Tor Browser 3.5.1 is released

The 3.5.1 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

Please see the FAQ listing for any issues you may have before contacting support or filing tickets.

This release features an update to OpenSSL to fix a denial of service condition, and to fix the NoScript whitelist to remove addons.mozilla.org.

This release also features Tor 0.2.4.20, as well as a support for screen readers for the blind on Windows.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

  • All Platforms
    • Bug 10447: Remove SocksListenAddress to allow multiple socks ports.
    • Bug 10464: Remove addons.mozilla.org from NoScript whitelist
    • Bug 10537: Build an Arabic version of TBB 3.5
    • Update Torbutton to 1.6.5.5
      • Bug 9486: Clear NoScript Temporary Permissions on New Identity
      • Include Arabic translations
    • Update Tor Launcher to 0.2.4.3
      • Include Arabic translations
    • Update Tor to 0.2.4.20
    • Update OpenSSL to 1.0.1f
    • Update NoScript to 2.6.8.12
    • Update HTTPS-Everywhere to 3.4.5
  • Windows
    • Bug 9259: Enable Accessibility (screen reader) support
  • Mac
    • misc: Update bundle version field in Info.plist (for MacUpdates service)

So, I want to use TOR to sign up to forums and webmail services - but I find so many of them want to use javascript. They use it for Captchas very often.

I've read bad things about javascript and TOR, that it leaks information or can be used for exploits.

Can I let NoScript allow javascript, or where can I find services that don't use it in the fist place ?

Take a look at
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

Many of us use TBB with Javascript enabled -- not because it's particularly safe to do it, but because Javascript is just one of many classes of holes that Firefox has.

For more reading, there are several feisty discussions about JavaScript on
https://blog.torproject.org/blog/tor-browser-bundle-35-released

But wait, if it's not safe, and is a hole, shouldn't you STOP using it ?!

When I give TOR the Use New Identity command, how long is it until it actually gives a new identity ? Is it immediate, or does it use the old one for a short period of time ?

As far as I know it immediately disconnects from the current exit node and builds up a new route to a new exit node.
You can check that by using https://check.torproject.org/ or different websites which show your IP. If your IP address changed you got have a new identity.

"If your IP address changed you got have a new identity."

I believe it is not quite that simple and that the only sure way to completely achieve a new identity is to close and restart TBB.

"new identity" for Tor means that new stream requests get assigned to fresh circuits.

So if for example your browser has an http 1.1 connection open to a website and it uses pipelining to keep the connection open and reuse it for future requests, then from Tor's perspective there won't be any new stream requests (it never sees any new connections), and your browser will end up continuing to use the old connection.

That's one of the huge reasons why you can't get what you (should) want out of Vidalia's "new identity" button -- it simply does not consider any of the application-level privacy issues that TorBrowserButton does.

" ...then from Tor's perspective there won't be any new stream requests..."
"...That's one of the huge reasons why you can't get what you (should) want..."

I am not the OP but a short example:
Surfing convenient with TBB&Vidalia-Tails actually not so convenient)-:.
You have a list with links you are interested and you need no
further anonymity.Only the exit shouldn't see all URLs together.
Click New Identity in Vidalia you get a new exit-more or less enough anonymity.Right?

I refer to TBB)

See, using the same exit node doesn't seem like a new identity to me, even if the info is routed through a new circuit.
With the old one I would just keep clicking new identity until I could see I had a new exit node.
Does it help protect from analysis if you keep changing exit node ?

Well, using the old version I would hit 'new identity' and often it would keep me on the same exit node but with a different route. sometimes it would seem to take a lot of attempts to get a new exit node.
I don't think there is an easy way to watch the node path on the new version ?

I can't see cookies.
How do I work add-ons?
Cookies Manager+
Cookie Manager Button
Remove Cookies for Site
Thx.

https://trac.torproject.org/projects/tor/ticket/10353

McAfee is currently reporting the TROJAN that is included with Tor Browser Bundle v3.5.1, so I am unable to run it. This is the version downloaded from torproject for users in the UK.
The trojan included is a "profiler", it steals information and tracks people after giving their details to a site! Thanks for not checking before you uploaded this to the site for Windows users.
AVG and AVAST also report it and MSE stops the installation too.

Please STOP distributing this Trojan - or find out WHO has added it to your download files. The download needs to be removed until examined. Not all antivirus can be wrong and people should NOT allow the Trojan to run. NEVER EVER do that.

As I understand it, Erinn et al are looking into this currently.

But it's very likely a false positive -- there's a recurring theme with antivirus vendors where any new binary we put out is suspicious simply because not enough other users have tried running it yet.

Please let us know if you discover more concrete information than "I ran a program and it told me to be scared." :/

Here is the virustotal analysis, which says it's clean:
https://www.virustotal.com/en/file/68d00d64b8919db0d18593fee0dbcc9ff80d9b3e04f7cafd8cbdf770ebc57839/analysis/

We looked into it (including a malware analyst) and found it to be clean. A list of AV vendors was also contacted about it and the responsive ones also found it clean. Can you update your anti-virus software and let me know if you are still encountering problems?

Also, now and in the future, can you provide screenshots when you encounter this? It would be much appreciated. Thanks!

Tor Browser Bundle for Windows 8.1

The latest version for Windows is v_3.5.1 and is stopped half way through installation with the following error message -

"Profiler.gen.b"(Trojan) C:\Tor v_3.5.1\Tor Browser\Browser\Firefox.exe

I have sent the file off to be examined, so it should be stopped from installing on people's systems. Any explanation for this?
Please don't say it's a false positive because it is not. It is a virus.

Please let us know what your experts-in-the-cloud have to say.

(Your last line doesn't make any sense to me. The antivirus industry is a guessing game, and they're in a tough position because they have to detect every single scary thing without ever flagging normal things. Are you saying that you're certain that it's not a false positive, because the message from your antivirus thing sounds confident?)

can you do us a favor and upload the file to https://www.virustotal.com/ ?

I scanned my firefox.exe and got no results from any AV programs that I tried. I hate to say it but it's likely just a false positive.

3.5.1 doe NOT work on Windows 8.1 x64 Enterprise edition.

It just hangs after the connect screen.

I use it no problems on Win7

I Had this whole bundle already pretty much from debian. I build it myself

Do you build it yourself using e.g. all the patches that Tor Browser uses?
https://gitweb.torproject.org/torbrowser.git/tree/master:/src/current-patches/firefox

Don't make the mistake of thinking that this TBB is the same one from five years ago (which really was just a pile of individual components mashed together).

No patches from Debian, Ill live with the debian patches :D

you are being attacked in the press again today. It would seem some people need to be reminded this project had nothing todo with TOR mail. One article tried to make it seem as though this project hosted it and gave up info on people it was at motherboarda. I was going to post a reply but needed an NSAbook account and I dont have one, oops I mean facebook

PLEASE
rebuild the vidalia method to switch a NEW IDENTITY, it doesn't have to close the browser and reopen with all pages lost....

To use the method you're looking for, you need to install the Vidalia standalone compiled by erinn available from:

https://people.torproject.org/~erinn/vidalia-standalone-bundles/

But remember that "switching identities" this way only changes your exit point. If other tracking methods have been applied to your session, such as cookies, browser fingerprinting, or logins, switching "identities" won't help secure you that much. Restarting and clearing all session data is the closest way to actually get a "new identity" (which is why that is the new default).

The worst thing for TBB 3.5 is Tor panel and many other functions from Tor panel!!!

What is "this website attempted to access information on an image canvs" warning? what does it mean?
And since it's already established the NSA uses ad networks and cookies to track and identify Tor users, why don't you add an Adblock addon to TorBrowserBundle? AdBlock Plus is open source.

The canvas complaint is a Firefox warning -- I'd suggest going to your favorite search engine to ask it about the phrase.

No, it is not. That warning is added by a Tor Browser patch.

Right you are! I just noticed
https://gitweb.torproject.org/torbrowser.git/blob/master:/src/current-patches/firefox/0019-Add-canvas-image-extraction-prompt.patch
and came back here to correct myself, and here you are already pointing it out. Great.

We should really try to get the TBB people to improve the phrasing on this warning -- I have no idea what it implies, or what it means I should do to correct it, or what I'm giving up or risking by not doing anything.

See
https://trac.torproject.org/projects/tor/ticket/7265#comment:12
for more details and discussion

and
https://trac.torproject.org/projects/tor/ticket/7084
for an earlier but apparently still accurate bug report.

Why so few Obfsproxy bridges? Do the operators know how to run Obfs3 on their relays? Can you help them?

Maybe because obsproxy won't run on RHEL/CentOS v5.x or v6.x systems?

I'd be happy to run obsproxy bridges if the developers went back to code that can be built by any C compiler.

I bet you can build this software on anything if you know what you are doing

In the mean time you should try Yawning's obfs3 C implementation:

https://github.com/Yawning/obfsclient
https://lists.torproject.org/pipermail/tor-reports/2014-February/000454.html

Let us know how it goes!

I have cookie problems with 3.5.1:

Tor Button 〉Cookie Protections
- does not list any cookies
- can not delete cookies
- cookies can not be deleted in Firefox menus either

Worked in 2.3.25 Linux x64

Keep an eye on (or help with! :)
https://trac.torproject.org/projects/tor/ticket/10353

I have just installed 3.5.1 and am also running McAfee. No trojan/profiler has been reported.

However I am going to uninstall it and put back 3.5 until this situation is clarified.

As a matter of urgency, could you pls investigate the above poster’s allegations so that I and all other users can be informed?

Apart from that, thanks for all your work in protecting us from spying eyes.

Great job as usual.

Can we untar this release over 3.5.0 to upgrade or does it need to a fresh one ?

I recommend a fresh one to be safe. See e.g. https://lists.torproject.org/pipermail/tor-talk/2013-June/028448.html where the Tor support team reports hearing problems from people who overwrite.

Is' https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/torbrowser-install-3.5_en-US.exe' a final, rc, beta, alpha or experimental Pluggable Transports version? I don't see mention of any new PT other than test and beta on a recent Tor Blog?

It's a hack that David (dcf) made, using TBB 3.5.

In the not-too-distant future, TBB 3.6 will have the pluggable transports stuff built-in. That's why people haven't been scrambling to make David's temporary hack more tolerable.

Are obfsproxy bridges automatically included and enabled on this PT-TBB or do I have to configure this?

You have to configure them:
https://www.torproject.org/docs/faq#PluggableTransports

I downloaded and installed the ( dcf ) hack, put the hard-coded obfsproxy bridges that came with PT-TBB 2.4.18-rc-1-pt1_en-US and the hack runs fine. If PT is included in TBB 3.6 and millions ( if not all ) of Tor clients use the PT feature, how will 15 ( maybe more by now ) hard-coded obfsproxy bridges handle all the Tor traffic? Not everyone is going to request additional obfsproxy bridges not already hard-coded in TBB 3.6.

To clarify, the pluggable transport stuff will be there if you turn it on (unlike now, where you have to go find a totally different bundle if you want it).

https://trac.torproject.org/projects/tor/ticket/9444
https://trac.torproject.org/projects/tor/ticket/10418
https://lists.torproject.org/pipermail/tor-reports/2014-February/000438.html

We're not going to make everybody use pluggable transports by default. (At least not yet -- and one of the reasons against is the one you describe.)

Tor Browser Bundle for Windows (Version 3.5.1):

Extracting 'torbrowser-install-3.5.1_en-US.exe' with 7zip (http://www.7-zip.org) on Windows OS creates the following directories: (same as TBB 3.5 = same bug = does not work)

torbrowser-install-3.5.1_en-US
|- $_OUTDIR
|- $PLUGINSDIR

In the root directory is 'Start Tor Browser.exe'. Clicking it shows the error message 'Unable to start Tor Browser'.

What to do? Thanks.

It turns out that if you unzip the exe using 7zip, it won't put the files in the right locations for TBB to work. So you do in fact have to run the auto-extractor in order to get things set up right.

If somebody wanted to write a patch to make the self-extractor do the right thing when you use 7zip to unzip it, that would be neat. I'm not sure how complex that would turn out to be.

Why are all of these non-Tor friendly search bars included in TBB 3.5.1?

Google
Amazon
Bing
Ebay
Twitter
Wikipedia
Yahoo

Because they come with Firefox, and we're trying to minimize the number of patches that we have to maintain (and reapply every time Firefox changes).

I guess another answer is that there's no way we'd get consensus on which ones to remove. :)

What is the current opinion about fonts? In the past we have been told not to turn them off (i.e. maintain them as readable) since if they are turned off, we become visible.
Is this still the guidance?
Thanks for all your work. It is appreciated, though it may sometimes not seem to be!

From my perspective, I'd say it's still an open research question.

You could find Mike Perry at a conference, and ask him his current opinion.

Or you could help research what the better answers should be.

Step one is to read https://www.cosic.esat.kuleuven.be/fpdetective/

I know it has been mentioned before, but since about a week or two ago I can't access any .onion sites via TOR... I tried the Hidden Wiki and multiple others pretty much a few times a day every day and they just won't open... Any idea what might be the case? Thanks in advance

Try http://duskgytldkxiuqc6.onion/

If it works, hidden services are working fine for you (you just have bad taste in hidden services).

If it doesn't work, try fixing your clock/timezone/date, upgrading to the latest TBB, etc.

Thank you Tor Project team. Thank you for the good work that you do; your tools are important and valuable, and used mostly by good people, to do good.

From the many other "comments" on this page, it's obvious a few people lack basic courtesy. How shameful and disgraceful that they come here making demands, or using ugly entitled tones to complain.

A message to those delusional rude complainers: CONTRIBUTE TO THE TOR Project, with YOUR resources, be they intellectual and/or otherwise.

Don't just sit there expecting others to freely give to you, don't expect others to freely do everything perfectly for you.

And before you make any demand or complaint, HAVE THE DECENCY to express a MODICUM OF GRATITUDE for the kindly good (and often difficult) work that so many have done to help you... so obviously often without even a perfunctory "thanks."

Hear hear.

We need to get better at helping everybody understand that Tor is a community of people both working to build and analyze tools to defeat surveillance / censorship, and working to teach everybody in the world what that means and why it's important.

Please help!

An important project by fine people.

Is this for real...? Ho and please tell me how can i get rid of the NSA code in my windows .......i get this persistent processes running and i am NOT Allowd to do anything......What the Hell

I'm sorry, was this related to Tor in any way? Or did you get infected by a virus? Or are you just concerned about the security of Windows in general?

That sounds like generic malware. It's very unlikely that it's made by the NSA, otherwise you wouldn't even be able to see the process (it'd hide itself). There *is* "NSA" code in Windows, that's true (technically it may not be the NSA's code, but there are some pretty extreme vulnerabilities that only the NSA is allowed to know about, and very likely legit backdoors as well), and the only way to get rid of that is to switch to something like Linux (note that Linux is not impervious, it can still be hacked, it's just more secure, and more trustworthy). Also, there are many Linux distros ("types") out there which are designed to present a comfortable environment for Windows users (for example, Kubuntu, or Linux Mint).

I suggest you look up the process name on Google (or preferably Startpage), and take action from there. I do NOT recommend using the computer until it is free of this malware. If you have to, just backup your (non executable) files that you may need, and do a fresh re-install (if you are unwilling to switch to Linux, that is).

I was vacationing from before Jan. 27 until today (Feb. 3) and so hadn't known about the new release until now. I'm using 3.5, but the welcome page did not inform me about the 3.5.1 update (I just happened to check this blog to see what's new and found out that way). I know there is usually some lag between when a release comes out and when TBB informs users about it, but a week seems like rather a long time. Is this worth opening a ticket about?

https://check.torproject.org/RecommendedTBBVersions
still lists 3.5 as well. So Mike hasn't yet chosen to have all the 3.5 users get told to upgrade.

Me too I was deceived by this, because the new version contains fixes to security issues, it _should_ be advertised to the TBB user as soon as possible.

And BTW there is already a ticket for this, though it seems it was ignored: https://trac.torproject.org/projects/tor/ticket/9915

installed 3.5.1 browser bundle, however when I click on 'start tor browser' a firefox error window appears saying "couldn't load XPCOM"
I've uninstalled firefox and reinstalled it, deleted the tor folder and reinstalled the bundle multiple times... help?

Tor browser bundle hangs for certain web sites

Here's one, and there are more:

http://www.linkedin.com/company/sephora/careers?trk=top_nav_careers

Symptom:
Tor Browser immediately gets very slow. After 50 minutes, it runs out of memory.

info output:

Could not check applicable rules for about:tor
Could not check applicable rules for about:blank
###!!! ABORT: OOM: file ../../dist/include/nsTHashtable.h, line 172
###!!! ABORT: OOM: file ../../dist/include/nsTHashtable.h, line 172
Feb 03 12:20:51.000 [notice] Owning controller connection has closed -- exiting now.
Segmentation fault (core dumped)
Tor Browser exited abnormally. Exit code: 139

(I don't know how to open a ticket)

I use this thing 24/7:

The one feature you could implement for me would be multiple cookie sessions, so I can log in to the same site, using different identities, concurrently. I believe firefox is unable to do multiple instances.

Could we please have an urgent response from Erinn regarding the allegation that 3.5.1 contains a trojan?
We are told that we should have the latest Tor version, but I am sure that a lot of users are still using 3.5 for fear that there really is a trojan in the latest version.
I too would like to express my gratitude for all the hard work that you do on our joint behalf.
Thanks

Copying from a comment I wrote above --

Here is the virustotal analysis, which says it's clean:
https://www.virustotal.com/en/file/68d00d64b8919db0d18593fee0dbcc9ff80d9b3e04f7cafd8cbdf770ebc57839/analysis/

We looked into it (including a malware analyst) and found it to be clean. A list of AV vendors was also contacted about it and the responsive ones also found it clean. Can you update your anti-virus software and let me know if you are still encountering problems?

Tor seems to connect to ports other than 443 or 80. Doesn't this give away its presence? I mean instead of subtlety or confusion to observers before, now Tor seems to use completely different ports. Please note that I'm just trying to understand.

Anyone has experienced this? My system osx 10.9.1. I want to use TBB when I need anonymity. I download TBB for osx on an intelmac and start to use TBB straight away. it works very well. Thank you.

But I notice in the Finder window where it is located The Date Modified is shown as "1 January 2000". Is this correct? I click on the Torbutton icon and on to its preferences to do a 'Test Settings": The result is "Tor proxy test successful".

I transfer the TBB zip file to a Macbook Air using a USB drive. I want to be able to use TBB on it too. The same "1 January 2000" appears in the Finder window. I double click the zip file and TBB launches successfully with the green screen congratulation that everything is fine and I can start using TBB.

But the problem is it will not take me on to the internet as on the intelmac. Every address I use ends up with "problem loading page". I do a "Test Settings" and the result this time is INTERNAL ERROR which is strange because I am using the SAME application on both computers.

I remove the USB key and download TBB straight from the tor projects website. The result is the same - INTERNAL ERROR.

Anyone can assist me to be able to use TBB on the laotop also. Thank you in advance. I am not a technical person & step by step instructions would be greatly appreciated. Thanks again.

Shouldn't you update the TorBrowser since Mozilla updated FF?
Thanks alot.

Looks like 3.5.2 is in testing:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/Bundle-Data/Docs/ChangeLog.txt

Where can we download it? please.

Link please

Be patient, it should be out real-soon-now.

1/2-offtopic but important:
PROBLEM with Expert Bundle. CAN NOT install on older windows(Windows 98SE). Problem not only on my pc. 0.3.25 was working.
torproject.org/download/download.html.en says
Expert Bundle
Windows 8, 7, Vista, XP, 2000, 2003 Server, ME, and Windows 98SE

Is this normal? Can anyone from Tor distributors solve this?
It's important.
Thanks for reading.

Windows 98, eh? Isn't that unsupported by Microsoft?

This is a "patches happily accepted" sort of situation.

"Windows 98, eh? Isn't that unsupported by Microsoft?
This is a "patches happily accepted" sort of situation."

right but not the point.
Old or not it would be really nice if it would run on this.

Erinn

Re the possibility of a virus in 3.5.1

Thanks a lot for putting our collective minds at ease.

what is the easiest way to transfer bookmarks to a new release? Thanks.

Bookmarks->Show->Import/Export
No onion sites available for me either including: http://duskgytldkxiuqc6.onion/.

Hi to the TOR Team and great thanks to your neverending work and patience first of all!

But today I have a severe problem: After I've downloaded the current version I see that it is somehow bugged, because in the Windows 7 systray I can't find the TOR-Icon anymore after the program has loaded. Wouldn't be a problem, as long as it is usually running fine for some time anyway.
But as we know, from time to time the connections breaks down and you have to click the "request a new identity" option in the systray to reenable a connection.

With this bug that doesn't show the tray icon you would otherwise have to restart the whole TOR / browser bundle, which isn't a real option when you have several tabs openend and don't want to relad them all manually each 20 or so minutes.

So can someone tell me please, if there is another way to demand a new /re-connection to the network without closing the whole browser? I really need this workaround until the thing with the tray icon is fixed, because I really can't reload the whole prog all the time.

Thank you in advance!

I don't see vadalia anymore with the new update . How do access it without interrupting any processes in the new browser ?

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago

The only reason I asked what happened to vidalia is because I'm trying to know is there any way to choose which country you can have your network on ? For example, using only US ip addresses

Thank you Tor
Thanks for the time,efforts,and skills to date :-)

Thank you TOR for the lives you've helped change,
overcoming my own challenges would have been impossible without the work of the TP, and everyone who has contributed to it.

One Question: On the latest update of TOR (3.5.1) the onion icon is not appearing in my systray, my tor browser opens and confirms I am using TOR, when I try to open another concurrently to test if the vidallia warning would pop up it doesn't, instead it says firefox is running.

It seems we did away with Vidallia this update and I'm wondering if this is a normal change. Thanks.

We did away with Vidalia several updates ago.

But see also
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago
if you are missing it.

Whats up with this? I downloaded tor and did all the shit i was supposed to, My friend said the directory is down but I didn't believe him.

"this"? "the directory"? More details needed.

Syndicate content Syndicate content