Tor Browser 3.6 is released

The Tor Browser Team is proud to announce the first stable release of the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

For users upgrading from Tor Browser 3.5.x, the 3.6 series features fully integrated Pluggable Transport support, including an improved Tor Launcher UI for configuring Pluggable Transport bridges. The Pluggable Transport code is also fully disabled for users who do not configure them. The 3.6 series also changes the MacOS archive format from zip to DMG, which should improve installation usability for Mac users.

This release also includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series. We also maintain a list of frequently encountered known issues in our bugtracker.

Here is the complete changelog since TBB 3.5.4:

  • All Platforms

    • Update Firefox to 24.5.0esr
    • Include Pluggable Transports by default:
      • Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.13 are now included
    • Bug 11586: Include license files for component software in Docs directory.
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update NoScript to
    • Update Tor Launcher to
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
      • Bug 10418: Provide UI configuration for Pluggable Transports
      • Bug 10604: Allow Tor status & error messages to be translated
      • Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
      • Bug 10610: Clarify wizard UI text describing obstacles/blocking
      • Bug 11074: Support Tails use case (XULRunner and optional customizations)
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
      • Bug 5018: Don't launch Pluggable Transport helpers if not in use
      • Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
      • Bug 11069: Detect and report Pluggable Transport bootstrap failures
      • Bug 11156: Prevent spurious warning about missing pluggable transports
  • Mac:

    • Bug 4261: Use DMG instead of ZIP for Mac packages
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows
  • Linux:

    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows

Here is the changelog since the 3.6-beta-2:

  • All Platforms
    • Update Firefox to 24.5.0esr
    • Update Tor Launcher to
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Update NoScript to
    • Update fte transport to 0.2.13
    • Backport Pending Tor Patches:
      • Bug 11156: Additional obfsproxy startup error message fixes
    • Bug 11586: Include license files for component software in Docs directory.
  • Windows and Mac:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows builds

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

why was not updated HTTPS Everywhere ?

HTTPS-Everywhere 3.5.x switched to using SQLite for storing rulesets, and the build process that generates this sqlite db is not yet reproducible/deterministic (See Bug 11630). We had to build+include the 3.4.5 version for TBB 3.6 builds to be reproducible.

We're trying to decide what to do about this, and should have some form of fix or stopgap by the next TBB release.

HTTPS-Everywhere will try to update automatically to latest version after Tor-Browser first run

Yes, default behavior of TBB is "Update add-ons automatically", so...
- HTTPS-Everywhere was updated from 3.4.5 to 3.5.1
- NoScript from to

Turkish bundle is not listed in

[warn] Controller gave us config lines that didn't validate: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

every time I try to connect through proxy it gives this... why?

Looks like a bug:

The workaround for now is the one suggested by mcs in

I get this type of error during configuration:

Unable to save Tor settings.

Unacceptable option value: You have configured more than one proxy type.

I have obfs2,3 standard, fte, and flashproxy in my custom bridges list.
While obfs3,2, standard work fine, I can't make fte & flashproxy bridges to work under "custom bridges" option. Why is this?

Where did you get the FTE bridges from? AFAIK, BridgeDB doesn't give out FTE bridges yet. Are you sure the FTE bridges work?

Do you get some kind of error when you try to add FTE bridges?

AND, yet again, "important security updates to Firefox".

Many of which fix bugs that allow arbitrary code execution, and therefore give away your real IP address, MAC address, and whatever else can be found on the computer.

Just like every other release so far. That Firefox change log is red all over.

You have had years with the TBB. During that time, Firefox, like every other browser, has had a continuous stream of critical vulnerabilities. Those have been exploited to unmask Tor users in very public incidents and presumably in many more non-public incidents.

You have never had a single secure release, ever.

You have never had a single release that couldn't be broken with ONE single exploit.

How long is it going to take you to realize that relying on the browser alone to prevent Web sites from finding the user's identity can never work?

Your whole approach is broken. You are putting your users at risk. The browser WILL be subverted. You are going to have to find a reliable way to hide the computer's identity from the browser. Preferably more than one layer. You can't trust ANYTHING to not have bugs.

No web browsers are free of security bugs. Should TOR stop shipping any web browser?

TAILS and Whonix also use Firefox, protected by read only media and firewalls. Is that what you want? Or should TAILS and Whonix not ship a web browser either?

