See https://en.wikipedia.org/wiki/Do_not_track_header

If enabled, possibly also send older "X-Do-Not-Track: 1" and "X-Tracking-Choice: do-not-track" draft/variant headers.

Would reduce entropy (i.e. browser would likely be identifiable based on HTTP headers) but would be optional and could be disabled automatically when spoofing user-agent.

Updated 2016-08-18: Progress is being made on a "tabbed browsing" interface, via totally-rewritten version of Onion Browser, based on https://github.com/jcs/endless Leaving this ticket open as a meta-ticket until that gets closer to release (and we get some public commits and some issues specific to the implementation).

I just run build-tor.sh, waiting for 2 minutes, but I get the error"Couldn't connect to host". My network runs well.

Not the same issue as having to relaunch the browser to reconnect after sleep issue.

Basically, I've noticed some links will not trigger when clicked on. Images, links to other sites, etc. for example, on an image board the navigation/pagination may work, but the images themselves don't. Press and holding will sometimes allow copy of link, at which point I can paste into address bar, however some clickable links don't even give that, preventing me from following that navigation entirely.
I'm insure what the problem is, and as yet have not found the connection between working links and non responsive ones.

After killing and reopening Onion Browser, iOS will still sometimes show a screenshot from a previous browsing session in the multitasking switcher.

This means that potentially sensitive information from the browsing session is being saved by the OS after a user could reasonably expect it to have been purged.

I found a StackOverflow answer on how to solve this but I am not an iOS programmer.

I am able to reproduce this consistently on iOS 7.0.6 using the following steps:

1. Launch OnionBrowser, let it connect
2. Browse to a site containing sensitive information
3. Kill the app by double-tapping the home button and swiping up
4. Launch OnionBrowser again
5. Immediately double-tap and switch to a memory intensive app
6. Continue launching memory intensive apps until OnionBrowser is no longer running
7. The multitasking switcher image for OnionBrowser is the sensitive site.

This is especially easy to reproduce on an older device, such as an iPhone 4S running iOS 7, where only a few apps can run simultaneously.

Thank you very much for OnionBrowser, it is a fantastic piece of software for those concerned about anonymity.

Would help alleviate #2 a bit — at the very least allowing user to know that our Tor client has somehow failed, at most providing us some way to maybe re-start Tor.

Would it be possible to have a service where, to watch a video, a request is sent through Tor to a dedicated VPS-video-handler, which would download the video and stream it through Tor back to the OnionBrowser?

The DNS- and/or other leaks would merely point to the VPS. The VPS would not be aware of who's doing the requests, only that a video is requested, and its legal/privacy status would be somewhat similar to a Tor exit-node.

Such a service would of course be expensive, but possibly scalable as a $5/month service or less?

Would this be possible?

if xcode 4.3 on lion is installed, the dependency compiler scripts will fail.
make[1]: /Developer/Platforms/iPhoneSimulator.platform/Developer/usr/bin/gcc: No such file or directory
make[1]: *** [cryptlib.o] Error 1
make: *** [build_crypto] Error 1

When you use the central icon at the bottom and access the about page or the home page before the connection is complete, it seems to stop the connection process, leaving you with no other option than exiting, killing and restarting the app to perform a new connect.
Also, when you do so, the home page reads "Now connected" even if you are not connected at all.

Hey,
Not sure if I am doing something wrong, but I just did a build on my iPhone 4s iOS 6 and I keep crashing when ever I try to load a page.

