The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

• All Platforms
  • Update OpenSSL to 1.0.1g
  • Bug 9010: Add Turkish language support.
  • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
  • Update fte transport to 0.2.12
  • Update NoScript to 2.6.8.19
  • Update Torbutton to 1.6.8.1
    • Bug 11242: Fix improper "update needed" message after in-place upgrade.
    • Bug 10398: Ease translation of about:tor page elements
  • Update Tor Launcher to 0.2.5.3
    • Bug 9665: Localize Tor's unreachable bridges bootstrap error
  • Backport Pending Tor Patches:
    • Bug 9665: Report a bootstrap error if all bridges are unreachable
    • Bug 11200: Prevent spurious error message prior to enabling network.
• Linux:
  • Bug 11190: Switch linux PT build process to python2
  • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
• Windows:
  • Bug 11286: Fix fte transport launch error

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

The 3.5.4-stable release of the Tor Browser is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release updates only OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

Here is the changelog:

• All Platforms
• Update OpenSSL to 1.0.1g

Below is a collection of resources that will help you get Tor up and running. We also discuss alternative approaches of downloading the Tor Browser Bundle and provide mirrors for all these resources in case torproject.org is blocked.

To start with, please look at Bundle Downloads and determine the best way for you to download the Tor Browser Bundle. After you have downloaded the bundle and before you install/extract it, you should also verify it to make sure the bundle you downloaded is genuine and has not been tampered with; this step is optional but recommended.

We have screencasts (video guides) that will help you with the installation and verification process on Windows, Linux and OS X.

Windows
TBBTraining-DownloadAndVerify-Windows.mp4

Mirror:
torservers.net

Linux
TBBTraining-DownloadAndVerify-Linux.mp4

Mirror:
torservers.net

OS X
TBBTraining-DownloadAndVerify-MacOS.mp4

Mirror:
torservers.net

Text guide for signature verification
https://www.torproject.org/docs/verifying-signatures.html.en

Mirrors:
EFF
torservers.net

Tor Browser Bundle Downloads

torproject.org

https://www.torproject.org/projects/torbrowser.html.en

Mirrors:
EFF
torservers.net

GetTor

GetTor is a program for serving the Tor Browser Bundle through email. This is particulary useful if you cannot access torproject.org or any other mirrors.

To request a bundle from GetTor, send a blank email to gettor@torproject.org. GetTor will then respond with links to the Tor Browser Bundle for all platforms.

Note: GetTor was earlier restricted to requests from Gmail and Yahoo!. This is no longer the case and you can request for bundles from any email address, including Outlook.

Bridges

If you are unable to reach the Tor network after installation (Tor Launcher starts, however the green progress bar stops), you need to use bridges.

Acquiring Bridges

One way to find public bridge addresses is to send an email (from a Gmail or a Yahoo! address) to bridges@bridges.torproject.org with the line 'get bridges' by itself in the body of the mail.

You can also acquire bridges by visiting https://bridges.torproject.org/. If you see that this page is offline, please wait for a few minutes and try again.

Bridge Usage

1. Launch the Tor Browser Bundle
2. Click "Configure"
3. Click "Next" until you reach a page that reads "If this computer's Internet connection is censored, you will need to obtain and use bridge relays"
4. Enter the bridges you received from one of the methods above into the text box
5. Click "Connect"

Pluggable Transports

If you find that using standard bridges fails for you, you can try using the 3.6-beta-1 bundle located on the same downloads page listed above. These bundles included integrated pluggable transport support, and are useful in areas where standard bridges are blocked.

To activate pluggable transports in the 3.6-beta-1 bundle, follow the bridge directions above, however simply select "obfs3" or "fte" when you reach the bridge configuration page (instead of entering bridge addresses yourself).

Support

Still need help? If you have any questions, trouble connecting to Tor network, or need to talk to a human, please contact our support team at:

help@rt.torproject.org for English
help-ar@rt.torproject.org for Arabic
help-es@rt.torproject.org for Spanish
help-fa@rt.torproject.org for Farsi
help-fr@rt.torproject.org for French
help-zh@rt.torproject.org for Mandarin

The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release also includes important security updates to Firefox.

As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

Here is the complete changelog for 3.5.3:

• All Platforms
  • Update Firefox to 24.4.0esr
  • Update Torbutton to 1.6.7.0:
    • Bug 9901: Fix browser freeze due to content type sniffing
    • Bug 10611: Add Swedish (sv) to extra locales to update
  • Update NoScript to 2.6.8.17
  • Update Tor to 0.2.4.21
  • Bug 10237: Disable the media cache to prevent disk leaks for videos
  • Bug 10703: Force the default charset to avoid locale fingerprinting
  • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
• Linux:
  • Bug 9353: Fix keyboard input on Ubuntu 13.10
  • Bug 9896: Provide debug symbols for Tor Browser binary
  • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

The Tor Browser team is proud to release the first beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This beta features fully integrated Pluggable Transport support, including an improved Tor Launcher UI for configuring Pluggable Transport bridges. The Pluggable Transport code is also fully disabled for users who do not configure them.

