source. Firefox is. Epic claims they will release
code for auditing, but divert by claiming they are open source in so
much as they are a fork of the open-sourced Chromium project; however,
they aren't just a simple fork of Chromium, so there is changed or
additional code they implemented into Epic. Their proprietary code is
not open source, just the Chromium code used as a basis for their fork.
See:

https://web.archive.org/web/20210707192921/https://www.epicbrowser.com/FAQ.html

The same is true for Chrome. It is based on open-sourced Chromium, but
Google's additions are proprietary, too. For Firefox, and for HTML5
Encrypted Media Extensions (EME) which uses a proprietary DRM module
from Adobe Systems, EME is implemented in an open-source wrapper. Else,
as far as I know and have read, Firefox is wholly free open source
software (FOSS).

Because Epic is a Chromium-based web browser, and because Google directs
the Chromium project, remember that changes Google makes to Chrome are
also reflected in all Chromium forks, like Epic. For example, Google
mandated deprecation and eventual removal of support for Manifest v2 by
supplanting it with Manifest v3. MV3 cripples all ad/content blockers.
uBO came out with a Lite version for use with Chromium web browsers
(https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh).
LOTS of features in regular uBO disappeared in uBlock Lite, because of
Google foisting MV3 using unfounded and disproven claims. Blocklists
had to be severely truncated due to MV3's much smaller table size, so
there is less filtering available with MV3 of unwanted/untoward web
content. While Firefox claims they will support both MV2 and MV3
extensions, so uBO still works in Firefox, I suspect eventually Mozilla
will drop MV2 support to go the way of Google. All Chromium variants
already have, including Epic.

https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-and-its-changes-for-ad-blocking-are-coming-real-soon/

One of the effects of MV3 is Google, even in its variants, can override
any ad/content blocking by extensions. That includes overrides on block
Google sites, like their analytics service that web sites use to gain
telemetry and logistics on how their web sites are used by visitors, or
Google's tag services to assist with web site management, both of which
are used to track their visitors. And there is the Google Ads service.
With MV3, extensions can be overriden: their blocks can be unblocked.

Does Epic let you pick search engines other than Yahoo and their own?
Epic says:

As we've said many times it is impossible for us legally or ethically
to work with a company that makes privacy claims which are dubious
which it refuses to explain -- so we can't work with duckduckgo. Both
Yahoo and DuckDuckGo are powered by Bing results so they have the
exact same search results. We hope to migrate to Yahoo's transparent
private search engine soon which is actually is trustworthy.
(https://forum.epicbrowser.com/viewtopic.php?id=58957)

