New update addresses challenges faced by users in repressive countries
A new release of Tor Browser enables users to circumvent location-specific censorship to connect to the anonymous web browser more easily.
Introduced in version 11.5, Connection Assist automatically applies the bridge configuration deemed to be best for different locations that have blocked the privacy-first browser, including Belarus, China, Russia, and Turkmenistan.
Previously, circumventing censorship of the Tor network required users to dive into network settings and figure out for themselves how to apply a bridge.
Censorship of Tor also is not uniform. While a certain pluggable transport or bridge configuration may work in one country, it won’t necessarily work elsewhere.
“This placed the burden on censored users (who are already under significant pressure) to figure out what option to pick, resulting in a lot of trial, error, and frustration in the process,” a blog post from the Tor Project, released on July 14, explains.
The tool works by “looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent)”.
It manages to do so without needing to connect to the Tor network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org, the blog post explains.
Also included in the latest release is the introduction of HTTPS-Only by default on the desktop version of the browser.
The HTTPS-Everywhere extension, which was previously bundled with Tor Browser, was deprecated this year by the Electronic Frontier Foundation, after the majority of sites globally were deemed to be HTTPS-secure by default.
Tor Browser, which is built on Firefox, has since introduced HTTPS-Only Mode which was released by Mozilla in November 2020.
The blog post reads: “Starting in Tor Browser 11.5, HTTPS-Only Mode is enabled by default for desktop, and HTTPS-Everywhere will no longer be bundled with Tor Browser.
“Why now? Research by Mozilla indicates that the fraction of insecure pages visited by the average users is very low – limiting the disruption caused to the user experience.
“Additionally, this change will help protect our users from SSL stripping attacks by malicious exit relays, and strongly reduces the incentive to spin up exit relays for man-in-the-middle attacks in the first place.”