Tor Browser 3.5.4 is Released

The 3.5.4-stable release of the Tor Browser is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release updates only OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

Here is the changelog:

  • All Platforms
    • Update OpenSSL to 1.0.1g
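As an added illustration (not part of the original post and not Tor Project code), the sketch below triages OpenSSL version strings against the upstream range this page gives for CVE-2014-0160: introduced in 1.0.1, fixed in 1.0.1g. The sample lines are constructed and the Tor startup-notice wording is an assumption. Distribution packages can carry a backported fix under an older version string, so suffixed vendor builds are reported as "unknown" and an "affected" result still needs a check against the package changelog.

```python
import re

# Matches e.g. "OpenSSL 1.0.1f", "OpenSSL 0.9.8k", "OpenSSL 1.0.1e-fips".
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?"
)

FIRST_AFFECTED = (1, 0, 1)   # per the page: Heartbleed was introduced in 1.0.1
FIXED_LETTER = "g"           # per the page: fixed in 1.0.1g


def parse_openssl_version(text):
    """Return ((major, minor, fix), patch_letter, tag) or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    return base, m.group(4), m.group(5) or ""


def _patch_key(letter):
    # "" < "a" < ... < "z" < "za": order by length first, then alphabetically.
    return (len(letter), letter)


def heartbleed_status(text):
    """Classify one line as 'affected', 'fixed', 'not affected' or 'unknown'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    base, letter, tag = parsed
    if base < FIRST_AFFECTED:
        return "not affected"          # branch predates the heartbeat code
    if base == FIRST_AFFECTED:
        if tag:
            return "unknown"           # vendor or pre-release build: check changelog
        if _patch_key(letter) < _patch_key(FIXED_LETTER):
            return "affected"
        return "fixed"
    return "unknown"                   # later branches are outside this page's scope


def audit(lines):
    """Return (line, status) pairs for every input line."""
    return [(line, heartbleed_status(line)) for line in lines]


# Constructed sample input: `openssl version` style output plus a Tor-style
# startup notice (the notice wording is assumed for illustration).
SAMPLE = [
    "OpenSSL 0.9.8k 25 Mar 2009",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "Tor running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1g.",
]

if __name__ == "__main__":
    for line, status in audit(SAMPLE):
        print(f"{status:13} {line}")
```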


Mew not updating

indeed not updating at all


"Snowden also urged members of the Council of Europe to encrypt their personal communications. He said that encryption, used properly, could still withstand "brute force attacks" from powerful spy agencies and others. "Properly implemented algorithms backed up by truly random keys of significant length … all require more energy to decrypt than exists in the universe," he said." Source:

Does this mean that we are safe to download things anonymously/without getting caught?

This means that the tor browser bundle is no longer vulnerable to the Heartbleed openssl vuln.

If you are downloading something online with tor that you are worried about being caught for, maybe you should not do it. It gives the rest of the users a bad rep.

If you are downloading something online with tor that you are worried about being caught for, maybe you should not do it.

That highly depends on what your local / national lawmakers deem illegal. Saying that you do not fully agree with your country's president may be just that.

I totally agree. The entire purpose of tor is to access things online that you are worried about being caught for. If you aren't worried, why use tor? Just access it directly.

Tor is designed for online civil disobedience, which in some cases is vitally important to pursuing freedom.

No, you're not thinking big enough.

Consider how to answer the ordinary people who ask you "what do I have to hide?" and why they will wish they'd be using Tor.

In many cases people are bad at judging what they should be worried about. Being safe on the Internet isn't just about breaking (bad) laws and hiding (ethical) unpopular activities.


And see the many examples I give in the "Internet Days" talk in Stockholm, at point 'h' of

No, "Tor was originally developed..., for the primary purpose of protecting government communications"
TOR is used to protect people from Identity theft."

Does this mean that we are safe to download things anonymously/without getting caught?

Safe from whom? from what? from where?

There is no such thing as 100% safe-to-use product, especially for one that is built for use on the internet.

Having said that, please refrain from using Tor to download stuff of massive sizes as doing so will slow down the whole Tor network considerably. Be considerate.

"please refrain from using Tor to download stuff of massive sizes"

So downloading pr0n is okay as long as the calks and breasts featured aren't too large?

You da man Mike Perry!

An error for writing keeps coming up every time I try to download it

Details? (Are you trying to save it to a place that you can't write to?)

A big thanks to Tor developers for their swift response and coming up with new Tor bundles.

Secondly will Tor developers request Tails developers to come up with a fix for their current version 0.23? Since all network connections in Tails are torrified, it means Tails' users are vulnerable to the "Heartbleed" attack, yes? no?

Tails uses debian oldstable, so it is not affected by this attack. Go them. :)

Tails uses debian oldstable, so it is not affected by this attack.

Yes, I know that Tails uses Debian 6.0.9. but it uses the Tor client, yes? no? If the answer is yes, then Tails should upgrade the Tor client, which means issuing a newer version of Tails, maybe 0.23.1

Does not matter: heartbleed does not depend on tor client, it does depend on openssl. Older versions of openssl (like the one tails is using) are not affected


Not specific to this release but thumbnails on about:newtab are broken. Instead, 1933 byte blank white PNGs are generated in \Data\Browser\profile.default\thumbnails.

Interesting... This does not happen for me on my Linux box. Which operating system are you using? Does this always occur? With a clean new, say, 3.5.4? I.e. if you delete that thumbnails directory is it getting created again with the PNGs after entering about:newtab?

1. Can't guess by the slashes? (Windows 7)
2. Yes
3. Yes. It worked pre-FF24 and it works in FF24 ESR.
4. Yes, no change

I only get an empty thumbnails folder, strange... And if I delete it then it does not come back on my Windows 7 test box. Are there some special steps to reproduce your problem?

Disable private browsing mode.

I see. This is now.

As always you guys fail to be clear and confuse the hell out of me. Are Vidalia Bundles updated as well? Why do they have to use different versions? Why don't you just add release dates to the download page? And why is the TOR.exe in the Browser Bundle dated 2000-01-01?

It looks like the Vidalia relay and bridge bundles were indeed very quietly updated:

Why do they have to use different versions of what?

Re dates on the download page, good idea.

Re the 2000-01-01,

By different versions I mean why does the Browser Bundle and the Vidalia bundles have to use completely different version numbering? Together with absolutely no date on the download page provided there is no chance to compare if they contain the same version / if they have both been updated.

Also, thanks for the link about the timestamps but I still don't get why TOR in the browser bundle has a filedate from 2000 while the one that comes with the Vidalia Bundle does not.

Bottom line is, make things easier to understand. If you blog about TOR Bundle updates tell us about Vidalia bundles as well. Add file/updated dates to download page. Two small changes to make things easier.


Thank you guys. I appreciate the effort

A big thank you to everyone at the tor project. Thank you for your continued hard work and dedication to a free and open internet and by extension a free and open planet.

Everyone else if you can please consider a donation or run a relay. A little can go a long way

Hi, how about the beta version though? Would the 3.6-beta-1 be getting an update as well?

It will. They're working on it now.

Awesome. Thank you!

Signature please.

I don't see a torbrowser-install-3.6-beta-2_en-US.exe.asc in /dist/torbrowser/

I bugged the TBB people and they put one up. Thanks!


Google’s Safe Browsing IS AGAIN not deleted from Firefox!!!! You need to do it manually!

This version has AGAIN a unique ID where Google can track you!!

Means, Google is able to track you any time you start using TOR!!!

Can't understand why the developers don't take care about this...

Please show us how to manually delete Google's Safe Browsing from Firefox or Iceweasel.

Note to Tor developers: Could you please ensure that Google's Safe Browsing is deleted from future versions of TBB?


1.) it would be good if you'd supply circumstantial evidence as a basis for your statement

2.) I did check this release

and found this:

3.) however I think having these features in a privacy enabled browser is really strange even when deactivated

yes all google safe browsing urls are still existent and could be brought back into operation

Firefox today is really tainted by googlemoney, it needs a good scrub


Snowden is a true hero, shame on NSA that is evil than communism or nazism.
Guess who is the next heartbleed: TrueCrypt, OpenSSH, PGP or Tor?

What about TorBirdy with Tor Launcher, will it get an update ?

So there is no reply to this ?

There is something very eerie about this.
It seems a little "bug" (kinda cute little word isn't it?) in the encryption software has basically rendered all supposedly secure and private internet traffic completely insecure. Golly!

Many things point to that this "lil' bug" has probably been implemented and exploited for a long time by the NSA. Gosh!

I remember thinking that the stories behind both the SR and FH busts last year seemed contrived and also overly stressed the fact that Tor wasn't compromised. Oh no! How could it be, it's open source etc.!

Think about it. IF there was (and apparently there was) a virtually untraceable way of monitoring supposedly secure traffic, the NSA wouldn't do anything less than milk it for all it's worth.
The takedown of Freedom Hosting and Silk Road was done in a manner of "we cannot let this go on" but "we still want to wait and milk more info".
I'm starting to think all traffic over Tor for the last two years is compromised.

As you know, users' privacy is most violated when they install malicious software that contains backdoors.

When will the TorProject begin codesigning the TBB with an Authenticode Certificate to raise users' confidence that the package is legitimate and hasn't been tampered with?

Today, Windows users are warned that new versions of TBB are likely malicious because there's no way to build reputation unless the downloads are properly signed.

Signing is easy to do (see and you probably could get a major CA like GlobalSign to give you a free certificate.

The downloads are already signed using a HTTPS certificate, the whole Tor's homepage and download directory from which you get Tor is HTTPS. I believe this would give at least the same security as Windows codesigning would.

On top of that, every release from Tor is also properly signed using PGP, which (although tricky to verify on Windows) does provide better authentication than HTTPS or Windows codesigning does when used right.

But besides that, one more way to verify the authenticity, that Windows users are familiar with, would be good. Maybe you should file a ticket about this (assuming one doesn't already exist), on:

What happened to Noscript?

More details? I'm using TBB 3.5.4 and my noscript and https-everywhere (I assume you're the below commenter too) seem to be working fine.

What happened to https everywhere?

Bro, what happened to NetZero? That was going to be the future, man.

I still have an account with NetZero for emergency purposes.



I have installed 3.5.4 but, as I have reported regarding earlier Tor versions, both ip-check (with and without JS) and Panopticlick (with JS) can get my screen size - and they still get EXACTLY the same one.

If it is a bug, I would like to report it but I do not have the necessary permissions to do so.

Help !!!!! (Please)

What do you mean with "necessary permissions"? You can use the cypherpunks account if you like. See: the Welcome section. That said, bug 9268 is probably what you want. Could you test the latest .xpi attached there and report back whether it fixed your issue?

EDIT: And, no, neither maximizing nor resizing the browser window is currently working properly wrt to hiding your screen size. So, if you do one of those things or both you probably won't see the expected multiple of 200x100...


Re 'necessary permissions' - In a previous post (re 3.5.3) you said: " feel free to open a ticket in our bugtracker at".

I went there, went to "Choose New Ticket to create a new bug report or feature request", chose 'New Ticket' and got the message: "Error: Forbidden
TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

I'll do what you say.



I tried to do what you said. I probably did everything wrong but, as I suspect is the case with many people who use Tor, I didn’t/don’t really understand what is being said.

Anyway, what I did is:

I downloaded Bug Report 9268 and read it.
I downloaded the xpis: torbutton- and torbutton-
I read the instruction: “You need to patch torbutton.js file inside of” under Comment 13, but do/did not know how to do it. As there are no instructions I had to guess, as follows:

I added the above xpis in turn – starting with - to the ‘extensions’ folder found at:
C\user\My Name\desktop\Tor browser\data\Browser\Profile default\Extensions.

Via (Yes, I know that at least one contributor does not think much of this checking site, but –with JS enabled or disabled - it manages to detect the same screen size (not rounded) as Panopticlick does with JS enabled) I scrolled down to screen-size. It showed a rounded size. Success!!! I thought.

I closed the browser and turned off the computer. I then turned it on again, to check if I would get a rounded screen-size again. No, it was back to the original screen size. I turned the computer on and off again three times but each time I could not reproduce the rounded screen-size.

I then removed xpi and put in its place and then checked the screen-size with ip-check. I got the rounded size. I turned the computer on/off three times and still got the rounded size. Was this success??? To make sure that the rounded size was being ‘detected’ and not just being brought back from some sort of cache, I cleaned the computer with Glary Utilities 4 and then with CCleaner 410 and then re-opened the browser and checked the screen-size with ip-check. I was back to the non-rounded screen-size. I also checked with Panopticlick and got the same non-rounded screen-size.

I don’t know what to do.

Maybe my problem started with my not understanding the instruction: “You need to patch torbutton.js file inside of” but I don’t know how to do that. If you (or someone) will enlighten me, I will do it and report back.

Should I now file a bug report?

Thanks for the assistance

I'm running a debian 64bit wheezy kde.
When I run start-tor-browser, "Tor unexpectedly exited." appears. It has happened since this version; with older ones it doesn't happen! I tried in many user sessions and tried "killall tor", restarting, and nothing. I tried deleting and downloading again. Also checked the user owner.
Also I can execute older tor!

What can I do???

Best answer is to try the helpdesk or irc. A comment in a blog post is not a good place to track down your issue.

Is Tor still using 1K RSA?
And are bad relays mentioned here excluded by default in TBB?

A) For relay identity keys yes, but not for circuit encryption keys or for link encryption.

B) blutmagie just tells you what's in the Tor networkstatus consensus, so yes.

What do you think of this

The erratasec person sure does like blurring details and getting attention. His math was wrong, because he computed the chance of picking a single 0.2.3 relay, not picking solely 0.2.3 relays for your whole circuit.

I think it's unlikely that NSA breaking 1024-bit RSA is the low-hanging fruit here. Especially given all the code security issues in libraries and browsers we've been seeing lately.

All of that said, the Tor release (published February 28 2014) should put these issues to rest:

That awkward moment when doesn't comply with EFF's HTTPS deployment recommendations

Hm? Details please?

For example, uses AES_128_CBC_SHA, EFF recommends using GCM instead of CBC, and SHA256 instead of SHA, read the link...

Fantastically fast response to heartbleed! Thanks guys. Just one thing:

Have you updated the EC2 AMI (to include OpenSSL 1.0.1g) for bridges-in-the-cloud? Or do we have to 'sudo apt-get install openssl' for each bridge?

I have linux Tor browser 3.5.4 installed, but it's reporting "Browser out of date". Only version on the download page is 3.5.4

The Tor Cloud bridges are self-updating, though the older ones based on Ubuntu Lucid will not get the latest OpenSSL update. That said, Tor Cloud operators should manually generate new keys, if possible.

Well my Tor cloud bridges have not updated themselves. (They are running Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-virtual i686).) sudo apt-get fails: "disk full" (even though it isn't). In fact even sudo apt-get update fails trying to update Tor: "Err experimental-precise/main i386 Packages 404 Not Found [IP: 80]"

Wonder if it's possible to replace one AMI with a new one, without incurring any charges ....

To clarify the previous comment; Tor Cloud bridges running Ubuntu Lucid will not be able to update to the latest OpenSSL, but they are not running the vulnerable version either. The version in Lucid is 0.9.8, heartbleed was introduced in 1.0.1.





Yeah, I bet there's a way, but I don't know what it is either. I recommend either reading the Tor Launcher code, or participating in irc and becoming helpful and then hoping somebody will look it up for you. It's easy to do with Tor, but I bet the Tor Launcher folks didn't think to make it easy.

Screen size

I am rather concerned that I was invited by GK to lodge a bug report re the inability of the Tor browser to round my screen size to 100, but when I try to do so I am refused access as I don't have the necessary permissions.

Another contributor said that he/she has the same problem, so it does not appear to be a problem with just my machine - running Win 7.

So that I know if I and the other contributor are unique, could I trouble people to report, stating their operating system, whether Tor 3.5.4 does or does not round their screen size to 100.

In the meantime I would be grateful if GK could tell me how I can lodge a bug report.


You can find a login on the front page ( if you don't want to make an account of your own.

(If you make an account of your own though, you can give it an email address, and it will mail you when the ticket updates. That might be nice if we need you to respond to questions / suggested patches / etc.)

Have executable "naked" Tor versions 0.4.21 (stable) and (alpha) been compiled for MS-Windows & uploaded to the distribution platforms ?

Maybe just me, couldn't find them on the site :-(
Can you please make a conspicuous link to both ?

You might like the "expert bundle" in the Windows section of

Torproject is now officially a sad joke. Goto about:config and type "www" or ".com" or ".org" and look at the staggering number of potential built-in leaks.

And you can't even see what nodes you're connected to anymore, that means you can't even tell if all 3 nodes you're using are all in the same country owned by the NSA.

It was fun while it lasted, but looks like it is time to start a new anonymous browsing project.

Sounds great. You'll probably want to use Tor in your anonymous browsing project, and you'll probably find the Tor Browser design document useful too.

...and once you're on that track, maybe you'll find it more fun to write patches for Tor Browser?

My tor doesn't work after the last update. I keep getting this error message. Can't load xpcom.

Your antivirus is preventing your Tor from talking to itself.

I recommend googling for the problem and its solution.

for whatever reason I didn't think about this until now, but should "httpseverywhere_ver. 3.5" be temporarily disabled or should the update to 1.0.1g take care of everything?

httpseverywhere and openssl are different things.

I know. I was wondering if I should temporarily disable httpseverywhere due to the bug in openssl. I wasn't sure if SSL connections continued to remain vulnerable (other sites not renewing certificates, etc.) I didn't want to force SSL through httpseverywhere, but if the 1.0.1g update patched the bug, then I shouldn't worry about it anymore? Sorry, if I'm not being clear.

httpseverywhere makes you opt to use https on a few sites that support it but don't switch you to it by default. It doesn't make you stop using https on the other sites.

If you're in a position where some websites might not have upgraded and you're sending them sensitive info, the best plan might be to stop using the Internet for a while. Disabling httpseverywhere won't really change the threat much for you.

RSA 1024 bit has been hacked. TOR uses RSA 1024. Isn't this a security problem? Why not use AES 256 and plug the hole?

I suggest you learn more about the various keys Tor uses, including link encryption and circuit encryption, where we've moved to curve25519.

Also, AES 256 is not a replacement for RSA 1024 -- one is symmetric crypto, the other is asymmetric crypto.

So you are right to be concerned, but there's a lot to learn, and a pile of blog comments here is probably not the best place.

In normal firefox (V28.0), can websites read each others' cookies? If so, is there a way to prevent them from doing so?

Gosh, I hope not. Why do you ask?

Also, asking about normal Firefox on a Tor blog post is not really a great place to get support.

I'm using Ubuntu 14.04 LTS.
How can I run Tor in Ubuntu 14.04?

I used to run Tor in Ubuntu 12.04, very well.
(e.g., extract -> just run 'tor')

But Ubuntu 14.04 can't.

Anybody help me.

-Thank you.

I have the same problem...

I suggest you open a question on and see if somebody there who runs that version of Ubuntu can help.

Did you try:

# aptitude install tor


This isn't going to get the person a tor browser bundle, and without the tor browser part, they're unlikely to use Tor safely.

What do you think about tails?

Just try to use it as a LiveCD with Virtual Machine.

When I update Tor 3.5.4 and re-start the browser, it tells me that I need to update. Looks like the update isn't working. I tried 3 times with no success.

This bug is fixed in TBB 3.6-beta-2:

Sorry to comment here on this, but has anyone else noticed that TOR connections are infinitely faster since the HeartBleed bug was fixed in the latest TOR packages?

I'm getting my web pages nearly 10 times faster (yes, I checked to make sure that page caching was off in my TOR Bundle) now and I'm wondering what caused the exceedingly great change in the speed of TOR.

Which Tor bundles were you using earlier?

The Tor network in general has gotten a lot faster in the past years, as more capacity has come online.

Thanks TOR proj ! A suggestion: It would be helpful to provide a search feature for your site. Also, detailed instruction or links for root access/jailbreaking for various models/operating systems. This would seem germane to the ideals and reasons for this great service.

the Apr15 post critical of the Project's course may have been snotty but your reply avoided any mention of the issues raised. this is becoming a habit, unfortunately.

Sure. Answer #1 is "because those are in Firefox" and "you can still attach Vidalia if you want".

Answer #2 is that I don't know the details of why those are in Firefox, and maybe somebody should look at it. But why do you always expect it to be me? Just because I'm the last Tor person still willing to respond to blog post comments here doesn't mean I know everything. :) You (yes, you, the one reading this) should investigate and contribute.

And the related answer #3 is that tucking your question away in the blog comments is a great way to not get a good answer. Let me direct you to three options that are more likely to help you:
A) irc:
B) stackexchange:
C) helpdesk:

Hope that helps!

How to enable save current session tabs and open webpages.
Or How to restore previous browsing session if tor browser does not close properly
