Tor Browser 3.6.5 and 4.0-alpha-2 are released
Tor Browser 3.6.5
The fifth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox.
This release also features improvements to the canvas image extraction permissions prompt, and will now log offending script urls to the browser console. It also restores the missing RELRO hardening option to the Linux bundles, and disables NTLM and Negotiate HTTP auth (which can leak sensitive information about the computer). To avoid resolution fingerprinting, popups are also opened in new tabs by default.
Here is the complete changelog for 3.6.5:
- All Platforms
- Update Firefox to 24.8.0esr
- Update NoScript to 2.6.8.39
- Update HTTPS Everywhere to 4.0.0
- Update Torbutton to 1.6.12.1
- Bug 12684: New strings for canvas image extraction message
- Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
- Bug 9531: Workaround to avoid rare hangs during New Identity
- Bug 12684: Improve Canvas image extraction permissions prompt
- Bug 7265: Only prompt for first party canvas access. Log all scripts
that attempt to extract canvas images to Browser console. - Bug 12974: Disable NTLM and Negotiate HTTP Auth
- Bug 2874: Remove Components.* from content access (regression)
- Bug 9881: Open popups in new tabs by default
- Linux:
- Bug 12103: Adding RELRO hardening back to browser binaries.
Tor Browser 4.0-alpha-2
In addition, we are also releasing the second alpha in the 4.0 series, available for download on the extended downloads page.
This release also includes important security updates to Firefox.
In addition to including the changes in 3.6.5, this release also is the first Tor Browser release to enable the in-browser Firefox-based updater. This means that if all goes well, 4.0-alpha-2 users will notified of an available update via a notification similar to that in Firefox. You will then be able to download and install it directly via the browser UI. By default, neither the download nor the update will happen automatically, so if you are not feeling adventurous, you need not allow it to update in this way. Even if you are feeling adventurous, you should probably back up your Tor Browser directory before updating.
In addition to the updater, this release should also re-enable the basic hardening features on Windows, including ASLR, DEP, and SSP.
Furthermore, the NoScript behavior in this release has changed. Selecting "Temporarily allow scripts" will now automatically allow all scripts in a page. This was done for usability reasons, to make it easier for novice users to run Tor Browser with scripting disabled most of the time. This will also hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default.
Here is the complete changelog for 4.0-alpha-2:
- All Platforms
- Update Firefox to 24.8.0esr
- Update NoScript to 2.6.8.39
- Update Tor Launcher to 0.2.7.0
- Bug 11405: Remove firewall prompt from wizard.
- Bug 12895: Mention @riseup.net as a valid bridge request email address
- Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
- Bug 11199: Improve error messages if Tor exits unexpectedly
- Update Torbutton to 1.6.12.1
- Bug 12684: New strings for canvas image extraction message
- Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
- Bug 12684: Improve Canvas image extraction permissions prompt
- Bug 7265: Only prompt for first party canvas access. Log all scripts
that attempt to extract canvas images to Browser console. - Bug 12974: Disable NTLM and Negotiate HTTP Auth
- Bug 2874: Remove Components.* from content access (regression)
- Bug 4234: Automatic Update support (off by default)
- Bug 9881: Open popups in new tabs by default
- Meek Pluggable Transport:
- Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
- Windows:
- Bug 10065: Enable DEP, ASLR, and SSP hardening options
- Linux:
- Bug 12103: Adding RELRO hardening back to browser binaries.
The list of frequently encountered known issues is also available in our bug tracker.
Comments
Please note that the comment area below has been archived.
Is automatic update secure
Is automatic update secure from man-in-the-middle or perform some kind of hash or GPG signature verification?
We pin the certificate of
We pin the certificate of the update server and planned are signed updates, too. For all the fancy things in the pipeline see: https://trac.torproject.org/projects/tor/query?status=!closed&keywords=…
PLEASE SOMEONE FIND A WAY TO
PLEASE SOMEONE FIND A WAY TO BYPASS CLOUDFLARE, THANKS
سلام چرا این
سلام چرا این فیلترین کار نمیکند
This new Tor Browser Bundle
This new Tor Browser Bundle is ignoring the ExcludeNodes and ExcludeExitNodes settings that I have put in torrc. Why is it doing this? Have you changed the syntax to exclude nodes or is something else going on here?
We did not change anything I
We did not change anything I am aware of. Anyway, this is https://bugs.torproject.org/13051.