However, the thread notes a trick to add URLs to other search engines.
You'll have to test to see if it works. I don't use Epic.
Allan Higdon
2024-10-31 10:11:15 UTC
Permalink
I now have my Windows 10 Firewall set up to block outbound connection=
s
by default. With every other browser, creating an outbound rule for
the executable file is all that is needed. The rule allows all ports,=
protocols, and IP addresses.
Why is an outbound rule needed since the purpose of a web browser is t=
o
make connections to other hosts, including out on the Internet?
Even the stateful firewall in your router (whether separate or built
into a modem) will block unsolicited inbound connections, but allow
those you initiated via outbound connections, unless you define port
forwarding rules to punch holes through the firewall for unsolicited
connections from the outside to your intranet host (e.g., you run a VN=
C
server, or a web server, both hopefully inside a DMZ).
Apparently, it's not good enough for Tor
Browser to connect to its network. That's way too flaky for me to
consider using it. Lately, I've been trying out Epic Privacy Browser.=
The whole point of the Tor browser is to connect to the Onion network =
to
hide you, just like other web clients. Or, did you you mean the Tor w=
eb
browser would not connect to the Tor/Onion network with JUST an outbou=
nd
rule in the firewall on its executable (). You don't specify just wha=
t
"not good enough" means. That's like telling a car shop that your car=
is broken, but not stating anything further. Was there an error
message? Once connected to the Tor network (you did get there, right?=
),
just what happens when you attempt to visit a web site?
Tor is a variant of Firefox. Firefox has an HTTPS-Only setting which
means it will connect only to https:// web sites. I think if you to
reach an http:// web site that Firefox will intercede with a prompt.
I'm not sure since I trialed HTTPS-only mode for a very short time (li=
ke
a couple days) to find out I had too many bookmarks to HTTP sites that=
did not attempt to redirect the HTTP connection at the server to an
HTTPS web doc.
Lots of help at torproject.org. For example, it mentions manual
configuration is needed if you use a proxy. Most anti-virus software
operates a transparent proxy on your host through which web traffic
passes.
https://tb-manual.torproject.org/running-tor-browser/
That's as much guessing I'm going to spend on some "not good enough"
problem unless you return to elucidate. I don't use the Tor browser,
and I doubt this newsgroup is where to get in-depth community help on
it. If you want to actually investigate the cause of "not good enough=
",
perhaps the Tor forums could help you.
https://forum.torproject.org/
If I need a browser with extra privacy features, it looks to be a ver=
y
good alternative.
https://epicbrowser.com/faq
I prefer a locked down Firefox with the uBlock Origin (uBO) extension
which is a far better ad/content blocker than the one built into Epic,=
especially with the expert mode in uBO. Epic is always in private
about:preferences#privacy -> History, Always use private browsing mode=
.
Chrome and Edge-C also have the option: add the -incognito switch to t=
he
command line to load the web browser (I don't know if there is a confi=
g
setting for "always incognito" within Chrome since I don't use it). F=
or
Edge-C, use the inprivate command line switch.
Does Epic support DNS over HTTPS (DoH)? Firefox does. However, if a
web client doesn't support DoH, you can configure the OS to use DoH.
Since Epic and Tor run on many OSes, but you didn't mention which one(=
s)
you use, I won't bother giving instructions other than for Windows 10:=
https://winaero.com/how-to-enable-dns-over-https-in-windows-10/
I found that once I eliminated CoPilot from Windows 10 that DoH in
Edge-C became disabled, so I'll have to look into the above article on=
how to get my Win10 to use DoH.
Does Epic let you disable pre-fetching (pre-loading web docs reference=
s
by hyperlinks in the web doc you are loading)?
https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#disable-pre=
fetching
uBO makes it easy to disable pre-fetching using a setting in the
extension (which merely changes network.dns.disablePrefetch in
about:config).
Does Epic let you disable hyperlink auditing (the site can tell on whi=
ch
hyperlink you clicked in their web doc rendered in your local web
client). The above article also mentions hyperlink auditing.
Does Epic let you uncloak canonical names. The following article says=
the uBO option is only available for Firefox.
https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#uncloak-can=
onical-names
https://www.theregister.com/2021/02/24/dns_cname_tracking/
Epic's encrypted proxy which connects the web client to Epic's servers=
,
if enabled, is not private, by design. It can leak data. Well, it us=
ed
to. I have not kept up on Epic's proxy. Users that perform leak test=
s
have been disappointed with Epic's proxy. Tor exit nodes and VPN exit=
nodes have been mapped. So have Epic's. The exit nodes can be
blacklisted. Just because you use Tor, a VPN, Epic's proxy, or other
public proxy doesn't mean you'll successfully circumvent geofencing.
The site may use the blacklist to reject your connection from those ex=
it
nodes. You want to stay hidden. The site demands otherwise. Epic us=
ed
to use spotflux for a proxy service. I think now they're using Yahoo,=
and why Yahoo is whitelisted in their built-in adblocker. Remember th=
at
any entry node to Tor, a VPN, or any proxy can log your visit. The
privacy is not within those networks, but [hopefully] outside their ex=
it
node (and hopefully they don't simply bypass their network for IPv6
traffic since some only support IPv4 traffic).
Epic is not open source. Firefox is. Epic claims they will release
code for auditing, but divert by claiming they are open source in so
much as they are a fork of the open-sourced Chromium project; however,=
they aren't just a simple fork of Chromium, so there is changed or
additional code they implemented into Epic. Their proprietary code is=
not open source, just the Chromium code used as a basis for their fork=
.
https://web.archive.org/web/20210707192921/https://www.epicbrowser.com=
/FAQ.html
The same is true for Chrome. It is based on open-sourced Chromium, bu=
t
Google's additions are proprietary, too. For Firefox, and for HTML5
Encrypted Media Extensions (EME) which uses a proprietary DRM module
from Adobe Systems, EME is implemented in an open-source wrapper. Els=
e,
as far as I know and have read, Firefox is wholly free open source
software (FOSS).
Because Epic is a Chromium-based web browser, and because Google direc=
ts
the Chromium project, remember that changes Google makes to Chrome are=
also reflected in all Chromium forks, like Epic. For example, Google
mandated deprecation and eventual removal of support for Manifest v2 b=
y
supplanting it with Manifest v3. MV3 cripples all ad/content blockers=
.
uBO came out with a Lite version for use with Chromium web browsers
(https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahej=
lhfcafbddmgiahcphecmpfh).
LOTS of features in regular uBO disappeared in uBlock Lite, because of=
Google foisting MV3 using unfounded and disproven claims. Blocklists
had to be severely truncated due to MV3's much smaller table size, so
there is less filtering available with MV3 of unwanted/untoward web
content. While Firefox claims they will support both MV2 and MV3
extensions, so uBO still works in Firefox, I suspect eventually Mozill=
a
will drop MV2 support to go the way of Google. All Chromium variants
already have, including Epic.
https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-and-its-ch=
anges-for-ad-blocking-are-coming-real-soon/
One of the effects of MV3 is Google, even in its variants, can overrid=
e
any ad/content blocking by extensions. That includes overrides on blo=
ck
Google sites, like their analytics service that web sites use to gain
telemetry and logistics on how their web sites are used by visitors, o=
r
Google's tag services to assist with web site management, both of whic=
h
are used to track their visitors. And there is the Google Ads service=
.
With MV3, extensions can be overriden: their blocks can be unblocked.
Does Epic let you pick search engines other than Yahoo and their own?
As we've said many times it is impossible for us legally or ethicall=
y
to work with a company that makes privacy claims which are dubious
which it refuses to explain -- so we can't work with duckduckgo. Bo=
th
Yahoo and DuckDuckGo are powered by Bing results so they have the
exact same search results. We hope to migrate to Yahoo's transparen=
t
private search engine soon which is actually is trustworthy.
(https://forum.epicbrowser.com/viewtopic.php?id=3D58957)
However, the thread notes a trick to add URLs to other search engines.=
You'll have to test to see if it works. I don't use Epic.
Since I have the Windows 10 firewall to block all outbound connections t=
hat do not match a rule, I created an outbound rule for Tor Browser.
The rule allows any port, protocol, and IP address for that file (firefo=
x.exe).
After choosing Direct Connect, I never even saw a progress indicator for=
connecting to the Tor network.
I had to allow all outbound connections for the firewall (default settin=
g) so that Tor Browser could connect.
That's what I meant by not good enough.
I would rather use a browser that needs the same firewall rule as all my=
other programs, and nothing more, for it to work.