Same person here.

I didn't say "don't ship Firefox". I said "don't rely on the browser alone" and "hide the computer's identity from the browser".

Whonix is an improvement. It's not perfect, but it's an improvement.

With the TBB, if you break out of the Web browser, you immediately get the user's real IP address, MAC address, etc. One zero-day and the user is owned. Tails is basically the same; it gives you additional protection against local attacks, but nothing much against attacks from the network.

On the other hand, if you break out of the Web browser in Whonix, you may get information about the user's anonymous activities, but it's anonymous information about anonymous activities.

Unless the user has actively (and unwisely and against advice) put identity information inside the Whonix "workstation" VM, you get nothing identifiable until you ALSO break out of the "workstation" VM or compromise the "gateway" VM. You have to be able to break either VirtualBox, Tor, or the kernel on the Whonix "gateway" VM. And even that attack surface can be reduced with hardware isolation.

It takes TWO bugs in TWO different pieces of software to find the user's identity in Whonix, versus ONE bug in TBB or Tails. That is a radical improvement. Qubes with a Tor-based network VM is similar to Whonix.

It's true that really tough opponents may have libraries of zero-days in both browsers and kernels/Tor, but a lot more opponents are going to have just a zero-day in Firefox.

Whonix is at least giving security a real try. I can't say that for the TBB or TAILS. As far as I can tell, they're emphasizing ease of use, and just turning off their brains to avoid thinking about how easy they are to break. That excessive emphasis on ease of use just encourages people who don't understand the risks to expose themselves.

There are other things you could do to lock things down, too, mostly involving confining the browser more, so it's harder to use it to attack VMs or whatever. Tails could do them. I don't think the TBB is architecturally able to do them, because you're going to need kernel support.

Yes, I'd love to have more people looking into Whonix, WiNoN, etc. Seems like one nice way forward would be for Tails to put more things into VMs if you have hardware virtualization support (and not do it if you don't). Another option to explore is how to do this from within Windows, for those who feel they need to stick to it, though of course having yours Windows OS underneath everything, with all your spyware/etc already installed, is not a great situation.

The Tor Browser team is all full up trying to keep the serious privacy issues under control in Firefox. We need help from others to try to make these other pieces usable for normal people. Please help!

Meanwhile, it seems like usually no more than several days pass between the time that Firefox ESR releases a new version with one or more critical security fixes and the time that a new TBB based on this is released.

This does NOT, however, appear to be the case for Tails, with its 6-week release cycle.

I realize it is not realistic or even fair to expect Tails to come out with new releases any more often than this (and even every six weeks seems rather impressive). But how secure is using Tails more than a few days after one or more critical vulns in its Firefox/Iceweasel version (or any of the other software Tails runs) have been reported?

Perhaps the Tails folks should include a warning along these lines, urging people to continually follow the security disclosures and make risk-benefit decisions accordingly.

What about working on a TBB based on a text-only browser and encouraging/educating people (those at high risk, at least) to recondition themselves into making-do with text-only?

Wouldn't a text-only browser eliminate MANY of the threats that every full-fledged browser is rife with?

In the meantime, by the time a given Tails release is, say a week or two old, perhaps the option of using TBB within an ordinary just-released or updated live system should be considered as a potentially safer alternative. (Depending, of course, upon specific usage case and threat model.)

Yes, just like there has never been a completely secure operating system. By adding additional layers, you're just increasing the attack surface; you're just increasing the number of possible vulnerabilities to exploit.

You are never going to get 100% safety using Tor; even Whonix (an isolating proxy) can't insure for certain your IP isn't leaked. An bugs in the VM could de-anonymize you. But if you're looking to be completely safe, the only way to do that is not to use a computer at all.

I've been downloading TBB releases for a while now, and this is the first time I've gotten this message on my Mac:

“” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.

Are you guys aware of this issue?

Right click and press opein

But why is this happening now? I've never received this message on previous releases. What has changed?

Because it now ships in a .DMG

Proxy setting don't work for TBB 3.6 on Linux (32 bit - haven't tried on the 64 bit machine.)

If I try to configure the proxy setting at startup I get this error:

Unacceptable option value: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

I'm back to using the last version which works flawlessly.

Yes, see

The version you went back to, which "works flawlessly", has an old version of Firefox in it and is thus bad news.

