Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users that are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still on-going.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note, though, that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.
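The manual signature check that the paragraph above recommends over the updater can be scripted so that a corrupted or re-signed download is rejected before it is extracted. This is an added example, not Tor Project code: the function names are hypothetical, `PINNED_FPR` is a placeholder to be replaced with the signer's full fingerprint, and the sample status lines are constructed.

```python
"""Check a package against its detached GPG signature and a pinned signing key.

Added example; names and sample data are hypothetical/constructed.
"""
import subprocess
import sys

# Placeholder, NOT a real key: replace with the full 40-hex-digit primary-key
# fingerprint of the release signer, obtained from a source you trust.
PINNED_FPR = "0" * 40

STATUS_PREFIX = "[GNUPG:] "
# Strict policy: any of these status keywords rejects the package outright.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of gpg --status-fd output (fingerprints are made up).
SAMPLE_SUBKEY = "B" * 40
SAMPLE_PRIMARY = "C" * 40
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG " + SAMPLE_SUBKEY
    + " 2014-10-16 1413423442 0 4 0 1 2 00 " + SAMPLE_PRIMARY + "\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG BBBBBBBBBBBBBBBB Example Signer <signer@example.org>\n"
)


def normalize_fpr(fpr):
    """Strip spaces and upper-case so 'abcd 1234 ...' style input compares equal."""
    return fpr.replace(" ", "").upper()


def evaluate_status(status_text, pinned_fpr):
    """Decide from gpg's machine-readable status lines whether to accept.

    Returns (ok, reason). Accepts only if gpg reported a cryptographically
    valid signature (VALIDSIG) whose *primary* key fingerprint equals the
    pinned one. Comparing full fingerprints avoids relying on short key IDs
    or on the user-ID string, both of which an attacker can imitate.
    """
    pinned = normalize_fpr(pinned_fpr)
    valid_primaries = set()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # The 10th argument is the primary-key fingerprint when the
            # signature was made by a subkey; fall back to the first argument.
            primary = args[9] if len(args) >= 10 else args[0]
            valid_primaries.add(primary.upper())
    if not valid_primaries:
        return False, "no VALIDSIG line"
    if pinned not in valid_primaries:
        return False, "valid signature, but not from the pinned key"
    return True, "VALIDSIG from pinned key"


def verify_detached(package, signature, pinned_fpr=PINNED_FPR, gpg="gpg"):
    """Run gpg on (signature, package) and apply evaluate_status to its output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, package],
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        text=True,
    )
    ok, reason = evaluate_status(proc.stdout, pinned_fpr)
    if ok and proc.returncode != 0:
        return False, "gpg exited with status %d" % proc.returncode
    return ok, reason


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_pkg.py <package> <package.asc>")
    accepted, why = verify_detached(sys.argv[1], sys.argv[2])
    print(("OK: " if accepted else "REJECTED: ") + why)
    sys.exit(0 if accepted else 1)
```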

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).


Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.


Hi,
After downloading torbrowser-install-4.0_en-US.exe from https://www.torproject.org/dist/torbrowser/4.0/, I tried to check the signature, I got this result:
gpg: Signature made 10/16/14 01:37:22 using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "

Thanks for providing Tor

Maybe your download got corrupted? Works for me.

You're right!
I downloaded it again, and now it verifies fine.

I can't get Tor to work. Just got the update and nada. Doesn't even boot up the browser. The programme is stopped within a few seconds of trying to open up the browser. Any ideas on how I can solve this problem?
I have downloaded the package so many times today and same result since the initial download.
I have uninstalled virus protection etc and tried to install Tor again. No luck at all. I have to give up for now because I'm out of ideas on how to get it working. Can't even find an older version of Tor to download.

Same here. I haven't had issues running earlier versions of Tor before on my PC (running Windows 7 64bit with all the latest patches) but after I install Tor 4.0 and tell it to launch or when I click on Start Tor Browser nothing happens (browser doesn't launch).

Exactly the same problem for me. 3.6.6 has been running great on several of my win 7 64bit machines, also runs from usb stick elsewhere, but no luck at all with new updated 4.0 install. WHY?

Has anyone an answer to this issue? I too cannot get it to load now.

same issue - no load.

yes tor is filtered via google ..., and your big brother... once was good now is made absolute junk! Tor 4.0 is absolute crap....!

You mean can be run through google if the user so desires?

Some peoples' threat model can make that a good idea.

well, some 'people' have no any idea at all... say nothing of 'model'

Do not run....! This is an obvious flag about safety...! Until they offer a real explanation not just a patch or go into your computer and change settings...I would advise no one concerned of safety initiate Tor...!

It looks like you're not following along. We hit a bug in Firefox.

https://trac.torproject.org/projects/tor/ticket/13443
https://bugzilla.mozilla.org/show_bug.cgi?id=1088848

Expect a 4.0.1 soon with the workaround in place, until Firefox fixes their bug. See also the 'update' at the top of this blog post.

Make sure you aren't simply unzipping the archive over an existing folder. I did that and it bombed out (Linux) within a couple of seconds. I had to delete the old folder and then unzip fresh. It worked after that.

Hope that helps.

They said not to do that.

(Ubuntu 14.04.1 running tor-browser-linux64-4.0_en-US) The new Tor Browser Bundle 4.0 indeed needs to be installed fresh. The 4.0 directory structure has been reorganized, and merging the updated files with the old folders causes it to break.

Yup same here, I initially installed over 3.6 but upon reading the release notes I removed and installed a clean version but it won't boot at all. Win7 64 bit.

I'm using Win 8.1 32 bit, and I'm having the same problem. Even when I delete 3.6 and restart my computer after installation, the browser with 4.0 won't start at all.

Instead of clicking on the "Start Tor Browser" icon, open a terminal (Command Prompt) and type "./path/to/tor-browser_en-US/start-tor-browser" and post the output. That'll give you more information about what Tor and Firefox are trying to do.

My issue was with Trusteer Rapport. I disabled it and now TOR works fine.

ditto with Trusteer on windows 8.1 pro 64-bit .. Thank you.

Quote from a user further down the page:

"The post about the conflict with Trusteer Rapport appears right! I am pleased to report that I am now able to use Tor 4.0 on windows vista sp2 after disabling Trusteer Rapport.
To disable, make sure firefox is closed, go to : start menu>all programs>trusteer endpoint protection>stop trusteer endpoint protection."

I've been having this exact issue and it was fixed straight away!

Fix worked for me. Thanks, well done.

yep, definitely trusteer rapport causes the problem... tor 4.0 starts to work without any problem

Thanks. Tor was bust for ages. Tried everything nothing worked. Until I shut down Rapport. Excellent thanks.

Do you have Trusteer? Shut it down and try running TOR. Was perplexed myself, but it worked as soon as Trusteer was shut down.

No the Gov. got involved... Tor 4.0 firefox is broken...

My download is not corrupted, it is just incomplete..! My download has firefox deactivated! It is not working. period...!

Same fault with two downloads of TOR 4 (one to Win 7 64-bit; one to Win 7 32-bit).

Both machines had previously downloaded several upgrades of TOR up to and including 3.6.6 and all had worked without problems. What has changed in the TOR process?

Installed fine for me except for a problem with unpacking in a Truecrypt volume. The unpacking refuses to create a symlink for the starter. The Browser folder unpacks just fine however and the starter is located in it.
Thanks for your work! I just donated.

Thanks!

awesome! thanks a lot for your endless effort.
Can you please answer my question? Isn't it negative to my anonymity if google and amazon know that I'm using tor, know my real ip, my first hop, and my second hop? Doesn't it make it much easier to deanonymize me by the -you-know-who agency by merely requesting this data from google and amazon with a single letter to the latter? All that's left is finding out my exit node (third hop) which is pretty easy since they know all my previous hops?

Not sure I follow here but if they already know your real IP the game is over. I don't know either why you think they already know your first and your second hop. That should not be the case. And knowing that you use Tor is not singling you out with respect to Google and Amazon given that there are a lot of Tor users using these services.

As I understand, meek connects to google/amazon/microsoft, and so using meek-google and meek-amazon and meek-azure, doesn't it make it obvious to google and amazon and microsoft that I'm using tor? And if so, they know my real ip, and since they're my first hop they know my second hop (isn't the connection to the second hop routed thru their services?) and if I'm logged in to one of their services (from a different browser but same ip) for example to gmail, amazon, or hotmail they know my real identity and much more. Isn't that deanonymizing?

Amazon/Azure/Google only know your first hop, not your second hop. Amazon/Azure/Google are not your first Tor hop; they are something you pass through on the way to your first Tor hop. Check this comment on a previous blog post and the graphic in the meek overview.

There's a proposal to, in the future, use four hops for circuits that use a bridge, so there are three client-chosen hops after the first bridge hop.

You are right that the situation is worse when you are using meek and you are also browsing Amazon/Azure/Google. Then Amazon/Azure/Google sees both your entry and your exit traffic, and they can try to do timing correlation in order to deanonymize you. (But keep in mind that the same problem exists when you are using an ordinary bridge that is running on e.g. Amazon EC2.)

Most of the people who are going to need meek aren't going to be very worried about those services finding out who they are.

Afaik meek actually uses "4 hops", the first one being google/amazon/... and the rest being Tor relays.

tor is growing strongly. we just to need how strong adversaries hunt specific users

Thanks Tor.

Meek-azure/amazon works in mainland China, but the azure bridge is so slow that it takes about 6 minutes to connect to the Tor network.

Thank you for trying it. Here are tickets we're working on that will make meek faster.

  • #12428 Make it possible to have multiple requests and responses in flight
  • #12778 Put meek HTTP headers on a diet
  • #12857 Use streaming downloads

How to change the tabs style to the classic? I would like the classic style of tabs. How to change it in new Tor Browser 4.0?

It's probably safe to install classic theme restorer to fix the defective Chrome like so called user interface.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

Has anyone audited that addon for security vulnerabilities or fingerprinting? Because "probably safe" doesn't really help users who depend on tor and doesn't come off as well informed about the issue.

Hey, I have a big problem: ssl_error_no_cypher_overlap
How can I fix this?

in about:config set security.tls.version.min to 0. BUT: be aware this is not recommended due to the recent attack on SSLv3: https://blog.torproject.org/blog/new-sslv3-attack-found-disable-sslv3-torbrowser

How to disable Australis (hate this thing)?
Is it safe to install the theme classic theme restorer?

One thing Classic Theme Restorer did for me was it changed the window height by one pixel. Tiny thing, but still identifying information... I got around it by adding the setting "extensions.torbutton.window.innerHeight" (integer) and setting it to 901. There could be other problems too, of course.

It should be; classic theme restorer is unlikely to add anything new that could be exploitable, though if you don't disable javascript it might add a new exploit path.

It may, if you've got javascript enabled, make you easier to fingerprint compared to those who suffer through ChromeFox.

Just wanted to add that getting back the add-ons bar is not merely a cosmetic concern.

For example, add-on bar visibility is needed for TBB users to be able to use the CipherFox extension which provides, by default, UI-visible information about the ciphers/CAs in use on a tab.

Try "The Addon Bar (Restored)" v 3.2. It's a Firefox add-on.

As for putting tabs back on the bottom where they belong :-) try this:

(1) Select Help->Troubleshooting Information
(2) For Profile Folder: push the [Show Folder] button
(3) Navigate into the chrome folder. If it is not already there, create a subdirectory called chrome and navigate into it.
(4) Edit or create the userChrome.css. Make sure these lines are in the file and save it.

@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */

#TabsToolbar{-moz-box-ordinal-group:10000!important}

(5) Close all Firefox windows and dialogs and restart Firefox.

The above is from: http://forums.mozillazine.org/viewtopic.php?f=38&t=2825513

Very exciting! Thanks.

Regarding the following point:

"While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy."

Can't we retain this feature by changing the settings in NoScript? I have re-enabled the cascading scripts by going into NoScript's Settings>Advanced>Trusted and un-checking "Cascade top documents permissions".

Does this not achieve the same thing without the need for installing a new add-on?

To explain, I favor this cascading, as it means I can allow the page to work while blocking the (often extensive) tracking scripts that would otherwise load with it.

I agree completely! Such as Google Analytics can be blocked with NoScript while allowing site specific script to run.

GTK: Could you please give your input on this good question? Thanks so much

Your suggested use case was exactly what this change was supposed to make impossible; by allowing some scripts and not others you make yourself easily fingerprintable. Sites can detect when some of the javascript is running but not all of it, and your particular selection may actually be unique to you.

So what to do about GA and other things I would never let run?

This isn't a good solution. All or nothing is not really ever a good thing to offer, there should always be some fine-grained control.

I for one will be using sub-scripts.

I realize Tor thinks it's helping users, but with nearly every new "feature" TB becomes less usable. Like the bullshit about removing the NEWNYM feature and forcing users to trash an entire session just to get a new IP, even if they don't care about linking sessions... (I don't like how Tor forces me into some decisions)

Over the next few weeks I'm going to write a script to do those things Tor Project has refused to allow us to do. Usability has to be important...

We're pushed into a lot of the design decisions based on changes in Firefox. Tor Browser development is largely about triaging to make sure we get rid of all the really bad new things in each Firefox. And Tor Browser has very few developers compared to all the things that need to be done. Please help!

this made me laugh out loud.. "all the really bad new things in each Firefox" ..but it's so true.

roger, if it were up to me, you'd be running mozilla and it would only ship the tor browser bundle, for everyone, by default....and mozilla would actually be financially independent to make decisions to benefit users and devs instead of perpetuating the schizophrenia of claiming to be pro-privacy while constantly, if subtly, giving users up to Google and other advertisers on issue after issue.

hear hear!

arm -i
bang keyboard then press enter
press "N"

There, new IP without trashing browser session or preventing javascript from knowing it's really the same session with a different exit node.

Oh yea, see what I wrote in this sub-topic:
I.e. all the NoScript allowed scripts are only temporary, for that time-frame at the web site (or page). Not using white-list.

It seems unlikely to be only me considering the OP is a different person and I use it the same way.

Me again:

When allowing site specific scripts to run as the OP suggests, I only use "temporarily allow" so there is no whitelist...

In https://www.torproject.org/about/contact.html.en you never mentioned which key should be used for encryption :)

I'm wondering too which key to use.

Right -- doing a group encryption key is no fun in terms of usability.

You could mail us individually. But we might not answer, since we're flooded with people mailing us individually already.

Finding us on irc might be the best answer, but that's not so good in terms of usability for you.

Basically we need a more thorough support team, and currently we don't have the resources or people to do that well. Please help!

How to run Tor Browser without Tor?

First off, I have to wonder: why?

If you really want to do it for some reason, you might try to check the Whonix documentation to see some of their changes, but be sure you're doing what you think you're doing.

Why would you want to do that?

I do the same for two reasons:

1. To use a more secure browser without anonymity ;-)

2. To use JAP when Tor IP exits are blocked.

Firefox with NoScript and HTTPS everywhere in an identical setup provide equivalent security to TBB.

Uh, sorry, this isn't true.

See
https://www.torproject.org/projects/torbrowser/design/
and
https://www.torproject.org/docs/torbutton/en/design/
and
https://gitweb.torproject.org/torbrowser.git/tree/master:/src/current-patches/firefox

Depending I guess on what you meant by "identical setup" -- perhaps you meant identical including all the patches and config changes? :)

They may have an isolating proxy.

In about:config set extensions.torlauncher.start_tor to false

Tor browser crashes every time I use NoScript "Temporary allow..."

Do you have steps to reproduce your problem?

I tried many times and could not. I used Huffingtonpost as the test site (lots of scripts).

After temp. allowing all scripts it loaded fine.

I get crashes like this in win8.1:
gmail
- Login
- temporarily enable scripts
- page starts loading, but tor stops working before it finishes.

Using win8.1 I get the same crash when logging into gmail. It happens right after I've logged in. I can use gmail for a little bit but then it crashes. No more than 10 seconds. I don't enable scripts and it does it.

Also using windows 8.1 here and have the same issue. I've noticed that Gmail works up until the point where gchat would load. Then it crashes. I haven't had a chance to try it using the HTML only fallback version.

Interestingly enough, on the same connection, when I booted to Linux Mint, I didn't have any issues with Gmail. It appears to be a problem only in the Windows version.

The problem is very reproducible, load gmail from the latest tor browser 31.2.0, tor browser 4.0 on windows 8.1 (and judging from other comments on windows 7 as well). As soon as google chat loads, the browser crashes. This happened on two separate machines, but did not happen when I booted into Linux Mint.

I have the same problem with Tor 4.0 on Win 7. I temporarily allow scripts on Gmail for login. Login is successful, but Tor crashes completely in about 10 seconds. Reverted to Tor 3.6.6, and it works fine as usual.

I also had this issue with Win 7. It seems to crash just as the chat/hangouts applet is loading.

Same problem here on Win7 x86

I have the same problem, but when I log in in basic HTML format, it works properly.

AVG detection on installer and tor launcher.
http://www.avgthreatlabs.com/virus-and-malware-information/info/unknown/?name=Unknown&utm_source=TDPU&utm_medium=IDP&PRTYPE=AVF

AVG detection on Browser itself !

Yeah, if you read some of the comments on that page it's hilarious.

AVG has been detecting Tor browser for some time. That doesn't mean there's a virus, and saying Tor Browser is a type Adware called Unknown... AVG is just setting up a wide net and dumping everything that their scanner comes up as possibly questionable in unknown.

libssp-0.dll is missing from my computer.
I have Windows 7, and only unzipped tor, did not install. I always use it without install.
Tried to copy libssp-0 in c:\windows\system32 but still same error...

Right -- you can't just unzip it, you have to install it. The installer rearranges the files to be in the right places.

Some people want it to be different. You should submit a patch so the zip file can be used too.

There is no reason for not running the installer.
It just extracts files, no registry entries are created.
If you run the installer, libssp-0.dll right location will be:
Tor Browser\Browser\libssp-0.dll
Tor Browser\Browser\TorBrowser\Tor\libssp-0.dll

There is no reason to USE installer! An archiver can extract files and set directories. Why force installer usage? Dumb following commercial practice? "no registry entries are created" -- now, but what about tomorrow?

I managed to make it work.
My shit windows is 64 bit, and the dll directory is c:\windows\s68wow ... something.

looks like off to shaky start on Ubuntu 14.

- menus are not there
- bookmarks button is not there.

You can enable the menu bar by right-clicking on the toolbar and you find the bookmarks button behind the Open Menu button on the right side of the toolbar.

I know how to do that, but be assured that many, many people do not.

They can dl and use tor browser but can't do a simple task as decorating.. pls..

No, this is a bug. See my post about Win 7 and my ticket, here: https://trac.torproject.org/projects/tor/ticket/13438

New version 4 will not even run on ubuntu 14.04 x64 for me. Tried multiple times, no luck at all. Had to return to previous version 3.6.6

I could not get it to run either if I download and run tor browser bundle, but when used/installed with torbrowser-launcher it works fine.

also the download and home button are missing

yes mine too

Right click next to the search bar, then click customize.

The NoScript secureCookies option breaks logins to multiple sites (see e.g.
https://trac.torproject.org/projects/tor/ticket/13332).
Are there plans to turn this off in future releases?

Not yet. We need to investigate this issue properly first.

Could some Tor experts/developers tell me whether Tor Browser 4.0 (Linux-64bit) leaked personal details when the following errors were encountered, in particular my Tor browser ID 1413456385345:

Oct 16 18:37:17.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362
Oct 16 18:46:25.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456412233 addons.xpi WARN Download of https://www.eff.org/files/https-everywhere-4.0.2.xpi failed: 2147500037
Oct 16 18:46:52.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362

No, I don't think so. This happens after all your browser state got cleared. This issue is tracked in https://bugs.torproject.org/13377 btw.

No, I don't think so. This happens after all your browser state got cleared. This issue is tracked in .......

Thanks for your reply.

Referring to my previous post, are the numbers 1413456385345 and 1413456412233 unique to my Tor browser? Will they deanonymize me?

Looks more like timestamps involved although I don't know the context to make more than a guess.

side-channel to measure have long server/client decrypt/encrypt packets

I have also seen the

"addons.update-checker WARN HTTP Request failed for an unknown reason"

error message and can confirm it's thrown at times when my browser state is not being cleared.

Do you know why this would be happening, especially given all the recent attention to the updating mechanism?

Kudos on a great release!

Might be due to us pointing to https://127.0.0.1 for Tor Launcher/Torbutton updates (#10682) and there being no proxy exception for it anymore (#10419).

thanks! i somehow had not noticed the corresponding tickets earlier

same here

This is from my terminal
[code]
Oct 26 17:45:55.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Oct 26 17:45:56.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Oct 26 17:45:56.000 [notice] Bootstrapped 100%: Done
Oct 26 17:45:58.000 [notice] New control connection opened from 127.0.0.1.
Oct 26 17:51:57.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1414363917043 addons.update-checker WARN HTTP Request failed for an unknown reason
1414363917045 addons.update-checker WARN HTTP Request failed for an unknown reason
[\code]
what just happened?

It's harmless, but I agree it's scary-sounding.

https://trac.torproject.org/projects/tor/ticket/13129

I get these errors too, man. Why is no one from TOR answering here?

Thanks a lot.
Why did you jump to version 31 ESR, while it is still in 24.8.x branch?
Please blog back an answer.

Because there are no security updates provided anymore for ESR 24.

Because there are no security updates provided anymore for ESR 24.

When there are no more security updates for ESR 24, it must mean that ESR 24 has NO security vulnerabilities. It must mean that ESR 24 is THE most stable and secure version, yes?

no more security updates means they stopped providing support.

No, it means that Mozilla no longer supports the old ESR version. It's quite the opposite from what you said. :)

YOU are right, historically there are _always_ significantly more security holes in "newest exciting etc." software. Seems tor joined race for "new release every week", not ready? - push it and collect users replies.

Well, a) this isn't the newest exciting software. We have joined the FF31 extended support release part-way through its cycle. And b) indeed, we were pushed onto FF31 by having FF24 no longer supported. At least they gave us a schedule so we knew it would happen.

If you know of other better browsers out there for adapting, I'm all ears.

In the mean time, also be sure to read the bottom of
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study

Why at least not to give user a _choice_ to select new or previous release? And as you have skilled people who know where to change code to make it more secure for FF24 why should they run for FF31...FFnn?
OK, may be hardenedTM and shinyTM versions of tbb? Isn't it a choice of compiling options? So what about such a little step? And it's fine have just "This package requires no installation. Just extract it and run." for HardenedTBB for windowz.
iSEC Partners ... they can just try to fill a bug report.
btw it's not mozilla writing browser code, it's people.

It is indeed people writing browser code, but it's hundreds of them, not the three or four that we have on Tor Browser. You'll have to take my word for it that trying to maintain an old abandoned Firefox with three or four people is a really bad move.

Or if you don't believe me, I invite you to go do it for us. :)

how do I enable the "bookmarks toolbars" I can not get to "view" menu on Ubuntu?

What a worthless ugly POS browser. There has got to be something useable out there?

What's wrong with it? If you are moaning about captchas that's not Tor's fault, if you're moaning about youtube videos not playing simply refresh the page and it works fine. Otherwise I don't know your problem.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ can give a usable interface, probably won't cause the NSA to bust you.

Different behavior between new started browser 4 and "New Identity". (win 7, noscript: done: forbid settings globally)

Start 4.0. Open http://ip-check.info/ for privacy test. A window appears "Authentication request". This is a test, click cancel. Then Site loads and you can click start test. And later the result comes.

Now "New Identity". Open http://ip-check.info/ for privacy test again. NO window appears anymore with "Authentication request". Most of the times it loads and doesn't stop. I retry with same URL. Sometimes you get on the page for the test. But no window "Authentication request".

If you close and start the browser, and open http://ip-check.info/, the window "Authentication request" appears again.

I always thought "New Identity" is the same with closing and starting the browser. As this example shows, there must be a difference. Is this a security/privacy problem? What is the difference between "New Identity" and closing/opening new browser? Best is to close and reopen the whole browser, not "New Identity" IMO.

Thanks for comments.

I always knew that it's not the same, simply by the much shorter time frame that "new identity" button took to "restart" the browser in comparison to manually restarting it (e.g. through disabling an add-on and clicking "restart now").

"While we do not recommend per-element whitelisting due to fingerprinting", but if you "revoke temporary permissions" before going to any website and then allow only the scripts that are necessary to view the page, and you do this with every website, can they fingerprint you?

Fingerprinting due to per-element whitelisting is excluded then. Not sure whether this behavior opens up new holes as you would probably be the only one doing this cumbersome ritual. Might be dependent on what you mean with "they".

Exactly what I have been writing: simply don't use a whitelist with NoScript. Allow temp. scripts per page, every time, and then revoke permissions.

I wonder if NoScript has a feature that the temp. permissions can be auto-revoked when the page is no longer loaded?

tor browser bundle 4.0 not working at all on windows 8.1 64bit, no gui pops up, tor.exe appears in task manager for a few seconds then disappears

Thank you so much for your unrelenting efforts! (So cool about Meek!)

A surprise: I am embarrassed to comment that the upgrade pooted my year's glut of bookmarks. This I did not expect because always before they remained intact, ergo, this time I did _not_ make a back-up. Heh. (Linux 32-bit english, btw.)

So be warned and be not lazy like me.

Thank you again, Tor folks!

I was surprised when mine were erased as well. I don't usually read the release notes for TBB updates before I download the newest version. If the home page tells me to update, I just automatically do it. I don't know why, but I do.
Anyway, If you still have, I think it was 3.6.6, open the browser, and export the bookmarks as an html. Then just open 4.0 and import it.

WHY????

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: ----
Additional Information 1: --
Additional Information 2: --
Additional Information 3: --
Additional Information 4: --

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Aero is broken again with v4.0 on Win 7. And this time so are the buttons for options, help, etc.

This is the same problem that happened some releases ago. Can you please fix TB so it correctly works with Aero?

See:
http://i.imgur.com/Fr3UyJL.png

I opened a ticket:

    TBB does not like the standard theme on Windows XP, Vista, and 7 (part 2)
    https://trac.torproject.org/projects/tor/ticket/13438

apropos "pooted bookmarks" posted above (by me):

Embarrassed again - I found them! It appears that the new TBB's "show all bookmarks" and "restore" option did not go to the right place to find the backups.

Sorry. (I do not know which comment has the greater "doh!" factor!)

Thank you again.

Remarks on :

- Torbrowser 4 functionality
.

Final extended feedback-remarks on :

- Dropping Mac support !!
- Bringing back separate tor network connection bundle

.

1) Torbrowser 4.0 browser feedback

- Media tab is still missing in page information while this tab is available in firefox ESR versions and torbrowser 3.6.5 and before.

- Security tab, Technical details is still empty.

- Port management function tab is just deleted, missing

- Alternative connections, config bridge questions
a) Some bridges need Python application to connect internet.
Why is python needed, what are the extra security risks when python versions are not the latest.

b) Alternative to not using python connections is using meek-Google, meek-amazon, what about these companies using behavior analytics, device profiling in return?
What about user privacy?

c) Custom bridges, gives opportunity to manage ports but is absolutely non friendly in distributing system when people are looking for certain ports.

see remarks down

.

Quoted :

"Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails (https://tails.boum.org/) live operating system."

.

2) Mac dropping - regarding this remarkable decision

- It seems a developer only decision that is taken by bypassing users in a sort of developer background discussion for which people had to register to take part!
Registering to take part in a discussion about a anonymous browser?
That was not a really user friendly option, it's more a way to threshold user feedback.
.

A reason to give a final feedback on this now and here.
.

- It seems a decision that seems not to be taken on a fact basis.
About specific user usage facts per country for example to actually serve the Torbrowser user group.
Just mentioning a world wide average number does not make sense in any way at all. You cannot compare the countries you are serving in many ways and therefore not use one general statistical number.
.

- It just could be that the target group of the Torbrowser users are not all capable to buy new and fast computers.
Forcing users to buy new, newer or computers with an other os does not have anything to do with working on a realistic solution and will lead as usual to a common user solution for which some developers will not understand nor see nor recognize, working with unsupported versions of software because the user cannot upgrade anymore and does not feel the urge to throw away working hardware.
.

- Did the developers actually seriously try out their own suggested OS X solutions working with tails?
I don't believe so, take a bunch of 2006/2007 Macs and try it yourself.
Then, just invite an average computer user and ask them to do it.
Will they succeed? In how many days?

Impression, Tails is not actually such a lightweight distro and seems not to be meant for 2006 computers to run.

Suggesting that making a bootable OS X tails usb is not so easy, or, but preferred to do is far from every reasonable OS X user reality.
Besides, it will probably not work anyhow what makes this more like a 9th circle area exercise. Not the kind of energy people are looking for.
A exercise that OS X users are not used to, will not seriously consider, maybe also not in the least because it's far too difficult, beside pgp check troubles, and leads them to a complete change of operating system to just make one browser work?
What do you think?

The result will be in advance or again that people stay using old unsupported Torbrowser versions because they have no choice.

A supported 32 version would maybe not 99.99% secure but more secure and far more wanted than a unsupported Torbrowser.
Give people the opportunity to decide and don't push them to more insecure behavior.

.

3) 100% security dream - back to reality - real OS X threats

Dropping support arguments against real threats, what is actually the problem ?

The perception that some things in the Torbrowser are not safe?
It is a good thing to recognize, to look for and work on solving that.
So, although it seems a good idea to work on extra security it seems that the argument department is not really clear nor convincing, seems at least not in a realistic balance.

To put it another way, there seems to be some misbalance between high advanced possibly possible risks and threats that are used as arguments to drop down support while the easier solutions or threats are still unsolved.
Why not begin with and first finish all the issues that all could be solved within the existing Torbrowser, they still had not in 3.6.6. as reported by user feedback over here and in the Torbrowser security analysis report.

.

Some examples
.

- Why taking the possible ASLR exploits as an Mac dropping support argument while not having solved the most easy basic and essential solutions in the Torbrowser and addons itself as mentioned in the report.
Javascript technique is commonly used in infection routines, could affect lots of people, and should have had more priority than this sudden sophisticated possible exploit argument which is far more rare.
Remarkable Security risk balance.
.

- Some time ago the Torbrowser team had a big report written about security threats for OS X and the Torbrowser.

But not having investigated the basic issue of one very uncommon Torbrowser solution in OS X that maybe could lead to bad permission privilege escalation.
Privilege escalation possibly served by placing the Torbrowser in the general applications folder, which is normal, but not really normal with a direct write permission to that environment because it is continually storing its temporary files inside the bundle instead in a local user library like all other apps usually used to do.

It's clear why everything is in one bundle, it's not clear if placing the Torbrowserbundle in the application directory is actually really safe.
This is a big security related decision that has effects for all OS X versions and is not investigated while the security of the browser and Os X was analyzed by a security research company?

Bit remarkable to only focus on the 64 bit discussion and take Chrome as a example for 64 bit security while they even only had a beta version at that time. Firefox ESR is 64 bit and is even working on 32 bit Mac's without a problem.
Possible Privilege escalation Security risk related for all OS X versions.
.

- More security threat misbalance?
In what way is the Torbrowser protected when running from an usb stick?
It seems that any malware can change the browser files because the usb stick is running in the same local user permission area.
USB infection Security risk related for all OS X versions.
.

- In which way the Torbrowser is getting safer by enlarging the attack surface in the usage of extra processes that need internet connection?

This new Torbrowser 4.0 version even needs a python application to make access to the internet?
That makes two, or three applications connecting to the internet for the usage of one browser.
Users have to monitor the security status of their Python application as an extra, manually updating python in OS X is not a easy thing to do for average users and Apple security updates for python are not that common or taking place that often.

Besides, the big malware outbreak in 2012 with the flashback malware used Java and python functionality. The difference is that in Mac OS X there is no option to monitor the Python application or even a preferences pane like Java has.
Python and internet usage, security risk?
Anyhow related to all OS X versions, but especially for the not the newest versions.
.

- Degrading security by deleting port config options.

Why is the managing ports security option totally removed?
That was actually not a bug but a security feature.

Some people want to manage their computer ports instead of leaving them all open. So, removing a security option because some users did not understand the way it worked?
What is the balance here in the whole security discussion perspective?

To manage ports, there is a one very non practical option left.
This option is to enter custom bridges and look for addresses connected to certain ports? That is a lot of manual work! Especially if one wants to change the addresses once in a while.

Remarkable is that people can ask a list of bridges by email and the suggestion to use a gmail account.
Gmail? Google? Privacy?
.

- More about privacy.
What does the usage of amazon and Google Meek with the privacy of Torbrowser users?
Another new profiling addition to Google analytics, exitnode analytics, system profiling analytics?

Torbrowser seems to have a very dualistic moral and practical relationship with Google on privacy matters and actual cooperation, Google search is still asking for captcha's in return for usage for example.

.

4) Security arguments and Security threats for Mac OS X

Slightly rhetorical question, could the security researchers and developers please tell the Torbrowser Mac users what the actual realistic malware threats are for OS X and the way targeted attacks take place?
Could they please give some figures and examples in which way the threats will be much higher for the older 32 bit Mac systems compared to 64 bit and newest Mac OS X'es?

Please show these big differences with figures about infected Mac's divided in older and newer OS X'es.
One should convince the users by comparing facts and arguments, right?

You will probably not find these figures or have these available because there is probably not such a big difference in infection rates by OS X version.
And when you even would find figures about older infected compromised Mac's even then the compromising reason is usually not the older OS X version itself.

For what I see, read and know, which is maybe not enough, is that far most malware and even targeted attacks are using methods which don't actually need the safer 64 bit browser functionality that hard.
Not a reason to not work on it.

By the way the original Firefox ESR is already a 64 bit browser is there for years and also runs on 32 bit systems by the way, so why can't the Torbrowser be?

.

General, most seen, more common, simple attack surface for Mac
.

a) Social engineering

- A user has to actively install a malware application with the help of giving admin permissions, ignoring warnings and active further cooperation.
Or even like just installing a normal application.
Working all day within a admin account helps malware developers a lot, a lot of people do and it's not smart. A safer browser won't help against this.
.

b) Internet browser

- The usage of javascripts which you can manage with noscript also in Torbrowser
- The misusage of browser plugins like flash and java, which are managed already in the config of Torbrowser
- The usage of feedback information the browser is giving, which are managed in the config settings of Torbrowser.
So a Mac Torbrowser is actually telling that it is a windows system which reduces the attack surface already. Most malware attacks are based on user agent strings. Windows malware does not work on OS X.

Although it seems that there is one hidden setting that can tell the outside world that it is a Mac Torbrowser!?
One will notice when there is a update available and get a specific Mac redirect.
Wouldn't it be safer to remove that option as well before it will be misused?
People are probably smart enough to choose between the Windows, Mac and Linux download button on that same download page.
.

c) Non apple non up to date software

- adobe flashplayer plugin
- java and java plugin
- ms office for Mac, 2004 for example
- adobe reader
- fake video codec's and misusage of non up to date video players like vlc player.
.

d) Non up to date apple software

- Safari browser, take Torbrowser as long as they are supporting it, otherwise 64 bit firefox
- Java Mac versions 6 is 1.6 and earlier

.

All these threats above do not really primarily have to do with the arguments to drop support for certain Mac's or older OS X'es.
.

With one exception,
(e) that people could simply avoid because it is not necessary!
Running Mac OS X 10.5 or 10.4 on a Mac with a intel processor. Just take at least OS X 10.6 on that intel Mac.
.

(f) Learning from out of support site threats !

When not having facts and figures available about OS X versions related to malware and targeted attacks, one could also learn from Mac malware in another way.
When malware seems to have another motive than a criminal motivation and targets specific groups or organizations, the malware is especially, almost always targeting and written for older Mac's with older unpatched program's.
Mac's Torbrowser even missed to support.

It is very easy to conclude from there that there especially is a possible need for Torbrowser support on older Mac's and also direct proof of the fact that older Mac's are still in more than main average figures used by people that especially can use that extra security too.

In plain english, the customer group Torbrowser is talking about and heading for.
The group that will not have support anymore, or even did not have at all because they use even older Mac's.
The group that, according to Torbrowser team, should buy newer, other computers or just go to Windows or Linux?

Maybe they do,
a lot of them probably won't, it's just the way things will not work. Something with everlasting gap between user behavior and developers future possible functions perception.

.

5) Smart behavior before even upgrading

Mainly all above threats are to stop by good and smart behavior within every OS X and using options that are already in the Torbrowser itself.

When using the possibilities that noscript will give a user or with the built in possibilities of changing some about config settings.
You do not need the latest OS X for that,
You do not need to upgrade your OS X for that,
although it is a very good idea to do if you can on that system.

One should be prepared to other attacks and make a safe browser and that is a good goal.
.

In this specific already former dropping Mac discussion I get the impression that it's not the arguments that are counting but possibly more other wishes like having less work, don't like a fat application to distribute.
While a lot of other developers made universal applications for OS X or just served two. But Torbrowser cannot?

Further on, one can understand that it is more trendy to market and to show having a 64 bit browser available. Does not count for the ones who will be abandoned by Torbrowser.
.

This discussion is more than a slightly different argument perspective and accent.
Something that is missing everywhere in the general developer progress arguments and wishes usually ending in fat system requirements.
That is probably why we also have to buy new computers again with more heavy specs to still do the same simple things we do the most, browsing, mailing, writing, watching some photos and video.

.

6) What is actually wrong by offering two versions, 64 bit 32 bit?

Even offering a stripped 32 bit version with higher more strict security settings and less functionality if it could have security implications.
Strong example : Browsing with no javascript activated is always better than no opportunity to browse at all!

When offering a separate version, then you can also measure the need for the 32 bit browser and make a decision, at least based on facts by usage numbers.
Which is still not a guarantee for a acceptable moral decision, but it's a far better start than just dropping without knowledge.
Better than privacy and safety for the upperclass, rich and the west. Did not get the impression that is the main goal for offering tor.

Question,
When dropping support, please do so with fair arguments and listen to your users, next time give them a real anonymous opportunity to give feedback on important anonymous browser issues.

Unfortunately a long story, just the other side in this not so open browser discussion that I wanted to point at.
I agree on working at a good security product and I do appreciate the effort of all the people who did work on that a lot, no misunderstanding for that.

.

7) Food for thought

When supporting older systems or browser versions is not an option for the tor developers anymore.
Maybe it would be an idea to give users the option back to distribute a separate app again to separately connect with the Tor network.
Vidalia download option?

In this case, the abandoned users and even users with older Mac's could use another still supported mozilla fork browser in combination with the Tor functionality.

The Torbrowser developers that are dropping support could leave the possibility open for others to create some sort of a torbrowsing fork experience by using another combination with browsers that still are supported by other enthusiastic developers for even older OS X versions and a lot of even older Macs that are in business and used in other parts of the world.

.
If this long feedback on dropping Mac support contribution is placed, I hope so, Thank you very much for placing this user feedback.
Hopefully helping anyone with it,
especially the Torbrowser developer team.

All the best,

I mark a word in this forum and right click mouse and chose "search startpage [word]". new tab opens with site startpage, but without the marked word and with alert: "noscript filtered a potential post-site-scripting (XSS) attempts from [Chrome]; technical details have been logged in console."

in the console:

[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/rto/search] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request

this is all new for me, what should i do? thx.

I have this same problem with vanilla Firefox. It seems to be a combination of NoScript blocking + a search engine that uses POST rather than GET. It is probably a bug in NoScript.

The mac download link on the main page gives the following error:

Not Found

The requested URL /dist/torbrowser/3.6.6/TorBrowser-3.6.6-osx32_en-US.dmg was not found on this server.
Apache Server at www.torproject.org Port 443

Apparently the link needs to be updated to point to the dmg files here: https://www.torproject.org/dist/torbrowser/4.0/
The English Mac version I downloaded from the distribution directory link works.

Yep. There was a momentary hiccup that reverted all the links, and worse, caused 4.0 users to be told to upgrade. It should be fixed now. Sorry for the fuss!

See this thread
https://lists.torproject.org/pipermail/tor-talk/2014-October/035259.html
and this ticket
https://trac.torproject.org/projects/tor/ticket/13441
for more details about what happened.

"We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version"

>> Okay, but I don't see any 64 bit OS X bundles available. Where can I download them ?

They are not ready yet but will, of course, be available once we drop 32 bit support.

Hi,

I downloaded TB 4.0 and now it says that it's not updated and points me to the Torproject page, where I can only download TB 3.6.6.
Also, right now, https://www.torproject.org/download/download-easy.html only offers TB 3.6.6. Is this intended?

Yep. See the comment above.

In fact, there are like 20 of these comments below, so I'm going to prune them all to keep this comment section more reasonable.

On October 16th, 2014 Anonymous said:
...
> Is it safe to install the theme classic theme restorer?

I don't know, but ... I did it anyway, first thing, and the devs should be aware that a lot of us probably will.

The fact that a lot of us are installing it should help prevent fingerprinting from being too effective though unless a majority of us use a decent UI we'll still show up a bit when we enable js.

Feds are funding Tor?
http://reason.com/blog/2014/07/30/feds-gave-tor-project-18m-while-also-act

Government funding Tor?
http://www.theguardian.com/technology/2014/jul/29/us-government-funding-tor-18m-onion-router

Tor bugs leaked
http://www.bbc.com/news/technology-28886462

NSA targets Tor Users more!
http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto-could-increase-chances-that-nsa-keeps-your-data/

Why are you posting a pile of URLs? There sure are a lot of URLs out there you can choose from.

See all the discussion at
https://blog.torproject.org/blog/being-targeted-nsa

and then also the discussion at
https://blog.torproject.org/blog/transparency-openness-and-our-2013-financials

I installed on 2 different computers running Windows 7. When I open the TOR folder there is a shortcut to "Start TOR Browser" and an application of the same name. Neither work.

Same here. I haven't had issues running Tor before on my PC (running Windows 7 with all the latest patches) but when I install it or when I click on Start Tor Browser nothing happens (browser doesn't launch).

Is there a Tor Mobile App for like the Iphone? I heard you have to set up your computer as a server for your Iphone to then access Tor.

Is there any way for Tor to auto-delete if it has been compromised? Maybe someone is tracking your Tor movements and if Tor detects some kind of suspicious tracking going on, it can automatically shut itself off? That would be great for pure defensive protection!

There's basically no way for tor to know it's been compromised and even if there were Eve could experiment on the same version as the one you're running to find a way to compromise it without triggering the auto-delete.

Why can't you go onto the Yelp site with Tor? It keeps saying blocked. How much does that suck!

It does suck.

https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users

Cloudflare sucks even more.

Why is there post moderation before posting? I want free speech!

Because for every actual comment here there are ten times that many spam comments about shoes and Chinese herbs and so on. Trust me, you do not want to see the waves of spam comments.

Maybe someday we will have a blog that is open to anybody, and doesn't use any of those horrible centralized recaptcha things, and also doesn't have any spam on it. We're not there yet though, and we're focusing on developing Tor instead.

Feds are funding Tor...watch out for back-doors!

You might enjoy
https://www.torproject.org/docs/faq#Backdoor
and
https://blog.torproject.org/blog/transparency-openness-and-our-2013-financials
and the links that it points to.

Thanks for your wonderful and great work!

Sure, there is no update to this 4.0-version - anyways I wanted to check, where to manually activate the certificate for this: »Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option.«

I could not find this option by following your description...

If you open the main menu (the rightmost icon on the toolbar) and choose "?" and then "About Tor Browser" you'll find a button you need to press first to download an update (if there is an update available at all).

Please answer, do you no longer maintain expert bundle? The current version is 0.2.4.23 which is older than 0.2.4.24, which is older than 0.2.5.8-rc.

Another question is, do I even have to download expert bundle to use tor stand-alone? Could I just grab the tor.exe from Tor Browser? I'm asking because they have different file sizes and there might be major differences, I even guess it might be better to do so.

There is nobody who makes them currently. I don't think there's a plan for fixing that. Maybe you should step up and help?

In the mean time, yes, I think you can just grab the Tor Browser and pull the tor.exe from it.

No.
Replacing Tor.exe from TBB does not work.
The only way to make it work is to grab the complete dir
Tor Browser\Browser\TorBrowser\Tor
and run tor.exe

It works on socks 127.0.0.1:9050
Since there is no UI, the only way to close tor.exe is killing the process.

Great -- I guess you do want the libraries too, if your system doesn't already have them. Thanks for the clarification.

Crashes 100% after logging into my favorite site, page appears to load about 80% normally:

Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0

Clean TBB 4 install. Guess I'm staying with 3.6.6 for now.

WOOHOO!

seconded!

For some reason this newer version can never connect for me

Can you further explain the reasons for changing NoScript's functionality?

I can be fingerprinted based on my particular NoScript policies? Is that the idea?

How does the suggested replacement reduce this risk?

They will fingerprint you the moment you activate the script for the website, for example if you go to https://panopticlick.eff.org/ and, if you have forbid scripts globally, choose to allow the scripts and press test me they will have a unique fingerprint for your browser, the same goes for any website. They should not have changed the settings on noscripts for the "cascade" now every script will be allowed thus not just the website you visit will be able to fingerprint you but all the other websites like those for comments or facebook, twitter will have a unique fingerprint of your browser. You should choose on a case by case which scripts you allow for all websites and just revoke temporary permissions before you go to a new website and don't make a whitelist. Regardless, go and check the website https://panopticlick.eff.org/ to see how unique your browser fingerprint is, hopefully it's not.

I understand that activating JavaScript opens up my browser to fingerprinting.

Unchecking the "cascade" options allows my setup to work the way I wish: only allowing the current site and blocking the rest until I temporarily allow each of them.

One interesting thing I noticed when visiting panopticlick at your suggestion is maximizing the browser is what fingerprints my browser more so than anything else. Keeping the browser the default size is best.

Perhaps resizing the browser should be disabled? : )

If I try to change the download folder in Firefox options, Firefox will crash. (WinXP SP3) Anyone else with this problem?

me too!!!
resolve this bug please!!

Yes, exactly the same as you. Reported it in bugs or someplace. I have gone back to 3.6.6, which is fine.

Reported it where?

(Also, going back to 3.6.6 is a poor idea -- see the link to Firefox security flaws in the old versions of Firefox.)

No alternative to going back to 3.6.6 if the new version crashes every time you try to change settings.

How can I reproduce this? Works for me on Windows 7.

really it is quite simple -
just have a bunch of vm-images w/ different versions of windows

I've tried to change the path manually via "about:config", but it seems that some commands are missing. Here is my workaround for that problem...

1. Type "about:config" (without the "") in the address field of Firefox and confirm with the button that you will pay attention not to break the browser (or so, I can't remember the right words, but you know what I mean, if you see it).

2. Type "browser.download" into the search field and look if you have an entry that is called "browser.download.dir"... if so, go to the next point... if not, create a new one... right-click into an empty part of the window and choose "new", then choose "string". Give it the name "browser.download.dir" and, in the next part, your download location. It should look like this:

browser.download.dir - changed by user (or so, but it should not be standard) - string - C:\test

3. Double-click on "browser.download.folderList" and change its value to "2"!

4. Go into the Firefox options and choose the function that will save the downloads into the desired folder and not let the user choose every time where the download will be saved...

Now you can close Firefox and restart Tor... your desired download location will now be used for downloading... but... it will crash again if you try to change the path over the button in the Firefox options again...
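The preferences named in the workaround above can also be written and checked as text, in the `user_pref(...)` line format Firefox uses for its preference files. The following Python sketch is an added example, not part of the comment or of Tor Browser; it assumes that `browser.download.useDownloadDir` is the preference behind the step-4 option and that `browser.download.folderList` follows the usual Firefox meaning (0 = desktop, 1 = Downloads folder, 2 = the custom folder).

```python
import re

# Preferences from the four steps above. "browser.download.useDownloadDir" is
# the name assumed here for the step-4 option (save without asking each time).
WORKAROUND = [
    ("browser.download.dir", r"C:\test"),
    ("browser.download.folderList", 2),
    ("browser.download.useDownloadDir", True),
]

# Constructed sample of a preference file where step 2 was done but step 3 was not.
HALF_DONE = r'''
// constructed sample
user_pref("browser.download.dir", "C:\\test");
user_pref("browser.download.folderList", 1);
'''

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\s*\);\s*$')


def render_pref(name, value):
    """Format one user_pref() line; backslashes and quotes in strings are escaped."""
    if isinstance(value, bool):          # test bool first: True is also an int
        literal = "true" if value else "false"
    elif isinstance(value, int):
        literal = str(value)
    else:
        # A Windows path must be stored with doubled backslashes.
        literal = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return 'user_pref("%s", %s);' % (name, literal)


def render_workaround():
    """All workaround preferences as preference-file text."""
    return "\n".join(render_pref(n, v) for n, v in WORKAROUND) + "\n"


def parse_prefs(text):
    """Read user_pref() lines back into a dict (only the escapes written above)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue                     # comments and blank lines
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = re.sub(r'\\(["\\])', r'\1', raw[1:-1])
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                continue                 # value type this sketch does not handle
    return prefs


def custom_dir_in_effect(prefs):
    """Return the custom folder if it will be used, else None.

    browser.download.dir is only honoured when folderList is 2, which is why
    step 3 of the workaround matters.
    """
    if prefs.get("browser.download.folderList") != 2:
        return None
    return prefs.get("browser.download.dir") or None


def missing_steps(prefs):
    """Names of workaround preferences that are absent or have another value."""
    return [name for name, value in WORKAROUND if prefs.get(name) != value]


if __name__ == "__main__":
    print(render_workaround())
    print("still to do in the sample:", missing_steps(parse_prefs(HALF_DONE)))
```
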

Unfortunately, I had to leave the Tor Browser Bundle. The new Firefox UI removed all usability. There is a classic theme restorer, but the Tor Project does not recommend the installation of additional extensions to the Tor Browser Bundle. Even if the Tor Project were to approve the installation of the classic theme restorer, it won't completely restore the usability level lost to the Australis interface.

Firefox has been lagging behind for years, but Australis was a step too far for me. Maybe one day sanity will return to the Firefox UI. In the meantime, the latest release of Qupzilla supports nested bookmarks (finally!). And strangest of all, Qupzilla has a sane, rational and well thought out UI. It's almost an exact duplicate of the Firefox 24 UI.

So instead of using a relatively small extension to bring Firefox mostly back to how it should be you're suggesting we use a completely different browser that almost no one uses and which hasn't had even the most cursory auditing done to it?

Okay, so what's your alternative to Tor Browser for anonymity?

Sure Firefox has made the not so great decision to try to compete with Chrome for the average user by trying to replicate Chrome. It's a decision that kind of makes sense given Chrome's market share.
See https://en.wikipedia.org/wiki/Usage_share_of_web_browsers .

However, I'd caution against using UI as the primary factor for deciding a browser, especially for someone who has concerns that made them use Tor Browser in the first place.

Actually it's probably the wrong decision as those who want a Chrome like interface are already using Chrome, it's those who want a usable interface that they should be targeting.

Chrome's interface is usable, it's just different. Whenever you get a new user interface you get old users complaining about it and frequently someone comes up with some addon/software to restore the old interface for the next five to ten years. It isn't really about having a usable interface, it's about people getting frustrated because they don't know how to use the new interface well. Of course, that hasn't stopped me from using the Classic Theme restorer addon just like I use a piece of software on my Win 7 box to restore the classic start menu.

Look, Firefox has to appeal to the general public. A web browser that appeals to only a subset of technically minded power users isn't going to get the resources (money/manpower) thrown at it to support the ever evolving web. Sure, there are web browsers around that are for that specific subset, but there are large parts of the web that they are unusable on. Even more importantly, they don't necessarily support the security features the major browsers do. For instance, forget about Lynx having certificate pinning. If it means I have less of a chance for my online banking to get hit with a MitM attack, I'll deal with a harder to use UI.

Most people don't want to clutter their screen space with unnecessary controls that they never use. For most users the simplification of the UI makes it more usable. That means they're more likely to use it. Personally, you and I and 100 other people on this blog might not like it, but the people who do like it usually don't write comments about it. Most of the people commenting on the Tor Blog tend to be power users; I don't think we can even assume they're an average cross section of tor users. We don't really have an idea what percentage of TB users dislike the UI changes as opposed to liking it, let alone vanilla Firefox.

Worked fine, updated, now -

Problem Event Name: APPCRASH
Application Name: firefox.exe

How do i fix it?

Looks like the Tor Browser team is working on it currently:
https://trac.torproject.org/projects/tor/ticket/13443#comment:14

Looks like the Tor Browser team is now waiting for Mozilla to fix this
https://bugzilla.mozilla.org/show_bug.cgi?id=1088848

Options:
a) Easy Fix: Use Visual Studio
b) Wait some years until Mozilla Developers close this bug as WONTFIX
c) Release a new TBB 4.0.1 with "media.directshow.enabled" workaround

If (a) is selected you may also fix this unreported bug in CPUs with no CMOV instructions:
https://blog.torproject.org/blog/tor-browser-353-released#comment-54924

Perhaps you can learn from the QupZilla devs.
History of QupZilla Browser:
The Windows version of QupZilla was compiled using MingW, but due to a huge problem with Flash, it is now compiled with Microsoft Visual C++ Compiler 2008
https://github.com/QupZilla/qupzilla

I believe 'c' is the current plan.

Visual studio is not at all the easy fix, because they would be throwing away all the reproducible build features, and I assume it will be approximately forever until visual studio can do that. So that tradeoff sure doesn't sound worth it to me.

I just downloaded the Tor Browser from this site and when I ran it my Norton Security from Comcast told me that this file has a bad reputation and could be dangerous. I'm just wondering if anyone else had the same problem. Thanks

The antivirus answer of "bad reputation" drives me nuts. What it means is that they spy on every program that all their users run, and they haven't seen that many users run this one, "so it must be dangerous".

That will be true for all new software forever.

Also see https://www.torproject.org/docs/faq#VirusFalsePositives

Hey,
Certificates about China Internet, e.g. China Internet Network Information Center EV Certificates Root, CNNIC ROOT and Entrust.net Secure Server Certification Authority, can't be forbidden or deleted in TBB 4.0. WHY?????? It's said that those certificates are dangerous while accessing some websites.
Thanks for comments.

Deciding which CAs to trust and which not and based on which criteria is messy. We leave that to Mozilla.

Thanks so much.

AVG detection on Browser !

https://www.torproject.org/docs/faq#VirusFalsePositives

Please report their bug to your AVG vendor.

The gullible starstruck people of the Tor project trust (and worship) lying-spying google more and more each month.

Not really, they're just trying to use tools provided by google to circumvent other types of surveillance. Look, meek is designed to make it look like you're using google/amazon/microsoft instead of tor for your ISP/government. It's a trade off of letting google/amazon/microsoft know you're using tor instead of your ISP/government. Depending on your threat model, that may or may not be a good idea. For example, it's probably a better idea for people in Iran than people in Germany.

ha-ha-ha "your improvisation is quite entertaining!"
google/etc==nsa;
so for sure tor sells entry guards to nsa, now nsa will have enough data for correlation analysis/researches and tor will have more funds.
local google sells data to local govs in accordance with their legislation. any corporation exists for getting profit.

Are you complaining about meek, or Tor Browser, or the program called tor, or Google, or what? I am confused by your mushed-together concerns, so I don't know how to help you.

If your traffic is going through nsa to a tor entry guard, and your exit traffic is going to an nsa watching site, isn't it quite obvious to correlate the tor user's ip with access to a suspected site?
Can tor _recommend_ somebody like Snowden to use this channel?
Does tor deny relations between google and nsa?
And as is known, common users are lazy and will use what is given; it will create another pattern: "common users" and "suspicious users" who will not go through google.nsa.
It's understandable these two groups of tor users have different needs: one for security, and the others. In the right design, others should significantly lower SNR for tor links. But mass switching them to google etc. will expose security-concerned users!

I think you're right that meek has different anonymity characteristics than e.g. obfsproxy, which also has different characteristics than flashproxy.

First, I should reiterate that none of these transports are enabled by default. So we're not mass switching anybody to routing their traffic through Google or Amazon or Akamai or other centralized services. These are research prototypes that users can use if they want to.

But second, I agree with you that it's worth exploring and better understanding the anonymity vs reachability tradeoffs for these transports. I think that question falls under criteria #5 at
https://lists.torproject.org/pipermail/tor-dev/2013-September/005528.html
which I'm hoping we'll have time and attention to work on now that we're ramping up SponsorS:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorS/PluggableTransports/Proposal

Yes, but the NSA may not be the threat that a given user of TBB is worried about.

so anonymous and anonymous@nsa! quite impressive...
let's see - anonymous@mosad, anonymous@kgb, anonymous@nwo... and sure every corp needs their own registered/subscribed anonymous...

This new version of the browser continually crashes on win64, is this a known issue?

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4

Yes....! and you are not alone..!

And yes...!!! The Navy is watching as Tor sits back and does not inform you this activity is going on!!! Tor has been hacked I am afraid..! when you do not get answers ..in reality the Tor guys do not even know of you posting issues ... it is going directly.. to echelon!

Your comment has been queued for moderation by site administrators and will be published after approval. ...........O/K !!!! But I already know who is the Moderator...!

Yeah. Turns out, I am.

This may be a very dumb question, but why in the hell was the option in NoScript to "Cascade top document's permissions to third party scripts" turned on? That ENABLES a whole bunch of privacy nightmare stuff on a lot of websites like Twitter stuff, Facebook tracking, etc.
Whose....... braindead stupid idea was it to enable that setting by default?
Whoever it was, in my opinion, needs kicked off the TOR team if they did not realize how dumb it was to enable that setting.

I have always hated noscript because for the non geeky it is a nightmare to know how best to set the options for best security.

Someone else said "keep it simple". OK I appreciate the efforts the developers go to to keep us safe, but suspect there may be too many geeks involved who cannot avoid trying to fix things that don't need fixing.

No, they realized that people didn't know how dumb they were using it and expecting to be hard to track and fingerprint. Turning off scripting for trackers doesn't eliminate the ability to track you.

commit 1e64c52cbdf75863cc68f12431e6a3bb510ee695
Author: Mike Perry
Date: Thu Jun 26 18:27:48 2014 -0700

Set prefs for NoScript cascading permissions.

Also auto-reloading the current tab seems like a good plan.

I can't get Tor 4.0 to function consistently. It downloads fine, I install to a new directory (no overwriting any old version). Everything unpacks OK.

I then click "Start Tor Browser"... it loads, well, something -- "firefox.exe" and "tor.exe" appear on my running processes list. But no actual browser window appears. Any help? This happening to anyone else?

yep same here = Windows 8.1 64bit

I'm having the same problem.

I've downloaded it several times now and still can't get it to open a browser.

Any suggestions?

Yes, I'm using windows vista home premium (32bit) with service pack 2.

Have tried downloading and re-installing TBB afresh many times - can download and install, but when I click "start tor browser" nothing appears to happen. I can see Tor listed as running in windows task manager. After a little while I get Tor browser has stopped working, close program, windows is looking for a solution.

The earlier version worked fine. Currently unable to use Tor.

To the Tor developers:

Please stop making it more complex. This meek bullshit should not be forced on to all users by default. Make it an option people can turn on if they wish to involve Google/Amazon/Microsoft in their privacy. Now by involving the best friends of the NSA you are playing a very dangerous game with people's lives.

Again, KEEP IT SIMPLE !

By making things more complex you are creating more attack vectors which are or could become a problem in the future.

That said, your work is appreciated. One more thing: I do donate to the project.

Like all other pluggable transports, meek is optional and must be explicitly enabled. I'm not seeing what the problem is here.

Thanks tor, I have used tor for many years; it helps me view the internet directly. Thanks a lot.

Today I used Tor Browser 4.0 to sign in to Gmail; the browser automatically closed and Win8.1 prompted that tor had a problem and needed to close.

This is my first time commenting on the site, so cool!

I have the same exact problem. Win 8.1, sign into gmail, tor browser stops working.

So, does anyone know if TOR 4.0 took care of this issue:

https://www.eff.org/deeplinks/2014/05/mozilla-and-drm

If you don't want to check the link, it's about FireFox being the "last holdout" of Digital Rights Management and how F.F. folded.

It looks like no worries with the older TOR 3.x.x series, but now that TOR has shifted to the new F.F. ESR.....?

Thanks for the answer(s) if they are known.

^ ^ ^ ANYONE? ^ ^ ^

Tor project compiles Firefox themselves so it's highly unlikely that it has digital restrictions management support included.

Mozilla to their credit did manage to get a relatively benign implementation into Firefox that is optional and doesn't stuff up the rest of the browser, but will it stay that way or will the DRM lovers demand that Mozilla become more like the others?

I certainly hope the pirates put their effort into cracking the DRM on the other browsers which is implemented in a way more to Hollywood's liking than the Firefox implementation.

Thanks for your knowledge and help. I'm not a computer guy/gal so I had no idea what the deal was since now FF has caved (although, not as bad as might seem according to your post).

Thanks again for your input! I'd be lost without so many giving so much in the web community.

How about adding the GitHub version of random-agent spoofer to Firefox to further randomize the timezone, screen size and other information? It is possible I am late in finding this extension, but I think many have not noticed it, so I'm sharing.

Timezone should just be UTC for everyone.

My TBB keeps crashing every time I try to read my Gmail emails. No idea why. On Win 7, 32-bit. Everything worked perfectly before on the alphas 4.0 1,2, and 3. :(

This is https://bugs.torproject.org/13443. If you can reproduce crashes on other sites, please let me know (ideally in the ticket); this might help solve the Gmail crashes as well.

Same here on Win XP:
TBB 4.0 alpha-3 works fine with gmail
TBB 4.0 crashes when loading gmail:
Dr. Watson Log (in Spanish) says:
Excepción de aplicación ocurrida:
Aplicación: E:\...\Tor Browser\Browser\firefox.exe (pid=2220)
Fecha y hora: 17/10/2014 a las 22:24:00.484
Número de excepción: 80000003 (punto de interrupción codificado)

Google translator (spanish to english):
"punto de interrupción codificado" = "coded breakpoint"

Workaround: disable javascript to force gmail "basic html view"

Hi,

does it happen sometimes that the new version thinks it's outdated?

Thanks

it happened to me too last night
I commented here but they did not approve my msg, CIA/NSA BITCHES!!

Hi
I can't import a personal .p12 certificate. What to do?

Sorry, Roger & Mike & company, but the TBB version 4.0 is buggy as all hell on Windows 7 and possibly Windows 8.1 ... when the installer unpacks the files, I think the directory tree that's made is all screwed up compared to previous versions.

On Tor 3.x, the "Start Tor Browser" was an executable file that did some juju and loaded Tor flawlessly. With Tor 4.0, "Start Tor Browser" has been changed to a shortcut file that points towards "firefox.exe" in a subdirectory. The result: clicking on "Start Tor Browser" loads firefox.exe and tor.exe into memory, into the processes list, without any actual browser window opening. Attempting to click "Start Tor Browser" again at this point gives an error message, "Firefox is already running but appears to not be responding at this time". Huh?

Seriously, take a Win7 box and run the Tor 4.0 installer. You'll get it to work once. But once you close the browser down, good luck getting it to run properly again.

Sticking with 3.6.6 until this gets sorted out. I have found one way to run Tor 4.0 properly, and that's through the just-released TAILS 1.2... there it works fine as far as I can tell. But I don't feel like having to reboot to a USB stick every time I want to do some little thing on Tor.

I am having the exact same issue with my Windows 7 (64bit) install as well. Tor doesn't launch.

Works fine here on Win 7 64bit

Two issues which have cropped up with the new version of TOR Browser 4.0:-

1) When attempting to login to a Gmail account, the browser stops working and closes. This only happens on this email account and not on others. The underlying OS is Windows 7 Pro 64-bit.

2) I have a number of installations across several machines, which are running either Windows 7 Pro 64-bit or Windows 8.1 and they all display the same characteristic, in that the browser frequently doesn't complete the start-up process. You get the little box in the corner whilst it is establishing a connection but no browser opens afterwards.

The worst issue with this second item is the fact that this error is not consistent, sometimes it works and sometimes it doesn't.

Yep, your second issue. Same thing here. Windows 7 Professional 64-bit. I'm the guy who posted the comment directly above yours coincidentally.

"The Tor Browser doesn't complete the start-up process". That's the most succinct way of putting it. It loads the browser into memory, but the actual window never opens. There have been like 10 people on this thread reporting similar issues -- how on Earth was this missed in testing?

As Kenan Thompson once said on SNL's Weekend Update, "FIX IT...! FIIIX IT!!! IT NEED TO BE FIXED!! NOW!" ;-)

I'm having the exact same issue on windows 7. I downloaded and installed and it opened first time no problem; within 5 minutes it crashed and it hasn't opened since. I've tried reinstalling and a system restore to no avail. I've emailed their help desk and am awaiting a reply. It does seem strange that it hasn't been addressed here.

The new interface is confusing, but overall the bundle works.

However, the browser seems to mess with some functions on sites like flickr.com, for example, the 'fav', 'share' and 'download' buttons on the album page are missing, changing no-script rules didn't help. Also when performing a search on this site, sometimes the search result page will get stuck in an infinite 'fetching more photos' loop, no matter how long you wait, no photos will be fetched.

The aforementioned issue is not present when using version 3.6 bundle.

Thanks for the tor team's effort in trying out new things, hope some day the problem will be addressed.

TorBrowser 3.6 was lagging a lot; it was barely usable. Now TorBrowser 4.0 also lags, but much less than 3.6; it's usable, but the lag is visible and noticeable. What do you need to know and which public key should I use to send you what you need to know?

On Windows XP, Tor Browser 4.0 seems to conflict with Trusteer Rapport, which my bank requires me to use. On my system, Tor Browser 4.0 crashes without exception if Trusteer Rapport is running when I launch it. Trusteer Rapport also goes crazy, jumping to using nearly 1 GB of memory and 50%+ CPU. If Trusteer Rapport is disabled, however, Tor Browser launches and runs normally.

Tor Browser 3.6.6 does not create any issues, nor does vanilla Firefox. I will try and test it on Windows 7 when I can to see if the problem also occurs there (I currently only have access to a Win XP machine).

To clarify: Trusteer Rapport is installed on my system, and the Rapport plugin is installed in vanilla Firefox. The plugin is NOT installed in Tor Browser. So it seems like something about the background process which Trusteer Rapport runs seems to conflict with something in Tor Browser. I'm happy to run specific tests, if it will help with debugging.

I had Trusteer Rapport on my comp. Just uninstalled and Tor working fine. The Trusteer programme was definitely the reason Tor was not starting up. Thanks for this. Happy downloading :)

Tor Browser 4 doesn't work for me on W8 - APPCRASH in Fault Module Name:KERNELBASE.dll. Stopped the Trusteer service and TB4 works ok.

I'll save you the time - it happens on Windows 7 and 8 if Rapport is installed.

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: 1a2a
Additional Information 4: 1a2aa8e38ac8adbb6fe1e594fa623c2e

Every time I'm on Facebook this happens and I have to close Tor and restart it again; it happens every time a news feed alert pops up about my friends' activity... I have no idea what I should do. I had no problem with other Tor versions and this is surprising...

Got the same as you after the 4.0 update.

Does anyone know where to get the previous version's download? I want to go back.

Hi, this new version sucks, it keeps crashing on me...
Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: 1a2a
Additional Information 4: 1a2aa8e38ac8adbb6fe1e594fa623c2e

I have the same problem sig.
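The problem signatures pasted in this thread can be compared field by field to see which reports describe the same crash and which are too truncated to tell. The following Python sketch is an added example, not part of any comment or of Tor Project tooling; the sample text is constructed, using values quoted in the comments above for the first three reports and obviously made-up placeholder values for the KERNELBASE.dll report.

```python
from collections import defaultdict

# Fields that together identify one crash site in a Windows APPCRASH signature.
KEY_FIELDS = ("Application Name", "Fault Module Name", "Fault Module Version",
              "Exception Code", "Exception Offset")

# Constructed sample. Reports 0 and 1 repeat the full signature quoted above,
# report 2 is cut off after the module version (as in one comment), and
# report 3 uses placeholder values, not data from the thread.
SAMPLE = """\
Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Exception Code: 80000003
Exception Offset: 0105d1e4

Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0

Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Fault Module Name: KERNELBASE.dll
Fault Module Version: 0.0.0.0
Exception Code: deadbeef
Exception Offset: 00000000
"""


def split_reports(text):
    """Split pasted text into dicts; a report starts at 'Problem Event Name'."""
    reports, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue                     # blank lines, "Problem signature:" header
        if key == "Problem Event Name":
            current = {}
            reports.append(current)
        if current is not None:
            current[key] = value
    return reports


def bucket_key(report):
    """Normalised identifying tuple, or None when a key field is missing."""
    if any(field not in report for field in KEY_FIELDS):
        return None
    return tuple(report[field].lower() for field in KEY_FIELDS)


def group_reports(text):
    """Return ({key: [report indexes]}, [indexes of truncated reports])."""
    buckets, incomplete = defaultdict(list), []
    for index, report in enumerate(split_reports(text)):
        key = bucket_key(report)
        if key is None:
            incomplete.append(index)     # never merged on partial evidence
        else:
            buckets[key].append(index)
    return dict(buckets), incomplete


def candidate_buckets(report, buckets):
    """Buckets that a truncated report does not contradict."""
    matches = []
    for key in buckets:
        named = dict(zip(KEY_FIELDS, key))
        if all(report[f].lower() == named[f] for f in KEY_FIELDS if f in report):
            matches.append(key)
    return matches


if __name__ == "__main__":
    buckets, incomplete = group_reports(SAMPLE)
    for key, members in buckets.items():
        print(len(members), "report(s):", key)
    print("truncated reports:", incomplete)
```
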

Can I go back to previous version? I deleted and need a 3.6 download site.

Anyone?

Awful update!
New FF is lame and broken Chrome, based on Chromium.
U'd better make good Tor Bundle w/o f*cking chrome-based FF and teach ppl how to configure any Chromium-based browsers (Chrome, FF, Opera).
U sold urself to the wrong browser.

Classic Theme Restorer can mostly fix that.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

Firefox isn't based on Chromium, the new UI was just designed to look like Chrome; there are significant differences in the internals. There is the unfortunate choice of "chrome" as a pseudo protocol to access browser internals, but that actually predates the Google Chrome browser. As for using any Chromium-based browser with tor, I remember reading that Chromium doesn't handle certificates in a way that works well with tor and can break anonymity. If you really need to use a Chromium-based browser with tor, you probably should use an isolating proxy.

Also, while Opera uses the Blink layout engine which is part of Chromium, it isn't based on Chromium as a whole like Google Chrome is. Google Chrome is pretty much just repackaged Chromium with a few additional nonfree components. Like Flash.

Hi, this version can't delete the "CNNIC" certificate. How do I delete it? Thanks very much!

Certificates about China Internet, e.g. China Internet Network Information Center EV Certificates Root, CNNIC ROOT and Entrust.net Secure Server Certification Authority, can't be forbidden or deleted in TBB 4.0. WHY?????? It's said that those certificates are dangerous while accessing some websites.

HTTPS Everywhere can check certificates to detect MITM, you just have to enable that feature.

unfortunately this sends all of your certs to Google last time I heard (SSL Observatory), which violates the threat models of many TBB users

I thought it sent them to the EFF (a non-profit committed to privacy), and it can do it over tor (hopefully it gives the ASN on the exit node you use; if not, just make sure to uncheck the part about telling them what ISP you're using).

Why do you not establish a hidden service (or multiple of them) to update TBB? That doesn't rely on any CA.

Hi, I don't know if anyone is using Vidalia. Tor Bandwidth Usage is always 0 when it is listening to TBB 4.0 with meek-azure. I want to know why, and how to view the rate TBB produces and delete the nodes.

I would like to thank the developers of TOR for the hard work and the steady improvement of security. But I also have to say that the foundation of TB (meaning: Firefox) is getting worse with every update (of FF). The continual integration of features like WebGL, social media APIs, codecs and the removal of the ability to turn off JavaScript by menu should give food for thought. Plus, the new Australis UI is really dreadful. Dumbing down everything DOES NOT EQUAL improving usability. Just because everything is round, not everything is more beautiful. And c'mon... Burger menu... If I want a burger menu, I choose Chrome or go to McDonald's ;-).
But as I said, this is not a critique of the TOR developers. But maybe they should think about the future of FF. Just my 2 cents.

There doesn't seem to be much in the way of other options, though NoScript can at least kill WebGL and audio/video and plugins are blocked.

Classic Theme Restorer works well enough, something other than Firefox might be nice but what?

Use noscript to disable javascript. The end.

It is not the problem of the ability to disable. But the decision to remove the option from the FF menu is very questionable. Why? If people turn off JavaScript, web pages are not working properly anymore? So what! Why remove a well known feature from the menu and keep the functionality to turn on/off JavaScript in the back end anyway?
And there are plans to get rid of addons. This is definitely not the reason why I switched to FF years ago.

Mozilla has done a lot of shady actions this year to effectively end their reputation as "Committed to you, your privacy and an open Web"

I think FF devs rightfully think that the ppl who disable FF from the menu are the same ppl who will know how to disable it, with the same level of ease, from about:config.

on one level this appears to make sense, but in my opinion does not hold up at all once you start looking through all the other even-more-obscure options they've left UI-visible.

it's quite telling that mozilla's pages telling you about their commitment to your privacy drop google analytics on you..

While Firefox devs may make a number of bad decisions the problem with suggesting TB switch to a different browser is there needs to be a better alternative out there that more than just power users can use.

That is indeed true.
To say "make a fork of FF" seems to be easier said than done.
Creating our own fork: Enough resources to maintain TOR and the fork?
Using an existing FF fork like Palemoon: I don't know.
Chrome: The same problem as FF.
Opera: Open enough?
Konqueror: Usable and platform independent enough?
Safari: LOL.
IE: No comment...
Yeah, and we are back to square one. Really a quandary...

Palemoon might be the closest though they branched it to MPL only as far as I can tell (tor project would probably want dual licensing) and there's no macintoy version.

Realistically only Gecko based browsers are likely to have the API hooks needed without lots of extra work.

huzzah! finally back to having a semi-modern firefox!

so now google street view works (without flash)!

if you miss the old google maps (which TBB users have been using until now) see http://googlesystem.blogspot.com/2013/10/classic-google-maps-url.html

linux64, gets stuck at loading -- 85% bootstrap, trying to establish first hop connection but nothing happens.
3.6.6 works fine.

Any idea what is the issue?

After installing 4.0, tor keeps telling me that something went wrong when I start it up. What's the chance anyone has ideas to fix this, please? I've used tor for a while now and never had a problem.

Won't work. Downloaded, installed, won't open. Very frustrating indeed.

make sure you downloaded the right build for your operating system, and that your download is complete

Hello.
I used not to be able to play mp4 files in the tor browser (because the browser couldn't natively support mp4 codecs) but with the new 4.0 version it can. Before it used to just give me the option to download the file, now it plays. Is it intentional, and how can I choose to download the file? Instead of playing the video, how can I download it? Thanks.

Interestingly, I used to be able to play mp3s in 3.6.6 and earlier, but now I can't.
The browser crashes every time and notes an issue with "xul.dll"

It took a lot of headache for me to get mp4 videos to work after awhile, but I'm not even sure how that happened. The modified preferences don't seem to have anything to do with video or mpeg.

is this related to the following? re:concerns about vulnerabilities

https://trac.torproject.org/projects/tor/ticket/12212

thanks

In theory Tor Browser shouldn't play any videos other than WebM and OGG. That's because Firefox only has native support for those codecs/formats. If you play them, that's because Tor Browser is getting plugins from the system (which might be leaking sensitive information) or that Firefox has new native support for those formats (mp4 and such).
I don't know if the new version of firefox has such support.

I have finally discovered what caused Tor Browser Bundle to now be able to play mp4 files. It's because the new firefox has the ability to use gstreamer plugins (if installed in your system) to play the h264 codecs. Which makes me ask: is it safe?? Or can gstreamer plugins leak any sensitive information (like DNS requests)??
I have found a workaround to this: you just go to "about:config", search for "media.gstreamer.enabled" and set it to false. At least it prevents gstreamer from being loaded into the browser. HOWEVER IT MIGHT CAUSE FINGERPRINTING PROBLEMS, BECAUSE YOUR BROWSER WILL ACTUALLY LOAD ANY VIDEO INSIDE A WEBPAGE WHICH IS DIFFERENT BEHAVIOR FROM VANILLA TOR BROWSER BUNDLE! USE AT YOUR OWN RISK! I will open a bug concerning this.

about:downloads is not on the NoScript whitelist causing any downloads not to update in that tab until manually reloaded (unless you have JS enabled).

Why is it a good idea to include Firefox Sync? I'm sure it can be used in a secure way but it just doesn't feel right.

Firefox Sync CANNOT be used in a secure and private way because it is designed in a way to collect information. Please stop considering Mozilla Firefox to be "secure" and "cares about your privacy" because it's not; there are basic security features that are still missing from it, out of mere neglect, carelessness, and hypocrisy (e.g. sandboxing).

After this fix, I'm unable to move the "Refresh" button to its normal spot, next to the back button. This is where it is in every other browser I use, so it's where I click without thinking. What is the security enhancement provided by locking the refresh button to the right of the address bar and taking away the ability to move it where I want?

Classic Theme Restorer can do that.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

Please don't suggest installing addons without mentioning that they may open users up to security flaws or deanonymization attacks.

Me here, using a pluggable transport. The TorBrowser 4.0 is running very well, but three certificates, such as China Internet Network Information Center EV Certificates Root / CNNIC ROOT / Entrust.net Secure Server Certification Authority, can't be forbidden.

Yeah, I find this bug too, I cannot forbid Chinese certificates. Maybe a bug in the newest version of Firefox ESR?

Thank you for this great update. I love this interface and have been happy while using it with Firefox.

I just had one question, can I use Disconnect and privacy badger (from EFF) with tor browser?

It will make you much easier to track since you won't look like everyone else.

Simple answer: No.

Please do not discourage users from layering on additional security & privacy settings without any rhyme or reason. The primary reason it makes one "easier to track" is because everyone is discouraged from using things like the EFF's privacy badger. If people were free to decide their level of security for themselves, there would be the "it's that one person who uses Tor Browser Bundle with PB and Disconnect" risk, as there would be more people who had this setup. Furthermore Privacy Badger will change over time, so the first time you go to a site it may block different things than subsequent visits. Accounting for this in tracking software is non-trivial to say the least.

So I say, go ahead and install them if you want. You should realize that since you will not be requesting certain things (as that's the entire purpose of PB), and so a site could identify that it was the same person visiting the site multiple times, however if you're logging in with a pseudonym then this is of no concern as there's no more risk than without PB.

Simple and accurate answer: It depends on your security goals.

If you're just trying to hide your location and remain pseudonymous, then it's fine.

If you're attempting to avoid being identified as the same user with multiple visits to the same site, then it's possible that it's a bad idea. While I may be confident that the gains of PB will outweigh the negative side effects, that's for each person to decide.

When using Tor Browser 4.0, it asks me to contact the system administrator. It said it is blocked because of the system settings.
Kindly guide.
PS: I can use the earlier version of Tor though.

The exact lines are:
This operations has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
I have installed it on the system in new directory.
Please answer..

First things first:
Huge thanks, hugs and love etc. for all the work you have done for us so far! For me personally, the TBB has been running flawlessly ever since I've started using it.
While I feel a bit dickish for adding to what I feel is more than enough clueless individuals complaining without trying to figure things out themselves, the following two things must be mentioned:

1. This Australis abomination needs to GTFO. Please make it stop if you can find the time to do it. Might have been mentioned before, will try to figure it out myself. But I wouldn't wanna mess up anything relevant to TBBs security features. It just hurts the eyes extremely bad, as I find overly round edges distasteful to say the least ;(
But enough crying and taking things for granted which clearly aren't.

2. This one might actually be relevant: on a non-Windows machine, I've been seeing error messages related to NoScript overlay. Occurs when using TorButton to acquire New Identity. Will look into it more, maybe file bug report properly if it's a thing...

This is probably https://bugs.torproject.org/13377

Yes that's the "thing" I was referring to.

Found it in mere minutes after posting and consequently hung my head in shame for 8 nanoseconds (rough estimate, but close enough).

Ultimately, however, I had a good chuckle: partly due to the fact that I could have easily found the answer before wasting valuable time and resources, but mostly because the bug number appeared even more odd considering my short bout of having "the stupids and lazies" spoke quite the contrary.

But what does 1337 even mean here on the internet in times when once "established" and "respectable" printed newspapers, you could even say most media in general, consider the term "selfie" to be an actual word? In my opinion this neologism has taken the ongoing abuse of language way too far.

Oh well. Silly ranting about unimportant matters doesn't change shit, but what can you say in times like these, which are clearly governmentally insane, when fellow humans are confusing electronics-store openings with religious ceremonies.
I guess it all somehow fits the picture in the weirdest possible way. Something's off...feels wrong.

So in addition to the huge respect I already have for your tireless work and dedication, which is already saving many people's lives and freedom,
I thank you for your patience and for taking the time to reply to my post.

But also know that the Tor Project's work has helped me personally a great deal in terms of keeping my sanity and not giving up hope for some positive change. Love y'all.
