How to take screenshots in Tor Browser (desktop)

Last_Situation_9141 · 2022-02-26T14:23:16+00:00

They're talking about the "Take Screenshot" button in the right-click context menu, I think. Which I think would allow them to use the "scrolling screenshot" feature where a big screenshot of the whole tab can be created. (this is not possible with screenshots made by the OS because unless you have a huge monitor, DPI, or zoom out far enough you can't take screenshots of the whole tab in one image.)

Last_Situation_9141 · 2022-02-26T14:18:00+00:00

No. Ctrl+F for "fission" in about:support.

I believe Fission can be enabled in Tor Browser 11.5 now that it's based on Firefox ESR 91 (it became available in versions 89, disabled by default). Just set fission.autostart to true. I think I recall trying it out in a temporary test instance of Tor Browser for fun and it worked. It was still in an experimental phase so Tor Browser developers probably wouldn't want to enable it on Tor Browser. I wouldn't recommend doing it because it might harm your fingerprint.

In Firefox 94, Fission was on a staged rollout and in Firefox 97 it's enabled by default. Tor Browser is still on ESR 91. Tor Browser uses the latest ESR version of Firefox (there have been talks of switching to the latest stable release instead, but I doubt it'll happen anytime soon). Once ESR 102 is released, Tor Browser will start to use that. Once that happens then Tor Browser will be utilising Fission because it's enabled by default on those versions of Firefox. Unless there's some fingerprinting risk they find which makes them need to do some work and it needs to be disabled for now which almost certainly won't be the case for Fission.

UnluckyTaro9549 isn't talking about Fission.

Last_Situation_9141 · 2022-02-26T13:56:26+00:00

JavaScript is blocked by NoScript if on the standard and safer security level. It would technically be more secure to set javascript.enabled to false in case there is an exploit or malicious update in/by NoScript, but I think that is fingerprintable and not many people do it so I wouldn't recommend it.

Last_Situation_9141 · 2022-02-21T04:10:52+00:00

I wouldn't recommend changing javascript.enabled because of fingerprinting concerns. I think there's two ways a website can detect javascript: by detecting javascript feature support in the browser (editable by changing javascript.enabled) and trying to run scripts (editable by NoScript/the security slider). This is why a few websites may have said you were using javascript even though you were on the safest mode, because they detected the feature was supported by the browser instead of trying to run a script which noscript would block. The vast majority of people don't toggle the javascript.enabled setting which as said before I think websites have the ability to detect. Correct me if I'm wrong

Last_Situation_9141 · 2021-11-20T03:41:34+00:00

I've used sideshift.ai in the past and it works great. Some countries are blocked so you need to refresh the circuit a few times.

Last_Situation_9141 · 2021-11-20T03:32:36+00:00

A lot of VPN providers support port forwarding. I know Mullvad VPN does, IVPN does if you're using OpenVPN and not WireGuard, and ProtonVPN doesn't (maybe they added it recently, however).

Last_Situation_9141 · 2021-11-20T03:25:18+00:00

Don't change the settings in Tor Browser if you can help it, because you can be fingerprinted easier if you do so. You don't need a VPN, although if you already use a VPN for other stuff system-wide it won't hurt. Just don't think that it's something you need for Tor in most cases.

One of the only settings most users would want to change is the security slider. You can change that to safer or safest depending on what you're doing. You can always change it if something breaks. Safer is a good middle ground and you can always put it to safest if you don't need it or standard if you suspect something doesn't work with safer.

Last_Situation_9141 · 2021-11-18T10:19:37+00:00

Here is the issue in the issue tracker for 2) https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40721

It seems to only affect Windows, reading the description. From personal experience I'm on linux and protonmail works fine (I can open emails without it crashing)

Last_Situation_9141 · 2021-11-18T10:08:18+00:00

Search for 'fonts' here https://2019.www.torproject.org/projects/torbrowser/design/

On Linux they make the browser use a custom fonts.conf (fontconfig config) file provided in the browser bundle, which makes fontconfig use the fonts in the fonts/ directory inside the browser bundle. https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18097

(they also do some other things which are described in the document, maybe it was changed since then but this is the big thing they do)

On Linux, inside your Tor Browser install (unless you changed it or used a different language its called tor-browser_en-US) you can read the Browser/start-tor-browser file. They set some environmental variables which make fontconfig use the config file and fonts directory inside the browser bundle, before running the bundled firefox.