How come change zip to DMG? I don't like mounting disk image.

Can't please all the people all the time, I guess.

There were many users clamoring for DMGs and uncertain what to do with zips, before. Many of the Apple users I've talked to are happy we've finally moved to DMGs, since they're "the standard" and "what everybody expects".

As a Mac user, it's cool and all you did that, but it's hardly an important feature. If there are Mac users out there who don't know how extract a zip, perhaps they have no business using Tor or even computers at all.

It's more simpler using zips than DMG. DMG you have to double click, wait, then drag the application to wherever you want, then eject DMG. ZIP just double click then drag wherever you want, its easier.

The target audience of Tor isn't restricted to those who are computer wizards. It aims to serve those who aren't as well; everyone uses a computer these days no matter their skill level, and not all of them want governments and/or corporations finding out their activities online.

Who made you God and think only some people should use a browser or use a computer, How else would they learn if they cant log on.

What does "Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion. " do in ELI5?

First read:

It turns out that a) some parts of Firefox's JavaScript engine are responsible for a lot of its JavaScript security vulnerabilities, and b) you can disable those parts without actually disabling JavaScript. It makes things slower (because Firefox uses slower but more secure versions to do everything instead), but it doesn't actually disable the functionality.

So we've turned those parts off, and we'll see what users think.

That's why TBB 3.6 is so sloooooooower compared to TBB 3.5.4?

Tested on not-so-new hardware (Pentium IV @ 2.4 GHz), with this ugly results:

Your SPEED-BATTLE result*:

TBB 3.6
Calculate / Store / Render / OVERALL SCORE
3.01 / 1.88 / 6.92 / 11.81

TBB 3.5.4
Calculate / Store / Render / OVERALL SCORE
30.57 / 309.13 / 6.02 / 345.72

(Similar results for TBB 3.6 on Dual Core 2.00 GHz)

TBB 3.6 is unusable for me! :-(

Well, that test is explicitly measuring JavaScript speed. Therefore, it is no surprise that 3.6 is not as good as 3.5.4 in this regard. That said whether that matters and is responsible for the slowness you describe is hard to tell. We tested these settings quite a bit and did not recognize a slowdown during day-to-day browsing. What sites do you have issues with?

Hi, I can't access using Tor Browser.

I tried several times, it says Untrusted Connection and there is only one option, "Get me out of here!" and the Technical Details. Nothing else. I can't continue to website. Is this normal?

(Details: uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided.)

Thanks for the new release. Two questions about your distribution process: 1. do you provide the sources to your changes to Firefox and your launcher, and 2. could you provide a Windows version that can be extracted without user interaction, either as command line parameters to the installer or as an alternative ZIP distribution?


For the patches, it looks like we moved from "have a directory with diffs in it" to "have a git repo that you can see the commits on". Here it is:

2) Several people have asked for this. The best way to make it happen is to open a trac ticket and write a patch. (Thanks in advance! :)

Unfortunately I received this error after download

"Could not load XPCOM"

Using Windows 7 64 Bit


Ask Google about your phrase. The problem is with "webroot" (your antivirus program) and how it can't handle newer browsers well.

I did all the things people suggested with this problem and it still doesn't seem to fix anything whatsoever... I don't get why this is such a huge problem... I disable my webroot like it suggested with everything closed down and try using the new browser and still get the same message... then turn my web root back on and scan and have adware... Lol lovely... would love to here a solution to this that's guaranteed to work and doesn't involve putting my computer at risk with no antivirus

I can't to any pages since this new release on my Mac however my Torbutton is green

Hi What exactly is "Tor Launcher" ?

It's the new (new as of TBB 3.x) Firefox extension that Tor Browser uses to launch and configure Tor. If it helps, you can think of it like a replacement for Vidalia.

Does the Torproject have .onion site(s) ?

Thanks for another great release.


Can't remember the answer to this, but why isn't TBB also distributed via default (i.e. non aptitude repositories for ubuntu/debian?

TBB needs a debian/ubuntu maintainer for it to be in apt repositories.

I have no real need for anonymity. I haven't downloaded Tor to hide spurious web browsing or for financial or business protection. My last browser became buggy. I looked over the various browsers on offer & found Tor. I don't do social networking, and although I have nothing to hide I resent the ever present Gestapo feel of information mining today.
I am not technically aware. I can't be certain that Tor is more secure than a plasticine padlock, but the thought that it just might be a thorn in the side of Big Brother is good enough reason for me.

