firefox

New Tor Browser Bundles and Tor 0.2.4.14-alpha packages

All of the Tor Browser Bundles have been updated with the new Firefox 17.0.7esr. There is also a new Tor 0.2.4.14-alpha release and all of the packages have been updated with that as well.

https://www.torproject.org/download/download-easy

Tor Browser Bundle (2.3.25-10)

  • Update Firefox to 17.0.7esr
  • Update zlib to 1.2.8
  • Update HTTPS Everywhere to 3.2.2
  • Update NoScript to 2.6.6.6

Tor Browser Bundle (2.4.15-alpha-1)

  • Update Tor to 0.2.4.14-alpha
  • Update Firefox 17.0.7esr
  • Update zlib to 1.2.8
  • Update libpng to 1.5.16
  • Update HTTPS Everywhere to 4.0development.8
  • Update NoScript to 2.6.6.6

New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Open these into their own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

New Tor Browser Bundles and Tor 0.2.4.7-alpha packages available

All of the Tor Browser Bundles have been updated to Firefox 10.0.12esr in order to address the recent problems with TurkTrust certificates. From Mozilla's post:

TURKTRUST, a certificate authority in Mozilla’s root program, mis-issued two intermediate certificates to customers. TURKTRUST has scanned their certificate database and log files and confirmed that the mistake was made for only two certificates.

This is not a Firefox-specific issue. Nevertheless, we are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.

All users are strongly encouraged to upgrade.

There was also a new Tor 0.2.4.7-alpha release and all alpha packages have been updated with that.

A note about the Vidalia bundles:

The plain Vidalia bundles have been discontinued. We apologize for any confusion or inconvenience that this has caused for our users. In order to continue to use the Vidalia bundle as a client, download one of the available bundles, go into the Vidalia "Settings" menu and click "Run as a client only".

https://www.torproject.org/download/download-easy

Tor Browser Bundle (2.3.25-2)

  • Update Firefox to 10.0.12esr
  • Update Libevent to 2.0.21-stable
  • Update HTTPS Everywhere to 3.1.2
  • Update NoScript to 2.6.4.2

Tor Browser Bundle (2.4.7-alpha-1)

  • Update Firefox to 10.0.12esr
  • Update Tor to 0.2.4.7-alpha
  • Update Libevent to 2.0.21-stable
  • Update HTTPS Everywhere to 4.0development.4
  • Update NoScript to 2.6.4.2

New Tor Browser Bundles

All of the stable Tor Browser Bundles have been updated with the latest Firefox 10.0.9esr release.

https://www.torproject.org/download/download-easy.html.en

Further notes about Tor Browser Bundle updates:

Tor Browser Bundle (2.2.39-3)

  • Update Firefox to 10.0.9esr
  • Update Torbutton to 1.4.6.3
  • Update NoScript to 2.5.7
  • Update HTTPS Everywhere to 2.2.2
  • Update libpng to 1.5.13

New Tor Browser Bundles

The Tor Browser Bundles have been updated with a bunch of new software: Tor 0.2.2.37, Vidalia 0.2.19, and we have switched to using Firefox's long-term stable release (10.0.5esr).

https://www.torproject.org/download

Tor Browser Bundle (2.2.37-1)

  • Update Tor to 0.2.2.37
  • Switch Firefox to 10.0.5esr, since we will be tracking the extended stable releases for TBB stable versions
  • Update Vidalia to 0.2.19
  • Update Torbutton to 1.4.6
  • Update NoScript to 2.4.4

Firefox security bug (proxy-bypass) in current TBBs

A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

  1. Type “about:config” (without the quotes) into the Firefox URL bar. Press Enter.
  2. Type “websocket” (again, without the quotes) into the search bar that appears below "about:config".
  3. Double-click on “network.websocket.enabled”. That line should now show “false” in the ‘Value’ column.

See Tor bug 5741 for more details. We are currently working on new bundles with a better fix.

New Tor Browser Bundles (updated for Linux again)

The Tor Browser Bundles have all been updated to the latest Firefox 11.0 as well as a number of bugfixes. Because of a very slow uplink, not all of the Mac OS X 64-bit bundles are available yet, but all of the 32-bit bundles are up, and the Farsi (sig) and English (sig) versions of the 64-bit bundles are also available.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-9), Linux only

  • Fix launch script to prevent Vidalia from running in debug mode all the time (closes: #5417)

Tor Browser Bundle (2.2.35-8)

  • Update Firefox to 11.0
  • Update OpenSSL to 1.0.0h
  • Update NoScript to 2.3.4
  • Update HTTPS Everywhere to 2.0.1
  • Always build to with warnings enabled (closes: #4470)
  • Disable HTTPS Everywhere SSL Observatory screen (closes: #5300)

Windows

  • Remove tor-resolve from the Windows bundle (closes: #5403)

Mac OS X

  • Give OS X users below 10.5 an incompatibility message (closes: #4356)
  • Linux

    • Don't attempt to load the default KDE 4 theme from Vidalia, because that fails when the Qt versions don't match (closes: #5214)

    New Tor Browser Bundles

    The Tor Browser Bundles have been updated to Firefox 9.0.1. Originally they were updated to Firefox 9 and both changelogs are listed below.

    https://www.torproject.org/download

    Tor Browser Bundle (2.2.35-3)

    • Update Firefox to 9.0.1

    Tor Browser Bundle (2.2.35-2)

    • Update Firefox to 9.0
    • Update Torbutton to 1.4.5.1
    • Update Noscript to 2.2.4
    • New Firefox patches
      • Provide client values only to CSS Media Queries and disable several Mozilla extensions that seem fingerprintable

    New Tor Browser Bundles

    The Tor Browser Bundles have been updated to Firefox 8.0.1 along with a new Libevent and some extension updates.

    https://www.torproject.org/download

    Tor Browser Bundle (2.2.34-3)

    • Update Firefox to 8.0.1
    • Update Libevent to 2.0.16-stable
    • Update NoScript to 2.2
    • Update HTTPS Everywhere to 1.2.1
    • Begin building Tor with --enable-gcc-warnings
    Syndicate content Syndicate content