The alpha 64-bit version is
The alpha 64-bit version is giving the out of date browser warning. Should that just be ignored?
Still? No, it shouldn't be
Still?
No, it shouldn't be ignored. If it's still complaining now, collect more details and file a ticket?
In terms of matching
In terms of matching Mozilla's release cycle, CONGRATS to the team!!
Now when I see Firefox updates and look through the list of security vulnerabilities patched, there isn't a period of time before TBB gets updated that I'm nervous about using TBB as my primary browser.
This makes a difference for TBB users' safety--thanks!
Thanks so much for your
Thanks so much for your selfless dedication,Tor is working very well in china now.
Well, great! Do you mean
Well, great!
Do you mean using a pluggable transport like meek, or does it work out-of-the-box for you?
not meek,but scramblesuit
not meek,but scramblesuit etc!!
very nice improvement i hope
very nice improvement i hope we see it stable very soon with obfs4 enabled :)
Since it was just profiled
Since it was just profiled in Wired yesterday, here's an invite link to the Agora Dark Market:
http://pastebin.com/4Kat4twA
Almighty Perry™ & Almighty Dingledine™, keep this post up and I will donate $10 in bitcoins. Oh yeah, keep up the excellent work. :^)
it's called Agora like tor
it's called Agora like tor project staff's pseudonym isis Agora lovecruft? coincidence?
To complement the new
To complement the new upgrade functionality, was thinking how nice it could be to have a changelog summarizing features added and new features listed automatically after upgrades occured.Since this information gets always listed on blogs and in git would you be willing to allow volunteers to build this functionality?
Where should that changelog
Where should that changelog get added and the new features get listed? In a new browser window or...?
Currently
Currently https://check.torproject.org/RecommendedTBBVersions gives
but https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions gives
It sais I should download a
It sais I should download a new version of TBB, but the download page only gives me 3.6.4, which results in a 404. 3.6.5. is downloadable, but only if you change the url...
Try now.
Try now.
On the download page, there
On the download page, there is still the TBB version 3.6.4 available. Please fix that. I do not want to download an old version, I want the new one! By the way, such errors are a little bit embarrassing for such advanced developers like you.
Should be resolved (have
Should be resolved (have been resolved) earlier today.
What the hey is Tor doing on
What the hey is Tor doing on start-up?
1) In the first few minutes, it hogs 50% of CPU. At the same time, Firefox 32 coasts by on only 5% CPU with ten tabs open. Tor Browser only has one tab open, namely about:tor. Why so CPU-hungry?
2) In the first minutes, hundreds and hundreds of kilobytes are being UPloaded by Tor Browser, apparently to "entry guards". Vastly more uploading than downloading. Why is this happening?
3) I am right now downloading the TBB 3.6.5. Apparently, this download comes not from torproject.org but from a site called toastworld.org. (According to the network monitoring function in my Task Manager.) Who or what is toastworld and why is Tor Browser downloading from it?
I have only ever downloaded TBB from torproject.org, never from a third party site. Every time a new version is issued, I delete the entire Tor Browser folder and create a new one.
My computer is running Windows 7 SP1, with all updates installed as they come out. Standard firewall settings. Anti-virus is Microsoft Security Essentials, I also run EMET 5.0. Never had a virus on this machine, scan of the computer comes up clean.
I connect to the Web using a HUAWEI UMTS modem (E3531).
sounds like you've been
sounds like you've been owned. i suggest you use tails instead.
Does not sound like he has
Does not sound like he has been 'owned' to me, since I got this behavior on a totally clean and fresh Windows 8 when I was looking at what TOR was sending out.
It is more TOR thrashing on first boot like any obfuscation program does.
I am the owner of
I am the owner of toastworld.org
Toastworld.org is a Tor-node like thousand others. I have no idea what you did, but it looks like you are downloading TBB via Tor through my server.
Correction to my previous
Correction to my previous post: the connection to toastworld.org was not yet the actual download but instead happened after I clicked on "Download Tor Browser Bundle Update..." in the drop-down menu from the blinking onion icon. (No page was loaded.)
There is a tor relay running
There is a tor relay running on toastworld.org (79.140.41.117) which has the "guard" flag: https://atlas.torproject.org/#details/7DB67BE87F87525D5792CEC0F8A0011F5…
It looks like your computer has picked this as one of your guard nodes. Hence the download through tor happens via a connection to toastworld.org.