Half off-topic but ! : says
"...Import TorBrowser profile. This was forgotten in Tails 0.23 and even though..." .

Now says
"Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion. ".

In Tails1.0 JS JIT, type inference, asmjs, and ion is ENABLED.

And TLS is 1.0 maximum(default).


Tails left out the patch about disabling js jit and so on for the 1.0 release, to see if it worked out well in TBB first. Expect it in the next Tails release.

Upgrading on OS X 10.6.8 from 2.3.25-14 (which works fine, not an option to go back obviously); connecting to Tor network claims to be successful but browsing all connections time out. Tried obvious settings things, not figuring it out here.

I am also having the same problem. I even tried using older versions of tor but it still not working, I keep getting connections time out

Hi i downloaded the update for my Tor browser but wen i try to open it, i get this msg " This app can't run on your pc, please check with the software publisher for a compatible version" I'm using windows 8.1 on my Toshiba Dynabook.
Can you advise please....

Great question. Short answer, no idea, and this blog isn't a good place for questions like that one. You might try IRC, or the helpdesk, or the mailing lists, or the stackexchange forum.

Stack Exchange sucks, your question gets modified there.

And the blog sucks, because your question gets ignored and/or nobody sees it. Maybe you should write your question better? :)


Screen size

I can understand that you are busy but I am disappointed that I have not yet had a reply to my post of the 16th of last month.

As I reported, I tried to comply with your: “Could you test the latest .xpi attached there and report back whether it fixed your issue?” but I got the results that I reported in the said post.

I accept that I may not have done things correctly but, quite frankly, I don’t know how to “test the latest xpi”. I would like to do so but, as I suspect would be the case with many people who use Tor, without instructions, I don’t know how to.

As one other user also reported that he cannot get a ‘rounded’ screen-size, it seems that I am not alone.

Without your help I will not be able to solve the problem I have and, indirectly, help the Tor developers to decide if there is a bug in the programme.

Thank you

I am sorry about this. But these blog comments are probably the worst way to keep in contact. I'd suggest using Trac as I get notified when a bug gets updated. That said reading your old comment I think you did everything correctly. Sad that it did not work. I might find some time until the next release comes out to implement a better stopgap. A proper solution is not possible without patching Firefox.

i cant save proxy setting in new version

Where are the public keys downloads for Tor 0.2.41 and Tor

Since the public keys are necessary for installation to verify the signing, why is their location a state secret?

The installation instructions for Linux for Tor- on the Tor wiki doesn't even mention the words public key or verify.

There should multiple servers to download the public key files.

And no, I don't trust key servers in the wild.

At least the fingerprints can be found from (and any mirrors thereof). If you trust them to be correct, a key that has a matching fingerprint should be correct, no matter where it was downloaded from.

Yep. See also the last two paragraphs of

Pluggable transports don't start, Vidalia log reports warning "Failed to create child process Tor/Pluggable Transports/obfsproxy". I know it's because of firewall, but you understand that advice "Turn off firewall at all" can't be a decision. Tell about the detailes of launch: which process is parent for obfsproxy, if only obfsproxy needs allowing policies, should I provide to obfsproxy the access to defined registry keys, libraries, etc.
It would be nice if you tested the bundles with most popular security software on different systems and published resulting rulesets.

I agree with you about that last sentence in particular, except we don't have a big testing lab for that. Please help!

Tor is suck
Update process difficult not without problems

after update can't connection :(
"Unacceptable option value: You have configured more than one proxy
type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

TBB 3.6.1 (see later blog post) should fix this one. Sorry about the mess!

Unacceptable option value: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

[Bug Report]

It would seem that GeoIP in TBB 3.6 is mis-configured to be located in the sytem folder (windows 7).

"[WARN] Failed to open GEOIP file C:\Users\USERNAME\AppData\Roaming\tor\geoip6. We've been configured to use (or avoid) nodes in certain countries, and we need GEOIP information to figure out which ones they are."

The following torrc setting is ignored:

GeoIPFile C:\Users\USERNAME\Desktop\Tor Browser\Data\Tor\geoip


See: The reason for this warning is not an issue with the geoip file but the missing geoip6 file which is needed for this feature (as the warning says).

after downloaded Tor B.B. everything looks good,but i can´t open the sites i would like too...i dont know what to do,i am really not good with computers!!! It was easy to download the "old" Tor browser...

Hi, apparently there's already a version 3.6.1 today. No changelog for it? Also, how come my torbutton didn't have that blinking warning thingy that used to alert me when there is a new version available? TIA

You can look at for the list of versions that are still considered safe to run.

The TBB 3.6.1 update (and there is a changelog -- see e.g. the new blog post) fixes some bugs in usability (for example, you couldn't set a proxy easily), but those aren't security issues so we don't want to force everybody to upgrade.

My Tor version has been also updated to 3.6 and get the same error.
Unacceptable option value: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)
To solve this issue, I download the latest version from the web site and 3.6.1 from
and the issue has been solved. :)


Downloaded the new release but Vidalia is not part of it. No Vidalia control panel, nothing. Tor starts but what happened to Vidalia. Is this a fake Tor?

Where have you been for the past year?

Hi guys, just now I tried to log in to Gmail, then the yellow "untrusted connection" page appears on Firefox. So please post feedback on google community forums everywhere to complain.

Why are normal users not allowed to use tor to log in?

Well, it's possible somebody actually was man-in-the-middle-ing your connection to gmail -- that could have been at the Tor exit relay, or at Google, or anywhere in between. I recommend not logging in if this happens. :)

Hi, I'd like to report 2 things
1) About Tor Browser Bundle v3.6.1
When I go to: TorBrowser --> Help --> About TorBrowser and click on "Tor Project", instead of taking me to the home page ot the Tor Project ( it opens the mozilla's home page (
A similar thing happens when I click on: TorBrowser --> Help, it takes me to intead of a similar Tor's destination

2) About Tor's website
At in "Our Projects" section where it says "Tails", there is still the old icon of Tails (sorry for reporting this here, I just didn't know where else to post it)

"At in "Our Projects" section where it says "Tails", there is still the old icon of Tails"

Not to suggest that pointing this out is not legit, but I would be far more concerned about either of the following two points-- both apparent contradictions-- (and both at least tangentially on-topic here):

1.) The apparent contradiction that Tails is listed under the "Our Projects" heading of the official web site of the Tor Project, while the Tails devs insist that they are a completely separate entity from and not affiliated with the Tor Project. (At least that's what "Tails" would say in the former forum at

2.) The discrepancy that persists to this day between TBB and Tails with regard to the AdBlock Plus add-on.

Tails includes it in the browser, TBB does not. This, when the overall general trend, from what I can see, has been to MINIMIZE the differences between TBB and the browser within Tails as much as possible.

This would appear to only make sense, wouldn't it? Tor users are already such a small minority of the total number of Internet users that the last thing we should want to do is to divide ourselves into even smaller, more easily fingerprintable sub-groups. And yet, this is exactly the effect of having Tails users browse with ABP while TBB users browse without ABP.

As has been pointed-out before (many times, in fact), there are valid reasons for including an ad-blocker. There are valid reasons for NOT including an ad-blocker. And there may even be valid reasons/arguments -- /in and of themselves/-- for Tails to do one way in this regard and TBB to do the other. But whatever such arguments may be, are they not clearly outweighed by the arguments for uniformity?

Thanks for about this theme, I'm gratest speed for that things, thanks from Chile.


Thanks another time, one most popular O.S from Tails.

Great creation, I always used this.

I am rather new to all of this, I just found out a deep web existed today. I'm not looking to conduct any criminal ways, only to explore for my own curiosity. Would you recommend that I get this browser? And if so what would I do to set it up properly so that any site i access is anonymous? Thank you

I have tor 3.6.1 on mac 10.9.3, i updated 2 days ago and i keep getting connection timed out when i try to access any websites. I also tried older version of tor, 3.5.4 and still no luck.

any help will be appreciated

Running Mac OS X version 10.7.5

Downloaded TOR, installed it, opened it.

Cannot connect to the internet; I get a time-out message after a while.

Previous versions of TOR worked fine on my machine.

Any suggestions?

For all the unhappy osx users out there, apparently the issue is that your Sophos antivirus software quietly updated itself in place, and the new one accidentally considers Tor Browser to be scary.

Syndicate content Syndicate content