New Tor Browser Bundles with Firefox 17.0.11esr and Tor 0.2.4.18-rc

Firefox 17.0.11esr has been released with several security fixes and the stable and RC Tor Browser Bundles have been updated

There is also a new Tor 0.2.4.18-rc release and the RC bundles have been updated to include that as well.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-15)

  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)

Tor Browser Bundle (2.4.18-rc-1)

  • Update Tor to 0.2.4.18-rc
  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Remove PDF.js since it is no longer supported in Firefox 17
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)


@ erinn

In previous posts, I asked whether there was communication and co-ordination among developers of Tor and Tails. I was assured there was.

This post of yours is evidence that there is none. The current version of Tails, which is 0.21, does not include TBB 2.3.25-15. The next release of Tails is scheduled for December 11, 2013.

Tell me, erinn, what shall Tails' users do in the interim?

Oh, by communication you meant that Erinn shouldn't announce her releases until Tails announces theirs? I think that's a poor plan -- the new Firefox ESR is out and public, so the clock is ticking either way.

@ arma

Let me rephrase and simplify my earlier post.

Should users continue using Tails 0.21?

Perhaps it would avoid confusion and preempt questions if Erinn were to add a statement like "an updated tails release will follow shortly" to the release announcements?

In any case thanks for the prompt Tor Browser update.

Is it SAFE for us Tails' users to continue using Tails 0.21? I use Tails every day.

Your prompt response to the above question is much appreciated.

@ arma

(note: I submitted a reply two days ago and apparently it was deemed inappropriate and was censored. I do not see why it should not appear on this page.)

Let me re-phrase and simplify my earlier post as follows:

Should users of Tails continue using Tails 0.21, knowing that it does not contain the latest version of Iceweasel 17.0.11?

Or to phrase it in another way, is it SAFE for users of Tails to continue using Tails 0.21?

The vulnerabilities fixed are listed in MFSA 2013-103: https://www.mozilla.org/security/announce/2013/mfsa2013-103.html

See also https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

How close are we to upgrading the main TBBs to run with Tor 2.4.x? It is likely that 2.4.x contains a higher degree of security than 2.3.x, especially with the new handshake protocols, and these TBB releases seem to work pretty well. What's the timeline of the 2.4.x release?

Step one is for me to put out a stable Tor 0.2.4.x release. Real soon now I hope.

I'm getting a bad signature when trying to verify the bundle
Erinn Clark
63FEE659
8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

Thanks for this great work!
Why don't we use Firefox release 24.1.1esr from 2013-11-15?
I'm glad to see and try "Pluggable Transports Tor Browser Bundle"
But I'm asking why Privoxy is not inside the bundle?

Best Regards
MrWhite

I don't believe Privoxy has ever been a part of Tor Browser Bundle, although it was once a part of the Vidalia Bundle. Something called Polipo was included when Firefox contained a bug which caused connections through Tor to timeout. That's been long since fixed, so there's no need for something like Privoxy or Polipo to use Tor.

@erinn

So glad the team is so responsive to propagating updates into TBB. Would it be possible to aim to standardize this practice across all TBB releases?

I imagine many users understand the alpha-->beta-->RC-->stable convention for releases and I can sympathize with the huge diversity of platforms the project supports, but the current set of builds makes the distinction a bit confusing:
* TBB 0.2.3.25-15, with latest FF and NoScript but a version of Tor that has remained "stable" for a bizarrely long time despite arma and nickm's comments about its handshake making it almost functionally deprecated
* TBB 0.2.4.18-rc1, which contains what's called a rc of tor that most users--and as far as I can tell, developers--are treating as stable code...especially in relation to the current "stable" build
* TBB 3.0-b1, which currently contains the OLD FF/NoScript and a slightly older version of tor itself but which isn't made easily accessible to users who don't follow the project's e-mail and announcements carefully

For modular components like tor itself, NoScript, and Firefox, it might be ideal to propagate updates to all TBB releases simultaneously. Encouraging as many TBB users as possible to converge on the latest FF/NoScript code in whatever flavor of TBB they use seems important from both a security standpoint and an anonymity standpoint. Vulnerabilities fixed in 17.0.11esr could be used to exploit the minority of TBB 3.0beta1 users without those patches, but to the extent other users running updated releases can be identified as non-vulnerable, their anonymity is also potentially reduced when component updates into different TBBs are staggered.

