New Tor Browser Bundles with Firefox 17.0.9esr

by erinn | September 20, 2013

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

Tor Browser Bundle (2.4.17-beta-2)

  • Update Firefox to 17.0.9esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
  • Update LibPNG to 1.6.3
  • Update HTTPS Everywhere to 4.0development.12
  • Update NoScript to 2.6.7.1
  • Remove extraneous libevent libraries (closes: #9727)
  • Enable GCC hardening for Tor
  • Firefox patch changes:
    • - Disable filtered results in Startpage omnibox (closes: #8839)
  • Add missing geoip file to Linux bundle
  • (entry missing from regular changelog)

Comments

Please note that the comment area below has been archived.

September 20, 2013

Permalink

And, again, no source tarball seen on Tor website for either version.

When I boot my computer, it tells me that there is a newer version of Tor available, and so I went to Tor website, and seen about the 2.4.17-beta-2, but I believe I installed one that had an "rc" in it, and I have installed the beta also, I think. However when I boot up, it stills shows a warning that a newer version is available. I don't understand what I am doing wrong. Also, I tried re-installing it, and it still warns. Also, I have 17.0.8esr and now I am reading about 17.0.9esr and don't see it anywhere. I even click on "update" in my browser and it says I am up to date. I am getting confused here. what is the current version, and can I download it all in one place and install.

September 26, 2013

In reply to arma

Permalink

that is the link I went to when downloading the newer version. However, it doesn't seem to update the broweser, it is still on 17.0.8esr, so I don't know what to make of this. I'm still getting notification to update, have gone to right place and downloaded right file, but still leaves me wanting ? perhaps someone can do a test run through, and provide steps to follow ?

September 20, 2013

Permalink

Tails v0.20.1 was released two days ago. It includes Tor 0.2.4.17-rc.

1. Is Tor 0.2.4.17-rc equivalent to 2.4.17-beta-2?

2. Why did Tails not include 2.3.25-13, which is the stable release?

3. Can Tails and Tor developers work as a team, seeing that new releases of Tails are made on this blog?

1) 2.4.17-beta-2 is a Tor Browser Bundle version.

0.2.4.17-rc is a Tor version.

The two versions do look quite similar, and that's not a coincidence. It's meant to be helpful.

2) Tails moved to Tor 0.2.4.17-rc because of the advice in
https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients

3) We do collaborate. That's how I know the answer to question #2. :)

September 20, 2013

Permalink

when's the new version of the pluggable transports TBB coming out?

In the meantime, how do we upgrade the firefox in the PT 2.4.16-beta bundle?

I believe David has a new version built now, and is sorting out how to get it onto the website. (I used to do it for him each time, but I'm trying to stop being the bottleneck there.)

September 21, 2013

In reply to arma

Permalink

how long do we need to wait?

In the meantime, can we update the bundled Firefox directly to 17.09 ESR without breaking the bundle?

September 20, 2013

Permalink

1. Why is Tor still using SSL 3.0? and not TLS only?
2. Why aren't Tor and Tails' Iceweasel identical? Doesn't Tor heavily depend on "security thru obscurity"?
3. Why is Tor still using weak cipher suites for SSL connections instead of the stronger ones?
Thanks for your great work btw.

September 21, 2013

In reply to arma

Permalink

What I really meant: Will there be soon an update for the 3.0 alpha version which uses Firefox 17.0.9 (or 24.0) ?

September 21, 2013

Permalink

I would like to add some dictionaries to 2.4.17-beta-2. Would I compromise my anonymity if I would do so?

September 21, 2013

Permalink

ATTENTION! ALERT!

I downloaded tor-browser-2.3.25-13_en-US.exe just now. Upon clicking the executable, Symantec informed me there is a security risk. The risk has a name: it is called WS.Reputation.1

Tor developers, please verify the files uploaded to the servers have not been infected.

Thank you.

Wow. It looks like the security risk it's telling you about is "Not enough of Symantec's users have tried running this program yet".

I guess there's value in having that groupthink check, but... shouldn't Symantec be explaining what it's doing to its users? This does not sound like it is reporting any infection.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308…

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarific…

http://www.mindworkshop.info/windows/the-norton-symantec-ws-reputation-…

If I were you I would try to opt out of telling Symantec about everything you do with your computer.

September 21, 2013

Permalink

I am running the TBB that uses Firefox 17.0.8.

