New Tor Browser Bundles for Linux

by Sebastian | February 20, 2012

The Tor Browser Bundles for Linux have all been updated to really include the latest Firefox, 10.0.2.

https://www.torproject.org/download

Tor Browser Bundle for Linux (2.2.35-7.2)

  • Really update Firefox to 10.0.2
  • Update libpng to 1.5.9

Please note that this time around, I made and signed the bundles as Erinn is travelling. I hope all the previous issues have been fixed, and would like to apologize for taking so long to get updated Linux bundles out. Please report any issues you find on our bugtracker.

You can find my gpg key's fingerprint on the signing keys page.

Comments

Please note that the comment area below has been archived.

February 20, 2012

Permalink

How did this roll-out error occur?

How much testing is involved with the Linux versions prior to release?

Do you have a list of users, public or private, who beta test each
new version prior to release?

Do you and/or the regular maintainer exist as the only testers prior to release?

I call for increased testing prior to releases, this was a sloppy job.

I don't know how the error occurred, probably something went wrong during the build process. I am not too familiar with the normal release process, as I'm not involved in it - I just made these bundles as the regular build engineer was unavailable. I believe the faulty bundle went through functionality testing, which it did pass fine - the wrong Firefox version just went unnoticed.

As for this bundle, it was tested by myself and a couple others before becoming the new release. Note that there is a big tradeoff here, where we need to get the bundles out asap due to the security nature of the issues patched and the potential for exploits in the wild. This explains why testing can't be as rigorous as you'd probably like.

February 20, 2012

Permalink

It's okay of we'd waited for quite some time. The important thing now is that we can already access the Tor Browser Bundles for Linux. Really excited to try it!

February 20, 2012

Permalink

Thanks for everything! Most meaningful and best tool out of the entire internet.

Also I can't believe that guy basically called you and other sloppy lol. You don't bite the hand that feeds you.

February 20, 2012

Permalink

The latest TBB version for Linux (2.2.35-7.2) doesn't work for me. Vidalia and Tor start up and connect to the tor network but Firefox won't start. When I try to run Firefox from the console I get this error ...

symbol lookup error: /home/lada/.tor-browser/App/Firefox/libxul.so: undefined symbol: gtk_widget_set_can_focus

I still have Erinn's previous version which doesn't produce this error. Any idea?

February 21, 2012

In reply to Sebastian

Permalink

Thanks for your reply, Sebastian. I've just sent you an eMail.

Which Linux distribution are you using, and what version of Gtk 2 is included in it? It sounds like you have an older version of Gtk than the one this TBB was built against.

February 21, 2012

In reply to rransom

Permalink

OS : Slitaz 3.0 32-bit customized Live CD
(stable since March 2010 but a little aging now)

GTK+: 2.16.5

... I've been using every TBB version since last September/October
with this setup and so far had no problems with this. It does look
like the problem is caused by the GTK+ version I have. Maybe
Erinn used an older version that works fine, too?

I just sent Sebastian an eMail.

February 20, 2012

Permalink

The IP: 93.114.40.75 was chosen a few times when I changed identity using the tor button, but when I checked it's status on https://check.torproject.org/?lang=en-US it always said "Sorry. You are not using Tor." what's up with that?.

Whois Server Version 2.17/2009-12-18 - whois.rotld.ro

Top Level Domain : ro
Maintainance : www.rotld.ro

Domain Name: limehost.ro
Registrar: Romarg SRL
Whois Server: http://whois.rotld.ro
Referral URL: http://www.inregistrare-domenii.ro

Name Server: ns1.voxility.com
Name Server: ns2.voxility.com

Domain Status: OK

February 20, 2012

Permalink

Can someone please instruct how to download TBB via wget?

