tbb-3.0

Tor Browser 3.5.1 is released

The 3.5.1 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

Please see the FAQ listing for any issues you may have before contacting support or filing tickets.

This release features an update to OpenSSL to fix a denial of service condition, and a fix to the NoScript whitelist to remove addons.mozilla.org.

This release also features Tor 0.2.4.20, as well as support for screen readers for the blind on Windows.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

  • All Platforms
    • Bug 10447: Remove SocksListenAddress to allow multiple socks ports.
    • Bug 10464: Remove addons.mozilla.org from NoScript whitelist
    • Bug 10537: Build an Arabic version of TBB 3.5
    • Update Torbutton to 1.6.5.5
      • Bug 9486: Clear NoScript Temporary Permissions on New Identity
      • Include Arabic translations
    • Update Tor Launcher to 0.2.4.3
      • Include Arabic translations
    • Update Tor to 0.2.4.20
    • Update OpenSSL to 1.0.1f
    • Update NoScript to 2.6.8.12
    • Update HTTPS-Everywhere to 3.4.5
  • Windows
    • Bug 9259: Enable Accessibility (screen reader) support
  • Mac
    • misc: Update bundle version field in Info.plist (for MacUpdates service)

Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy

Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encouraged to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, it will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213: Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

Tor Browser Bundle 3.0rc1 Released

The first release candidate in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.0rc1/.

This release includes important security updates to Firefox.

Unfortunately, we have decided to remove the PDF.JS addon from this bundle, as the version available for Firefox 17 has stopped receiving updates. Built-in PDF support should return when we transition to Firefox 24 in the coming weeks.

This release should also fix a build reproducibility issue on Windows. All platform binaries should once again be identically reproducible from source by anyone using git tag tbb-3.0rc1-release.

  • All Platforms:
    • Update Firefox to 17.0.11esr
    • Update Tor to 0.2.4.18-rc
    • Remove unsupported PDF.JS addon from the bundle
    • Bug #7277: TBB's Tor client will now omit its timestamp in the TLS handshake.
    • Update Torbutton to 1.6.4.1
      • Bug #10002: Make the TBB3.0 blog tag our update download URL for now
  • Windows
    • Bug #10102: Patch binutils to remove nondeterministic bytes in compiled binaries
  • Linux
    • Bug #10049: Fix architecture check to work from outside TBB's directory
    • Bug #10126: Remove libz and firefox-bin, and strip unstripped binaries
    • Misc: Disable Firefox updater during compile time (in addition to pref)

Tor Browser Bundle 3.0beta1 Released

The first beta release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.0b1/

This release includes important security updates to Firefox, as well as a fix for a startup crash bug on Windows XP.

This release also reorganizes the bundle directory structure to simplify implementation of the Firefox updater in future releases. This means that extracting the bundle over a previous installation will likely not preserve your preferences or bookmarks, and may cause other issues.

This release has also introduced a build reproducibility issue on Windows, hence it is signed only by two keys. We should have this issue fixed by the next beta.

Here is the complete ChangeLog:

  • All Platforms:
    • Update Firefox to 17.0.10esr
    • Update NoScript to 2.6.8.2
    • Update HTTPS-Everywhere to 3.4.2
    • Bug #9114: Reorganize the bundle directory structure to ease future autoupdates
    • Bug #9173: Patch Tor Browser to auto-detect profile directory if launched without the wrapper script.
    • Bug #9012: Hide Tor Browser infobar for missing plugins.
    • Bug #8364: Change the default entry page for the addons tab to the installed addons page.
    • Bug #9867: Make flash objects really be click-to-play if flash is enabled.
    • Bug #8292: Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API
    • Bug #3661: Remove polipo and privoxy from the banned ports list.
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent
    • Update Tor-Launcher to 0.2.3.1-beta
      • Bug #9114: Handle new directory structure
      • misc: Tor Launcher now supports Thunderbird
    • Update Torbutton to 1.6.4
      • Bug #9224: Support multiple Tor socks ports for about:tor status check
      • Bug #9587: Add TBB version number to about:tor
      • Bug #9144: Workaround to handle missing translation properties
  • Windows:
    • Bug #9084: Fix startup crash on Windows XP.
  • Linux:
    • Bug #9487: Create detached debuginfo files for Linux Tor and Tor Browser binaries.

Tor Browser Bundle 3.0alpha4 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.0a4/

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections
    • Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache isolation and SSL Observatory
    • Update Firefox to 17.0.9esr
    • Update Tor to 0.2.4.17-rc
    • Update NoScript to 2.6.7.1
    • Update Tor-Launcher to 0.2.2-alpha
      • Bug #9675: Provide feedback mechanism for clock-skew and other early startup issues
      • Bug #9445: Allow user to enter bridges with or without 'bridge' keyword
      • Bug #9593: Use UTF16 for Tor process launch to handle unicode paths.
      • misc: Detect when Tor exits and display appropriate notification
    • Update Torbutton to 1.6.2.1
      • Bug 9492: Fix Torbutton logo on OSX and Windows (and related initialization code)
      • Bug 8839: Disable Google/Startpage search filters using Tor-specific urls

As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support. To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha4-build1 (commit d1fad5a54345d9dad8f8997f2f956d3f4fdeb0f4).

These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

Tor Browser Bundle 3.0alpha3 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:

https://archive.torproject.org/tor-package-archive/torbrowser/3.0a3

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Update Firefox to 17.0.8esr
      • https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
    • Update Tor to 0.2.4.15-rc
    • Update HTTPS-Everywhere to 3.3.1
    • Update NoScript to 2.6.6.9
    • Improve build input fetching and authentication
    • Bug #9283: Update NoScript prefs for usability.
    • Bug #6152 (partial): Disable JSCtypes support at compile time
    • Update Torbutton to 1.6.1
      • Bug 8478: Change when window resize code fires to avoid rounding errors
      • Bug 9331: Hack a correct download URL for the next TBB release
      • Bug 9144: Change an aboutTor.dtd string so transifex will accept it
    • Update Tor-Launcher to 0.2.1-alpha
      • Bug #9128: Remove dependency on JSCtypes
  • Windows:
    • Bug #9195: Disable download manager AV scanning (to prevent cloud
      reporting+scanning of downloaded files)
  • Mac:
    • Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app
      (improves dock behavior).

As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support (though there are some issues in LXC).
To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha3-release (commit 49db54d147bd0bccc26f1d4f859cf9fe97e5f14c).

These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

Tor Browser Bundle 3.0alpha2 Released

The second alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive.

In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone. They have been independently reproduced by at least 3 public builders using independent machines, and the Tor Package Archive contains all three builders' GPG signatures of the sha256sums.txt file in the package directory.

To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha2-release (commit c0242c24bed086cc9c545c7bf2d699948792c1e3). These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

I will be writing a two part blog series explaining why this is important, and describing the technical details of how it was accomplished in the coming week or two. For now, a brief explanation can be found on the Liberation Technologies mailing list archive.

ChangeLog

  • All Platforms:
    • Update Firefox to 17.0.7esr
    • Update Tor to 0.2.4.14-alpha
    • Include Tor's GeoIP file
      • This should fix custom torrc issues with country-based node restrictions
    • Fix several build determinism issues
    • Include ChangeLog in bundles
  • Windows:
    • Fix many crash issues by disabling Direct2D support for now.
  • Mac:
    • Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+
  • Linux:
    • Use Ubuntu's 'hardening-wrapper' to build our Linux binaries

The complete 3.0 ChangeLog now lives here.

Major Known Issues

  1. Windows XP users may still experience crashes due to Bug 9084.
  2. Transifex issues are still causing problems with missing translation text in some bundles

Announcing Tor Browser Bundle 3.0alpha1

Update 2013/6/28: Describe workaround for the Windows d2d1.dll crash.

After almost 6 months of solid development, the Tor Project is proud to announce the first alpha in the 3.0 series of the Tor Browser Bundle!

The 3.0alpha1 bundles are downloadable from the Tor Package Archive.

Release Highlights

Here are the major highlights of the 3.0 series:

  1. Usability, usability, usability!

    We've attempted to solve several major usability issues in this series, including:

    1. No more Vidalia

      The Tor process management is handled by the new Tor Launcher Firefox extension. If you want the Vidalia map and other features, you can point an existing Vidalia binary at control port 9151 after Tor Browser has launched, and it should still work (and even allow you to reconfigure the TBB Tor as a bridge or a relay).

    2. Local homepage with search box

      The browser now uses a local about:tor homepage instead of https://check.torproject.org. A local verification against the Tor control port is still performed, to ensure Tor is working, and a link to https://check.torproject.org is provided from the about:tor homepage for manual verification as well.

    3. Guided Extraction for Windows

      For Windows users, an NSIS-based extractor now guides you through the TBB extraction and ensures the extracted bundle ends up on your Desktop, or in a known location chosen by you (but make sure you have permissions on that location). Hopefully this will mean no more losing track of the extracted bundle files!

  2. Email-sized bundles

    The bundles are all under the 25M gmail attachment size limit, so direct email and gettor attachments are once again possible.

  3. Improved build security and integrity verification

    We now use Gitian to build the bundles. The idea behind Gitian is to allow independent people to take our source code and produce exactly identical binaries on their own. We're not quite at the point where you always get a matching build, but the remaining differences are minor, and within a couple more releases we should have it fully reproducible. For now, we are posting all of the builds for comparison, and you can of course build and compare your own.
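
As an added example (not code from the Tor Project or from these posts), here is one way to do the build comparison described here and in the 3.0alpha2 announcement above: parse each builder's sha256sums.txt, hash a local build, and list the files whose digests differ. It assumes each manifest's GPG signature has already been verified separately; the function names, builder labels and sample file names are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# sha256sum output format: 64 hex digits, a space, a mode character (' ' or '*'), the name
ENTRY = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def parse_manifest(text):
    """Parse sha256sums.txt content into {filename: digest}, rejecting malformed input."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a sha256sum entry")
        digest, name = m.groups()
        if name in entries:
            raise ValueError(f"line {n}: duplicate entry for {name}")
        entries[name] = digest
    return entries

def manifest_for_dir(directory):
    """Hash every regular file in a local build output directory (bundles fit in memory)."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(directory).iterdir()) if p.is_file()}

def compare_builds(manifests):
    """manifests: {builder: {filename: digest}}, each already signature-checked (assumption).
    Returns (reproduced, differing); differing maps filename -> {builder: digest or None}."""
    if len(manifests) < 2:
        raise ValueError("need at least two independent builds to compare")
    names = set().union(*(m.keys() for m in manifests.values()))
    reproduced, differing = [], {}
    for name in sorted(names):
        seen = {builder: m.get(name) for builder, m in manifests.items()}
        if len(set(seen.values())) == 1:
            reproduced.append(name)
        else:
            differing[name] = seen  # a file one builder lacks (None) is also a mismatch
    return reproduced, differing

# Constructed sample: two builders' manifests; file names and contents are made up.
def sample_line(data, name):
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

BUILDER_A = sample_line(b"linux", "bundle-linux.tar.xz") + sample_line(b"win", "bundle-win.exe")
BUILDER_B = sample_line(b"linux", "bundle-linux.tar.xz") + sample_line(b"win+ts", "bundle-win.exe")

if __name__ == "__main__":
    ok, bad = compare_builds({"A": parse_manifest(BUILDER_A), "B": parse_manifest(BUILDER_B)})
    print("reproduced:", ok)
    for name, seen in bad.items():
        print("MISMATCH", name, seen)
```

A file listed under `differing` is one the builders did not reproduce bit for bit, so it should be investigated before the release is treated as independently verified.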

Known issues

Of course, being an alpha release (in fact, the first alpha release of this series), we expect these bundles to have some issues. Here are the major user-facing issues that we know about so far:

  1. Crash Issue: Windows Permissions

    On Windows, if you install the bundle to anywhere other than the Desktop, permissions issues can cause the bundles to crash at startup.

  2. Crash Issue: Windows Software Conflict(s)

    There appears to be an issue with direct2d rendering acceleration that affects some video cards, and has a crash report with a module d2d1.dll. The simplest workaround is to right click on 'Start Tor Browser' and select "Properties->Compatibility->Run in Windows XP Compatibility mode".

  3. Extraction: Delete or rename your old TBB directory first!

    These bundles are significantly different than the previous alphas or stable releases. You must not extract this bundle on top of a previous TBB directory, or multiple things will break. If you want to preserve your bookmarks and history, you can do so by copying only the places.sqlite file from your old bundle directory into the new one. The good news is that the elimination of Vidalia should make it much simpler for us to finally deploy an autoupdater, but please bear with us until we can finally complete that important usability work.

  4. Misc: Missing Translations

    Some of the translation strings for the Tor Launcher startup got munged by Transifex. In particular, the Farsi and the German builds both have missing button labels and strings.

If you experience any other issues, please let us know and/or file a bug!