Epic does support DNS over HTTPS (DoH). My setting is to connect with Cl=
oudflare (1.1.1.1).

The UI for the Epic AdBlocker is the same as uBlock Origin, so Epic does=
disable pre-fetching and hyperlink auditing.
I did change the default filter lists to the ones below for the Tracking=
Protection to be strong on https://coveryourtracks.eff.org/

AdGuard Cookie Notices
AdGuard Tracking Protection
EasyList
EasyPrivacy
Fanboy's Annoyance List
Online Malicious URL Blocklist
uBlock filters =E2=80=93 Ads

I was satisfied with the results on https://browserleaks.com/ for Epic.
The main reason I'm using an encrypted proxy/VPN is to continue download=
ing the Kaspersky Virus Removal Tool, which can no longer be downloaded =
in the US.
Epic allows me to do that.
It's also the best Chromium browser I've seen for Fingerprinting protect=
ion.

The forum post you provided, https://forum.epicbrowser.com/viewtopic.php=
?id=3D58957 does work for adding other search engines.
Thanks for including it.
VanguardLH
2024-10-31 12:02:51 UTC
Permalink
Allan Higdon <***@vivaldi.net> wrote:
^^^^^^^^^^^--- You are the domain registrant of
vivaldi.net to have permission to
use that domain?
Post by Allan Higdon
Since I have the Windows 10 firewall to block all outbound connections
that do not match a rule, I created an outbound rule for Tor Browser.
Ah, so that's what you are doing. You said you created outbound rules,
but not that you reversed the behavior of the Windows firewall to
default to block all outbound instead of allowing.

