Tor Browser Bundle 3.0alpha3 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:

https://archive.torproject.org/tor-package-archive/torbrowser/3.0a3

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Update Firefox to 17.0.8esr
    • https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...

    • Update Tor to 0.2.4.15-rc
    • Update HTTPS-Everywhere to 3.3.1
    • Update NoScript to 2.6.6.9
    • Improve build input fetching and authentication
    • Bug #9283: Update NoScript prefs for usability.
    • Bug #6152 (partial): Disable JSCtypes support at compile time
    • Update Torbutton to 1.6.1
      • Bug 8478: Change when window resize code fires to avoid rounding errors
      • Bug 9331: Hack a correct download URL for the next TBB release
      • Bug 9144: Change an aboutTor.dtd string so transifex will accept it
    • Update Tor-Launcher to 0.2.1-alpha
      • Bug #9128: Remove dependency on JSCtypes
  • Windows:
    • Bug #9195: Disable download manager AV scanning (to prevent cloud
      reporting+scanning of downloaded files)
  • Mac:
    • Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app
      (improves dock behavior).

As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support (though there are some issues in LXC).
To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha3-release (commit 49db54d147bd0bccc26f1d4f859cf9fe97e5f14c).

These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

XML Parsing Error: unexpected parser state
Location: jar:file:///C:/Tor%20Browser/Tor%20Browser/FirefoxPortable/App/Firefox/omni.ja!/chrome/toolkit/content/global/netError.xhtml
Line Number 311, Column 58:
&netInterrupt.longDesc;

---------------------------------------------------------^

i updated it, then i was going to a lix.in site to see if works and this message appears.
i had my chrome opened as well as tor and this was shown in tor. what the damn is this???????????? never ever saw at least like this. is dangerous??!

are you gonna answer this or is beyond you?

I'm hoping somebody else will pipe up here.

In the mean time, the usual questions: Is this repeatable? What can other people do to repeat it?

i didnt launched tor again after this message was shown in red. i have no idea of what any of that code means, all i wanted to know is if anything looks dangerous. or what does it mean at all.

@arma
I have seen this before, and no it is not repeatable.

This error message appears often, but not always, in conjunction with the "The proxy server is refusing connections" error.

I speculate that the "XML Parsing Error: unexpected parser state" error is caused by a timeout exception that is not caught in upstream Mozilla code. But I repeat: it is undeterministic and therefore not repeatable.

On a side-note: I believe that I have found the root cause to the "The proxy server is refusing connections" error and posted it here:
https://trac.torproject.org/projects/tor/ticket/9413#comment:5

crashes on startup immediately after install. windows 8 (not 8.1) 64bit with all updates. I installed it onto a non-default directory on a secondary hard drive.

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

Hi, I'm new to the Tor Browser. Is Tor updated when I re-download the Tor Bundle and overwrote "Start Tor Browser.exe." The exe file I saved is now dated 8/8/2013 10:44 am.

Best approach is to throw away your old directory and start a-fresh.

The 32-bit bundle tor-browser-linux32-3.0-alpha-3_en-US.tar.xz won't run at all ...

> ./start-tor-browser: line 119: getconf: not found
> ./start-tor-browser: line 120: file: not found
> Wrong architecture? 32-bit vs. 64-bit.

... what's getconf anyway? I haven't got it.

Are you on a 64-bit platform?

(What does 'uname -m' say?)

> Are you on a 64-bit platform?

... yes, I am. It's a Pentium D-820, also known as 'the heater'. But uname identifies it as i686, and I'm not so sure about that. Shouldn't it be x86-64? I was trying out the 32-bit version because my Linux and all the applications are 32 bit.

Am I using the .asc file wrong? Is someone else signing the alpha? What's the mp-asc file for?

$ gpg --verify sha256sums.txt.asc sha256sums.txt
gpg: Signature made Thu 08 Aug 2013 07:41:59 AM PDT using RSA key ID AC3A821D
gpg: Can't check signature: No public key

$ gpg -k
------------------------------
pub 2048R/63FEE659 2003-10-16
uid Erinn Clark
uid Erinn Clark
uid Erinn Clark
sub 2048R/EB399FD7 2003-10-16

pub 4096R/C5AA446D 2010-07-14
uid Sebastian Hahn
sub 2048R/A2499719 2010-07-14
sub 2048R/140C961B 2010-07-14

Sorry for not providing much info, I don't remember having trouble with this before and I don't know what has changed. Did I just forget how to use gpg?

