Tor Browser 3.6-beta-2 is released

The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.
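The following is an added example, not part of the original announcement or any Tor Project code: a small Python check that classifies an upstream OpenSSL version string against the releases affected by CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1), with 1.0.1g as the first fixed release. The function names and sample strings are constructed for illustration.

```python
import re

# Upstream OpenSSL release strings: three numeric parts plus an optional
# patch letter, e.g. "1.0.1f" or "0.9.8y"; "-betaN" marks a pre-release.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

# Constructed sample inputs in the style of `openssl version` output.
SAMPLES = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, prerelease) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def heartbleed_status(text):
    """Classify an upstream OpenSSL version against CVE-2014-0160."""
    major, minor, fix, letter, pre = parse_openssl_version(text)
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "not affected"    # 0.9.8 and 1.0.0 have no heartbeat code
    if branch == (1, 0, 2) and pre == "-beta1":
        return "affected"        # the one affected 1.0.2 pre-release
    if pre:
        return "check advisory"  # other pre-releases are not classified here
    if branch == (1, 0, 1) and letter < "g":
        return "affected"        # 1.0.1 (no letter) through 1.0.1f
    return "fixed"               # 1.0.1g and later releases


def classify_all(lines):
    """Map each input line to its status."""
    return {line: heartbleed_status(line) for line in lines}


if __name__ == "__main__":
    for line, status in classify_all(SAMPLES).items():
        print("%-34s %s" % (line, status))
```

The version letter is only meaningful for upstream builds: distribution packages may carry a backported fix under an older letter, and builds compiled with `-DOPENSSL_NO_HEARTBEATS` are not affected regardless of version.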

This beta also features a Turkish language bundle, experimental JavaScript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

  • All Platforms
    • Update OpenSSL to 1.0.1g
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update fte transport to 0.2.12
    • Update NoScript to
    • Update Torbutton to
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
    • Update Tor Launcher to
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
  • Linux:
    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 11286: Fix fte transport launch error

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

I thought the 3.5-4 release had openssl fixed.

TBB 3.5.4 does indeed have a fixed openssl. (3.5.3 did not.)

TBB 3.6-beta-2 also has a fixed openssl. (3.6-beta-1 did not.)

The NSA has exploited Heartbleed bug for years, Bloomberg reports.

Do you still believe in TOR!?

I'm assuming that particular article is nonsense until somebody shows up with some actual details. I guess it's hot to point at NSA conspiracies these days. But doing it in this case undermines the *actual* NSA conspiracies that we should indeed be upset about.

And yes, pretty much no matter how this particular story goes, you'll still be happier that you used Tor than that you didn't, over the past years. The Internet is a rough place without something like Tor.

What a coincidence, these "reliable sources" just reveal this astonishing information after the Heartbleed bug was well known.
Plus, the Snowden papers refer to TOR and the NSA trying to break it, and they also refer to how the NSA has its hands on a lot of SSL certificates, but they don't say a word about the Heartbleed bug so far.
Bloomberg is just exploiting the situation to make some buzz in my opinion.

Downloaded, installed and running on Win 8.1 Pro. 32bit. No problems so far. Thanks for the update!

TBB hangs on 'loading relay information'. I have to close TBB and restart it 3 or more times before TBB will connect. I am using PT-obfs 3. Maybe all the obfs 3 bridge relays are busy?

TBB continues to hang on 'loading relay information'. Eventually connects after several exits and restarts.

Thanks for the rapid update to 3.6-beta releases!
There used to be an annoying gap between normal releases and PT bundles.

Newbie question maybe, but I now have Norton Hotspot Privacy VPN. Since I use Tor Browser are there still benefits to using the Norton VPN?

Without knowing the product in question, I would say, in general, commercial VPN sw and services are USELESS for maintaining your anonymity.

They work for circumventing DNS/IP range blocking and that's about it.

VPNs can also be useful for protecting against eavesdroppers on public/untrusted networks, such as public WiFi.

(But remember that the VPN sees all your traffic. And if you think they won't hand over all they know about you under any pressure...)

If I use a VPN and then use Tor, can the VPN see my traffic?

I would use just Tor Browser. Norton have worked with the NSA and there is a chance their VPN service could log all your activity.

but I now have Norton Hotspot Privacy VPN.

Ditch Norton products. Symantec/Norton is a close partner of NSA. Have you heard of Edward Snowden, NSA's whistleblower?

You are wasting your money.

Yup. Didn't know Norton connexion though. Thanks for pointing it out. What about Hidemyass for anonymous browsing? And Hushmail for email? They were mentioned in Cole Stryker's book, 'Hacking the Future'.

Hidemyass is famous for turning over some kid who was maybe part of Anonymous. And when he confronted them, the conversation went something like "well, what did you expect, you did something a government didn't like" "but you're named hide my ass!"

Hushmail on the other hand is famous for turning over the mailboxes of its users to various law enforcement groups, despite claims that they technically can't do it. See e.g.

The lesson here is that all of these centralized for-profit companies that claim privacy are in fact still centralized. It's privacy by promise, not privacy by design:

"Hidemyass is famous for turning over..."

"Hushmail on the other hand is famous for turning over.."

Perhaps you meant to write, 'infamous'?

Thank you for the advice. Norton subscription cancelled.

how to create windows shortcut for new

Where can I find Vidalia's Network settings page in this version? Thank you.

This method does not work (Linux Ubuntu 12.04).

Dates of certificate issuing: (05:CA:*): 2014-04-09
* (09:48:*): 2013-10-22

Are you planning to get a new cert for the latter?

Today is the first time I noticed these torproject certs.

* —
Serial Number:
Issued: 10/22/2013 Exp.: 05/03/2016 — SHA1:
Serial Number:
Issued: 04/08/2014 Exp.: 06/14/2017

If the one for * was issued back in October, why is it first being used now?

Below are the certs I had been seeing prior to today. What happened to them?


I asked Andrew, and apparently we rekeyed the cert in place. Who knew such a thing could be done?

Before fixing the openssl, what is bad made to tor user?

Is something going on with the tor network? Connecting with the normal bundle is difficult and using obfs3 in the beta is slow.

Yes, obfs3 is very slow.

The speed of obfs3 depends a lot on the speed of the bridge you're using.

obfs2 and obfs3 shouldn't be any slower than normal Tor, if the underlying bridges / relays are the same speed.

Maybe you should spin up your own obfs3 bridge, e.g. on Amazon cloud or some VPS somewhere, and route through it?

Any comment about the connections to IP immediately after startup?

That looks like one of the 5000+ Tor relays.

I assume you started your Tor, it picked some guards, and now when you start your Tor again it makes some circuits for you, so they will be ready when you try to use them, and one of those circuits was to that guard.

So in short, "totally normal, and I encourage you to learn how Tor works".

I love how OpenSSL put the whole world in grave danger out of sheer incompetence and no one dared say anything to them.

Welcome to today's Internet.

I have the old version of TOR running. Can I drop in a 0.9 version of OpenSSL?

The old version? How old? It probably has other major security problems.

How do you update? This so-called update erases all existing settings and addons.

Yeah, it's not really an update so much as an updated version.

See e.g. for details.

Was Tor Browser for Mac OS X also vulnerable? I read that Mac OS X still used OpenSSL 0.98.

I think the TBB on OSX used a newer openssl, so we could take advantage of the better security from the new ciphers.

So, yes, TBB on OSX was also vulnerable.

Could not connect to news media and over
exit node bandito 1AAB39E97C7E4CFCA585265D17A03F8D3390D841

Other exit node right after that no problem.

Today does not work

Offtopic: Tor does not start on Windows 2000. Where can I get an older version of Tor?

Seriously, Windows 2000? Isn't that, like, unsupported for a long time now?

I think Tor should work there, but I think Firefox (and thus Tor Browser) won't.

If the Tor binary doesn't work, you should file tickets about what goes wrong, and help us fix it. Going to an older version is likely a poor idea -- check out the changelog of things we've fixed recently.

There's something wrong, Tor doesn't connect.

It looks like 'torrc' ini file is deprecated.

Where do settings such as limiting exit nodes by country, specifying bridges etc. go now?


the beta works fine so far

Awesome! Congrats :) Is this version going to keep my local settings when I update it to the next one (first time I'm using beta)? Thanks!

Not yet, alas.

The bug #9387 changes ("Disable JS JIT, type inference, asmjs, and ion.") seem to involve turning off everything which is intended to make JavaScript fast.
Has there been any systematic attempt to evaluate what effect this may have on performance?
Has there, for that matter, been any systematic attempt to evaluate what additional security benefit this brings, e.g. what proportion of past Firefox vulnerabilities would users have been protected against if each of these features were disabled?

While your suggestion of going thru past issues may sound systematic and smart, the low hanging fruit for bad guys is using already disclosed -- but unfixed -- vulnerabilities. So the past is somewhat irrelevant.

Regarding speed....well that's one of the benefits of having a beta to evaluate.

I entered about:config and typed "www" or ".com" or ".org" and then there are 50 built in urls that can potentially leak information. Why are they in there?

I remove most of them in about:config by either deleting or changing the URL. I suggest all Google links are removed as those bastards are monitoring everything on the net.

What do the "experimental Javascript hardening options" do exactly?


Thank you Mr Troll for wasting our time.

(Or alternatively, please file a ticket if you find an issue.)

Not bad, not bad. I see a lot of bitching and moaning ^ but also a lot of valid points which I won't point out to you again.

People moaning about speed - Learn how Tor works
People moaning about losing addons and bookmarks after updating - What do you expect?

Keep up the good work Tor. Much love.

I'm connecting thru VPN, when I first launch the TBB should I click "connect" or "configure"?

Tor is not working at all on Win 8.1 for me now . . . it worked fine before

This blog probably won't help you move forward with your problem. Try the help desk or the stackexchange forum.