I remember looking at a Windows firewall control utility that monitored
the Event Viewer logs to note when a program wanted an outbound connect.
Like 3rd-party firewalls, when it saw such an event, it would prompt the
user asking for permission. However, for it to work, there was some
change, maybe a registry setting (all policies are registry entries),
that reversed the Windows firewall from allow-all (unless rule blocked)
to block-all (unless rule allowed). Apparently nowadays you can use the
policy editor (not available in Home editions of Windows) to edit or
create a GPO (Group Policy Object) under Computer -> Poliies -> Windows
Settings -> Windows Firewall with Advanced security. Another method is
shown at:



There are some scriptlets to do the same. However, if you are under a
Windows account with admin permissions to make the changes, any malware
running under the same account can make the same changes. In fact,
malware can also delete rules in Windows Firewall. When you find rules
added by an application, usually its installer, that is because it ran
with admin privileges, like under the Installer account.

One is Binsoft's Windows Firewall Control (https://www.binisoft.org/wfc)
although, I think, it was a different one I used back then. It got
acquired by MalwareBytes, same maker of MalwareBytes Anti-Malware (MBAM)
which I used for a while. Don't use either, anymore. There is almost
do documentation on this one. I don't see mention of how to reverse the
behavior of the Windows Firewall, so maybe its installer does that.
Then you have to hope, without the information, that its uninstaller
reverses behavior again to return the Windows Firewall back to its
normal behavior.

Without something like Binisoft's WFC, and by reversing Windows Firewall
to block-all on outbound connections unless there is a rule to allow,
you won't know why a web-centric app or program (which you may not know
want a web connect) no longer function. For example, any program that
has an update function will fail, because obviously its outbound
connection to an update server gets blocked. If you know what event ID
to look for in the event viewer for failed network connects, you could
see the failure, but most users don't know which event ID to look for
nor how to interpret the error.

The authors of these Windows Firewall enhancing programs created them to
allow continuing using the Windows Firewall which operates at ring 0
(kernel mode) of the Windows kernel instead of 3rd-party firewalls that
operate at ring 3 (user mode). Most malware cannot operate at ring 0.
However, as noted at the Binisoft site:

Windows Firewall is incompatible with software proxies, web filtering
modules, NDIS drivers and any other security software that may
redirect the traffic from Windows Firewall to their own filtering
module.

Those filtering modules would have to operate at ring 0 which is also
where drivers operate, and which is why a long-time recommended for
security has been to login under a non-admin Windows account as your
normal account, not under Administrator (which should never be used
except in an emergency, like when account profiles get corrupted) or
another admin-level Windows account. You need admin permissions to
install drivers.

The problem with just configuring the Windows Firewall to block-all by
default on outbound connect requests is that you won't know when a
process will fail such a request hence the purpose of the ancilliary
Windows Firewall tool to give you that prompt. The Tor browser is
failing to gain outbound connects. Have you look in event viewer to
check the error? Sorry, I'd have to research again to remember what are
the event IDs (a status code) for failed connects due to Windows
Firewall behavior. Or, you could use something like Binisoft's WFC that
will monitor the event logs to let you know what all is trying to make
outbound connects.

I don't use the Tor web browser which is a variant of Firefox. I do
know that Firefox has many background connections, plus more if you
allow a home or tab page showing recently visited web sites, because
Firefox, and other web browser with a similar feature, connect to those
sites before you choose to visit there.