This new version of TBB uses Firefox 17.0.9.

When I started up the TBB version with 17.0.8 it took me to the tor home page, but did not notify me that an update was available.

Why did I receive no update warning to update to 17.0.9?

The reason I am asking is that I always depend on the home page to notify me of updates. When the javascript exploit was used, I was sure I was using 17.0.7 because I had always updated when the home page gave me a notification. Now I am not so sure. Was a warning on the home page given to upgrade from 17.0.6 to 17.0.7?

The way TBB 2.x checks for updates is that it periodically goes to https://check.torproject.org/RecommendedTBBVersions, on its own, in the background. If that page tells it that it's out of date, it changes your homepage setting so the next time you start TBB it will go to a variant of check.torproject.org that tells you to upgrade.

So it sometimes takes a cycle or two before it will tell you. That also means that people who leave their TBB open forever take a long time to learn that they should upgrade. :(

Let's all look forward to TBB 3.x which has a better interface here.

September 21, 2013

Permalink

Roger/Erinn, thanks for your work.
If you can show the following request to the Tails team, that would be appreciated:

Dear Tails team,
please consider enabling by default the option "Enable mouse clicks with touchpad", that is accessible via the menu System --> Preferences --> Mouse --> "Touchpad" tab. (Another option there, "Enable horizontal scrolling", enabled is also a good idea.)

This option is needed by all Tails laptop users without the external mouse. Currently we have to suffer or keep enabling that option by hand after every boot.
If you need to see the similar config files where it's enabled by default, please peek at the Liberte Linux: http://dee.su/liberte . It's Gentoo-based, but the mouse controls seem the same.

This would be especially appreciated by the new Tails/Linux users. (You've heard the people complaining that the "Tails touchpad doesn't work"... There was even, if I remember, Runa's Tor blog post here describing that happening at some conference, when she was give out the Tails USB sticks.)

Thank you.

September 21, 2013

In reply to arma

Permalink

Understood. Just mentioned because someone else here discussed Tails.

Starting Tails just to run Whisperback is a bit too involved (same with creating the Tor bug tickets). This blazing-quick blog posting, however, is much easier.

Never mind.

September 21, 2013

Permalink

As a follow up to my previous question, I have always updated immediately when the update notification on the home page appeared when I started Tor.

Whenever I start Tor and it takes me to the home page with the "Congratulations you are using Tor" message in green letters, is that an assurance that I am using the latest most current version.

Great work you guys are doing, BTW.

September 21, 2013

Permalink

Are any parts of Tor affected by the news below?
What about Tails?
-Thanks.

RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

"...RSA said that all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C were affected.
In addition, all versions of RSA Data Protection Manager (DPM) server and clients...
...RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.”

September 21, 2013

Permalink

When will migration to Firefox 24esr be expected? I mean time difference between Mozilla's release and TBB included one.

Mike is still trying to fix major privacy bugs in FF24. So, "real soon now because we have to", but probably right around the time FF17 goes unmaintained.

September 21, 2013

Permalink

"please peek at the Liberte Linux

IIRC,

  • Liberte Linux has one release. One. A long time ago.
  • Does Liberte Linux auto-update to bring packages up to date? If not, it should not be used and you shouldn't recommend others to use it.

    TAILS releases new versions in a timely manner.

    Sure, but no one "recommended others" to use Liberte Linux.

    If you read that above post in the context, it was addressed only to the Tails developers - and only to note an example of the mouse/touchpad setting enabled by default.

    September 22, 2013

    Permalink

    2.4.17-beta-2 uses HTTPS-Everywhere 3.3.1 instead of the newest version 3.4.1. What is the reason for this?

    September 22, 2013

    In reply to arma

    Permalink

    Sorry, my mistake. It`s 3.0 alpha-3 which still uses HHTP-Everywhere 3.3.1.

    September 22, 2013

    Permalink

    Hi torproject!
    Why geoip file in stable & beta bundle differ?
    Stable > old shit from May 1 2012 (!)
    Beta > fresh database from Aug 7 2013
    WTF?! Why do not you replace it with a new in stable?

    Because the geoip file comes in the Tor distribution, and the stable Tor distribution (0.2.3.25) actually is from long ago. Once Tor 0.2.4 goes stable, it should get the new one.