The 3.0alpha packages are signed by Mike Perry (that's the mp-asc file) as well as whoever else manages to reproduce them -- that's one of the main features of the reproducible build design, where several people can build packages independently and produce exactly the same output.

In this case though, Mike screwed up the signature files, putting Georg Koppen's signature in that file that's confusing you.

So then would you be kind enough to tell us how to actually verify the signature?

Thanks.

Yes, so how to verify it?

gpg --verify sha256sums.txt.mp-asc tor-browser-linux32-3.0-alpha-3_en-US.tar.xz
gpg: Signature made Sat 10 Aug 2013 01:02:14 AM HKT using DSA key ID DDC6C0AD
gpg: BAD signature from "Mike Perry "

The .mp-asc and .asc files are signatures on the sha256sums.txt file.

The sha256sums.txt file contains sha256 hashes of every file in the directory.

Run 'sha256sum file' to compute that file's sha256 hash.

Ok, understand now.
sha256sums.txt.mp-asc is for sha256sums.txt.
but what is sha256sums.txt.asc for ?? (how to use it)
thank you.

gpg --verify sha256sums.txt.mp-asc sha256sums.txt
gpg: Signature made Sat 10 Aug 2013 01:02:14 AM HKT using DSA key ID DDC6C0AD
gpg: Good signature from "Mike Perry "
gpg: aka "Mike Perry "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BECD 90ED D1EE 8736 7980 ECF8 1B0C A30C DDC6 C0AD

Works for me on Windows 8. Only issue is NoScript still enabled javascript by default.

Help with https://trac.torproject.org/projects/tor/ticket/9387 !

For me (on Windows 7), on running Start Tor Browser.exe, the Tor Network Settings box appears, but it is empty.

It doesn't go into a "Not Responding" state, I can move it, resize it etc, but it's completely empty and nothing happens after this point.

I've filed a ticket here:
https://trac.torproject.org/projects/tor/ticket/9438

Please go there and help us make sure we resolve it. (I don't think we have enough info as-is to fix it.)

Thanks!

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

excuse me but i'm kinda new with tor...
i've dnled the latest tor and also the 3alpha, but what exactly do i do with the files in the 3alpha folder?
i'm using win. thanks for your time and cheers to all that are involved in this project

You might like
https://www.torproject.org/projects/torbrowser.html.en

You might also prefer to stick to the non-alpha TBB for your first try. Depending I guess on what works for you.

Thanks for the answer first of all!!

could you tell me the differences between these 2?
I mean if it's best for me to run the alpha, I'll do. although I tried the alpha yesterday and there were some glitches in the graphics when any popup menu was clicked, but I think this has to do with my pc.

Btw I use it in my android too (orbot/orweb) and they are excellent!!

1.6.1? I updated my TOR Browser Bundle and it is still on 1.6.0? What is the deal?

I don't know -- mine says 1.6.1. Details?

Tor Network Settings window comes up blank, then nothing more. Win7 64, installed in Desktop, logged in as an admin.

Looks like the same issue as https://blog.torproject.org/blog/tor-browser-bundle-30alpha3-released#comment-33380 ?

Yes, this is the SAME exact problem I told mike about for the alpha1 and apha2. I even wrote it about on Tor-talk on the blog.

The problem is BOTH of these lines have to be added to prefs.js, and Mike is choosing to only add the first, even after I told him 3 times BOTH have to be added.

Maybe Mike's distance for Windows is the reason for this carelessness?

Man, too often are the releases screwed up in some way . . . :(

If only the first is added the the blank box that these people are complaining about happens, i.e. "Tor Network Settings" is blank and the program seems to have frozen. This happens by only trying to set the "XP compatibility mode."

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

https://lists.torproject.org/pipermail/tor-talk/2013-June/028564.html

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

To everyone having trouble running the alpha on Windows 7 and 8, add these lines ot the file "prefs.js" when TorBrowser is not running.

https://lists.torproject.org/pipermail/tor-talk/2013-June/028564.html (don't use 'XP compatibility mode')

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

https://lists.torproject.org/pipermail/tor-talk/2013-June/028542.html
https://lists.torproject.org/pipermail/tor-talk/2013-June/028564.html
https://lists.torproject.org/pipermail/tor-talk/2013-June/028565.html

Can we PLEASE have a NEWNYM function in the alpha TorButton now that Vadalia GUI is gone? The "New Identity" feature in TorButton is not the same thing as NEWNYM, they do not serve the same function, not at all.