How to stop Firefox from making automatic connections
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

I would expect the Tor Project to kill all those auto-background
connections by Firefox, but I don't know for sure since I don't use Tor.
The problem with the Tor Browser not connecting to an Onion entry node
host when there exists a lone rule on just the firefox.exe executable
file in the Windows Firewall (that is configured to block-all unless a
rule applies) might be something to ask in the Tor forums at:

https://forum.torproject.org/

Also, with the Windows Firewall configured back to its default of
allow-all on outbound connections, you could use SysInternals' TCPview,
or similar network monitors, to see where where the Tor Browser wants to
connect. Maybe, and this is just a guess, there might be something with
the Tor Browser that has to connect to an Onion directory to know where
to find an entry node in your region.
Allan Higdon
2024-10-31 15:39:36 UTC
Permalink
Post by VanguardLH
Post by Allan Higdon
Since I have the Windows 10 firewall to block all outbound connections
that do not match a rule, I created an outbound rule for Tor Browser.
Ah, so that's what you are doing. You said you created outbound rules,
but not that you reversed the behavior of the Windows firewall to
default to block all outbound instead of allowing.
I did find out at
https://superuser.com/questions/1747077/how-to-block-everything-on-windows-10s-firewall-and-slowly-allow-the-things-tha
to disable all enabled outbound rules, except the Core Networking ones.

I also use Firewall App Blocker ( https://www.sordum.org/8125/firewall-app-blocker-fab-v1-9/ )
to make it much easier to add an outbound rule, if that program's WhiteList Mode is enabled.
VanguardLH
2024-11-25 11:53:06 UTC
Permalink
Post by Allan Higdon
Since I have the Windows 10 firewall to block all outbound connections
that do not match a rule, I created an outbound rule for Tor Browser.
Sorry for getting back so late on this topic. I probably didn't revisit
this discussion since you seemed inclined to go with Epic and its VPN
with its limitations (can drop bandwidth to a quarter of non-VPN
connects along with severely increasing latency versus a commercial VPN
that uses diskless RAM-only servers, and only 8 global locations to
choose from) in trying to achieve anononmity or bypass geofencing.

To recap, other web browsers successfully connect out to the Internet
with your firewall configured to block all outbound connects by default
except for the web browsers for which you added exception rules in the
firewall. With this firewall configuration, the Tor Browser doesn't
show any progress trying to connect to an Tor network. I would think
Tor Browser would return an error if it could not connect out to reach
an entry node to whatever Tor node it was configured to find.

Is the system clock and timezone on your computer correct?

In Tor Browser, you click Connect (I see mention only of a Connect
button, not something called Direct Connect), but you see absolutely no
status showing an attempt to connect to Tor. That you see no status or
progress seems suspect. It should show it is trying even if the
firewall didn't allow a connection. After clicking Connect, you should
see a page saying "Establishing a Connection" and a Cancel button. If
Tor is blocked, you should see a "Tor Browser could not connect to Tor"
page with a "Try a Bridge" button to use the Connection Assist feature.
Apparently the first time you attempt to connect can take a couple of
minutes to complete. If you're not getting any status at all from the
Tor Browser, seems you have a defective installation ... or, as
mentioned below, you didn't define an outbound exception rule for the
Tor Browser.

https://tb-manual.torproject.org/troubleshooting/

That mentions a Test button. Tried that yet? Alongside the Connect
button is a Configure Connection button. You may have to configure Tor
Browser yourself.

You said your outbound exception rule is on firefox.exe. Does the
Firefox web browser connect out okay with your firewall blocking all
outbound connects with an exception rule for firefox.exe? For the Tor
Browser, the executable file is tor.exe, not firefox.exe. tor.exe
handles the core functions. How are you starting Tor Browser? That
the Tor Browser is a variant of Firefox doesn't mean Tor Browser uses
the same executable filename. From what I've found for Windows, you
start Tor Browser by running:

C:\Users\<user>\AppData\Roaming\tor\tor.exe -f torrc

The "-f torrc" says to read configuration settings from the "torrc" file
located in the Tor installation folder. There is also a -v (verbose)
argument to up the logging level.

https://support.torproject.org/tbb/tbb-21/
https://support.torproject.org/glossary/tor-log/

Without ANY instance of Firefox running (you exit out of all of them,
and check there are no instances of firefox.exe in Task Manager's
Processes tab), and you ONLY load the Tor Browser, do you see tor.exe or
firefox.exe processes in Task Manager?

