tor browser bundle

Tor Browser 4.0-alpha-3 is released

The third alpha release of the 4.0 series is available from the extended downloads page and also from our distribution directory.

The individual bundles of this release are signed by Georg Koppen. You can find his key fingerprint on the Signing Keys page. It is:

 pub   4096R/4B7C3223 2013-07-30
 Fingerprint = 35CD74C24A9B15A19E1A81A194373AA94B7C3223



IMPORTANT UPDATER ISSUES:

  • We discovered Bug 13245 will cause non-English Tor Browsers to update to the English version. This bug has been fixed in this release, but 4.0a2 users will still be updated to the English version if they use the in-browser updater.
  • Meek Transport users will need to restart their browser a second time after upgrade if they use the in-browser updater. We are still trying to get to the bottom of this issue.

This release also features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Tor to 0.2.5.8-rc
    • Update Firefox to 24.8.1esr
    • Update meek to 0.11
    • Update NoScript to 2.6.8.42
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
    • Bug 13091: Use "Tor Browser" everywhere
    • Bug 13049: Browser update failure (self.update is undefined)
    • Bug 13047: Updater should not send Kernel and GTK version
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Bug 13245: Prevent non-english TBBs from upgrading to english version.
  • Linux:
    • Bug 9150: Make RPATH unavailable on Tor binary.
    • Bug 13031: Add full RELRO protection.



The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.6 is released

The sixth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog for 3.6.6:

  • All Platforms
    • Update Tor to tor-0.2.4.24
    • Update Firefox to 24.8.1esr
    • Update NoScript to 2.6.8.42
    • Update HTTPS Everywhere to 4.0.1
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
  • Linux
    • Bug 9150: Make RPATH unavailable on Tor binary.



The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.5 and 4.0-alpha-2 are released

Tor Browser 3.6.5

The fifth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release also features improvements to the canvas image extraction permissions prompt, and will now log offending script urls to the browser console. It also restores the missing RELRO hardening option to the Linux bundles, and disables NTLM and Negotiate HTTP auth (which can leak sensitive information about the computer). To avoid resolution fingerprinting, popups are also opened in new tabs by default.

Here is the complete changelog for 3.6.5:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update HTTPS Everywhere to 4.0.0
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.

    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 9881: Open popups in new tabs by default
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.


Tor Browser 4.0-alpha-2

In addition, we are also releasing the second alpha in the 4.0 series, available for download on the extended downloads page.

This release also includes important security updates to Firefox.

In addition to including the changes in 3.6.5, this release also is the first Tor Browser release to enable the in-browser Firefox-based updater. This means that if all goes well, 4.0-alpha-2 users will notified of an available update via a notification similar to that in Firefox. You will then be able to download and install it directly via the browser UI. By default, neither the download nor the update will happen automatically, so if you are not feeling adventurous, you need not allow it to update in this way. Even if you are feeling adventurous, you should probably back up your Tor Browser directory before updating.

In addition to the updater, this release should also re-enable the basic hardening features on Windows, including ASLR, DEP, and SSP.

Furthermore, the NoScript behavior in this release has changed. Selecting "Temporarily allow scripts" will now automatically allow all scripts in a page. This was done for usability reasons, to make it easier for novice users to run Tor Browser with scripting disabled most of the time. This will also hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default.

Here is the complete changelog for 4.0-alpha-2:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update Tor Launcher to 0.2.7.0
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.

    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 4234: Automatic Update support (off by default)
    • Bug 9881: Open popups in new tabs by default
    • Meek Pluggable Transport:
      • Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.



The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.4 and 4.0-alpha-1 are released

The fourth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features an update to OpenSSL to address the latest round of OpenSSL security issues. Tor Browser should only be vulnerable to one of these issues - the null pointer dereference. As this issue is only a DoS, we are not considering this a critical security update, but users are advised to upgrade anyway. This release also features an update to Tor to alert users of the RELAY_EARLY attack via a log message, and a fix for a hang that was happening to some users at startup/Tor network bootstrap.

