New Tor Browser Bundles with Firefox 17.0.9esr

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

Tor Browser Bundle (2.4.17-beta-2)

  • Update Firefox to 17.0.9esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.3
  • Update HTTPS Everywhere to 4.0development.12
  • Update NoScript to 2.6.7.1
  • Remove extraneous libevent libraries (closes: #9727)
  • Enable GCC hardening for Tor
  • Firefox patch changes:
    • Disable filtered results in Startpage omnibox (closes: #8839)
  • Add missing geoip file to Linux bundle
  • (entry missing from regular changelog)

And, again, no source tarball seen on Tor website for either version.

Sorry about that. They were on the server but not synced to the mirrors. Fixed now.

When I boot my computer, it tells me that there is a newer version of Tor available, and so I went to the Tor website and saw the 2.4.17-beta-2, but I believe I installed one that had an "rc" in it, and I have installed the beta also, I think. However, when I boot up, it still shows a warning that a newer version is available. I don't understand what I am doing wrong. Also, I tried re-installing it, and it still warns. Also, I have 17.0.8esr and now I am reading about 17.0.9esr and don't see it anywhere. I even click on "update" in my browser and it says I am up to date. I am getting confused here. What is the current version, and can I download it all in one place and install?

The current version is at https://www.torproject.org/projects/torbrowser.html.en#downloads and you can download it from there.

In the not too distant future, I hope, everybody will be using TBB 3.x, which has a much more reliable, and easier to understand, notification when you need to upgrade.

That is the link I went to when downloading the newer version. However, it doesn't seem to update the browser; it is still on 17.0.8esr, so I don't know what to make of this. I'm still getting the notification to update, have gone to the right place and downloaded the right file, but it still leaves me wanting. Perhaps someone can do a test run-through and provide steps to follow?

Sounds like you're doing something wrong. I suggest contacting the helpdesk people and asking for help.

https://www.torproject.org/about/contact#support

Tails v0.20.1 was released two days ago. It includes Tor 0.2.4.17-rc.

1. Is Tor 0.2.4.17-rc equivalent to 2.4.17-beta-2?

2. Why did Tails not include 2.3.25-13, which is the stable release?

3. Can Tails and Tor developers work as a team, seeing that new releases of Tails are made on this blog?

1) 2.4.17-beta-2 is a Tor Browser Bundle version.

0.2.4.17-rc is a Tor version.

The two versions do look quite similar, and that's not a coincidence. It's meant to be helpful.

2) Tails moved to Tor 0.2.4.17-rc because of the advice in
https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients

3) We do collaborate. That's how I know the answer to question #2. :)

When's the new version of the pluggable transports TBB coming out?

In the meantime, how do we upgrade the Firefox in the PT 2.4.16-beta bundle?

I believe David has a new version built now, and is sorting out how to get it onto the website. (I used to do it for him each time, but I'm trying to stop being the bottleneck there.)

How long do we need to wait?

In the meantime, can we update the bundled Firefox directly to 17.09 ESR without breaking the bundle?

You can build them yourself, using the vanilla TBB:
https://trac.torproject.org/projects/tor/ticket/8416

(If you try to stick Mozilla's Firefox 17.0.9-esr into the TBB, things will go bad pretty quick. Tor Browser is a modified Firefox.)

Here are the corresponding pluggable transports bundles.

https://blog.torproject.org/blog/pluggable-transports-bundles-2417-beta-...

Which is better to use, the stable or the beta?

I think the beta is probably faster, but it might have more unexpected bugs. So it depends how comfortable you are with that tradeoff.

1. Why is Tor still using SSL 3.0? and not TLS only?
2. Why aren't Tor and Tails' Iceweasel identical? Doesn't Tor heavily depend on "security thru obscurity"?
3. Why is Tor still using weak cipher suites for SSL connections instead of the stronger ones?
Thanks for your great work btw.

Would be nice to have the pluggable transport bundle updated as well!

https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1709esr#comment-35112

Here are the corresponding pluggable transports bundles.

https://blog.torproject.org/blog/pluggable-transports-bundles-2417-beta-2-pt3-firefox-1709esr

Will there be an update for the 3.0 alpha version within the next few days?

https://blog.torproject.org/blog/tor-browser-bundle-30alpha3-released#comment-35110

What I really meant: Will there soon be an update for the 3.0 alpha version which uses Firefox 17.0.9 (or 24.0)?

That's the answer.

I would like to add some dictionaries to 2.4.17-beta-2. Would I compromise my anonymity if I would do so?

ATTENTION! ALERT!

I downloaded tor-browser-2.3.25-13_en-US.exe just now. Upon clicking the executable, Symantec informed me there is a security risk. The risk has a name: it is called WS.Reputation.1

Tor developers, please verify the files uploaded to the servers have not been infected.

Thank you.

Whee. Can you tell us exactly what version of Symantec, etc?

Sounds like another case of https://www.torproject.org/docs/faq#VirusFalsePositives

Can you tell us exactly what version of Symantec, etc?

I have uploaded a screen capture. You can view it by clicking on the following link: http://i42.tinypic.com/2virxic.jpg

Wow. It looks like the security risk it's telling you about is "Not enough of Symantec's users have tried running this program yet".

I guess there's value in having that groupthink check, but... shouldn't Symantec be explaining what it's doing to its users? This does not sound like it is reporting any infection.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarification-on-WS-Reputation-1-detection/td-p/232155

http://www.mindworkshop.info/windows/the-norton-symantec-ws-reputation-1-false-positive/

If I were you I would try to opt out of telling Symantec about everything you do with your computer.

I am running the TBB that uses Firefox 17.0.8.

This new version of TBB uses Firefox 17.0.9.

When I started up the TBB version with 17.0.8 it took me to the tor home page, but did not notify me that an update was available.

Why did I receive no update warning to update to 17.0.9?

The reason I am asking is that I always depend on the home page to notify me of updates. When the javascript exploit was used, I was sure I was using 17.0.7 because I had always updated when the home page gave me a notification. Now I am not so sure. Was a warning on the home page given to upgrade from 17.0.6 to 17.0.7?

The way TBB 2.x checks for updates is that it periodically goes to https://check.torproject.org/RecommendedTBBVersions, on its own, in the background. If that page tells it that it's out of date, it changes your homepage setting so the next time you start TBB it will go to a variant of check.torproject.org that tells you to upgrade.

So it sometimes takes a cycle or two before it will tell you. That also means that people who leave their TBB open forever take a long time to learn that they should upgrade. :(

Let's all look forward to TBB 3.x which has a better interface here.
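
The update check described in the comment above, modelled as an added example (this is not Torbutton's or the Tor Project's code). It assumes the recommended-versions document is a JSON array of version strings and that `uptodate=0` marks the upgrade variant of the start page; the list contents and function names are constructed, and the periodic background check is simplified to one check per start.

```javascript
// Added example: a model of the TBB 2.x update check, not Torbutton's code.
// Assumptions: the list is a JSON array of version strings, and "uptodate=0"
// marks the upgrade variant of the start page.
const CHECK_BASE = 'https://check.torproject.org/?lang=en-US&small=1';

// Constructed sample list bodies (before and after a release).
const OLD_LIST = '["2.3.25-12-Linux","2.3.25-12-MacOS","2.3.25-12-Windows"]';
const NEW_LIST = '["2.3.25-13-Linux","2.3.25-13-MacOS","2.3.25-13-Windows"]';

// Returns "current", "outdated", or "unknown" when the list body is not a
// usable list (error page, empty reply, wrong type).
function classifyVersion(listBody, running) {
  let list;
  try {
    list = JSON.parse(listBody);
  } catch (err) {
    return 'unknown';
  }
  const usable = Array.isArray(list) && list.length > 0 &&
    list.every((v) => typeof v === 'string');
  if (!usable) return 'unknown';
  return list.includes(running) ? 'current' : 'outdated';
}

// Each start shows the homepage stored by the previous background check and
// only then fetches the list again, so a verdict appears one start late.
function simulateStarts(running, listBodies) {
  let homepage = CHECK_BASE + '&uptodate=1'; // constructed initial state
  const shown = [];
  for (const body of listBodies) {
    shown.push(homepage);
    const verdict = classifyVersion(body, running);
    if (verdict === 'outdated') homepage = CHECK_BASE + '&uptodate=0';
    if (verdict === 'current') homepage = CHECK_BASE + '&uptodate=1';
    // "unknown": keep the stored homepage; a failed fetch proves nothing.
  }
  return shown;
}

// Start 2 happens after the release, yet still shows the "up to date" page.
const shown = simulateStarts('2.3.25-12-Windows',
  [OLD_LIST, NEW_LIST, 'HTTP 500', NEW_LIST]);
shown.forEach((url, i) => console.log('start ' + (i + 1) + ': ' + url));
```

The second start in the sample run is the case raised in this thread: the new release is already listed, but the page shown was chosen by the previous check.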

Roger/Erinn, thanks for your work.
If you can show the following request to the Tails team, that would be appreciated:

Dear Tails team,
please consider enabling by default the option "Enable mouse clicks with touchpad", that is accessible via the menu System --> Preferences --> Mouse --> "Touchpad" tab. (Another option there, "Enable horizontal scrolling", enabled is also a good idea.)

This option is needed by all Tails laptop users without the external mouse. Currently we have to suffer or keep enabling that option by hand after every boot.
If you need to see the similar config files where it's enabled by default, please peek at the Liberte Linux: http://dee.su/liberte . It's Gentoo-based, but the mouse controls seem the same.

This would be especially appreciated by the new Tails/Linux users. (You've heard the people complaining that the "Tails touchpad doesn't work"... There was even, if I remember, Runa's Tor blog post here describing that happening at some conference, when she was giving out the Tails USB sticks.)

Thank you.

This is totally the wrong place to try to reach Tails people.

https://tails.boum.org/support/index.en.html

Understood. Just mentioned because someone else here discussed Tails.

Starting Tails just to run Whisperback is a bit too involved (same with creating the Tor bug tickets). This blazing-quick blog posting, however, is much easier.

Never mind.

As a follow up to my previous question, I have always updated immediately when the update notification on the home page appeared when I started Tor.

Whenever I start Tor and it takes me to the home page with the "Congratulations you are using Tor" message in green letters, is that an assurance that I am using the latest most current version?

Great work you guys are doing, BTW.

It is not an assurance, unfortunately. There is nothing magic about "going to check.torproject.org" -- the page doesn't change what it says based on your version.

See
https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1709esr#comment-35145
for details.

Are any parts of Tor affected by the news below?
What about Tails?
-Thanks.

RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

"...RSA said that all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C were affected.
In addition, all versions of RSA Data Protection Manager (DPM) server and clients...
...RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.”

Ah, there is a random number generation algorithm out there that people are freaked out about now. No, Tor doesn't use it.

I regularly check Mozilla's FFesr downloads page ...

https://www.mozilla.org/en-US/firefox/organizations/all.html

... and I never saw a version 17.0.9esr there. For several weeks the latest release on that page was 17.0.8esr until it was upgraded to 24.0esr a couple of days ago. When was 17.0.9esr released and where did Mozilla publish it?

http://www.mozilla.org/en-US/firefox/17.0.9/releasenotes/

I agree that Mozilla didn't do a publicity splash for it. Good thing we're working closely with them so we hear about these things. (I agree that's not the best way for them to tell their users about updates.)

Yes, I want to use 24.0 esr with TBB.

Not yet you don't:
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff24-esr

When will migration to Firefox 24esr be expected? I mean time difference between Mozilla's release and TBB included one.

Mike is still trying to fix major privacy bugs in FF24. So, "real soon now because we have to", but probably right around the time FF17 goes unmaintained.

"please peek at the Liberte Linux"

IIRC,

  • Liberte Linux has one release. One. A long time ago.
  • Does Liberte Linux auto-update to bring packages up to date? If not, it should not be used and you shouldn't recommend others to use it.

    TAILS releases new versions in a timely manner.

    Sure, but no one "recommended others" to use Liberte Linux.

    If you read that above post in the context, it was addressed only to the Tails developers - and only to note an example of the mouse/touchpad setting enabled by default.

    2.4.17-beta-2 uses HTTPS-Everywhere 3.3.1 instead of the newest version 3.4.1. What is the reason for this?

    A fine question. Erinn?

    Sorry, my mistake. It's 3.0 alpha-3 which still uses HTTPS-Everywhere 3.3.1.

    Hi torproject!
    Why do the geoip files in the stable & beta bundles differ?
    Stable > old shit from May 1 2012 (!)
    Beta > fresh database from Aug 7 2013
    WTF?! Why don't you replace it with a new one in stable?

    Because the geoip file comes in the Tor distribution, and the stable Tor distribution (0.2.3.25) actually is from long ago. Once Tor 0.2.4 goes stable, it should get the new one.

    I'm running the most current version of the browser. When interacting with one particular website, Tor Browser keeps becoming unresponsive. It only happens at this website: topix.com. It happens even if Tor is the only application running. I'm running under Windows 7 Home Premium. Any suggestions?

    ERROR: Compiled with an old OpenSSL Version 1.0.0k
    I am using Version 1.0.1e of OpenSSL

    Error? What gives you the error?

    And you're asking this on a TBB announce thread, so I assume it's TBB. So what do you mean "I am using"?

    Hi guys, sorry for even having to ask this, but I had no problem updating from 17.0.7 to 17.0.8 and I just can't seem to get the next one. Even when I go to TorBrowser and check for updates in the help section, it says I am up to date, but it still says 17.0.8.
    Any help would be great, thanks.

    Don't "check for updates". Go download the new one and use that.

    I am sorry if I am intruding. There is going to be a beta version of a Stack Exchange questions and answers site about Tor. I am one of the community supporters. If you are interested and think you can contribute to the site by asking questions or answering them, you can subscribe after following this link:

    http://area51.stackexchange.com/proposals/56447/tor?referrer=s1OII2Y7WvZW0VuASrAkNA2

    Thank you, pabouk

    Some websites are still unresponsive, is this due to botnet?

    Thanks, guys

    Is the Tor 3.0 alpha version going to be updated to this?

    Real soon now, I hear.

    Hi,
    Probably half off-topic, but Tails has no simple open request.

    With old Tails 0.20, on .onion sites I see a lot of 4-circles connections in Vidalia.
    With 0.20.1, only the normal 3-circles.
    What's the difference?

    Second, on lower-memory PCs with the new Tails 0.20.1, the DVD-ROM/writer (TAILS on DVD) is spinning (reading?) more often than with Tails 0.20. Therefore the new TAILS sometimes reacts a little bit slower, e.g. in browser functions. Is the cause of this the new Tor version (0.2.4.17-rc)? Does Tor 0.2.4.17-rc need more memory?

    Thanks for reading. And answering (-:

    I think the changelog is badly written: I downloaded Tor Browser on Monday and NoScript was updated to 2.6.8.1.

    Why is pdfjs.disabled set to be true?

    Good question!

    Anyone having problems with using webmail?
    I often get a message saying "Our security have detected a suspicious use of your account - change password immediately" or, with i.e. Hotmail, "verify your account to continue".
    I assume that the proxy is the main problem? Or is it due to hackers on some of the end-nodes?
    It's annoying to change mail provider or password so often.
    Another issue:
    When using i.e. Gmx.com's webmail, I am very often disconnected and the page says that the connection is lost.
    Any suggestions?

    And not to forget: Tor is an awesome step into allowing people some privacy on the net - Thanx :-)

    My understanding is that it's mostly the website getting a list of "scary" IP addresses from somewhere and hassling you if you show up from one.

    When testing Tor proxy settings (default settings) via the Tor button I keep getting the following errors, mostly the first error:

    Local HTTP Proxy is unreachable. Is Polipo running properly?

    Tor proxy test:TorDNSEL failure. Results unknown

    Tor proxy test: HTTP error for check.torproject.org:500

    What could be causing this?

    Also on startup https://check.torproject.org/?lang=en-US&small=1&uptodate=1 fails to load, I presume it's just overloaded or down though.

    Using Tor Browser Bundle for Windows Version 2.3.25-13

    Why is the HTTP referer not blocked by default in TBB?

    http://www.whatsmyuseragent.com/

    I have installed Tor Browser Bundle (2.3.25-13) in Kubuntu and Vidalia gives me the error "can not initiate firefox".
    I tested with the 2.4.17 beta and got the same.
    I have had to go back to 2.3.25.12, which works well for me, without problems.
    Notes:
    1) I deleted all of the 12 and put in the complete 13. (tor-browser_es-ES)
    2) In /App/tor, it is not an executable; it is a library, 1,7 Mb
    Sorry for my bad English.

    Sounds like you should try TBB 3.x:
    https://blog.torproject.org/category/tags/tbb-30

    I had a very similar experience to "ATTENTION! ALERT!" (9/21, above). I downloaded 2.4.17-beta-2 and NIS (Norton Internet Security 2012) immediately quarantined it with a WS.Reputation.1. Here are the relevant details from the quarantine history:
    ____________________________
    On computers as of 10/20/2013 at 11:20:28 AM
    Last Used 10/20/2013 at 11:13:50 AM
    Startup Item No
    Launched No
    ____________________________
    ____________________________
    Few Users
    Hundreds of users in the Norton Community have used this file.
    ____________________________
    New
    This file was released 29 days ago.
    ____________________________
    Medium
    This file risk is medium.
    ____________________________
    Threat Details
    Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe
    ____________________________

    Source File:
    tor-browser-2.4.17-beta-2_en-us.exe
    ____________________________

    [Me again:] I restored it from quarantine, but it begs the question: Norton had no problem with beta-1, what's up with beta-2? The signature was valid, by the way.

    See the rest of the thread above. The only problem it had with the new version was simply that -- it was new.

    What crummy software this norton stuff is.

    vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe -- Today, the downloaded file does not have a valid signature.

    "gpg: BAD signature from "Erinn Clark "

    Using https://www.virustotal.com/, TrendMicro-HouseCall identifies this executable as containing "TROJ_GEN.F47V0801."

    Can I get a confirmation on the signature and a second opinion?