What is tor.exe?
https://www.file.net/process/tor.exe.html

You already have an outbound exception rule for firefox.exe in the
firewall to let Firefox connect out. Did you add an outbound exception
rule in the firewall for tor.exe?
Allan Higdon
2024-11-25 13:10:52 UTC
Permalink
Post by VanguardLH
Post by Allan Higdon
Since I have the Windows 10 firewall to block all outbound connections
that do not match a rule, I created an outbound rule for Tor Browser.
Sorry for getting back so late on this topic. I probably didn't revisit
this discussion since you seemed inclined to go with Epic and its VPN
with its limitations (can drop bandwidth to a quarter of non-VPN
connects along with severely increasing latency versus a commercial VPN
that uses diskless RAM-only servers, and only 8 global locations to
choose from) in trying to achieve anononmity or bypass geofencing.
To recap, other web browsers successfully connect out to the Internet
with your firewall configured to block all outbound connects by default
except for the web browsers for which you added exception rules in the
firewall. With this firewall configuration, the Tor Browser doesn't
show any progress trying to connect to an Tor network. I would think
Tor Browser would return an error if it could not connect out to reach
an entry node to whatever Tor node it was configured to find.
Is the system clock and timezone on your computer correct?
In Tor Browser, you click Connect (I see mention only of a Connect
button, not something called Direct Connect), but you see absolutely no
status showing an attempt to connect to Tor. That you see no status or
progress seems suspect. It should show it is trying even if the
firewall didn't allow a connection. After clicking Connect, you should
see a page saying "Establishing a Connection" and a Cancel button. If
Tor is blocked, you should see a "Tor Browser could not connect to Tor"
page with a "Try a Bridge" button to use the Connection Assist feature.
Apparently the first time you attempt to connect can take a couple of
minutes to complete. If you're not getting any status at all from the
Tor Browser, seems you have a defective installation ... or, as
mentioned below, you didn't define an outbound exception rule for the
Tor Browser.
https://tb-manual.torproject.org/troubleshooting/
That mentions a Test button. Tried that yet? Alongside the Connect
button is a Configure Connection button. You may have to configure Tor
Browser yourself.
You said your outbound exception rule is on firefox.exe. Does the
Firefox web browser connect out okay with your firewall blocking all
outbound connects with an exception rule for firefox.exe? For the Tor
Browser, the executable file is tor.exe, not firefox.exe. tor.exe
handles the core functions. How are you starting Tor Browser? That
the Tor Browser is a variant of Firefox doesn't mean Tor Browser uses
the same executable filename. From what I've found for Windows, you
C:\Users\<user>\AppData\Roaming\tor\tor.exe -f torrc
The "-f torrc" says to read configuration settings from the "torrc" file
located in the Tor installation folder. There is also a -v (verbose)
argument to up the logging level.
https://support.torproject.org/tbb/tbb-21/
https://support.torproject.org/glossary/tor-log/
Without ANY instance of Firefox running (you exit out of all of them,
and check there are no instances of firefox.exe in Task Manager's
Processes tab), and you ONLY load the Tor Browser, do you see tor.exe or
firefox.exe processes in Task Manager?
What is tor.exe?
https://www.file.net/process/tor.exe.html
You already have an outbound exception rule for firefox.exe in the
firewall to let Firefox connect out. Did you add an outbound exception
rule in the firewall for tor.exe?
I download the latest portable version of Tor Browser at
https://www.torproject.org/dist/torbrowser/14.0.2/tor-browser-windows-x86_64-portable-14.0.2.exe

The Portable Installer creates a shortcut to Tor Browser.
That shortcut's executable file is firefox.exe.
I created outbound rules to allow both firefox.exe and tor.exe.
I did select the "Connect" button, not "Direct Connect", as I posted previously.
The browser did connect to the Tor Network this time.
My problem connecting the first time was because I didn't know to create an outbound rule for tor.exe.

