Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy

Still no freebsd support - useless

Still no Openbsd support - useless

Still no source tarball - useless.

It's not built from a source tarball. See
https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details

and then see the "Where is the source code for the bundle?" line in the FAQ linked above.

Well, linux binary should work fine with new enough glibc and glib/gtk. Here's a port against CentOS 6 libs. One important difference with stock TBB is it stores mutable Data (firefox profile, tor cache/settings) under /tmp by default while everything else is installed under read-only directory. The data is, of course, removed upon port deinstall.

https://trillian.chruetertee.ch/freebsd-gecko/browser/trunk/www/linux-tor-browser

You should be more concerned at why Mike Perry (we all know who he works for and runs 16 TOR exit nodes for) has taken away the ability to see who you are connected to. Don't forget that UK GCHQ run their own private TOR network that sucks in traffic to analyse it.
(Newtons Cradle it is known as). Take away the ability to see what a person is connected to, switch on JAVA and SCRIPTS by default and you fall straight in to the hands of GCHQ and NSA.
No doubt they have some new exploits and needed the help of Mike Perry again. He helped them last time when Freedom Hosting was attacked. He made sure NSA could infect people by not enabling ScriptBlock and by switching JAVA on ready. Most users trusted the TOR project.
I suspect that the TOR Project are now assisting the NSA and GCHQ. They have been forced to - otherwise TOR traffic will be stopped. It is a great shame they are not honest with their users who fund them (apart from NSA sponsorship).

I guess there will always be people with conspiracy theories trying to rip the privacy community apart.

And the sad part is that there *are* conspiracies out there, and we all need help fighting them and providing tools to let people stay safe despite the massive government (and heck, corporate too) surveillance.

(To briefly respond: Mike doesn't run 16 exits, see https://www.torproject.org/docs/faq#TBBJavaScriptEnabled which I wrote (not Mike), and see the FAQ entries linked above for how to hook up a standalone Vidalia to your TBB 3.5 if you want to see your circuits, and for how to disable JavaScript in TBB 3.5.)

Well... yes, as long as there are MASSIVE numbers of docs like Snowden released, there will be "theorists." If it's actually happened / still happening, is it still just a "theory?"

The other thing that gives a great # of "experts" pause, is Tor Project's LONG standing relationship w/ U.S. armed forces. Taking large sums from them. Sure, many say, "But it's open source & anyone, anywhere can examine it."

That's absolutely true. It's also true (for human nature), that the adages are true, "Perception is reality," & "You're judged by the company you keep." People running for public office don't pal around w/ known crime bosses.

From "thinking" private users' perspective of anonymity & security , it has & always will be a stupid, stupid idea to take large sums from "one of the enemy." It MAY be that funding from other sources is hard to find, but it's still STUPID.

No one can really expect NOT to raise suspicion when organizations take large sums from (one of) the very groups that it's trying to help users avoid.

It's also true that every time we find out some new gov't (or private) agency's previously unimaginable capability, we're surprised! Why? Are we really that short on memory? I guess so.

I totally agree with you about the perception thing, and that's why we need to be extra sure to be transparent and communicate well. Also, I'd love to get some more funding so we can make our government funding sources a smaller fraction of our budget. Along those lines, also see my statements in our 30c3 talk today (video coming soon if it's not out already):
http://events.ccc.de/congress/2013/Fahrplan/events/5423.html

But let me draw a distinction between your quite reasonable (and reasonably presented) concern, and the ad hominem rant of the earlier post.

oh noes, "snowden" is part of the conspiracy.
"MASSIVE numbers of docs"

oh noes, Anonymous is part of the conspiracy.

oh noes, "I" am part of the conspiracy.

Block javascript off by default and turn "Temporarily allow" on by default and we can talk.

I don't know what you guys are thinking, but nobody who uses Tor wants to load Google analytics javascript by default, or all the other billion javascripts by default for that matter, this should be a no brainer.

Dude, exactly why do you believe the Tor staff is above reproach? Why do you have this savior mentality regarding the Tor staff?

You think they can't be bought? You think government isn't interested in buying them? You can see what government has been doing.

Do you honestly believe that they have not already tried to find ways of cracking the anonymity of such a wide-spread and popular anonymous network of internet users?

My point is, you sitting here bashing people as conspiracy nuts for simply stating their concerns and opinions regarding the integrity of an anonymous internet network makes you sound like you have a stake in people simply dismissing him as a conspiracy nut.

You have a reason to say what you say, then state it. You continue to resort to bashing those you don't want people to agree with, and you become the person suspected of lying. Well, I suppose to anyone who's liberal, the bashing thing works rather well, but still, anyone serious about anonymity, you need to give the respect they deserve and don't be bashing people. You need to give reason to refute their claims, not simply call them a conspiracy nut. It's easy to label someone, and rather childish in the face of something as serious as government's overreaching eyes. Give reason or just shut your mouth because you obviously have nothing real to say.

How can we verify *you* are not bought. At some point paranoia must take a break, and we must trust someone. Otherwise we're forever trapped in full-time paranoia.

Tor is trustworthy because it's Free Software - where many people look carefully at how it works. I trust this web-of-trust.

You can always read the logs manually. I know it sucks; hopefully they will fix the issues, as the previous versions were much more sane by default.

thank you for the warning, what can we do? How can we avoid those nodes?

I used to defend the Tor project but frankly this release is a bit questionable. They offer the ARM package and even support it on the home page, but to actually run it with TBB is "unsupported" by the project. Once again taking JS lightly, etc etc. I think I'll donate bandwidth to Hyperboria instead :(

If somebody wrote up instructions for hooking up arm to TBB, then people could do it. I bet it would be pretty easy -- the main issue would probably be changing the controlport, and making sure that arm knows how to do cookie authentication for the controlport.

Maybe the small changes would be made even easier by making a 'standalone arm' bundle or something like the standalone Vidalia bundle? Or maybe people who want to use arm are willing to edit text files? I'm not sure.
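The control-port cookie authentication that a controller such as arm has to perform, as an added example (not code from this thread or from the Tor Project). It covers both the plain COOKIE method and the SAFECOOKIE challenge-response; the cookie path, cookie bytes, nonces and the simulated Tor reply are constructed so that it runs offline.

```python
"""Tor control-port cookie authentication: COOKIE and SAFECOOKIE (added example)."""
import hashlib
import hmac
import re

# HMAC keys fixed by the Tor control protocol for SAFECOOKIE.
SERVER_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_KEY = b"Tor safe cookie authentication controller-to-server hash"
COOKIE_LEN = 32  # a control_auth_cookie file holds exactly 32 random bytes

# Constructed PROTOCOLINFO reply; the cookie path is made up for this example.
SAMPLE_PROTOCOLINFO = (
    "250-PROTOCOLINFO 1\r\n"
    "250-AUTH METHODS=COOKIE,SAFECOOKIE "
    'COOKIEFILE="C:\\\\TBB\\\\Data\\\\Tor\\\\control_auth_cookie"\r\n'
    '250-VERSION Tor="0.2.4.19"\r\n'
    "250 OK\r\n"
)


def parse_protocolinfo(reply):
    """Extract the offered auth methods and the cookie path from the reply."""
    info = {"methods": [], "cookiefile": None}
    for line in reply.splitlines():
        if not line.startswith("250-AUTH "):
            continue
        m = re.search(r"METHODS=([A-Z,]+)", line)
        if m:
            info["methods"] = m.group(1).split(",")
        m = re.search(r'COOKIEFILE="((?:[^"\\]|\\.)*)"', line)
        if m:
            # The path is a quoted string: undo the backslash escapes.
            info["cookiefile"] = re.sub(r"\\(.)", r"\1", m.group(1))
    return info


def cookie_command(cookie):
    """COOKIE method: the cookie itself is sent, hex-encoded."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError("control cookie must be %d bytes" % COOKIE_LEN)
    return "AUTHENTICATE " + cookie.hex() + "\r\n"


def mac(key, cookie, client_nonce, server_nonce):
    """HMAC-SHA256 over cookie | client nonce | server nonce."""
    msg = cookie + client_nonce + server_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def authchallenge_command(client_nonce):
    """First SAFECOOKIE step: send our nonce, Tor answers with its proof."""
    return "AUTHCHALLENGE SAFECOOKIE " + client_nonce.hex() + "\r\n"


def safecookie_command(cookie, client_nonce, challenge_reply):
    """Verify Tor's proof that it knows the cookie, then build our own proof.

    The cookie never crosses the socket, so a process that merely listens on
    the control port cannot harvest it the way it could with plain COOKIE.
    """
    if len(cookie) != COOKIE_LEN:
        raise ValueError("control cookie must be %d bytes" % COOKIE_LEN)
    m = re.match(
        r"250 AUTHCHALLENGE SERVERHASH=([0-9A-Fa-f]{64}) "
        r"SERVERNONCE=([0-9A-Fa-f]{64})",
        challenge_reply,
    )
    if not m:
        raise ValueError("malformed AUTHCHALLENGE reply")
    server_hash = bytes.fromhex(m.group(1))
    server_nonce = bytes.fromhex(m.group(2))
    expected = mac(SERVER_KEY, cookie, client_nonce, server_nonce)
    if not hmac.compare_digest(expected, server_hash):
        raise PermissionError("peer on the control port does not know the cookie")
    proof = mac(CLIENT_KEY, cookie, client_nonce, server_nonce)
    return "AUTHENTICATE " + proof.hex() + "\r\n"


def simulated_tor_reply(cookie, client_nonce, server_nonce):
    """Stand-in for Tor's side of AUTHCHALLENGE so the example runs offline."""
    server_hash = mac(SERVER_KEY, cookie, client_nonce, server_nonce)
    return "250 AUTHCHALLENGE SERVERHASH=%s SERVERNONCE=%s\r\n" % (
        server_hash.hex().upper(), server_nonce.hex().upper())


def demo():
    """Pick the strongest offered method and return the AUTHENTICATE line."""
    info = parse_protocolinfo(SAMPLE_PROTOCOLINFO)
    cookie = bytes(range(32))      # constructed; normally read from cookiefile
    client_nonce = b"\x11" * 32    # constructed; normally os.urandom(32)
    server_nonce = b"\x22" * 32    # constructed; chosen by Tor in practice
    if "SAFECOOKIE" in info["methods"]:
        reply = simulated_tor_reply(cookie, client_nonce, server_nonce)
        return safecookie_command(cookie, client_nonce, reply)
    return cookie_command(cookie)


if __name__ == "__main__":
    print(demo().strip())
```

Against a running TBB the same lines would be sent over a TCP connection to the control port (9151, per the `arm -i 9151` edit further down this thread), with the cookie read from the path that PROTOCOLINFO reports.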

Shouldn't we be more concerned that he creates the Tor Browser? Also he is responsible for the path bias. And shouldn't we blame the developers of Firefox that created the security hole in the first place. They probably got paid by Google and they got paid by the NSA (National Security[?] Agency) or the NASA (North American Spy Agency).

Please let us hear even more entertaining conspiracy theories. (Well, you better don't)

I was unaware that the Tor Browser ships with Java and that Java would also be enabled, but you might have an answer on how that can happen.

Beside that you still can add Vidalia back to the Tor Browser, even though Vidalia is a bit buggy.

Instead of ranting, improve the Tor settings.
Go to www.ip-check.info, check your settings and see your exit relay. After changing a few settings I get two orange markings that are "http session" and "window size" the rest is green - as private as it gets with Tor.
If you know a different or better website to check, please add it.

Is ip-check.info still not SSL/TLS (HTTPS)?

Exit nodes can mess with any non-authenticated page.

Of course "IP check" could be also written by the NSA to pretend that you are looking very anon....

If you want vidalia back check this page:
https://sourceforge.net/projects/protorbundle

Well, I guess you could do that, but using "honest bob's tor bundles" probably isn't wise.

Better answer is to do what it says in the FAQ:
https://www.torproject.org/docs/faq#WhereDidVidaliaGo

Yes, FreeBSD should be supported. I run it on a notebook after it was found that Linux has its random number generator backdoored (fixed in kernel 3.13). NSA is more productive than I ever expected.

We'd love to have some FreeBSD enthusiasts making sure TBB works and continues working on FreeBSD.

"Linux has its random number generator backdoored"

Citation needed.

I bet it will run on KfreeBSD, with experimental in your sources list, with apt-get build-dep tor, then apt-get -b source tor, then dpkg -i *.deb

Anyone can make PageInfo-Security GUI window in Torbrowser/Firefox more informative? Exact used crypto algorithm. Like in Seamonkey -Mozilla, too.
Firefox/torbrowser GUI is going more and more the Microsoft 'don't use your brain' Mickey Mouse way.
Mozilla Company seems to have too much money...

After update massive arrow still points to there is update. confusing

Hopefully should be resolved now?

I imagine you upgraded quicker than the https://check.torproject.org/RecommendedTBBVersions file expected.

I am having a hard time figuring out how to dictate what exit nodes to use in this new version (the mac one specifically). Vidalia had previously been helpful in not only locating the server names for specific countries and the supposed strength of the signals, but also in implementing those strict exit nodes. Will there be directions available soon to solve this issue?

Going through the comments on this and other blog entries, I'm noticing a lack of answers to questions the above type of problem. Under the FAQ for 3.5, it states that one can access the torrc file via: "the TBB directory under Data/Tor/Torrc". Unfortunately (unless these are hidden files), such a path cannot be found for the MacOS version, which I would've thought to have been: MacintoshHD/Library/ApplicationSupport under which one would find a directory for TBB.

Should I assume the lack of an application support folder is due to the absence of a standard installation process? This seems to be supported by the fact that the only searchable trace of TBB is the unzipped application. This then still makes the editable torrc file essentially non existent on a MacOS.

Even if the torrc file can indeed be accessed, the navigation of the new online replacement for Vidalia's "View the Network", Atlas, is not quite helpful either. Will there be a function to search by country code and not just name of specific servers? The problem seems to be when one needs to exit through a specific country: if your current exit nodes don't correspond to the correct country, or the ones you have accessed are down or working at minimum efficiency, there is no clear way to research new nodes with the right specifications.

Will someone from TorProject please lend some insight to the issue?

You are right that helping people select their exit country isn't high on our (already overly long) priority list. Maybe you want to help make it easier or make some better documentation for folks who want it? Thanks!

Please can we not litter OS X with billions of trace files all over the system. Please keep ALL TBB contained to /Applications/TorBrowser_en-US/. Lets not go back to the old days of data all over the place in /var /private /etc and so on.

OS X already came out the worst in a study of any system in leaving traces of Tor:

Can we keep torrc files within the bundle:

/Applications/TorBrowser_en-US/

Please open tickets with issues, and ideally submit patches too?

yes. support the use of arm with TBB. done.

Sounds great. Make it happen! This is a community with plenty of room for more people to make things happen. If you're thinking of this as "those Tor people who make and support Tor" and "us users who just use it", you're looking at it wrong.

See https://blog.torproject.org/blog/tor-browser-bundle-35-released#comment-42406 for more thoughts.

[Edit: arm -i 9151 will do it]

Last I checked, tinkering with exit node selection was explicitly warned against.

I can't seem to find the 64-bit versions for OSX and Windows... but neither were they in the set of files for rc1. I can understand if building them takes time, and they might show up later. Or is the policy to not make them anymore (though I could not find anything indicating that - what did I miss)? If so, what is recommended for users of 64-bit systems? Stick with 2.4, or run the 32bit version 3?

You should run the 32-bit version of 3.5 for now. I've been doing some work on 64-bit Windows, and I am confident we will begin doing 64-bit OSX bundles again, but I can't give you a timeframe.

OK, cool! That is great news. Thanks for all the good work you guys are doing!! It is important in you don't know how many ways.

Is a 64-bit version for Mac in the works?

(Yes, see thread directly above)

Hi could you guys make the rc tbb downloads easier to find? thanks

TBB 3.5 is now the default download, so it should be much easier to find now. Let us know if we missed any places!

I'm frustrated about what's happened to Vidalia. I find it useful and informative and I certainly don't want to be without it. Tor Launcher refused to let me start Firefox at all until I let it connect to Tor, which I didn't want to do because (1) I wanted to examine it more before letting it connect, and (2) I use Tor separately of Firefox and didn't need Tor Launcher trying to start a second copy. So I deleted Tor Launcher from Firefox and downloaded Vidalia and found the standalone Vidalia bundle is missing libgcc_s_dw2-1.dll and mingwm10.dll, so it doesn't run at all. I had to get those DLLs from an older TBB. It does work fine now though.

In terms of startup times, the only reason Vidalia is slow is because in the GUI it redraws the list of nodes for every node it adds to it (O(n²) complexity!). If it added all the nodes and then redrew it once it would start more quickly and wouldn't periodically stall single-CPU systems every time it decides to refresh the list in the background.

Don't get me wrong: I'm really ever so grateful for Tor, but some things could use improvement.

I'm so sorry about the missing libraries -- I've uploaded fixed bundles.

I'm having the same problem with Mac 3.5: NO Vidalia support!
WTF is going on? No mention of it anywhere!
Not upgrading until I get Vidalia support!

Someone should tell Tomás Touceda about the redraw issue.

Well, you could, but he was really just a friendly fellow helping out while Vidalia was unmaintained.

You could as well say that somebody should tell Matt Edman (the original Vidalia author) about it. Alas, he too has long since decided that maintaining a Qt app was no fun. Vidalia has been unmaintained for years now.

Perhaps you (yes, you) want to pick it up? :)

Glad you got it working.

Re startup times, the other big change in TBB 3.5 is that the homepage is a local file (about:tor), so 1) it comes up immediately, and 2) loading the homepage isn't racing the rest of your directory bootstrap info to use the network at the same time (making Tor seem even slower than it will be once the bootstrapping is finished).

We can do this change because Tor launcher does its own version check in the background, so we no longer need to send users to an external website (which is a bad idea for other reasons).

I installed V3.5 a few days ago, and it worked fine until today. Beginning today it brings up the start page, then tells me, "Firefox is configured to use a proxy server that is refusing connections." Without Vidalia we have no tools at all to evaluate something like this.

For the record, I turned off Windows firewall and checked to make sure the Tor Browser was still configured to use the socks 5 proxy on port 9150. It is. I shut down Tor Browser and started up a regular copy of Firefox and everything was working fine.

I can't say that having Vidalia would have allowed me to easily find and fix the problem, but I would have had some idea of what had been going on during the bootup, and I would have had to log to refer to. Was the Tor network down Saturday evening?

Something else I noticed is that a misspelled URL will launch TB off to a search engine. I haven't found a way to disable this behavior.

And yet another question is why the new TBB comes configured to automatically check for search engine updates. It also places a search engine textbox next to the URL bar. I would think that it would be better to disable address line searches. I know that at least google says they don't use those for tracking people, but they certainly could if they wanted to. I always customize those away.

Thanks for an overall great product!

Jerry

"a misspelled URL will launch TB off to a search engine."

My guess is that this was the behavior of a DNS provider, such as OpenDNS, that your node at the time happened to be using.

The other (and decidedly more sinister) possibility I can think of is that you were the victim of a MITM attack.

"And yet another question is why the new TBB comes configured to automatically check for search engine updates."

Funny, mine doesn't.

Give us a bundle with Vidalia back, or a tutorial about how to bring it back...
Right now what I had to do is to download both 2.x and this 3.5 and just merge the
newer TorBrowser to the old package

The TBB 3.5 FAQ, linked above, tells you how to fetch a standalone Vidalia and run it with your TBB 3.5.

(Unless you're on OS X, in which case, either sit tight and be patient, or help us make it work.)

"The TBB 3.5 FAQ, linked above, tells you how to fetch a standalone Vidalia and run it with your TBB 3.5."

The FAQ linked above says nothing about how to get TBB 3.5 _working_ with Vidalia.

For Windows, if you follow the instructions and run "Start Vidalia.exe", then Vidalia will not connect since it can find tor. So, after adding the path to tor in the settings, Vidalia starts tor and sets up a connection. But Firefox from TBB 3.5 refuses to use that connection. So, what do I do next?

(Nor does the FAQ mention that you need to disable the new Tor Firefox Add-on to be able to start the TBB 3.5 bundle when running Vidalia.)

Yeah, don't do it that way. Let TBB start, and then after that run Vidalia. Your Vidalia should try to connect to Tor's control port, realize that it needs to authenticate, and do so.

At least, that's how it works on Linux. Hopefully it does the same on Windows.

thanks, but sadly that doesn't work.
Sooner or later there is a solution.
thanks again.

Seems to work for most of the other folks here. Perhaps some Windows user has some tips on what this person might be doing wrong?

How can we ensure if the TBB is really connected to 3 nodes? Sometimes the previous bundles used to connect to one node and I had to change the identity by closing the circuit to ensure that 3 nodes are really working.

A) You're welcome to hook up a Vidalia to your TBB 3.5. See the FAQ linked above for directions.

B) You are confused about how Tor works. Tor does indeed create one-hop circuits sometimes, to do directory fetches in a way that they benefit from encryption. But your Tor does not use those one-hop circuits for attaching actual streams. In short, this sounds like another case where if you'd left it alone it would have been safer.

Thank you for putting together a stand-alone Vidalia. Sure, it means that I have to run TBB 3.5 and then run the Start Vidalia thing as well, but that is not a major annoyance.

It will even allow me to 'refresh my identity' using Vidalia, which was the biggest annoyance with TBB 3.5, the fact that getting a new identity closed the browser totally and then reopened it.

Great!

In the future hopefully we'll have some of the more key features of Vidalia built in to Tor launcher, such as triggering a newnym without closing all tabs, and being able to see what relays are in your circuits.

One way to save having to start Vidalia up is to 'fix' the 'New Identity' button in TorButton to work the way people who actually use it think it should work. Pretty simple.

  • Go to the 'Data\Browser\profile.default\extensions' directory.
  • Rename 'torbutton@torproject.org.xpi' to 'torbutton@torproject.org.zip'.
  • Unzip this file in the extensions directory. Using the file name as the directory name might be necessary for this to work. Your zip program will probably do this automatically.
  • Go to the 'torbutton@torproject.org\chrome\content' directory.
  • Open the 'torbutton.js' file, and search for 'function torbutton_do_new_identity()'. A '{' follows this text. Add the text '/*' after the '{'.
  • Search for 'torbutton_log(3, "New Identity: Sending NEWNYM");'. Add the text '*/' just prior to this text.
  • Search for 'torbutton_log(3, "Ending any remaining private browsing sessions.");'. Add the text '/*' just prior to this text.
  • A little bit further on in the file there will be the text '// Close the current window for added safety' then 'window.close();' Add the text '*/' just after 'window.close();'.
  • Save the file and launch the TBB. You're done.

Suggest using Notepad++ rather than Windows Notepad for this, as it makes it a lot easier to see what you're doing.. but even without using Notepad++ it's just a couple minutes work all up.

Bring the old format back as I want to ensure that all nodes are working properly.

Thanks.

See the first question in the TBB 3.5 FAQ linked above.

Is there any way to check bandwidth used, as there was on Vidalia? It was useful and pleasant to check how much I sent and how much I received.

See the first question in the TBB 3.5 FAQ linked above.

Now that Vidalia is gone, is there any graphical way to configure relaying? I saw the TorLauncher in add-ons but it has no "Preferences".

You've got three options.

First, if you're on Linux, you can install the system Tor package (e.g. apt-get install tor) and then set it up to be a relay. You can then use TBB independent of that.

Second, if you're on Windows, you can fetch the separate "Vidalia relay bundle" from the download page and then use that (again you can use TBB independent of it).

Third, you can either hook your Vidalia up to TBB (as described in the FAQ above) or edit your torrc file directly. This option is pretty klunky right now, e.g.
https://trac.torproject.org/projects/tor/ticket/10449
but I'm hoping it will become an easy option in the future.

Thanks!

QUOTE:

"First, if you're on Linux, you can install the system Tor package (e.g. apt-get install tor) and then set it up to be a relay. You can then use TBB independent of that."

Pretty please with a cherry on top provide a 'step by step' tutorial for that for us newb Linux converts :)

https://www.torproject.org/docs/tor-relay-debian (works on Ubuntu too)

If you have further questions, I suggest either asking on irc ( https://www.torproject.org/about/contact#irc ) or asking for specific help on the tor-relays list ( https://www.torproject.org/docs/documentation#MailingLists ).

Thanks for wanting to run a relay!

Actually, the better answer is probably to point you at the FAQ:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIconfigureTorasarelayorbridge

I want to start only TorBrowser, without Tor. I already have Tor running on my machine. How do I do that?

https://trac.torproject.org/projects/tor/ticket/6009#comment:14

extensions.torlauncher.start_tor=false in about:config

thank you tor devs.

Advice to those launching the Start Tor Browser.exe of TBB 3.5 FINAL for the first time.

You will have to wait at least 10 minutes for the loading of the relay circuits, something that never happened with TBB 2.x series.

At first I thought TBB 3.5 FINAL was still buggy and was about to revert to using TBB tor-browser-2.3.25-15_en-US.exe when after about 10 minutes, the former launched successfully.

Now whenever I launched TBB 3.5 FINAL, it starts up way faster than tor-browser-2.3.25-15_en-US.exe ever did.

Thanks to Tor developers for this software. We users certainly hope that it will provide greater anonymity and be more robust than the deprecated software.

Actually, it's not supposed to take 10 minutes. I assume you had a hiccup on one of your directory fetching circuits or something. Sorry for the troubles.

You could try blowing away your current TBB and unpacking a new one, and see how the second attempt fares?

Mine does this every time. It doesn't seem to be creating any data in my data directory either. What is it supposed to be doing and why doesn't it save the result?

Did you unpack your Tor Browser into a directory that you don't have write permissions for?

Suggestion to Tor developers of TBB 3.5 and above series

Could you please state clearly on the appropriate web pages who sign(s) the TBB bundle?

For TBB 2.x series, it was stated clearly that Erinn was the only signer.

As for TBB 3.5 and above series, who is the signer? Is it still Erinn?

Erinn still signs the .asc files that you're used to checking.

But there's actually a smarter way to check the signatures as of TBB 3.5, which resists a few subtle attacks that probably don't matter currently but might matter in the future.

See the "How do I verify the download (sha256sums.txt)?" question in the FAQ linked above.

"Manage cookie protection" don't work (windows version). How can I see and delete cookies? In old version all cookies was there and I saw them.

Confirmed. Keep an eye on (or help with! :)
https://trac.torproject.org/projects/tor/ticket/10353

Hi all, I want to link Vidalia to the new 3.5 TBB. I downloaded & extracted the standalone package to a separate folder; now how/where do I put the start script in so they open and are linked? I want the map and the ability to get a new ID without browser refresh as I use many tabs. Thanks

Step one, start TBB. Step two, start your Vidalia.

Sounds fishy to me, for some reason they want you to run the browser naked first, easier for the browser to phone home through some backdoor bypassing tor maybe?

Sorry, but the idea doesn't fit with the facts. Vidalia isn't some magic thing that lets you check whether your browser is making connections that bypass Tor. You can use some other tool for that (and you should!), whether you are attaching a Vidalia to your TBB or not.

bring back vidalia this is total bullshit version

Why doesn't the browser start through Vidalia like it used to when I use it to start 3.5 through that standalone bundle? It greenlights but no browser.

Step one, start TBB. Step two, start your Vidalia.

The startup time improvements in 3.5 are massive but there is some work to do. In TBB 2.3.x I used Vidalia to reconfigure and run as a Relay. Now TBB by default is running as Client-Only that is less secure (IMHO because it does not obfuscate the traffic I generate by mixing it into relay traffic). I also want to torify other apps such as Bitcoin. I know about editing torrc but I want to do it "in proper way".

Vidalia Standalone Bundle is not a real solution. TBB 3.5 uses cookie as control port auth, Vidalia wants to use random password. The Vidalia also now throws out uncensored .onion addresses in its log claiming it is not supported.

I think I will need to run Vidalia Relay Bundle for all my other apps together with TBB for browsing. If they don't attempt to interfere with each others instance.

The new Tor is great with its fast circuits. The rest is meh as usual.

Give me Vidalia or give me death!

(I know about the FAQ but I had to say that.)

* With all due respect: Without Vevida it really sucks *

- Unable to see network connections. or if any connections are established in the first place.
- Unable to instantly check to which countries or nodes you are connected.
- Firefox’s preferences content is dramatically reduced until pretty unusable.

I’m losing my trust rapidly. What are you doing?
From now on Tor is for kids and foolish people only?

Download page says: "This package requires no installation. Just extract it and run." but I get an .exe file that I must install. If I extract and try to run I always get an error message. What am I doing wrong?

You say "This package requires no installation. Just extract it and run." but download is an .exe ...wft?

I opened https://trac.torproject.org/projects/tor/ticket/10452 for the issue -- please help!

Using the 63 Bit Linux version...I go into settings and cannot locate where to disable JAVA...option is gone in this new release...

Yep. https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

Please try not to confuse Java*Script* with Java.

Thanks.

The censored users
- MUST see the Tor circuits,
- MAKE SURE the excluded country nodes are not in the circuits, and
- SEE the Tor status/error messages.
Without Vidalia this is all taken away. Do you suppose now we need to blindly trust everything and always? Or we need to dig in the files to return Vidalia manually?

OK, Vidalia is bad (per mentioned above FAQ), but please develop a modern informative substitute. Come on.

It's in the works -- faster if you help.

In the mean time, feel free to use the standalone Vidalia workaround.

Thank you for all your hard work.

FYI-- GET INFO tells me that I have downloaded Tor Browser Bundle 1.0, copyright 2010 instead of the 32-bit Mac version of 3.5, copyright 2013. Assume it was a labeling oversight.

Looks like https://trac.torproject.org/projects/tor/ticket/10444

With 3.5 the message "Tor unexpectedly exited" appears when adding to torrc
SocksPort 127.0.0.1:9999
Or any address and port.

Also, TorBrowser crashes on exit when setting in options
"Show my windows and tabs..."

And when re-opened, it of course does not set the window size properly if the size has been altered before closing. Is this intended behaviour?

For the SocksPort part, that looks like https://trac.torproject.org/projects/tor/ticket/10447

If you can repeat the Tor Browser crash, please open a ticket about it at bugs.torproject.org. Thanks!

Javascript is enabled by default.

Quote: "We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled."

Okay fine, what happened to the option to shut it off? It's no longer under content.
Wtf is going on?

Alas, Mozilla decided to remove that option in Firefox 24. Here's the recommended fix:

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

Why is there no longer an option and no mention of the removal of enabling/disabling javascript from FF options? Also, "allow scripts globally" is enabled by default in noscript.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

Just like to say thanks for the new bundles - in particular the stand alone Vidalia. I too had a few problems with the two missing dlls but I managed to locate them in the previous Tor bundle and put them in my System32 folder.

Now everything works fine.

Thanks again.

Tor Browser 3.5-MacOS
Javascript is on by default, with no obvious way to turn it off.

Why has the option been removed from preferences, and where has it been moved to?

Also, may I please have a link to *correct* article(s) on Javascript and cookies when using tor. There is much too much conflicting information out there.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript
is the short answer.

As for correct articles, the story is alas complex and changing.

I recommend
https://www.torproject.org/projects/torbrowser/design/
and
https://www.torproject.org/torbutton/en/design/
as good reading.

In all the previous TBB versions Javascript needed to be manually disabled.

I'm no techie so I ask: is Javascript now permanently disabled in TBB 3.5? Otherwise, how would I go about doing this, please?

TIA

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

TBB 3.5 does not start without the tor from TBB. To use transparent torification with Linux system tor, first remove tor-browser_en-US/Data/Browser/profile.default/extensions/tor-launcher@torproject.org.xpi,
then go to Torbutton preferences and select "Transparent Torification (Requires custom transproxy or Tor router)". Press OK and restart TBB.

How do you turn off Javascript in tor browser and why is it on by default? I have heard many bad things about Java. please advise

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

Also, be sure not to confuse Java (generally a really bad idea) with JavaScript (not a particularly good idea either, but sure does break a lot of websites if you disable it).

It is more accurate to state that many websites break themselves by relying on javascript, and expecting visitors to enable js to fix the defective website.
Proper website design requires testing the site then adding frills such as js later.

that is correct

vidalia is more user friendly than the new tor launcher

the new version might be good for pro. users but i'm afraid it's not user friendly and isn't easy to me to set it up! i have no idea abt the information it wants me to enter! setting proxies?! is my isp open for tor servers or not?! are you kidding? how could a non-professional user could know these? i hope "tor" could be as helpful as always again :)

Please help us make it easier.

What made you click 'configure' rather than 'connect' on the opening page?

you are absolutely right man! I've gone to the wrong direction. today i tried again and i must correct what i said yesterday (in the comment above) and apologize for that of course :)
the new Tor software is really great! faster and lighter than older ones and i have nothing to say but thank you "Tor" guys for making a way for us to connect to the web securely; specially in Iran that you have no idea about the largeness of its filtering system formed by the gov.!

How to disable javascript in TBB 3.5?

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

This new version doesn't start and always tells me Firefox is already running, but I don't even have Firefox installed.....

Fun. What version, what OS, how are you installing it, etc?

Well, the 3.5 Version of Tor.
I'm using Windows 8 and installed it normally into program files.
I'm starting the Tor exe then and get this weird error message.

Any Windows 8 users have any hints here?

I have seen this behavior with firefox in other versions and other platforms (when firefox is closed, then a reopen is attempted). It seems firefox doesn't always close cleanly. Check task manager and close any instances of firefox and try launching again. In Linux the "killall firefox" command always does the trick.

Yeah, but I don't have FF installed. xD
Well, but I feel stupid now. I got around the problem by just opening Tor as an administrator. I just didn't think of that because the error was directing me in a totally different direction.

Ah ha. I bet if you unpack TBB into some directory that you have permissions to, you won't have to run it as administrator. (Doing that seems wiser all-around.)

Why is there no safe, separate, zip file to extract and run apart from my regular installation? I'm not going to run an installer, I want everything separate and with no changes applied to my main machine!

Actually, the installer just sticks stuff in a self-contained directory, just like unzip did.

I've opened https://trac.torproject.org/projects/tor/ticket/10452 as a central point of discussion on making things clearer. Please help!

WTF ? We've gone back to days of installers ?????

How does TBB 3.5 install on OS X? It's not gonna ask me for username/password is it ? It used to be just a zip you unpacked then a file you dragged to /Applications/

Do you know what? I really think a lot of bad design decisions have been made with 3.5, they are just plucked out of thin air and undermine trust in the product. And trust is critical here. You can't make this kind of software just from the point of what works for devs mechanically, and I wonder if anyone is learning this by now.

No, the OS X one is still just a zip file.

We only added the installer for Windows users, because they were the ones we consistently saw unpacking it wrong.

Why is the new Tor asking for a file in my user folder called "geoip6"?

Sounds like https://trac.torproject.org/projects/tor/ticket/10425

why the new bundle exe file and not a zip file ?

See above discussion pointing to https://trac.torproject.org/projects/tor/ticket/10452

Thanks!

"But smart users don't *know* that that's all it's doing. We should a) make it clearer in the installer text itself that TBB remains self-contained in just the directory they specify, and b) make it clearer on the download webpage when they're fetching it."

smart users don't want to be infected by some shit by exit-node (fake exe)

Well, this is why you must check the signature on the thing you download, whether that thing is a zip or an exe.

If you're worried about getting a fake Tor bundle, and you're happy with a zip file but not happy with an exe installer, but inside the zip file is an exe file that you'll happily run... you're doing it wrong.

All of that said, checking signatures in Windows is horrible. Maybe somebody here will write up some better instructions on how to do it more easily?

To make it easier for the NSA to inject virus into the exe files some (not all) people download.

New version is bad. Can't use it to log into ebay. Downloads don't show in download tabs.

I don't know about the ebay part (works for me? ebay is blocking logins from some Tor exits?), but the second issue is because this is Firefox 24 not Firefox 17. Firefox 17 is unmaintained now. Sorry you're railroaded into a newer browser, but Mozilla hasn't left people much choice.

Where is the option to disable javascript on the windows version? It is not in the same spot in the options menu that it normally is, and I can't find it. Someone pls respond.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

And when NoScript fails to block JS due to some bug in it, an exploit will gladly run on the targeted system.

Yep. I just added an extra note to https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript suggesting disabling it via about:config too.

what is "about:config" ?? I cannot find that anywhere.

http://kb.mozillazine.org/About:config

(in the future, try your favorite search engine)

Which is most likely the address bar. Which answers the question immediately. Heck even the start page of TBB 3.5 is about:tor

"And when NoScript fails to block JS due to some bug in it"

How likely is that to happen? Has it ever?

Meanwhile, JavaScript is but one attack surface out of MANY others.

Minor issue but it was a nasty surprise when the new identity button closed down all my tabs and restarted the browser instead of just fetching a new identity as it used to. At least a warning before it does that should be there. It's not easy to recover things on a browser that does not and should not recover history, forms etc. Let's not make this worse. Is the restart absolutely necessary? Thanks for the great work so far.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WhydoesNewIdentitycloseallmyopentabs

How do I manually disable javascript in the FF browser? I see a thing for Java, but not JS?

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

I don't know how to set up my relay without vidalia.

Why isn't there a simple package without installer available? All the descriptions still say "just unzip", which is clearly wrong since you need to run an .exe now.

I opened
https://trac.torproject.org/projects/tor/ticket/10452
and
https://trac.torproject.org/projects/tor/ticket/10454
for the two pieces. Thanks!

When i install this 3.5 version, all the files in the folder are dated 1999

is this normal?

Yes, it's normal.

I added a FAQ entry for it:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#Whyarethefiletimestampsfrom1999

What happened to the content tab in FF? There is no javascript enable button thing there anymore. How do we reliably disable JS in the browser?

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

Don't have the 'new identity' button that's on Vidalia.
For some reason, download progress doesn't show on firefox.
Only good about this is the startup speed. Very fast!

There actually is a 'new identity' -- click on the green onion in the browser, near the address bar.

*But*! You may be surprised by its behavior. See
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WhydoesNewIdentitycloseallmyopentabs

wheres vidalia ?

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago

Where have you been?

Read TFB(log)P(ost)

I still cannot find where to disable JAVA????

TBB disables plugins like Java automatically.

*But*, I assume you are confusing Java and JavaScript. They are different things.

You might like
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

What happened to Load images automatically and Enable JavaScript options in Edit > Content? May I disable JavaScript thru about:config?

I'm also very interested to find the answer!

WTF? It's most important options and no info about how to handle this through the config file or menu interface! Maybe NSA/CIA pressured you to delete this options???

If you want your conspiracy theory, you should wonder if NSA/CIA pressured Mozilla to delete the options from Firefox. That's just how the new Firefox is, and TBB continues to be based on Firefox because it's still the best browser for us to be able to fix all the privacy issues in:
https://www.torproject.org/docs/faq#TBBOtherBrowser

I found the solution!

You need to go about:config, find "permissions.default.image" and change the value from 1 to 2.

TorButton > Cookie protections not working, no cookies there (Linux 32 and 64 bit tested, Win/Mac not tested).

Modifications on TBB:
start-tor-browser.sh: add "export TOR_SKIP_LAUNCH=1"
TorButton > Preferences > Socks Proxy to 127.0.0.1:9050; No proxy for 127.0.0.1, 192.168.0.0/24
NoScript > Disable Scripts Globally
Bookmarks > Show All > Restore ...

https://trac.torproject.org/projects/tor/ticket/10353 might be what you're looking for?

How to disable javascript now? There's no option anymore in "content". How to get rid of tab bar?

And is it now right way to put proxy in "preferences" 'cause there is no vidalia anymore? Generally have to say that I don't like these changes.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIdisableJavaScript

A lot of the changes you don't like may well be from Firefox 24 vs Firefox 17 (which is now unmaintained).

For configuring the browser's proxy settings, click on the green onion and select "preferences" (which brings you to the browser proxy settings page).

For configuring Tor's proxy settings (e.g. if you need to go through a proxy to reach the Internet), click on the green onion and select "open network settings".

how to disable javascript in this version?

Two questions for the new TBB:
- how to disable Javascript in Firefox? The option is not there anymore.
- how to set Tor as a non-exit relay without Vidalia?

Thanks.

downloaded torbrowser 3.5 for mac today but it does not work. can't connect to any webpage at all. never had such problems with any tor package before in years and have not changed any other spec on my mac running latest build mavericks. switching back to previous tor-vidalia package works as always. what's wrong here with 3.5 ?

with vidalia no more i cant even start to figure out where to start getting tor 3.5 working....

The same thing is happening to me! It lets me access the public web, and only a very limited amount of .onion sites -- basically only hidden wiki or torsearch sites. How can I fix this?

I'm having the same problem. TBB 3.5 on latest OS X does not connect to any websites. I opened a bug ticket. Hopefully we OS X users get some love from the Tor community.

I have had a problem with new versions of TOR browser over the last few months.
It seems that there is now some problem with the CPU priority of tabs.
With old versions (in the first half of this year), when a tab was downloading a new site, other tabs ran smoothly, with no brakes or lags.
But in the last 3 or 4 months, new TOR browser versions have a nasty habit: when some page is downloading, other tabs lag and work very slowly.
Can you fix it so that other tabs don't slow down when one tab is opening or refreshing something?
PLEASE!
p.s. sorry for my terrible english, i hope you can understand me and get optimal performance browser back to normal.

I use Tor with other applications. I have been utilizing TBB to initiate the tor connection. With the new bundle, closing firefox now closes the tor connection. Where can I find a stand-alone tor application for Linux?

If you're on Debian or Ubuntu, apt-get install tor

See also
https://www.torproject.org/download/download-unix.html.en

But be sure to use TBB when you want to browse over Tor:
https://www.torproject.org/docs/faq#TBBOtherBrowser

Can you bring back the control panel, please?, and there's a big problem when getting some new identity: all of my tabs are erased and we have to start from zero.
Thanks for this awesome and useful service!
Kind regards.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago
and
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WhydoesNewIdentitycloseallmyopentabs
Thanks!

The sha256sums.txt was not on the download page but it is in the archive.

Great point. I've opened
https://trac.torproject.org/projects/tor/ticket/10455
Thanks.
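For the sha256sums.txt mentioned here and the "check what you downloaded, zip or exe" advice earlier in the thread, this is an added example (not Tor Project code) that checks a downloaded file against such a list. It assumes the usual `sha256sum` line format and that the list itself has already been authenticated through its signature, which this code does not do; the file names used are constructed placeholders.

```python
import hashlib
import hmac
import os
import re

# "<64 hex digits> <space or '*'><file name>", the layout written by sha256sum.
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sums(text):
    """Map file name -> lowercase hex digest; reject anything malformed."""
    sums = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = ENTRY.match(line)
        if not match:
            raise ValueError(f"line {number}: not a sha256sum entry")
        digest, name = match.group(1).lower(), match.group(2)
        if sums.get(name, digest) != digest:
            raise ValueError(f"line {number}: conflicting digests for {name}")
        sums[name] = digest
    return sums


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large bundle is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path, sums_text, listed_name=None):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path.

    listed_name is the name to look up in the list when the local copy was
    renamed; by default the local base name is used.
    """
    name = listed_name or os.path.basename(path)
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return "unlisted"  # never treat a missing entry as a pass
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    import sys

    # Usage: python verify.py <downloaded file> <sha256sums.txt>
    with open(sys.argv[2], encoding="utf-8") as sums_file:
        result = verify_download(sys.argv[1], sums_file.read())
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

A matching hash only shows that the file is the one the list describes; the trust comes from the signature on the list.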

Where is the documentation for running Arm? It looks like it will provide some of the functionality/information I'm used to seeing in Vidalia. I cannot find any documentation or tutorial about how to use it.

https://www.atagar.com/arm/download.php

Your main challenge will be hooking it up to the control port, with the control port authentication, that Tor Launcher configured Tor to use.

If you pick a control port of 9151, it might just work, if it knows how to do cookie authentication.

That said, be sure you've looked at https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago
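What "hooking up to the control port with cookie authentication" involves on the wire, as an added example that is not from arm, Vidalia or the Tor Project: build the `AUTHENTICATE` line from the 32-byte cookie, send `GETINFO circuit-status`, and parse the reply into circuits and hops. Port 9151 is the one suggested above; the cookie file location is an assumption left to the caller, and the sample reply with its relay names and fingerprints is constructed.

```python
import binascii
import io
import re
import socket

KEYWORD = re.compile(r"^[A-Z_]+=")  # e.g. BUILD_FLAGS=..., PURPOSE=...


def authenticate_command(cookie):
    """AUTHENTICATE line for cookie auth: the 32-byte cookie, hex-encoded."""
    if len(cookie) != 32:
        raise ValueError("control auth cookie must be exactly 32 bytes")
    return b"AUTHENTICATE " + binascii.hexlify(cookie) + b"\r\n"


def _next_line(stream):
    raw = stream.readline()
    if not raw:
        raise ConnectionError("control connection closed mid-reply")
    return raw.decode("ascii", "replace").rstrip("\r\n")


def read_reply(stream):
    """Read one reply; return (status code, final text, payload lines)."""
    payload = []
    while True:
        line = _next_line(stream)
        code, sep, text = line[:3], line[3:4], line[4:]
        if sep == " ":                      # final line of the reply
            return int(code), text, payload
        if sep not in ("+", "-"):
            raise ValueError(f"malformed control reply line: {line!r}")
        payload.append(text)
        while sep == "+":                   # data block, ends with a lone "."
            data = _next_line(stream)
            if data == ".":
                break
            payload.append(data[1:] if data.startswith(".") else data)


def parse_circuits(payload):
    """Turn circuit-status payload lines into dicts (id, status, hops, flags)."""
    circuits = []
    for line in payload:
        if line.startswith("circuit-status="):
            line = line[len("circuit-status="):]
        fields = line.split()
        if len(fields) < 2:
            continue
        rest = fields[2:]
        hops = []
        if rest and not KEYWORD.match(rest[0]):  # the path is optional
            hops = [hop.lstrip("$") for hop in rest.pop(0).split(",")]
        flags = dict(item.split("=", 1) for item in rest if "=" in item)
        circuits.append({"id": fields[0], "status": fields[1],
                         "hops": hops, "flags": flags})
    return circuits


def query_circuits(cookie_path, host="127.0.0.1", port=9151):
    """Live query. cookie_path is wherever your Tor wrote its auth cookie."""
    with open(cookie_path, "rb") as handle:
        cookie = handle.read()
    with socket.create_connection((host, port), timeout=10) as sock:
        stream = sock.makefile("rwb")
        for command in (authenticate_command(cookie),
                        b"GETINFO circuit-status\r\n"):
            stream.write(command)
            stream.flush()
            code, text, payload = read_reply(stream)
            if code != 250:
                raise RuntimeError(f"control port refused: {code} {text}")
        stream.write(b"QUIT\r\n")
        stream.flush()
    return parse_circuits(payload)


def _fp(char):
    return char * 40  # constructed 40-hex-digit fingerprint


# Constructed sample reply, in the layout the control protocol uses.
SAMPLE_REPLY = (
    "250+circuit-status=\r\n"
    f"7 BUILT ${_fp('A')}~relayA,${_fp('B')}~relayB,${_fp('C')}~relayC "
    "BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\r\n"
    f"9 BUILT ${_fp('A')}~relayA "
    "BUILD_FLAGS=ONEHOP_TUNNEL,IS_INTERNAL PURPOSE=GENERAL\r\n"
    "11 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL\r\n"
    ".\r\n"
    "250 OK\r\n"
).encode("ascii")

if __name__ == "__main__":
    for circ in parse_circuits(read_reply(io.BytesIO(SAMPLE_REPLY))[2]):
        print(circ["id"], circ["status"], len(circ["hops"]), "hops",
              circ["flags"].get("BUILD_FLAGS", ""))
```

One-hop circuits flagged `ONEHOP_TUNNEL` are Tor's own directory connections, so a hop count below three on those is expected.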

Thank you for the response. However, I'm looking for general documentation about how to configure and use it. I've switched to using the daemon.

Once you've installed the tor-arm deb, look in /usr/share/doc/tor-arm/ for e.g. the README.

If you still have questions I suggest catching atagar on irc -- he's often happy to help, even though he's mostly moved on to working on Stem.

The close all tabs functionality is a very inconvenient feature. Scrubbing application level data is a great idea but losing the tabs introduces other problems like having to store the urls and half-completed e-mail texts on temporary files elsewhere. Huge problem for people running the tor bundle from encrypted containers. It's also a huge pain in the rear to do that often, it introduces unneeded reloads of pages which might provide some extra traffic analysis data and it also increases bandwidth usage on the tor network.

That may also be related to a bug which makes dictionaries unusable on some sites which wasn't present in the previous version.

Yep -- see the tickets linked from https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WhydoesNewIdentitycloseallmyopentabs

As for the dictionaries issue... maybe that's a Firefox 24 issue? Or maybe it's a Tor Browser patches issue? Or maybe those sites started blocking Tor exits between then and now? You should maybe file a ticket (bugs.torproject.org).

Where is Vidalia!?
There isn't a control panel anymore, why!?
You don't have the worldmap with a transparent view of the connections anymore.

This version hides something in the inner core.
Sorry but the new version is bullcrap!

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago

At that link it says:

"Where did the world map (Vidalia) go?

Vidalia has been replaced with Tor Launcher, which is a Firefox extension that provides similar functionality. Unfortunately, circuit status reporting is still missing, but we are working on providing it. "

My strong suggestion and humble request is that you provide it again very, very soon because without allowing users the transparency to physically see the built circuits, users will feel nothing but suspicious of torproject having been pawned by the evil NSA daemons who seek to destroy the liberty of billions....

Keep reading the FAQ entry, so you get to the part where there's a workaround that lets you hook up Vidalia to TBB 3.5.

Idea about new install package (I mean Nullsoft Install System) - IT'S VERY VERY BAD IDEA. Not portable - S**K. Please make 7z.
P.S. Sorry for my bad English.

I've opened the general issue as https://trac.torproject.org/projects/tor/ticket/10452

Please help with making a solution that you'll be happy with!

I'm using Tor 3.5 Windows version.

I can't get the Tor browser settings to work as they should, it won't save any cookies at all or if it does I can't view them (I see that part has already been mentioned) but also if I set the Tor browser options to Use custom settings for history and then also set Accept third-party cookies to "Never" it won't save the setting, it just resets back to never remember History the next time I check the setting, *After saying that I now can't get it to save the setting back to "Never remember history" so I don't know what's going on with it.

For the cookie issue, see https://trac.torproject.org/projects/tor/ticket/10353

I just checked performance of TOR browser on XP with two different versions of TOR browser
2.3.25-13 - work smoothly and fast
3.5 - work laggy, heavy load of processor

Why new TOR browser now works so badly ?

I wonder if this is related to https://trac.torproject.org/projects/tor/ticket/9084 -- we disabled a few hardware performance features on XP because it was causing crashes.

Windows XP?

Isn't support ending very soon?

Hope you are prepared.

The new bundle is very snappy. Thanks. :)

As someone who is not a techie, this new version is a nightmare. I deleted the old tor browser on my computer when told there was an updated version (I run fedora) and downloaded the new one. When I open Tor Browser, it instantly says "Tor unexpectedly exited" and I know no way to fix this. I cannot re-install the old packages. Now I have no way to be anonymous online without spending hours banging my head against a screen and probably failing anyway because I am not literate in the technical conversations taking place here. I essentially have no way to use tor now. This is so frustrating.

Are you running some Tor thing already?

Are you sure you picked 32-bit vs 64-bit correctly?

This was happening to me too... but I realized I'd quit the old browser but still had Vidalia open. As soon as I quit everything else, it worked fine.

I have the same problem. Using a live USB running Precise Puppy v5.4 on a 32 bit PC I was very comfortable installing the frequent Tor updates over the last couple of years. This v3.5 downloads ok, but says "Tor unexpectedly exited" when you try to start it. I am not a techie and cannot fix this, or find an answer on the web. Any ideas anyone?

I upgraded to Precise Puppy v5.7.1 and the problem went away.

why every time i download the version 3.5 i am getting the tor but when i check the application to start it say made in 1999 or its old as fuck someone help me out here i have been trying to get this update for a couple of days now

The timestamp is fine. See https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#Whyarethefiletimestampsfrom1999

Old versions here:
https://archive.torproject.org/tor-package-archive/torbrowser/

September or october...

Feel free to use older bundles if you really want to, but be sure to consider the lesson from
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
when considering running an unmaintained version of Firefox.

This just in...

The release of Tor 3.5 (aka New Coke, Windows 8, etc.) has many users baffled where the Vidalia control panel has gone. Many users seem blind-sighted (aka struck by surprise from an unexpected direction). With all the confusion and frustration being expressed by its user base, it waits to be seen if the developers will be soon releasing a Classic Tor or Tor Blue version within the coming weeks.

More news at 11...

Well, maybe you like the Vidalia standalone bundle?

Or maybe you would like to help maintain a bundle you prefer better, starting with fixing the growing set of bugs in Vidalia, which has alas been unmaintained for years?

Also, it's "blind-sided", not blind-sighted -- but let me take this opportunity to tell everybody to read Peter Watts's great book "Blindsight". :)

HA!. this guy!

Vidalia Control Panel can still be manually loaded AFTER connection is established with Tor 3.5.
Download Vidalia Standalone from:
https://people.torproject.org/~erinn/vidalia-standalone-bundles/

The Tor Project has replaced Vidalia with a Firefox Plugin known as TorLauncher. A major reason being cited is because Tor loads faster this way, and indeed it does seem to. I still like Vidalia and still use it to view my Network Map, Tor bandwidth, to switch relay services on/off, and change other settings.

The new version seems also to make trouble on sites with crappy old/weak TLS logins. Maybe an issue of FF or its cookie handling??? TBB Refuses connection without warnings or errors. So what are the options if you want to use a login on these particular sites? Using the old version of TBB with support of "bad cryptography" or using the new TBB with no cryptography (using unsecured http login)? Bruce Schneier has his personal opinion about this topic.

More details needed. Maybe this is an issue with Firefox 24 vs Firefox 17?

It seems to be more like a problem with cookie handling in private mode. After unchecking the Torbutton option "Don't record browsing history or website data (enables Private Browsing Mode)" all seems to be OK. Also the FF option under Privacy "Accept cookies from sites" has to be checked. 3rd-party cookies can be disabled. Is it also possible that this preference is not corresponding with the Torbutton option "Restrict third party cookies and other tracking"?
If the FF option (also Privacy) "Always use private browsing mode" is checked no cookies are listed under "show Cookies...", if unchecked cookies are listed.

Is https://trac.torproject.org/projects/tor/ticket/10353 related?

This whole FF issue with removing the javascript preference in the content tab, coupled with the cookie "haze", should be viewed with suspicion. Sure, you can supposedly still disable JS by doing the about:config thing, but a lot of, if not most, people are going to trust in Tor or Noscript or whatever.

One can rightly say that not all exploits and other crap use javascript to execute, but JS is the easiest vector to manipulate to unmask people. That is Exactly why the NSA and the UK people use it.

Perhaps the tor project should look into partnering with other browsers that don't make it hard for the ordinary layperson to disable JS and cookies.

It was always understood as a FUNDAMENTAL thing - if you want to surf safe, disable JS and cookies. Any org that makes it more and more difficult to do these basic things should be viewed suspiciously.

The other browsers lock down extensions even more in terms of what they can do to change browser behavior -- so a lot of the contortions that Tor Browser Button goes through:
https://www.torproject.org/torbutton/en/design/
https://www.torproject.org/projects/torbrowser/design/
are downright impossible in things like Chrome without a huge amount of rewriting (which in turn means that when they change their code your patch breaks).

https://www.torproject.org/docs/faq#TBBOtherBrowser
points to
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-fingerprinting
which lists some Chrome bugs that remain blockers for moving TBB to Chrome.

Unless you had a different free-software browser in mind?

Isn't it kind of funny how people have such an emotional attachment to a simple utility like Vidalia? For years it's served as their assurance that everything is right in onionland and taking it away is like removing a baby from his mother's nipple. A valuable lesson for software projects...

In all seriousness arma deserves a round of applause for dealing with very frustrated people in such a friendly way.

... and users deserve to be able to see for themselves that a three hop circuit has been built over three different continents as opposed to not being able to see... leaving open the possibility of a one or two hop circuit with entry and exits both within the USA's cesspool of a country along with the inherent likelihood that the NSA will own one or both of those servers.

Unless I have been allowed the opportunity by the developers to see for myself the built circuits (as used to be the case), I cannot have any confidence in tor because transparency is essential to trust.

First, you're welcome to hook up Vidalia and resume watching your circuits (see above FAQ). I hope we'll have that functionality in Tor Launcher soon too.

Second, you should learn more about Internet routing -- if you think that "has three relays in US" is unsafe and "has not all three relays in US" is safe, you're doing it wrong. :( The question is what networks the *links between relays* traverse. For example, traffic from Ecuador to Peru often goes through Miami. The Internet is centralized in a really scary way.

See also
http://freehaven.net/anonbib/#feamster:wpes2004
which led to
http://freehaven.net/anonbib/#ccs2013-usersrouted
which led to
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

"if you think that "has three relays in US" is unsafe and "has not all three relays in US" is safe, you're doing it wrong."

And pathetically deluded.

Thanks.

What you're not seeing here is all the frustrated people who have been dealing with all the Vidalia bugs over the years (yes, actually years) that it's been unmaintained and rotting.

The only way to see which exit I am using is to visit https://atlas.torproject.org - but this site requires JavaScript. I'd think there should be a non-JS version for security reasons?

Totally agree.... torproject should lead by example in not forcing surfers to enable JavaScript.

I for one prefer to NEVER enable JS if at all possible for obvious reasons such as the NSA's MITM attacks seamlessly redirecting you to a Foxacid server to be fuggin owned regardless of the fact that the site you were attempting to view might have had a harmless JS script, the JS that that MITM page contains or calls may well not be benign and in fact likely will be malicious if it is from the NSA (Never Serve America).

In simple terms, leaving JS enabled even for sites you trust like Goggle (if you're a dumb F@%K) or even DuckDuckgo or torproject leaves you completely open to the most malicious and 0-day JS out there if the NSA uses their fraudulent, stolen and illegitimate privileged positions on the WWW backbone to MITM or MOTS you.

Therefore torproject should NOT publish html pages with functionalities that are essential to users of the software that ONLY operate if JS is enabled.

Come on, get serious guys, not only should you lead by example with your own site by rejecting mandatory JS functionalities, you should adopt the policy of recommending to all your industry peers to do the same with their websites.

First, as far as I understand the Quantum attacks don't rely on Javascript in any way. Though I'll grant you that some of the Foxacid exploits use them -- but seriously, if that's your adversary, these people have like a 7 or 8 figure budget for buying browser exploits. We need way way better sandboxing in general before we can have those conversations.

As for whether atlas or globe use Javascript... they were both written by nice volunteers, and now we point people at them because we don't have better ones. If you want them to work better without Javascript, become one of the nice volunteers!

I guess we could throw them away, but there would be a lot more people yelling about "what did you do with atlas" than there are currently yelling about "omg atlas uses javascript".

Also, throwing away things written by nice volunteers is not a good way to have a community.

I understand and appreciate your point, it's a valid point, throwing away things written by nice volunteers is not a good way to have a community.

However I think that you are dangerously misplaced in so far as your assessment of the potential and actual harms in the situation being discussed.

Yes, the NSA is my and everybody's adversary because they are the predominant force committing these illegal and damaging hacks.

You might have given up any hope of defending from them, but thank god that many/most of us have not and never will.

Whatever can be done to defend, should be done, simple.

Even if it is just to defend against the NSA finding out one little minor piece of personal info that is not really vital or damaging because it is NONE OF THEIR DAMN BUSINESS and they are doing both minor and major infractions of privacy to MILLIONS of individuals daily adding up to untold and gargantuan suffering/hurt/harm amongst unsuspecting innocent humans both men, women and children.

Therefore, such things as a few hurt feelings that may be felt by a volunteer whose creation is removed or modified simply pale in comparison to the truly deeply damaging outcomes that can and do occur when the NSA gets root on a Linux box or drops a Trojan on a Winblows box.

I'm thinking of an activist who is working to promote knowledge amongst the general population of the systematic yet semi-covert stripping of the few remaining civil rights of the citizen against the unlimited power of the state.

The NSA identifies this individual via the repeated keywords of interest like 'civil liberties', 'protest', 'freedoms', 'tyrannic' etc etc that it keeps pulling from data streams of this individual's internet activities via deep packet inspection using its fiber splitters in its secret rooms at the major ISPs.

It then performs a MITM on this individual, redirecting them to a Foxacid server and uses a 0-day to compromise their OS.

From there, analysts pore over the PC's contents, determine that this individual is indeed a determined champion of personal liberties and is actively taking daily measures to work towards thwarting Big Govt's Orwellian agenda.

The NSA then decides that this individual is a true threat to the Govt's planned totalitarian dictatorship and so contacts the FBI and hands over a dossier of info from the compromised PC (planted illegal materials) along with giving the FBI the PC's encryption key that they obtained from RAM.

They instruct the FBI to use 'parallel construction' to recreate the investigation trail to say that they obtained the password voluntarily from the PC's owner in a 'their word against ours' scenario and proceed to federally prosecute the poor individual for whatever they planted on the PC.

They successfully remove the threat to their most evil plans.

All that is not to mention senators whose PCs are breached and secrets stolen and used to blackmail them into silence and compliance in voting for whatever bills the blackmailers want them to vote on or reject.

Why do you think that congress recently just gave the NSA an additional 60 MILLION to spend on tightening security against whistleblowers? No senator is going to vote for that of their own free will, just look at the slow turn of the tide of opinion amongst congressmen towards wanting to rein in the NSA. Knowing it is wrong and wanting to rein it in is their true desire from day one and is naturally showing through in time; voting to give the NSA an additional 50 Million to secure against future leakers was blackmail.

Then there are journalists being blackmailed to maintain silence on sensitive issues that the public needs to know, political dissidents in cruel regimes being exposed and jailed or killed, and there are non-violent drug users being prosecuted and jailed as a result of NSA snooping and subsequent FBI 'parallel construction' to recreate the investigation trail.

All that stuff is not conspiracy theories any more, it is known to be occurring as a matter of course on a daily basis, it's info that is in the public domain now owing to the numerous and various disparate articles from both the mainstream media such as the Guardian and WSJ and the independent media that is taking over; pulled together, the picture is that the articles show it's all been going on for over a decade to the point where FBI sources have even been quoted normalizing it as routine.

And not surprisingly, sweet bugger all terrorists are being caught planning to commit terrorist acts other than those that the FBI has created themselves via solicitation and then entrapment.

So you see, a blanked avoidance on JS because of the NSA ability to perform MITM attacks in an automated fashion en mass is a critical and mandatory action that the entire WWW community need to adopt ASAP.

I don't see it as a choice, but a fundamental necessity to curtail the NSA's abilities.

No time to proof read this now, gotta run.

These things keep me up at night too. They're a big part of why many people work on Tor.

If turning off atlas.torproject.org would have any real impact on them, I would totally do it. But that makes no sense.

Um, I think that turning off atlas.torproject.org is only one action recommended as a part of a much wider plan strategy.

It seems to me, and I agree with him/her on this wholeheartedly, that what they are trying to get across is that the very existence of and use of JS in web browsers is the major facilitator allowing the NSA to exploit innocent persons' computers.

He/she then states "So you see, a blanked avoidance on JS because of the NSA ability to perform MITM attacks in an automated fashion en mass is a critical and mandatory action that the entire WWW community need to adopt ASAP. I don't see it as a choice, but a fundamental necessity to curtail the NSA's abilities."

I think the word 'blanket' rather than 'blanked' was intended in the quote above, but anyway, this person appears not only to be saying that atlas.torproject.org should be removed or a non-JavaScript version implemented, but that JavaScript should be black banned and consciously shunned universally, by all WWW users, webmasters, and so on until it can be removed entirely as a specification from the Internet and web browsers for the express purpose of destroying a large percentage of the attack surface that the NSA uses to compromise systems.

That appears to me to be a great idea because it is one of very few actually effective measures that could be taken if we have the collective will.

In that sense, removing atlas seems like a desirable step amongst many millions of additional similar desirable steps.

Makes sense.

That said, I'm still unconvinced that this is where the fight is. For example, Flash has way more problems than JavaScript. The world is slowly winning the fight to make websites not expect that users will run Flash, but we have a long way to go.

*That* said, you have reminded me of another reason why the relay-search feature is useful: it does a bit of what atlas and globe do without demanding Javascript. I've added that point to the thread:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031310.html

And see also
https://trac.torproject.org/projects/tor/ticket/10407

I know this is getting way off topic, so I'll make this my last comment here...

I think that YOU, arma, should use YOUR influence as being an insider within torproject to convince others that what the person above said needs to happen, and needs to happen ASAP.

Meaning, the torproject in collaboration with EFF and Mozilla and perhaps others could campaign to the rest of the WWW the critical importance of ridding the WWW of JS and Flash as a first priority above all else!

It is no secret that most of the technologies comprising the WWW were developed informally, outside governing bodies and in an ad hoc manner and by multiple different organizations. The WWW, like most older cities in the world, is a mess because it was not 'planned' from the beginning, but rather just developed piecemeal as it grew.

It needs to be fixed properly, broken technologies need to be scrapped. The WWW will NEVER be able to be corrected by applying patches upon patches to technologies that are fundamentally flawed.

We got along just fine before JS and Flash were implemented into the WWW and could do so again by replacing them with style sheets and using only 'server side' scripting that stays out of the web browser until a properly developed and secured alternative using technologies that were not around when JS and Flash were created like strong sandboxing, crypto and VMs or similar.

JS and Flash cannot now have these new technologies easily built into them given they were not in existence when JS and Flash's architectures were created, so JS and Flash MUST GO, their usefulness is over and they are now nothing but a serious liability that is very obviously undermining the WWW across the board.

Thinking about it, bandwidth has increased 100 fold over the last decade, so there is no reason that ALL scripting could not be done server side because nowadays any delays are virtually negligible for such small data streams as the output from a script run on a remote server. This would completely bypass an entire category of security vulnerabilities that now exist because these technologies are parsed within the browser on the client's PC.

If people like you and others in positions of influence don't get behind these principles, we will continue to have an insecure and broken WWW that unimaginably evil entities like the NSA can continue with impunity to exploit to inflict damage upon innocent persons en masse in a completely automated fashion.

Can you imagine what a victory for individual and collective liberty it will be if we can stop the NSA dead in its tracks within only a couple of short months!

...you may say I'm a dreamer.... but I'm not the only one... I hope some day you'll join us.... and the world will be as one :) !

RT

See https://trac.torproject.org/projects/tor/ticket/10407 for discussing the atlas issue.

Another way to learn your exit relay is to install the standalone Vidalia bundle and run that with your TBB 3.5:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago

What does "Average packaged cell fullness" mean? I'm interested.

Tor cells are 512 bytes, and Tor data cells use 498 of those 512 bytes for payload (that is, application-level traffic). So if you're sending an http get request and it takes 100 bytes, Tor still sends that in a 512-byte cell, leading to around 20% fullness in that data cell.

If most people are fetching medium to large things then the exit relays will generally see an average cell fullness near 100%, since most of the time there's a whole cell worth of data waiting to be "packaged".

I suggest asking for more details on irc, since the blog comments here aren't a great medium for this sort of question.

I used to monitor the logs output from the control panel to confirm that my custom torrc file was parsed correctly and to confirm no other errors occurred that may concern me during startup and the building of a circuit etc.

I am not pleased to lose that ability... perhaps a little more brainstorming the consequences is in order before removing functionality from the software.

If you're launching TBB from the command line, it leaves Tor's log going to stdout (i.e. the terminal). I use that feature on Linux and hopefully it works on OS X too.

To see logs after startup, hooking up Vidalia to your TBB should work:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#WheredidtheworldmapVidaliago

But to see logs *during* startup, it probably won't do what you want. In that case your best bet for now is to add log lines to your torrc manually:
https://www.torproject.org/docs/faq#Logs
and in the long run to help encourage the Tor Launcher developers to make it easier for you to view messages and events from Tor.

Oh, and I should add that Tor launcher already has a "copy the logs to the clipboard" button, which you can use and then paste them into a text file to read. Not a great UI I agree, but it's there now.

@arma I appreciate the humility and mirth with which you've fielded so many user comments on this issue, but I have a question the FAQ doesn't speak to:

For users seeking to reduce their attack surface, it seems as though exclusively relying on NoScript to disable javascript functionality may or may not defend against all javascript-based Firefox exploits, which seems to be what most grumpy users are concerned about.

So if a user wants to *completely* disable javascript, is there any potential value in *also* going to about:config in TBB, then typing in javascript.enabled, and then toggling the option to "disabled"?

Defense in depth is always good. So, sure, go for it.

(Ok, ok, often good. But it seems fine in this case. :)

I installed the Quick Java add on to enable single click control over my JAVA, JAVAScript, Flash, Silverlight, Image, Animated Image and CSS controls.

Very handy.

Just enable Add-On Bar after your install and you can customize what button you have on the bottom right of your browser.

For safety and speed I disable all plugins except image and CSS style.

To be safe, I've also got the Better Privacy LSO persistent flash cookies add on to remove all flash cookies created upon exit.

My COMODO defense kept pestering me about Firefox.exe trying to access my COM section of my registry. Didn't have this issue in my last TOR Browser bundle.

Re the registry issue, that sounds like yet another FF24 thing that TBB needs to disable. Can you try to collect more details and open a ticket about it? Thanks!

The main bundle has improved lots and is fast so thanks for all the hard work.

As many of the users have mentioned their frustration with the lack of a graphic controller (Vidalia), I also have to say, it is very frustrating.

Vidalia is more than just a world map. It gives a much better control over functionality of everything. Which the little button in Firefox does not.

I think it should have stayed until a better alternative with "ALL" same functions is made, instead of first removing it and then pointing to an FAQ for getting it back. A bit of a round about way to do it.

That being said all future bundles should still be compatible with Vidalia (standalone) and support control through it. Also keep Vidalia around for it.

As for start up times. You can just start browser as is in 3.5 and then automatically start Vidalia after Firefox has started. Instead of users doing it manually. That way you get both speed for main browser connection and graphic controller. And you don't have to change much for it to work.
Also maybe add it to the main bundle package for download so people don't have to go around looking for answers.

I'd like to keep the Vidalia workaround working for as long as we can, yes.

The main rush here was getting something with FF24 working and out, because FF17 is no longer maintained. And our FF24 work didn't include getting Vidalia working with it.

One of the other big reasons for switching to Tor Launcher is that it will make secure updates much much easier (since it's only a browser and Firefox already has a way to do updates).

I'm not really excited to put Vidalia back into TBB3.5 by default -- maybe you have figured out all the things not to click because they are broken in confusing ways, but all the folks who think they can edit the torrc graphically (you can't, it's mostly broken) or set up a hidden service graphically (also broken), etc? There are a lot of Vidalia haters out there too, and for a good reason since it's been unmaintained for years now.

[...] all the folks who think they can edit the torrc graphically (you can't, it's mostly broken) [...]

Other things being harder, yes, you can edit torrc in Vidalia. Have been doing it until now... Working around that Vidalia torrc editor's "Save" bug is easy: simply remove the commented lines in torrc (those starting with the # symbol) before saving it.

'kay Mike Perry and ama

Yeah, I'm that non-techie type from above.

Y'all kindly put me onna right track by pointing out that Javascript was now controlled by NoScript and that disabling Java is also a good idea.

And the test drive was an enormous success! Thank you...

Vidalia had, imho, many interesting features to play with but I ain't gonna miss it.

I'm still using XP and thus also IE8. To me, TBB 3.5 is now more like IE8 than it eva was before. Once installed one can now forget about it.

I'm sorry to see these youngers resist change so vehemently - they'll soon grow out of it and become more flexible in their ways as they start getting older and more mature. LOL

Seasonal blessing to you and all yer cronies. Thanks for the efforts to keep us safe - we are all very grateful even though we like to complain a lot.... more LOL

Great, thanks!

One question though -- I hope "Once installed one can now forget about it" doesn't mean that you're using it wrong, e.g. running your IE and thinking that you're using Tor? :)

@ arma
LOL .

I use IE8 without Java or Javascript enabled. I stuffed my "hosts" file with verboten cookie urls. I also use the IE8 "InPrivate" nonsense only from force of habit. No add-ons or accelerators permitted. Google "basic" used as search engine. No "flash" nonsense either.

TBB3.5 loads, for me, in a wink - as does IE8. I can access all my favourite sites even with NoScript activated. Using Duck whatever as a search engine. My isp can now only verify the time and length of my browsing sessions.

Although I live in a third world community where internet speeds and bandwidth are reckoned in kb/sec I get a more robust and constant download speed with TBB3.5. Let's see if this persists?

Mozilla is, for me, unnecessarily complex and too many bells and whistles.

What's more to want - y'all provided me with the best seasonal present for 2014. Heaps of gratitudes...

But like I say - 'parently the youth are too hidebound in their choices and werry resistant to change - double LOL.

Y'all at Tor enjoy the break, hear!

Return refreshed for the 2014 fray. Who be knowing what surprises to expect next...

What about relay configuration in 3.5? How to set up a relay in absence of Vidalia? I actually have no clue how to do it on Windows right now! I've always done it the easy way, graphically that is, thanks to the manual on site ( https://www.torproject.org/docs/tor-doc-relay.html.en ). In fact, the Tor browser sends me right there ( ->"Run a Tor Relay Node" ), even though this is still targeting the previous version(s), cum Vidalia. But now it won't be of much help anymore, or am I missing something? Is standalone Vidalia the only option left or is there some achievable way to set it up manually on Windows too? At least the website doesn't mention, it only describes how to do it on Linux. :-(

Thanks!

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIconfigureTorasarelayorbridge

For Windows, I'd say give the Vidalia relay bundle a try?
https://www.torproject.org/download/download

Vidalia Relay Bundle is indeed what does the trick! I should've checked the options. Thanks a lot.

Great!

Downloaded the latest build of Tor Browser Bundle 3.5 to this update, I used the same assembly and organized output node network. I do not see in the assembly Vidalia, how do I turn on the relay? OS: Linux Mint

See https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIconfigureTorasarelayorbridge

Your best bet with Mint is probably to install the system Tor daemon and configure that as a relay. Then run TBB3.5 when you want to use Tor as a client.

Thank you for all the fine work that you all do at torproject !

All of us users owe all of you developers/volunteers/etc a great deal of gratitude and I guess a great deal more seeing as we get to use this liberty safeguarding software for absolutely free...

I have a question.

Do the instructions provided by torproject for setting up torchat with Linux still apply now that V 3.5 is out? (which were almost impossible to follow BTW)

If not, can someone update the tutorial on how to set it up please?

And just how dangerous (ball park, I know you cannot be specific) would it be to use TC with the older version of tor installed via apt-get seeing as TC is end to end encrypted as opposed to using exit nodes?

Thx

I'm afraid there are no instructions provided by torproject for setting up torchat -- in fact, none of the Tor people wrote or evaluated Torchat. Sorry for the confusion from the name. As to how dangerous it is to use, even with the new Tor... who knows? Somebody should do a security audit of its design and code.

Creating a new identity stops running downloads. The older version kept downloading processes and provided a new identity as well. Will this feature come back?

Sounds like you want to contribute to https://trac.torproject.org/projects/tor/ticket/10426

This one is a real ball-breaker for me and everyone I know who uses TBB. I wish I were technical enough to contribute.

This ticket describes exactly what I was looking for.
https://trac.torproject.org/projects/tor/ticket/10426

Please consider to implement it.

Roger, you're a kind soul for answering so many questions patiently and respectfully. Something for the rest of us to aspire to, especially during the holiday season :-)

It's also kind of amazing how many people appear to have scrolled past various comments/questions on this post, only to ask basically the same question or make the same comment...

Thanks for thinking about the human behind the words. :)

help needed: downloaded tor 3.5. for osx. it starts fine, seems to connect to tor network ( 8 servers show up as being contacted in little snitch) but does NOT connect to any website. means: no websurfing at all. previous tor bundles with vidalia never had any problems at all on same osx installation.

where to start here ? no vidalia log that could indicate and provide info which could be posted here for guidance. guidance appreciated.

There's the 'copy Tor log to clipboard' option, and then you can paste it into a file or notepad or whatever you like and read it and see if there are any hints.

My first thought is to wonder if you're running some sort of security or anti-virus or something program that prevents some part of Tor Browser from talking to itself.

i am running "little snitch" but have set rules to allow enabled TOR 3.5. to make in and outgoing connection without restrictions.

also running sophos anti-virus for mac

in osx firewall had TOR 3.5 entered with permission to incoming and outgoing connections

the above security programs are running since long time. they never obstructed any previous tor version , so why should they now ?

little snitch shows tor connecting to some servers on start-up, but then no further browser request to connect to the world wide web show any change in little snitch TOR 3.5 connection window. can't even connect to tor pages or use startpage search from TOR start window.

TOR 3.5 log shows "time out" with any of the failed url connection attempts , no further comments in the log

no idea what's going on here ( or better what's NOT going on here)

Little different, but same problem here. Sophos seems to be blocking TB. I tried back and forth and when you switch off Sophos (which is not really an option) TB goes through. Have not yet found any workaround...
C.

Same issue here! Haven't found any fix or work around for this anywhere.

I am having the exact same problem. If I turn Little Snitch OFF, Tor works. But I need to keep Little Snitch running. I never had problems before running Tor while Little Snitch was active. Hopefully someone has the answer - or someone can tell me where I can find previous versions of Tor.

Fixed! Just double check your rules "affecting" LS Agent. You can turn off outgoing connections - you will get windows asking permission for Tor to connect, allow it to do so. Other apps / processes will NOT automatically be allowed to connect to anything etc, you will be asked and simply deny. A bit of a hassle but it works fine, especially if you're not running a bunch of other apps in the bg.

sophos antivirus for mac appears to be the culprit here. switching it OFF made TOR 3.5. work at least with tor websites. sophos anti virus has several scanners, one called "web protection", the other download protection and what they call "on-access" scan.

not sure which one is the tor-block as switching them off appears to have a delay.

so, why and how to have virus protection and still run TOR ?

interesting enough, sophos anti virus did NOT obstruct any previous tor editions.

You are right. The recent (free) version of Sophos (9.0.6) has "Web Protection" switched on by default. But both have to be switched off in order to work with TB. I tried all other combinations. My other, previous version (8.02.1) on my macbook works perfectly with sophos because it lacks "Web Protection". Contacted Sophos-Support...
C.

Ditto - this is a new problem - Sophos on-access scanning can be left running but both the "malicious websites" AND the "malicious downloads" blockers in Sophos Anti-Virus>Preferences>Web Protection>General must be toggled off for TBB 3.5 to run on Mavericks 10.9.1

Can someone please answer the following question regarding the upgrade to a new Firefox version in TBB 3.5?

Looking at this vulnerability located here:
https://www.mozilla.org/security/announce/2013/mfsa2013-116.html

and which is linked to from here:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.2

The 'brief description' given reads:

"Description
Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft. "

There is a link to the full details at the URL I pasted above.

.....does this vulnerability description convey what I think it does ?

I.e. that a suitably crafted .JPG file could read arbitrary memory locations including encryption keys in RAM?

Holy cow !!

Holy cow indeed. Every Firefox update includes fixes for issues like this. :(

All the more reason for you to stay up-to-date with your TBB's -- and for us to get TBB's secure updater working.

As a non-programmer it strikes me that there appears to be a preponderance of incompetent and/or malicious computer programmers out there for it to end up being the case that such blatantly dangerous exploits exist in the code for the most fundamental WWW features like simple .JPG renderers that have been available for security review/hardening for literally decades.

The programming community should be ashamed and lift their game and professional standards and root out the vast numbers of incompetents among them that seem to exist.

There is no excuse for this level of utter uselessness, it would not be tolerated in any other industry even if it did occur and in any case it doesn't occur in other industries to any great extent.

You don't see mechanical or civil engineers designing bridges or buildings with such fundamental design flaws that undermine them such that they collapse or sway and snap or other such critical faults.

They need to be held accountable for such pathetic trade-craft and much, much higher standards need to be implemented and strictly adhered to or we will continue to have an insecure internet and therefore consumers cannot have confidence and ultimately e-commerce is restricted.

Grrrrr this preventable madness makes me furious!

The other industries you mention produce much smaller systems.

Things like Firefox are enormously complex compared to a bridge or even a building.

I guess a better comparison might be to our financial system, which has sure grown its share of complexity (and security bugs).

Anyway, this one is pretty far off-topic by now. Suffice to say that they're not idiots, and making large computing systems safe actually is hard to do right even for smart people. But that said, I think it would be fair to say that maybe Mozilla hasn't been putting their energy into the direction that would produce the most benefit security-wise.

Downloaded 3.5. (windows) installed. run. connect.

"Congratulations you are using Tor"

but no connectivity. cannot navigate to any site.

previously this was install and play - now what?

This Cloudflare blocking is getting ridiculous. 99% of Tor exit nodes have been blocked for at least four days out of the week and continuing. What can the Tor community do about this? Would Tor ever consider switching to a design that tries to hide exit node IPs? Websites just get more and more hostile to Tor.

Hiding exit IPs doesn't seem like a workable strategy.

I think the right answer is that we need to grow an outreach campaign to a) teach websites why it's valuable to hear from Tor users, and b) teach them how to handle abuse issues better at the application level rather than at the "well just block bad IPs and hope that's good enough" level.

This issue is indeed growing in importance, but there aren't enough core Tor people to work on it. Please help!

1. New relays would be seeded into being either an exit relay or entry node (to start) according to their preference.

2. Only after a long period of trust would entry nodes move up to being middle nodes.

3. Middle nodes would only be allowed to connect to a small subset of exit nodes so that compromising them won't compromise all exit nodes. Users would use middle guards instead of entry guards.

4. The exit node's IP plus other random IPs will be censored out of all traffic returning along a circuit ending with it.

5. zk-SNARKS* (http://eprint.iacr.org/2013/507) will be used to guarantee that your SSL traffic isn't modified beyond that.

6. Clients will be restricted to using a limited number of exit nodes via proof-of-work or some other proof-of-something to prevent them from harvesting exit node IPs using websites that they run.

Then you have somewhat hidden proxies. Genius, or crazy?

*I know that most of this post is crazy but I've wondered about this part. If you can use cryptography to prove that somebody has executed a program in a particular way via a zero-knowledge proof (without them learning the inputs) then can't you use it to prove that a node has routed your traffic correctly without knowing what it is? Wouldn't this make mix networks obsolete and make single-hop connections safe? It could be the next step in anonymous communications. I know Tor has cryptographic geniuses on hand so I thought I'd bring it up.

If I'm a Mac OS X user and I have the Tor Browser Bundle 3.5 running, does that mean I'm running a relay, or do I need to do something special to run a relay?

You're just a client by default.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#HowdoIconfigureTorasarelayorbridge

(Running a relay with TBB3.5 is a bit klunky on OS X currently, but it is doable. Hopefully it will get easier once we fix some Tor launcher bugs, and once we get a standalone Vidalia bundle for you.)

What happened to the icon on notification area ?

What?

The tor icon next to the clock on the notification area doesn't appear any more

Anyone else finding the TBB (3.5) just doesn't work? Windows 32bit version on a win7 64bit machine. Running from USB installation. Start up but that's it. Can't even find torproject.

Check prefs No Polipo - do I need it? Thought the TBB put an end to all that.

Or is TOR itself in difficulties today?

um. Tor Browser Bundle doesn't (browse). dl'd today 3.5 and tor starts (checked firewall and is allowed) but no browsing. No sites available.

The old version stopped browsing onion sites a few hours ago. I upgraded to 3.5 and can browse everything but onion.

Serious leak in TBB 3.5 FINAL

    Relevant info:

Microsoft Windows 64bit
OpenVPN client 2.3.2-I003 64bit
tor-browser-2.3.25-15_en-US.exe
torbrowser-install-3.5_en-US.exe

    Scenario #1

I launched OpenVPN and connected to my VPN service provider via either TCP or UDP protocol. Next I launched Start Tor Browser.exe of tor-browser-2.3.25-15_en-US.exe

I surfed to some websites and launched a command prompt with admin privilege. In the command prompt window, I typed netstat -bn

Both openvpn.exe and openvpn-gui.exe showed 127.0.0.1:port number for both local address and foreign address

    Scenario #2

Same procedures as in Scenario #1 above except that I launched Start Tor Browser.exe of torbrowser-install-3.5_en-US.exe

Local address for both openvpn.exe and openvpn-gui.exe showed 127.0.0.1
However the foreign address for both of them showed 49.59.199.107

To Tor developers: Please fix the leak in TBB 3.5 FINAL as soon as possible to prevent NSA's hacks. Thanks.

I'm confused. Is this a bug report on your openvpn configuration, where you were hoping it would capture outgoing TCP streams but it didn't capture all of them?

49.59.199.107 looks like it's in Korea. I don't think it's a Tor relay of any sort. Perhaps it's where your OpenVPN was connected to? That case also doesn't sound like a Tor bug though.
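The check discussed in the report and reply above, as an added example (not part of any comment and not Tor Project code): it parses `netstat -bn` output, groups remote addresses by owning executable, and flags connections that leave outside the VPN tunnel. The sample output, its addresses, the tunnel address `10.8.0.6`, `updater.exe` and all function names are constructed for illustration; it assumes a full-tunnel OpenVPN setup in which tunneled sockets show the tunnel adapter's address as their local address.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample in the layout `netstat -bn` prints on Windows. Addresses
# come from the RFC 5737 documentation ranges, not from the report above.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:9150         127.0.0.1:50311        ESTABLISHED
 [tor.exe]
  TCP    127.0.0.1:50311        127.0.0.1:9150         ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:50290        127.0.0.1:50291        ESTABLISHED
 [openvpn-gui.exe]
  TCP    192.168.1.20:50302     203.0.113.10:443       ESTABLISHED
 [openvpn.exe]
  TCP    10.8.0.6:50320         198.51.100.7:9001      ESTABLISHED
 [tor.exe]
  TCP    192.168.1.20:50333     198.51.100.99:443      ESTABLISHED
 [updater.exe]
  TCP    192.168.1.20:50340     192.0.2.55:445         TIME_WAIT
 Can not obtain ownership information
  TCP    [::1]:50350            [::1]:50351            ESTABLISHED
  RpcSs
 [svchost.exe]
"""


class Conn(NamedTuple):
    proto: str
    local_ip: str
    foreign_ip: str
    state: str
    exe: Optional[str]  # None when netstat could not name the owner


def _host(endpoint: str) -> str:
    """Drop the port and IPv6 brackets from 'ip:port' or '[ip]:port'."""
    return endpoint.rsplit(":", 1)[0].strip("[]")


def parse_netstat_bn(text: str) -> list:
    """Return one Conn per connection row, with the owner from the
    '[name.exe]' line that follows it (component lines are skipped)."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            state = fields[3] if len(fields) > 3 else ""  # UDP rows have none
            conns.append(Conn(fields[0], _host(fields[1]), _host(fields[2]),
                              state, None))
        elif (line.startswith("[") and line.endswith("]")
              and conns and conns[-1].exe is None):
            conns[-1] = conns[-1]._replace(exe=line[1:-1].lower())
    return conns


def is_remote(ip: str) -> bool:
    """True for a parsable, non-loopback address ('*' in UDP rows is not)."""
    try:
        return not ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def remotes_by_exe(conns) -> dict:
    """Map each executable to the sorted remote addresses it talks to."""
    grouped = defaultdict(set)
    for c in conns:
        if is_remote(c.foreign_ip):
            grouped[c.exe or "<unknown>"].add(c.foreign_ip)
    return {exe: sorted(ips) for exe, ips in grouped.items()}


def outside_tunnel(conns, tunnel_ip: str, vpn_client: str = "openvpn.exe"):
    """Remote connections that neither use the tunnel address as their local
    address nor belong to the VPN client itself (whose link to the VPN
    server necessarily runs over the physical interface)."""
    return [c for c in conns
            if is_remote(c.foreign_ip)
            and c.local_ip != tunnel_ip
            and c.exe != vpn_client]


if __name__ == "__main__":
    parsed = parse_netstat_bn(SAMPLE)
    for exe, ips in sorted(remotes_by_exe(parsed).items()):
        print(f"{exe:18} -> {', '.join(ips)}")
    for c in outside_tunnel(parsed, tunnel_ip="10.8.0.6"):
        print("outside tunnel:", c.exe or "<unknown>", c.local_ip, "->", c.foreign_ip)
```

A remote address listed under `openvpn.exe` is expected to be the VPN server and can be compared with the `remote` line of the OpenVPN client configuration; rows reported by `outside_tunnel` are the ones worth investigating.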
