this post was submitted on 15 Mar 2025
103 points (95.6% liked)

Linux

51972 readers
902 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
103
Was anybody else just burned by the Tor Browser flatpak? (futurology.today)
submitted 3 days ago* (last edited 3 days ago) by nikqwxq550@futurology.today to c/linux@lemmy.ml
34 comments fedilink hide all child comments
 

cross-posted from: https://futurology.today/post/4000823

And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling javascript
  3. keeping software updated

My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

top 34 comments
sorted by: hot top controversial new old
[–] TheChickenOfDoom@lemm.ee 1 points 2 hours ago* (last edited 2 hours ago)

So the notification that is in the browser that directs you to update it wasn't enough? Because that totally works with the flatpak version of tor, because all the flatpak version of tor does is download a copy of the browser to your home directory and run it. There's a little notification dot on the hamburger menu of tor that directs you to the about page where you can download and update.

Because that's what I've been doing.

[–] loudWaterEnjoyer@lemmy.dbzer0.com 5 points 2 days ago* (last edited 23 hours ago) (1 children)

I would never install Tor via the flatpak or whatever. Just download from the website, run ./start-tor-whatever.sh and in the browser, check for updates. It's the official source.

[–] nikqwxq550@futurology.today 2 points 1 day ago

It sounds like most other users install it that way too. Which surprises me, since I had thought the Linux community had started to move towards Flatpaks. But anybody who searched Flathub for Tor Browser, would have seen the flatpak with the Tor Project author listed as verified, and there would be no indication that this was in fact an unstable installation.

[–] cy_narrator@discuss.tchncs.de 17 points 2 days ago (3 children)

The only way of getting Tor browser is through Tor project website

https://torproject.org/

Dont go download anything from anywhere else, dont matter if its flatpak snap, deb, whatever

[–] corsicanguppy@lemmy.ca 9 points 2 days ago (1 children)

The only thing they offer is bare source?

I like they've just given up on trying to understand things like filesystem layouts and fucking systemd - which is cool - but now they own dependency hell and inconsistent installs in trade.

Nah. I'll get a package where I can confirm the contents, check the sigs, reproduce the build and then deploy it with its dependencies in a reliable, verifiably-consistent process.

https://rhel.pkgs.org/9/epel-x86_64/tor-0.4.8.14-1.el9.x86_64.rpm.html

Sources, sigs, signed BoM. Wheeee!

[–] HotChickenFeet@sopuli.xyz 1 points 2 days ago

I think it has some sort of binary already in the archive. There's a "start-tor-browser.desktop" you just double click to launch the browser.

[–] marl_karx@lemmygrad.ml 2 points 2 days ago* (last edited 2 days ago)

i just use pacman, mean it has checksum tests after downloading since youre only really downloading the launcher

[–] nikqwxq550@futurology.today 2 points 2 days ago

I get what you're saying, but at the same time if every developer released software as pre-compiled binaries on their website, installing stuff on Linux would become such a PITA. (This is different from how Windows works because apps for Windows are distributed using installers like xxx.msi, and Linux does not have a unified installation system across distros)

[–] narc0tic_bird@lemm.ee 21 points 3 days ago

Why don't they bundle the browser itself in the Flatpak and update it via the default Flatpak update mechanism?

[–] muhyb@programming.dev 22 points 3 days ago* (last edited 3 days ago) (2 children)

Well, for Tor Browser even AUR isn't recommended. Just download it from official website and put it under somewhere like ~/.local/opt.

[–] nikqwxq550@futurology.today 4 points 2 days ago (2 children)

This seems like something that Flatpak should be able to handle though. Afaik Mullvad Browser never had this issue. Flatpaks also have numerous advantages, like automatically handling desktop shortcuts.

[–] Asparagus0098@sh.itjust.works 5 points 2 days ago (1 children)

I'd like to add that you can setup desktop shortcuts pretty easily for Mullvad and TOR browser manual installs. For TOR browser simply run this after opening a terminal in the folder it was extracted to:

./start-tor-browser.desktop --register-app

Same thing should work for mullvad.

[–] nikqwxq550@futurology.today 3 points 2 days ago (1 children)

Wow nice. Still not really friendly to beginners, since this is something they would have to dig into documentation to find, but it's good to know

[–] Asparagus0098@sh.itjust.works 2 points 2 days ago

Yeah. I just found out about it by accident when I ran it with the --help flag.

[–] muhyb@programming.dev 1 points 2 days ago

Normally there shouldn't be a problem with packaging but Tor documentation recommends it like that to ensure security and authenticity. Even though it's self-updating, they also recommend to delete and re-install it time to time, instead of just updating.

