Tor Browser Bundle 3.0alpha2 Released

by mikeperry | July 1, 2013

The second alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive.

In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone. They have been independently reproduced by at least 3 public builders using independent machines, and the Tor Package Archive contains all three builders' GPG signatures of the sha256sums.txt file in the package directory.

To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha2-release (commit c0242c24bed086cc9c545c7bf2d699948792c1e3). These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!
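
One way to check a local build against the published sha256sums.txt, as an added example that is not part of the original post or the Tor Project's tooling. It assumes the file uses the standard `sha256sum` line format (`<hex digest>  <file name>`); the function names and the bundle file names in the constructed sample are hypothetical.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse sha256sum-style lines ("<digest>  <name>") into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        digest, name = digest.lower(), rest[1:] if rest[:1] in (" ", "*") else rest
        # Reject non-hex digests and names that contain a path component.
        if (len(digest) != 64 or not set(digest) <= HEX
                or not name or os.path.basename(name) != name):
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = digest
    return entries


def compare_build(manifest_text, build_dir):
    """Map each manifest entry to 'match', 'MISMATCH' or 'missing'."""
    result = {}
    for name, digest in parse_sha256sums(manifest_text).items():
        path = os.path.join(build_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        result[name] = "match" if actual == digest else "MISMATCH"
    return result


def demo():
    """Constructed sample: three released files; locally one differs, one is absent."""
    released = {"bundle-linux.tar.xz": b"linux build",
                "bundle-win.exe": b"windows build",
                "bundle-mac.zip": b"mac build"}
    local = {"bundle-linux.tar.xz": b"linux build",
             "bundle-win.exe": b"windows build + embedded timestamp"}
    manifest = "".join("%s  %s\n" % (hashlib.sha256(d).hexdigest(), n)
                       for n, d in released.items())
    with tempfile.TemporaryDirectory() as build_dir:
        for name, data in local.items():
            with open(os.path.join(build_dir, name), "wb") as f:
                f.write(data)
        return compare_build(manifest, build_dir)
```

Run the comparison only after checking the builders' GPG signatures on sha256sums.txt, since that file is what the signatures cover.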

In the coming week or two, I will be writing a two-part blog series explaining why this is important and describing the technical details of how it was accomplished. For now, a brief explanation can be found on the Liberation Technologies mailing list archive.

ChangeLog

  • All Platforms:
    • Update Firefox to 17.0.7esr
    • Update Tor to 0.2.4.14-alpha
    • Include Tor's GeoIP file
      • This should fix custom torrc issues with country-based node restrictions
    • Fix several build determinism issues
    • Include ChangeLog in bundles
  • Windows:
    • Fix many crash issues by disabling Direct2D support for now.
  • Mac:
    • Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+
  • Linux:
    • Use Ubuntu's 'hardening-wrapper' to build our Linux binaries

The complete 3.0 ChangeLog now lives here.

Major Known Issues

  1. Windows XP users may still experience crashes due to Bug 9084.
  2. Transifex issues are still causing problems with missing translation text in some bundles

Comments

Please note that the comment area below has been archived.

July 01, 2013

Permalink

"In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone."

That is huge. Thanks and congratulations.

July 02, 2013

Permalink

What's the best way to use a system-wide, already running tor process for the new TBB?

Also, congratulations on the deterministic builds!

July 03, 2013

Permalink

Hi, I'm using a discontinued version of Ubuntu Karmic. So far I have not had problems with it running Tor.

But from alpha version 3.0 I get this error:

    Launching Tor Browser Bundle for Linux in /home/sistem/src/tor-browser_es-ES
    XPCOMGlueLoad error for file /home/sistem/src/tor-browser_es-ES/App/Firefox/libxpcom.so:
    libxul.so: cannot open shared object file: No such file or directory
    Couldn't load XPCOM.
    Tor Browser exited abnormally. Exit code: 255

July 03, 2013

Permalink

That really is huge. The people directly responsible for that should get recognition.

July 03, 2013

Permalink

I'm not sure how to act as a relay with 3.0 if Vidalia isn't included. Are there instructions somewhere?

July 04, 2013

Permalink

Hi Mike,

appears that
$4B3FED31069ED28808DF32570BF58058E1915F47
IP 37.143.8.189
hands out forged certificates for Wikipedia.

Issued to:
CN *.wikipedia.org
Serial number B0:06:A1:A3

Issued by:
main.authority.com

Issued On:
2013-06-24

Fingerprint:
SHA1 FB:33:6A:CC:0B:EE:CA:28:78:79:A1:2B:FF:2F:B2:A2:D3:F1:F0:34

July 04, 2013

Permalink

Hi Mike,

just rechecked 37.143.8.189 and got the correct Wikipedia certificate.
Seems exit nodes might have changed a moment before I checked Vidalia and therefore the forged certificate cannot be attributed to 37.143.8.189.

July 04, 2013

Permalink

Hi Mike,

this time I can confirm that it is indeed 37.143.8.189 who hands out the forged Wikipedia certificate. This time I checked while the connections to Wikipedia were still open, pending certificate approval,
and the exit node was 37.143.8.189.

Previously after the certificate notification had shown up for the first time, I re-checked the exit node with the dot exit notation which gave me a correct Wikipedia certificate.
So it appeared the initial attribution of the forged certificate to this exit node was by mistake, but the recurrent certificate notification gave me the opportunity to confirm that the initial attribution was correct.

July 04, 2013

Permalink

I'm using Windows XP and I confirm that Tor Browser Bundle 3.0 Alpha 2 crashes on startup due to bug 9084. :(

Is _vsnprintf_s required only by the Tor patches? Because the "vanilla" Firefox built by Mozilla works fine on my machine.

July 04, 2013

Permalink

"Remove Vidalia; Use the new Tor Launcher Firefox Addon instead"

Please provide at least one Bundle version with Vidalia.
Thank you

July 04, 2013

Permalink

Maybe semi off-topic, but TAILS has closed its forum:
disc volume name changed without mounting the disc.

Has anyone seen this strange behaviour, too?

July 05, 2013

Permalink

It crashes on win8-64 a few seconds after start.
IRC says it does not work on Win8.

If that is "officially" so, mention it here, please.

July 07, 2013

Permalink

A small usability issue:

I was browsing a website with the 3.0a2 bundle, and after a while, my tor exit changed to one that had been banned from the website. When I used the tor button to get a new identity, the browser was restarted without any of the tabs that I had open.

My initial reaction was that changing my tor identity shouldn't close all my tabs. However, after thinking about it, changing identities without closing the page may reduce my anonymity, which would mean that it might be necessary for the new identity function to remain the way it is.

If possible, could a warning that changing the identity will close all tabs be added to the button? Or maybe an option to reduce anonymity and keep the tabs?

Thanks

July 21, 2013

Permalink

Used the EN .exe Tor bundle 3.0 alpha 2. It returns an error that Firefox is already running and I need to terminate the process first. Task Manager shows no other instances running when I click the link, but starts an instance itself. Running Windows 7 Ultimate on a VirtualBox VM, version 4.2.16. Installed browsers are Comodo Ice Dragon, Comodo Fire Dragon (part of the premium internet security package) and Opera.

July 25, 2013

Permalink

I download the browser bundle, and when I start the computer a message tells me that it is obsolete.

July 29, 2013

Permalink

I have a problem with Facebook login: they tell me that I'm logging in from other countries. How can I solve this problem?

August 03, 2013

Permalink

Why would this take screen shots when running? It freezes and greys out and windows 7 says it is not responding. Zemana Antilogger pops up and says it is trying to take a screen shot, but it did this hanging before I installed Zemana.

I got my own screen shot of the 3.0alpha2 hanging with Zemana popup and more info (1999 date? why?) I'll do a fresh download and try again.

The same with a fresh download. The 3.0alpha2 browser window will hang for some time, turning grey with a (not responding) notice and then after about a minute or more resume normally. During this time Zemana Antilogger will popup saying firefox.exe is trying to take a screen capture.

Can anyone duplicate this? I've run and run antimalware programs by following the directions at majorgeeks.com. Nothing found. So could it be a bug? It can't be a conflict with Zemana because it was hanging before installing Zemana.

From the Event Log:

The program firefox.exe version 17.0.7.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

That could be because I tried blocking it in Zemana though. Apparently there are no events when it just hangs for a while and it is allowed by Zemana. Any suggestions?

Well, the only way to proceed with caution would be to unplug or do a fresh install.

I also have the 6/23 version of TBB installed and used that before 3.0alpha2
but never went to any .onion sites with it I don't think and never ever went to any Freedom Hosting sites. If that Firefox vulnerability infected the machine, maybe it was able to take screen captures of any browsers running with Tor connection, even 3.0alpha2 despite its browser being secure.

I know nothing about this stuff so any tests or ways to check would be welcome or I'd be glad to upload files for examination. The TBB screen would also freeze with a (not responding) notice. Zemana only caught it that one day and hasn't alerted since. Lucky I got that screen shot. I'll upload it too if asked.