New Tor Browser Bundles

The Tor Browser Bundles have all been updated to the latest OpenSSL 1.0.1c. All users are strongly encouraged to update.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-12)

  • Update OpenSSL to 1.0.1c
  • Update Libevent to 2.0.19-stable
  • Update zlib to 1.2.7
  • Update NoScript to 2.4.1
Anonymous

May 12, 2012

Permalink

When I start TBB 2.2.35-12, the start page still says I have to upgrade.

Also, the displayed fonts for webpages has changed but the settings in the browser are the same as the earlier version I was using (TBB 2.2.35-8). Anyone know how this can be corrected?

"When I start TBB 2.2.35-12, the start page still says I have to upgrade."
Same here on Vistx64. If I then get check.torproject.org from torproject.org, the briowser displays without the upgrade notice. A bug?

First, TBB 2.2.35-13 is out, so it is right that you should upgrade.

As for the bug, Torbutton in TBB loads https://check.torproject.org/RecommendedTBBVersions and checks if its version is in the list. It then sends you to the "you need to update" page if needed. So Torbutton in TBB is the one checking if you're up to date, not some magic run on the check.torproject.org side.

"So Torbutton in TBB is the one checking if you're up to date, not some magic run on the check.torproject.org side."

Gee, that "magic" sounds crabby... I was mystified by the removal of the "check Tor" link on the home page, to which we peasants were referred to previously. As I said in my prev. comment, when I ran check.torproject from there it returned a clean browser screen, That's what led me astray - I wasted time looking for the link to check.torproject.org rather than going to the download page.

I generally run my bridge from the vidalia bridge bundle, so lose track of the TBB updates. I run the bridge from the TBB only when I need the browser, and it seemed to me that ver .13 came along right quick after .12.

BTW, the ver. no. doesn't seem to be included somewhere in the documentation of each version. Maybe it shows up in the program list in Windows control panel - I wouldn't know as I don't install either of these packages to the default locations & so they don't show up in the list.

Anyway, this blog thread has eased my overactive securityitis. live & learn.,,

Anonymous

May 13, 2012

Permalink

"Update OpenSSL to 1.0.1c"

If OpenSSL was updated, why does my Tor Browser Bundle
(2.2.35-12) for Linux 32-bit show:

libssl.so.1.0.0

in ~/tor-browser_en-US/Lib directory?

md5sum:

d774c0f5ea0762271a814fecdf921c97 libssl.so.1.0.0

That looks scary I agree, but I think it may be ok. It's common to not bump library so filenames, so it's easy for other applications to symlink to them and to check if they (and thus the major version they represent) are present.

In the 64-bit case, build-trees/build-alpha/x86_64/openssl-1.0.1c/libssl.so looks like a symlink to libssl.so.1.0.0, so that's a good sign. I encourage more people to investigate of course.

Anonymous

May 13, 2012

Permalink

Installed and re-installed 2.2.35.12, yet the Tor homepage says: "There is a security update available for the Tor Browser Bundle." Also, the minimize, maximize buttons are totally blacked out and the security details pop-out (via the URL button) doesnt't render properly.

The minimize, maximize buttons can be restored by disabling the Firefox "App Button" by right-clicking on one of the bars at the top of the browser. Doesn't solve the problem entirely, but good enough.

Anonymous

May 13, 2012

Permalink

I did a update from 2.2.35-8 to 2.2.35.12

There is something wrong with the graphic representation in Firefox. Close/Minimize buttons are missing.

Firefox is grey even I choose a different colour for my windows.

Win 7 / 32bit

I'm sorry arma, but that's such a poor answer I almost spit out my coffee. While it may be true, it's not acceptable. Especially considering (I'd assume from how many people use Windows, worldwide) that ~>80% of your users use Windows.

Just because it's hard doesn't mean Tor devs should stick with low-hanging Windows fruit. If you don't have people that want to work with Windows, then stop shipping Windows software...(and doesn't that sound asinine?)

This bug NEEDS to be fixed, and soon. Like I wrote on the bug tracker, some (most) Tor devs see the trees, but not the forest. This is a major issue, it's not only about minimize, maximize, and close; it's about SSL cert info, bookmark features, and etc.

I offered to donate more than $500 to get this fixed, and soon. Why not make some sort of bounty system for Windows bugs you all don't want to "waste" your time fixing? Kind of like what I2P2 does, wrt goals and bugs. That way you can have Windows users donate just to some Windows specific bugs some Tor devs apparently think are below them, or at least think the bugs don't matter because they don't use Windows.

Ok, I mispoke a little bit. It's not that no Tor developers care about Windows. We certainly want our software to be usable, even on Windows. It's that developing well for Windows is really hard and no Tor developers are any good at it. And it shows.

Somewhere out there are good Windows developers, but we sure haven't been good at finding them.

Not the title bar; pull down torbrowser > hover over options, to check the menu bar. I don't use the menu bar myself, but to minimize or close I just guess where in the black to click. I appreciate the work the devs do and am more about functionality than chrome.