Happens in the stimulator as well.
Notes:

• no modified files
• tried a fresh re-build from new files
• tried on other mac
• tried without the latest commits

Console output:
Jul 6 13:27:04 Jeramy-Simpsons-iPhone OnionBrowser[5257] : loading https://.onion/ URL, ignoring SSL certificate status (https://3g2upl4pq6kufc4m.onion/lite/)
Jul 6 13:27:04 Jeramy-Simpsons-iPhone OnionBrowser[5257] : [WebViewController] uncaught error: The operation couldn’t be completed. (NSURLErrorDomain error -999.)
Jul 6 13:27:04 Jeramy-Simpsons-iPhone OnionBrowser[5257] : -> NSURLErrorDomain
Jul 6 13:27:04 Jeramy-Simpsons-iPhone OnionBrowser[5257] : [WebViewController] Error: error The operation couldn’t be completed. (NSURLErrorDomain error -999.)
Jul 6 13:27:04 Jeramy-Simpsons-iPhone OnionBrowser[5257] : loading https://.onion/ URL, ignoring SSL certificate status (https://3g2upl4pq6kufc4m.onion/lite/)
Jul 6 13:27:19 Jeramy-Simpsons-iPhone OnionBrowser[5257] : [ProxyURLProtocol] Got response 200: content-type: text/html; charset=UTF-8
Jul 6 13:27:19 Jeramy-Simpsons-iPhone OnionBrowser[5257] : [ProxyURLProtocol] parsed content-type=text/html, encoding=UTF-8
Jul 6 13:27:19 Jeramy-Simpsons-iPhone OnionBrowser[5257] : *** Assertion failure in -[CKHTTPConnection dealloc], /Users/jeramy/github/local/iOsOnionBrowser/OnionBrowser/OnionBrowser/../ConnectionKit/CKHTTPConnection.m:99
Jul 6 13:27:19 Jeramy-Simpsons-iPhone OnionBrowser[5257] : (null)

Any help/ides would be awesome

Hi, and thanks for making and maintaining such a great app!

I would like to suggest a few features to add to the app:

1. Allow people to choose to configure bridges or directly connect to Tor before actually initiating the connection process, maybe through a dialog box popup.
2. Lock/broken lock icon to signify if a HTTPS page has insecure content or not.

Regards,
John-Khart

Just a heads up, OpenSSL 1.0.1f doesn't build on 7.1: http://llvm.org/bugs/show_bug.cgi?id=19179

I am working on a project to use onion to test ios web site. In some cases, we would like to visit website as a usual way , it means directly to visit the web not through ssh or tor. Is there an easy way to disable tor (like to comment some codes in the onion or something else) to visit web site as a usual way?

Thank you very much.

https sites with self-signed certificates does not works.

As the title says.

Browser history / cache / cookies get cleared, but visited links still receive a CSS highlight for ":visited" (purple by default). This could be subject to crafty attacks, but the original script-based attack of this leak does not appear work on iOS Safari — http://ha.ckers.org/weird/CSS-history-hack.html — visited links on this page get proper highlight but do not end up in the "visited" section as the JS attempts to do.

A warning message now shows up in the 1.2.6 version (should be available approx Sep. 12) when pressing the "New Identity" button.

More details in the following comments:

• #20 (comment)
• #20 (comment)

Original report:

Some links on some .onion sites seem to remain purple regardless of pressing "new identity" or indeed the complete deletion and reinstallation of the OnionBrowser.

I'm taking this as meaning there is some history being maintained?

Disclaimer in startup page links to Tor Project “Staying anonymous” tips, which are somewhat technical and also very generic. (i.e. “You need to use protocol-specific support software…”)

Might be worth writing a custom tipsheet for Tor newbies.

…and double check patches (and update them to keep the offsets up to date).

0.2.3.17-beta introduced compiler and linker "hardening" (Tor ticket 5210) which has some issues with the iOS build chain (the -pie option and a few other things don’t work for iOS Device compilation) and it looks like there has been some continuing work on that.

Hi there!
Good work in The Browser! i'd love to take my PDFs and stuff with me. If you dont want/cant add a filemanager, an "open in..." button would be nice.

https://www.torproject.org/projects/obfsproxy.html.en

Ideally this functionality would be based on the new ScrambleSuit pluggable transport that is resistant to active probing attacks, but supporting the obfs3 pluggable transport would still be highly useful.

This would allow Onion Browser to be used in countries that are employing DPI to block/detect Tor connections, which are the countries that need Tor the most.