Thanks, that answers
Thanks, that answers question #3. Now can I please have an answer about the first two questions... especially the second?
What about disabling rc4 to
What about disabling rc4 to force the browser to use stronger ciphers by default ? Jake has warned repeatedly that rc4 is broken . Has there been any discussion on this
I know it could make users more susceptible to fingerprinting but if it can be broken in real time it is no protection anyway. Also some sites may only allow rc4 still so maybe a fallback mode could be implemented to re-enable rc4 on a site if all other ciphers are rejected first assuming you can catch the failed cipher negotiation attempts for the stronger ciphers .
I would be interested to hear your thoughts on this
Thank you to all the team. You all are hero's. You are enabling change and saving lives. I can't emphasize this enough! You all rock!
I have warned tor repeatedly
I have warned tor repeatedly that RSA 1024 is broken. They refuse to change it.
- BlackSam
isn't mozilla retiring
isn't mozilla retiring 1024-bit certs in FF32? not sure about the latest ESR build upon which TBB is based, but please consider trying the cipherfox add-on
I can't enter in ask.fm
I can't enter in ask.fm
I have the same problem,
I have the same problem, when I ever use tor browser I get blocked by ask.fm with the message (No robots allowed !).
Still looking for a solution.
When the "canvas image"
When the "canvas image" popup appears, should we click the "x" in the corner, "not now" option, or "never for this site (recomended)"? Choosing the never option would create a fingerprinting problem, woudln't it? But if we click the x in the corner, does it protect us?
Thanks
Clicking the "x" and "not
Clicking the "x" and "not now" should give you the same result. So both is fine. Why should the "never" option create a fingerprinting possibility? Because there is much less latency involved when using this option than clicking "x" or "not now"?
Several months ago i noticed
Several months ago i noticed that Tor has a very handy RPATH... implying a vulnerability that affects all TBBs.
$ objdump -x tor | grep RPATH
RPATH /home/ubuntu/install/openssl/lib:/home/ubuntu/install/libevent/lib
It's easy to create a home directory /home/ubuntu readable by all, and use it to inject dynamic linking libraries (shared objects) into the Tor process. Just by recompiling OpenSSL or libevent with some extra code... Then whoever launches an instance of the tor process from the local machine will execute that injected code, without noticing anything.
Funny thing, is that only the Tor software will have the code injected. So that it isn't the same thing as replacing the system's libc.
You made the perfect honeypot. Any other system administrator could have exploited this bug as i did. I wonder what the NSA is able to do against such a toy. Programmed by unskilled monkeys and checked out by the iSEC Partners... the most handicapped tards ever. Thanks.
Without recompiling anything here's a simple demo, just to prevent the TTB from starting.
gcc -shared -fPIC src.c -o /home/ubuntu/install/libevent/lib/libevent-2.0.so.5
Thanks for your courtesy and
Thanks for your courtesy and your concern. I have filed https://trac.torproject.org/projects/tor/ticket/13062 for this issue.
There is no RPATH available
There is no RPATH available anymore in tor since https://bugs.torproject.org/9150 landed a couple of days ago. Thus, this will be fixed in the next release.
Thats likely the reason why
Thats likely the reason why it was posted in the end.
For the record I got to know that Firefox has at least a yet to be "publicly discovered" exploit that allows remote code execution through javascript. I don't know which OS is affected nor whether DEP+ASLR are able to mitigate said exploit (who knows, perhaps they can). However the Tor Browser is yet to keep javascript off by default. I believe that Tor Project's refusal to start the browser with javascript off is the only bug (but really a backdoor) that the Tor Project has consciously left in Tor.
I tried Vidalia i686
I tried Vidalia i686 downloaded from https://people.torproject.org/~erinn/vidalia-standalone-bundles/ and find it slowly start when the TBB successfully connected to Tor Network, It will be faster start before the TBB has done connection
I noticed this same issue.
I noticed this same issue. Start up Vidalia at the same time or soon after TBB starts and it will connect quickly to the TOR instance running.