I've asked a few times and no one has responded :( I even asked Mike *directly* on Tor-talk . . .

Many times a user doesn't want to clear all their tabs and re-launch, they just want a new exit node.

Please, please, please, add the damn NEWNYM function.

Hm. Is this because the website you're trying to reach is trying to block Tor, and you're trying to find an exit relay that isn't blocked yet? Or some other issue?

I think a lot of the reasons people click newnym are somewhat harmful to the Tor network (more circuits made), so I'm torn.

Hi arma,

Thanks for your response :) And I'm very sorry for being a bit rude, it's been a long day and I'm kind of grumpy by nature. You guys are amazing for not being rude back, you're a better man than I.

The reason I like having newnym is:

a.) Try to find faster circuit, which may be "somewhat harmful to the Tor network" even though you guys added the forced delay (grayed out button) for N seconds after it was used.

b.) To prevent cross site traffic, e.g. I clear cookies and cache, then use NEWNYM when on site A, before I open a new tab to visit site B. I'm not sure if this is less 'safe' then clearing all tabs and re-lunching, but it sure is a lot better in terms of usage (being forced to close all tabs really sucks). I really dislike having to close all tabs when I want a new IP address, I often surf multiple sites concurrently, so the New Identity feature in TorButton is not an option for me.

I guess the best option here would be if Mike was able to figure out finer-grained cookie control (IIRC, that he wrote about before), e.g. per tab. Then there would be less of a need to re-launch TorBrowser when someone clicks "New Identity."

As always I defer to TPO's much greater knowledge than my own.

I really dislike having to close all tabs when I want a new IP address, I often surf multiple sites concurrently, so the New Identity feature in TorButton is not an option for me.

Then NEWNYM was providing you with a false sense of security: any cookies that had been set by a website would make it possible to link between the old and the new IP address. The Tor Browser does not close all the tabs just to annoy you, but because resetting the internal browser state is the only way to provide unlikable visits to the same site (or ad networks for that matter).

I understand this, and if you read the message, you would see I clear cookies and cache, the same thing TorBrower does by re-launching. That said, I'm aware this may not be as 'safe' as re-launching.

Regardless of WHY TorBrowser does the re-launch, it's very annoying and I won't use it.

I guess I'll just have to write a Windows script for NEWNYM to be used with TorBrowser alpha3.x and post it on Tor-talk list?

+1 Agree with this comment.

It's too bad to not have that option

Feature request ticket:

"Add NEWNYM function to TorButton for TBB alpha 3.x"
https://trac.torproject.org/projects/tor/ticket/9442

How can I observe / control the circuit and the exit-IP I am using without vidalia?

Arm?
https://www.torproject.org/projects/arm.html.en

If you're on Windows you may be SOL unless you use command line script, that's what I used in the bad ol' days (j/k) when all there was was the Tor binary (hello, Privoxy, are you there?)

I'm updating my old vbs script to issue NEWNYM command. I'll write a Tor-talk e-mail when it's done. So, if you're on Windows you can now, again, use NEWNYM.

However, the problem with my method is there is no forced delay before issuing it again, so, people can hurt the network if lots of people use this over and over again. Which is why Tor should really put the feature into TorBrowerButton.

See here: https://lists.torproject.org/pipermail/tor-talk/2006-August/001738.html

I cant log onto certain websites using TOR since update?
This started yesterday not sure why it says
"can not connect to servers at 'the-website im-trying-to-go-to.onion.to'

How can I change the exit node without closing all my tabs? I used to do it from Vidalia.

Search these comments for the comment thread about 'newnym'. (Not that it will give you an answer, but it's the same question.)

For info regarding what arma is referring to, see this thread from Tor-talk.

NEWNYM doesn't what it seems like it should do, as a rule, which is odd. Sadly, it seems the TorButton 'buckets' idea went nowhere. There really should be a command to kill all circuits and *force* a new exit node when the command is issued.

"Stricter NEWNYM?"
https://lists.torproject.org/pipermail/tor-talk/2011-March/019725.html

P.S. Arma: it would be great if you guys would ask for comments before making major changes that are going to confuse and annoy a lot of people. Sure, there's trac and bug/feature requsts, but that's not easy to follow. Big changes should come *after* a Tor-talk e-mail and blog post asking for input, in my opinion.

Yeah well the question is does it STILL enable javascript by default?

Might as well enable JAVA+Javascript by default and open every backdoor available, since the torproject team only cares about "making life easier".

