New Tor Browser Bundles

The Tor Browser Bundles have been updated to Tor 0.2.2.35, which fixes a security-critical bug. Please see the release announcement for further details. All users should update immediately.

This Tor Browser Bundle release also contains new Firefox patches which improve privacy and unlinkability.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-1)

  • Update Tor to 0.2.2.35
  • Update NoScript to 2.2.3
  • Update Torbutton to 1.4.5
  • New Firefox patches
    • Disable SSL Session ID tracking
    • Provide an observer event to close persistent connections

torbutton disabling half of drop links options even when it's off...

Thanks a lot.

Torbutton 1.4.5 seems to disable many drag & drop actions:
- customize toolbars (add, move items, move toolbar position)
- add bookmarks (by dropping onto bookmarks toolbar)
- move bookmark position
- move tab position

Maybe due to changelog #4517 "Disable external drag and drop (prevents proxy bypass)"...?

I posted a thread on identi.ca about recent releases of the TBB throwing a javascript exception consistently on startup, as torbutton loads a cookie jar selector script. Updated to this bundle version and verified Torbutton is v1.4.5. This problem persists. I posted a question as to whether cancelling the script - which does allow FirefoxPortable/Aurora to complete loading - represents a security issue. I would presume so. The question is unanswered. I don't have an account on whatever bugzilla (or whatever) you folks use. I am just duly re-reporting a problem with your software project. Hope this helps you get it fixed. Thanks.

MGKrebs

Thank you

With all due respect to the hard work of Tor developers, if Tor is supposed to be critical to communicating openly in oppressive regimes, how is anyone supposed to trust Tor if it has an update every other week which fixes yet another security bug?

Shouldn't the fact that there's so many Tor updates imply that something's not being done correctly on the part of developers in releasing such a flawed product? Especially when that flawed product can put people's lives in danger?

Internet security is constantly changing, it's a GOOD sign that we're seeing updates like this. The battle for privacy is a constant battle.

"Shouldn't the fact that there's so many Tor updates imply that something's not being done correctly on the part of developers in releasing such a flawed product?"

Actually, if anything, I think the frequent updates show just the opposite: That the developers are staying on top of the situation and releasing patches as soon as possible after vulnerabilities are discovered.

What browser, operating system or pretty-much any other piece of software doesn't continually have holes and bugs discovered in it?

It's a constant battle, with the "bad guys" usually /at least/ one step ahead. This is the reality of IT security in general- not just of Tor.

Of course, because of the very nature of Tor, it will always be an especially enticing target.

With all due respect, I'm a coder... I know what kind of hard work a program like this takes. You have to remember there are governments paying people like myself a great deal of money to tear this code apart, pardon the pun, bit by bit.
These people, and those looking to exploit others, make up more than 80% of the people who try to run any kind of exploit on Tor. They have very deep wallets, and almost unlimited resources.
Thanks to the Patriot Act, (which in my home is referred to as the Gestapo Act,) any encrypted traffic sent to or from the US is monitored. All the exit nodes from the states, being public listings, are more than likely monitored, as well as phone calls, emails, etc., which are all stored on a few servers in places like the NSA compound in southern New Mexico, or their hq in Maryland.
I should know. I've worked for many years as a coder trying to get past a lot of the Gestapo-like blocks on the American web, such as mandatory traffic monitoring by all ISPs in the country. Whether they can read what you have openly or not, they will find out where you are going, and what you are doing, eventually.
The fact that the Tor coders are putting out updates left and right shows me they are on top of their f***ing game, NOT that this product is flawed. Tor represents one hell of a challenge for a lot of places, and they will work hard to tear Tor to hell and back.

Thank you for your work.

Is there a reason why Torbutton has an old user agent with this release?
(same as the previous release):

Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0

Most non-Tor users have upgraded Firefox to a modern version number.

Ditto this question.

Does showing an outdated user agent not make TBB users stand-out?

What about using an add-on such as "User Agent Switcher"? Would that be safe?