To answer your other question, the Firefox web browser does connect out okay with my firewall blocking all outbound connects with an exception rule for firefox.exe
Allan Higdon
2024-11-25 13:18:41 UTC
Permalink
Post by Allan Higdon
Post by VanguardLH
Post by Allan Higdon
Since I have the Windows 10 firewall to block all outbound connections
that do not match a rule, I created an outbound rule for Tor Browser.
Sorry for getting back so late on this topic. I probably didn't revisit
this discussion since you seemed inclined to go with Epic and its VPN
with its limitations (can drop bandwidth to a quarter of non-VPN
connects along with severely increasing latency versus a commercial VPN
that uses diskless RAM-only servers, and only 8 global locations to
choose from) in trying to achieve anononmity or bypass geofencing.
To recap, other web browsers successfully connect out to the Internet
with your firewall configured to block all outbound connects by default
except for the web browsers for which you added exception rules in the
firewall. With this firewall configuration, the Tor Browser doesn't
show any progress trying to connect to an Tor network. I would think
Tor Browser would return an error if it could not connect out to reach
an entry node to whatever Tor node it was configured to find.
Is the system clock and timezone on your computer correct?
In Tor Browser, you click Connect (I see mention only of a Connect
button, not something called Direct Connect), but you see absolutely no
status showing an attempt to connect to Tor. That you see no status or
progress seems suspect. It should show it is trying even if the
firewall didn't allow a connection. After clicking Connect, you should
see a page saying "Establishing a Connection" and a Cancel button. If
Tor is blocked, you should see a "Tor Browser could not connect to Tor"
page with a "Try a Bridge" button to use the Connection Assist feature.
Apparently the first time you attempt to connect can take a couple of
minutes to complete. If you're not getting any status at all from the
Tor Browser, seems you have a defective installation ... or, as
mentioned below, you didn't define an outbound exception rule for the
Tor Browser.
https://tb-manual.torproject.org/troubleshooting/
That mentions a Test button. Tried that yet? Alongside the Connect
button is a Configure Connection button. You may have to configure Tor
Browser yourself.
You said your outbound exception rule is on firefox.exe. Does the
Firefox web browser connect out okay with your firewall blocking all
outbound connects with an exception rule for firefox.exe? For the Tor
Browser, the executable file is tor.exe, not firefox.exe. tor.exe
handles the core functions. How are you starting Tor Browser? That
the Tor Browser is a variant of Firefox doesn't mean Tor Browser uses
the same executable filename. From what I've found for Windows, you
C:\Users\<user>\AppData\Roaming\tor\tor.exe -f torrc
The "-f torrc" says to read configuration settings from the "torrc" file
located in the Tor installation folder. There is also a -v (verbose)
argument to up the logging level.
https://support.torproject.org/tbb/tbb-21/
https://support.torproject.org/glossary/tor-log/
Without ANY instance of Firefox running (you exit out of all of them,
and check there are no instances of firefox.exe in Task Manager's
Processes tab), and you ONLY load the Tor Browser, do you see tor.exe or
firefox.exe processes in Task Manager?
What is tor.exe?
https://www.file.net/process/tor.exe.html
You already have an outbound exception rule for firefox.exe in the
firewall to let Firefox connect out. Did you add an outbound exception
rule in the firewall for tor.exe?
I download the latest portable version of Tor Browser at
https://www.torproject.org/dist/torbrowser/14.0.2/tor-browser-windows-x86_64-portable-14.0.2.exe
The Portable Installer creates a shortcut to Tor Browser.
That shortcut's executable file is firefox.exe.
I created outbound rules to allow both firefox.exe and tor.exe.
I did select the "Connect" button, not "Direct Connect", as I posted previously.
The browser did connect to the Tor Network this time.
My problem connecting the first time was because I didn't know to create an outbound rule for tor.exe.
To answer your other question, the Firefox web browser does connect out okay with my firewall blocking all outbound connects with an exception rule for firefox.exe
I forgot to mention, as i posted on 10/31 in this same topic,
https://www.novabbs.com/computers/article-flat.php?id=22997&group=alt.comp.freeware#22997
you do need to allow the Core Networking rules also.
VanguardLH
2024-11-26 19:36:48 UTC
Permalink
The Portable Installer creates a shortcut to Tor Browser. That
shortcut's executable file is firefox.exe. I created outbound rules
to allow both firefox.exe and tor.exe. I did select the "Connect"
button, not "Direct Connect", as I posted previously. The browser did
connect to the Tor Network this time. My problem connecting the first
time was because I didn't know to create an outbound rule for
tor.exe.
Strange the shortcut points to firefox.exe instead of tor.exe, but that
must be their custom compile of Firefox, and somehow tor.exe gets called
by their Firefox variant for the core functions in tor.exe. Seems ass
backwards on what to call first, so I can see getting confused on what
file to allow in a firewall rule.

Loading...