Tor Browser 4.5a3 is released

by gk | January 16, 2015

The third alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

Note: The individual bundles of the alpha series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub 4096R/0x4E2C6E8793298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
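
One way to script a check against the fingerprint above, as an added example that is not part of the original post or the project's own tooling: it reads gpg's machine-readable status output and accepts a download only when the VALIDSIG line ends in the pinned primary-key fingerprint. The status lines are constructed samples (timestamps and algorithm fields are assumptions); the subkey fingerprint in them is the one shown in the gpg output quoted in the comments.

```shell
#!/bin/sh
# Primary-key fingerprint pinned from the release note above (spaces removed).
EXPECTED_PRIMARY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Reads the output of `gpg --status-fd 1 --verify SIG FILE` on stdin.
# Accepts only if no failure status is present and every VALIDSIG line ends
# in the pinned primary-key fingerprint (the last VALIDSIG field).
check_status() {
    awk -v want="$EXPECTED_PRIMARY_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if ($NF == want) ok = 1; else bad = 1 }
        END { if (bad || !ok) exit 1; exit 0 }
    '
}

# Constructed status output: good signature made by the signing subkey.
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 2E1AC68ED40814E0 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG BA1EE421BBB45263180E1FC72E1AC68ED40814E0 2015-01-16 1421395774 0 4 0 1 8 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
EOF
}

# Constructed: the signature was checked against the wrong data file.
sample_bad() {
    cat <<'EOF'
[GNUPG:] BADSIG 2E1AC68ED40814E0 Tor Browser Developers (signing key)
EOF
}

# Constructed: a valid signature, but from an unrelated key
# (placeholder fingerprints, not real keys).
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-01-16 1421395774 0 4 0 1 8 00 2222222222222222222222222222222222222222
EOF
}

for s in sample_good sample_bad sample_other_key; do
    if $s | check_status; then echo "$s: accept"; else echo "$s: reject"; fi
done

# Real use:
#   gpg --status-fd 1 --verify TorBrowser-4.5a3-osx64_en-US.dmg.asc \
#       TorBrowser-4.5a3-osx64_en-US.dmg 2>/dev/null | check_status
```

A "Good signature" line alone only says that some key in the keyring signed the file; comparing the primary-key fingerprint is what ties the signature to the key announced here.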

Tor Browser 4.5a3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Its updater now contains the code for verifying signed update files and does not accept unsigned ones anymore. Moreover, this release includes an updated Tor, 0.2.6.2-alpha, an updated meek, 0.15, which is now working again, and a bunch of additional improvements and bugfixes.

Here is the changelog since 4.5-alpha-2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update Tor to 0.2.6.2-alpha
    • Update NoScript to 2.6.9.10
    • Update HTTPS Everywhere to 5.0developement.2
    • Update meek to 0.15
    • Update Torbutton to 1.8.1.3
      • Bug 13998: Handle changes in NoScript 2.6.9.8+
      • Bug 14100: Option to hide NetworkSettings menuitem
      • Bug 13079: Option to skip control port verification
      • Bug 13835: Option to change default Tor Browser homepage
      • Bug 11449: Fix new identity error if NoScript is not enabled
      • Bug 13881: Localize strings for tor circuit display
      • Bug 9387: Incorporate user feedback
      • Bug 13671: Fixup for circuit display if bridges are used
      • Translation updates
    • Update Tor Launcher 0.2.7.1
      • Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
      • Translation updates
    • Bug 13379: Sign our MAR files
    • Bug 13788: Fix broken meek in 4.5-alpha series
    • Bug 13439: No canvas prompt for content callers

Comments

Please note that the comment area below has been archived.

January 19, 2015

Well, meek-azure and meek-amazon are working in China, but obfs4 bridge is down. And a bug: I cannot open torbutton.

January 20, 2015

In reply to gk

It's torbrowser-install-4.5a3_zh-CN.exe. I downloaded it and extracted it, then I clicked "Start Tor Browser". I chose to use meek-azure and it worked normally, Tor Browser was open and I could open sites. But when I clicked torbutton, the button was not working, just no response.

January 20, 2015

If 93298290/D40814E0 is the new signing key, TOR Developers need to post a signed message with the old key confirming this before it can be trusted.

January 21, 2015

Can't download the 4.5a3 tor browser installation in fedora linux. It says "Either there's a network error either that you're being attacked." I downloaded it about seven times, but it continuously gives me an error.

The same happens on debian jessie, using the tor browser launcher package... stating signature verification failed...You might be under attack or there might be just a networking problem...

Verifying the package in ~/.cache/torbrowser/download against the key using gpg works though...

the ingenious launcher doesn't let you choose the previous version which basically means you have to deploy this software without deb package management...

Not willing to do this... way to screw up usability tor-devs... I'm out.

January 21, 2015

All governments in the world define a terrorist as,
A non violent peace activist,
A human rights activist,
An animal rights activist,
A property rights activist,
A climate change activist,
A government whistle blower,
A person who opposes "anti terrorist" laws,
A person who supports privacy,
A person who supports privacy on the internet,
A person who supports freedom of the press,
A person who supports freedom of speech,
A person who supports freedom of religion,
A person who supports human rights,
A person who supports animal rights,
And that is what all governments in the world define a "terrorist" as.
Also every single person who lives here in the United States is a suspect of "terrorism".

do you mean reliable as us gov documents? they rise diabolic agencies at people expenses and persecute anyone who disagree. have you ever heard about Snowden?
btw have you ever seen in spidernet headers like "tor developer officially declares that tor network is mainly used for porno distribution"??? or nobody asks for "reliable links" in spidernet?

place where big spi-ders nest? watch and catch their unaware victims?
place opposite to protected-net, family-net, safe-net...

January 22, 2015

sometimes i'm using Tor on some websites it says: "we Detected you are using Adblock Addon on your browser"

while i didn't install any addons on Tor browser?

of course when i Refresh Page after Few seconds it works True. indeed it seems it happen in some ips.

why does it happen? due to sharing computers? or something goes wrong?

i have the same problem on some sites like:

http://www.receive-sms-online.info

We've detected that you're using AdBlock Plus or some other adblocking software. Please be aware that this is only contributing to the demise of the site. We need money to operate the site, and almost all of that comes from our online advertising. Please disable AdBlock Plus and refresh webpage!

but even when i refresh page for several times it happen nothing

i guess it's about bridges (some bridges)

Most ads display by using Javascript. I guess you activate NoScript, and choose "globally prevent JS loading". Then ads in website cannot load normally, it looks like you are using adblock (or other addons that block ads). And the website treats you as an adblock user.

Because that's one place of many that intelligent people get their news. If you get all your news from sources that think alike then your opinions are not yours.

January 26, 2015

Reminder:

"Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript."

https://github.com/diafygi/webrtc-ips

January 26, 2015

My Mozilla-browser blocks downloading "*.exe" and generates entries in
"SiteSecurityServiceState.txt". seems to be a new........ innovative feature.

Can anyone explain how to switch OFF this f*cking sh*t?
It's irritating and strange.

January 27, 2015

Of course you won't publish this but it answers others concerns as to why TOR is built on Firefox.!!
------------------------------------
http://www.forbes.com/sites/timworstall/2013/01/22/so-why-is-google-fun…

For pretty much all of Mozilla’s money comes from Google. Some $300 million a year at present, a payment for Google being the default search page on any Firefox download. But Google already has an OS in the smartphone space. So, why is Google paying for the development of a competitor to its own product?
----------------------------------------------------
TOR developers are in bed with Mozilla staff, Mozilla is in bed with Google, Google are another arm of the NSA. Likewise Yahoo run by ex NSA staff. Think on!!

First of all, let's be clear: Tor Browser is built on Firefox, but the Tor relay software itself isn't. If you have the technical know-how, nothing is stopping you from using Tor with other browsers. It's not recommended because Tor Browser's patches to the Firefox code help with privacy and anonymity, but it's certainly possible.

Second, what do you suggest other than Firefox? Most commonly I've seen requests for Google Chrome (which is a bad idea for several reasons,) and exotic browsers for Linux that I've never been able to get confirmed even run under Windows (which limits the user base even further.) So, unless we decide to give up and hide under rocks we're going to have to accept the option that has the fewest negatives, and at the moment that seems to be using Firefox.

January 28, 2015

Hey, i've posted to have problems to download *.exe, ALL files NAMED .exe, TBB too. That wasn't a troll posting.
Maybe i should write "i have a serious problem" but that would be too exaggerated. I have alternatives respectively i can cheat around, name .exe to .txt or something else[sic!].
*.exe files get blocked.???WTF
CAN anybody help?
I was using zip version of an mozilla browser on windows7, enough info(-:, and it logs this blocking in
"SiteSecurityServicesState.txt".

NO.Defender(Microsoft) only!
"SiteSecurityServicesState.txt" is in the browser directory.
In "SiteSecurityServicesState.txt" something like "HSTS:0".
It seems DEFINITELY a BROWSER problem. Mis-configuration?

Strange if i am the only affected one.

January 28, 2015

What's it with thepiratebay using that 'Cloudflare' crap. 'thepiratebay' is 'blocked' in totalitarian countries, so there is no avoiding it if you have to 'tunnel' your way out to the free net and free world.

I think the eventual plan is to have it be part of the "configure" choices for the initial bootstrap screen.

I guess another option is to have it be part of that very initial screen, where you can choose to configure or connect. I think it's going to take some iterations before we get the UI part right.

January 31, 2015

obfs4 is now blocked in china. they are so fast.. is it possible to bring it back?

February 02, 2015

Does Tor work on Windows 8.1?
When you go to the Download Tor page, it says,
Tor browser 4.0.3 for Windows 8,7,Vista and XP.

February 05, 2015

Could someone please enumerate what exactly the positions in the security slider are doing at this point, and perhaps where they'll be headed? From https://trac.torproject.org/projects/tor/ticket/9387 Mike Perry explained his initial thoughts...

Position 0: Current TBB defaults (Most usable)
Position 1: Javascript is disabled for all non-https URLS
Position 2: HTML5 media and fonts click-to-play/disabled
Position 3: All scripts and media are disabled (Most secure)

...but it is unclear this is all that's going on. For example, specific object and HTML5 canvas blocking seem to be happening at positions 1-3, even if the user allows the domain in NoScript. This is quite different than the traditional method of forbidding JavaScript globally and then decidedly allowing, say, YouTube -- which is something I imagine many users do. To enable HTML5 video the user must either use Position 0 (sub-optimal) or finesse other positions (risking fingerprinting). I worry this will have negative outcomes in other areas as well.

Yes, this is on my ToDo list. Alas, it won't make it into 4.5a4 due next week but the release after that one should have some explanation on the slider as well. The best we currently have is comment 43 in the ticket you mentioned.

Canvas blocking is a different beast as it can be used to track you with an identifier cross-domain.

February 06, 2015

Hi torproject
give this free for all only when you think it's ok.

In the past i've tested some guard nodes with downloading bigger files.

In a graphical interface i have seen maybe conspicuous behaviour.
At one node reproducible. All few seconds a big Zig Zag, high low KB/s in the graph.
Only with one guard node. I don't know his present behaviour. It was a not spanish provider located in spain.

Reminds me of a comment in the NSA(?) docs that a flat continuous download stream
would be harder to hunt down.

February 06, 2015

Hi, is it javascript, flash or is it Tor that has changed?
this might be a hell of coincident or new updates on made by
many at same time.
however, there has never been any problems with opening videos
from youtube or addons with tor in firefox before.
but since the 4.0.3 release i get a clickjack warning on every
square or video i hit on. so what i need to do IF i am able to see
the name of that add or video is to go to youtube and manually
search for it and THEN open it up. this happen on ALMOST
every site that i try starting a video on.

another thing is that sites i've never had any problems starting up before
now suddenly became a problem. in other firefox, none tor based browser
it will open up, but not with tor. for example, thehackernews never been
an issue before until version 4.0.3 and it just says that The connection was interrupted.

another thing i've also noticed is that on earlier versions of the TBB
is that html5 videos on youtube for example loaded really quickly.
but now it starts and stops every 2-5 second. it's really annoying.

could any of these reasons have occurred because of the raid
on the exit nodes?

i'm really grateful and thankful for all of the work and effort you guys put
into this. best regards

February 07, 2015

Hi guys,
Have you heard the Episode #493 of "Security Now!" from 03 Feb 2015 titled "Tor: Not so Anonymous: After catching up with a few important security events of the week, Leo and I revisit and dissect the anonymity promises of TOR in light of scores of academic papers which have questioned its anonymity guarantees"?

You may read a transcription of the show here: https://www.grc.com/sn/sn-493.htm

I wonder if tor developers can comment on that one.

Haven't watched the episode, but the mention of scores of academic papers questioning its anonymity sure sounds like somebody who doesn't understand how science works.

The scores of academic papers are exactly the *great* thing about Tor. It's the system that all the researchers want to look at, because it's the thing to beat (and because we put so much energy into presenting it to them in a way that makes it easy for them to analyze it).

Tor isn't perfect, but it's better than all the other systems out there. For more on why Tor is so appealing to academics, check out Section 1.2 of this NSF proposal:
https://svn.torproject.org/svn/projects/roadmaps/2009-07-24-measurement…

...Ok, I went and read the transcript in more detail. It sounds like Steve is shocked that Tor doesn't protect against traffic confirmation attacks. You can read more about those here:
https://blog.torproject.org/blog/one-cell-enough

And he trots out the "81%" paper that was (is) so thoroughly misunderstood:
https://blog.torproject.org/blog/traffic-correlation-using-netflows
(This paper didn't actually attack real Tor traffic, and the author himself said that the technique probably wouldn't work as-is against actual Tor traffic.)

But all of that said, many of Steve's underlying points are indeed probably correct. Tor isn't perfect. It's just better than our other options.

February 08, 2015

hi,

a question please :

i am using tor quite regularly.

now i think about sign up to a vpn service.
(don't know which one yet, though, got to check it out a while)

my question :

does it make sense using a VPN - AND tor (parallel)?
or do they disturb one another, maybe not work with one another ?

(f.e. i use a service called premiumize.me for faster downloads at one.click-hosters
(like rapidgator,share-online.biz,uploaded etc.pp.
this service, according to their support, does NOT work with tor (probably because in browsers they use a script or addon, which Tor doesn't allow/suggest).

is it the same problem with VPN (a vpn service)?

thanks

7stone

February 14, 2015

I don't like the new Tor.... It seems to select the country ip for me rather than letting me have an option to chose.

February 21, 2015

Do not use the latest Firefox, it spies on you. Outgoing auto links to Amazon can't be turned off.

February 24, 2015

something's gone wrong in 4.5a3? using gpg suite

gpg --fingerprint 0x416F061063FEE659
pub 2048R/63FEE659 2003-10-16
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
uid [ unknown] Erinn Clark
uid [ unknown] Erinn Clark
uid [ unknown] Erinn Clark
sub 2048R/EB399FD7 2003-10-16

gpg --verify /Users/anon/Downloads/tor/TorBrowser-4.5a3-osx64_en-US.dmg.asc
gpg: Signature made Fri Jan 16 03:09:34 2015 EST using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

gpg --verify /Users/anon/Downloads/tor/TorBrowser-4.5a3-osx64_en-US.dmg.asc /Users/anon/Downloads/tor/sha256sums.txt{.asc}
gpg: Signature made Fri Jan 16 03:09:34 2015 EST using RSA key ID D40814E0
gpg: BAD signature from "Tor Browser Developers (signing key) " [unknown]

March 03, 2015

I've been having an issue with 4.0.3 as well as the newest releases (stable and alpha).
There's nothing wrong with the builds, but I've been dealing with problems on my end after I was having memory (leak?) issues. I tried to see if it could be resolved in about:memory, but I screwed something up.

Whenever I close TBB and try to "start t0r browser" again later, I've been unable to connect to the network and receive an (win64) error message that includes:

Problem Event Name: APPCRASH

Fault Module Name: d2d1.dll

(I took a screen-grab, but was concerned about embedded exif data, so changed my mind about uploading the image)

Everything works as expected on the first run during installation: browser opens, t0r connects to the network etc.; but after closing and running it again, I get the fault event notification Appcrash and have to re-install the t0rbrowser-install-#.exe for it to work (again, only through "run t0rbrowser" prompt during installation).

I thought with 4.0.4 and 4.5a4, it would be resolved, but I'm dealing with the same problem for the new releases.

I don't know if anyone that could help, arma or gk maybe, looks at old release blog comments, but if you could help it would be greatly appreciated.

aside: I'm not sure why my fuckery in about:memory would affect that specific d2d1.dll in the system folder, but I'm an idiot so I donno. If I could swap it for a new one, do you know any reputable place where I could obtain it? I didn't create a system back-up disc or set a restore point because, as I said before, I'm a dumbass.

Thanks in advance