New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

by erinn | March 14, 2013

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Comments

Please note that the comment area below has been archived.

March 14, 2013

I downloaded and installed the latest update - Tor Browser Bundle (2.3.25-5), and after re-starting, the "Are you using Tor?" page still says "There is a security update available for the Tor Browser Bundle.". I re-downloaded and installed again and still get that message. I checked the dates on the various updated files and they all have 3/12/13. Seems this has happened before, but can't recall what fixed it.

March 15, 2013

After installing the new version I still get

"There is a security update available for the Tor Browser Bundle."

March 15, 2013

Add me to the list of still getting the message there is an update. Just to be sure, I checked the versions of all the programs update to and they all check.

March 15, 2013

Tools / Options / Advanced / General / Browsing

[x] check my spelling as i type

Who checks my (secret) spelling as I type, and why?

It is good for your security to have your spelling mistakes pointed out to you. One way to identify who has written something is to look for certain, recurring misspellings.

It is not a human that does this, but the browser software, of course.

March 15, 2013

Before this and the previous stable release, the Tor Browser had its own icon and was grouped itself - please bring this back. Aside from being a bit of a PITA, it allows for the possibility of mistakenly bringing up the regular browser. It goes without saying, that wouldn't be good.

Using Ubuntu 12.10 x64

March 15, 2013

What's the point of allowing users to enable plugins? They may as well stop using Tor Browser if they don't need anonymity. Disabling all of NoScript's hardening measures only expands attack surface for browser exploits. With each new version Tor Browser gets increasingly more dangerous for users who don't adjust their settings manually and go with the default config, it will inevitably lead to a massive security disaster someday.

Well I guess the logic goes like this: you wish to watch a kinky video on YouTube, and you just can't help against the site (i.e. Google) knowing that you are watching that video, but you are still interested in not announcing it to your employer whose network you are using. Even with vulnerable plugins, but Tor still keeps all sorts of middlemen unaware of what you are doing.

And you can disable them as you wish.

March 15, 2013

Where does one download the Tor Browser Bundle (2.4.11-alpha-1)? You can download the 2.3.x version from the Downloads page, but not the 2.4.x version.

Also, when will 2.4.11-alpha be available in the torproject RPM repo for RHEL/CentOS 6?

March 16, 2013

any hope for flashproxy-pyobfsproxy new version?

March 16, 2013

I am a little nervous about trying any TBB since last time I did my computer got infected with a virus after I unpacked the file. I had a heck of a time cleaning out the virus! Is the TBB safe and clean?

That might have been a false positive. One recent version of TBB triggered, I think, two different anti-virus programs (claiming the same kind of virus). The anti-virus companies looked into it and concluded their virus definition file was wrong and fixed it a few days later (iirc).

Of course, make sure you are downloading TBB from "torproject.org" over an HTTPS encrypted connection (https://).

SSL/HTTPS has been shown time and again to be quite vulnerable and should not be considered a substitute for properly verifying a download by using the digital signature.

"my computer got infected with a virus after I unpacked the file."

/If/ the TBB download really was to blame, then it must have been rogue. Did you verify the signature?

March 16, 2013

I had the same problem with recurring update prompts, but it went away the next day I started the browser.
The problem that remains is with https sites that do not have valid certificates. There seems to be no way to store an exemption permanently as that box is grayed out. And there seems to be no way to change private browsing mode for the same reason: grayed out.
It's a PITA to have to confirm exemption every time logging on to a site.

I have a suggestion for making things simpler for people who log on to https sites that they know well, but that do not have valid certificates - a setting in tools that once set, skips the security certificate query.
That way, no personal data need be stored, i.e. no "exceptions".

Imagine this scenario: Secret police search your pockets and find a USB key. They find TBB on it. They check to see what certificates it has saved. Now they know some of the places you browse.

March 16, 2013

No problems here with the latest alpha update. Running Windows 8 Pro 32-bit. No virus reported. Using Avira Free, heuristics set to 'high'.

March 17, 2013

After install I have to adjust so many settings manually to improve security that I need a to-do list!!!

Well don't.

Any change in the setting you make will decrease your anonymity, so keep the changes to a minimum.

Really, the only change worth doing is disabling JavaScript using NoScript. This will also decrease your anonymity, but will increase security against exploits.

Firefox
- Disabling Java
- Activate I do not want to be tracked
- Use custom settings for History and then disabling Accept cookies from sites
- Override automatic cache management: Limit cache 0MB of space

Firefox about:config
browser.cache.disk.enable; false
browser.cache.memory.enable; false
extensions.torbutton.banned_ports; 8118,8123,9050,9051,9150,9151
network.security.ports.banned; 8118,8123,9050,9051,9150,9151

Noscript
Disable Script Globally Allowed
Activate Forbid Java
Activate Forbid Adobe Flash
Activate Forbid Microsoft Silverlight
Activate Forbid Other plugins
Activate Forbid @font-face
Activate Forbid Audio/Video
Activate ABE

Installing plugin RefControl

Take a look at http://ip-check.info/?lang=en

March 17, 2013

My Slitaz Live CD still uses gtk+ 2.16.5 and there's no way for me to upgrade gtk+ as this would mean to rebuild practically the entire distribution from scratch. Unlike TBB 2.3.25-2 this latest version of TBB no longer works for me because once again (it has happened before) someone has built the package using a later version of gtk+ ...

libxul.so: undefined symbol: gtk_widget_set_can_focus

... and I'm wondering why? Shouldn't TBB function in the greatest possible number of environments? Unless there are security issues with older gtk+ versions I see no reason why you are using a version that leaves some of your users behind. Firefox 17.0.4esr works perfectly on my computer. If Mozilla can do it, why can't the Tor-Project?

I think the Tor-Project should be using a well specified, standardized build-box to produce its browser bundles so that the outcome no longer depends on who happens to run the build procedure. It would also be a good idea to publish minimum requirements together with the change log for each new TBB.

March 17, 2013

I noticed that NoScipt is not enabled by default in this version. I don't get that. Scripts are flagged in the usage guidelines as being potentially dangerous, but the system inside Tor Browser designed to keep them at bay is disabled unless you enable it?

What about people who believe what it says on the Tor download page about the Browser Bundle being "ready to go"? Correct me if I'm wrong on something here, but really - where's the logic in that?

Disabling JavaScript using NoScript is not required to make Tor Browser safe. Tor Browser includes its own patches and special configuration that blocks the dangerous parts of JavaScript, while still allowing the safe JavaScript to work.

Disabling JavaScript altogether breaks many more sites than it needs to. This is bad for the less computer literate users.

You're wrong. TBB is safe and *meant* to be used with NoScript to globally allow all scripts. This issue comes up, well, at least once every week.

I think TBB should launch a window explaining all the FAQ's people post here without doing a simple search on the topic before they post . . . [rolls eyes]

"I noticed that NoSc[r]ipt is not enabled by default in this version."

NoScript /is/ enabled but set to enable scripts globally. This is addressed in the FAQ:
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

(NoScript still provides at least /some/ protection with this setting.)

This is how it's been in TBB for as long as I can recall. What was the last version of TBB you tried?

March 17, 2013

Wow. I just clicked on a youtube video and it played.

Is this a bug or a feature?

Did I lose anonymity?

Could be life-threatening for me.

I'm using

tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz

Hope this is the right place to post this...

OK, it looks to be related to recent change:

"...
Firefox patch changes:

Remove "This plugin is disabled" barrier
This improves the user experience for HTML5 Youtube videos:
They "silently" attempt to load flash first, which was not so silent
with this barrier in place. (closes: #8312)
Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)

..."

Recently work has been done towards supporting HTML5 video (which unlike flash video is safe to use inside Tor Browser). At least some videos on YouTube work using HTML5 too, without flash.

See the changelog posted at the top of this thread for more information.

March 17, 2013

Maybe you can tell us the reason why you can't or don't want to support PowerPC Macs …

Do you think that these machines will stop their work soon, or what?

March 18, 2013

Can anybody tell me why I keep getting a warning ("external application needed...") every time I try to download a file by right-clicking on the link and selecting "Save link as"? I'm using the latest official version of TBB.

I'm not talking about opening the file in the browser, only downloading. It's scary because it happens most of the time, but not always, even with the same file. It simply makes no sense.

Opening the file in the browser is safe. Downloading means you have to open the file with another application (external application), which may not be safe.

For example, say you download a .mp3 audio file. This should be safe by itself, but when you later start playing this file in your media player, your media player might think it is a good idea to download additional metadata for this .mp3 file (look for artist/album info, cover image, song lyrics, etc). Your media player is an external application, and will not be using Tor. And anyone observing your connection can see you have this file.

Make sure to either configure your external applications so they do not use the Internet, or use the Tails live system or similar, where someone has done the configuration for you.

Not really. Actually opening a file in the browser might be dangerous, if it is done by another application (i.e., the browser doesn't play video files by itself, even if it displays the output).

Instead, downloading should actually be safe, as long as the user right-clicks and selects "save files as". There's really no reason why TOR should display the "launch application" warning in this case, especially if one is using TBB, which should already be safely configured.

I found many other users complaining about the same problem.

March 18, 2013

I think torproject disabled NoScript and enabled "Flash" because the TBI OWNED TBB, or maybe I am wrong? And how many relays / nodes / servers are HONEYPOTS?

NoScript is not disabled, but safe JavaScript is allowed.

Flash *is* disabled. If it isn't for you, it is a bug, report it.

Tor is designed to keep its anonymity properties even if there are a few "honeypots".

March 18, 2013

TOR Internet connection was working fine in version 2.3.25-2 with the Internet connection selection set to “Manual proxy configuration” and Socks: 127.0.0.1 set to port 9050.

After installing either of releases -4 and -5 the TOR browser will not allow connection to the Internet, and gives the message: The proxy server is refusing connections.

After running Test Settings from the TOR Button, the test is successful.

Attempting to connect to the Internet gives the message:
What changed from -2 to -4 and 2 to -5 to cause the connection to stop working with settings that worked in version -2?

I had the same problem, and the reason was that I had edited my torrc file.
Solution:
Check the torrc file you are using.
Make sure that your file has these values:

  1. ControlPort 9151
  2. SocksPort 9150

If not, edit them after you have stopped Tor in the Vidalia Control Panel.
Then try again.

Hope this advice was useful to You.

I got the same problem, and this does NOT fix it (my torrc was downloaded with the package, and contains the correct ports).
Anyone has a suggestion? Someone can indicate which programs are supposed to be running, and where they are supposed to be listening?
Thanks
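
The mismatch discussed in this thread (browser proxy set to 127.0.0.1:9050 while the bundle's torrc sets SocksPort 9150 and ControlPort 9151) can be checked with a short script. This is an added example, not part of the original comments or of the Tor Browser Bundle; the sample torrc text and the function names are constructed for illustration, and the 9050 fallback is Tor's built-in default SocksPort.

```python
import re
import socket

# Constructed torrc holding the two values quoted in the comment above.
SAMPLE_TORRC = "ControlPort 9151\nSocksPort 9150  # bundle value\n"

def torrc_ports(text):
    """Map 'SocksPort'/'ControlPort' to the numeric ports set in torrc text."""
    ports = {"SocksPort": [], "ControlPort": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r"(SocksPort|ControlPort)\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        key = "SocksPort" if m.group(1).lower() == "socksport" else "ControlPort"
        port = m.group(2).rsplit(":", 1)[-1]           # accept "address:port"
        if port.isdigit() and int(port) > 0:           # skip "auto" and 0 (disabled)
            ports[key].append(int(port))
    return ports

def probe_socks5(host, port, timeout=2.0):
    """Return 'socks5', 'closed' or 'other' for whatever answers on host:port."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                                # nothing accepted the connection
    with conn:
        try:
            conn.sendall(b"\x05\x01\x00")              # SOCKS5 greeting offering "no auth"
            reply = conn.recv(2)
        except OSError:
            return "other"
    return "socks5" if reply == b"\x05\x00" else "other"

def diagnose(torrc_text, browser_port, probe=probe_socks5):
    """Compare the browser's SOCKS port with torrc, then probe each SocksPort."""
    # With no SocksPort line, Tor falls back to its built-in default of 9050.
    socks = torrc_ports(torrc_text)["SocksPort"] or [9050]
    findings = []
    if browser_port not in socks:
        findings.append("browser uses %d but torrc SocksPort is %s"
                        % (browser_port, socks))
    for port in socks:
        findings.append("127.0.0.1:%d %s" % (port, probe("127.0.0.1", port)))
    return findings

if __name__ == "__main__":
    # 9050 is the manual proxy port from the original question in this thread.
    print("\n".join(diagnose(SAMPLE_TORRC, 9050)))
```

A result of `closed` on the torrc SocksPort means Tor itself is not listening there, which is a different fault from the browser pointing at the wrong port.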

March 19, 2013

Control port is strict and the same not automatic on the last two Linux TBB versions so it prevents the starting of two TBB simultaneously with default settings, is it because of the bug?

March 19, 2013

Windows 7 64
Tor Browser Bundle (2.3.25-4) has been working for 2 weeks but today tor connects and starts firefox port but it closes immediately. I disabled antiv and set exclusions same behavior. Close all non essential programs same behavior. I downloaded alpha same behavior. I tested an old version of the tor-browser firefox port 3.6 and it runs

Thoughts

March 20, 2013

You should add Cryptocat to the list of default addons in TBB. It's really a match made in heaven: CC encrypts and anonymizes the chat conversation, TBB obfuscates the IPs of the participants.

March 25, 2013

Just downloaded the new tbb, my configure controlport automatically is already unchecked and the port is automatically 9151. Is this ok? I am trying to torify my bitcoin app. Is there any beginner's guide to this new version of tbb?

Thanks

March 29, 2013

Why is TBB's version of Firefox a lot slower than normal Firefox?
(even when both use the same profile)
Does anyone else have this (slow) problem?
Thank you.

If you mean the time it takes pages to load, then the answer is probably simply the bouncing between nodes that is the very function of Tor itself.

No, I mean TBB is slower than (Tor + normal Firefox).
On my system, TBB's version of Firefox needs +10sec to start up,
and normal Firefox needs +5sec to start up.

Me too.
When I open a local html file (written by myself) in TBB it scrolls soooo slowly.
Opening the same file in normal firefox (with more addons) it scrolls fast and nice.
What gives?

March 31, 2013

Hi, is it safe to attach files or pictures to an email you are sending from a webmail client? Or can the attaching of files to an email (through tor) lead to revealing of your IP to the webmail server (such as gmail?)

When you attach a file to an email, the little windows explorer opens up and you look through your computer to find the file. Gmail then spends a couple of seconds uploading the file to the actual email. Can this uploading of a file to an email reveal identity? Or does this uploading (attaching files to an email) also happen through the tor network and is 100% safe?

The upload should happen through Tor, but that still doesn't make it 100% safe. (Not least because Tor is far from being "100% safe".) You should check your files carefully for potentially deanonymizing meta-data. A lot of cameras these days automatically tag images with GPS data, for instance. With that said, barring any metadata-associated privacy leaks, sending pictures via Gmail over Tor is likely no riskier than sending plaintext emails via Gmail over Tor.
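
The metadata check suggested above can be done before uploading. The following is an added example, not part of the original comments: it reads a JPEG's EXIF header using only the Python standard library and lists any GPS tags it finds; the sample image bytes and the function names are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS IFD
GPS_NAMES = {0: "GPSVersionID", 1: "GPSLatitudeRef", 2: "GPSLatitude",
             3: "GPSLongitudeRef", 4: "GPSLongitude", 5: "GPSAltitudeRef",
             6: "GPSAltitude", 7: "GPSTimeStamp"}

def exif_tiff(jpeg):
    """Return the TIFF blob of the first APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: headers are over
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None

def gps_fields(jpeg):
    """Names of the GPS tags embedded in a JPEG; empty list if there are none."""
    tiff = exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return []
    order = "<" if tiff[:2] == b"II" else ">"   # TIFF byte-order mark

    def read_ifd(offset):
        # An IFD is a 2-byte entry count followed by 12-byte entries.
        (count,) = struct.unpack_from(order + "H", tiff, offset)
        return [struct.unpack_from(order + "HHII", tiff, offset + 2 + 12 * i)
                for i in range(count)]

    try:
        (ifd0_offset,) = struct.unpack_from(order + "I", tiff, 4)
        for tag, _type, _count, value in read_ifd(ifd0_offset):
            if tag == GPS_IFD_POINTER:
                return [GPS_NAMES.get(t, "GPS tag 0x%04x" % t)
                        for t, *_ in read_ifd(value)]
    except struct.error:
        raise ValueError("truncated or corrupt EXIF data")
    return []

def sample_jpeg(with_gps):
    """Constructed header-only JPEG: SOI, one APP1/Exif segment, EOI."""
    if with_gps:
        ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
        gps = struct.pack("<HHHI4sI", 1, 1, 2, 2, b"N\x00\x00\x00", 0)
    else:
        ifd0 = struct.pack("<HHHIHHI", 1, 0x0112, 3, 1, 1, 0, 0)  # Orientation only
        gps = b""
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(body) + 2) + body
    return b"\xff\xd8" + app1 + b"\xff\xd9"

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, gps_fields(sample_jpeg(flag)))
```

An empty list only means no EXIF GPS block was found; other formats and other metadata fields need their own checks.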

March 31, 2013

Ever since upgrading to FF 17 ESR bundle (now on 17.0.4) my fonts seem to be readable. Never had this problem with the older bundles. This is all according to ip-check.info. Any information on this?

April 02, 2013

Firefox ESR 17.0.5 is out, ONLY Security fix

Changelogs:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Fixed in Firefox ESR 17.0.5
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)