Or manually changing the user agent string?

add-on such as "User Agent Switcher"? Would that be safe?
I think the problem with any UA besides the TBB UA is that a "snoopy" site knows you are using Tor. So any UA other than TBB's UA will distinguish you from other Tor visitors.

My guess is that the reason for the slightly outdated UA is:
1. Tor devs acknowledge that sites which identify visitors already know when a Tor user visits. Therefore using the same modern UA over different Tor versions is least distinct among Tor users (this seems weak since users should stay updated, but individual users may not know to update for many days)
2. Many modern (overly scripted) pages need to know browser and version for something non-standard, or to handle "obsolete" version. If not for this, the best UA would be an empty UA or something like, "Mozilla compatible (tor browser)"

Someday the tbb UA must be changed. Tor visitors will have only two possible UAs.
This is another type of transition problem.

I think slightly better would be a UA rotator included in TBB. The advantage of rotation is during the transition period when users update to a TBB that has a new UA.
Assuming referer is disabled or spoofed (referer is another topic), then rotating common UAs would help mix Tor users among each other in the site's logs.

A fake example:
User A visits in newest TBB. UAs rotate between IE8, FF7, Safari 5
User B visits in older TBB. UAs rotate between IE8, FF6, Safari 5
Web logs see 4 different browsers.
Without UA rotation, logs see 2 browsers. Knowing tor doesn't rotate UAs, logs distinguish both visitors from each other. Although really, User A is 3 visitors and User B is 4 visitors :)

Why can't Linux users use the full release of the TOR browser bundle instead of the beta? I use ubuntu 11.10 as my main OS and the beta does not work properly...it crashes all the time. Why can't Linux users have the choice of the full release and a beta like windows does? wtf is going on?????????

The GNU/Linux version only first started after the Windows and Mac versions had been out for some time.

As I understand it, the GNU/Linux version simply has not advanced out of beta yet; it is not that a "full release" is being kept from you, it's that such a beast simply doesn't exist yet.

Showing an attitude such as yours is unlikely to help anything. If you are impatient with the pace of the development, the only thing you can do is volunteer and/or donate in some way.

with this version of the tor browser, when torbutton is enabled, you can not customize the toolbar by dragging items on and off of it. if you remove the torbutton icon from the toolbar by clicking the "restore default set" button, you are essentially screwed and can't replace it onto the toolbar and thus can't enable/disable torbutton without creating a new profile.

What's the difference between Tor 0.2.2.34 and 0.2.2.35?

Why are there two separate download pages for TBB?

https://www.torproject.org/download/download-easy.html.en
https://www.torproject.org/download/download

I have also wondered this. The apparent redundancy can indeed be confusing.

I am anonymous from Syria. I use Mac Lion OS 10.7.2.
I've downloaded TorBrowser-2.2.35-1-dev-osx-x86_64-en-US, but when I try to watch a YouTube movie I get a message telling me that Adobe Flash Player has crashed. I tried to update Flash Player and Shockwave, but I got the same message that Adobe Flash Player has crashed.
So, I've downloaded TorBrowser-2.2.35-1-dev-osx-i386-en-US, and there is no problem.
I've downloaded the previous releases of TorBrowser-dev-osx-x86_64-en-US without any problems, but with the new TorBrowser-2.2.35-1-dev-osx-x86_64-en-US I had them.

It appears that httpseverywhere is broken. Using tor-browser-2.2.35-1_en-US.exe
Or was there a policy change?

A very small change to your install instructions. Some of us took forever to install and trust TOR. Then, after running it and trusting it you brought out 2.2.35. It would have been nice to have told us that the over install was as easy as NOT changing the original configuration file. (OPTION ALREADY THERE!) Sometimes new versions wipe everything out and you have to do a new config. I was one of those. I wrote down EVERYTHING, since there was no way to print the info (hint).
It would have been nice to know how EASY IT WAS to upgrade.

THANKS!