I have found that while navigating sites,especially forums that have the next page button at the bottom, the bottom navigation bar with the back,forward,history,and settings buttons on it blocks my ability to press the next page button

Never mind please delete this

There is a new API called WKWebView that supports JIT and is now the same on iOS and OS X. It also supports user scripts via WKUserScript which could be helpful.

I am considering creating some sort of TORWebView subclass of WKWebView that transparently supports Tor via OnionKit. Would you be interested in collaborating?

There is also a new API on iOS 8 that allows full VPN control via the NEVPNManager class. If many applications depend on Tor, it could be better from a security perspective to ship a Tor VPN that is maintained separately. My only concern would be that users might not want all of their phone's traffic going over Tor, only a few select applications.

I feel like being in a dark net museum. You look, you don't touch !
Why is Onion browser the only browser in the apple store -- and the only browser I've ever met on any OS -- that allow you to browse but not to download anything? It's like walking in a super market and leaving empty handed. The Dark Net is a huge part of the whole internet and it's a real shame to discover interesting websites (everybody talk about guns, drugs and girls but illegal websites are a ridiculous part of what you can access there) without having the possibility to download any kind of file. The iOs menus are blocked. And except the "Copy" button, nothing works...
Really this app rocks but this limitation sucks. Everytime I need to download I use Vidalia back on the PC. Apple forbid you to implement a download button ? is it too complex to program ? More than the encryption and privacy part of your project ?! I'm looking forward for this cos' personnaly after 1.3.3 and 1.3.4 I don't think I'll buy any newer version that enable me to go fishing in deep sea without going home with some fish.
Thanks for the hard work. Good luck and please keep us informed wether it's an apple restriction or an improvement yet to come soon.

The libraries will download using the script, but never reach the compilation stage. Installing ccache from homebrew fixes the problem.

I imagine lines 74-81 of the build scripts are to blame, but I haven't looked into a fix yet.

Some webpages use statically compressed css files.

When visiting these sites with Onion Browser the CSS could not be loaded. I think in the defauls ios request loader there is a integrated decompress mechanism.

I tried to load the same webpage with a default UIWebview and it worked.

Best regards

Dominic

(1) Open Onion Browser (2) type 'https://google.com' (3) tap the Images link (4) tap in the search box (5) type a search term (6) tap Search (7) ##do stuff## (8) repeat 1-4 and the search history will show your previous search(es).

do stuff## includes navigating away from the page; choosing new identity; quitting and returning to Onion Browser; quitting Onion Browser, killing its task, and restarting it. It does seem to clear the search history if you power off iPhone.

Somehow, Google Images is able to track you through different identities and even killing/restarting the app, even with cookies disabled.

If choosing a new identity causes Google to redirect you to a country-specific page (eg. ...google.de), then the search history won't show up (but it's still there).

Browser settings:
block all cookies
no spoofing
pipelining enabled
no DNT header
not using bridges

Workaround: Force quit app (tap home to quit app, double-tap home, hold down on app icon in tray, and "delete" app) and then restart app. Issue does not appear to come back in later loads.

Sorry, I submit this issue again, I just run build-tor.sh, but I get the error"Downloading tor-0.2.4.23.tar.gz
location="http://www.cjb.net/"//<script>location="http://www.cjb.net/"</script>
Using tor-0.2.4.23.tar.gz
tar: Error opening archive: Failed to open 'tor-0.2.4.23.tar.gz'". Can you send the .a library to me directly? Thanks, this is my email:
[email protected]

In Share icon => Browser Settings => HOME PAGE

I set the value to https://duckduckgo.com

When I click Done and go to Share icon => Open Home Page

This URL does not load in the browser window.

Clicking "Block All" actually sets "Block Third-Party" and vice-versa.

Hi,

is it possible to integrate browser plug-in or JS Application (as main UI) within Onion Browser?

For example, it would be a really cool idea to use Onion Browser to package other applications that just need a web view and tor integrated.