We believe that this approach will allow us to quickly turn 3.6 into a stable release, perhaps as soon as the next point release of TBB.

This release also changes the MacOS archive format from zip to DMG, which should improve installation usability for Mac users.

This release also includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series.

Here is the complete changelog:

• All Platforms
  • Update Firefox to 24.4.0esr
  • Include Pluggable Transports by default:
  • Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.6 are now included
  • Update Tor Launcher to 0.2.5.1
  • Bug 10418: Provide UI configuration for Pluggable Transports
  • Bug 10604: Allow Tor status & error messages to be translated
  • Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
  • Bug 10610: Clarify wizard UI text describing obstacles/blocking
  • Bug 11074: Support Tails use case (XULRunner and optional customizations)
  • Update Torbutton to 1.6.7.0:
  • Bug 9901: Fix browser freeze due to content type sniffing
  • Bug 10611: Add Swedish (sv) to extra locales to update
  • Update NoScript to 2.6.8.17
  • Update Tor to 0.2.4.21
  • Backport Pending Tor Patches:
  • Bug 5018: Don't launch Pluggable Transport helpers if not in use
  • Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
  • Bug 11069: Detect and report Pluggable Transport bootstrap failures
  • Bug 11156: Prevent spurious warning about missing pluggable transports
  • Bug 10237: Disable the media cache to prevent disk leaks for videos
  • Bug 10703: Force the default charset to avoid locale fingerprinting
  • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
• Mac:
  • Bug 4261: Use DMG instead of ZIP for Mac packages
• Linux:
  • Bug 9353: Fix keyboard input on Ubuntu 13.10
  • Bug 9896: Provide debug symbols for Tor Browser binary
  • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

The 3.5.2.1 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release fixes the localization of the non-english bundles.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series.

Here is the list of changes since 3.5.2. The 3.x ChangeLog is also available.

• All Platforms
  • Bug 10895: Fix broken localized bundles
• Windows:
  • Bug 10323: Remove unneeded gcc/libstdc++ libraries from dist

The 3.5.2 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

• Rebase Tor Browser to Firefox 24.3.0ESR
• Bug 10419: Block content window connections to localhost
• Update Torbutton to 1.6.6.0
  • Bug 10800: Prevent findbox exception and popup in New Identity
  • Bug 10640: Fix about:tor's update pointer position for RTL languages.
  • Bug 10095: Fix some cases where resolution is not a multiple of 200x100
  • Bug 10374: Clear site permissions on New Identity
  • Bug 9738: Fix for auto-maximizing on browser start
  • Bug 10682: Workaround to really disable updates for Torbutton
  • Bug 10419: Don't allow connections to localhost if Torbutton is toggled
  • Bug 10140: Move Japanese to extra locales (not part of TBB dist)
  • Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
• Update Tor Launcher to 0.2.4.4
  • Bug 10682: Workaround to really disable updates for Tor Launcher
• Update NoScript to 2.6.8.13

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

• All Platforms
  • Update Tor to 0.2.4.19
  • Update Tor Launcher to 0.2.4.2
    • Bug 10382: Fix a Tor Launcher hang on TBB exit
  • Update Torbutton to 1.6.5.2
    • Misc: Switch update download URL back to download-easy

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encourage to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, this release candidate will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

• All Platforms
  • Update Firefox to 24.2.0esr
  • Update NoScript to 2.6.8.7
  • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
    • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
  • Bug 5060: Disable health report service
  • Bug 10367: Disable prompting about health report and Mozilla Sync
  • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
  • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
  • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
  • Update Tor Launcher to 0.2.4.1
    • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
    • Bug 10201: FF ESR 24 hangs during exit on Mac OS
    • Bug 9984: Support running Tor Launcher from InstantBird
    • Misc: Support browser directory location API changes in Firefox 24
  • Update Torbutton to 1.6.5.1
    • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
    • Bug 8167: Update cache isolation for FF24 API changes
    • Bug 10201: FF ESR 24 hangs during exit on Mac OS
    • Bug 10078: Properly clear crypto tokens during New Identity on FF24
    • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
• Linux
  • Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

The Tor Project has two browser-related job openings available!

We are looking for a C++ browser developer to work on our Firefox-based browser, and a Firefox extension developer to work on our growing number of Firefox extensions. Our ideal candidates would be comfortable in both roles, but we are also interested in hearing from people with either skillset.

On the C++ side, your tasks would include implementing new Firefox APIs and browser behavior changes; looking for and resolving web privacy issues; fixing bugs; responding on short notice to security issues; and helping to merge patches upstream.

On the extension development side, your primary tasks will include writing patches and UI improvements for Tor Birdy, Torbutton, HTTPS-Everywhere, Tor Launcher, and an OTR plugin for InstantBird. These improvements will primarily revolve around improving usability, Tor configuration, and security for our users.

Instructions on how to apply to the C++ position can be found on the browser hacker job posting. If you would prefer to focus on extension development, you should apply to the extension developer position.