Was anybody else just burned by the Tor Browser flatpak?
cross-posted from: futurology.today/post/4000823
And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old. To make matters worse, the outdated version of the browser that I had differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.
This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:
- using Tor Browser
- disabling javascript
- keeping software updated
My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.
How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.
Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.
Update: I just noticed that based on this comment, the flatpak was only verified by Tor Project after this particular issue had been fixed. So perhaps I should have waited before installing the flatpak. Sigh...
Older Tor Browsers Breaking, Update Now! | Tor Project
The expiration on March 14 2025 of a root certificate can cause breakages in Tor Browser version 13.0 and below. Users should upgrade immediately.
blog.torproject.org
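The question above ("manually check the About page to make sure the number keeps incrementing?") is the kind of thing a small script can do for you. The following is an added example written for this thread; it is not code from Tor Project, from the flatpak maintainer, or from anyone posting here. It assumes (and labels) two input shapes: the installed copy exposes its version in a small JSON file of the form {"version": "13.0.9"} (Tor Browser ships one as Browser/tbb_version.json; treat the path as an assumption), and the current release is read from a manifest shaped like the downloads.json that torbrowser-launcher fetches from aus1.torproject.org, of which only the top-level "version" key is used. Both inputs are constructed samples so it runs with no network; the point is that a launcher which keeps updating itself while the browser stays frozen shows up immediately as "installed" standing still while "latest" keeps moving.

```python
#!/usr/bin/env python3
"""Offline staleness check for a Tor Browser copy managed by a launcher.

Added example for this thread, not Tor Project's or the flatpak maintainer's
code. Assumptions: the installed version is a JSON blob {"version": "..."}
(Tor Browser's Browser/tbb_version.json has this shape; path assumed), and
the release manifest is shaped like torbrowser-launcher's downloads.json with
a top-level "version" key. Sample inputs below are constructed, not real.
"""
import json
import re

# Constructed sample inputs (not taken from any real machine or server).
SAMPLE_LOCAL = '{"version": "13.0.9"}'
SAMPLE_MANIFEST = '{"version": "14.0.7", "downloads": {}}'

# Tor Browser version strings look like 13.0.9, 14.0, or 14.5a3 (alpha channel).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:a(\d+))?$")


def parse_version(text: str) -> tuple:
    """Convert a Tor Browser version string into a comparable tuple.

    Alphas rank below the final release of the same number: 14.5a3 becomes
    (14, 5, 0, 0, 3) and 14.5 becomes (14, 5, 0, 1, 0), so a stale alpha is
    reported as behind the stable line rather than equal to it.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor Browser version: {text!r}")
    major, minor, patch, alpha = m.groups()
    final = 0 if alpha else 1
    return (int(major), int(minor), int(patch or 0), final, int(alpha or 0))


def read_version(blob: str) -> str:
    """Extract the "version" string from either the local file or the manifest."""
    data = json.loads(blob)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError('JSON has no string "version" field')
    return version


def check(local_blob: str, manifest_blob: str) -> dict:
    """Compare installed vs. published version; stale means a newer release exists.

    A launcher that updates itself but never the browser (the bug in this
    thread) leaves "installed" frozen while "latest" keeps advancing, which is
    exactly the gap this comparison makes visible.
    """
    have = read_version(local_blob)
    want = read_version(manifest_blob)
    return {
        "installed": have,
        "latest": want,
        "stale": parse_version(have) < parse_version(want),
    }


if __name__ == "__main__":
    result = check(SAMPLE_LOCAL, SAMPLE_MANIFEST)
    status = "STALE" if result["stale"] else "current"
    print(f"installed {result['installed']}, latest {result['latest']}: {status}")
```

To use it against a real install, replace the two samples with the contents of the local version file and a freshly downloaded manifest, and run it from cron or a systemd timer so a stale state cannot quietly persist for a year; a stale result is also a useful prompt to move to a build you can verify (signed, reproducible), since a long-frozen version string is itself a fingerprinting signal.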
Ⓜ3️⃣3️⃣ 🌌
in reply to nikqwxq550 • • •
hummingbird
in reply to nikqwxq550 • • •
nikqwxq550
in reply to hummingbird • • •
muhyb
in reply to nikqwxq550 • • •
~/.local/opt.
nikqwxq550
in reply to muhyb • • •
Asparagus0098
in reply to nikqwxq550 • • •
Same thing should work for Mullvad.
nikqwxq550
in reply to Asparagus0098 • • •
Asparagus0098
in reply to nikqwxq550 • • •
--help flag.
muhyb
in reply to nikqwxq550 • • •
Mwa
in reply to muhyb • • •
muhyb
in reply to Mwa • • •
Mwa
in reply to muhyb • • •
muhyb
in reply to Mwa • • •
INSTALLATION | Tor Project | Tor Browser Manual
tb-manual.torproject.org
Mwa
in reply to muhyb • • •
narc0tic_bird
in reply to nikqwxq550 • • •
Vincent
in reply to nikqwxq550 • • •
nikqwxq550
in reply to Vincent • • •
Not possible to upgrade (older) TB using internal updater · Issue #5 · flathub/org.torproject.torbrowser-launcher
GitHub
Vincent
in reply to nikqwxq550 • • •
It was collapsed for me at first, and buried under a lot of other comments, but a workaround is mentioned here. Unfortunately, that didn't seem to work for me, but deleting the Flatpak and deleting all associated data, and then reinstalling it, I think did the trick.
Although it does now show this warning, which doesn't sound great.
Edit: actually, I think that was the reason I concluded the first workaround didn't work, but looking at that URL, this might just have been introduced in Firefox 128, which is newer than what the old version of Tor was based on. So it looks like both worked.
Not possible to upgrade (older) TB using internal updater · Issue #5 · flathub/org.torproject.torbrowser-launcher
GitHub
nikqwxq550
in reply to Vincent • • •
Vincent
in reply to nikqwxq550 • • •
cy_narrator
in reply to nikqwxq550 • • •
The only way of getting Tor Browser is through the Tor Project website
torproject.org/
Don't go download anything from anywhere else, doesn't matter if it's flatpak, snap, deb, whatever
The Tor Project | Privacy & Freedom Online
torproject.org
corsicanguppy
in reply to cy_narrator • • •
The only thing they offer is bare source?
I like that they've just given up on trying to understand things like filesystem layouts and fucking systemd - which is cool - but now they own dependency hell and inconsistent installs in trade.
Nah. I'll get a package where I can confirm the contents, check the sigs, reproduce the build and then deploy it with its dependencies in a reliable, verifiably-consistent process.
rhel.pkgs.org/9/epel-x86_64/to…
Sources, sigs, signed BoM. Wheeee!
HotChickenFeet
in reply to corsicanguppy • • •
nikqwxq550
in reply to cy_narrator • • •
xxx.msi, and Linux does not have a unified installation system across distros)
marl_karx
in reply to cy_narrator • • •
lemel
in reply to nikqwxq550 • • •
nikqwxq550
in reply to lemel • • •
lemel
in reply to nikqwxq550 • • •
nikqwxq550
in reply to lemel • • •
LoudWaterHombre
in reply to nikqwxq550 • • •
nikqwxq550
in reply to LoudWaterHombre • • •
TheChickenOfDoom
in reply to nikqwxq550 • • •
So the notification that is in the browser that directs you to update it wasn't enough? Because that totally works with the flatpak version of Tor, because all the flatpak version of Tor does is download a copy of the browser to your home directory and run it. There's a little notification dot on the hamburger menu of Tor that directs you to the About page where you can download and update.
Because that's what I've been doing.
nikqwxq550
in reply to TheChickenOfDoom • • •
Tor Browser (Flatpak) Auto update doesn't work anymore after i think 13.0 update · Issue #721 · torproject/torbrowser-launcher
GitHub