I'm getting a weird description from AnWir Task Manager when vidalia.exe tries to add itself as a startup item.
"Status: Regular entry
Description: Vidalia is a cross-platform controller GUI for CRYPTER.A TROJAN!"

See pic: http://i39.tinypic.com/t67cl5.png

This happens when I install vidalia-bundle-0.2.2.35-0.2.15.exe, and yes - I've verified the signature.

I know there was talk about getting rid of the Vidalia bundles, is that still in the roadmap? For the meantime, is this critical update to Tor included in the Vidalia bundle download or only the browser bundle?

For basic level users the new Tor browser bundle for Mac OS 10.5.8 (using Firefox 8) is totally unusable. Download the application. Click on the icon. Get a message saying "Vidalia was unable to authenticate to the Tor software. (Control socket is not connected.)
Please check your control port authentication settings." I don't even know what a "control socket" is. If I manage to find my "control port authentication settings" I wouldn't know what all the numbers and decimal points mean.
One shouldn't have to be a master hacker kid in order to have access to Tor-level privacy.

same problem

Same problem here, anyone got a solution?

I am having this problem too! Does anyone have an answer?

Nope. I have the same problem... Tor has always been a bit hit and miss, TBQH.

SAME PROBLEM, PLEASE ADVISE, TOR!

With this new update Vidalia crashes on startup, then on the next startup it asks for a password. Clicking cancel then allows the proper things to happen. Also Vidalia crashes a lot on exit.

Hi, I would like to know how the Tor Team can remotely change the Home Page on my Aurora browser (in Tor Browser Bundle).

DAYS PRIOR: Under Tools->Options, homepage used to be:
https://check.torproject.org/.....uptodate=1

NOW: Under Tools->Options, Homepage has now magically been switched to:
https://check.torproject.org/.....uptodate=0

If the homepage setting in Aurora (in Tor Bundle) can be remotely edited by tor programmers, what other settings do the tor programmers have the power to change when they please?

Big problem with this latest version of the Tor Browser Bundle: it won't allow you to change any settings in about:config, change the toolbars, etc.

I've tried on Windows 7 64-bit Home Premium, Windows 8 Dev Preview, etc.: It just will not let me get to those settings.

Is this actual expected behavior for this browser? If so, I'm sticking with the older version, bad security flaw or no.

Okay, I have found out that this is not from TorButton 1.4.5, since I installed it on the older version that I kept a backup of along with the latest version of NoScript and I have no problems editing the toolbars, getting to about:config, etc.

It appears that one of the changes to Aurora for the latest version of the browser is causing this issue, not any of the extensions (since I uninstalled all extensions and I still could not change anything on the toolbars as well).

OT:

About telling users about bridges...

What about a visual captcha like system? A piece of software that generates a randomly named image, which all look kinda different - at least for some piece of software, meaning you change insignificant bits for pixel color, use some algorithm for random backgrounds, use random colors, maybe formats/format versions, random metadata (maybe allow a user to specify its own image where the relevant data will be inserted) - use image sorting software to find out if it's random enough - and contains instructions on how to connect to a bridge, maybe even how to obtain a recent version of Tor. Maybe this could even be embedded in the image (using steghide), if it's large enough.

One can then upload this picture to a website not even related to Tor, maybe a social networking site, forum, whatever... and inform users about bridges.

Of course there would be attack, so only a small portion of bridges should be used for this, but most things can be attacked.

1.) Starting just now, the NoScript bar at the bottom of the page with the info about which scripts are blocked/allowed is a turquoise colour.

I've been using this new version of TBB for a few days now and this is the first that I notice this change of color.

2.) I hope to see some answers to many of the questions that have been asked above.

With much appreciation as always for all who make TBB possible,

Another random anon

Tried to change homepage from Tor check page to another site and the homepage was switched back to the Tor check page. Very annoying. Please fix.

@Tor Developers: It's really painful to have to wait like 2 days for a comment to get approved. Then another 2 days to get a response from you. Can't you guys just start a forum already, where you allow unregistered, anonymous posting? ... and please post answers faster than 2 days.

https://blog.torproject.org/blog/new-tor-browser-bundles-12#comments

I suggest posting any replies _there_.