Anonymous

May 13, 2012

Permalink

Just running this release of TBB for the first time right now, when I noticed the following.

Add-ons Manager says,

"HTTPS-Everywhere will be updated after you restart TorBrowser."
(Installed version of HTTPS-Everywhere is reported as 2.0.2)

Checking under "Tools for all add-ons", I find that "Update Add-ons Automatically" is indeed checked.

Is this supposed to be?

I recall past comments, from phobos* in particular, about the need for add-ons to be reviewed by the dev team in order to be sure they won't leak identifying info in any way.

(*Anyone else remember the good old days when phobos would actually answer questions people had posted to this blog about Tor Browser Bundle?)

Mike Perry, the Torbutton guy, is a developer on Https Everywhere too. So in this particular case it should be ok.

Mike is similarly keeping an eye on the other extensions that TBB includes. You're right to wonder if some update will introduce a problem, but at the same time, sometimes updates are really important. On the whole, now that Torbutton is good at forcing updates to do their update via To, I think it's better to let updates happen than to never let them happen.

In the distant future, when Thandy (the secure updater we've been working on forever, which is all ready to go except we don't have enough packaging people to get it deployed) is in action, maybe we will reconsider.

Is there a reason why HTTPS Finder is not included along with HTTPS-Everywhere, to complement it?

(And, for that matter, why there seems to be no mention of HTTPS Finder on the EFF pages for HTTPS Everywhere?)

HTTPS Finder causes a lot of websites to break, and the HTTPS Everywhere rulesets that it produces are (currently) too buggy to be included in HTTPS Everywhere in most cases.

If HTTPS Finder could be improved so that it produced rules more like the ones that human authors produce, it could be good to encourage wider use of it. But at the moment, it tends to create more hassle for us than it's worth.

Thank you for that explanation.

When you say, "us", it clearly implies that you are one of the Tor devs.

Is there a reason you didn't identify yourself as such?

Anonymous

May 13, 2012

Permalink

As in the previous release, "network.websocket.enabled" is set to "true".

Would a Tor dev please clarify whether or not this is cause for concern-- a number of posts asked this very question in the thread for the previous security release.

Thank you.

Anonymous

May 15, 2012

Permalink

On M$_WinXP Pro, the new version ( & the one previous ), hung the computer completely. Cold restarts the only recourse ..

Reboots yielded the same result.

No indication that this is the ISP ( Virgin ), refusing the connection, but I think not, because latest TOR on Linux elsewhere on a Virgin ISP connection, seems fine. Same goes for all the previous versions ..

Wonderful work. Long may it continue

Please provide a snail-mail address, for a permanent subscription - better for us all, than a mere one-off donation !

The Lurker

Anonymous

May 15, 2012

Permalink

I have a question regarding the 10 minute interval for circuit reuse. From the wiki:

How often does Tor change its paths? ¶

Tor will reuse the same circuit for new TCP streams for 10 minutes, as long as the circuit is working fine. (If the circuit fails, Tor will switch to a new circuit immediately.)

Can Tor be configured to generate a new circuit more often, say every minute?

Thank you,
Chris

Anonymous

May 16, 2012

Permalink

TorBrowser doesn't seem to retain cookie exceptions (white- or blacklisting) after restarting the Tor Browser Bundle. Even if I turn on(!) all the history settings, it keeps all my history...but still my cookie whitelist is emptied the next time I start the Tor Browser Bundle.

Using the latest version.

Is this a bug or expected behavior?

Anonymous

May 16, 2012

Permalink

The system tray onion icon for the Tor Browser Bundle does not display on the most modern Ubuntu systems, under Unity, you might want to fix that.

Effectively this error means you'll have to make sure the Vidalia interface is checked, as it is by default, to auto-display, (and make sure not to ever close its window, or controls good bye,) as the systray icon always fails to display.

Boot out of Beanbag debian and Arch and give it a dealfixing shot, no offense of course.

See https://trac.torproject.org/projects/tor/ticket/3255 and https://trac.torproject.org/projects/tor/ticket/3058

The issue appears to be that Unity has a whitelist of applications that are allowed to show icons, and Vidalia uses Qt, and there's a bug in Unity that basically ignores all icons from Qt apps:
https://bugs.launchpad.net/ubuntu/+bug/773307

Perhaps bug your ubuntu developers to address that bug?

Sorry, I hadn't followed that, I update very sporadically, and specifically use Vidalia instead of the browser bundle.

Vidalia still has a config setting to start a proxy service, with that failing, tor starts up fine but throws an error since /Applications/Vidalia.app/Contents/MacOS/polipo doesn't exist, and neither does /Applications/Vidalia.app/Contents/Resources/polipo.conf.

Vidalia.conf in ~/Library/Vidalia, was updated, but it appears the references to Polipo were left in place. So, I'm not sure the upgrade went quite correctly. I'll do a little more digging.