This new release (64 bit) crashes every few minutes on Debian 7.2 (64 bit)

Yep. Try the newer 64-bit bundle she put up a little bit ago.

Today with 2.3.25-15_en-US.

Status: Connected to the Tor network!

Message log: the usual stuff (100%).

'Sorry. You are not using Tor.

Your IP address appears to be: 72.52.91.19'

Not mine, by the way.

And it crashes often in multi-tab-use as well as -14 does.

https://trac.torproject.org/projects/tor/ticket/7342#comment:8

As for the crashes, you might be best served opening a trac ticket with more details. Also try TBB 3.0rc1.

Opened a ticket for crashes. Please add information, if you have some.

https://trac.torproject.org/projects/tor/ticket/10254

Do the Tor Browser Bundles use Perfect Forward Secrecy ( PFS )? If no, do they need to or is PFS dependent on the individual website being viewed and not the browser?

Whether you get perfect forward secrecy is a property of the handshake with a webserver. TBB supports it if the webserver you're talking to supports it.

I JUST d/l'd tor browser bundle 17.0.11 and thought I'd check the NoScript "Allow Scripts Globally" default setting. uhh...guys....it looks like scripts are allowed globally by default...if I'm reading this right. I pulled a screenshot (this is for Debian 6.0.8 Linux Kernel 2.6.32-5-amd64 Gnome 2.30.2) just to show I'm not crazy. I'm sure I MUST be reading this wrong. I'll send if you like. (Do you have a preferred public key I should use?)

In the NoScript options window on the "General" tab at the bottom of that, I see "Scripts Globally Allowed (dangerous)" and it's CHECKED on. (So I unchecked it.)

Is there some old setting somewhere that does this just on MY system? Does this not apply somehow?

What don't I understand? Is my OS broken?

https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

I saw this logic earlier. But it doesn't go far enough...though you're certainly right about profiling javascript off.
The trouble is that, as you know, everything is profilable using Naive Bayes and many similar. So website visits have a profile. IP exit points add to that. Absence of TOR exit adds to that. Mouse behavior/timing between clicks add to that. This is the unavoidable nature of modern machine discovery. All of us, whether we use javascript or not, have fuzzily unique profiles.
Unfortunately, this logic surrenders (by default) something huge like javascript execution. You do this to buy the absence of only a single variable!! This is in a large multi-dimensional profiling analysis offered by something as simple as Naive Bayes. You increase the profiling complexity by only 10% (if that) when you leave this front door wide open!
SUGGESTION: Issue a banner warning on the Tor "Congratulations" page that says "JAVASCRIPT IS ON". Then more people will be informed enough to make a truly intelligent decision.

noscript is a waste of time - it's well known the FH exploit bypassed it.

No, you are confused.

It depends how your noscript was configured.

The trouble is that we weren't using noscript for the thing that would have helped in that case. That doesn't mean noscript itself is a waste of time.

was it to do with some people whitelisting?

It was an iframe attack. However I tested noscript and even with iframe enabled, javascript was not executed within the frame.

There is now a little thing at the bottom of check.torproject.org. It remains for us to make check.tp.o a better page. Also, in TBB 3, that page isn't the homepage anymore.

This release of the TBB freezes and occasionally crashes whilst visiting Amazon.

Oh? If you can trigger it reliably, you should open a ticket with details.

The tor browser bundle is flashing an update info that's apparently not available. It's no big deal but probably should be addressed as soon as possible. Your efforts are highly appreciated.

Well, maybe it is a big deal -- what version do you have?

There are alas a few bugs in the TBB 2.x update notification mechanism. You might enjoy TBB 3.x.

NoScript updated itself to 2.6.8.6

Don't recall NS updating itself in previous TBBs.

Everything ok?