Wait a few minutes or start it up minutes after TBB starts running and it can take 2 minutes to load.
where can we download orfox
where can we download orfox from for testing?
https://guardianproject.info/
https://guardianproject.info/builds/OrfoxFennec/
Dear Tor
Dear Tor developers,
recently I read an interview with a Tor dev on BBC's website in which he says that sometimes some NSA employees leak bugs to developers. The interview can be found here:
http://www.bbc.com/news/technology-28886462
I wouldn't trust people who work for intelligence agencies at all. According to a document leaked by Edward Snowden, that's exactly what the NSA wants. Since they cannot break it, they try to "shape" and influence Tor's design, and I couldn't think of a better way to do it:
http://arstechnica.com/security/2013/10/nsa-repeatedly-tries-to-unpeel-…
Maybe they pretend to be privacy-conscious NSA employees and reveal purely theoretical bugs or weaknesses in order to persuade you to change Tor's design in a way that opens the doors to more serious vulnerabilities, that you're obviously not aware of. Please, be careful with these "tips" coming from those NSA's "good samaritans". They aren't good samaritans, otherwise they wouldn't work for the NSA.
There Are No Friendly
There Are No Friendly Intelligence Services.
Okay, I hate to say this but
Okay, I hate to say this but perhaps it is time to put a minimum speed allowed on nodes? There are a TON of nodes showing using Vidalia's Network Map function that have 1KB as the limitation for the node.
This is an obvious attempt at a denial of service attack against TOR and these nodes need to be banned. An example is NotAVirus, frenchfrog, EdwardSnowden41, default, and dalton.
Those 5 have 0KB's as their node limitation and at least 20 in the list above them have 1KB as their node limitation. Maybe it is time to limit running a node to having 300KB's minimum available for the node.
To respond to my earlier
To respond to my earlier post, better than 1/2 of the nodes currently have bandwidth limitations of <10KBps. Yes, K not M. This is obviously a denial of service attack attempt.
So I can't find the NoScript
So I can't find the NoScript button on the Mac version, where did it go?
CloudFlare is showing up
CloudFlare is showing up more and more resulting in entering 50 captcha challenges a day. Is there anything to prevent this?
what's even more annoying is
what's even more annoying is when you--as a real human just trying to read the news, for example--get served repeated captchas for the same page! after a few tries, i often given up.
cloudflare is messing with people's right to read, and that is vastly uncool.
Some "tricks" to help you
Some "tricks" to help you deal with too frequent recaptcha requests:
1) Ignore the easy word - you don't need to type it in at all.*
2) On the difficult word, don't worry about the case - it doesn't matter.
3) Typically one character mistake per word is acceptable, so if you can't read everything perfectly, give it your best shot.
4) Use your browser's "Zoom in" button (+) to make the captcha easier to read - it really does help!
* I know that typing in the "easy" word is supposed to help increase the scanning accuracy of actual docs, but forcing me to deal with recaptchas every 5 minutes makes me less sympathetic to that project. Get CloudFlare to scale back their aggressiveness, and I'll go back to entering in both words!
Several websites block users
Several websites block users of TBB 4.0a2 and TBB 3.6.5 as robots while they work fine with TBB 3.6.4. Addon versions and settings appear to be identical, what else could cause this behavior?
I noticed this as well. It
I noticed this as well. It is more common with websites that use CloudFlare (CloudFlare absolutely HATES TOR for some reason and insists 99% of the time that you 'verify that you are a human').
CloudFlare is totally
CloudFlare is totally ruining my everyday use of TBB. See Roger's other recent blog post...the call to arms.
A lot of cloudy mystery
A lot of cloudy mystery about cranky CloudFlare?
I have seen this silly sh*t with Torbrowser ONLY.
It would be great if Yawning
It would be great if Yawning Angel would add obfs4 to Tor Browser 4.0-alpha-2! The updated Firefox ESR on TB 4.0a2 makes me security leery of using TB 4.0a1.
Thanks for your interest in
Thanks for your interest in obfs4.
I did rebase my integration branch when switching the build process to use the obfs4proxy-0.0.1 tag (instead of a WIP commit), but the bundle build process hung due to unrelated issues with OSX builds, and since my rebase and tag switch was what I was interested in testing, I haven't retried making another set of snapshots.
I wasn't planning on making new snapshots since I got testing on the aspects I wanted to (build integration, obfs4 UI integration, and basic functionality), and the things holding up deployment are all on the bridge side (specifically, there needs to be more obfs4 bridges).
If there's unexpected substantial delays in deployment later, or I make major code changes I may make snapshots again.
Hope that clarifies things.
NOTE AND WARNING: Could the
NOTE AND WARNING:
Could the TOR developer eradicate Google from Mozilla Firefox?!!!