Here is the complete changelog for 3.6.4:

  • Tor Browser 3.6.4 -- All Platforms
    • Update Tor to 0.2.4.23
    • Update Tor launcher to 0.2.5.6
    • Update OpenSSL to 1.0.1i
    • Backported Tor Patches:
      • Bug 11654: Properly apply the fix for malformed bug11156 log message
      • Bug 11200: Fix a hang during bootstrap introduced in the initial
        bug11200 patch.
    • Update NoScript to 2.6.8.36
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Update Torbutton to 1.6.11.1
      • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
      • Bug 12680: Fix Torbutton about url.

In addition, we are also releasing the first alpha of the 4.0 series, available for download on the extended downloads page.

This alpha paves the way to our upcoming autoupdater by reorganizing the directory structure of the browser. This means that in-place upgrades from Tor Browser 3.6 (by extracting/copying over the old directory) will not work.

This release also features Tor 0.2.5.6, and some new defaults for NoScript to make the script permissions for a given url bar domain automatically cascade to all third parties by default (though this may be changed in the NoScript configuration).

  • Tor Browser 4.0-alpha-1 -- All Platforms
    • Ticket 10935: Include the Meek Pluggable Transport (version 0.10)
      • Two modes of Meek are provided: Meek over Google and Meek over Amazon
    • Update Firefox to 24.7.0esr
    • Update Tor to 0.2.5.6-alpha
    • Update OpenSSL to 1.0.1i
    • Update NoScript to 2.6.8.36
      • Script permissions now apply based on URL bar
    • Update HTTPS Everywhere to 5.0development.0
    • Update Torbutton to 1.6.12.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
      • Bug 12680: Change Torbutton URL in about dialog.
      • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Update Tor Launcher to 0.2.6.2
      • Bug 11199: Improve behavior if tor exits
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Backported Tor Patches:
      • Bug 11200: Fix a hang during bootstrap introduced in the initial
        bug11200 patch.
  • Tor Browser 4.0-alpha-1 -- Linux Changes
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.3 is released

The third pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.7.0esr
    • Update obfsproxy to 0.2.12
    • Update FTE to 0.2.17
    • Update NoScript to 2.6.8.33
    • Update HTTPS Everywhere to 3.5.3
    • Bug 12673: Update FTE bridges
    • Update Torbutton to 1.6.11.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
  • Linux:
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.2 is released

The second pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features a fix to allow the configuration of a local HTTP or SOCKS proxy with all included Pluggable Transports.

In addition, this release also features important security updates to Firefox, as well as an update to OpenSSL 1.0.1h to address the latest round of OpenSSL security issues.

This release also updates the Tor client software to version 0.2.4.22, which blacklists directory authority keys that were created prior to fixing the Heartbleed attack.

  • All Platforms
    • Update Firefox to 24.6.0esr
    • Update OpenSSL to 1.0.1h
    • Update NoScript to 2.6.8.28
    • Update Tor to 0.2.4.22
    • Update Tor Launcher to 0.2.5.5
      • Bug 10425: Provide geoip6 file location to Tor process
      • Bug 11754: Remove untranslated locales that were dropped from Transifex
      • Bug 11772: Set Proxy Type menu correctly after restart
      • Bug 11699: Change &#160 to   in UI elements
    • Update Torbutton to 1.6.10.0
      • Bug 11510: about:tor should not report success if tor proxy is unreachable
      • Bug 11783: Avoid b.webProgress error when double-clicking on New Identity
      • Bug 11722: Add hidden pref to force remote Tor check
      • Bug 11763: Fix pref dialog double-click race that caused settings to be reset
    • Bug 11629: Support proxies with Pluggable Transports
      • Updates FTEProxy to 0.2.15
      • Updates obfsproxy to 0.2.9
    • Backported Tor Patches:
      • Bug 11654: Fix malformed log message in bug11156 patch.
    • Bug 10425: Add in Tor's geoip6 files to the bundle distribution
    • Bugs 11834 and 11835: Include Pluggable Transport documentation
    • Bug 9701: Prevent ClipBoardCache from writing to disk.
    • Bug 12146: Make the CONNECT Host header the same as the Request-URI.
    • Bug 12212: Disable deprecated webaudio API
    • Bug 11253: Turn on TLS 1.1 and 1.2.
    • Bug 11817: Don't send startup time information to Mozilla.