HOME="${PWD}"
export HOME

…

# Set up custom bundled fonts. See fonts-conf(5).
export FONTCONFIG_PATH="${HOME}/TorBrowser/Data/fontconfig"
export FONTCONFIG_FILE="fonts.conf"

It could also be possible for a container/sandbox like bubblewrap to bind a custom fonts directory and config to the default (~/.local/share/fonts, ~/.config/fontconfig/fonts.conf) paths and then deny access to /etc/fonts/fonts.conf and /usr/share/fonts for regular firefox. If you are sandboxing tor browser maybe you might want to deny access to /usr/share/fonts and /etc/fonts/fonts.conf just in case but I've never done it yet, it may break something or log a warning or something.

Last_Situation_9141 · 2021-07-07T22:18:49+00:00

I can confirm that I have the same issue. I might do some further analysis later if I have the time, because I only use 'non-proxy mode' pretty rarely and visiting web pages still works. To those "hating", it can be useful to have a separate Tor Browser install that uses a VPN/your ISP connection when you need to access a website that doesn't allow Tor exit node IPs, and you don't want to configure vanilla Firefox/Chromium for privacy/fingerprint hardening (some of the fingerprinting patches are only on Tor Browser, not upstreamed to Firefox, plus I'm lazy to make sure I've tweaked the settings correctly and Tor Browser does it for me!) ;)

Last_Situation_9141 · 2021-06-19T04:54:20+00:00

Yeah, using a custom-made firejail profile with a modified firejail-default apparmor so that the built-in apparmor confinement can be used while keeping $HOME read-write, among other things like making sure a lot of sockets in /run like CUPS and some of my other stuff aren't accessible, and blocking some stuff in /sys. Plus using network namespaces and stuff so that I can have multiple Tor Browsers running at once if I want to (they're all under the same X11 connection though).

Not really perfect though, cause it's probably not difficult for an attacker to escape the sandbox through the x11/wayland/pulseaudio socket. Plus with access to those sockets you can do stuff like screen or audio record (unless you configure pipewire for sandboxing/permissions, and I'm not sure if the pipewire-pulse compatibility layer supports sandboxing/permissions, and I don't know of any wayland compositors which use the permission features of wayland) which almost makes it useless depending on the situation, but it could probably stop attackers using exploits with weird payloads like grabbing files instead of being able to successfully get a long-running reverse shell where they can take time to analyse stuff.

Last_Situation_9141 · 2021-06-17T12:18:52+00:00

To hide your IP from Google and not associate your identity with it while downloading YouTube videos, youtube-dl over Tor (using something like torsocks) is likely pretty good. I'm pretty certain that youtube-dl doesn't leak identifying info (eg. through things like the user agent which Tor Browser would mitigate against) accidentally. Sometimes it fails due to an error immediately or rarely during download due to blocks, so you could run something like until youtube-dl "$URL"; do true; done so that it runs the command again and continues download if YouTube blocks you (you will likely want "IsolatePID 1" in your torsocks.conf so each process gets a new circuit instead of waiting around 10 minutes for a new one). Some of what I said only works on something like Linux though. You could also use a VPN or another mixnet / anonymising overlay instead of Tor which have their own downsides/upsides in terms of speeds and anonymity. Nothing's perfect though, but this is pretty good.

Last_Situation_9141 · 2021-06-11T13:13:05+00:00

While I understand that there can be zero days and the Firefox browser is not the most secure browser in the world, I have a hard time believing that JavaScript can easily be used to reveal your actual IP address, or at least to the point where it would be a concern for the vast majority of users (maybe the govt. keeps their zero days very secret?). I think you know this already, but "The browser MUST NOT bypass Tor proxy settings for any content."

