New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This release includes significant changes to Torbutton and its interaction with Firefox, along with many new Firefox patches, which are outlined below.

Very important: if you've been using a Tor Browser Bundle with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Extract the new bundles into their own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)
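
An added example (not Tor Project code) for the SOCKS+Control port change listed above: a small audit that compares the ports in a torrc with the SOCKS port in a Firefox prefs file, and flags the autoport setup this release moved away from. The function names and the sample torrc/prefs text are constructed for illustration; `SocksPort`, `ControlPort` and `network.proxy.socks_port` are the standard Tor and Firefox setting names.

```python
import re

# Ports the release notes say TBB now uses on every platform.
EXPECTED = {"SocksPort": 9150, "ControlPort": 9151}
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_torrc(text):
    """Return the SocksPort/ControlPort values from torrc text (int or 'auto')."""
    ports = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments
        if len(parts) < 2:
            continue
        for key in EXPECTED:
            if parts[0].lower() == key.lower():       # torrc keywords are case-insensitive
                value = parts[1].rsplit(":", 1)[-1]   # accept "127.0.0.1:9150"
                ports[key] = int(value) if value.isdigit() else value.lower()
    return ports

def parse_prefs(text):
    """Return {name: value} for pref()/user_pref() lines in a Firefox prefs file."""
    return {name: value.strip('"') for name, value in PREF_RE.findall(text)}

def audit_ports(torrc_text, prefs_text):
    """List mismatches between Tor's listeners and the browser's SOCKS proxy."""
    findings = []
    torrc = parse_torrc(torrc_text)
    prefs = parse_prefs(prefs_text)
    socks = torrc.get("SocksPort", 9050)              # tor's default when unset
    browser_port = prefs.get("network.proxy.socks_port")
    if socks == "auto":
        findings.append("SocksPort is auto: port is picked at startup, browser may race it")
    elif browser_port != str(socks):
        findings.append(f"browser proxies to port {browser_port}, tor listens on {socks}")
    for key, want in EXPECTED.items():
        have = torrc.get(key)
        if have not in (want, "auto"):
            findings.append(f"{key} is {have}, release notes say {want}")
    return findings

# Constructed sample inputs (not taken from a real bundle).
GOOD_TORRC = "SocksPort 9150\nControlPort 9151\n"
GOOD_PREFS = 'pref("network.proxy.socks", "127.0.0.1");\npref("network.proxy.socks_port", 9150);\n'
BAD_TORRC = "# old layout\nSocksPort 9050\nControlPort 9051\n"
BAD_PREFS = 'user_pref("network.proxy.socks_port", 9051);\n'

if __name__ == "__main__":
    for label, t, p in (("good", GOOD_TORRC, GOOD_PREFS), ("bad", BAD_TORRC, BAD_PREFS)):
        print(label, audit_ports(t, p) or "ok")
```

A browser pointed at a port Tor is not listening on fails closed with a proxy error rather than leaking traffic, so a mismatch here shows up as a broken browser, not as a bypass.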

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)
Anonymous

February 21, 2013


Hi bodies. I have used the flash bundle for 1 month. I am from Iran! Suddenly today the line connecting the relays in "view the network" changed to a bold line. I uploaded it and here is its link. Please look at it and tell me whether it is safe and normal or it is suspect and at risk.
http://i49.tinypic.com/k170vo.jpg
thanks

Looks fine to me. The network map page is actually *supposed* to have those green lines between relays on the map. But it only draws the lines when it knows where the relays are, and it has trouble guessing where the flash proxy bridges are.

Anonymous

February 21, 2013


I just updated to 2.3.25-4, overwriting my old files. Nothing worked until I removed the old folder (it would be good if the download page or the "There is an update" page contained a hint, not just the blog).
Now, I'm seeing a blinking yellow triangle in the onion icon of Tor Browser. What does that mean?
Vidalia's logs don't seem to contain anything special. Wireshark shows only torified traffic...

then why not have a HOW TO UPGRADE page? ffs i have to fuck about for hours scouring the net to find out how to keep my bookmarks? fucking shit program, cant it update itself and work??????????

lol i hear ur frustration man, it just happened to me last night :/
the program is security oriented, having an auto-update feature would just be another vector for attack

I have the same problem since last night when I updated to
tor-browser-gnu-linux-x86_64-2.3.25-4-dev-en-US.tar.gz

The yellow triangle keeps blinking and when the vidalia starts (Firefox ESR 17.0.3) it says there is a new update available.

I'm running Linux Ubuntu 12.04 (updated to date) 64 bit

It connects to all sites with no trouble anyway
I did set the bridges i received from tor and the problem still exists.

I don't know about others but I do the following.

- Create a folder "TBB", inside TBB create folder "2.3.25-4" (to store the zip file and signature file), "settings" (to backup the settings for the TBB i.e. bookmarks, about:config changes that need to be made with each new version) and "tor-browser_en-US" (this is the extracted folder from the zip file).

After doing that all I do is delete the old "tor-browser_en-US", verify the signature of the new package and extract a new "tor-browser_en-US" to the TBB folder and apply some settings that always are on to off, recover the bookmarks. In my specific case NoScript always comes out of the box allowing scripts globally, which I turn off, and then I just download CS cookie to handle the cookies and don't touch anything else.

Funny, after any update TBB complains that I need to update the system, even though it is brand-spanking-new, and after a few days it stops asking.

As for the blinking yellow triangle, it means we screwed up the "is there an upgrade" test at first. Then we applied a work-around, so the blinking yellow triangle should be gone. Until there actually is an upgrade available at least.

Anonymous

February 22, 2013


Does this TBB release have new system requirements (i.e. minimum supported versions of Windows/Mac OSX?) This info might be useful for new users or users who are upgrading.

Anonymous

February 22, 2013


I want to ask: if I fill the proxy box in the Tor settings panel with 127.0.0.1:9050, which means another Tor is running, will this method downgrade the security?

You are suggesting to send your Tor's traffic through another Tor running on the same machine? Proxying Tor through Tor will slow down all your traffic a lot. And I don't think it will improve your security any.

Anonymous

February 22, 2013


I deleted the old folder and moved my savedbookmarks folder only, the new TBB keeps flashing and reporting new updates. whats going on?

Anonymous

February 22, 2013


ok so i just deleted it and started again, no copy of files this time and hey guess what, yep you got it, the god damn thing still wants to update. whats going on?

Anonymous

February 22, 2013


1.) Just downloaded, verified and extracted this (GNU/Linux).

Cannot get it to run:
When I double-click on the 'start-tor-browser' file/icon, it just opens a text file.

2.) I had been successfully using tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz.asc

For the past several days, the message about a new version being available would always show at startup. But when I went to the download page, I never saw a newer version available.

Now, when this new version IS available, my old TBB no longer displays the new version alert!

What's going on?!

Anonymous

February 22, 2013


Tor Browser Bundle (2.3.25-4)
torb icon keeps blinking

Anonymous

February 22, 2013


Followup to previous post:

I noticed that "Make the file executable" was not checked, so I checked it.

Then, after double-clicking on "start-tor-browser", I got:

"Vidalia exited abnormally. Exit code: 126"

"Whatever [I] downloaded" was nothing other than this latest version of TBB that is the subject of this blog entry, directly from the Tor web site:
https://www.torproject.org/download

The file, to be exact, is:
"tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US.tar.gz"

I verified the signature.

(The previous post I referred-to was "647/18793")

This is the correct architecture, 32-bit, for my 32-bit system.

The previous version, "tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz", is still working for me (what I'm using to post now), as have all of the older versions for as back as I can recall. Both my hardware as well as software are the same.

The current release of Tails, 0.17, also works fine for me, as have the previous ones.

Okay, just after submitting my previous followup regarding "tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US.tar.gz", I figured-out what the problem was and corrected it.

I had extracted the file to the same FAT 32 volume that I had downloaded to and then copied and pasted the resulting folder to the home directory of the GNU/Linux system I am running.

I have now extracted the tar.gz file DIRECTLY to my home directory, and was able to launch and run the new TBB without incident thus far.

Anonymous

February 22, 2013


I just downloaded tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US.tar.gz. On the first run, it tells me that I need to download an update. While I like the notification, is there some way to turn it off when it is in error?

Anonymous

February 22, 2013


Emsisoft, current release, has flagged the tbb-firefox.exe with Gen:Variant.Kazy.31094

Sent to them for review.

Virus Total finds 1/41; F-Secure rather than Emsisoft this time.

Zen

Anonymous

February 22, 2013


Downloaded 2.3.25-4

Bitdefender 2013 says virus in the tbb-firefox.exe

Gen:Variant.Kazy.31094

Anonymous

February 22, 2013


i wish you would stop this gawd damn thing flashing at me before i throw it out the f'ing window. torbutton whats going on?

If you dont sort it today then i'll be having a word with Beelzebub and you wouldn't want that would yer!!!

Anonymous

February 22, 2013


If you want something done then you've just gotta do it by yerself.

flashing torbutton update requests

about:config

extensions.torbutton.updateneeded
toggle to 'false' results in annoyingly flashing torbutton being turned off.

Not that I had the flashing torbutton problem myself, but I just checked that setting and mine is already set to false, which is its default setting, so has it been disabled by default in the last few days?

Anonymous

February 22, 2013


My antivirus software has detected Variant.Kazy.31094 in tbb-firefox.exe (v2.3.25-4). Might be false alarm as it seemed to be last year.

Anybody else having this issue?

Anonymous

February 22, 2013


FSecure's saying tbb-firefox is infected with Gen:Variant.Kazy.31094

Surely just a false positive, but you ought to be informed

I also have that problem.
Bit Defender destroys tbb-firefox as soon as I decompress the bundle.
Previous versions run without any problem but of course they immediately warn me about the update I need to install.

Anonymous

February 22, 2013


The latest TBB for Linux has a bug where Torbutton always flashes saying TBB is out of date when I am running the latest version.

Anonymous

February 22, 2013


Are the browser bundles clean? When I ran the new alpha bundle I got a virus.

Anonymous

February 22, 2013


Thanks!
Version 2.3.25-4 - Windows 8, 7, Vista, and XP:

torrc: SocksPort 9050

but

TorButton Proxy Settings: port 9051

so that didn't work :)

Anonymous

February 22, 2013


I have been using TOR for a while now with no issues. However, today after I ran the previous version it notified me to download the latest version because of security issues. So I downloaded and installed Version 2.3.25-4 for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches and after about 12 seconds Vidalia control panel just closes.

I tried reinstalling it and the same thing keeps happening. Any ideas?

I get this exactly on my Windows 8 64-bit as well. I'm pretty sure it's down to the new Firefox 17 included. Does anyone know where I can get the last version containing Firefox 10?

I have Firefox 19 general release installed, I wonder if it is having an effect?

I'm on win XP 64-bit (because I'm old) and having the same issue with the new release.
I initially overwrote the previous installation, but have since tried deleting the directory and starting from scratch. The browser just won't launch. Seems like all the previous comments are from 64-bit windows users also.

Little help?

exact same thing, here, usin win 7 64 bit as well.. vidalia boots up and says im connected but the browser doesnt appear, and then when i force it to open by going into the bundle folders whenever i try to connect to something it gives me an error message saying "the proxy server is refusing connections"

Win7/64 bit here as well. Vidalia control panel opens up fine and connects to Tor, but when I open the browser I also get "proxy server is refusing connections". Any help would be greatly appreciated.

The problem still persists:
"unable to find proxy server"
"Firefox is configured to use a proxy server"

Changing the network advanced settings for Firefox to No Proxy or Automatic makes no difference.

I just looked it up and here DoNotTrack is enabled by NoScript by default; it is not enabled by Firefox.

The only question I may have is what happens if I turn both on?
Would they create a conflict?

Don't know. Does anybody know how to test that?