cross-posted from: https://futurology.today/post/4000823

And by burned, I mean “realize they have been burning for over a year”. I’m referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn’t alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had differs from the outdated version reported in the GitHub thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn’t seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with JavaScript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling JavaScript
  3. keeping software updated

My online habits have been tracked for over a year. Even if DuckDuckGo or Startpage doesn’t fingerprint users, Reddit sure does (to detect ban evasion, etc.), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the GitHub issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn’t maintained enough for those recommendations to make a difference? Sorry for the rant, it’s just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

  • LoudWaterHombre@lemmy.dbzer0.com · 4 months ago (edited)

    I would never install Tor via the flatpak or whatever. Just download from the website, run ./start-tor-whatever.sh and in the browser, check for updates. It’s the official source.

    • nikqwxq550@futurology.today (OP) · 4 months ago

      It sounds like most other users install it that way too. Which surprises me, since I had thought the Linux community had started to move towards Flatpaks. But anybody who searched Flathub for Tor Browser would have seen the flatpak with the Tor Project author listed as verified, and there would be no indication that this was in fact an unstable installation.

  • muhyb@programming.dev · 4 months ago (edited)

    Well, for Tor Browser even AUR isn’t recommended. Just download it from the official website and put it somewhere like ~/.local/opt.

      • muhyb@programming.dev · 4 months ago

        There might not be problems with other packaging but the point here is to not trust anything other than the official sources for maximum privacy I believe.

  • TheChickenOfDoom@lemm.ee · 4 months ago (edited)

    So the notification that is in the browser that directs you to update it wasn’t enough? Because that totally works with the flatpak version of Tor, because all the flatpak version of Tor does is download a copy of the browser to your home directory and run it. There’s a little notification dot on the hamburger menu of Tor that directs you to the About page where you can download and update.

    Because that’s what I’ve been doing.

    • nikqwxq550@futurology.today (OP) · 4 months ago (edited)

      AFAIK the notification was suppressed; see the linked GitHub issue in the post, or this one. I can guarantee the notification wasn’t there on my end, or else I would have noticed it.

  • lemel@lemmy.ml · 4 months ago

    How do you even access Reddit from Tor? I always see the message saying that my attempt was blocked by “Network Security”.

    • nikqwxq550@futurology.today (OP) · 4 months ago

      Switch to the old.reddit.com site (the onion version tends to work more often), and if that doesn’t work, switch Tor circuits (the option is under the Tor Browser menu bar; I have it pinned to the top bar for convenience).

    • marl_karx@lemmygrad.ml · 4 months ago (edited)

      I just use pacman, I mean it has checksum tests after downloading, since you’re only really downloading the launcher.

    • nikqwxq550@futurology.today (OP) · 4 months ago

      This was an official Flatpak from Tor Browser, so there’s no reason why it should be less reliable than the packages from distribution maintainers. Not to mention for atomic distros, flatpaks are the official way to install software.