[–] Mwa@lemm.ee 3 points 2 days ago (1 children)

never knew that

[–] muhyb@programming.dev 5 points 2 days ago (1 children)

There might not be problems with other packaging but the point here is to not trust anything other than the official sources for maximum privacy I believe.

[–] Mwa@lemm.ee 2 points 2 days ago (1 children)

Ohh okay I had to use a mirror to download it if that's fine.

[–] muhyb@programming.dev 1 points 2 days ago (1 children)

Mirrors are fine since the official website is not accessible on every country. They just suggest verifying the file signature.

[–] Mwa@lemm.ee 1 points 2 days ago

Ohhh okay should've done that but prob later

[–] bad_news@lemmy.billiam.net 7 points 2 days ago (1 children)

Tor "installed" via non-flatpak updates via the same manual mechanism, so it's no worse than the non-flatpak. The flatpak is just the installer. Also, the point of tor is not to avoid fingerprinting, it's to blend in. You are no more tracked by Reddit than you would be with up to date tor. A publicly traded company is not going to actively try to exploit your browser with a hack to fingerprint you extra via an exploit. You should never use tor for 1-1 you things comingled with anything you don't want associated with you. That's why there's an easy to use new identity button. Tor is not magic, its on YOU to engage in best practices or not.

[–] nikqwxq550@futurology.today 3 points 2 days ago

the point of tor is not to avoid fingerprinting, it’s to blend in

Fingerprinting and blending in are the same thing. You can't blend in if you have a unique fingerprint. The Tor Project goes to great lengths to mitigate fingerprinting using their custom browser, it's one of their main goals. It's pointless to use Tor with a regular browser that doesn't have those protections, because websites can just identify you by your fingerprint even when you are obfuscating your IP using Tor.

You are no more tracked by Reddit than you would be with up to date tor

Browser version is a major part of your fingerprint. It's in your user agent, but that can be faked so there are additional mechanisms that check what javascript features your browser supports to get a more reliable read of your browser version. Use https://coveryourtracks.eff.org/ to learn more.

And fingerprinting is not a hack or exploit. It's something that websites use for tracking, just like cookies. And I'm almost certain that Reddit fingerprints users to detect ban evasions.

[–] m33@theprancingpony.in 7 points 3 days ago

@nikqwxq550 I was about to advocate for the flatpak packager-maintainer being a random guy volunteering for the job. But no, it's official flathub.org/apps/org.torprojec…

[–] lemel@lemmy.ml 2 points 2 days ago (1 children)

How do you even access Reddit from Tor? I always see the message saying that my attempt was blocked by "Network Security".

[–] nikqwxq550@futurology.today 2 points 2 days ago (1 children)

switch to the old.reddit.com site (onion version tends to work more often), and if that doesn't work, switch Tor circuits (the option is under Tor Browser menu bar, I have it pinned to the top-bar for convenience)

[–] lemel@lemmy.ml 1 points 1 day ago (1 children)

I tried old.reddit.com as well. I think it used to work but it no longer does.

[–] nikqwxq550@futurology.today 1 points 22 hours ago

Lately they've been rate-limiting more heavily but if I wait and refresh enough times, or change circuits enough times, it tends to work

[–] Vincent@feddit.nl 2 points 3 days ago (1 children)

So... How do we do we're running an outdated version, and what is the fix that requires manual intervention?

[–] nikqwxq550@futurology.today 7 points 2 days ago* (last edited 2 days ago) (1 children)

You can check the Tor Project blog to figure out the latest release, and go to your Tor Browser's menu > Help > About Tor Browser to see if it matches. It should be version 14.0.7. If it is not, the fix is detailed in the Github issue I linked in the post

[–] Vincent@feddit.nl 3 points 2 days ago* (last edited 2 days ago) (1 children)

It was collapsed for me at first, and buried under a lot of other comments, but a workaround is mentioned here. Unfortunately, that didn't seem to work for me, but deleting the Flatpak and deleting all associated data, and then reinstalling it, I think did the trick.

Although it does now show this warning, which doesn't sound great.

Edit: actually, I think that was the reason I concluded the first workaround didn't work, but looking at that URL, this might just have been introduced in Firefox 128, which is newer than the old version of Tor was based on. So it looks like both worked.

[–] nikqwxq550@futurology.today 1 points 2 days ago (1 children)

You are right I should have linked directly to the workaround, sorry. Glad you got it sorted out though.

[–] Vincent@feddit.nl 2 points 2 days ago

No worries, thanks again!

[–] hummingbird@lemmy.world -5 points 3 days ago (1 children)

Just don't use flatpaks. Let your distribution handle updates like it is supposed to do.

[–] nikqwxq550@futurology.today 20 points 2 days ago

This was an official Flatpak from Tor Browser, so there's no reason why it should be less reliable than the packages from distribution maintainers. Not to mention for atomic distros, flatpaks are the official way to install software.