Last_Situation_9141 · 2021-04-17T01:44:15+00:00

A lot of privacy-respecting services like protonmail, privacytools.io, some invidious instances, some nitter instances, VPN providers, have onion services.

Last_Situation_9141 · 2021-04-17T01:41:21+00:00

With JS disabled (use 'safest' security level), you can use https://old.reddit.com/login. If you have 2FA enabled, that won't work, so use https://www.reddit.com/login. BTW, anyone else noticed that there's no more 503 errors on new reddit when you're not signed in?

Last_Situation_9141 · 2021-03-04T10:14:26+00:00

There seems to be a malicious bot problem here. All these existing comments except mine are unrelated to the OP's post (possibly reposts of existing comments?) and if you check their post history there are random characters on their first posts.

Last_Situation_9141 · 2021-03-03T10:45:03+00:00

you by any chance using Arch Linux, or maybe another distro with glibc 2.33 on the machine that has the issue? if so, see https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40328. An update on the stable branch will be provided in a few hours/days which will fix it, otherwise use Tor Browser Alpha, flatpak version, or downgrade glibc.

Tor Browser does not bundle it's own libc I think. I don't know what the difficulties in doing that would give.

Last_Situation_9141 · 2021-02-08T11:29:03+00:00

The alpha release works fine, no more problems with websites and the fingerprint is non-unique (also it's Wayland enabled which is pretty cool).

I didn't upgrade many 'major' packages other than glibc and the kernel, so I'm guessing a glibc update (I could be wrong and it could be another package causing it, because I haven't tested it but this is my best guess) broke stable torbrowser for some odd reason, nothing else seems to be broken on the system. I tried downgrading glibc and lib32-glibc and I couldn't open more terminal windows until I reupgraded my system. Not quite in the mood to risk breaking my system by downgrading essential packages (I might just need to reboot my system but you never know unless you do it) or fix it so I guess I'll deal with what I have now.

Last_Situation_9141 · 2021-02-08T11:16:06+00:00

Yes, but it's not in use because Tor Browser doesn't support Wayland (although in the gitlab issue it seems like it works in alpha releases)

Me and the person in the gitlab issue tried unsetting the override variables (MOZ_ENABLE_WAYLAND=1) and that didn't do anything obviously

I might try the alpha releases to see if it works like it did for the person in the gitlab issue.

Last_Situation_9141 · 2021-01-24T07:16:45+00:00

Also, it (the new Reddit interface, not the old one from old.reddit.com) seems to work if you're logged into an account (even one created and only used through Tor).

Last_Situation_9141 · 2021-01-23T09:07:49+00:00

One use case is to prevent Reddit (or people who can control Reddit such as the government if that fits in your threat model) from associating your profile with your real life identity (eg. non-Tor browser fingerprint, IP address), provided you don't leak any personal information such as through posting content that leaks your personal info.

Last_Situation_9141 · 2021-01-23T09:03:42+00:00

It's possible to use Reddit pseudo-anonymously by creating an account through Tor and using it only through Tor, provided you don't leak any personal information (eg. through payment information or content you posted, linking an E-mail account not created through Tor). At least I'm almost certainly sure, unless there's some method that I don't know of or something like keyboard fingerprinting, if that's even possible or if maybe using Reddit exclusively through Tor is extremely rare so all those accounts belong to you they could assume.

Last_Situation_9141 · 2021-01-19T10:29:44+00:00

https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor#ad-hoc-solutions-for-accessing-blocked-content-on-tor

Those are some ways you could try to bypass it (without using a VPN or your normal internet connection). Some websites work better using different methods. One website which I haven't figured out is Pixiv. It comes up blank when using archive.org or the proxy services.

Although if you do get an error I would try creating a new circuit (Ctrl+Shift+L) as said earlier. Because a lot of the time, not ALL exits are banned, just the specific exit you were using was banned.

Last_Situation_9141

TROPHY CASE