For example it would be possible to integrate:

• CryptoCat www.crypto.cat
• GlobaLeaks www.globaleaks.org

that both need to run as local javascript application, communicate with the web anonymous and use the web browser as their main UI.

Onion Browser may so became a base SDK to build Mobile Anonymized applications, much like the current goal of APAF (but for Desktop applications) http://github.com/globaleaks/APAF

What do you think about that possible direction of Onion Browser?

The User Agent header still shows iOS 5.1.1 and iPad in the string. Anonymity websites do detect the browser as Mozilla, but you can still see traces from the old User-Agent. This would make for easy fingerprinting.

Developer note: (mtigas) Onion Browser occasionally fails to connect to Tor after app initialization. I (developer) have not been able to reproduce this issue, but have since added Tor Check on the start page (similar to how Tor Browser Bundle double-checks the Tor connection as it's homepage) for the benefit of users.

Original issue: (vinnyx)

When onion connects it congratultes me and states my IP address appears to be ____
However if I do an ip lookup using onion, it gives me my actual IP address. Which address is actually seen by sites.

Workaround: Force quit app (tap home to quit app, double-tap home, hold down on app icon in tray, and "delete" app) and then restart app.

Hard to recreate issue when running app for more than a few minutes.

Seems to happen regardless of if app has gone into background or if network has gone up/down. (In fact, app does send HUP to Tor in those circumstances, causing Tor to reload & build new connections.)
#3 would help (and is related), but this is a more specific issue than that.

User reports that IDN addresses don't work when typed in the address bar.

I own http://·.ws/ — aka http://xn--uba.ws/ — which could be a decent test case.

https://github.com/Wevah/Punycode-Cocoa looks promising as a punycode solution.

IT missing all library Files

I understand that the app store limits what your app is able to do but I was wondering if there was a way using this compiling process here to also add some kind of Noscript?

I just thought I'd let you know that the workaround in build-tor.sh is actually a bug in Tor's configure script, which I just opened a ticket for here with a patch.

(was "Decouple Tor management from AppDelegate" -mtigas)

It would be tremendously useful for other developers in this space if we could agree on a standard implementation for Tor on iOS that can be bundled more easily. I originally created OnionKit as a way to "library-ify" your Tor management code, but I'm not particularly happy with it and your socket-based solution might be better than Tor.framework's approach from a maintainability perspective.

The main changes that need to be made are removing the references to AppDelegate.h from TorController and TorWrapper so other projects can include this code without breaking their own apps. Down the road, moving the management code to a separate repo and shipping it as a library (or even better, a Cocoapod) would make it a lot easier for all of us to collectively maintain.

Like the Tor Browser launcher, TAILS, etc.

Honestly should've done this from the start.

I just purchased this app onto my iPad3. When I selected "New Identity", the screen "squeezed"over to the right and covered the icons in the toolbar below so that I cannot use them at all, and there is a big black empty space on the right side almost covering half of the screen. I read one of the closed threads and saw that one year ago, a couple people complained about this very same thing and that the problem was fixed. Is there a way to take care of this problem, or could I be missing something extremely obvious? (If this is the case, then I am sorry!!)

Noticed in your comments that Javascript couldn't be disabled and that location tagging couldn't be disabled either. Perhaps a viable option would be to include PCRE into the mix (currently used in Safari, and may even be able to be used in the API) If you could run the inbound buffer through a series of Perl Regular Expressions to filter out things like script tags and such forth.

Running on an iPad 3/new iPad with latest iOS
Clicking New Identity changes the viewport, so that there is a large empty space on the right side, and it extends over the buttons vertically

Have tried using iOS 8.0.1 / 8.0.2 on an iPhone 5S, iPad 3 and iPad Mini 1st gen, to access my own web server which uses a self-signed SSL cert. An alert view pops up with the title "Cannot Verify Website Identity" with the buttons "cancel" and "continue" - however, when I tap on continue the app crashes.

I can email crash logs upon request.

Using tor-0.2.4.18-rc.tar.gz
tar: Unrecognized archive format