Tor Browser 3.6.3 is released

The third pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.7.0esr
    • Update obfsproxy to 0.2.12
    • Update FTE to 0.2.17
    • Update NoScript to 2.6.8.33
    • Update HTTPS Everywhere to 3.5.3
    • Bug 12673: Update FTE bridges
    • Update Torbutton to 1.6.11.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
  • Linux:
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.


good

Thanks Mike!

The beta and alpha versions have security features; when can we see them? Because unfortunately Tor 3.6.3 is only updated, not new features.

What security features are you talking about? New (security) features are usually tested on alpha/beta versions but are landing eventually in the stable versions, too.

I hope obfsproxy4 (or whatever it's called) will be ready before Russia cracks down on Tor by the end of this year :(

I hope they will not succeed: http://rt.com/news/175408-russia-internet-tor-service/

Unfortunately we have been waiting for a long time. Also they should disable obfs2 and 3 once releasing 4. Tor is strong but has weak points.

It's obfs4proxy, though in hindsight I should have picked a better name.

Unless their crackdown is reasonably sophisticated obfs3 should work (and ScrambleSuit/obfs4 will work, assuming unblocked bridges), so there's plenty of options in that area already. Furthermore, unless something unforeseen happens, I expect obfs4 should approach being usable from test bundles sometime next month.

obfs4 progress can be tracked at:
https://trac.torproject.org/projects/tor/ticket/12130

When will TBB be updated to Firefox 31 esr?

There is no 31 ESR. The ESR has number 24.7, but Firefox has version number 31.

Actually there is Firefox 31 ESR but Firefox 24 ESR is going to be supported until 25th November.

The new ESR is 31 - 24.7 will be the last update to the 24.x ESR. And I guess TBB will shift to 31ESR no later than when support for 24.7ESR runs out, but I can't remember the date.

Sorry, 24.x ESR will have one more release (24.8), before being dropped for the 31.x ESR series:
https://www.mozilla.org/en-US/firefox/organizations/faq/

I'm desperately trying to lay my hands on the previous release (3.5.4 I believe). 3.6.3 simply does not connect. Where can I get the previous release from?

https://archive.torproject.org/tor-package-archive/

But really, if 3.6.3 doesn't work for you, you should report a bug and help us fix it. The old Tor Browser Bundles ship with obsolete insecure versions of Firefox.

I have the same issue. The updates on two different computers downloaded through tor will not connect. I downloaded the update without tor and it connects fine. I don't know if that should worry me. Sorry, don't see where to submit bugs, I'll keep looking.

https://bugs.torproject.org/

But that said, "my TBB doesn't work, help" is not a bug report -- it's better suited for the helpdesk:
https://www.torproject.org/about/contact#support

The bug tracker is best for things where you actually have a concrete thing that's broken and we should fix.

Thanks!

Hello, I wasn't able to connect either, but after running TBB in the terminal, I found this message: "Our clock is 2 hours, 42 minutes behind the time published in the consensus network status document (2014-08-08 08:00:00 UTC). Tor needs an accurate clock to work correctly. Please check your time and date settings!" Then I adjusted the clock and it worked fine. I'm not an advanced user (migrated to Linux recently), but maybe this info will help you.

(I think it would be better if this information were presented to the user in the GUI too)
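The clock-skew warning quoted in the comment above can be picked out of a Tor log mechanically. This is an added example, not part of the original thread or of Tor's code; the sample log lines are constructed around the quoted message, and the "ahead of" wording is an assumed variant.

```python
import re
from datetime import datetime, timezone

# Wording taken from the warning quoted in the comment above.
# The "ahead of" direction is an assumption about the opposite case.
SKEW_RE = re.compile(
    r"Our clock is (?P<amount>.+?) (?P<direction>behind|ahead of) the time "
    r"published in the consensus network status document "
    r"\((?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\)"
)
UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_clock_skew(line):
    """Return the skew in seconds (negative = local clock behind) or None."""
    match = SKEW_RE.search(line)
    if match is None:
        return None
    parts = re.findall(r"(\d+) (day|hour|minute|second)s?\b", match["amount"])
    if not parts:
        return None
    seconds = sum(int(count) * UNIT_SECONDS[unit] for count, unit in parts)
    if match["direction"] == "behind":
        seconds = -seconds
    consensus = datetime.strptime(match["stamp"], "%Y-%m-%d %H:%M:%S")
    return {"seconds": seconds,
            "consensus_time": consensus.replace(tzinfo=timezone.utc)}


def clock_skew_findings(lines):
    """Collect every clock-skew warning found in an iterable of log lines."""
    findings = []
    for line in lines:
        parsed = parse_clock_skew(line)
        if parsed is not None:
            findings.append(parsed)
    return findings


def describe(finding):
    """One-line summary a GUI or helpdesk script could show to the user."""
    total = abs(finding["seconds"])
    hours, minutes = total // 3600, (total % 3600) // 60
    side = "behind" if finding["seconds"] < 0 else "ahead of"
    stamp = finding["consensus_time"].strftime("%Y-%m-%d %H:%M")
    return f"system clock is {hours}h {minutes:02d}m {side} the consensus ({stamp} UTC)"


# Constructed sample log; only the first [warn] text comes from the comment.
SAMPLE_LOG = [
    "Aug 08 05:17:52.000 [notice] Bootstrapped 5%: Connecting to directory server.",
    "Aug 08 05:18:00.000 [warn] Our clock is 2 hours, 42 minutes behind the time "
    "published in the consensus network status document (2014-08-08 08:00:00 UTC). "
    "Tor needs an accurate clock to work correctly. "
    "Please check your time and date settings!",
    "Aug 11 09:00:00.000 [warn] Our clock is 3 days, 1 hour ahead of the time "
    "published in the consensus network status document (2014-08-08 08:00:00 UTC).",
]

if __name__ == "__main__":
    for finding in clock_skew_findings(SAMPLE_LOG):
        print(describe(finding))
```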

Last version Tor Browser 3.6.2 always crack my SUSE Linux for playing youtube in html5 mode

Huh?

I am not the person you wrote to.
On my openSUSE 13.1, TBB doesn't work anymore. Tails works on this computer and the last version worked too. If I click on connect then TBB sometimes starts sending and receiving data but stops at some point. Sometimes it doesn't even start to send or receive anything. I have deactivated the firewall.

Hi, my problem is solved; see the first comment on 8.8.14 with UTC.

Can I check the Block reported attack sites and Block reported web forgeries options in Firefox/TBB: Menu Option - Security?

We still need to audit the SafeBrowsing feature, see: https://bugs.torproject.org/8557 for the issues we currently can think about. So, if you enable it keep the possible risks in mind.

given that Russia is now trying to bribe people to find tor users and grass them up, what features are gonna be incorporated to prevent this (or make it extremely difficult) and when will that be?

When starting new version in Win XP pro3 the window is only about 70 percent wide. Any way I can get it to start 'maximised' ?

Not until we solve the problems we have with maximized windows: https://bugs.torproject.org/7255
https://bugs.torproject.org/7256

Very good browser... I use it constantly.

Just wanted to say great work on "catching up" to Mozilla's ESR release cycle!

Hello,

I've got a problem with cookie management in recent versions of TorBrowser. Can anyone help me please??

The problem can be reproduced with these steps:

1.: Download and start-up a fresh instance of TorBrowserBundle.

2.: Go to "Edit" → "Preferences" → "Privacy", and uncheck "Accept cookies from sites".

3.: Go to "Edit" → "Preferences" → "Privacy" → "Exceptions" and add an exception for a website where you can log in.

4.: Open a new tab and navigate to that website that you've added in step 3, and log in.

5.: While you're still logged in, go to "Edit" → "Preferences" → "Privacy" → "Exceptions", and click "Remove All Sites". This will remove the exception that you've added in step 3.

6.: While you're still logged in, go to "Edit" → "Preferences" → "Privacy" → "Show Cookies", and click "Remove All Cookies". Notice the number of cookies that are actually displayed.

7.: Refresh the tab from step 4. You are logged out now.

8.: Go to "Edit" → "Preferences" → "Privacy" → "Exceptions" and add an exception for the same website as in step 3.

9.: Refresh the tab from step 4. Notice whether you're logged in or logged out.

EXPECTED BEHAVIOUR:

In step 6: At least one cookie is displayed.

In step 9: You are logged out.

ACTUAL BEHAVIOUR:

In step 6: Zero cookies are displayed.

In step 9: You are logged in.

If this is a bug, then please fix this as soon as possible.
If this isn't a bug, then please explain to the world how reasonable software can behave this way.

Thanks!

I have not verified this behavior in TBB, but I'm pretty sure it's an upstream issue with Firefox, which doesn't display cookies properly in that part of the UI and hasn't for a while. Given Mozilla's recent marketing push around "fighting surveillance," this feature breaking over several Firefox releases--along with the Firefox 31.0 privacy degradations around similar features--make one question whether there's a disconnect between what Firefox wants to be seen as and how it actually functions.

In either case, I would encourage you to file a bug report upstream with Firefox's bugzilla, unless I'm wrong about this not being an upstream issue.

See also https://trac.torproject.org/projects/tor/ticket/10353

It does indeed appear to be a Firefox bug.

This is the first time I've used bugzilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=1046771

Hoping they fix it...

Just wanted to say GOOD ON YOU for filing this bug report!

In the process you've brought additional attention to an important policy question: is Mozilla for real when it comes to making sure Firefox privacy/security features actually work as described, or is it rolling over in every way possible that's not obvious to the user in order to help preserve the tracking capabilities of Google, its major funder?

Thanks for this because it's good to know that I'm not the only one annoyed by that.

Unfortunately I just realised that this bug has now been open for more than 1½ years, and it seemingly didn't make much progress in that time.

So, I'm afraid that Tor project can't count on Mozilla devs when it comes to resolving privacy issues.
@Tor devs
Can you estimate whether it would be feasible to fix this in Tor Browser if upstream continues to ignore/delay this issue?

Because, as things are right now, there's no possibility to do cookie management in Tor Browser. :-(

Tor Browser 3.6.3 can be opened only one time. When it is closed you cannot open it again.

Well, that's not true for the rest of the people here. Perhaps you should contact the help desk and see if they can help you figure out what you're doing wrong? And ideally you can generate a bug report so we can help future people in your situation.
https://www.torproject.org/about/contact
[Edit: actually, it *does* appear true for more people here. Please help debug!]

Can you try Mike's new Tor Browser 4.0 alpha builds? Maybe they fix the issue for you?

https://people.torproject.org/~mikeperry/builds/4.0-alpha-1/

When I search for stuff and pop into a search to check it out, by the time I've checked a 3rd search I'm cut off with a response that I'm an automated computer and I have to do a captcha to continue on start page; on others it just flat out denies me usage. Now, I'm not looking up anything illegal, immoral or bad. The last search I used was banned YouTube vids for games and stupid look-at-me vids, people doing dumbass stuff and posting it and getting banned because it's too dangerous. It kept kicking me off, which means no longer are we able to surf anonymously if someone or something is watching our searches, and I did like 3 in 7 mins, so I wasn't flipping through it like no machine, unless it's one from the 1970s. What's the deal with this? Sorry for the lack of punctuation.

There is at least one area where Firefox ESR desperately needs to catch-up with its more fast-moving sister (regular Firefox): The ability to highlight and copy text from the "Certificate viewer". (And this functionality is especially important for Tor Browser) (And this functionality was long overdue when it came to regular Firefox. Chrome had already had it for some time.)

Without this, the only way to verify the hashes for SSL/TLS certificates is manual visual examination, carefully and tediously matching each digit of a displayed hash.

We are starting the transition to Firefox ESR 31 now. So, this feature will be available in Tor Browser soon, too.

Great to hear, thanks.

@gk / arma:

Any timeframe for ESR 31 as of yet?

Have a look at https://www.mozilla.org/en-US/firefox/organizations/faq/ section "What does the Mozilla Firefox ESR life cycle look like?" We switch to ESR 31 when no update for ESR 24 is available anymore.

Ever since I started using the latest version of TBB which is 3.6.3, I have the following error message appearing in the log very frequently:

[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]

What caused it?

How do I fix it?

Thanks in advance for your help.

Sounds like some destination (e.g. website) you're trying to access sent you to an address like 127.0.0.1. When Tor Browser asks Tor to go there, Tor decides you're better off failing to reach it and gives you this log message instead.

I get that message quite often when I connect pidgin to my Tor, since some component in Pidgin (maybe one of AIM's servers?) is trying to connect to a service whose name resolves to localhost.

The message (and behavior) is harmless. If your web browsing is working as you expect, don't worry about it. The log message is there as a hint for people who are unhappy that "Tor isn't working" and want to learn why.
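To make the explanation above concrete, here is a simplified model of a SOCKS5 front end that refuses literal private destinations and emits the warning from the question. It is an added example, not Tor's code; the function names and the sample requests are constructed for illustration, and port 5190 is only a stand-in for an IM client's connection.

```python
import ipaddress
import struct

# Log text as quoted in the question above; Tor scrubs the address by default.
WARNING = ("[warn] Rejecting SOCKS request for anonymous connection "
           "to private address [scrubbed]")


def parse_socks5_request(req: bytes):
    """Parse a SOCKS5 request (RFC 1928, section 4) into (host, port)."""
    if len(req) < 5 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    atyp, body = req[3], req[4:]
    if atyp == 0x01:                      # IPv4 literal
        raw, rest = body[:4], body[4:]
        if len(raw) != 4:
            raise ValueError("truncated IPv4 address")
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == 0x04:                    # IPv6 literal
        raw, rest = body[:16], body[16:]
        if len(raw) != 16:
            raise ValueError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(raw))
    elif atyp == 0x03:                    # length-prefixed hostname
        length = body[0]
        raw, rest = body[1:1 + length], body[1 + length:]
        if len(raw) != length:
            raise ValueError("truncated hostname")
        host = raw.decode("ascii")
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return host, struct.unpack("!H", rest)[0]


def is_internal_literal(host: str) -> bool:
    """True if host is an IP literal that only makes sense on the local side."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a hostname; not resolved locally here
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:                # ::ffff:a.b.c.d hides an IPv4 address
        ip = mapped
    return (ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified)


def decide(req: bytes):
    """Return ("reject", log_line) or ("allow", "host:port") for one request."""
    host, port = parse_socks5_request(req)
    if is_internal_literal(host):
        return "reject", WARNING
    return "allow", f"{host}:{port}"


# Constructed sample requests (VER=5, CMD=CONNECT, RSV=0, ATYP, address, port).
REQ_LOOPBACK = b"\x05\x01\x00\x01" + bytes([127, 0, 0, 1]) + struct.pack("!H", 5190)
REQ_LAN = b"\x05\x01\x00\x01" + bytes([192, 168, 1, 10]) + struct.pack("!H", 80)
REQ_MAPPED = (b"\x05\x01\x00\x04"
              + ipaddress.IPv6Address("::ffff:10.0.0.5").packed
              + struct.pack("!H", 8080))
REQ_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 443)

if __name__ == "__main__":
    for name, req in [("loopback", REQ_LOOPBACK), ("lan", REQ_LAN),
                      ("mapped", REQ_MAPPED), ("domain", REQ_DOMAIN)]:
        print(name, decide(req))
```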

Does 3.6.3 go any way towards defeating the threat of deanonymisation which was the subject of the talk pulled from the BlackHat conference?

If not, has any progress been made to counter the threat?

Thanks

3.6.3 is an update to other components, like the browser. The Tor version remains the same.

Sit tight, there's another update coming. But that said, the next update won't be urgent, since the underlying issue isn't one where we need to put out a patch to the code. More details soon!

Arma,

Thanks for the quick reply. However, I am a bit confused. The announcement surrounding the cancelled Black Hat conference was that TOR users could be unmasked (easily and) cheaply.

Since the whole basis of TOR is to keep users from being unmasked, why is a solution not urgent?

I know you are busy but I am sure that all users of TOR would be interested in and grateful for a full response.

Thank you.

Love you guys! You are making the Internet a better more free place. Everybody run Relays and Bridges and save the Internet from the Threat called NSA!

Hi,
Is it possible for Tor to add the User Agent Switcher add-on to the default add-ons currently available in the Tor Browser Bundle?

I think it's a good add-on for preventing browser fingerprinting, and if it were available in Tor by default, it would save the time needed to install it.

Link of uas add-ons:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Thanks.

Consider checking to see if anyone has proposed this previously at trac.torproject.org and submitting a ticket if they haven't.

While I could see how this might be useful, having a bunch of users with potentially different user agents makes them much easier to track. Part of the beauty of TBB's current UA setup is that everyone sharing the same user agent makes each person harder for adversaries to fingerprint based on their user agent.

No, this is probably a bad idea. Your best bet is to stick with the same user agent all the other Tor Browser people have. If you switch yours, and nobody else does, that's basically a way to track you over time.

(If you have in mind to prevent browser fingerprinting, you're going to have to do a heck of a lot more than just changing your user agent.)

Arma, you are exactly right,

I don't know that Tor uses the same user agent string for all. I think it's different for each operating system that is available on the download page.

Thank you kindly.

Ah -- right, Tor Browser's user agent is the same across all platforms.

https://www.torproject.org/projects/torbrowser/design/

See also GCHQ's MULLENIZE https://s3.amazonaws.com/s3.documentcloud.org/documents/801762/mullenize-28redacted-29.pdf

Is there any news on when TBB releases can be made available via standard debian update channels?

There have been so many awesome improvements to TBB's release cycle, but bringing "conventional" update channels up to speed would be awesome, too.

If there's a way volunteers could help make this happen, please let us know.

You might like (or hate)
https://trac.torproject.org/projects/tor/ticket/3994

Micah also wrote 'Tor browser launcher' as a deb:
https://packages.debian.org/source/sid/torbrowser-launcher
but it's still kind of klunky compared to what you should want.

The fundamental issue is that Debian has a policy against overlapping code in different debs, and Tor Browser and Iceweasel overlap (but aren't the same).

So all the approaches you'll find are hacks around that issue.

Micah's project is cool and useful, but I still wish all debian users--by default--could sudo apt-get install tbb from main, or even have tbb replace iceweasel! This is what people have been saying about upstreaming tbb's patches into firefox for a while, but in a community where it seems more likely to happen. :-)

And I may be seriously overestimating the laziness of sysadmins, but I could even picture sudo apt-get install tor-relay-exit and sudo apt-get install tor-relay-non-exit with sane defaults helping to lower the barrier to entry for folks who should be running tor relays but currently don't. I can say from experience that the ease of sudo apt-get install tor-arm is one of the reasons I use arm as a relay monitor instead of synthesizing a bunch of other log/config information on my own.

And no offense intended, but working out a way to upstream TBB debs might even make TBB downloads a tiny, teensy bit more resistant to certain forms of traffic analysis (which we know NSA and probably others are already doing) while reducing your hosting bills. But again, personal biases are probably leading me to overestimate the popularity of the x86/amd64 builds of tbb.

Figuring out a way to comply with the (ultimately sensible) debian policy on overlapping code is something I'm planning to set aside some time to think through more in the near future. Reading that ticket makes me wonder if an automated (and since you guys are awesome, reproducible and verifiable) build might be worth trying to cobble together as a slightly different strategy.

Thanks for posting a link to the ticket!

Hi,
I have problems getting version 3.6.3 connected! It just connected one single time and after that, it couldn't complete the connection process properly! Restarting the computer also doesn't help after 5-6 times! I am using the older version (3.6.2) right now.
Could you please tell me how it is possible for this to happen?
Thanks a lot

Please contact the helpdesk and help them debug it. Thanks!
https://www.torproject.org/about/contact#support

I can't believe it! My 3.6.2 version was working fine! I installed the 3.6.3 version. It didn't work. I returned to the older version. It worked fine last night. Today, however many times I tried, it didn't connect at all, neither 3.6.2 nor 3.6.3 :|

As others here have noted, I also have this problem with 3.6.3, so I went back to 3.6.2.

I downloaded 3.6.3 yesterday and it worked (for one or more times.) Today, after turning on the machine, the browser window doesn't show (but TaskManager shows that tor.exe and firefox.exe are running).

BTW, I'm using Windows.

-- Thanks

Happened to me too. Going back to 3.6.2 is not a good idea because there are several security fixes for Firefox for 3.6.3.

I fixed the issue by deleting the *.lock files under the Data folder for both browser and tor.

It's also possible that you all were experiencing the recurrence of bug 11200:
https://bugs.torproject.org/11200
We've put a patch for that into the upcoming Tor Browser 3.6.4 -- when that comes out, give it a try! (In the meantime, a workaround is to delete your Tor Browser directory and unpack a fresh one.)

I see that you say:
“Bug 9268: Fix some window resizing corner cases with DPI and taskbar size”
I have the same problem as the other contributor who reported some time ago that s/he couldn’t get a screen size reading of 100s x 100s when using both Panopticlick and ip-check.info. Like him/her I get exactly the same screen size measurement, e.g. 1342 x 768, when using both of them.
This version of Tor does not help in this respect. Have you any suggestions as to how I can get a screen size of 100s x 100s, since it appears that most of your users are able to.

I am using Windows 7.

Thank you.

Not without seeing a debug log. Could you open a ticket at trac.torproject.org (you don't need to create a new account; you can use the cypherpunks one) and attach the output of the browser console (Ctrl + Shift + J) after you set the Torbutton log level to "0" (via the "extensions.torbutton.loglevel" preference you can manipulate after loading about:config in your Tor Browser)? Thanks and if you have further questions don't hesitate to ask.

IT DOESN'T WORK! IT SAYS CONNECTION TIMED OUT WHENEVER IT'S TRYING TO REQUEST RELAY INFORMATION ...HEELPP,,,
PS.I updated my tor today

yes. me as well :(

I am on a "Windows 7 Ultimate" laptop.
I have been using Tor without any problems for the past few years.
Yesterday, I downloaded 3.6.3 TBB but to my surprise and dismay, it does not connect
not even once. I downloaded a second copy and the same thing: TBB 3.6.3 does not
connect.
I deleted TBB 3.6.3 and started 3.6.2 from my saved programs on a flash stick. It worked
and still works without a problem. I am writing this comment using TBB 3.6.2.
Please address the issue and hopefully solve the problem as you have always done in the past.
May God Bless You All who help us reach the free world from a censored internet.

Which antivirus software are you using?

This might be another of those situations where the antivirus software doesn't allow something it hasn't seen much before.

My use of Tor is mostly limited to creating an obfuscated pipe for Bitcoin-Qt. I rarely use Tor to merely browse the Internet. Accordingly, I have been using Vidalia to create a connection, then running Bitcoin-Qt over that.

If I see things correctly, there no longer is a Vidalia. How now do I set up an obfuscated connection for Bitcoin-Qt?

you can get the same proxying behavior by running the new Tor Browser Bundle, waiting for it to connect, and then configuring Bitcoin-Qt use localhost:9150 as its SOCKS proxy. as long as TBB is running, bitcoin-Qt should be able to use that proxy connection.

Thanks - that worked.

Seems counterintuitive to need to run a browser session in order to obfuscate protocols other than http, but c'est la guerre.

At first, I thought I did something wrong, but as I'm reading comments, I see some people have my problem too. It seems installing the new version of Tor ruined even the last version, which was working nicely! What did I do?! Why did I update it? Damn me! Now my dear Tor is gone!

What's your antivirus, and does changing it / disabling it / reconfiguring it help any?

My antivirus is 'avast-free version' and I've had it for more than 7 years, and I think for most of these years I've been a Tor user too but never had an experience of any kind of interruption between Tor and Avast! Anyway, I disabled it and nothing got better and Tor is still unable to make its connection properly.
Could this mean maybe my ISP has changed its filtering (censoring) settings and Tor servers are filtered now? And if so, is there any chance for me to overcome this censorship by using the 'configure' option in the Tor connecting window? If yes, is it possible for a 'not geek user' to do that or not?
Thanks

Which country (or ISP) are you in? (Or are you the below poster from Iran?)

According to information I've received from some of my compatriots, it seems Tor servers have been blocked in Iran by some ISPs and nothing is wrong with the new version of Tor. Just some a**holes have decided to tighten the boundaries of the last resorts of freedom around here! So sad ...
p.s. So sorry about untrue (but right) comments about Tor's malfunction. I didn't mean to comment untrue feedback. I just didn't know the origin of the problem. Thanks a lot for being so helpful and patient, dear Tor guys :)
p.s.2 is there any chance to change some settings to overcome this situation (while Tor servers are blocked by local ISPs) that a 'not geek user' could do it personally? if so, is there any guide for that in Tor site or on the internet that is confirmed and endorsed by Tor?
thanks again
a big fan

https://trac.torproject.org/projects/tor/ticket/12727 is the bug that talks about the recent Iran blocks.

As for overcoming it, vanilla bridges work fine. (obfsproxy bridges also work fine.)

https://bridges.torproject.org/

Did Andrea Shepard leave the Tor Project? It kind of looks like she spends most of her time tweeting instead of writing code. Even though she's listed as a core tor dev, her last commit was like 6+ weeks ago... https://gitweb.torproject.org/tor.git/search?s=Andrea+Shepard;st=author And at risk of getting inappropriately personal, I can't help but wonder what this person was being paid 10k+ for over the past few months. From an outsider's perspective, it looks like you could've funded a slew of contributions via BitHub for that kind of money....

If her role--or roles similar to it--for working on tor's core code base are going to be available again, could you please let us know?

STOP DISTRIBUTING AS .EXE FILE!
GIVE ME A .ZIP

I've checked the announcement and this whole comments page carefully. How annoying, can't seem to find VERSION NUMBER for the Tor core itself (so, tor.exe on Windows) anywhere !

Tor's version number - should be something like 0.2.??? or 0.3.??? is essential information (to me at least), much more than any other bundled software, including a browser's one.
Pray, answer here anyone! and, (Mike:) consider updating the above as well as any future announcement to include Tor's version.

https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/Bundle-Data/Docs/ChangeLog.txt

Roger, I'll spare you from a copy & pasting from the link you provided, but the part concerning the TBB 3.6.3 (changelog lines 27-42) makes NO mention of Tor.

Does this mean that Tor (on Windows, tor.exe) was NOT updated from the previous TBB ? Namely, would that be
Tor 0.2.4.22 ?

Really this info should be explicit even if it has not changed, and we shouldn't have to do guess work !
Unless you don't agree "Tor" is an essential component of the
"Tor browser bundle" or whatever it's now being called :=)

Regards !

The ChangeLog only mentions what changed.

Tor Browser 3.6.3 has the same Tor as Tor Browser 3.6.2 did. (That's 0.2.4.22.)

Actually, while we're at it, it's 0.2.4.22 with Tor Browser's patches to it:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/HEAD:/gitian/patches

which is kind of crummy from a maintenance perspective, but here we are.

Thank you ! As I use only Tor, and no custom browser stuff, may I ask whether the patches in question are security related and should I get the "patched"
tor.exe_0.2.4.22_patched_for_TB-3.6.3 ?

If so, is there a direct download for a standalone _patched_ Win32 executable ?

Please don't forget many of your users don't have broadband - more than you'd think, and downloading a bundle when I may want a single exe may be a pain, not to mention having to unpack it in order to get the part(s) I want, without making an install. Yes this user can do it, but less technical people will be lost.

Adding to my above comment/question :
more troubling, now... the "expert" lot from the Torproject's downloads has been updated to serve :

Barring a numbering error, it's a newer update, or is it the same thing as the "patched for TBB tor 0.2.4.22" ?

It's getting somewhat messy out there !

Argh ! For some reason your weblog software have removed the URL of the current "expert bundle" , which - this was the important point - now claims to be "0.2.4.23";

Hence my question , is .23 identical, but renamed, to the "patched .22" that Arma alluded to above ?

No, it is a new one which is not contained in any Tor Browser Bundle yet. See: https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html for its new features and bugfixes.

T.Y, gk. It's all clear now. Running 0.2.4.23 on Windows XP without problems.

Cheers

--
Noino

P.S : Posting comments from the web (blog.torproject.org/comment/...)
can't seem to be able to sign my posts other than 'anonymous'
Not a problem per se, just curious : is identifying self now reserved to the Torproject personnel, or am I missing an option ?

You are not missing an option.

"Thanks Mike!"

Plus one!

"Ever since I started using the latest version of TBB which is 3.6.3, I have the following error message appearing in the log very frequently:
[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]"

Did you check that the private address in question is 127.0.0.1 (localhost)? Does the error appear once, soon after starting TBB?

If yes to both, here is a very slightly educated guess: your OS may be trying to add TBB to a list of "recently used items". Or possibly, some watchdog utility is trying to figure out what TBB is.

Arma suggested a third possibility:

"Sounds like some destination (e.g. website) you're trying to access sent you to an address like 127.0.0.1. When Tor Browser asks Tor to go there, Tor decides you're better off failing to reach it and gives you this log message instead. I get that message quite often when I connect pidgin to my Tor, since some component in Pidgin (maybe one of AIM's servers?) is trying to connect to a service whose name resolves to localhost."

I see this warning even when not using pidgin. At Stack Exchange, several people have reported that they often see it when using TBB.

"I still wish all debian users--by default--could sudo apt-get install tbb from main, or even have tbb replace iceweasel! This is what people have been saying about upstreaming tbb's patches into firefox for a while, but in a community where it seems more likely to happen."

Current Debian stable (Wheezy) appears to have some potentially exploitable geolocation sharing tools, user activity tracking tools, and more, tightly incorporated into the Gnome3 desktop and maybe others too. TBB on the other hand is installed by the user in his/her own directories and is functionally sort of "chrooted". I wonder whether this might not offer some advantages over incorporating TBB more tightly into a default Debian system?

Current Debian stable (Wheezy) appears to have some potentially exploitable geolocation sharing tools, user activity tracking tools, and more, tightly incorporated into the Gnome3 desktop and maybe others too.

Please, for the benefit of those who use the current Debian stable, list all the potentially exploitable geolocation sharing tools, user activity tracking tools..etc, etc.

"I can't help but wonder what this person was being paid 10k+ for over the past few months. From an outsider's perspective, it looks like you could've funded a slew of contributions via BitHub for that kind of money...."

Not to accuse, but only just to observe:

A commonly employed JTRIG tactic is to attempt to sow internal dissension inside a targeted organization by trying to plant the seeds of mutual suspicion, jealousy, and distrust. Carping about money is a favorite ploy.

We should all be alert to such possibilities, without developing excessive paranoia, because we know that Tor is a target of NSA/GCHQ, and we know what kind of dirty tricks they often employ against their targets.

Seconded. But in this case, the gaps between nick (other core tor dev) and andrea's logged contributions--especially given Tor's transparency--does make one wonder: https://gitweb.torproject.org/tor.git/shortlog

It's certainly possible that she's working on a fork offline or went on vacation or just has unusual dev habits (maybe she passes things through other people now?), but for someone listed as a "core tor developer" being a few days shy of two months with no commits to the core code base for tor seems like a significant stretch of time.

It looks like her last commit was June 3rd, and the volume of tweets she's pushed out since then could lead a reasonable person to think maybe she's pivoted to Tor Project related communications (along the lines of jake).

The public tor-reports listserv doesn't list any recent updates from her (though Jake also tends to be quite late in submitting his): https://lists.torproject.org/pipermail/tor-reports/

Nick's update for part of June, however, does mention Andrea: https://lists.torproject.org/pipermail/tor-reports/2014-June/000572.html

Hi, thanks for your great efforts.
What's the replacement for this type of TorBrowser?:
tor-pluggable-transports-browser-2.4.17-beta-2
That was pretty useful, and I could use it even now but with some minor problems like the old Firefox version (3.6.3 doesn't work in my country).

3.6.3 is meant to be the replacement for that one. You have to tell it to use bridges though:
https://bridges.torproject.org/howto

It comes with some built-in bridges (which should work everywhere except China currently), or you can add your own bridges for better robustness.

Please tell us where to report bugs or error messages. Thanks.

Below is an error message when I was using TBB 3.6.3:

[quote]

(firefox:3299): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed

[end quote]

Was someone trying to hack into my internet connection when I was using TBB 3.6.3?

Probably not. That said, if you want to file this gtk-related issue then a good starting point would be your Linux distro bugtracker, I think.

For me, 3.6.3 simply works only when opened the first time. After that it will not open anymore.

The second time or later, the browser toolbar shows up, but the actual browser won't.

Looks like others are having the same issue. Tested on three different OS X Mavericks laptops.

Please, fix this.

That happens sometimes here too, OS X Torbrowsers 3.6.1/3.6.2/3.6.3

(and some other strange behavior, I'll save that for a separate 2nd post here)

1) Possible solutions
What has helped me (could be coincidence) in pre-Mavericks OS X's and what you could try:

Option A) Mozilla function: Safe boot mode / Quit / Normal boot

Steps:
* Force Quit the application with "ctrl" + mouse click, choose "Force Quit".
Yes, your application dock will even be frozen for 10 or 20 seconds; I had that problem as well with certain Firefox versions some time ago, just wait a moment.
* When the dock is responding again, restart the Torbrowser with the "Alt" key pressed (safe boot browser start) and close down the application again (you cannot browse in safe mode anyway, it's just to hopefully clean all the leftover caches that may be causing a problem. Standard Firefox solution)
* Restart the Torbrowser normally
* Try to restart it again and see if it's still working (usually works for me; if not, I use tweak option C myself)

Option B)
* Easy easy way, reinstall the Torbrowser bundle

Option C) Tweak - Reset the given 3 or 4 start connections of the Torbrowser bundle

It's a found-out 'tweak' and a somewhat faster way: throw away some files from the package contents; new ones will be given in their place, no harm done.
Just found out by doing some experiments with the browser; it did work for me on all the OS X 3.6 versions.
Developers, please give me your opinion if you think there are better ways.

Steps:
* Go to the TorBrowser bundle
* "Ctrl" mouse click on the application and choose "show package contents" from the little menu
* Open the "Data" folder (not "Contents", "Docs", or "Tor")
* Open "Tor" folder
* Select the following files "cached*certs", "cached*microdesc*consensus", "cached*microdescs", "cached*microdescs.new" and throw them away ("cmd" key and "backspace" key, or just drag them to the throw away basket (and empty the basket! A lot of people don't empty it, that doesn't make sense to me)).
The files are usually already in alphabetical order and easy to select. I usually clean/throw away the "State" file too.
* Close the windows and start up the browser again; you could even consider first doing a "Safe boot" and then a normal boot.

Again, this works for me, if the developers have another thought about this, and I can imagine there must be better solutions someway somehow, please let me know.
Hopefully it'll work for you.
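
The Option C steps from the comment above, as an added shell example that is not part of the original comment and is not Tor Project code. It assumes the files carry tor's usual hyphenated data-directory names and that the caller passes the bundle's Data/Tor folder. It moves the files into a backup folder rather than deleting them, and it touches the state file, which holds the client's entry guard selection, only when asked.

```shell
#!/bin/sh
# Added example (not from the comment author or the Tor Project).
# Moves tor's cached directory files into a timestamped backup folder
# instead of deleting them. Quit Tor Browser before running it.
# Assumption: files use tor's usual data-directory names (hyphenated).

reset_tor_cache() {
    tor_dir=$1                 # the bundle's Data/Tor folder, given by the caller
    include_state=${2:-no}     # "yes" also moves the state file, as the comment does

    if [ ! -d "$tor_dir" ]; then
        echo "not a directory: $tor_dir" >&2
        return 2
    fi

    backup="$tor_dir/cache-backup.$(date +%Y%m%d%H%M%S)"
    moved=0

    set -- cached-certs cached-microdesc-consensus \
           cached-microdescs cached-microdescs.new
    if [ "$include_state" = yes ]; then
        set -- "$@" state
    fi

    for name in "$@"; do
        # Exact names only: torrc and any other file in the folder stay put.
        [ -f "$tor_dir/$name" ] || continue
        mkdir -p "$backup" || return 1
        mv -- "$tor_dir/$name" "$backup/" || return 1
        moved=$((moved + 1))
    done

    echo "$moved"              # number of files moved aside
}

# Stand-alone use: sh reset_tor_cache.sh "/path/to/Data/Tor" [yes]
if [ "$#" -gt 0 ]; then
    reset_tor_cache "$@"
fi
```

If the tweak makes no difference, the files can be moved back from the backup folder while the browser is closed.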

Using Tor Browser 3.6.3-Linux, all seems to work, but more slowly.
(Ubuntu 12 with Lubuntu. All updates current.)
Thank you for the whole damn system/discussion.
Questions:
Do you update software through 'automatic updates'?
2 days in a row I have the following pending updates:
* anonymizing overlay network for TCP tor (size 1.1 MB).
* GeoIP database for TOR tor-geoipdb (Size 816 kB)
Are these part of the tor browser?
If okay, please point me to info.
Btw: I can NOT have any other software but the browser bundle.
Do I need to remove anything?

Does my mac address still show?
Is there a way of changing it on every request or even every new tab?

Thank you for your time

The Tor Browser is not updated through automatic updates yet. But that feature is coming: https://bugs.torproject.org/4234.

The updates you see are not part of the Tor Browser but part of the tor you get via your Ubuntu. You should install those updates.

You don't need to remove anything, although I have to admit that I don't understand your question very well.

Your MAC address is not touched by tor/Tor Browser. That said, it is not visible outside of your local network either. I.e. nobody on the Internet should be able to see it, but an attacker in your local network (e.g. at home) is still able to.

Half off-topic but there is no simple open request for TAILS questions:

If I want a custom additional torrc setting, is it safe to inject this with
Vidalia-->Settings-->Advanced-->Edit current torrc ?
Delete everything in this torrc window and set only my additional setting (custom exit or something else). Does this override all of the TAILS special config (BAD) or does it inject an additional command only (SAFE)??
Please, no discussion of whether the additional setting is useful or not.

It is strange! After some 'totally off' days with blocking TOR servers in Iran, now my 3.6.2 version starts to work fine but my 3.6.3 still doesn't work. Is it normal?! And also, is it safe to use that version?
Thanks a lot TOR guys :)

3.6.2 is not safe to use -- it includes an old version of Firefox which has several known vulnerabilities.

That said, if you're having problems with 3.6.3, you might try Mike's new Tor Browser 4.0 alpha builds. Maybe they fix the issue for you?

https://people.torproject.org/~mikeperry/builds/4.0-alpha-1/

You mean this one? https://people.torproject.org/~mikeperry/builds/4.0-alpha-1/torbrowser-install-4.0-alpha-1_en-US.exe or this? https://people.torproject.org/~mikeperry/builds/4.0-alpha-1/TorBrowser-4.0-alpha-1-osx32_en-US.dmg

Yes. Depends if you're on Windows or OSX. Also there are Linux ones.

Arm says that tor in tor browser bundle is 0.2.4.22 and thus obsolete. Also, it behaves weirdly with firefox sync: it syncs bookmarks almost instantly and takes about a minute to sync history, but add-ons almost don't sync up (not all of them do, anyway).

You have configured your Tor in your Tor Browser to be a relay I guess? If so, arm is right that 0.2.4.22 is obsolete -- it is no longer recommended for relays, since we want relay operators to upgrade to 0.2.4.23.

If your Tor is just a client, perhaps arm is mistakenly reading the recommended relay versions, and it's an arm bug?

As for the firefox sync weirdness, you should gather more details and file a ticket if you can identify what's wrong.

I posted a comment yesterday, but for some reason it's not showing here... I read that some people were experiencing the same problem I had right after downloading Tor: the connection progress bar gets stuck and it doesn't complete the connection. In my case, I ran tor from the terminal and found a message which told me my clock was delayed and in order to connect I had to adjust it to the UTC time. So, after fixing it, Tor connected ok. Even if your clock is OK, maybe running TBB in the terminal can give you a clue about what is happening.

I am a beginner user, but I think it would be better if TBB showed these messages that appear on the prompt in the GUI too.

Thank you very much!!!
I was the poster about openSUSE 13.1 above; you solved my problem.

I am having a problem connecting to any .onion pages. Tor connects and I can go to, let's say, google.com or any regular website. But any .onion I am trying to go to is not working. And I have changed nothing since I connected last. Is anyone else having this? I even tried to connect from a diff cpu, same problem.

A) Your clock, date, timezone, etc is wrong.

B) You've got a bad list of hidden service addresses, and they are indeed all down or unstable.

If http://duskgytldkxiuqc6.onion/ doesn't work for you, I'd vote (A).

Can't get 3.6.3 to connect to anything on Mavericks - currently 10.9.4. It loads OK and according to my LittleSnitch there is apparently some brief two-way communication as the initial page displays, but then nada, zero, zip, can't navigate to any webpages, and no network activity shows in LS... makes no difference if the Mac's firewall is activated or not, it just sits there like a lump. Seems I had the same problem with all versions since the release of Mavericks. The only way I can use Tor at all is by dragging the old version (with vidalia control panel) back out of the trash.

----UPDATE: It was my SOPHOS antivirus. There are two "web protection" options, if either of them is enabled for some reason Torbrowser doesn't even seem to communicate with the socks proxy.

Yep!

https://www.torproject.org/docs/faq#SophosOnMac

2nd contribution OS X questions as 'promised' by Anonymous August 1st, 2014

'Other open questions regarding the Torbrowser pre config & Addon functions' :

1) Why is the NoScript function after installing the Torbrowser bundle practically (or almost fully) disabled?
Shouldn't there be an explicit warning for that on the download page: "Want Tor to really work?"

I am under the impression that not all users / people realize that that is not a safe manner of using the Tor browser, because they actually accept a lot of javascripts that could be dangerous for their computer (viruses & malware) or their privacy.

(Or) Why not at least activate NoScript in advance, with some very special attention to the "Embeddings" (& Appearance) section.
Embeddings section: why not mark them 'all' in advance, or at least maybe the first 12 options + "ask confirmation.." ?
Seems necessary and good for privacy and your computer health/security; wouldn't it be far better to have possibly a bit too strict browser policies than the other way around?

Another option could be a 'little visual screenshots manual' with advised privacy/security settings somewhere on the site.
Because NoScript is for most people a pretty tough/difficult addon to understand and configure, which could lead to people leaving the settings completely untouched (with unused necessary functionality the addon doesn't actually have a good reason anymore to be there, while it has actually essential necessary functionality).

2) Firefox has a lot of hidden functions. A lot of them you could consider as unwanted functionality because it can affect your privacy, for example.
People who are aware of that change these settings in the about:config preferences of the browser.

I see some (maybe even a lot more) about:config prefs/settings in the Torbrowser bundle unchanged. Wouldn't it be a good idea to have a good look at all those settings for optimizing privacy (dom-settings for example to start with, reconsidering standard available search-engines?, and so on).

3) Certificate management/validation.

The standard available option "When an OCSP server connection fails, treat the certificate as invalid" is not activated.
Why not?

The SSL observatory function under HTTPS Everywhere has the unchecked option "Use the Observatory" with two functions.
Why is it unchecked?

When activating the Observatory, the first option "Check certificates using Tor for anonymity (requires Tor)" is not really an option because you just can't activate it.
Why is that?

The other option "Check certificates even if Tor is not available" is given as the standard option.
To me that seems a bit odd for privacy reasons, but/and would it even work? The browser needs the Tor network, you can't browse without it, so why is the option actually there?

4) Question for other users, is it just me or do other people have this too?
When starting the Torbrowser it will first briefly open a little torbutton pane/window, then the main browser window, and then the Torbutton window in the back vanishes.

Sometimes the Torbutton window is completely black before it vanishes. ??
Sometimes after booting with the black Torbutton window/pane there is also a visual red cross-mark in the Torbutton itself, giving a warning about a not established Tor connection.
Do others have the black Torbutton window too, and if so, what does that mean?

5) OS X release 3.6.3 Tor Button is/was not warning (yet/so far) for the new available release 3.6.4.
Is/was that a Bug?
Hopefully it is working again in 3.6.4 to warn users for the update after that.

6) Last but not least (after all these questions ;-)
thank you again for the good work on this browser.

The 3.6.4 TorBrowser version seems stable on OS X and even a bit faster/more responsive,
it's working fine so far.