This is the output I get when I try:

  1. --2012-02-20 22:32:29-- <a href="https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-i686-2.2.35-7.2-dev-en-US.tar.gz
  2. ERROR:" rel="nofollow">https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-…</a> Cannot open directory /etc/openssl/certs.<br />
  3. Resolving <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (<a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a>)... 38.229.72.16, 86.59.30.36, 38.229.72.14, ...<br />
  4. Connecting to <a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a> (<a href="http://www.torproject.org" rel="nofollow">www.torproject.org</a>)|38.229.72.16|:443... connected.<br />
  5. ERROR: The certificate of `<a href="http://www.torproject.org&#039" rel="nofollow">www.torproject.org&#039</a>; is not trusted.<br />
  6. ERROR: The certificate of `<a href="http://www.torproject.org&#039" rel="nofollow">www.torproject.org&#039</a>; hasn't got a known issuer

You'll want to use the --no-check-certificate switch to wget (it's a known problem that wget doesn't handle certificates the same way your browser does). However, when you do that, please make sure you download and verify the signature (.asc file), because otherwise you could be man in the middled.

February 20, 2012

Permalink

I don't trust this release. You are not the one who is suppose to be signing it. I want Erinn Clark to sign it as usual. This is a potential security threat. I don't have any way of knowing if this new signature is legit.

Whether you trust it or not is your own decision. While Erinn is unavailable I don't have a way to get her to sanction the build - feel free to keep using the older bundle if it makes you feel better. It does have an insecure version of Firefox, tho...

February 22, 2012

In reply to Sebastian

Permalink

Ditto! Tor Project is getting to big for its britches! Every release there seems to be an error, and Erin seems to not be up to the job.

I filed bug reports MONTHS ago about insecure settings (e.g., white lists in NoSript) - even Mike Perry agreed with me - but STILL, MONTHS LATER Erin hasn't fixed the issue!

I feel she lacks sufficient understanding, and I will no longer use TorBrowserBundle, I will build it myself.

The bundle is far from secure, lacks needed about:config security settings (which I filed bug reports for, to no avail), and lacks important about:config settings to increase surfing speed (which I filed bug reports for and even Mike Perry agreed with my report).

I have donated hundreds of dollars to Tor, but I will never again donate until you all get your sh*t together!

You need a group of beta testers, because it quite obvious Tor project does little to no testing, especially on Windows boxes.

Does anybody actually think that there aren't major issues?

Now that we have agreed on that I want to tell you the reason.

It is a lack of funding. Even with millions of dollars these guys are experts and experts require money and incentives like the rest of us. I work with many other projects and the #1 problem is there is never enough funding. The Tor project needs someone to step up to the plate and work with them on fundraising who isn't directly involved in development, packaging, etc. A volinteer to start and an employee by the end of the year. This is easily doable given any volinteer able to bring in money to the project could be paid from the resulting increase in funding.

These guys and gals need to eat, relax, and have fun let alone save for retirement like the rest of us.

I am committing $400-$800 as a sponsor to the Linux Mint project. This is not entirely a good-will endevour. I'm far from rich. The thing is the project has eyeballs and there is a strong business case for getting your name attached to such a project.

The Tor project should start a sponsors program like Linux Mint has.

The top 3 sponsors are shown on every page of the Linux Mint website, and all sponsors contribution appear in the "monthly stats" communications, every month, on the website, the blog and the forums.

"The organization consists of many volunteers and a few employees."

Things like this could be done by a volinteer initially. I am betting that alone could easily draw in $100,000 a year. How long does it take to get such a program up and running? We are probably talking days at the most. The thing is there isn't anyone doing it right now that I'm aware of. Even if there is more people focused on this (other than the developers) would help to fix these types of issues. It shouldn't be neccessary for Erin to go on fundraising expiditions.

February 27, 2012

In reply to Sebastian

Permalink

This is a serious breach of security protocol... why bother verifying signatures then?

February 21, 2012

Permalink

Sebastian, I tried to verify your signature but was unable to locate your public key. Neither pgp.mit.edu nor subkeys.pgp.net found something in response to: gpg --search-key 0x140C961B
Where do I find your key?

This just worked for me:

$ gpg --recv-key 0x140C961B
gpg: requesting key 140C961B from hkp server keys.gnupg.net
gpg: key C5AA446D: "Sebastian Hahn " not changed

Can you try keys.gnupg.net and report back? Also I just pushed my key to subkeys.pgp.net again, not sure why it got lost.