Just a note, don't install the 3.0 alpha 3 over a previous bundle and expect it to work correctly. Install it to a totally new directory, import any bookmarks you might have, configure as needed, and then go.

Correct. Overwriting onto an old TBB directory will sometimes give you mysterious and confusing behavior.

Can someone *please* write a blog post defining the steps to update TBB? There is *a lot* of confusion and disagreement on method [0].

Mike has written many times over the years that he suggests simply overwriting, and it was only one time (a big update a while ago) that he suggested otherwise. However, he now seems to be suggesting people delete their old TBB dir and start fresh with the new TBB.

There needs to be a straight forward answer. And, what about bookmarks?

Even Tor people don't agree on how best to update TBB [1,2,3].

Please, have someone (Mike, ideally) write a blog post about updating TBB. I mean, it's only the most important thing a user can do . . .

[0] "Recommended method for updating an existing TBB"
https://lists.torproject.org/pipermail/tor-talk/2013-June/028674.html

[1] Andrew: https://lists.torproject.org/pipermail/tor-talk/2013-June/028675.html

[2] Mike: https://lists.torproject.org/pipermail/tor-talk/2011-November/022263.html

[3] Mike: https://lists.torproject.org/pipermail/tor-talk/2011-October/021772.html

Alpha 3.x is using the flashproxy?

No. Use the Pluggable Transport Browser Bundle if you want Flashproxy and Obfsproxy.

polish version of latest torbuton is english version!

This looks reallyreally bad.

Will it be possible to install Vidalia and let it control the tor-settings in TorBrowserBundle3?

Otherwise this update to TBB3 will be a big bad step backwards.... with this version I have no control which circuit I am using, I can't chosse a new identity, I can't modify the torrc-file...

Re: Vidalia
I agree with the 3 who have commented. A lot of people want to know through which nodes their traffic is passing and to be able to control it. For me, without Vidalia, Tor is unusable.
Pls reconsider Vidalia, or give explicit instructions (for non-technical people like me) on how to link Vidalia up with TBB3.

Thanks

Hi,

I installed 'tor-browser-linux64-3.0-alpha-3_en-US.tar.xz' to upgrade from previous release TBB-3.0-alpha-2.

After extraction when I ./start-tor-browser, it works and opens the torproject.org's congratulations page.

Then I copied my 'Data/profile' from previous version to the new Data/profile folder to restore last opened tabs and other settings.

Now TBB-3.0-alpha-3 fails to start the socks proxy at 127.0.0.1:9150,9151, and thus fails to connect to the internet.

The error I see is - The proxy server is refusing connections.

Is there a way to fix it?

Oh gawd!

Why is Edit -> Preferences -> General -> Show my windows and tabs from last time
option disabled?

How does one enable it and restore tabs from previous session?

*********************************************************
Launching Tor Browser Bundle for Linux in /home/sistem/src/tor-browser_es-ES
XPCOMGlueLoad error for file /home/sistem/src/tor-browser_es-ES/App/Firefox/libxpcom.so:
libxul.so: cannot open shared object file: No such file or directory
Couldn't load XPCOM.
Tor Browser exited abnormally. Exit code: 255
*********************************************************

O_O ???

I usually disable JS in noscript but out of curiosity I ran a test on ipcheck.info with JS on.
Even though I forbid all embeddings in noscript the results look really bad.
Tab name and local storage provide unique IDs which is not the case if I use the latest JondoBrowser with JS enabled.
No idea how relevant these leaks are but you might want to look into this.

Sorry if this is a newb question, but will it be possible to use multiple Firefox profiles in TBB 3, and what would be the recommended way to do so? Without Vidalia's config files I don't see an easy way to launch the Firefox Profile Manager.

I note the official releases of TBB have some significant security improvements to them. Will there be an update to 3 alpha soon covering these if applicable?

Soon, yes. Mike keeps finding and fixing new bugs.

I keep running into the same problem. I downloaded the tor-browser-2.3.25-13_en-US.
I run the vidalia.exe. It opens and runs until it connect to Tor. However, it closes a few
seconds after. Firefox does not open up at all. I checked my system crash reports and
found that there is a folder for every time I tried without success. But there is no report
inside the folders. I am running Windows 8, AMD processor. Any help will be greatly
appreciated.

You're posting a complaint about 2.3.25 on a blog post about 3.0alpha3.

You might try the latest 3.0 alpha tbb and see if you like that more.

Syndicate content Syndicate content