    September 22, 2013

    Permalink

    I'm running the most current version of the browser, when interacting with one particular website tour browser keeps becoming unresponsive. it only happens at this website: topix.com it happens even if tour is the only application running. I'm running under Windows 7 Home Premium. Any suggestions?

    September 23, 2013

    Permalink

    Hi guys sorry for even having to ask this. but i had no problem updating from 17.0.7 to 17.0.8 but i just cant seem to get the next 1. even when i go to TorBrowser and check for updates it in the help section it saysi am up to date but it still says 17.0.8.
    any help would be great thanks

    September 26, 2013

    Permalink

    Hi,
    probably half off-topic but Tails have no simple open request.

    With old Tails0.20 on .onion-sites i see in Vidalia a lot of 4-circles connections.
    With 0.20.1 only the normal 3-circles.
    Whats the difference?

    Second, on lower memory PCs with new Tails0.20.1 the DVD-ROM/Writer(TAILS on DVD) is more often spinning(reading ?) as with Tails0.20.Therefore new TAILS -sometimes,e.g. Browser functions- reacts a little bit slower.The cause for this is the new Tor version(0.2.4.17-rc)? Tor0.2.4.17-rc needs more memory?

    Thanks for reading.And answering(-:

    September 26, 2013

    Permalink

    the changelog i think it's bad write i download tor browser on monday and noscript was update in 2.6.8.1

    October 01, 2013

    Permalink

    Anyone having problem with using webmail?
    I often get a message saying "Our security have detected a supsicious use of your account - chnge password immidiately or with i.e. hotmail - verify your account to continue.
    I assume that the proxy is the main problem? or is it du to hackers on some of the end-nodes?
    Its annoying to change mailprovider og password so often?
    Another issue:
    When using i.e Gmx.com's webmail I very often is disconnected and the page says that the connection is lost?
    Any suggestions?

    And not to forget: Tor is an awesome step into allowing people some privacy on the net - Thanx :-)

    October 05, 2013

    Permalink

    When testing Tor proxy settings (default settings) via the Tor button I keep getting the following errors, mostly the first error:

    Local HTTP Proxy is unreachable. Is Polipo running properly?

    Tor proxy test:TorDNSEL failure. Results unknown

    Tor proxy test: HTTP error for check.torproject.org:500

    What could be causing this?.

    Also on startup https://check.torproject.org/?lang=en-US&small=1&uptodate=1 fails to load, I presume it's just overloaded or down though.

    Using Tor Browser Bundle for Windows Version 2.3.25-13

    October 13, 2013

    Permalink

    I have installed Tor Browser Bundle (2.3.25-13) in kubuntu and Vidalia gives me error "can not initiate firefox".
    I test with the 2.4.17 beta and the same.
    I have had to go back to the 2.3.25.12 that goes me well,without problems.
    Notes:
    1) I Delete all the 12 and put the 13 complete. (tor-browser_es-ES)
    2) In /App/tor It is not executable,is library 1,7 Mb
    Sorry By my badly english.

    October 21, 2013

    Permalink

    I had a very similar experience to "ATTENTION! ALERT!" (9/21, above). I downloaded 2.4.17-beta-2 and NIS (Norton Internet Security 2012) immediately quarantined it with a WS.Reputation.1. Here are the relevant details from the quarantine history:
    ____________________________
    On computers as of 10/20/2013 at 11:20:28 AM
    Last Used 10/20/2013 at 11:13:50 AM
    Startup Item No
    Launched No
    ____________________________
    ____________________________
    Few Users
    Hundreds of users in the Norton Community have used this file.
    ____________________________
    New
    This file was released 29 days ago.
    ____________________________
    Medium
    This file risk is medium.
    ____________________________
    Threat Details
    Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe
    ____________________________

    Source File:
    tor-browser-2.4.17-beta-2_en-us.exe
    ____________________________

    [Me again:] I restored it from quarantine, but it begs the question: Norton had no problem with beta-1, what's up with beta-2? The signature was valid, by the way.

    See the rest of the thread above. The only problem it had with the new version was simply that -- it was new.

    What crummy software this norton stuff is.

    October 30, 2013

    Permalink

    vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe -- Today, the downloaded file does not have a valid signature.

    "gpg: BAD signature from "Erinn Clark "

    Using https://www.virustotal.com/, TrendMicro-HouseCall identifies this executable as containing "TROJ_GEN.F47V0801."

    Can I get a confirmation on the signature and a second opinion?