February 21, 2012

Permalink

I have an error:

[???????@localhost tor-browser_pl]$ ./start-tor-browser
Launching Tor Browser Bundle for Linux in /home/??????/Pobrane/tor-browser_pl
Cannot mix incompatible Qt library (version 0x40603) with this library (version 0x40704)
./start-tor-browser: line 206: 24776 Przerwane ./App/vidalia --datadir Data/Vidalia/
Vidalia exited abnormally. Exit code: 134

Sebastian

February 21, 2012

In reply to by Anonymous (not verified)

Permalink

Do you have some version of Qt installed? I suspect you might have an older version which happened to match the Qt version Erinn used, and thus didn't see the problem before. Please file a bug with more details at https://trac.torproject.org

February 21, 2012

Permalink

I use keys.gnupg.net and found the key. Then check gpg --list-sigs and view correct signatures from Erinn, Andrew and Jacob.

February 21, 2012

Permalink

7.2 starting and works fine on Debian-Squeeze. No problem with finding keys and cross-check Erinn signatures on the key. Thank you for the update!

What do you mean by you cross-checked it with Erinn's signature?

I think I know what you mean although I'm unsure how to do it. Essentially what you mean is you can check Sebation's key is legitimate using Erinn's. People may not have Sebation's key or know who he is even though they know and trust Erinn's key.

For those people who don't know maybe you can tell us how to verify that Erinn trusts Sebation's key.

February 24, 2012

Permalink

I downloaded this version and deleted my previous version however this version doesn't work for me (browser does not start).

How can I download an older version to work around this problem?

p.s. the is the 2nd time I posted this comment but the first one didn't appear.

February 25, 2012

Permalink

do you have an opinion concerning adding adblock plus to the firefox in the bundle vis-a-vis security?

March 02, 2012

Permalink

Will the Tor browser bundle be updated with HTTPS everywhere 2.0 (see the announcement at eff.org) in the near future? I see that the Tor pages recommend not adding plugins to Firefox included in the bundle, but is there any reason not to update HTTPS to version 2.0 now?

Thanks for all of the hard work!

libredrs

March 03, 2012

Permalink

Hello.

I would really like to see the tor browser itself as a seperate download, packaged as a fork of mozilla or whatever so that we can download these components from the normal linux repositories, seperately, and run it with the standalone tor.

This could also be useful for people releasing for instance, tails, or liberté, as they can package the same software.

Not to mention people that use tor for other applications like irc.

I believe there are still many people installing tor this way, and are using either other browsers, or the latest firefox with the now (unreccomended) tor button, with the about:config changes.

I think its great to leave the tbb as it is, thats fine, but for many we are installing tor via our system repositories (this keeps us updated!)...

And becaues of the fingerprinting issues we should all be using the same software, at least for now. Could you consider adding code similar to ip-check.info to https://check.torproject.org. so people also know their configurations are set up properly?

Therefore, please release the aurora tor browser as a seperate project/build/whatever, so we can download it via our OS.

I would go so far as to say to eventually make the tor browser a seperate project, specifically, a "privacy browser," so that people using vpn's and jondonym would also benifit from using it. The increased user pool would also help with maintainance.

Please make a list of the specific configs that are now becoming "reccomended" as far as the tbb--including the polipo config file so people who have their own polipo can use the same setup as the tbb, and also the reccomended about:config changes.

Until this is done, for those using firefox, I have the latest firefox and the torbutton, but where is the list of the specific changes? Are any of the "patches" made to firefox potentially distiguishing fingerprint-wise compared to a non-patched firefox running the torbutton/no script?

There has been some discussion of this issue here:
http://ci3hn2uzjw2wby3z.onion/talk/27y

Thanks

March 10, 2012

Permalink

My biggest question is: Is there a way to Not use tail or a non-torified application? I frequent two IRC networks that block most of the tor exit nodes, and I have to keep shuffling identities until either one works, or the ops let me in.
I also frequent a popular forum that has a habit of merging accounts if the accounts use the same/similar IPs consistently. I just don't want my account merged with another tor user's, although the owner has consistently stated that using IP maskers such as VPNs and Tor is at out own risk.
Still, I digress. Is there a way around torifying my irc client and maybe an instance of Ice Weasel, on tails?2