New Tor Browser Bundles

by erinn | May 13, 2012

The Tor Browser Bundles have all been updated to the latest OpenSSL 1.0.1c. All users are strongly encouraged to update.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-12)

  • Update OpenSSL to 1.0.1c
  • Update Libevent to 2.0.19-stable
  • Update zlib to 1.2.7
  • Update NoScript to 2.4.1

Comments

Please note that the comment area below has been archived.

May 12, 2012

When I start TBB 2.2.35-12, the start page still says I have to upgrade.

Also, the displayed fonts for webpages have changed, but the settings in the browser are the same as the earlier version I was using (TBB 2.2.35-8). Anyone know how this can be corrected?

"When I start TBB 2.2.35-12, the start page still says I have to upgrade."
Same here on Vista x64. If I then get check.torproject.org from torproject.org, the browser displays without the upgrade notice. A bug?

First, TBB 2.2.35-13 is out, so it is right that you should upgrade.

As for the bug, Torbutton in TBB loads https://check.torproject.org/RecommendedTBBVersions and checks if its version is in the list. It then sends you to the "you need to update" page if needed. So Torbutton in TBB is the one checking if you're up to date, not some magic run on the check.torproject.org side.

May 25, 2012

In reply to arma

"So Torbutton in TBB is the one checking if you're up to date, not some magic run on the check.torproject.org side."

Gee, that "magic" sounds crabby... I was mystified by the removal of the "check Tor" link on the home page, to which we peasants were referred to previously. As I said in my prev. comment, when I ran check.torproject from there it returned a clean browser screen. That's what led me astray - I wasted time looking for the link to check.torproject.org rather than going to the download page.

I generally run my bridge from the vidalia bridge bundle, so lose track of the TBB updates. I run the bridge from the TBB only when I need the browser, and it seemed to me that ver .13 came along right quick after .12.

BTW, the ver. no. doesn't seem to be included somewhere in the documentation of each version. Maybe it shows up in the program list in Windows control panel - I wouldn't know as I don't install either of these packages to the default locations & so they don't show up in the list.

Anyway, this blog thread has eased my overactive securityitis. Live & learn...

May 13, 2012

"Update OpenSSL to 1.0.1c"

If OpenSSL was updated, why does my Tor Browser Bundle
(2.2.35-12) for Linux 32-bit show:

libssl.so.1.0.0

in ~/tor-browser_en-US/Lib directory?

md5sum:

d774c0f5ea0762271a814fecdf921c97 libssl.so.1.0.0

That looks scary I agree, but I think it may be ok. It's common to not bump library so filenames, so it's easy for other applications to symlink to them and to check if they (and thus the major version they represent) are present.

In the 64-bit case, build-trees/build-alpha/x86_64/openssl-1.0.1c/libssl.so looks like a symlink to libssl.so.1.0.0, so that's a good sign. I encourage more people to investigate of course.
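One way to do the investigation this reply asks for, as an added example that is not part of the original thread: read the version banner embedded in the library instead of trusting the `libssl.so.1.0.0` file name. It assumes OpenSSL libraries of this era carry a text banner of the form `OpenSSL 1.0.1c 10 May 2012`; the function names and the sample byte strings are constructed for illustration.

```python
import re
import sys

# Banner text assumed to be embedded in libssl/libcrypto, e.g.
# "SSLv3 part of OpenSSL 1.0.1c 10 May 2012". The soname "libssl.so.1.0.0"
# deliberately does not match: it names the ABI, not the release.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")

# Constructed stand-ins for library images (not real binaries).
SAMPLE_NEW = (b"\x7fELF\x00libssl.so.1.0.0\x00"
              b"SSLv3 part of OpenSSL 1.0.1c 10 May 2012\x00"
              b"TLSv1 part of OpenSSL 1.0.1c 10 May 2012\x00")
SAMPLE_OLD = (b"\x7fELF\x00libssl.so.1.0.0\x00"
              b"SSLv3 part of OpenSSL 1.0.0 29 Mar 2010\x00")


def parse_version(text):
    """Turn '1.0.1c' into (1, 0, 1, 'c'); such tuples sort in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if m is None:
        raise ValueError("not an OpenSSL version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def embedded_versions(blob):
    """Return every OpenSSL version named by a banner inside the image."""
    return {(int(a), int(b), int(c), letter.decode())
            for a, b, c, letter in BANNER.findall(blob)}


def check_library(blob, required="1.0.1c"):
    """Classify a library image as 'ok', 'outdated' or 'unknown'."""
    found = embedded_versions(blob)
    if not found:
        return "unknown"  # no banner at all: do not guess from the file name
    # Judge by the oldest banner present, in case builds were mixed.
    return "ok" if min(found) >= parse_version(required) else "outdated"


if __name__ == "__main__":
    # Usage: python check_libssl.py path/to/libssl.so.1.0.0
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            data = handle.read()
        print(path, sorted(embedded_versions(data)), check_library(data))
```

Both constructed images carry the same `libssl.so.1.0.0` name, yet only the first reports `ok`, which is the point of the reply: the file name says nothing about which release is inside.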

May 13, 2012

Installed and re-installed 2.2.35.12, yet the Tor homepage says: "There is a security update available for the Tor Browser Bundle." Also, the minimize, maximize buttons are totally blacked out and the security details pop-out (via the URL button) doesn't render properly.

The minimize, maximize buttons can be restored by disabling the Firefox "App Button" by right-clicking on one of the bars at the top of the browser. Doesn't solve the problem entirely, but good enough.

May 13, 2012

I did an update from 2.2.35-8 to 2.2.35.12

There is something wrong with the graphic representation in Firefox. Close/Minimize buttons are missing.

Firefox is grey even if I choose a different colour for my windows.

Win 7 / 32bit

May 20, 2012

In reply to arma

I'm sorry arma, but that's such a poor answer I almost spit out my coffee. While it may be true, it's not acceptable. Especially considering (I'd assume from how many people use Windows, worldwide) that ~>80% of your users use Windows.

Just because it's hard doesn't mean Tor devs should stick with low-hanging Windows fruit. If you don't have people that want to work with Windows, then stop shipping Windows software...(and doesn't that sound asinine?)

This bug NEEDS to be fixed, and soon. Like I wrote on the bug tracker, some (most) Tor devs see the trees, but not the forest. This is a major issue, it's not only about minimize, maximize, and close; it's about SSL cert info, bookmark features, and etc.

I offered to donate more than $500 to get this fixed, and soon. Why not make some sort of bounty system for Windows bugs you all don't want to "waste" your time fixing? Kind of like what I2P2 does, wrt goals and bugs. That way you can have Windows users donate just to some Windows specific bugs some Tor devs apparently think are below them, or at least think the bugs don't matter because they don't use Windows.

Ok, I misspoke a little bit. It's not that no Tor developers care about Windows. We certainly want our software to be usable, even on Windows. It's that developing well for Windows is really hard and no Tor developers are any good at it. And it shows.

Somewhere out there are good Windows developers, but we sure haven't been good at finding them.

Not the title bar; pull down torbrowser > hover over options, to check the menu bar. I don't use the menu bar myself, but to minimize or close I just guess where in the black to click. I appreciate the work the devs do and am more about functionality than chrome.

May 13, 2012

Just running this release of TBB for the first time right now, when I noticed the following.

Add-ons Manager says,

"HTTPS-Everywhere will be updated after you restart TorBrowser."
(Installed version of HTTPS-Everywhere is reported as 2.0.2)

Checking under "Tools for all add-ons", I find that "Update Add-ons Automatically" is indeed checked.

Is this supposed to be?

I recall past comments, from phobos* in particular, about the need for add-ons to be reviewed by the dev team in order to be sure they won't leak identifying info in any way.

(*Anyone else remember the good old days when phobos would actually answer questions people had posted to this blog about Tor Browser Bundle?)

Mike Perry, the Torbutton guy, is a developer on Https Everywhere too. So in this particular case it should be ok.

Mike is similarly keeping an eye on the other extensions that TBB includes. You're right to wonder if some update will introduce a problem, but at the same time, sometimes updates are really important. On the whole, now that Torbutton is good at forcing updates to do their update via Tor, I think it's better to let updates happen than to never let them happen.

In the distant future, when Thandy (the secure updater we've been working on forever, which is all ready to go except we don't have enough packaging people to get it deployed) is in action, maybe we will reconsider.

May 17, 2012

In reply to arma

Is there a reason why HTTPS Finder is not included along with HTTPS-Everywhere, to complement it?

(And, for that matter, why there seems to be no mention of HTTPS Finder on the EFF pages for HTTPS Everywhere?)

HTTPS Finder causes a lot of websites to break, and the HTTPS Everywhere rulesets that it produces are (currently) too buggy to be included in HTTPS Everywhere in most cases.

If HTTPS Finder could be improved so that it produced rules more like the ones that human authors produce, it could be good to encourage wider use of it. But at the moment, it tends to create more hassle for us than it's worth.

Thank you for that explanation.

When you say, "us", it clearly implies that you are one of the Tor devs.

Is there a reason you didn't identify yourself as such?

May 13, 2012

As in the previous release, "network.websocket.enabled" is set to "true".

Would a Tor dev please clarify whether or not this is cause for concern-- a number of posts asked this very question in the thread for the previous security release.

Thank you.

May 21, 2012

In reply to arma

The Icon just bounces on the dashboard and then disappears. I had the TBB installed before but decided to just update it and delete the old one. Bad choice on my part.

May 15, 2012

On M$_WinXP Pro, the new version ( & the one previous ), hung the computer completely. Cold restarts the only recourse ..

Reboots yielded the same result.

No indication that this is the ISP ( Virgin ), refusing the connection, but I think not, because latest TOR on Linux elsewhere on a Virgin ISP connection, seems fine. Same goes for all the previous versions ..

Wonderful work. Long may it continue

Please provide a snail-mail address, for a permanent subscription - better for us all, than a mere one-off donation !

The Lurker

May 15, 2012

I have a question regarding the 10 minute interval for circuit reuse. From the wiki:

How often does Tor change its paths?

Tor will reuse the same circuit for new TCP streams for 10 minutes, as long as the circuit is working fine. (If the circuit fails, Tor will switch to a new circuit immediately.)

Can Tor be configured to generate a new circuit more often, say every minute?

Thank you,
Chris

May 16, 2012

TorBrowser doesn't seem to retain cookie exceptions (white- or blacklisting) after restarting the Tor Browser Bundle. Even if I turn on(!) all the history settings, it keeps all my history...but still my cookie whitelist is emptied the next time I start the Tor Browser Bundle.

Using the latest version.

Is this a bug or expected behavior?

May 16, 2012

The system tray onion icon for the Tor Browser Bundle does not display on the most modern Ubuntu systems, under Unity, you might want to fix that.

Effectively this error means you'll have to make sure the Vidalia interface is checked, as it is by default, to auto-display, (and make sure not to ever close its window, or controls good bye,) as the systray icon always fails to display.

Boot out of Beanbag debian and Arch and give it a dealfixing shot, no offense of course.

See https://trac.torproject.org/projects/tor/ticket/3255 and https://trac.torproject.org/projects/tor/ticket/3058

The issue appears to be that Unity has a whitelist of applications that are allowed to show icons, and Vidalia uses Qt, and there's a bug in Unity that basically ignores all icons from Qt apps:
https://bugs.launchpad.net/ubuntu/+bug/773307

Perhaps bug your ubuntu developers to address that bug?

May 22, 2012

In reply to arma

Sorry, I hadn't followed that, I update very sporadically, and specifically use Vidalia instead of the browser bundle.

Vidalia still has a config setting to start a proxy service, with that failing, tor starts up fine but throws an error since /Applications/Vidalia.app/Contents/MacOS/polipo doesn't exist, and neither does /Applications/Vidalia.app/Contents/Resources/polipo.conf.

Vidalia.conf in ~/Library/Vidalia, was updated, but it appears the references to Polipo were left in place. So, I'm not sure the upgrade went quite correctly. I'll do a little more digging.

May 22, 2012

In reply to arma

Also, you may want to have someone update your documentation at https://www.torproject.org/docs/tor-doc-osx.html.en It still claims that Vidalia bundles polipo, and still says you should point your application at the SOCKS proxy at port 8118. Which, since there is no proxy bundled with vidalia anymore, isn't open.

Either way, Vidalia appears to be broken.

May 17, 2012

When you type something (at least two words) to the address bar and enter it, it's searching google.

Previously, nothing was happening. Please at least make it Startpage

May 19, 2012

In reply to arma

I can confirm that, on Windows, it also shows the full path when running Pale Moon Portable (12) and using FoxyProxy instead of Torbutton - doesn't appear it's isolated to the Tor Browser Bundle.
Shouldn't be an issue unless you allow scripts to run of course.

> TOR ON WINDOWS IS UNSAFE

... a glitch in TBB that can be easily amended. The elephant in the room is Windows itself. As a proprietary, closed source and partially undocumented OS, Windows is and always will be inherently unsafe. If you look around on the web pages of "Black Viper" or "The elder Geek" you'll find that even competent people are racking their brains to figure out which Windows services do what, which Windows services establish network connections without asking and without giving any indication, which Windows services can be turned off and which can't, etc. etc. Microsoft as well as Apple keep users deliberately in the dark about such matters because secretiveness is part of their business model. It is beyond me, why people would go to such lengths as to install Tor or TBB on inherently insecure operating systems like these. Standard GNU/Linux distributions have no dark corners because they are open and fully documented. If you want to be reasonably sure that Tor delivers the promised anonymity, use one of these.

"Standard GNU/Linux distributions have no dark corners because they are open and fully documented. If you want to be reasonably sure that Tor delivers the promised anonymity, use one of these."

Two questions:

1.) What about BSD?

2.) Does all open source code really get scrutinized that well? How many people actually analyze all of it?

+1

Amazing how it's assumed that there is this large shadow crew of MIT geeks burning a candle seven days/nights each week analyzing open source software.

My guess is that the answer to "2)" is "not much and not well"

Geeks f**k around on Twitter and Facebook too.

I have java script off and scripts off, the site just shows blank for me. Do you think it finds my username but just can't show it? Or do you think the javascript off and scripts set to be off globally is blocking it from finding the data?

I also turn off cookies but had to turn it on to post here.

No offense, but you have to be pretty dense to use a computer with a username suggestive of your own to browse anonymously. In Windows 7, one can easily change the username by opening "User Accounts." I would suggest a generic username like "Admin." But definitely this should be fixed so it doesn't give snoopers one more data point for identification.

May 19, 2012

I'm getting codesigning failures on 64-bit OSX for the latest bundles (2.2.35-12):

    $ codesign -vv TorBrowser_en-US.app
    TorBrowser_en-US.app: a sealed resource is missing or invalid
    resource modified: /Volumes/xxxx/TorBrowser_en-US.app/Contents/Resources/Docs/changelog

Was the changelog changed after the bundle was signed?

May 20, 2012

The TorBrowserBundle is most definitely codesigned:

    $ codesign -dvv TorBrowserBundle
    Executable=/private/tmp/TorBrowser_en-US.app/Contents/MacOS/TorBrowserBundle
    Identifier=org.torproject.TorBrowserBundle
    Format=bundle with generic
    CodeDirectory v=20100 size=160 flags=0x2(adhoc) hashes=1+3 location=system
    Signature=adhoc
    Info.plist entries=19
    Sealed Resources rules=4 files=13
    Internal requirements count=1 size=92

As is Vidalia.app:

    $ codesign -dvv Vidalia.app
    Executable=/private/tmp/TorBrowser_en-US.app/Contents/MacOS/Vidalia.app/Contents/MacOS/Vidalia
    Identifier=net.vidalia-project.vidalia
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20100 size=34976 flags=0x2(adhoc) hashes=1742+3 location=system
    Signature=adhoc
    Info.plist entries=16
    Sealed Resources rules=4 files=9
    Internal requirements count=0 size=12

(The Vidalia.app code signature verifies correctly)

But not TorBrowser.app:

    $ codesign -dvv TorBrowser.app
    TorBrowser.app: code object is not signed at all

The code signatures are not signed via using any certificate. I think a "codesign" build rule was inadvertently enabled.

May 21, 2012

From Jondo Forum Conceptual Questions and discussions:

Tor bundle ‘browser.cache.memory.enable’ will not stay reset

Not strictly a JD problem but when the Tor bundle (Vidalia 0.2.17) browser (Firefox 12) is opened and the exit is checked with IP Check ( http://ip-check.info/ ) it rates the Cache (E-Tags) as bad. Ok, so you do the thing and the rating changes to good. Next time you launch a Tor session the cache is enabled again. What's going on?

Checked the regular browser and it stays reset every session every time. Unless you’re aware of the problem you’re broadcasting your identity. Feels like a bug in the bundle?

The fix suggested is not available under windows?

May 22, 2012

Using Windows 7.

I downloaded the Tor browser update. When I change identity, then use duckduckgo ('cause that's what I saw on the Tor site) to find out "what's my ip" (I need to know where the ip is located and I need the IP # to ensure I don't use duplicate IPs in one session) I keep getting:

"IP [ip number] - Anonymous Proxy"

Only very rarely, maybe 1 out of 20 new identities, does it show a city/country.

I've tried editing the torrc to restrict exitnodes to specific IPs, and even when including StrictExitNodes 1, that's being ignored and I still get "Anonymous Proxy."

I have a lot of the IPs written down, which I know used to show locations, but now they aren't, they show "Anonymous Proxy" instead. I have others who use Tor-they as well as I-need to get an identifying location. No other search engine is showing me a location as well as duckduckgo has been able to.

What is the final recipient of my data seeing? "Anonymous Proxy"? I need for the final recipient to believe the data is coming from a real location, and not a proxy.

Also, I tried getting rid of the Tor Browser bundle and cleaning my registry, downloading the obfsproxy (obfsproxy is the actual product I'd like to use) and it's happening with that as well.

Can I get any kind of help on this issue? Sure would appreciate some enlightenment and maybe a way to get the identity to show a location - maybe someone can suggest a better search engine than duckduckgo?

Thanks in advance!

Just a guess, but I believe most of your exit nodes have had a Tor exit notice webpage, DirPort or something else listening on port 80 (HTTP) and DuckDuckGo determines whether to display "anonymous proxy" or a location based on that.

Note: the final recipient CAN potentially find out if you're using Tor, since the list of exit nodes is public info. No way around that other than chaining an additional proxy after Tor but I don't think there's a simple way to do that with Tor Browser Bundle.

To check which country your current exit node is located in: open up Vidalia's network map, load a page, watch which circuit in the list opens up new connections, then click on it and scroll to the last node shown on the right. You could also try other websites that show your location such as geoiptool.com (first result searching DDG for "geoip").

Thanks for the response.

Are you saying the final recipient does or does not see "Anonymous Proxy"? That's what I need to know :) Or does the recipient see just the IP?

FYI--this did not start happening until I downloaded the newest update for Tor Browser. Then I switched over to the obfsproxy and the same occurs there, when it did not the last time I had it downloaded.
I'd prefer to use the older versions if they are available.

And I'm also having trouble making the obfsproxy to NOT show up as my using Tor when I use the link supplied by your organization to test it: https://check.torproject.org/?lang=en-US&small=1&uptodate=1 . Why does that say I'm using Tor when obfsproxy is supposed to make it look like regular traffic, not Tor traffic? I understand the recipient can find out if I'm using Tor, but if using obfsproxy, something changes, right, so it looks more like regular traffic?

I haven't changed a thing, just downloaded the newer version(s) of Tor Browser, then deleted it and downloaded the obfsproxy, and still get the same "Anonymous Proxy" results. I never have both downloaded at the same time.

I'd prefer to use the obfsproxy so my traffic looks like regular traffic but can't get that link to ever say that I'm NOT using Tor.

Thanks so much for all your help and all the work you do :) .

As far as I know, by default they only see the IP address of the exit node, but depending on where the data ends up (say, website visitor logs, e-mail message headers) the IP may be checked for more info such as reverse DNS (which often has "tor" or "proxy" written all over it to help shift blame from relay operators in case of abuse) or if it has the HTTP port open, as proxies usually do (which is what I guess DDG does). Tor exits can also be automatically detected with the help of scripts using the public list.

Basically, any recipient could theoretically use at least the same methods as DuckDuckGo does to find out whether the IP should be called "anonymous proxy" or not — whatever those methods are more specifically.

Obfsproxy only attempts to hide Tor usage on your end of the circuit: from your ISP, a spying wireless operator, local proxies and routers etc. From the first hop onwards there is no difference to standard Tor, which also means there should be no difference in what the exit node or final recipient sees.

May 23, 2012

I downloaded the Tor Browser Bundle on Windows 7 but cannot open it.

What should I do? Can anyone help me?

Thank you

sandra

May 23, 2012

HOW TO CHECK OUTGOING TRAFFIC AND SOME SECURITY ISSUES!

Sometimes we have to configure some applications like yahoo messenger and other instant messengers or browsers with TOR, but we want to know some fool-proof method to know as to where our outgoing traffic is going and whether the application is currently routing the whole traffic through TOR or not.

When I configure any application, I rely on freeware tools like cports or PROCESS HACKER or PROCESS EXPLORER to see where my application is connected. Is it an authentic way to do the same?

1. Please give us some method to check all that. Most of the social activists are not well versed in techniques.

2. Why doesn't TOR or TAILS maintain connection to 4 or 5 nodes instead of just 3 nodes? I think that creating something to route the data through 4 or 5 nodes of different countries will be more secure because it will be more likely to be 100% anonymous over internet.

3. Today someone suggested to me a new TOR/TAILS based application called "AdvOR" or "AdvTOR" or "Advanced Onion Routing" which routes all our internet traffic to any number of nodes (subject to maximum of 10 nodes and that too all belonging to different countries). But since this AdvOR is not certified by you, nor by TOR, we can't rely on that because we can not believe in their claims unless duly recommended by your team. What's your take on it? If they can give us an option to set any number of nodes to route our traffic, why can't you do the same? You are doing a lot of hard work to ensure security of life and liberty to social activists and we want something more and more secure.

4. We have to use many addons on Firefox while using "TAils" and "TOR"; how can we know which addon is safe and doesn't reveal our real IP address?

The problem with TAILS is that it is based on linux which we generally do not use because we are using Windows operating system since our childhood.

Kindly discuss in detail as all the users of TAILS and TOR are supposed to read this thread. Discuss more and more in this thread (post).

5. Facebook has started blocking the profiles of users who are using TOR/TAILS due to constant change in IP address. They compel the users to verify their profiles with cellphone numbers which we can not do because giving cellphone number means giving each and every verified details of ours to facebook and we can be traced easily within a few minutes.

May 24, 2012

My Exit node seems to be:
Amunet5 (Online)
Location: United States
IP Address: 199.48.147.39
Platform: Tor 0.2.3.13-alpha (git-de73e3692a6d8377) on Linux x86_64
Bandwidth: 7.49 MB/s
Uptime: 42 days 13 hours 7 mins 59 secs
Last Updated: 2012-05-24 15:07:51 GMT

BUT torstatus.all.de shows:
You do not appear to be using Tor
Your IP Address is: 199.48.147.46

Can someone possibly explain this? Thank you.

199.48.147.39 is the IP address that Amunet5 listens on. 199.48.147.46 appears to be the IP address that Amunet5 makes *outbound* connections on.

This "multihome" approach, where big servers like Amunet have a bunch of IP addresses, is quite common.

If websites like torstatus.all.de just look through the list of IP addresses that Tor relays *listen* on, it will never know about 199.48.147.46.

Tools like TorDNSEL and the upcoming TorBEL (see https://gitweb.torproject.org/) aim to do active checks through each exit relay to see where the outbound connections come from, and then export that data at http://exitlist.torproject.org/. That's how check.torproject.org is usually able to recognize multihomed Tor exit relays.

Of course, there's always a small gap between when an address changes and when the exitlist lists it, so the system will never be perfect.
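The difference described in this reply, as an added example that is not part of the original thread: a checker that only knows relay listen addresses misses the multihomed exit, while one that reads the measured exit list catches it. The `ExitNode` / `Published` / `LastStatus` / `ExitAddress` line layout is an assumption about the exit-list export; the fingerprints, timestamps and the second relay are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the assumed exit-list layout. Only the two
# 199.48.147.x addresses come from the thread; everything else is made up.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000000
Published 2012-05-24 15:07:51
LastStatus 2012-05-24 16:02:00
ExitAddress 199.48.147.46 2012-05-24 16:10:12
ExitNode 1111111111111111111111111111111111111111
Published 2012-05-24 09:00:00
LastStatus 2012-05-24 16:02:00
ExitAddress 192.0.2.10 2012-05-24 16:11:40
ExitAddress not-an-ip 2012-05-24 16:11:41
ExitAddress 192.0.2.11 2012-05-24 16:12:03
"""

# What a checker sees if it only reads the addresses relays listen on.
LISTEN_ADDRESSES = {"Amunet5": "199.48.147.39", "example2": "192.0.2.10"}


def parse_exit_list(text):
    """Return {fingerprint: set of addresses outbound traffic was seen from}."""
    exits = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "ExitNode":
            current = parts[1]
            exits.setdefault(current, set())
        elif parts[0] == "ExitAddress" and current is not None:
            try:
                exits[current].add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address: skip the line, keep the relay
    return exits


def classify(client_ip, listen_addresses, exit_list):
    """Compare the naive listen-address check with the exit-list check."""
    ip = ipaddress.ip_address(client_ip)
    listen = {ipaddress.ip_address(a) for a in listen_addresses}
    return {
        "listen_address_match": ip in listen,
        "exit_list_match": any(ip in addrs for addrs in exit_list.values()),
    }


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for candidate in ("199.48.147.46", "199.48.147.39", "198.51.100.7"):
        print(candidate, classify(candidate, LISTEN_ADDRESSES.values(), exits))
```

For 199.48.147.46 the listen-address check says "not Tor" and the exit-list check says "Tor", which reproduces the mismatch reported in the question above.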

May 31, 2012

I downloaded Tor from this site & set it up. But I can not use it properly. Please give me using processes.