As soon you open TOR and Firefox is running, its conected to the monster of mountain view and they get your IP -- Google service: Google Safe Browsing.
Are you sure about this? I
Are you sure about this? I believe this behavior is disabled by default.
I do know that in order to
I do know that in order to get CloudFlare to display the captchas (so you can visit the site you want to get to) you need to enable google.com with NoScript (as well as enabling cloudflare.com).
So while Google may be blocked initially, getting TBB to work with CloudFlare forces you to unblock Google. Now I don't know if that compromises your anonymity with TBB - any ideas?
All you need to do is
All you need to do is disable noscript, httpseverywhere & adblock.
PLEASE eradicate Google from
PLEASE eradicate Google from Mozilla Firefox!!!!
I have been seeing this
I have been seeing this WARNING in the message log a lot recently:
"Rejecting SOCKS request for anonymous connection to private address [scrubbed]"
What does it mean?
GeKo finally helped me track
GeKo finally helped me track this one down:
https://trac.torproject.org/projects/tor/ticket/13129
In short, it's harmless but maybe we should still do something about the log message.
"All you need to do is
"All you need to do is disable noscript, httpseverywhere & adblock"
A....... really..... good idea.
>Here is the complete
>Here is the complete changelog for 3.6.5:
>
> All Platforms
> Update Firefox to 24.8.0esr
I have downloaded 3.6.5 tor browser bundle for linux64 but Help->About Tor browser say I have 24.7.0 version
What does it mean?
32-bit Linux version shows
32-bit Linux version shows 24.8.0... I'm still curious when they'll move away from ESR
There are no plans for that
There are no plans for that at the moment.
It means you have downloaded
It means you have downloaded the wrong bundle.
The problem with CloudFlare
The problem with CloudFlare and other services blocking Tor users is really annoying. Enabling cookies and disabling noscript is no solution, this way I can stop using Tor as well.
Whilst there are now several powerful tools to overcome censorship at ISP level via bridges, I miss options to circumvent the blocking of Tor users on the destination server side.
The question is - what makes us look like robots and what can be done against it?
Not much in the real world.
Not much in the real world. Some people have been using TOR-enabled robot browsers to download stuff that CloudFlare helps host/protect, so it is actually reasonable for CloudFlare to say "Okay, anyone coming from a TOR IP address has to put in a captcha!"
just as "Some people have
just as "Some people have been using" (internet or proxy) "-enabled robot browsers...".
And btw do you think google manually collect their dbs???
There is publicly available
There is publicly available helper file with all tor exit ip in I(brainless)Net. !!You don't even need to use tor to get near real-time status!!
This info can be downloaded and used by website to treat incoming connections differently.
So IF connection comes from TorExitIp THEN treat it as robot.
It's published for "to make live simpler for ..." not as hidden service. I believe, nobody here will help you to hide your tor usage from destination server.
So help yourself and use tor to connect to (anonymous)proxy.
Strange interaction with
Strange interaction with Youtube. No matter which exit node you're on, always goes to the Youtube of Country X (not the exit node you're on), after changing identities several times, repeats several times, then goes to the Youtube of Country Y (not the exit node you're on), repeats . . . persistent after reinstall etc.
could this be because tor
could this be because tor relies on google for DNS?
Hi, I recently downloaded
Hi,
I recently downloaded tor 3.6.5 for windows and Linux and used the successfully. However today, neither will connect to the tor network. However, Orbot on my phone works fine, as well as an older version of tor that I had sitting on a rarely used computer (I don't know the version)
Any ideas?
Now tor browser bundle 3.6.5
Now tor browser bundle 3.6.5 is running very well in iran,i love you--tor project members so much ,if i am a girl,i will marry one of members!
A really hard WTF? Tried
A really hard WTF?
Tried downloading addons ( .xpi ) on https://addons.mozilla.org with Torbrowser ( Iceweasel ).
CRAZY: the Download window has NO entry.
Whats going on ? Whats the error ? Could anybody explain ??
This is strange.
"CRAZY: the Download window
"CRAZY: the Download window has NO entry."
Solved.
Most likely custom noscript.default .
Widely observed by many, but
Widely observed by many, but to add one more voice, Cloudflare is now an impediment to many, many sites. Major hit to practical functionality of Tor.
Please someone find a way to
Please someone find a way to bypass the most annoying shit called CloudFlare. The creators of unreadable captchas should kill themselves