radio24 / torbox

TorBox is an easy to use, anonymizing router based on Raspberry Pi, which also runs on Debian and Ubuntu based systems.

Home Page: https://www.torbox.ch

License: GNU Affero General Public License v3.0

Shell 59.34% JavaScript 8.99% Batchfile 0.34% Python 11.34% HTML 1.76% CSS 18.22% Dockerfile 0.01%
tor debian raspberry-pi ubuntu

torbox's Introduction



TorBox

TorBox is an easy to use, anonymizing router based on Raspberry Pi, which also runs on Debian and Ubuntu based systems. TorBox can create a separate WiFi that routes the encrypted network data over the Tor network. However, TorBox also supports clients that are connected with a cable. Additionally, TorBox helps to publish data easily and safely through Onion Services. The type of client (desktop, laptop, tablet, mobile, etc.) and operating system on the client don’t matter.

For more information, visit the TorBox website.

What’s it all about?

Disclaimer

Use it at your own risk!

TorBox is ideal for providing additional protection for the entire data stream and for overcoming censorship. However, anonymity is hard to get – solely using Tor doesn’t guarantee it. Malware, cookies, Java, Flash, JavaScript and more will most certainly compromise your anonymity. Even the people from the Tor Project themselves state that “Tor can’t solve all anonymity problems. It focuses only on protecting the transport of data.” Therefore, it is strongly advised not to rely on TorBox alone should your well-being depend on your anonymity. In such a situation, it may be better to use Tails. Please read more about tracking and fingerprinting in web browsers in the FAQ.

Quick Installation Guide

  1. Download the latest TorBox image file and verify the integrity of the downloaded file.
  2. Transfer the downloaded image file to an SD card, for example with Etcher. TorBox needs at least an 8 GB SD card.
  3. Put the SD card into your Raspberry Pi, link it with an Internet router using an Ethernet cable, or place a USB WiFi adapter in one of the USB ports to use an existing WiFi. Afterwards, start the Raspberry Pi. During the start, the system on the SD card automatically expands over the entire free partition – user interaction, screen, and peripherals are not required yet.
  4. After 2-3 minutes, when the green LED stops flickering, connect your client to the new WiFi “TorBox053” (password: CHANGE-IT).
  5. Log in to the TorBox using an SSH client (192.168.42.1 on a WiFi client or 192.168.43.1 on a cable client) or a web browser (http://192.168.42.1 on a WiFi client or http://192.168.43.1 on a cable client; for a connection via cable, see here; username: torbox / password: CHANGE-IT).
  6. After seeing a welcome screen and answering some initial questions during the first start-up, you should see the TorBox Main Menu. Immediately change the default passwords (the associated entries are in the configuration sub-menu).

At least a Raspberry Pi 3 Model B+ or a Raspberry Pi 4 Model B is recommended. TorBox should also work on a new Raspberry Pi 5, but we couldn't verify this yet. However, we also offer installation scripts for other systems, which might run on older (32-bit) or other hardware platforms.

Do you have additional questions? Check out our Documentation, our FAQ on the TorBox website or contact us.

Start-up instructions

Features

  • TorBox routes all your network data through the Tor network. At the same time, TorBox acts as an external firewall and prevents IP leakage. It can also block insecure HTTP requests.
  • With a menu system that can be accessed by an SSH client or a web browser, TorBox provides a user-friendly interface.
  • TorBox supports Internet access via cable (Ethernet), WiFi, tethering devices, cellular links, USB dongles (wlan1/eth1/ppp0/usb0), and VPN connections (tun0).
  • Clients can connect to TorBox via WiFi (in most cases, an additional USB WiFi adapter is necessary) and cable (simultaneously; see here).
  • It easily overcomes captive portals and offers, if necessary, measures against “disconnect when idle” features (sometimes seen with WiFis in airports, hotels, coffee houses).
  • TorBox supports OBFS4, Meek-Azure and Snowflake bridges, which help overcome censorship (with an easy-to-use interface).
  • TorBox also supports Onion Services, which allow data to be shared and chats to be held securely through Tor by accessing a .onion domain, even if TorBox is located behind a firewall or network address translator or placed in a censoring country, while preserving the security and anonymity of both parties.
  • If you have a public IP address, 24/7 Internet connectivity over a long time, and a bandwidth of at least 1 Mbps, TorBox can provide a bridge relay, easily configurable via a user-friendly interface, to allow censored users access to the open Internet.
  • It provides SOCKS v5 proxy functionality on ports 9050 (standard) and 9052 (with destination address stream isolation).
  • It allows easy access to .onion websites without client configuration (Chrome and Chromium), with a minor change in the settings (Brave) or via the SOCKS v5 proxy (Mullvad and Firefox).

Alternative installation method with the TorBox installation script

Alternatively, you can download the latest version of Raspberry Pi OS Lite (64-bit) or use the Raspberry Pi Imager and choose, under Operating System, Raspberry Pi OS (other), the Raspberry Pi OS Lite (64-bit) image. With the Raspberry Pi Imager, you can also set up a hostname, SSH, WiFi AP, username (use torbox), and your preferred password for a headless installation. If the username is not set, the first-boot wizard enforces the creation of a new user account when Raspberry Pi OS starts for the first time -> use torbox and your preferred password. Optionally, localize your installation with raspi-config. Ensure stable Internet connectivity, then download and execute our installation script (for options, use --help):

cd
wget https://raw.githubusercontent.com/radio24/TorBox/master/install/run_install.sh
chmod a+x run_install.sh
./run_install.sh


See here for more detailed information and installation scripts for other systems, which might run on different hardware platforms.

Building from scratch

All you need to run TorBox on your Raspberry Pi is the image file. However, if you want to build it from scratch, whether because you want to install it on an existing system, on other hardware or another operating system, or because you don’t trust an image file you didn’t build yourself, check out our detailed manual for a Raspberry Pi with Raspberry Pi OS Lite.

I want to help...

GREAT! There is a lot to improve and fix (security of the entire system, graphical menu, cool logos ...). We are searching for people who want to help, and we need your feedback to improve the system. You can also donate to the Tor Project -- without them, TorBox would not exist.

Contact

For secure email communication, we use Protonmail for the TorBox email address. All messages between Protonmail users are automatically end-to-end encrypted. Additionally, all messages in Protonmail inboxes are protected with PGP encryption to prevent Protonmail (or anyone else) from reading or sharing emails, a concept known as zero-access encryption. Creating a Protonmail email address is free and takes less than a minute. With Protonmail, anyone can use PGP regardless of their technical knowledge. However, the technically versed can also use our public PGP key to communicate with us:


OpenPGP key file: publickey.anonym@torbox.ch-69e114c5c446133a0489a6c0e84929538341e840.asc

torbox's People

Contributors

dependabot[bot], h0ek, nonnil, nyxnor, radio24, zotil


torbox's Issues

No connection: Failed to bind one of the listener ports

My TorBox on a RPi3 B+ stopped working (it was off for a while preceding this). There is a TorBox030 WiFi available and ssh connection is working, but no internet connection due to a Tor error. Every setting is on default.
Tried so far:

  • previous SD image
  • latest image
  • updating firmware + Tor + TorBox
  • resets

sudo journalctl -u tor@default shows:

Feb 04 08:45:23 TorBox030 systemd[1]: Starting Anonymizing overlay network for TCP...
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.825 [notice] Tor 0.4.2.5 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.825 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.826 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.826 [notice] Read configuration file "/etc/tor/torrc".
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.836 [notice] You configured a non-loopback address '192.168.42.1:9053' for DNSPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.836 [notice] You configured a non-loopback address '192.168.43.1:9053' for DNSPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.836 [notice] You configured a non-loopback address '192.168.42.1:9040' for TransPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.836 [notice] You configured a non-loopback address '192.168.43.1:9040' for TransPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:23 TorBox030 tor[950]: Feb 04 08:45:23.840 [notice] Not disabling debugger attaching for unprivileged users.
Feb 04 08:45:23 TorBox030 tor[950]: Configuration was valid
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.150 [notice] Tor 0.4.2.5 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.150 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.150 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.150 [notice] Read configuration file "/etc/tor/torrc".
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.154 [notice] You configured a non-loopback address '192.168.42.1:9053' for DNSPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.155 [notice] You configured a non-loopback address '192.168.43.1:9053' for DNSPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.155 [notice] You configured a non-loopback address '192.168.42.1:9040' for TransPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.155 [notice] You configured a non-loopback address '192.168.43.1:9040' for TransPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.42.1:9050' for SocksPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.43.1:9050' for SocksPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.42.1:9053' for DNSPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.43.1:9053' for DNSPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.42.1:9040' for TransPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.43.1:9040' for TransPort. This allows everybody on your local network to use your machine as a prox
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Socks listener on 192.168.42.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opened Socks listener on 192.168.42.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Socks listener on 192.168.43.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [warn] Could not bind to 192.168.43.1:9050: Cannot assign requested address
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening DNS listener on 192.168.42.1:9053
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opened DNS listener on 192.168.42.1:9053
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening DNS listener on 192.168.43.1:9053
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [warn] Could not bind to 192.168.43.1:9053: Cannot assign requested address
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Transparent pf/netfilter listener on 192.168.42.1:9040
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opened Transparent pf/netfilter listener on 192.168.42.1:9040
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Transparent pf/netfilter listener on 192.168.43.1:9040
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [warn] Could not bind to 192.168.43.1:9040: Cannot assign requested address
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Control listener on 127.0.0.1:9051
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opened Control listener on 127.0.0.1:9051
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [notice] Closing partially-constructed Socks listener on 192.168.42.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [notice] Closing partially-constructed DNS listener on 192.168.42.1:9053
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [notice] Closing partially-constructed Transparent pf/netfilter listener on 192.168.42.1:9040
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [notice] Closing partially-constructed Control listener on 127.0.0.1:9051
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [err] Reading config failed--see warnings above.
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Failed with result 'exit-code'.
Feb 04 08:45:24 TorBox030 systemd[1]: Failed to start Anonymizing overlay network for TCP.
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Service RestartSec=100ms expired, scheduling restart.
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Scheduled restart job, restart counter is at 5.
Feb 04 08:45:24 TorBox030 systemd[1]: Stopped Anonymizing overlay network for TCP.
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Start request repeated too quickly.
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Failed with result 'exit-code'.
Feb 04 08:45:24 TorBox030 systemd[1]: Failed to start Anonymizing overlay network for TCP.

What could be the way to fix this?
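A triage script for journal excerpts like the one above, added here as an example (not code from the issue or from the TorBox project): it parses Tor's "Opening ... listener", "Could not bind" and "non-loopback address" lines, groups the bind failures by address and lists which listeners Tor exposes to the local network. The sample lines are a constructed subset of the excerpt.

```python
"""Triage a `journalctl -u tor@default` excerpt for listener bind failures.

Added example, not code from the issue or the TorBox project. SAMPLE_LOG is
a constructed subset of the journal lines quoted in the issue above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] You configured a non-loopback address '192.168.42.1:9050' for SocksPort. This allows everybody on your local network to use your machine as a proxy.
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Socks listener on 192.168.42.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opened Socks listener on 192.168.42.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Socks listener on 192.168.43.1:9050
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [warn] Could not bind to 192.168.43.1:9050: Cannot assign requested address
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening DNS listener on 192.168.43.1:9053
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [warn] Could not bind to 192.168.43.1:9053: Cannot assign requested address
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [notice] Opening Transparent pf/netfilter listener on 192.168.43.1:9040
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.156 [warn] Could not bind to 192.168.43.1:9040: Cannot assign requested address
Feb 04 08:45:24 TorBox030 tor[951]: Feb 04 08:45:24.157 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
Feb 04 08:45:24 TorBox030 systemd[1]: tor@default.service: Start request repeated too quickly.
"""

# Tor's own log phrasing for the three events we care about.
OPENING_RE = re.compile(
    r"\[notice\] Opening (?P<kind>.+?) listener on (?P<addr>[\d.]+):(?P<port>\d+)")
BIND_FAIL_RE = re.compile(
    r"\[warn\] Could not bind to (?P<addr>[\d.]+):(?P<port>\d+): (?P<reason>.+)$")
NONLOOP_RE = re.compile(
    r"non-loopback address '(?P<addr>[\d.]+):(?P<port>\d+)' for (?P<opt>\w+)")
FATAL_MARKER = "Failed to bind one of the listener ports"


def triage(log_text):
    """Summarise a journal excerpt.

    Returns a dict with
      failures: {address: [(listener kind, port, reason), ...]}
      exposed:  sorted (option, address, port) tuples Tor warned are non-loopback
      fatal:    True if Tor gave up because a listener could not be bound
    """
    kind_by_socket = {}          # (addr, port) -> "Socks", "DNS", ...
    failures = defaultdict(list)
    exposed = set()
    fatal = False
    for line in log_text.splitlines():
        m = OPENING_RE.search(line)
        if m:
            kind_by_socket[(m["addr"], m["port"])] = m["kind"]
            continue
        m = BIND_FAIL_RE.search(line)
        if m:
            kind = kind_by_socket.get((m["addr"], m["port"]), "unknown")
            failures[m["addr"]].append((kind, int(m["port"]), m["reason"]))
            continue
        m = NONLOOP_RE.search(line)
        if m:
            exposed.add((m["opt"], m["addr"], int(m["port"])))
            continue
        if FATAL_MARKER in line:
            fatal = True
    return {"failures": dict(failures), "exposed": sorted(exposed), "fatal": fatal}


def dead_addresses(report):
    """Addresses where every attempted bind failed with 'Cannot assign requested
    address', i.e. no interface carried that IP when Tor started."""
    return sorted(addr for addr, items in report["failures"].items()
                  if all("Cannot assign requested address" in reason
                         for _, _, reason in items))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for addr, items in report["failures"].items():
        for kind, port, reason in items:
            print(f"bind failed   {addr}:{port:<5} {kind}: {reason}")
    print("addresses with no interface:", ", ".join(dead_addresses(report)))
    for opt, addr, port in report["exposed"]:
        print(f"LAN-reachable {opt} on {addr}:{port}")
    print("tor aborted start-up:", report["fatal"])
```

On this excerpt every failed bind is on 192.168.43.1, the address the README assigns to the cable-client side, while the 192.168.42.1 listeners open normally, so the report narrows the problem to that interface rather than to Tor's configuration as a whole.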

project reuse

GPL v3.0 summary Permissions of this strong copyleft license are conditioned on making available complete source code of licensed works and modifications, which include larger works using a licensed work, under the same license. Copyright and license notices must be preserved. Contributors provide an express grant of patent rights.

I'm using the bridges for the client scripts: meek-azure, snowflake, the 4 bridges_*.
I preserved the verbatim inside the files.
Do I need to add the license file somewhere in the code, or is the verbatim inside the files enough?

Captive portals

Wonderful project! Can you add to the FAQ how getting around captive portals work?

I assume it requires logging into the Pi somehow and temporarily disabling Tor and the various protections. I am interested to know the exact process.

LTE Stick not working on TorBox!

I have installed TorBox on a Raspberry Pi 4 and have tried it with the Ethernet cable; everything is good.
But when I want to run it with the modem (Huawei E3372), I receive "there is no cellular link or an USB dongle connected!"

  • The modem works on the PC without a driver.

Thanks

how to correctly import and export hidden services?

Hi, I saved my hidden services from a previous version of TorBox (/var/lib/tor and the torrc file), but after copying the folder with the hidden services and adding the hidden service dir records to torrc, TorBox doesn't want to share the internet; in the end the internet isn't working anymore. What did I do wrong?

Manage onion services

My old mod: https://github.com/nyxnor/raspiblitz/blob/tor-patch/home.admin/config.scripts/tor.onion-service.sh
New mod: https://github.com/nyxnor/CLI-onion-services/blob/main/tor.onion-service.sh

Currently, the script CREATES, DELETES (optionally purges to delete the onion address), ADDs and REMOVEs auth; see CREDENTIALS.
My script configures client auth on the server side, but the client side needs to be configured manually. I explained the commands in depth when running the script with echo, but it should be shortened to only display the necessary string, with a guide on the TorBox page or in the text/ folder explaining how to do so.

This post was edited for reference.
This is informational material about things to be implemented, and to be reviewed if they were. This is more a long-term goal than a complete todo list. The texts were extracted from each link mentioned above them, keeping only the most useful information.

Instructions

  • Matt Traudt HS Setup

  • TPO setup onion service

    • Tip: A good practice to avoid leaking an onion service to a local network is to run onion services over Unix sockets instead of a TCP socket. You will need to edit and put the following two lines in your torrc file:
HiddenServiceDir /var/lib/tor/my-website/
HiddenServicePort 80 unix:/var/run/tor-my-website.sock

(Optional) Step 5: Running multiple onion services

If you want to forward multiple virtual ports for a single onion service, just add more HiddenServicePort lines. If you want to run multiple onion services from the same Tor client, just add another HiddenServiceDir line. All the following HiddenServicePort lines refer to this HiddenServiceDir line, until you add another HiddenServiceDir line:

 HiddenServiceDir /var/lib/tor/onion_service/
 HiddenServicePort 80 127.0.0.1:80

 HiddenServiceDir /var/lib/tor/other_onion_service/
 HiddenServicePort 6667 127.0.0.1:6667
 HiddenServicePort 22 127.0.0.1:22
  • If you're running multiple onion sites on the same web server, remember to edit your web server virtual host file and add the onion address for each website. For example, in Nginx and using Tor with Unix sockets, the configuration would look like this:
server {
        listen unix:/var/run/tor-my-website.sock;
        server_name <your-onion-address>.onion;
        access_log /var/log/nginx/my-website.log;
        index index.html;
        root /path/to/htdocs;
}

Or in Apache with Tor service listening on port 80:

     <VirtualHost *:80>
       ServerName <your-onion-address.onion>
       DocumentRoot /path/to/htdocs
       ErrorLog ${APACHE_LOG_DIR}/my-website.log
     </VirtualHost>
# /etc/tor/torrc

# Try to run Tor more securely via a syscall sandbox.
# https://www.torproject.org/docs/tor-manual.html.en#Sandbox
Sandbox 1

# Disable the SOCKS port. Not like anything else on this box is using tor.
SocksPort 0

# Set up the hidden service. propub3r6espa33w.onion -> www.propublica.org
# We're using unix sockets instead of "127.0.0.1:xxxxx". see nginx conf.
# Docs: https://www.torproject.org/docs/tor-manual.html.en#HiddenServicePort

HiddenServiceDir /var/run/tor/pp_www_hidserv
HiddenServicePort 80  unix:/var/run/nginx-pponion-80.sock
HiddenServicePort 443 unix:/var/run/nginx-pponion-443.sock
# /etc/nginx/sites-enabled/propubonion.conf
#
# Note that all of our hostnames listen to a unix socket instead
# of "127.0.0.1:xxxxx".
# Docs: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

map $http_upgrade $connection_upgrade {
  default  "upgrade";
  "" "";
}

# HTTP BARE ONION
server {
    listen       unix:/var/run/nginx-pponion-80.sock;
    server_name  propub3r6espa33w.onion;
    #allow 127.0.0.1;
    allow "unix:";
    deny all;
    server_tokens off;
    rewrite ^/(.*) http://www.propub3r6espa33w.onion/$1 permanent;
}

# HTTPS BARE ONION
server {
    listen       unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name  propub3r6espa33w.onion;
    #allow 127.0.0.1;
    allow "unix:";
    deny all;
    server_tokens off;
    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;
    rewrite ^/(.*) https://www.propub3r6espa33w.onion/$1 permanent;
}
  • Client Auth

    • Client authorization is a method to make an onion service private and authenticated. It requires Tor clients to provide an authentication credential in order to connect to the onion service. For v3 onion services, this method works with a pair of keys (a public and a private). The service side is configured with a public key and the client can only access it with a private key.
    • Note: Once you have configured client authorization, anyone with the address will not be able to access it from this point on. If no authorization is configured, the service will be accessible to anyone with the onion address.
  • If you are generating a private key for an onion site, the user does not necessarily need to edit Tor Browser's torrc. It is possible to enter the private key directly in the Tor Browser interface.

  • Onion-location

    • Onion-Location is an easy way to advertise an onion site to the users. You can either configure a web server to show an Onion-Location Header or add an HTML meta attribute in the website.
    • Using an HTML attribute

Nginx

To configure an Onion-Location header, the service operator should first configure an Onion service.

Step 1. Create an Onion service by setting the following in torrc:

HiddenServiceDir /var/lib/tor/hs-my-website/
HiddenServiceVersion 3
HiddenServicePort 80 unix:/var/run/tor-hs-my-website.sock

Step 2. Edit website configuration file

In /etc/nginx/conf.d/.conf add the Onion-Location header and the onion service address. For example:

add_header Onion-Location http://<your-onion-address>.onion$request_uri;

The configuration file with the Onion-Location should look like this:

server {
    listen 80;
    listen [::]:80;

    server_name <your-website.tld>;

    location / {
       return 301 https://$host$request_uri;
    }

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name <your-website.tld>;

    # managed by Certbot - https://certbot.eff.org/
    ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Onion-Location http://<your-onion-address>.onion$request_uri;

    # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/<hostname>-access.log;

    index index.html;
    root /path/to/htdocs;

    location / {
            try_files $uri $uri/ =404;
    }
}

server {
        listen unix:/var/run/tor-hs-my-website.sock;

        server_name <your-onion-address>.onion;

        access_log /var/log/nginx/hs-my-website.log;

        index index.html;
        root /path/to/htdocs;
}

Step 3. Test website configuration

sudo nginx -t

The web server should confirm that the new syntax is working:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Step 4. Restart nginx

sudo nginx -s reload

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Step 5. Testing your Onion-Location

To test if the Onion-Location is working, fetch the web site HTTP headers, for example:

wget --server-response --spider your-website.tld

Look for onion-location entry and the onion service address. Or, open the web site in Tor Browser and a purple pill will appear in the address bar.

  • The identical behaviour of Onion-Location includes the option of defining it as an HTML http-equiv attribute. This may be used by websites that prefer (or need) to define an Onion-Location by modifying the served HTML content instead of adding a new HTTP header. The Onion-Location header would be equivalent to a <meta http-equiv="onion-location" content="http://<your-onion-service-address.onion>" /> added in the HTML head element of the webpage. Replace <your-onion-service-address.onion> with the onion service that you want to redirect to.

  • TPO community OpSec

    • TPO Gitlab OpSec
    • As mentioned here, be careful of letting your web server reveal identifying information about you, your computer, or your location. For example, readers can probably determine whether it's thttpd or Apache, and learn something about your operating system.
    • If your computer isn't online all the time, your onion service won't be either. This leaks information to an observant adversary.
    • It is generally a better idea to host onion services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible.
    • The longer an onion service is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the onion service's availability and matching induced traffic patterns.
    • Another common issue is whether to use HTTPS on your onionsite or not. Have a look at this post on the Tor Blog to learn more about these issues.
    • To protect your onion service from advanced attacks you should use the Vanguards addon; read the Tor blog about Vanguards and Vanguards' Security README.
  • Riseup OpSec - Leaking the real server

    • A common misstep here is server signatures, for example it is easy to determine if a webserver is thttpd or Apache, or learn about your operating system because the banner tells the version of the running service and operating system.
    • Another way that your onion address will get out is via the referrer header in browsers when a client browses a hidden service website and then clicks on a clearnet/hidden service link. The Tor browser has taken care of many of these tiny leaks, so be sure to encourage your users to use an up-to-date tor browser instead of using their own browser with Tor.
    • If the server running the onion service is also exposed to the clearnet, make sure that when you connect to either the clearnet service or the onion service, you cannot specify the other service in the host header and get a response. You should ensure the onion service is only listening on the internal IP and your external service is only listening on the external IP address. The easiest way to ensure there are no failures here is to run your service on a machine that has no external IP address.
    • Make sure the time on your server is correct, and is corrected automatically by NTP, so that time skews do not help identify your server.
    • Make sure you are not inadvertently exposing information, for example with PHP you may disclose the server’s real name/address if you leak phpinfo() or $_SERVER, or expose error messages!
    • Look into protecting yourself against Server Side Request Forgery (SSRF). This attack works by getting the server to perform an external connection (DNS lookup, etc.) which can expose your machine’s real location. Strict egress firewalling is one way to mitigate against this problem.
    • The longer an onion service is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the onion service’s availability and matching induced traffic patterns.
    • There are currently ways in the protocol that a bad relay can learn about your onion address, even if you don’t tell anybody. Follow the discussion on the subject if you want to stay on top of how the Tor project is working on fixing these issues.
  • Riseup OpSec - Be careful of localhost bypasses!

    • You should take great care not to accidentally expose things on your server that are restricted to the local machine. For example, if you provide /server-status in Apache (from mod_status, which is enabled by default in Debian's Apache) to monitor the health of your Apache web server, that will typically be restricted to only allow access from 127.0.0.1, or you may have .htaccess rules that only allow localhost, etc.
    • There are a few ways you can solve this problem:
      • different machine: consider running the onion service on a different machine (real or virtual) than the actual service. This has the advantage that you can isolate the service from the onion service (a compromise of one doesn't compromise the other) and helps with isolating potential information leaks.
      • isolation: similarly to the above, you can also isolate Tor and the service so it runs in a different network namespace than the service. Tails uses a Tor-or-fail packet filter.
      • public ip: configure the onion service to connect to the public IP address of the service instead of localhost/127.0.0.1; this should make Tor not pick 127.0.0.1 as the source address and avoid most misconfigurations. For example like this:
HiddenServiceDir /var/lib/tor/hidden/ftp/
HiddenServicePort 80 192.168.1.1:81
  • Note: This makes your server and vhost potentially reachable to an external entity. There has been a growing number of attempts to discover the true location of sites behind Cloudflare that are badly configured because they still expose their true httpd on a public IP address. People regularly use masscan and zmap to scan the entire IPv4 address space, try to connect to a publicly exposed httpd, and request "high-value" onion addresses from the httpd to see if they send a Host header and make the site serve the probed vhost's content.
  • Binding to a port that is different from the "true" port is a source of a potential leak on Apache. If there is a directory, e.g. foo.onion/css/, then a request to foo.onion/css will cause Apache to emit a 301 redirect, but when it does issue it, it will include the port that it thinks the service is listening on. Instead of sending a 301 to foo.onion/css/ it would send a 301 for foo.onion:81/css/; this both breaks the website and reveals the port the httpd is really running on.
    • unix socket: consider using unix socket support instead of a TCP socket (requires 0.26 or later Tor). If you do this, then the onion service will be running on the same server as the service itself. With a socket approach, you should be able to run with PrivateNetwork=yes in the systemd unit, which gets you some really great isolation, for example:
HiddenServicePort 80 unix:/etc/lighttpd/unix.sock
  • But then the service itself needs to support unix sockets; otherwise you have to set up some socat redirection from tcp <-> unix (nginx, twisted, lighttpd all support this).

  • audit carefully: carefully audit, and regularly re-audit your system for configurations that allow localhost/127.0.0.1, but prohibit everywhere else and configure those to work around the problem (for example make /server-status operate on a different IP; make the webserver listen on a different port for /server-status; make it password protected, etc.).

  • DoS Guidelines - Vanguards done, HiddenServiceExportCircuitID seems to be the only other plausible solution.

  • Onionscan - Search for vulnerabilities in the HS

    • We want to help operators of hidden services find and fix operational security issues with their services. We want to help them detect misconfigurations and we want to inspire a new generation of anonymity engineering projects to help make the world a more private place.
    • Secondly we want to help researchers and investigators monitor and track Dark Web sites. In fact we want to make this as easy as possible. Not because we agree with the goals and motives of every investigation force out there - most often we don't. But by making these kinds of investigations easy, we hope to create a powerful incentive for new anonymity technology (see goal 1)

Special note for TorBox as it acts as a relay

It is generally a better idea to host onion services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible.
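The "audit carefully" item above asks for a regular review of access rules that trust the local host, because Tor connects to the published service from 127.0.0.1 and so inherits that trust. The following scanner is an added example (not code from TorBox or from the Riseup document quoted above); it walks Apache configuration text, tracks the enclosing `<Location>`/`<Directory>`/`<Files>` block, and lists every `Require local`, `Require ip 127.0.0.1` or `Allow from localhost` rule so the operator can move those endpoints to another IP/port or password-protect them. The sample configuration inside it is constructed.

```python
"""Audit Apache configuration text for access rules that trust the local host.

Added example, not code from TorBox or from the Riseup document quoted above.
When a web server is published as an onion service, Tor connects to it from
127.0.0.1, so every location restricted to "local" clients becomes reachable
from the onion address. The sample configuration below is constructed.
"""
import re
from typing import List, Tuple

# Apache 2.4 ("Require ...") and 2.2 ("Allow from ...") forms that grant
# access purely because the client is the local machine.
LOCALHOST_RULE = re.compile(
    r"^[ \t]*(?:Require[ \t]+local\b"
    r"|Require[ \t]+ip[ \t]+(?:127\.0\.0\.1|::1)\b"
    r"|Allow[ \t]+from[ \t]+(?:127\.0\.0\.1|localhost|::1)\b)",
    re.IGNORECASE,
)
BLOCK_OPEN = re.compile(
    r"^[ \t]*<(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)"
    r"[ \t]+\"?([^\">]+?)\"?[ \t]*>",
    re.IGNORECASE,
)
BLOCK_CLOSE = re.compile(
    r"^[ \t]*</(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)[ \t]*>",
    re.IGNORECASE,
)


def find_localhost_only_rules(config_text: str) -> List[Tuple[str, int, str]]:
    """Return (enclosing block, line number, directive) for each rule that only
    lets the local host in. Works on httpd.conf fragments and .htaccess files
    alike; rules outside any block are reported as "(global)"."""
    findings: List[Tuple[str, int, str]] = []
    stack: List[str] = []  # innermost enclosing <Location>/<Directory>/<Files>
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        opened = BLOCK_OPEN.match(line)
        if opened:
            stack.append(f"<{opened.group(1)} {opened.group(2).strip()}>")
            continue
        if BLOCK_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        if LOCALHOST_RULE.match(line):
            block = stack[-1] if stack else "(global)"
            findings.append((block, lineno, line.strip()))
    return findings


# Constructed sample: mod_status restricted to localhost (a leak candidate
# behind an onion service), an admin area restricted to a LAN range (not a
# localhost rule), and a public document root.
SAMPLE_CONFIG = """\
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
<Location "/admin">
    Require ip 192.168.1.0/24
</Location>
<Directory /var/www/html>
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    for block, lineno, directive in find_localhost_only_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {block} is reachable by localhost only: {directive}")
```

Run it against the real files with `find_localhost_only_rules(open("/etc/apache2/apache2.conf").read())` and repeat for every included site and `.htaccess`; each finding is an endpoint that the onion service exposes unless it is bound to another address or otherwise protected.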

Enable SSH access from the Internet, Permanently until disabled again - Does not persist after reboot && Problems to remotely connect to Tor's Control Port

Steps to Reproduce:

  1. Open the configuration menu tool.
  2. Select: Go to the configuration sub-menu
  3. Select: Enable SSH access from the Internet
  4. Check: Permanently until disabled again
  5. Select: OK, and "press any key to continue"
  6. Verify that the option now reads "Disable SSH access from the Internet"
  7. Reboot the device

Expected Results: SSH is still enabled from the Internet

Actual Results: SSH is disabled after reboot

Feature requests: Add client mode for Tor dhcpd output.

Add client mode for internet input and
Tor dhcpd output.

Wlan0 raspberry onboard> dhcpcd from ssid1 (normal iNet Input)
Wlan1 usb wlan > clientmode from ssid2 with fixed ipadress and dhcpd server

Why?
I have multiple access points in my home and would like to use vlan2 and ssid2 for Tor only, without having to be in range of the Raspberry.

bridges scripts cleanup and sourcing from torbox.lib

URL, menu parameters (height, width), terminal colors, $TORRC, activation, deactivation and removal of bridges still remain inside the bridges_*, meek-azure and snowflake scripts, although most of the functions are already included in torbox.lib.
Can I remove this from inside the scripts and move all of them to the lib?
This avoids changing multiple scripts when a modification is needed; the lib will be canonical for all scripts, as it should be, being a library. I saw you already started doing this kind of change recently, so it is on the right track.

Approval to patch and PR this?

I am going to make different functions; it is better to call one for meek and one for snowflake than calling them from a single function.

# Deactivates MEEK-AZURE and SNOWFLAKE if necessary

Feature request - Add possibility to use OTG as network card

Hi, maybe you can add an option to use the integrated OTG on the Raspberry 4 as a network card?
It's very easy to use eth0 for internet and OTG for Tor sharing.
P.S. Also, it would be very, very nice to create a clear option to select the source for internet and the target for Tor.

Raspberry Pi 3 - repo

deb https://deb.torproject.org/torproject.org buster main

torproject doesn't support armhf

N: Skipping acquire of configured file 'main/binary-armhf/Packages' as repository 'https://deb.torproject.org/torproject.org buster InRelease' doesn't support architecture 'armhf'

also keyring is expired for this repo
new key:
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

ping torproject.org over plainnet?

can't acquire new bridges or list their status just because the domain is blocked.
Why not make the request over Tor? Possible responses for that:

questions to think of possible outcomes

1 - domain blocked

  • But if Tor is not running?
    • Because the connection to the network is blocked? Well, reaching torproject.org over the plain network would be the worst in this case; they already block that or even store the user query.
    • Wrong config? If Tor is not running for another reason, some config might be wrong.
  • But wouldn't it be a hassle to modify?
    • nah, just use: session.proxies['http']='socks5h://localhost:9050' basically, of course there is more involved. Example (1) (2)

2 - tor connection blocked

  • Should it try the connection anyway? Well, possibly the attacker also blocks the domain, so this method shouldn't be recommended, but the user should be instructed to add bridges manually if there is no connection to the database. Is it possible to know if it is blocked without trying? If the user already knows, should a parameter be set to not try Tor connections without bridges?

mapping

domain blocked

  • domain blocked > can't connect to the database > instruct to add manually
  • domain blocked > try to connect to the database over Tor > connection established > bridges added

tor connection blocked

  • tor connection blocked > can't connect to the database (domain probably blocked) > instruct to add manually
  • tor connection blocked > try to connect to the database over Tor > user already had bridges online and the connection is established > bridges added

Also, there are already preset bridges in the torrc, so there shouldn't be any need to worry about using the defaults if needed at first.

can't connect for whatever reason

  • instruct to add manually
  • give info about what was the cause if possible.
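The mapping above boils down to one policy: never contact the bridge database over the plain network, fetch it through Tor's SOCKS port with `socks5h://` so that even the DNS lookup goes through Tor, and on any failure tell the user to add bridges manually together with the cause. The following is an added example that implements that policy; it is not TorBox's own code. It assumes a SOCKS port on localhost:9050 (TorBox's torrc binds SocksPort to 192.168.42.1:9050, so adjust `TOR_SOCKS` accordingly), and `BRIDGE_DB_URL` is a placeholder, not a real endpoint. The `fetch` parameter exists so the decision logic can be exercised without a network; the sample bridge lines in the test are constructed.

```python
"""Fetch a bridge list over Tor only, falling back to manual instructions.

Added example, not TorBox's own code. TOR_SOCKS assumes a SOCKS port on
localhost:9050; BRIDGE_DB_URL is a placeholder for the real database URL.
"""
from typing import Callable, Optional, Tuple

try:
    import requests  # only needed for the real network fetch
except ImportError:  # keeps the decision logic usable without requests
    requests = None

# socks5h: hostname resolution happens inside Tor, never on the local resolver.
TOR_SOCKS = "socks5h://localhost:9050"
BRIDGE_DB_URL = "https://example.invalid/bridges.txt"  # placeholder endpoint

MANUAL_HINT = ("Could not reach the bridge database ({cause}). "
               "Add bridges manually via 'Add additional bridges > Add bridges manually'.")


def fetch_over_tor(url: str, timeout: float = 30.0) -> str:
    """Fetch url through Tor's SOCKS proxy; raises on any failure.
    There is deliberately no fallback to the plain network."""
    if requests is None:
        raise RuntimeError("python 'requests' is not installed")
    session = requests.Session()
    session.proxies["http"] = TOR_SOCKS
    session.proxies["https"] = TOR_SOCKS
    resp = session.get(url, timeout=timeout)
    resp.raise_for_status()
    return resp.text


def acquire_bridges(tor_running: bool,
                    fetch: Callable[[str], str] = fetch_over_tor
                    ) -> Tuple[Optional[str], str]:
    """Return (torrc 'Bridge ...' lines or None, message for the user).

    Follows the mapping from the discussion: if Tor is not running there is
    nothing to route through, so instruct manual entry; if the fetch over Tor
    fails (domain blocked, Tor blocked, timeout), instruct manual entry and
    report why; otherwise return the bridge lines that were obtained."""
    if not tor_running:
        return None, MANUAL_HINT.format(
            cause="tor is not running; check the torrc or enable the preset bridges")
    try:
        text = fetch(BRIDGE_DB_URL)
    except Exception as exc:  # connection refused, timeout, HTTP error, ...
        return None, MANUAL_HINT.format(cause=f"fetch over tor failed: {exc}")
    bridges = [line.strip() for line in text.splitlines()
               if line.strip().lower().startswith("bridge ")]
    if not bridges:
        return None, MANUAL_HINT.format(cause="database returned no bridge lines")
    return "\n".join(bridges), f"{len(bridges)} bridges added"


if __name__ == "__main__":
    lines, message = acquire_bridges(tor_running=True)
    print(message)
    if lines:
        print(lines)
```

Whether Tor is running is something the caller determines (for example from `systemctl is-active tor`); the function only encodes what to do with that answer.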

menu-bridge rewritten - discussion

Planning a PR, opening discussion for this.

QUESTION
Is this type of menu suitable for this project?
If you say no, that is ok. If you say there are more menus to change, I'm editing them too. (Need some more days to finish)
If not everything is suitable, such as the menu type, but one change or another works, let me know.

CHANGES

  • Title now includes if there is a bridge type on; not if it's online, but if it is on, as configured in the torrc.
  • Reworded the README bridges to explain in depth what are bridges, pluggable transport and their types. Removed how to acquire bridges from this text, as it was redundant when adding bridges with 4 Add additional bridges > Add bridges manually.
  • Can move from option to option faster by typing the first letter.
  • OFF and ON at the end was changed to Enable/Disable and Activate/Deactivate (variables) in the front of TOGGLE, SNOWFLAKE and MEEK

CONS
Yes, would need to rework the text for the options number to fit the option name/command.

TOGGLE BRIDGES MODE

  • Your "2 Toggle OBFS4 Bridge Mode from OFF to ON" is inside obfs4, but actually it enables all bridge modes (obfs4, meek, snowflake). This does not cause problems, but can be improved as it could cause confusion or a bug in the future (works for now).
    This uncomments all of these lines, even though it is inside the OBFS4 section:
UseBridges 1
UpdateBridgesFromAuthority 1
ClientTransportPlugin meek_lite,obfs4 exec /usr/bin/obfs4proxy
ClientTransportPlugin snowflake exec snowflake-client -url https://snowflake-broker.azureedge.net/ -front ajax.aspnetcdn.com ...

If you want the same methodology, one option for toggle is just setting UseBridges 0,1, for this to be global to all bridges, enable and disable bridge mode simpler, and distinguish it from OBFS4 section. With this, there would be no need to uncomment ClientTransportPlugin lines, just the Bridge transport lines.

  • For now, activating obfs4 bridges is a 2-step process: toggling to on, then activating. This does not need to be a 2-step process; activating OBFS4, MEEK or SNOWFLAKE should have the same structure: they check if there are other bridges active, and if not, activate them, not asking to toggle on another option.

NOTE
PS: The other options that are in the counter measure menu (bypass idle, restart tor and edit torrc) I can include in the PR, this menu-bridges I did was explicitly just bridges options.
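The suggestion above (a global toggle that only flips `UseBridges`, leaving the `ClientTransportPlugin` lines alone, and a title that reports the configured bridge type) can be expressed in a few small torrc-editing functions. The block below is an added example, not TorBox's menu-bridges or bridges_* scripts. It assumes the torrc layout quoted above: `UseBridges` and `ClientTransportPlugin` lines that may be commented out, and active bridges given as `Bridge <transport> ...` lines; it also handles plain `Bridge IP:PORT` lines (no transport), which it reports as "vanilla". The sample torrc is constructed.

```python
"""Toggle bridge mode in a torrc via UseBridges and read back the bridge type.

Added example, not TorBox's own scripts. Assumes the torrc layout quoted in
the discussion above; SAMPLE_TORRC is constructed.
"""
import re
from typing import Optional


def set_option(torrc: str, key: str, value: str) -> str:
    """Set 'key value': uncomment a commented-out line if there is one,
    replace an active one, or append the option if the key is absent.
    Only the first matching line is touched."""
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}\b.*$", re.MULTILINE)
    new_line = f"{key} {value}"
    if pattern.search(torrc):
        return pattern.sub(new_line, torrc, count=1)
    if torrc and not torrc.endswith("\n"):
        torrc += "\n"
    return torrc + new_line + "\n"


def bridge_mode_on(torrc: str) -> bool:
    """True if an active (uncommented) 'UseBridges 1' line is present."""
    m = re.search(r"^[ \t]*UseBridges[ \t]+(\d)", torrc, re.MULTILINE)
    return bool(m and m.group(1) == "1")


def toggle_bridge_mode(torrc: str, on: bool) -> str:
    """Global on/off switch: only UseBridges changes; ClientTransportPlugin
    and Bridge lines stay exactly as they are."""
    return set_option(torrc, "UseBridges", "1" if on else "0")


def active_transport(torrc: str) -> Optional[str]:
    """Transport of the first active 'Bridge ...' line while bridge mode is on
    (obfs4, meek_lite, snowflake, or 'vanilla' for a bare IP:PORT bridge);
    None when bridge mode is off or no bridge line is active."""
    if not bridge_mode_on(torrc):
        return None
    m = re.search(r"^[ \t]*Bridge[ \t]+(\S+)", torrc, re.MULTILINE)
    if not m:
        return None
    token = m.group(1)
    return "vanilla" if ":" in token else token


# Constructed torrc excerpt in the layout discussed above.
SAMPLE_TORRC = """\
# constructed torrc excerpt
#UseBridges 1
#UpdateBridgesFromAuthority 1
#ClientTransportPlugin meek_lite,obfs4 exec /usr/bin/obfs4proxy
#ClientTransportPlugin snowflake exec snowflake-client
Bridge obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=CONSTRUCTED iat-mode=0
"""

if __name__ == "__main__":
    enabled = toggle_bridge_mode(SAMPLE_TORRC, True)
    print("bridge type:", active_transport(enabled))
    print(toggle_bridge_mode(enabled, False))
```

The menu title can be derived from `active_transport()` alone, and because `toggle_bridge_mode()` never rewrites the transport plugin lines, enabling obfs4, meek or snowflake can each follow the same structure: check `active_transport()`, and only if it is None write the new `Bridge` lines and call `toggle_bridge_mode(torrc, True)`.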

temp

Option to select preferred ExitNode Country

There is already the possibility to edit the torrc file manually (in the menu), but a menu for the following options would be very helpful:

  • Allow only preselected, very trustworthy ExitNodes (e.g. those from CCC)
  • Regional settings for ExitNodes

Examples from other competitors:

SD Card Expansion?

Hi, I've been reading through the source code but couldn't encounter anything related to sd card partition expansion. How does TorBox handle this, or does it ever?

Thanks!

TorBox Tails

Is there a way I can configure torbox with tails

Problems adding tor Exit nodes

Hello, I have problems adding Tor Exit nodes. If I add them I have no Internet connection.

Torrc:

# This is the configuration file of Tor
# DON'T CHANGE THE FOLLOWING 13 LINES!
######################################################
# Configuration for TorBox
StrictExitNodes 1
ExitNodes $97F51AF6791AD33981CE25DC7A2618429F25B3B0, $68EC657DC8A587B38D5D7763D5C72E93C2CD456C,
$A2DD0EF31813E9B7F6DB435504A406E1AD2B76AB, $FDCFEA18CC64461455DE5EA3FC31834C6B42FEC7,
$9AD90317DDA2F898EB0AE0F20976EA97E7AF9012, $6B61EFE3AEDEB3351FD3C910443D95556316E01C,
$22296CB6AE56609A96F02FB843AB7B4B0A31CAF4, $844DC3890E4D04473D10EE65547491F200A86F89
Log notice file /var/log/tor/notices.log
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 192.168.42.1:9040
#TransPort 192.168.43.1:9040
DNSPort 192.168.42.1:9053
#DNSPort 192.168.43.1:9053
SocksPort 192.168.42.1:9050
#SocksPort 192.168.43.1:9050
DisableDebuggerAttachment 0
ControlPort 9051
HashedControlPassword 16:E68F16640ED8C0F7601F5AA3D229D8DFD8715623CB055577F9434F7FB7

# THE CONFIGURATION OF THE BRIDGE RELAY STARTS HERE!
######################################################
# This will setup an obfs4 bridge relay.
#BridgeRelay 1
#ORPort 4235
#ExtORPort auto
#ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
#ServerTransportListenAddr obfs4 0.0.0.0:443
#ContactInfo [email protected]
#Nickname TorBox031

# TO OVERCOME A FIREWALL, START HERE!
# HOWEVER, USE IT ONLY, IF REALLY NECESSARY!
######################################################
# This will allow you to run Tor as a client behind a firewall with
# restrictive policies, but will not allow you to run as a server behind such
# a firewall.
#
# ReachableAddresses IP[/MASK][:PORT]…
# A comma-separated list of IP addresses and ports that your firewall allows
# you to connect to. The format is as for the addresses in ExitPolicy, except
# that "accept" is understood unless "reject" is explicitly provided. For
# example, 'ReachableAddresses 99.0.0.0/8, reject 18.0.0.0/8:80, accept *:80'
# means that your firewall allows connections to everything inside net 99,
# rejects port 80 connections to net 18, and accepts connections to port 80
# otherwise.
#ReachableAddresses *:80, *:443

# TO OVERCOME CENSORSHIP, START HERE!
######################################################
# If you like to use bridges to overcome censorship, EDIT THE LINES BELOW!

.......

Error on Building with the TorBox install script (EXPERIMENTAL!)

After burning the latest Raspbian Lite logged in via ssh and ran

cd
curl https://raw.githubusercontent.com/radio24/TorBox/master/install/run_install.sh --output run_install.zip
chmod a+x run_install
./run_install

Result:

pi@raspberrypi:~ $ cd
pi@raspberrypi:~ $ curl https://raw.githubusercontent.com/radio24/TorBox/master/install/run_install.sh --output run_install.zip

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11577  100 11577    0     0  33556      0 --:--:-- --:--:-- --:--:-- 33459
pi@raspberrypi:~ $ chmod a+x run_install
chmod: cannot access 'run_install': No such file or directory
pi@raspberrypi:~ $ ./run_install
-bash: ./run_install: No such file or directory
pi@raspberrypi:~ $ 

Same when attempting with root user.

The installation has worked with the following syntax:

cd
wget https://raw.githubusercontent.com/radio24/TorBox/master/install/run_install.sh
chmod a+x run_install.sh
./run_install.sh

Problems with EXPERIMENTAL: TorBox on Ubuntu Server 20.04 LTS

I have the following Error when I want to Install TorBox on Ubuntu:

ubuntu@ubuntu:$ sudo python2 get-pip.py
Traceback (most recent call last):
  File "get-pip.py", line 24244, in <module>
    main()
  File "get-pip.py", line 199, in main
    bootstrap(tmpdir=tmpdir)
  File "get-pip.py", line 82, in bootstrap
    from pip._internal.cli.main import main as pip_entry_point
  File "/tmp/tmpP45yKJ/pip.zip/pip/_internal/cli/main.py", line 60
    sys.stderr.write(f"ERROR: {exc}")
                                   ^
SyntaxError: invalid syntax
ubuntu@ubuntu:$ sudo python2 get-pip.py
Traceback (most recent call last):
  File "get-pip.py", line 24244, in <module>
    main()
  File "get-pip.py", line 199, in main
    bootstrap(tmpdir=tmpdir)
  File "get-pip.py", line 82, in bootstrap
    from pip._internal.cli.main import main as pip_entry_point
  File "/tmp/tmpXUuPrC/pip.zip/pip/_internal/cli/main.py", line 60
    sys.stderr.write(f"ERROR: {exc}")
                                   ^
SyntaxError: invalid syntax

update menu

Just out of curiosity I tried to update through the menu... however, in the end there was an error and it ended up not updating; also, in the log I saw an error in the git of the tor. It's not serious, I'm really enjoying the project. I hope that in future updates everything will be 5 stars.
Continue this fantastic project.

torbox-20210410-v040 has undeletable files in the slack space of the second partition

Running testdisk on torbox-20210410-v040, selecting Intel partition table type, advanced utilities, second partition, list, /etc(for example), shows a number of leftover files that were deleted, but are still present in the slack space of the image. Fully removing these before packaging the image could make it a little smaller and reduce the risk of unintended pre-release artifacts hopping a ride in the slack space.

Mostly these files seem to be duplicates of config files, but I haven't searched too hard.

bug removing selected ipv6 bridge

I don't know why this is happening, couldn't figure out the error.
I can only test this for the selected bridge, but remove if not existent should be buggy too.
Only happens for the ipv6, commented or uncommented, it is not removed.

TorBox for TorBox (Whonix-GW)

Hi There,

I saw your project and it has a nice concept; I was wondering if you would like to use Whonix-Gateway as the distro for TorBox. For sure you will ask why?

  • Whonix-GW torified by default
  • It contains many security features (not included in the pi and/or debian vanilla...etc) for e.g:
  • Its own firewall which is configured to work with Tor based distro
  • Hardened kernel e.g Security-misc
  • Use of MAC like Apparmor
  • sdwdate to prevent time leaks
    ...etc

I recommend to read Whonix Wiki:

  • Clearnet:

https://www.whonix.org/wiki/Documentation

  • Onion v3:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation

So instead of making a distro yourself from scratch, here is one ready; it just needs to be configured to run on the Pi.

Coincidence: Whonix old name called TorBOX :D

https://www.whonix.org/wiki/History#Brief_Whonix_.E2.84.A2_History

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/History#Brief_Whonix_.E2.84.A2_History

If you have further questions feel always free to ask

Thank you btw for your great work :)

torbox-20210410-v040 ships with duplicate host-keys

torbox-20210410-v040 distributes ssh hostkeys in the image. I only booted it in QEMU, so perhaps regeneration is triggered somehow on device, but you might check if everyone, on their first attempted SSH login, sees the same ssh host key fingerprint(though also, ed25519, SSH, and DSA keys are the same way):

$ ssh-keygen -lf etc/ssh/ssh_host_ecdsa_key.pub
256 SHA256:pkPEvXktCYu9/KMTFipRxCr7K8AoFaUpULrsSZ6Lm78 root@raspberrypi (ECDSA)
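The check suggested above (does every device flashed from the image present the same host key fingerprint?) can be automated against a mounted image or a running TorBox. The block below is an added example, not TorBox's own tooling: it computes fingerprints exactly the way `ssh-keygen -lf` prints them (SHA-256 over the base64-decoded key blob, base64-encoded without padding) and flags any host key whose fingerprint matches one known to ship inside an image. The only real value in it is the ECDSA fingerprint quoted in the report above; the ed25519 key that `make_ed25519_pubkey_line()` builds is constructed for demonstration.

```python
"""Report SSH host keys whose fingerprint is known to ship inside an image.

Added example, not TorBox's own tooling. KNOWN_IMAGE_FINGERPRINTS holds the
ECDSA fingerprint quoted in the report above; the sample ed25519 key built by
make_ed25519_pubkey_line() is constructed.
"""
import base64
import hashlib
from pathlib import Path
from typing import Dict, List

# Fingerprint of the ECDSA host key found in torbox-20210410-v040 (from the report).
KNOWN_IMAGE_FINGERPRINTS = {"SHA256:pkPEvXktCYu9/KMTFipRxCr7K8AoFaUpULrsSZ6Lm78"}


def fingerprint(pubkey_line: str) -> str:
    """Fingerprint as 'ssh-keygen -lf' prints it: SHA-256 over the
    base64-decoded key blob, base64-encoded with the '=' padding removed."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_host_keys(pubkeys: Dict[str, str]) -> List[str]:
    """Names of keys matching a known image-shipped fingerprint. Any hit means
    every device flashed from that image shares the key, so a host key check
    on first login cannot distinguish the device from an impostor."""
    return [name for name, line in pubkeys.items()
            if fingerprint(line) in KNOWN_IMAGE_FINGERPRINTS]


def load_host_keys(ssh_dir: str = "/etc/ssh") -> Dict[str, str]:
    """Read the public halves of the host keys from a (mounted) system."""
    return {p.name: p.read_text().strip()
            for p in Path(ssh_dir).glob("ssh_host_*_key.pub")}


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line from 32 raw bytes following the wire
    format: length-prefixed key type string, then length-prefixed key bytes.
    (Constructed for demonstration; the bytes need not be a valid curve point.)"""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    keys = load_host_keys()
    shared = set(audit_host_keys(keys))
    for name, line in keys.items():
        flag = "SHARED-IMAGE-KEY" if name in shared else "ok"
        print(f"{name}: {fingerprint(line)} {flag}")
```

Point `load_host_keys()` at the `etc/ssh` directory of a mounted image partition to check an image before flashing it. If a shared key turns up on a running device, remove `/etc/ssh/ssh_host_*` and regenerate them (`dpkg-reconfigure openssh-server` on Debian-based systems does this), and expect the host key warning on the next login.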

how to share tor network via eth1

Hi, I have 2 eth (1 onboard, 1 USB). I want to connect the Raspberry via eth0 to receive internet and share via eth1 (USB network card). How can I configure it to obtain this setup? Best regards

how fix error 403 ?!

Hi,
how do I fix error 403 on update?
root@TorBox040:~# sudo apt -y update && sudo apt -y full-upgrade
Hit:1 http://raspbian.raspberrypi.org/raspbian buster InRelease
Hit:2 http://archive.raspberrypi.org/debian buster InRelease
Err:3 https://deb.torproject.org/torproject.org buster InRelease
  Could not connect to deb.torproject.org:443 (10.10.34.35), connection timed out Could not connect to deb.torproject.org:443 (10.10.34.35), connection timed out
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/buster/InRelease  Could not connect to deb.torproject.org:443 (10.10.34.35), connection timed out Could not connect to deb.torproject.org:443 (10.10.34.35), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@TorBox040:~#

No internet

Hello. I've been trying to install TorBox for almost one day and I can't figure out why it is not working.

Basically, the hotspot appears in my available networks, TOR is working according to the TorBox menu, but when I connect to the WiFi I don't have internet.
Moreover, there is an issue when booting: [FAILED] Failed to start dhcpcd on all interfaces

And during the first boot I got many issues like this (for hostapd, dnsmasq, isc-dhcpcd,...)

Which version of the Raspberry Pi and TorBox do you use?
Raspberry PI 4 and TorBox 0.3.0

Could you connect the TorBox WiFi (for example, “TorBox030”)? If no: Which clients did you try?
I can, but I don't have internet access

Could you access the TorBox with an SSH client, and did you see the main menu? If no: Which SSH clients did you try?
I cannot access TorBox using SSH (I used PuTTY)

How did you connect your TorBox with the Internet? Did you already try with a wireless USB adapter?
I tried with ethernet, wireless with my mobile hotspot, and using usb network sharing with my mobile too

What kind of power supply do you use?
The official one

In which country did you try to connect TorBox with the Internet.
France

What else did you already try (which menu entries), and which error messages did you see?
I tried all possible options. I don't get error messages, but I cannot access the internet when connecting to the router from another device.

Thank you in advance for helping me.

HTTP plain text traffic by block - question

Is it efficient for calls made from the terminal, such as to wget files?
and
Does TorBox route through SOCKS 5 from the terminal to the internet (not to the LAN) if I change to DNSPort 127.0.0.1:9053 instead of the static IP address (edit iptables.ipv4.nat too, right)? (Just to be sure)

DNSPort 192.168.42.1:9053

New logo proposal

Hi all. Just would like to share a new logo proposal with everyone, as suggested by @radio24.
Basically, it's a purple box using the onion icon. I can create alternative versions, perhaps using green or something like that. I have the vector version (svg, ai etc) on Figma, so I can share the file if someone would like to fork it.


TorBox's automatic counteractions (updated 02/08/2021)

With TorBox v.0.4.2, automatic counteractions to avoid downtime and improve the user experience with lower bandwidth are introduced. The idea behind this feature is that a routine constantly monitors the tor log file and automatically initiates counteractions if necessary. This feature is especially interesting in places with unstable networks and poor bandwidth. Tor works very efficiently on a stable network with good bandwidth, but in places with poor Internet connectivity, tor tends to get "stuck". For example, it starts to (re-)build circuits, which takes away CPU power and blocks clients from using the tor network. Usually, a manual restart helps in such a situation.

Currently, TorBox's automatic counteractions handle 4 situations:

  1. Protection against entry guard failing and overloaded tor network
  2. Protection against interrupted WiFi (wlan0/wlan1) connection with the Internet
  3. Protection against an excessive number of failing tor circuits (40 failures in 2 minutes)
  4. Protection against excessive connection failing with tor circuits (100 failures in 2 minutes)

The features are divided into three parts:

  • log_check.py: monitors the tor log file
  • log_check_config.py: configuration file in which a certain amount of log patterns in a specific time triggers an automatic counteraction
  • automat: this script defines the counteraction run if triggered

What do we need to know before we could deploy TorBox's automatic counteractions by default?

  • Are the patterns we look for in the tor log file good enough, and are there other/better patterns to include?
  • Is the number of counted patterns in a specific time appropriately chosen? We don't want to interfere too often with counteractions, but the feature should be effective. These counteractions should avoid the downtime of the connection to the tor network and give a better user experience, especially on connections with lower bandwidth.
  • Are the defined counteractions effective, or are there other/better alternatives?
  • How can we combine TorBox's automatic counteractions with Vanguards?

You can help us with answering these questions by activating TorBox's automatic counteractions with entry 12 in the Countermeasure sub-menu. Experts can play around with the settings in the files mentioned above. Please give us feedback about your findings! What is your opinion? Should we activate this feature in its final state as a default with an option to deactivate it, or should we leave the activation of that feature entirely to the users?
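The core of the mechanism described above is a count of log patterns inside a time window ("40 failures in 2 minutes"), with a counteraction fired when the threshold is crossed. The block below is an added example of that sliding-window logic, not TorBox's log_check.py: the rules are constructed to mirror the situations listed above rather than copied from log_check_config.py, and the log lines it feeds itself are constructed. It assumes tor's default log line layout (`Mon DD HH:MM:SS.mmm [level] message`); since tor omits the year, timestamps are only compared to each other.

```python
"""Sliding-window pattern counter over tor's notice log.

Added example, not TorBox's log_check.py. RULES are constructed to mirror
the situations listed above; the sample log lines are constructed too.
Assumes tor's default log layout: 'Mon DD HH:MM:SS.mmm [level] message'.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d{3} \[(\w+)\] (.*)$")

# (rule name, message pattern, hits needed, window in seconds): constructed
# thresholds in the spirit of "40 failing circuits in 2 minutes".
RULES = [
    ("circuit_failures",
     re.compile(r"Failed to build circuit|circuit build timeout", re.I), 40, 120),
    ("connection_failures",
     re.compile(r"Problem bootstrapping|connection .* failed", re.I), 100, 120),
]


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Split a tor log line into (timestamp, level, message); None otherwise.
    Tor omits the year, so the timestamps are only compared relatively."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


class LogMonitor:
    """Counts matching lines per rule inside a sliding time window and reports
    the rules that crossed their threshold (where a counteraction would run)."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.hits: Dict[str, Deque[datetime]] = {name: deque() for name, _, _, _ in rules}

    def feed(self, line: str) -> List[str]:
        parsed = parse_line(line)
        if parsed is None:
            return []
        ts, _level, msg = parsed
        triggered: List[str] = []
        for name, pattern, limit, window in self.rules:
            if not pattern.search(msg):
                continue
            q = self.hits[name]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()  # forget hits that fell out of the window
            if len(q) >= limit:
                triggered.append(name)
                q.clear()  # count afresh after a counteraction has fired
        return triggered


def run_monitor(lines: List[str]) -> List[Tuple[int, str]]:
    """Feed lines in order; return (line index, rule) for every trigger."""
    monitor = LogMonitor()
    events: List[Tuple[int, str]] = []
    for index, line in enumerate(lines):
        events.extend((index, name) for name in monitor.feed(line))
    return events


def sample_log(count: int, spacing_s: int) -> List[str]:
    """Constructed circuit-failure lines, one every spacing_s seconds."""
    start = datetime(2021, 8, 2, 12, 0, 0)
    return [
        (start + timedelta(seconds=i * spacing_s)).strftime("%b %d %H:%M:%S")
        + ".000 [warn] Failed to build circuit (constructed sample line)"
        for i in range(count)
    ]


if __name__ == "__main__":
    print(run_monitor(sample_log(45, 1)))  # burst: fires at the 40th line
    print(run_monitor(sample_log(45, 4)))  # spread over 3 minutes: no trigger
```

Feeding `/var/log/tor/notices.log` line by line (for example with a `tail -F` style reader) and calling the counteraction whenever `feed()` returns a rule name reproduces the monitor/trigger split between log_check.py and automat; the thresholds are the part that the questions above ask users to tune.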

Unable to ssh into the TorBox

Hey, this project looks amazing for having Tor over the network.

I have downloaded the image from https://www.torbox.ch
and I have burned it on the SD card, and I have a Raspberry Pi 3 Model B+.
Everything is working fine: I got a network called "torbox032" and its password is "CHANGE-IT",
and when I open https://check.torproject.org/ it's a success,
but I'm unable to ssh into the TorBox. I use an Ubuntu machine; I tried with the terminal and PuTTY, using torbox as username and the Pi's IP address,
but it does not connect.
It says:
ssh: connect to host 192.168.2.5 port 22: Connection timed out

I tried using "pi" and "torbox" but nothing works.
I even added a blank "ssh" file to the SD card, but it still doesn't connect.
The Raspberry Pi is connected with an Ethernet cable to my WiFi router,
so I tried to ssh into it from both networks: 1) on my WiFi, 2) on the TorBox.
Still nothing works.

And when I try to ssh into the TorBox while on the TorBox WiFi network it gives me this:
kex_exchange_identification: Connection closed by remote host

Thanks in advance for your time and help :)

signaling newnym and reloading torrc

There are many ways to signal NEWNYM.
new_ident.sh requires a password; this can be cut off (using stem will ask for a password, using tor-prompt won't, AFAIK; even though I find this strange, my tests resulted this way).

NEWNYM

sudo -u debian-tor tor-prompt --run 'SIGNAL NEWNYM'

-i 9051 does not need to be mentioned if using the default port.

Also possible to call using stem

import os

from stem import Signal
from stem.control import Controller

# Control password as set via HashedControlPassword in the torrc; read it from
# the environment rather than hard-coding it in the script.
password = os.environ["TOR_CONTROL_PASSWORD"]

with Controller.from_port(port=9051) as controller:
    controller.authenticate(password=password)
    controller.signal(Signal.NEWNYM)  # use new circuits for new connections

HUP

Also, restarting tor just because of editing the torrc should not be done, for the sake of time. There should be an option to restart Tor, of course, but only when necessary.

sudo -u debian-tor tor-prompt --run 'SIGNAL HUP'

or (this option below does not let you choose ControlPort)

sudo pkill -sighup tor

Also possible to call using stem

import os

from stem import Signal
from stem.control import Controller

# Control password as set via HashedControlPassword in the torrc; read it from
# the environment rather than hard-coding it in the script.
password = os.environ["TOR_CONTROL_PASSWORD"]

with Controller.from_port(port=9051) as controller:
    controller.authenticate(password=password)
    controller.signal(Signal.HUP)  # reload the torrc without restarting tor

Source:

Can't disable torbox wlan

I want to use torbox only through ethernet cable
I try to disable torbox wlan through the appropriate menu but it doesn't work,
it is always among the available wi-fi networks

How to change DNS server in torbox?

Hi, the question is: how do I safely change the DNS server with AdGuard Home installed locally in TorBox?
I want to see and block some DNS queries with AdGuard Home.
If I understand correctly, I need to modify the torrc file only?
Best regards

2 types of bridges active at the same time

  1. Enable snowflake then meek -> Bug
  2. Enable meek and then try to enable snowflake -> wont permit as expected

After the 2 above, trying to deactivate snowflake when both are active won't work; meek needs to be deactivated first, then snowflake.

The menu and the torrc contains the bridges.
temp

I did not look in depth into the bridges files meek-azure and snowflake to correct and PR now... maybe later.

Feature request: enable/disable tor preserving forwarding functionality

Is there any chance to have an additional feature consist of "enable/disable tor daemon" menu entry and preserving network forwarding functionalities?

It could be interesting for more advanced privacy preserving use such as leveraging on torbox for network traffic analysis via tcpdump and snort.

Thanks in advance.

QUESTION - Why the chosen site to ping is google.com?

Uptime? Availability across the world? Common?
Any problems if changing to debian.org or gitlab.com? Or does google just blend into the crowd when used in a public space?

Could you elaborate on the requirements for an eligible site?

ICMP/PING is not passing through TOR

I have no 100% accurate way of verifying this, but when I ping something (from MY computer, not "TORBox OS"), the ping is very low and the same as if I ping it from my home connection. I've also figured out that the pings are "GEO" based on the location I'm from. That makes me think ping/ICMP isn't "torified", i.e. sent over Tor.

I don't know if this is on purpose or not; perhaps there is a way of making it go through Tor?
Please take a look, thank you so much!!

I use the latest version torbox-20200112-v030.gz

add Vanguards

Even after deployment of the new v3 onion service protocol, the attacks facing onion services are wide-ranging, and still require more extensive modifications to fix in Tor-core itself.

Because of this, we have decided to rapid-prototype these defenses in a controller addon in order to make them available ahead of their official Tor-core release, for onion services that require high security as soon as possible.

https://github.com/mikeperry-tor/vanguards#running-this-addon-directly-from-git

This is for the controller, so I think it is good to be added.
I have a script that runs from git, creates a systemd service for vanguards to execute the python script. I still want to enhance it to be a menu option to show logs, install, remove, start, stop, but that is the last part after all things are ready.
Would be good to enhance the log check with vanguards logs

Important part:
Want this?
Default installation or optional installation?

Option to block all HTTP plain text traffic

While it is possible to install an add-on like HTTPSEverywhere in the Browser, it is not available for all devices such as smartphone browsers.

Since the TorBox routes all traffic of a device through the Tor network and not only of the browser you can easily be identified by the numerous unencrypted requests at the ExitNode.

Among them are plain text requests to telemetry servers and time synchronization services. A special danger are the attacks with sslstrip, which increased again in 2020: https://blog.torproject.org/bad-exit-relays-may-june-2020

The Tor Browser Project itself has identified this issue and blocking plain text HTTP requests is hopefully getting implemented as an option in the Tor Browser soon (there is an open issue).

In the TorBox this would be easy to implement as well. Therefore I would highly recommend this feature.