The list of frequently encountered known issues is also available in our bug tracker.

Tor Browser 3.6.1 is released

The first pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features a fix for a regression with using a proxy for normal Tor usage. It does not yet allow the configuration of proxies for pluggable transports. We hope to fix that issue in the following point release.

This is not a security release — feel free to keep using TBB 3.6 if it's working for you.

Here is the complete changelog:

  • All Platforms
    • Update HTTPS-Everywhere to 3.5.1
    • Update NoScript to 2.6.8.22
    • Bug 11658: Fix proxy configuration for non-Pluggable Transports users
    • Backport Pending Tor Patches:
      • Bug 8402: Allow Tor proxy configuration while PTs are present
    • Note: The Pluggable Transports themselves have not been updated to support proxy configuration yet.

Tor Browser 3.6 is released

The Tor Browser Team is proud to announce the first stable release of the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

For users upgrading from Tor Browser 3.5.x, the 3.6 series features fully integrated Pluggable Transport support, including an improved Tor Launcher UI for configuring Pluggable Transport bridges. The Pluggable Transport code is also fully disabled for users who do not configure them. The 3.6 series also changes the MacOS archive format from zip to DMG, which should improve installation usability for Mac users.

This release also includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series. We also maintain a list of frequently encountered known issues in our bugtracker.

Here is the complete changelog since TBB 3.5.4:

  • All Platforms

    • Update Firefox to 24.5.0esr
    • Include Pluggable Transports by default:
      • Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.13 are now included
    • Bug 11586: Include license files for component software in Docs directory.
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update NoScript to 2.6.8.20
    • Update Tor Launcher to 0.2.5.4
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
      • Bug 10418: Provide UI configuration for Pluggable Transports
      • Bug 10604: Allow Tor status & error messages to be translated
      • Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
      • Bug 10610: Clarify wizard UI text describing obstacles/blocking
      • Bug 11074: Support Tails use case (XULRunner and optional customizations)
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to 1.6.9.0:
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
      • Bug 5018: Don't launch Pluggable Transport helpers if not in use
      • Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
      • Bug 11069: Detect and report Pluggable Transport bootstrap failures
      • Bug 11156: Prevent spurious warning about missing pluggable transports
  • Mac:

    • Bug 4261: Use DMG instead of ZIP for Mac packages
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows
  • Linux:

    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows

Here is the changelog since the 3.6-beta-2:

  • All Platforms
    • Update Firefox to 24.5.0esr
    • Update Tor Launcher to 0.2.5.4
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to 1.6.9.0
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Update NoScript to 2.6.8.20
    • Update fte transport to 0.2.13
    • Backport Pending Tor Patches:
      • Bug 11156: Additional obfsproxy startup error message fixes
    • Bug 11586: Include license files for component software in Docs directory.
  • Windows and Mac:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows builds

Tor Browser 3.6-beta-2 is released

The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

  • All Platforms
    • Update OpenSSL to 1.0.1g
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update fte transport to 0.2.12
    • Update NoScript to 2.6.8.19
    • Update Torbutton to 1.6.8.1
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
    • Update Tor Launcher to 0.2.5.3
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
  • Linux:
    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 11286: Fix fte transport launch error


A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Tor Browser 3.5.3 is released

The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release also includes important security updates to Firefox.

As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

Here is the complete changelog for 3.5.3:

  • All Platforms
    • Update Firefox to 24.4.0esr
    • Update Torbutton to 1.6.7.0:
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
    • Update NoScript to 2.6.8.17
    • Update Tor to 0.2.4.21
    • Bug 10237: Disable the media cache to prevent disk leaks for videos
    • Bug 10703: Force the default charset to avoid locale fingerprinting
    • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
  • Linux:
    • Bug 9353: Fix keyboard input on Ubuntu 13.10
    • Bug 9896: Provide debug symbols for Tor Browser binary
    • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Syndicate content Syndicate content