_____________Begin Quoted Text_______________

On December 27th, 2011 phobos said:

We're working on it, see https://trac.torproject.org/projects/tor/ticket/3592. The problem is generally twofold:

1. finding forum software that isn't filled with exploits
2. finding forum mods willing to pay attention to the forums to filter out spam and stop stupid conversations about conspiracy theories and alien invasions. Or at least moving the latter to topics out of the normal forums.

____________End Quoted Text__________________________

Default theme is BROKEN in tor-browser-2.2.35-2_en-US on Windows 7 64bit. Browser shows no themes under the themes tab and aero effects are completely off on the whole browser (but not Vidalia)

I posted this above, but I'll do it again down here.

The new TorButton prevents one from copying Firefox images to the desktop. You can drag them over to the desktop, but they don't land there as files. Doesn't matter if Tor is engaged or disengaged. If you disable the TorButton add-on, the functionality returns to normal.

This is answered in the newer thread at:
https://blog.torproject.org/blog/new-tor-browser-bundles-12#comments

_____Begin Quoted Text_____________

On December 27th, 2011 phobos said:

Correct, this version fixed a privacy leak where if you drag images/urls from firefox to the desktop, some people noticed their systems bypassing tor and directly getting the image/url.

__________End Quoted Text_____________

I'm having the same problem using Mac OS X 10.6.8. I'm using the TorBrowser-2.2.35-3-dev-osx-i386-en-US package.

I can drag and drop selected text to the desktop, but not images. Frequent attempts to do so (or even "Save As...") will cause frequent crashes.

What is this "Aurora" browser in my Tor Browser Bundle?
Every piece of documentation online refers to some version of FireFox as the browser included in the TBB. So I downloaded it (2.2.35-3_en-US), and the browser that appears is Aurora. It looks suspicious because of all the foreign text below the URL bar, I don't trust it.
Is this legitimate, and if so, why don't the docs tell people to expect Aurora instead of FireFox in the Browser Bundle?

Anon,

"The precursory releases of upcoming Firefox releases are named Nightly, as this is the name of the trunk builds, and Aurora, a separate nightly branch for refining code.

Current Test Releases

Firefox 10.0 Beta 3
Firefox 11.0 Aurora
Firefox 12.0 Nightly"

From Wiki. Basically it's a stage in firefox development.

Shouldn't you be consistent in how you refer to it?

As a poster above wrote,
"Every piece of documentation online refers to some version of FireFox as the browser included in the TBB."

Surely you must see how this causes confusion.

Downloaded latest version two days ago and worked perfectly. Now it's hanging up at "establishing an encrypted directory connection". Any thoughts??

Signature verified on the Tor Browser Bundle but Prevx went ballistic when I installed it.

\Tor\Tor Browser\FirefoxPortable\App\Firefox\certutil.exe] has been removed and contained a threat of type [High Risk Worm]
\Tor\Tor Browser\FirefoxPortable\App\Firefox\TestFile.exe] has been removed and contained a threat of type [High Risk Worm]
\Tor\Tor Browser\FirefoxPortable\App\Firefox\TestOpen.exe] has been removed and contained a threat of type [High Risk Worm]
\Tor\Tor Browser\FirefoxPortable\App\Firefox\TestPipe.exe] has been removed and contained a threat of type [High Risk Worm]
\Tor\Tor Browser\FirefoxPortable\App\Firefox\ReadNTLM.exe] has been removed and contained a threat of type [High Risk Worm]
\Tor\Tor Browser\FirefoxPortable\App\Firefox\TestServ.exe] has been removed and contained a threat of type [High Risk Worm]

:/

How do I upgrade Flash? Some online games can't play; they are asking to upgrade Flash to the latest. Please advise.

The short answer is "don't use Flash with Tor."

(I guess the even shorter answer is "don't use Flash".)

See also https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash
