Tor Browser 3.5.3 is released

The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release also includes important security updates to Firefox.

As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

Here is the complete changelog for 3.5.3:

  • All Platforms
    • Update Firefox to 24.4.0esr
    • Update Torbutton to
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
    • Update NoScript to
    • Update Tor to
    • Bug 10237: Disable the media cache to prevent disk leaks for videos
    • Bug 10703: Force the default charset to avoid locale fingerprinting
    • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
  • Linux:
    • Bug 9353: Fix keyboard input on Ubuntu 13.10
    • Bug 9896: Provide debug symbols for Tor Browser binary
    • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Why don't you make a distribution in zip format for windows?

Because they're all working on other bugs.

Maybe you will do it?

You don't need a zip package, the installer doesn't write anything to registry.
I've checked it with RegShot before and after running the installer.

why has this update still saying need update ? is there some sort of spoofing attack in progress ?

Did you unpack your new one over your old one? If you do that (to be clear, you shouldn't) then it might get confused and try to remind you about needing an update.

thank for reply... i did remove the old version and install new version as i always have done for years with no problem... btw i used the new tor browser bundle today after my reported experience and it seem the issue has gone away :D

Why don't you turn on TLS 1.1 and 1.2 in the browser?

TBB uses Firefox ESR. Current version is 24.4.0.

TLS 1.1 and TLS 1.2 were not enabled by default until Firefox 27.

Next Firefox ESR release will be 31.

Yep. See also

Thanks for TBB!

Whats wrong with you?
We dont want install TBB like a program.
We need an portable TBB!

It is portable -- the location you install to is a portable TBB. Move it around however you like.

"What's wrong with you?"

I'm afraid that the question, more appropriately, appears to be:
What's wrong with you?

This might be a total noob question, but what's the difference between exporting bookmarks to an HTML file, versus backing up bookmarks to a JSON file?

I ask because everytime I download a newer version of the TBB, I have to re-populate the bookmarks menu.

Thanks for all the work you guys do.

From what I could find, restoring from JSON will replace your bookmarks with only what is in the backup file. Using a HTML backup will just add to your existing bookmarks. (source:

It sounds like you know how to do so, but just in case: restoring bookmarks can be done the Show All Bookmarks window (Ctrl+Shift+O). To restore from JSON, use the "Import and Backup" -> "restore" -> "Choose File" and to restore bookmarks from HTML, use "Import and Backup" -> "Import Bookmarks from HTML."

Can I just overwrite the Pluggabe-TBB with this TBB?

Overwriting TBBs will have unpredictable effects currently. See the same question farther down this page.

Yeah, overwriting TBB's will cause issues ranging from wrong version of X extension to just not wanting to boot up.

I've pretty much resigned myself to "Have to go the clean installation in a new directory and just import bookmarks!" route when I am updating to a new TBB.

I download the files:

Previous version files are missing:


I run the script:

#! /bin/bash

echo "" | cat - > file.txt

sha256sum -c sha256sums.txt 2>&1 | grep OK >> file.txt

echo >> file.txt

for a in sha256*.asc ; do
gpg --verify $a sha256sums.txt >> file.txt 2>&1 ;
echo >> file.txt

echo >> file.txt

gpg --verify tor-browser-linux64*.asc >> file.txt 2>&1

echo >> file.txt

Running less file.txt I can see a singnatures mess:

gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

gpg: Signature made Wed 19 Mar 2014 09:26:01 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

I check "mikeperry" signature manually:

gpg --verify sha256sums.txt-mikeperry.asc sha256sums.txt

gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE

Why Mike Perry signature displayed as Erinn?
Where is the other signatures?

:( I think you're right.

what does it mean "Couldn't load XPCOM."

Sounds like you're using "WebRoot Internet Security" or some similarly broken antivirus thing and it is preventing your Tor from working right.

Yes, I use "WebRoot Internet Security", I just turn it off webroot and Tor is working right now. Thank you very much.

Thanks guys!

Cool :)

so the workaround for webroot?

Option 1, complain to webroot that their thing is flagging Tor when it shouldn't. Then wait for them to fix it. Apparently this worked once in the past.

Option 2, whitelist Tor in your webroot config. I don't use Windows, so I don't know what you need to click.

Option 3, stop using webroot (and optionally replace it with something else from the same protection racket genre).

Please feel free to chip in with a good option 4 here. :)

im sort of out of it but is tor able to have torrent used yet and or pirate bay

Still not a good idea.
(See my answer there, not alas the one with the green checkmark by it.)

Please DO NOT use Tor for torrenting!

It does not let me update my Tor bundle when I try to write over the same directory. Why is this? It can't extract anything and I have to abort the install.

At this point you will end up with unpredictable effects if you try to overwrite your current install. The better answer is to unpack the new TBB into a fresh location.

can not open tor in google


Windows 7 - Services

Could someone from Tor please advise if there are any 'Services' that start up automatically which, for the sake of security, users should either change to 'manual' or even 'disable'. Equally, are there any that we should not change to 'manual' or 'disable'?


I'm on Windows XP and found that this issue of Tor has repeatedly either made my PC crash and/or can't be opened at all that I have to resort to 'nude' browsing with Firefox. Is it something to do with the software? This is something very abnormal, never experienced something like this before after some 8 years and I've checked that everything else should be normal.

I'm download a file from at 1.2 MB/s using the latest version of Tor. That doesn't seem possible. Is there something wrong with my program?

1MByte or 1Mbit?

Either of them are plausible speeds to get over Tor at times these days.

That speed is unlikely, but not impossible.
Go to the below URL to verify that Tor is working as it should:

I can't open .onion websites, only "regular" websites. Why? It's a security problem?

Check clock, date, timezone settings.

Possibly. Check if Tor is working as it should:

If it says you are not running Tor, when you most likely aren't.

Just got to the new TBB but every time I try to open it, I repeatedly get "Tor Unexpectedly Exited-Please Restart This Application" with a mini window saying "Tor Launcher-Tor Unexpectedly Exited". Sorry for the noobie question, but this is the first TBB that has done this and I want to get back to my browsing!

What OS?

OS X version 10.9.2

Does help you?

I can run Tor-browser-2.3 on very old hardware: AMD K6-2 @ 500 Mhz - RAM: 384 MB.
Starting with version 3.5, Tor will not run on this old computer, it fails when trying to install it, and if I install it on a newer PC and create a zip package to extract in the old one, it also fails when launching "Start Tor Browser.exe"

Application exception occurred
Exception number: c000001d (illegal instruction)

I have Firefox 28 installed and running in this old machine, so the problem is with Tor.
Is this new version using SSE2 instructions?
Any chance to fix Tor to work again with old hardware?

Wow, I haven't seen mention of that processor family in years.

A few things:

a) The Mozilla Firefox binaries are built with Visual Studio not GCC, which does code generation differently. It is worth noting that the official binaries for Linux built with gcc target i686 and will also not execute on your processor family.

b) There is more that is lacking in K6-2 versus what is expected of a modern ia32 processor than just SSE2. The relevant instructions in this case would be CMOV/FCMOV, introduced for the Pentium Pro.

If you can convince the developers that building the bundle with an i586 target is worth the time, then it should work (for now), though it is unlikely that they can spare build engineer time for that task.

Thanks for the info., but according to this my AMD K6-2 is i686, not i586:
i386 - Intel i386/80386 (in 1985) or AMD386 / AM386 (in 1991)
i486 - Intel i486/80486 (in 1989) or AMD486 / AM486 (in 1993)
i586 - Intel Pentium (in 1993) or AMD-K5 (in 1996)
i686 - Intel Pentium Pro (in 1995) or AMD-K6 (in 1997)
i786 - Intel Pentium 4 (in 2000) or AMD-K7 (in 1999)

So, Tor Browser 3.5.3 shouldn't fail with this processor if compiled with i686 target.
Checking in about:buildconfig I see they changed the compiler from "cl 15.00.30729.01" to "gcc v. 4.6.3" since Tor-Browser 3.0.
The last TBB version I can run with this old machine is Tor-Browser 2.4.18-rc-1

No matter what Pentium family AMD K6-2 is closer, it doesn't support all i686 instructions. Compiling for i686 platform means using of CMOV instruction.
Mozilla claims needs of Pentium 4 or newer processor that supports SSE2.
It's probably bug that it's still works for AMD K6-2, in result.

Problem with AMD K6-2 began when TBB developers started building with gcc instead of cl (Visual Studio).
Up to TBB 2.4.18-rc-1 they used cl as Mozilla developers, but target never changed, also was i686 with cl, so the "bug" is due to gcc.
I've checked with "about:buildconfig" that up to Firefox 2-0-0-x target is i586, and starting with Firefox 3-0-x target is i686.
From Firefox 3.0.x to 3.6.x Minimum Hardware Requirements are the same:
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater) ...

So, if it is a bug that Firefox 28 runs perfectly with AMD K6, this bug is seven years old. ;)
Starting with Firefox 4, they only listed "Recommended" Hardware (not Minimum)
By the way, SeaMonkey still has a "Minimum" Hardware requirements page...
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)...

Now I've tested latest TBB 3-5-3 with a Pentium III @ 450 Mhz and it works fine!

It's no brain to use tor with WinXP even if AMD K6, at least it's possible to find some another browser and to compile all for i586.
Try to use with i486 with almost zero ram and win98 if you want extremal experience.

"at least it's possible to find some another browser"

Using Tor with any other browser besides Firefox/Iceweasel is explicitly NOT supported and not recommended.


Windows 98 (as well as Windows 2000 and very soon Windows XP as well) has not been supported with critical security updates for years now. Using any unsupported OS is downright dangerous. (with the possible exception of a strictly NON-NETWORKED box).

win98 most usable and securest OS ever!!!!!!!!!!!

"Firefox/Iceweasel is explicitly NOT supported and not recommended."
Firefox dropped 32bit platforms actually. You need to have more than 4GB of virtual memory to build browser.
It's wrong that such browser only supported, overbloated software with kludges and security holes by design.

This is documented in

The bug in question is discussing pre-Nehemiah VIA C3, but the brain damage is the same in the K6-2. Code generated with -march=i686 by gcc will use CMOV, and will fail on your processor.

I doubt the tor build people would ever use cl (Visual Studio) to build TBB again as well, given all of the work that has been done on deterministic builds.

Interesting details about CMOV
Then why GCC so hardly tries to use CMOV? Without option to selectively disable it even.

This is orthogonal to "AMD K6-2 is a potato and is unsupported by TBB binary packages", but ok, I'll bite.

For what it's worth on Ivy Bridge Linus' synthetic benchmark is faster with CMOV, so there's that (I did increase the iteration count up since the code as is was fairly inconclusive).

There are certainly cases where CMOV would be a bad idea, and the Intel 64 and IA-32 Architectures Optimization Reference Manual has a detailed description of the tradeoffs. There's also at least one GCC bug open regarding cases where CMOV is used when it should not

There was a patch back in the 2.4.x kernel days (when not-quite Pentium Pro "i686" processors were relevant) that trapped illegal instructions and emulated CMOV in software to allow binaries to run with *terrible* performance for situations like "oh god, fsck on my rescue image is i686 targeted and I have a dinky AMD processor", but it didn't get mainlined AFAIK.

So no profit to use CMOV for such apps like Firefox.
CMOV is optional extension, after all.

Try to use Tails
It's better than no nothing, if it will work for you.

Run Tails with only 384 MB of RAM?

I don't think so.

1 GB of RAM to work smoothly. Tails is known to work with less memory but you might experience strange behaviours or crashes.

But why not to try.

If to stop no need services while to keep tor. Then possible to surf some pages even.

amnesia@amnesia:~$ free
total used free shared buffers cached
Mem: 384652 369220 15432 0 38244 137200
-/+ buffers/cache: 193776 190876
Swap: 0 0 0

If you need Tor enough to consider a change of operating system, I'd recommend Puppy Linux. Its designed for getting the best performance out of old hardware with very limited RAM and the new Tor Browser bundles work on it. Warning: default user is root - you may want to downgrade to user "spot" via command line for security.

"Warning: default user is root - you may want to downgrade to user "spot" via command line for security."

Most important warning indeed.

Have you had success running TBB as 'spot'?


You're running Windows on those specs?

Any version of Windows able to run on such old hardware, with only 384 MB RAM would be an old one that hasn't been supported with security updates for a long time.

I can only hope that your use of this box and certainly your running Tor on it, is for nothing more than testing/playing purposes.

The minimum hardware requirements for Windows XP Professional include:
At least 64 megabytes (MB) of RAM (128 MB is recommended)

WinXP supported with security updates till April 2014.

If this is correct, then I stand corrected.

But since April 2014 is mere days away, the correction is largely moot.

With an old pc windows 7 date/time, I can't connect with this bundle!

Do you mean your clock is wrong and Tor no longer works for you?

Tor needs a roughly accurate clock to work. This has been the case for years.

Are you on Daylight Savings Time?

TAILS seems have the same Browser(TBB) configuration? .Have questions:

WHY new(er) Browser version use WEAKER crypto? **WTF**
On lot off https://..........sites OLDER Browser: camellia_256 / aes_256 etc. .

NEW Browser version: max. aes_128 .............*WTF* again.
TLS 1.0 only activated? Why?
And who is responsible for that? I don't really like to now,but please change it.

Plus someone can make 'Connection Encrypted' info useable.Like Seamonkey.Or
why not?
If i would like browsing with thoughtless lollypolly Disney fastfood feeling,IE/Chrome would be my fav.

The new Firefox 30 look is......funny(-:,too

Re screen-size

Under I posted the following reply on the 17th:

Thanks for your response. I read the bug report you mentioned. Since I am a relative newcomer to this and I am not very knowledgeable about the workings of computers/browsers/Tor I didn't follow what was said very well.
All I can say is that I have used Tor for about 18 months and have always used as a test, The screen-size (ip-check calls it Browser Window - inner size) has NEVER been rounded to 100.
For Tor versions 3.5.2 and I have also checked it with Panopticlick and (with Javascript enabled) Panopticlick gives the same screen-size as ip-check. IP Check gets the screen size whether JS is enabled or disabled.
Sorry, the above may not be much help but if you can tell me what else to check or which settings to change, if any, I will.
Thanks for your help."

I have just carried out the same tests with 3.5.3 and, guess what, exactly the same results as with 3.5.2 and

If other people are getting 'rounded to 100' screen sizes it is possible that one of my settings is wrong, but I don't know what to do.
Please help.
Thanks ?

Still plain, unencrypted http. That means an exit node can tamper with the results.

If the JonDo folks behind ip-check can't or won't even bother to make the site HTTPS-encrypted and authenticated, then how can they be trusted?

As you obviously know more about these things than I do, I understand what you say.

However, as I have said, Panopticlick (with JS enabled) gets exactly the same screen-size as, so I think there must be more to it than tampering.

Also, ip-check can get the screen-size without JS.

Personally, I don't trust ip-check. Not that I think it's malicious, but aside from it's obvious commercial purpose, it makes up the unsubstantiated claim that a longer stream sessions such as the 10 minute one Tor uses is bad for anonymity, and encourages naive users to switch from Tor to JohnDonym as a solution, calling itself "stateless". In reality, a fully stateless anonymity system like that results in *less* anonymity, as it gives a passive adversary more opportunities to surveil and a greater chance of mounting a successful traffic correlation attack. If I recall, there are even several acedemic studies that show the reason why rapidly changing circuits is harmful to anonymity. JohnDonym doesn't even think to look this up before shouting to the naive masses that their commercial product is superior. It's not just problematic because it's dishonest, but because it gives that company a larger profit at the *expense* of the innocent user's anonymity. That's not all they've done to harm people. Who could forget that backdoor JohnDonym added to it's software at the request of the German government. With these points in mind, I urge people not to link to services such as ip-check because it lies to people in an attempt to sway them from a more secure alternative. Now, they aren't as bad as some companies (I'm looking at you, HMA), but they still don't deserve the extra traffic that comes to them when there are already plenty of less biased anonymity-checking websites.
/end rant

All valid points.

Additionally, the failure of JonDoNym to use HTTPS authentication by default for (and any other sites of theirs) should give pause to anyone.

I did not mean to suggest that the results you reported were the result of tampering. Nor that I had knowledge of any evidence of such tampering having ever occurred with

Rather, I was merely pointing-out that the risk exists. And even if it would be determined to be relatively low, the mere failure, whatever the reason, of the JonDoNym folks to implement SSL/TLS across all of their WWW properties seems cause for concern to me.

screensize-problem the same with me too. so no false settings with your tbb.

What OS?

Are you resizing your window (this is not working properly at the moment)? If not, you may run into If that is not plausible either, feel free to open a ticket in our bugtracker at We'd need to take a closer look at your issue then.


As I have said, I have read the bug report but don't really understand it. All I can say is that with Windows 7 and Tor 3.5.2 , and 3.5.3 I NEVER get a rounded widow size - Panopticlick (with JS enabled) gets exactly the same window size as ip-check (with and without JS enabled).
To answer your specific question: No, I am not resizing my window. I don't know how to.


As you have suggested, I have just tried to create a new ticket but when I go to the page that you have stated I just get:

"TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

Pls let me know what I have to do.


>it is possible that one of my settings is wrong
What your settings, do you know how to reproduce never rounded widow size?

Sorry, I don't know what you mean by: "do you know how to reproduce never rounded widow size?".

If, in fact, I do understand what you mean, I don't have to "reproduce" a 'never rounded" window size, I just have to check it via with or without JS enabled and via Panopticlick with JS enabled.

If I haven't understood you correctly, could you please explain what you mea. Thanks.

Sometimes when I start the program it just refuses to open. I have to kill it ctrl+shift+esc and restart. This happens on all 3 of my computers. Has been happening since the first 3.x version. What's wrong?

Might be Does this happen randomly? Or only once? Or...?

It happens randomly. It rarely/never happens with 3.5.3, but it happens often with every other version. Might be coincidental, either way it stinks.

What happened to the stable and unstable Expert Bundles for Windows? Are we supposed to build our own now? And please don't waste my time by telling me I *should* be using the browser bundle...

The captchas in are way too hard and frustrating, please find another solution for it!

I agree 100%! I HATE difficult captchas.

Keep an eye on and the tickets it links to.

There is a bug in TBB 3.5.3.

I am using OpenVPN to connect to one of the VPN gateways/servers, the protocol is TCP.

Next in a terminal window -I am using Debian- I launched TBB.

When I surf to a website, for example, Tails, I launch a root terminal window and type in the command netstat -rn

The results are:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface UG 0 0 0 tun0 UGH 0 0 0 tun0 UH 0 0 0 tun0 UGH 0 0 0 eth0 U 0 0 0 eth0

Notice that on eth0 and gateway, the destination corresponds to the IP address of the OpenVPN gateway/server.

The above did not happen with earlier versions of TBB.

I hope Tor developers can look into the above issue.

What? TBB is an application. It just uses your network. It has nothing to do with (that is, no influence on) what your netstat says your gateways are.

It has nothing to do with (that is, no influence on) what your netstat says your gateways are.

Thanks arma for your reply.

About the steps that I undertook in my earlier post: what IP address will the destination website see? Tor's exit node IP address? or the IP address of my OpenVPN gateway/server? or both?

Would you be able to offer some suggestions on why some websites and forums recommend Tor users to use Tor over VPN or VPN over Tor?

Bring back expert bundles for windows please

I was wondering if I need start page and Ixquick which provide proxy and encryption. I noticed in this version of TOR bundle, HTTPS Anywhere is provided. Should I just get rid of start page and Ixquick?

HTTPS Everywhere have been bundled with the Tor Browser for a long time.

You are already using Tor, so you do not need to use ixquicks/startpages proxy service. Tor provides all the anonymity you need.

If the remote website you visit does not support end-to-end encryption (HTTPS), when it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you).

Startpage is still a good alternative to use as a search engine.

Thanks for the reply. I just noticed HTTPS Everywhere does not encrypt some sites, and what is strange is that ixquicks does allow me to encrypt the same sites that HTTPS does not encrypt, and I can see in the URL address starts with https when I get connected. Can I trust this connection?

That is because that site does not support HTTPS. Your connection to ixquicks proxy is encrypted using HTTPS, but the connection between ixquick and the actual site is not.

"If the remote website you visit does not support end-to-end encryption (HTTPS), when it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you)."

Let's see if we can unpack this...

A web proxy, such as the one ixquick/startpage offers, could indeed tamper with any content it fetches before returning it to you. This is just as an exit node could. But ixquick is far more trusted than a random exit node that could be rogue.

True, sort of.

Also anywhere in the network between ixquick and the destination website could mess with the traffic (just as, without ixquick, anywhere in the network between the exit relay and the destination website can mess with it).

If you trust ixquick more than your exit relay, and also your destination doesn't support https, then it may make sense. This is similar to using Tor to reach your VPN, and then accessing all the destination websites via the VPN provider.

One downside though is that you're centralizing your outbound traffic, such that an adversary who watches ixquick's network gets to see all your traffic, where before maybe they wouldn't get to see it at all. Seeing the outbound side of your circuits is not the end of the world (they need to see the inbound side too in order to win), but it does get them halfway there.

Why is torrc blank??? I tried writing in it and tor doesn't open...

I overwrote 3.5.2 and running in a Trucrypt encrypted drive...


torrc is blank because it uses both torrc and torrc-defaults. Only new modifications go into torrc.

As for "I added lines to torrc and now Tor doesn't open", it sounds like you added bad lines. :)

As for overwriting, be aware that this may or may not work for you. If you get weird behavior, try doing a fresh install.

same adds---

ExitNodes {US}
StrictNodes 1
works on 3.5.2 which I am on now... I will try 3.5.3 again but please confirm this is the right ditty...

I just want to save my settings and avoid a fresh install but if I have to I will...

Thank you for your help,,, I am not a complainer just lazy :)

I'm still using tor-browser-2.3.25-1
Please fix the cookie's been old.

The last Tor version that works with cookies for me is 2.5

How do I know if the data between my server and the onion site is actually encrypted? We are told it is but how can that be proved?

Been having lots of problems with Noscript and no longer trust it.

As for how it can be proved, the whole thing is open source, and we give you a design document and spec too:
So you could look at everything and decide for yourself. Or if it's too complicated for you, you could ask anybody in the world to do it for you.

With HTTPS, one can verify the fingerprints of the certificate.

Is there anything comparable when it comes to .onion sites?

(A means of authenticating that is comparably simple and quick?)

Tor does it for you.

For normal https, checking the certificate makes sense, because it's signed by one of 300 or more certificate authorities, most or all of which have nothing to do with the website you're trying to reach. The traditional CA model is a disaster.

But for Tor hidden services, the addresses are self-authenticating. Tor will verify, for sure (unless the crypto is broken), that you really are reaching the site whose address you told Tor to go to.

Of course, you have to make sure to be trying to go to the right address. If you click on one from a random website that *looks* like your intended hidden service address but actually it's one letter off, then all bets are off.

disregard last comment,,, This is Trucrypt weirdness the overwrite and addition of
ExitNodes {US}
StrickNodes 1

in torrc worked outside of the trucrypt container...

I then added the lines
ExitNodes {US}
StrickNodes 1
to the torrc-default in the truecrypt drive and FF did not open but when I pulled the lines out of torrc-default the torrc addition worked as you noted...



Seems bizarre that an app that needs to be kept up to date requires manual uninstallation and reinstallation (plus bookmark migration) on every upgrade. Could the installer not handle this, hopefully including bookmark migration? Preferably via transparent automatic / approved update within the app itself, per normal browser updates.

Thanks to the team for their invaluable work!

Haven't there been comments from Tor devs stating that they are indeed working on implementing the very type of functionality that you describe?

Yes. Keep an eye on

It's gotten easier now that we've gotten Vidalia out of the way, since now it really is just a browser with some extensions. But there's still a lot of work involved in doing it right, and a lot of downside involved in doing it wrong.

"Also see EFF's interactive page explaining how Tor and HTTPS relate."

The above sentence appears on following page:

It doesn't appear on this page though:

Is this intentional?

Good catch. Should be fixed now. Thanks!

A question to TAILS. =TBB ?

Everytime you open new browser,
connections to (customs here ! ?) AND

Wikipedia , Google ! Whats that?

"Wikipedia , Google"

have seen this,too.
anyone can explain?

Thank you

My bet is that the favicons for those two sites is not bundled with the browser for some reason, but is required by the search bar. So they are downloaded on first startup.

But that is just a guess.

TTB is tor plus browser etc that you install on your HD.

Tails is a linux live disk that includes tor and much else. It is set up so it never writes anything to your HD

@ Arma,

My system date and time were old(but I didn't know that) due system problems.
But I saw this after a while, when trying to connect with Tor on the internet.
After changing the system date and time, the problem with Tor was over.


When do you release expert bundle?

when right click on the -"Start Tor Browser" (exe) icon- in windows, it says "Date Modified: Saturday, ‎January ‎01, ‎2000, ‏‎2:00:00 AM" -.... IS IT NORMAL?

but MINE DOESN'T SHOW 1999... It shows 2000!!!!!!!! HAS IT BEEN TAMPERED WITH????

Read the faq entry. It's because of time zones. It's fine.

Arma is saying that the time/date stamp in question (Saturday, ‎January ‎01, ‎2000, ‏‎2:00:00 AM) is not evidence of tampering.

But, for any download, the only way to actually answer the question,
"HAS IT BEEN TAMPERED WITH????", with any degree of certainty, is through proper verification of the downloaded file. In the case of TBB, this means following the instructions for verifying the digital signature.


A Tor Browser Bundle repository for linux would be nice. That way updates are handled automatically.

But what would be involved in implementing a sufficient degree of authentication for anything and everything obtained through said repo? is not safe!!. i cant believe you guys are using it as standard search engine on tor browser. startpage tracks your IP adress and sends it on to google. want to see the proof??? go search for a normal word. for instance you can search for a company name. then look at the top results. look at the sponsored results AND the top non sponsor results too. they are based on your IP adress. if you search from SPAIN IP adress first couple of results will be from SPAIN sites. search for same term from US IP adress. results will be from US sites. THIS DOESN'T HAPPEN FOR ALL KEYWORD. TRY IT WITHOUT USING TOR then it will be more clear. the results will be specific to your country

WTF! It's true. Startpage and ixquick show country specific results. Never using startpage or ixquick searches again.

Do you mean startpage sends a Tor IP to google or the actual IP where I am connected to my ISP?

startpage and ixquick SUCKS. They send your IP address to Google. They are the biggest online marketing fraud Ive seen. If you use TOR you should be protected. Many people dont use tor and trust them


Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?

"Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?"

they only deduce the location.... then disregard the IP.... hahaha sure.... Trust them with your data

Even if thats all they do with your ip...they are still a fraud and lie in their privacy policy

A Tor exit node IP, if you are using Tor.

Startpage (or any other site for that sake) cannot learn your real IP while using Tor.

I think you are right regardless of what startpage says re/ their sending anonymous requests to google. What browser do you use with Tor bundle?

"What browser do you use with Tor bundle?"

Did you, perhaps, mean to write, 'Which search engine do you use with Tor Bundle?"

Right. Be sure to read

I just wonder;
What happen if I use "vpn gate" and "tor browser" together? I always use vpn gate and than I connect with the tor browser, is it ok? or I could get some security connection problem? Thanks for help.

I love you guys! thanks!

"and a way to prevent disk leaks when watching videos." Does this help fix which is titled: "TorBrowser creates temp files in Linux /tmp & Windows %temp% and OSX(various places) during the file downloads dialog & when using internal browser video player"

Seems to be a problem with the latest TOR and using flickr . If Javascript is enabled to sign on and view albums, with this version the comments do not show up. Tried everything with No Script to fix it but even if noscript is disabled when clicking on 'comments' it just reverts to the image. Could be a no script error or maybe a change with flickr scripts? Any ideas?

Perhaps you had disabled JavaScript via about:config and then forgotten that you had done so?

Another possibility: scripts from other domains than just likely need to be enabled for comment functionality.

(Knowing which domains one must enable scripts from in order to get a give function, such as comments, etc., can be quite a challenge.)

Finally, do you have an Ad Blocker enabled?

Downloaded the new beta version and suddenly flickr is working again.

>do you have an Ad Blocker enabled?
Not an independent program, just as part of my firewall. Anyway the beta seems to have fixed it. Thanks for response.


Just installed the latest version of Tor Browser version 3.5.3 and looking at Firefox Addons found two addons that sound interesting. I am not sure if I need them with Tor so any input is appreciated

RequestPolicy: Block images not from site you are on ( advanced privacy ) addons . mozilla . org/en-US/firefox/addon/requestpolicy/

RefControl: Customize or block referrers per site
addons . mozilla . org/en-US/firefox/addon/refcontrol/

Noscript is the only addon I am using, but I did change the value in about:config from to


Is adding more bridges adds more anonymity to my Tor session, or not?
By the way thank you for changing the captchas in the bridges page on

Adding more bridges probably hurts your anonymity if anything. The more bridges you have, the greater the chances that one of the bridges is observable by your adversary. The ideal case would be to use one very safe (i.e. well located with respect to your location and the parts of the Internet your adversary can see, and also not operated by your adversary) and very stable bridge. The tradeoff of course is that maybe you don't have one.

This question is very related to the question of how many guards you should have:

I run an hidden service using non-https connections, what are the advantages and disadvangates of switching to https (like duckduckgo's https://3g2upl4pq6kufc4m.onion)?

when i tried this link, Tor browser displayed a man in the middle warning??

If you click the warning you'll see that the certificate belongs to DuckDuckGo, verifying the connection's security and not the opposite: the server does belong to DDG and so does the ceritificate.

Copy and paste https://3g2upl4pq6kufc4m.onion and maybe you'll get the same message?

This is the message I get when trying https. I have tried a few times and the result was the same. I have tried many other https sites and all were fine except this site.


This Connection is Untrusted

You have asked TorBrowser to connect securely to 3g2upl4pq6kufc4m.onion, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Prblby, you will coerce your user push one more button when the will come. Because you cert scarcely will be signed by roots.

See, there is already complete answer for your question:

Are you sure that's the correct link? it's not even remotely related to op's question

Win 7 64
Fresh clean install of Tor bundle 3 5 3 (tried multiple times)
Message from Tor:
This browser is configured to use Tor.
Test Tor Network Settings
HOWEVER, this browser is out of date.
Click on the onion and then choose Download Tor Browser Bundle Update.

Umm I am not out of date as I've downloaded and installed the latest bundle.
Any fix to this?

Sounds related to ?

Did you install over an old TBB, or to a new (empty) location?

Please make add-on updates disabled by default in clean TBB installs. I made clean install and as soon as I launched TBB it connected to Tor and updated HTTPS-Everywhere to version 3.4.5 even before I managed to open add-ons and disable automatic updates.

It is known danger that exit nodes can supply tampered add-ons. Even HTTPS is not a solution because powerful enemies can have target server private keys. Lavabit is example how they request SSL key copies.

Disabling automatic updates in TBB leads to a huge amount of users never updating their extensions which is bad. That said you should not have encountered the problem you describe in the first place as we a) ship TBBs with the latest extensions installed. Thus, if you update your old TBB in a timely fashion everything should be fine. And b) HTTPS-Everywhere is already shipped in version 3.4.5 since TBB 3.5.1.

Probably better solutions to add-on auto updates a) When updating TBB make installer install latest add-ons
b) encourage users to make clean installs (with backing up and later restoring bookmarks) as I do.

Updating TBB by writing over older versions can lead to various unexpected problems in addition to easier browser fingerprinting (various custom settings accumulated from previous versions that cold distinguish from clean install of latest TBB).

I can't see the saved cookies in Browser.
How can i change this odd Browser behaviour??

doesn't help.

Alas, there is not much we can do currently besides fixing the Mozilla bug mentioned in But this will definitely take a while.

On all tor 3.5 versions, if choose option "use hardware acceleration", tor crushes (exit with error message) at next restart. Such behavior is detected on windows 7/8.

I suspect that the video driver is bad. Install best driver from video card manufacturer website and see what happens. If the crush (lol!) still exists then come back here.;true

Looks like you have a rat. Would you please track it down?

Hi, I'm getting:

gpg: Signature made Wed 19 Mar 17:25:31 2014 GMT using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "

for the Mac version

Sounds like you might have not downloaded it fully, or it got corrupted, or you're checking the signature on the wrong one, or something.

no return to connect screen after hitting "open settings" button at start.

i miss the message log from vidalia control panel. it was very helpful if u ve a very slow inet connection.

I miss it too. Maybe somebody here will help add something like it to Tor Launcher?

I just installed TBB 3.5.3 on a WIn 7 box by clicking on the downloaded file. However, the installer (1) didn't place anything in the START menu; (2) did not make any type of shortcut on the desktop; and most importantly (3) is not listed as being "installed" in the Windows Control Panel. Is TBB 3.5.3 some sort of a stand-alone product that isn't subject to a normal installation process? If this is the case, where and what executable do I click in order to start the TBB?

Thank you.


Correct, TBB is a standalone program. The installer helps you choose where to put it. You run it by going into whatever folder you installed it to, and running "Start Tor Browser".

update but still say HOWEVER, this browser is out of date.

I have two issues I frequently run into when installing TBB, as I did today on Mac OS X 10.9.2: First, TBB ignores the "normal" OS X way of installing as admin only (possibly additionally permitting them for others, too, as I was sometimes asked), but later using the applications as non-admin user, too. This doesn't work with TBB, but it forces me to install while logged in as the non-admin, who later wants to run TBB, but of course only with admin pass. Just weird.

Second: I have a local Apache webserver at
which serves for local development, and it is defined as homepage in all my browsers, but every new TBB refuses to connect.

Hi dear Tor Team, You're SO great. Thank You, I mean it.

I would want to run two instances of Tor in the same system at the same time, because: I got running some music online flash sound site under Tor in my Linux Mint, but of course, using flash is only good for visual content and so mostly for video and or audio sites, and flash has "low security" in that sense, that in can betray one's IP adress. I would want to run another instance of Tor, where I blog. I already realized, that Tor starts slowly to maybe not at all, if the with mostly "US" ending directory, to which Tor is extracted under Linux, is renamed to anything else. But, the directory can be anywhere. So, I put the "Tor2", as I call it, by desktop link merely, into another directory, and if Tor1 from my normal Tor directory is not running, all is well, Tor2 works, and I can have two (or nor so many) sets of "profiles", so to speak, simply by cloning the first normal directory, copying it, into other directories, and always running, which as of now is only so possible, always only running ONE instance at a time. Because: I tried it out just before. It said, "Tor exited in an abnormal fashion", and it EVEN disturbed fundamentally the running Tor(2, as I call it) sound session with that flash site. Though, that the sound, the next playlist item running, on that flash sound site, did not ensue, can be another reason also, since it just now again stopped. Under Tor, okay, I do take some, well, A LOT of respect to Tor, AND I do hope, that loading youtube vids over Tor does not disturb the Tor servers, by the way, since that soundsite is accessing youtube vids, but of course, by going on that other site, I don't have to go directly on youtube. But, also a bug on that other site, which loads no playlist items anymore after any error occured like "not allowed in your country" (not funny I hate it as we all do!) is displayed, so I'll have to bug the maker of that sound site. What I would find great, is, if we could run at least two sessions, instances of Tor, at the same time, and those two Tor sessions being able to have fully different settings, different activated, installed plugins and all settings. Would be GREAT. Also, do tell people if the Tor Team does not wish people, Tor surfers, to use Tor for youtube-videos accessed by non-youtube sites, since the traffic amount stays the same. I'd say, there are at least 1000 Tor servers worldwide, and Tor MUST announce it BIGTIME on the FIRST upper part of their website, if people should not overload the Tor servers by accessing youtube or other video sites. Thank You, Tor Team, like Assange, we who are for him and You too in a different, technical way, we are the good Ones. Skol. Cheers.

If getting "can't load XPCOM and you are using Webroot --
You just need to 'allow' xul.dll
In Webroot go to:
Identity Protection
Application protection
Allow - xul.dll
See more here:

Syndicate content Syndicate content