New Tor Browser Bundles with Firefox 17.0.6esr

There is a new Firefox 17.0.6esr out and all of the Tor Browser Bundles (stable and alpha branches) have been updated. The new stable TBBs have a lot of new and updated Firefox patches, so those of you who were experiencing crashes should no longer be seeing that behavior. Please let us know if you do by opening a ticket with details.

The stable Tor Browser Bundles are available at their normal location.

The alpha Tor Browser Bundles are available here.

Tor Browser Bundle (2.3.25-8)

  • Update Firefox to 17.0.6esr
  • Update HTTPS Everywhere to 3.2
  • Update Torbutton to 1.5.2
  • Update libpng to 1.5.15
  • Update NoScript to 2.6.6.1
  • Firefox patch changes:
    • Apply font limits to @font-face local() fonts and disable fallback
      rendering for @font-face. (closes: #8455)
    • Use Optimistic Data SOCKS handshake (improves page load performance).
      (closes: #3875)
    • Honor the Windows theme for inverse text colors (without leaking those
      colors to content). (closes: #7920)
    • Increase pipeline randomization and try harder to batch pipelined
      requests together. (closes: #8470)
    • Fix an image cache isolation domain key misusage. May fix several image
      cache related crash bugs with New Identity, exit, and certain websites.
      (closes: #8628)
  • Torbutton changes:
    • Allow session restore if the user allows disk activity (closes: #8457)
    • Remove the Display Settings panel and associated locales (closes: #8301)
    • Fix "Transparent Torification" option. (closes: #6566)
    • Fix a hang on New Identity. (closes: #8642)
  • Build changes:
    • Fetch our source deps from an https mirror (closes: #8286)
    • Create watch scripts for syncing mirror sources and monitoring mirror
      integrity (closes: #8338)

Tor Browser Bundle (2.4.12-alpha-2)

  • Update Firefox to 17.0.6esr
  • Update NoScript to 2.6.6.1

This release has again been built with a rather 'modern' version of GTK ... too modern for me! Shame, really. I haven't been able to use any of the TBBs since 2.3.25-2 came out. Are there any plans to do something about this?

Why don't you open a ticket?

> Why don't you open a ticket?

I will. But first I have to figure out how to do this :-) It's probably best to suggest that future browser bundles will be built with the same GTK version that Mozilla use for their ESR releases.

I just noticed that it is impossible to open a ticket without registering first. Since I don't want to do that ... can someone who has already registered please open a ticket regarding the GTK version? Thanks!

You can make tickets anonymously, using the login listed on the front page of the wiki.

https://trac.torproject.org/projects/tor

Multiple tickets already exist, and in fact, have existed for quite a while, for this. See 8352, 8401.

Thank you! downloading :D

Fixed in Firefox ESR 17.0.6

MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Thanks to all of you for your hard work and dedication. You make the world a better place

What about the slow UI performance of Tor Browser Bundles on Linux 32-bit systems? People will be using older versions of TBB (those built on Firefox 10) until they are fixed.

Please open a ticket with details.

There are multiple tickets that have been filed regarding this issue many months ago, to no avail.

See: https://trac.torproject.org/projects/tor/ticket/8352 and https://trac.torproject.org/projects/tor/ticket/8401

Isn't it dangerous to use a deprecated version of TBB?

Hi. What are the pros and cons of HTTPS and HTTP .onion sites?

Onion sites are already encrypted from your Tor process to their Tor process, and some have said that the additional HTTPS encryption is unnecessary. However, I think it can help in some cases. If their services are on a network behind a Tor gateway, I'd be concerned that they could have an eavesdropper. Also, if you already know their certificate, that's another layer of verification in addition to their .onion.

no chinese language now?

When updating to this new bundle (I am a Mac user) do I need to delete and replace my previous version of TorBrowser_en.US in the Applications folder? When launching from that location even after updating, I am still being notified of an available update from the home page and the 'About' screen is showing Firefox ESR 17.0.5 ("up to date" when I run update check).

I too am getting this as a Windows user

I unzipped the TBB zip file, and then dragged the TorBrowser.app into my Applications. Was prompted to overwrite, which I did, and then I launched from Applications as usual - I'm now running Firefox 17.0.6 and the update notification is gone.

Basically, if you have a TBB in Applications, then yes overwrite it with the new one. I suppose you can also execute the new one outside of Applications, but keeping a new release outside Applications and an old release inside Applications sounds like a recipe for confusion!

yes, you might want to export any bookmarks you have first though: menu Bookmarks -->Show All Bookmarks. then click the star icon drop down on top of the "library" window that opens. Select Backup. Save the .json.

Then drag your Tor Browser Bundle to the trash. Replace with new one you d/led. Then restore the .JSON file the same way.

My IP doesn't seem to change much (if at all), when I click on "Use a New Identity" and then go to the torcheck page.

I'm using the latest TorBrowserBundle in Windows 7 64bit.

The TorButton has never worked for me in the past (left and right clicks did nothing), and I always deleted the entire Tor Browser folder before installing the new one. But now with the latest version, the TorButton is functional - but here's the catch: I'm unable to move it from the Navigation Toolbar! :(

Hi
I have Tried to contact with the new version several times, but it did not work ..!!

Hi
tor does not work anymore in iran from weeks ago..
even all bridges or ....
even changing every tweaks and tricks are no use..
If u have a way u should release a special version for Iran... plz..
tks

how about Iran?

tor has stopped working in Iran from months ago..

all bridges and other tor software no more working..

we tried all tricks and tweaks no use..
if u have any way plz release a special version for Iran so that al can use it easily.. plz.....
we need it ..even psiphon 3 and freegate does not work..
by psiphon we can connect to youtube but after two minutes it disconnects..
all socks and vpn and port 443 are no more able to open youtube.. even by adding https to youtube the site can be open but can't play videos..

please help Iranian
tks
mah_deh@yahoo.com

Previous stable TBB version was 2.3.25-6

Why did you skip 7?

Forgive me if I sound like an idiot, but to update to the latest Tor Browser do you just delete the folder titled "Tor Browser" and download this file, then follow the same procedures as before (extracting, etc.)?

Yes, that's what I do

I suggest renaming the outdated "Tor Browser" folder to "Old Tor Browser" or something like that before extracting the new Tor Browser. This way, if there are any unforeseen problems with the new Tor Browser, you can go back to the outdated version without losing bookmarks and extensions.

Hi,
I downloaded the new version but it doesn't connect, while the other version works normally

I have a new problem with Tor Browser Bundle: after clicking Start Tor Browser, the Vidalia control panel starts and within a second it connects to the Tor network, but Tor's modified Firefox browser does not open. If I manually start tbb-firefox it shows unable to connect to network, proxy settings changed. Even after installing a new one the behaviour has not changed. Can you please answer the reasons?

I have the same problem

Are the default values of the Tor Firefox Browser different than what they are for the non-Tor Firefox Browser? For example, according to the MozillaZine website, the default value of "network.http.keep-alive.timeout" is 300 seconds, but the Tor Firefox Browser indicates in "about:config" the default value is 20.

Hey man
HELP IRANIAN USER
THERE IS NO WAY HERE LEFT CONNECTING TOR
even obfs can't connect
even with new bridge
plz show new trick
WHat are u waiting for?

I have been using TOR for a while now with no issues. So I downloaded and installed the new one for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches.
I installed the previous one but the same problem persists.
I tried reinstalling it and the same thing keeps happening. Any ideas?

How long did you wait?

It takes considerably longer for TBB to start than it does for a regular browser.

Chinese how to download it ?

Thanks!

The only bad thing that happened to me with this release is that the RequestPolicy extension -- https://www.requestpolicy.com -- now makes the browser crash. I don't know if that happens in Firefox 17.0.6esr (neither did I contact the extension's developer yet). Could anyone confirm that?

Thanks again for continued updates! Is it possible to post the MD5 for quick verification rather than using gnu sigs?

SHA256SUMS:
https://people.torproject.org/~erinn/qa/stable/2.3.25-8/sha256sums-2.3.25-8.txt.asc

But without verifying the signature of the TXT file with the hashes, it's only as trusted as the SSL connection.

To verify the file containing the SHA256 sums:

1.) Download the following two files from
https://people.torproject.org/~erinn/qa/stable/2.3.25-8/

- sha256sums-2.3.25-8.txt
- sha256sums-2.3.25-8.txt.asc

2.) Follow the instructions for verifying TBB ( https://www.torproject.org/docs/verifying-signatures.html.en ), replacing the TBB file with the sha256sums file:

gpg --verify sha256sums-2.3.25-8.txt.asc

BTW, why do the Tor Project signature files not end in .gpg as the Debian, Ubuntu and (apparently most others) do?
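The two steps from the comments above (check the signature on the sums file, then use it) can be chained so that a hash is only compared after the signature check has passed. This is an added example, not part of the original comments or the Tor Project's own tooling; the function names are hypothetical, and it assumes the sums file uses the standard sha256sum line layout and that the signing key has already been imported and its fingerprint checked as the verifying-signatures page describes.

```shell
#!/bin/sh
# Added example: gate the SHA-256 comparison on a good signature.
# Function names are hypothetical. The sums file is assumed to use the
# standard sha256sum layout: "<64 hex digits>  <name>" or "<hex> *<name>",
# with file names that contain no spaces.

# Pick whichever SHA-256 tool exists (coreutils on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Step 1: detached-signature check of the sums file.
# $1 = sha256sums-....txt.asc, $2 = sha256sums-....txt
# gpg exits non-zero on a bad or missing signature. It exits 0 for a good
# signature from ANY key in the keyring, so the signer's fingerprint must
# already have been checked out of band.
verify_sums_signature() {
    gpg --verify "$1" "$2"
}

# Step 2: compare one download against its entry in the sums file.
# Returns 0 = match, 1 = mismatch, 2 = file missing or not listed.
check_against_sums() {
    sums=$1
    file=$2
    [ -f "$sums" ] && [ -f "$file" ] || return 2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    # An unlisted file must not pass by default.
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Both steps: the hash list is not consulted unless its signature is good.
# Returns 3 when the signature check fails.
verify_download() {
    if ! verify_sums_signature "$1" "$2"; then
        echo "signature check failed; not trusting $2" >&2
        return 3
    fi
    check_against_sums "$2" "$3"
}

# Usage: sh verify.sh SUMS.asc SUMS.txt DOWNLOADED_FILE
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

A return code of 2 (file not listed) is treated as a failure on purpose: a download that the signed list does not mention has not been vouched for by the signer.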

According to the Tor FAQ, Google search engine is just fine with TorBrowser. The reality is somewhat different. Every 10 mins or so Tor changes nodes to create a new identity and, if you are using Google, it is meant to provide you with a simple CAPTCHA page to go on. However, most of the time it does not and instead produces one of two dreaded "Google Screens of Death" with no CAPTCHA option at all. This has been increasingly the case of late to the point where now most new Google sessions in Tor are effectively being barred. Creating a fresh new identity and deleting all Google's cookies doesn't help much either (and causes other problems in itself).

It seems Google is quietly suppressing Tor/anonymous traffic--which doesn't exactly fit into their revenue model--while maintaining that they are not anti-tor because they (sometimes) provide a simple CAPTCHA. Well, actions speak loudest, and Google is definitely blocking most Tor sessions now.

And before people start recommending Startpage/DDG, they are all well and good but only up to a point. Google has monopolized most of the world's data which these small companies do not have access to. That is our (the world's) data Google is hoarding and we need access to it.

This is an issue you guys really need to take up with Google before they've quietly suppressed most of the anonymous traffic. Yet I see absolutely no discussion of this issue on the blog besides the misleading information mentioned above.

While Startpage "scrapes" from Google, the results often differ from those obtained from Google directly. And it is not uncommon, alas, for the latter to be absolutely necessary.

  1. Yes. Google doesn't play nice with TorBrowser.
  2. Yes. Google makes money from displaying directed ads based on identifying a user's search terms and search history, and if Google allows anonymous usage the value of an advertiser's dollar decreases.
  3. Yes. Google is hoarding our shared knowledge and thoughts.

Conclusion: Google IS EVIL.

What to do?
Vote with your feet: use Startpage/DuckDuckGo.
In time (I hope) their search results may improve.

I fully agree. However, in the meantime (while access is still needed to a good deal of that Google hoard), the resistance still needs to press Google hard for continued (and much improved) anonymous/Tor access to it, in addition to supporting the alternatives whenever we can.

It would also be a good idea to directly test Tor against Google in a systematic way, and to update the Tor FAQ accordingly (i.e. to establish a successful:unsuccessful Tor sessions ratio to determine how the average success rate is changing over time, and then to use this as ammunition to throw at Google when they inevitably come up with their disingenuous, half-baked counter claim).

DON'T (admit to) BE(ing) EVIL.

I've been trying all day to search on Google and almost every single request (out of dozens) is being blocked with the "Google sorry" screen (no CAPTCHA in sight). The page just says "We're sorry... but your computer or network may be sending automated queries (NOT!!) To protect our users, we can't process your request right now. See Google Help for more information. © 2009 Google - Google Home". Absolutely no CAPTCHA. Same's been true last few days. Looks like Google has definitely clamped down very recently and is locking up all its stolen treasure.

Another important point that people seem to have overlooked is that if people know they can't use Tor with Google then an awful lot of people will not bother using Tor at all. The whole point of Tor is for as many people to adopt it as possible, i.e. this is a significant marketing blow for Tor.

I've noticed Google seems to be very sensitive to pressing the Enter button with tor (it actually asks you to do this with its "instant suggestions"). If you just let it produce searches without pressing enter it often comes up with a captcha, whereas pressing Enter almost always gets the Google Sorry page with no captcha. Pretty weird. It does seem to have got worse recently though. Never used to be this bad.

Have you tried 'https://encrypted.google.com/'? Or does it matter?

How do you torify applications that give you a proxy option to set an IP address and a port now that Polipo has been removed?

I used to put
127.0.0.0 8118

in the applications config

but now I don't know what the heck to put there.

If I open up advanced/network settings, I do not see anything for TBB http config, only a socks port.

So what do I put in the apps proxy config now?
i.e. filezilla, a/v update via proxy

Thanks

If you're using the Vidalia package, then I think every port passes through Tor. So I think you'd set your proxy to no proxy (delete any proxy settings).
However I use TBB, and as Vidalia starts up, my software firewall alerts shows many communications through many ports, including IMAP. This implies that even the TBB 'torifies' all ports.
But I'm not sure about this.

First time user and lets say it works out of the box so far !

Though has problems To start with I do have installed version of firefox and was concerned about this and firefox settings or other from this upsetting the system this I haven't checked so far.

I unpacked to c:\program files\ on winxp sp3 os as is made a shortcut for Start Tor Browser to the desktop so can start it easy. The rest is to now...

Though I do never use tabs and have never been able to get along using them with firefox. I have used the setting and unselected all tab setting boxes yet after Tor close and restart tabs are back !! Why ! Meanwhile the tab settings are all unselected though why starts with tabs. Maybe another restart is needed ?

Second issue before closing I did select to look at https everywhere and decided not to while page was loading. So then after restart why did https everywhere page load. This is not something I'm sure should not happen as privacy=privacy no page load on start unless is the start page. No cache I have checked is zero which is best for any browser, so unknown why it did this maybe though it had crashed but it hadn't

Ok so it is alpha but the version tor-browser-2.3.25-8_en-US is so far behind this version it is a joke why don't you make more releases so we don't have to resort to using alpha versions that contain bugs. Security alone means I need to use latest version. Heck knows what security holes are with and since tor-browser-2.3.25-8_en-US

Am I happy not with tabs, alpha version and page load where should never happen

Start page is Startpage if need to know. Everything is as installed nothing has been changed except tab settings for tor-browser-2.4.12-alpha-2_en-US

Excuse transmitting feedback here as you make it difficult to do so by any other means. Email=no | irc=no i don't | register to bug=never have anywhere or likely to make it available for everyone to post with registration I will post there.

Or use a web form that is easy to find to give feedback. Though you actually need to read the webform. This not to have people who scan webform without reading and relay poorly to you or robot to doing similar

So far everything looks ok not sure about https everywhere if that is intelligent so to add https everysite for every web site. Maybe that is how it works I don't know I did read the page but didn't see quick about to say this. Though it seems vastly slow to even the slowest internet. I realize bouncing around relays maybe you can speed it up. Also would like to choose country such as when download you need to have an ip for that country. Maybe with country chosen the relays stay for that country so speed up the connection vastly which it need to do

Please pass this on to developers if you are not directly connected to tor development. Or post this to bugs and feedback where necessary

reading the above for google it is not the https that google complains for it is more likely it has problem with ip address or tor is seen as a problem maybe a certificate or similar issue

This is known because firefox itself for a while now makes sure all google https is used

As google no matter how big has the most information it is needed for any browser to use it. Tor would then need to add certificate that is needed as firefox has for it to work. Or is it some setting that google dislikes, totally no cookie allowed or similar ?

I'm almost certain that there are many Tor users. For that reason, Google often sees too many searches from exit node IPs.
But Google should ignore the massive searching, because Google should also see the header that tells that the IP is Tor.

This makes me think that person running the exit node must:
Run the exit node on another IP than their own browsing IP.
Or accept that they won't browse using Google.
But I'm not sure about this.

"I'm almost certain that there are many Tor users."

But that many still makes-up only a tiny fraction of total Internet users, doesn't it?

With the recent revelation that the U.S. NSA has been sweeping information from 9 major ISPs for the last 7 years on U.S. citizens and foreign nationals alike, maybe the use of Tor will increase. Provided Tor actually works regarding state security agencies. If it doesn't, state security agencies aren't likely to make that knowledge public, are they? Can you say, "honey pot"?

Unless I'm missing something, any major ISP could fairly trivially unmask its users who run Tor simply by operating enough exit nodes (and I'm not even sure it would take that much).

Call me paranoid but I think you'd have to be pretty naive not to think it highly likely that ISPs are doing this at the behest of TLAs.

And besides this, the original comment about Google (several comments above) is pointing out that Google, whatever the case, should just present its simple CAPTCHA screen, but instead terminally blocks the tor session by presenting a "Google Screen of Death" which doesn't even provide the option of entering a CAPTCHA code. It's clear Google just doesn't want Tor/anonymous traffic, which no doubt is upsetting the "shareholder interest". Why don't they just admit it and come clean . . .

Tor Browser Bundle (2.4.12-alpha-2)

Crashes before it loads

Problem signature:
Problem Event Name: APPCRASH
Application Name: tor.exe
Application Version: 0.0.0.0
Application Timestamp: 5177f094
Fault Module Name: tor.exe
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 5177f094
Exception Code: 40000015
Exception Offset: 00064e01
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 887a
Additional Information 2: 887aa873844d1dd3f3e0257c981e4448
Additional Information 3: 0794
Additional Information 4: 0794aa118029c056c38da9365d5d92be

http://www.ethicalhack3r.co.uk/ssh-too-many-open-files-burp/

Can you tell me why changing these parameters breaks the Tor browser bundle on Mac OS X? I'm having the same issue, and the only difference from the "stock" Mac OS X 10.8 setup is:

/etc/launchd.conf reads:
limit maxfiles 10000 150000
limit maxproc 1000 2500

Recently, Tor does not work in Iran due to government attempts on blocking the internet.
It's a real shame we, Iranians, can't find a way to connect the world wide web freely. I hope you find a way to solve this problem. :)

Tor Project urges use of HTTPS/SSL but fact is that vast majority of WWW sites are regular HTTP.

Doesn't every current and potential user of Tor need to have some idea of how safe Tor can be considered for at least merely *viewing* non-SSL sites?

This is not at all clear to me from either the "Warning" at https://www.torproject.org/download/download-easy.html.en#warning, the Overview at https://www.torproject.org/about/overview.html.en or anywhere else in the documentation.

Specifically, how great are each of the following potential threats from exit node operators:

  • Subtle, not readily apparent tampering of content on pages
    • E.g., an article with critical details changed.

  • Malicious code injected into a page that appears indistinguishable from a trusted, familiar one
    • While this risk can be greatly reduced by disabling JavaScript, doing so presents its own set of problems. These include greatly reduced functionality and possible increased risk of profiling. A good intro/overview to this topic might be a recent thread in the Tails forum:
      https://tails.boum.org/forum/JavaScript_and_NoScript/

  • Increased risk of profiling/correlation by one or more exit node operators?
    • Could the far more specific, detailed traffic that is so easily sniffed over unencrypted HTTP provide an otherwise missing piece of the puzzle that could prove critical?

How concerned should the typical or average Tor user be over each of these potential threats?

An official response from the Tor devs to these questions would be most welcome and appreciated.

Thanks for all you do to make Tor a reality.

I agree! Tor needs to make this clear!

When is this version coming to the experimental obfsproxy browser bundle?

WHY is Prefetching not disabled in the Tor Browser? While I can see that the Tor developers have disabled DOM storage and GEO location, why did they leave prefetching enabled? This is a huge security flaw!

"Firefox has a feature called Prefetching that downloads pages (in the background) that it thinks you are going to click on in the future. This is a serious security flaw since in order to make this guess it’s saving lots of information of your previously visited sites."

Please, people who use Tor, follow the instructions below in order to protect yourself, by turning prefetching off (until the tor devs realize their huge mistake and make the new TBB with the function off):

Type: about:config into the address bar of Firefox and press enter.
Agree to the warning about making changes to the system.
Type: network.prefetch-next into the search bar
Right click on the option and select Toggle to change the setting to False.

Assuming that's true, it seems to me that prefetching would add more network load to the Tor network.

And what if prefetching uses different Tor circuits? Would that be a way to connect different circuits to an individual user?

I concur.
Prefetching should be disabled.

I have also wondered about this.

Checking now, I see that not only is network.prefetch-next set to true but also network.dns.disablePrefetch is as well.

When was the latter changed? I recall it being set to true. Or was that (only) in Tails?

Your second paragraph is in quotation marks but lacks an attribution.

Has anyone seen anything relating to whitelisted domains not saving between sessions of the windows install of this version of TBB?

I have to re-add sites to the cookie whitelist every time I open the TBB.

To the Tor developers: Is it really true that disabling javascript in tor browser puts you at risk for profiling and can in that way be riskier than the risk which comes from javascript running bad scripts and revealing your true identity???

Just an anon here...

Start w/ this:
https://tails.boum.org/forum/JavaScript_and_NoScript/

Which threat is greater would depend upon individual use case: Who your adversaries are, the type of sites you visit, etc.

Note that the risk of profiling is greatest when JavaScript is enabled *selectively* for certain sites but not others. The rule seems to be: either block all or allow all.

I always get this error when I start Tor browser for the first time: "Your Computer's Clock is Potentially Incorrect - Tor has determined that your computer's clock may be set to seconds in the future compared to the source..... If your clock is not correct, Tor will not be able to function. Please verify your computer displays the correct time." Does this mean that Tor isn't working correctly and I shouldn't use it?

You may need to replace your CMOS/BIOS battery.

I'm using the latest TBB. A multi-lingual forum does not display correctly on the Windows version of TBB but displays correctly on the Linux version of TBB.
On Windows TBB the character encoding is set to "unicode utf-8" but reverts back to "western iso-8859-1" on every refresh or click.
How do I force Windows TBB to use "unicode utf-8"?
I've asked support@mozilla but no solution.

We are all (or should be) Tor users now. I like the browser in the TBB; it's just like iceweasel. I would like to make it my default browser. How can (should?) this be done? I have lots of applications that pop open URLs in the default browser, but there doesn't appear to be a way to pass a command-line parameter such as a link to display into the start-tor-browser script. Is there any other way to open a new tab in the Tor Browser?

I have Tor but when I check IP-Check it still shows my IP address and current location....Why is this happening?

I have tor and am running it...I think...when checking IP-Check I still see the same IP address and my current location...How do I fix this?

You will always get your real IP address when running those tools within your own network, Your intelligent router or OS's has figured out that you are asking from within.
This is the basic explanation, you can search the net if you want more detailed info on this.

I'd like to use my old mac mini power pc G4 running osx 10.5.8 as a tor relay. I can add a solid state 32GB disc to it if needed ( preferred) However, I cannot load Tor ( 32 bit version)

Normally that mini runs 10.4.8 - but with some effort I was able to convert one partitioned part of the main disc to 10.5.8 as an alternate startup.

Any suggestions ??
