mikeperry's blog

Tor Browser 4.0.4 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Note: The individual bundles of the stable series are signed by one of the subkeys of the Tor Browser Developers signing key from now on, too. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290


Tor Browser 4.0.4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Additionally, it contains updates to NoScript, HTTPS-Everywhere, and OpenSSL (none of the OpenSSL advisories since OpenSSL 1.0.1i have affected Tor, but we decided to update to the latest 1.0.1 release anyway).

Here is the changelog since 4.0.3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update HTTPS-Everywhere to 4.0.3
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions

Tor Browser 4.5a4 is released

The Tor Browser team is proud to announce the release of the fourth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Moreover, this release includes an updated Tor, 0.2.6.3-alpha, and switches Scramblesuit and obfs3 bridge support to a new golang-based implementation. We are especially interested in hearing any issues with using obfs3, obfs4, and Scramblesuit in this release.

The release also features several improvements to usability, following the results of the usability sprint at the end of last month. In particular, the Torbutton onion menu and related preference windows have been overhauled to provide more simplicity and more focus. The onion menu now features a much requested "New Circuit for this site" option, and the security and privacy settings window have been simplified. For censored users, the first run configuration wizard was also improved to present the choice of Pluggable Transport before the local proxy information, in an effort to avoid confusion between Pluggable Transports and local proxies. As can be seen from the changelog below, the release contains several other usability tweaks and enhancements as well.

Here is the full changelog for changes since 4.5-alpha-3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update Tor to 0.2.6.3-alpha
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update obfs4proxy to 0.0.4
      • Use obfs4proxy for ScrambleSuit bridges
    • Update Torbutton to 1.9.0.0
      • Bug 13882: Fix display of bridges after bridge settings have been changed
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 14866: Show correct circuit when more than one exists for a given domain
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14632: Disable Cookie Manager until we get it working.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 13900: Remove remaining SafeCache code in favor of C++ patch
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 9387: Handle "custom" mode better in Security Slider
      • Bug 12430: Bind jar: pref to Security Slider
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Translation updates
    • Update Tor Launcher to 0.2.7.2
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Translation updates
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 10280: Don't load any plugins into the address space.
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 5698: Fix branding in "About Torbrowser" window
  • Windows:
    • Bug 13169: Don't use /dev/random on Windows for SSP
  • Linux:
    • Bug 13717: Make sure we use the bash shell on Linux

Note: Once again, the individual bundles of both Tor Browser series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290

Tor Browser 4.5-alpha-1 is released

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only, which also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you transition to this 64 bit release, the updater should function correctly after that.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS

End of life plan for Tor Browser on 32 bit Macs

We are planning to discontinue support for 32 bit Macs for Tor Browser.

We're doing this for two main reasons. First, Apple itself no longer supports 32 bit Macs. The only remaining 32 bit Mac users are on OSX 10.6, which Apple ended support for in February of this year. Second, 64 bit software has improved security properties by way of improved address space layout randomization (ASLR), which makes exploitation more difficult.

This transition will happen in phases: First, the upcoming 4.5-alpha series will only be available as 64 bit builds. We will continue releasing 32 bit versions of the 4.0 series until the 4.5 series is declared stable. When the 4.5 release stabilizes, all support for 32 bit Macs will end. The 4.5 release series will be stable "when it's ready", but we know we need to perform at least two more releases in this series to properly exercise the new security features in the updater. This means that 32 bit Mac users likely have a month or two to decide what to do.

Current 32 bit Mac users have a few options. If your actual Mac hardware is 64 bit capable, you can upgrade to either the 64 bit edition of OSX 10.6 (which we will continue to support for a bit longer), or use the app store to upgrade to 10.9 or 10.10.

If your hardware is not 64 bit capable and won't run these newer Mac operating systems, you should still be able to use Tails, which contains the Tor Browser. You can run Tails in a virtual machine such as VirtualBox, or you can manually install it to a USB disk from the Mac OS Terminal. If you install Tails to a USB stick, you will need to reboot your Mac in order to use it.


All Mac Users: Manual Update Required

The transition from 32 bit Mac bundles to 64 bit Mac bundles means that our (currently experimental) in-browser updater will not transition any Mac users to the 64bit version automatically, even if your Mac is already running a 64 bit version of Mac OS. You must perform this update manually, as you had to do prior to the 4.0 series. This means downloading the DMG and dragging the new 64 bit Tor Browser over your old Tor Browser, and replacing the application.

Once you are running the 64 bit version, updates should function correctly again.

Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users that are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still on-going.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek's performance to match other transports, though. so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Udate fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).


Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Udate fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 4.0-alpha-3 is released

The third alpha release of the 4.0 series is available from the extended downloads page and also from our distribution directory.

The individual bundles of this release are signed by Georg Koppen. You can find his key fingerprint on the Signing Keys page. It is:

 pub   4096R/4B7C3223 2013-07-30
 Fingerprint = 35CD74C24A9B15A19E1A81A194373AA94B7C3223



IMPORTANT UPDATER ISSUES:

  • We discovered Bug 13245 will cause non-English Tor Browsers to update to the English version. This bug has been fixed in this release, but 4.0a2 users will still be updated to the English version if they use the in-browser updater.
  • Meek Transport users will need to restart their browser a second time after upgrade if they use the in-browser updater. We are still trying to get to the bottom of this issue.

This release also features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Tor to 0.2.5.8-rc
    • Update Firefox to 24.8.1esr
    • Update meek to 0.11
    • Update NoScript to 2.6.8.42
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
    • Bug 13091: Use "Tor Browser" everywhere
    • Bug 13049: Browser update failure (self.update is undefined)
    • Bug 13047: Updater should not send Kernel and GTK version
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Bug 13245: Prevent non-english TBBs from upgrading to english version.
  • Linux:
    • Bug 9150: Make RPATH unavailable on Tor binary.
    • Bug 13031: Add full RELRO protection.



The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.6 is released

The sixth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog for 3.6.6:

  • All Platforms
    • Update Tor to tor-0.2.4.24
    • Update Firefox to 24.8.1esr
    • Update NoScript to 2.6.8.42
    • Update HTTPS Everywhere to 4.0.1
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
  • Linux
    • Bug 9150: Make RPATH unavailable on Tor binary.



The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.5 and 4.0-alpha-2 are released

Tor Browser 3.6.5

The fifth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release also features improvements to the canvas image extraction permissions prompt, and will now log offending script urls to the browser console. It also restores the missing RELRO hardening option to the Linux bundles, and disables NTLM and Negotiate HTTP auth (which can leak sensitive information about the computer). To avoid resolution fingerprinting, popups are also opened in new tabs by default.

Here is the complete changelog for 3.6.5:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update HTTPS Everywhere to 4.0.0
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.

    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 9881: Open popups in new tabs by default
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.


Tor Browser 4.0-alpha-2

In addition, we are also releasing the second alpha in the 4.0 series, available for download on the extended downloads page.

This release also includes important security updates to Firefox.

In addition to including the changes in 3.6.5, this release also is the first Tor Browser release to enable the in-browser Firefox-based updater. This means that if all goes well, 4.0-alpha-2 users will notified of an available update via a notification similar to that in Firefox. You will then be able to download and install it directly via the browser UI. By default, neither the download nor the update will happen automatically, so if you are not feeling adventurous, you need not allow it to update in this way. Even if you are feeling adventurous, you should probably back up your Tor Browser directory before updating.

In addition to the updater, this release should also re-enable the basic hardening features on Windows, including ASLR, DEP, and SSP.

Furthermore, the NoScript behavior in this release has changed. Selecting "Temporarily allow scripts" will now automatically allow all scripts in a page. This was done for usability reasons, to make it easier for novice users to run Tor Browser with scripting disabled most of the time. This will also hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default.

Here is the complete changelog for 4.0-alpha-2:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update Tor Launcher to 0.2.7.0
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.

    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 4234: Automatic Update support (off by default)
    • Bug 9881: Open popups in new tabs by default
    • Meek Pluggable Transport:
      • Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.



The list of frequently encountered known issues is also available in our bug tracker.

Syndicate content Syndicate content