New Tor Browser Bundles with Firefox 17.0.11esr and Tor 0.2.4.18-rc

by erinn | November 19, 2013

Firefox 17.0.11esr has been released with several security fixes, and the stable and RC Tor Browser Bundles have been updated.

There is also a new Tor 0.2.4.18-rc release and the RC bundles have been updated to include that as well.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-15)

  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)

Tor Browser Bundle (2.4.18-rc-1)

  • Update Tor to 0.2.4.18-rc
  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Remove PDF.js since it is no longer supported in Firefox 17
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)

Comments

Please note that the comment area below has been archived.

November 19, 2013

@ erinn

In previous posts, I asked whether there was communication and co-ordination among developers of Tor and Tails. I was assured there was.

This post of yours is evidence that there is none. The current version of Tails, which is 0.21, does not include TBB 2.3.25-15. The next release of Tails is scheduled for December 11, 2013.

Tell me, erinn, what shall Tails' users do in the interim?

Oh, by communication you meant that Erinn shouldn't announce her releases until Tails announces theirs? I think that's a poor plan -- the new Firefox ESR is out and public, so the clock is ticking either way.

November 19, 2013

In reply to arma

@ arma

Let me rephrase and simplify my earlier post.

Should users continue using Tails 0.21?

November 19, 2013

In reply to arma

Perhaps it would avoid confusion and preempt questions if Erinn were to add a statement like "an updated tails release will follow shortly" to the release announcements?

In any case thanks for the prompt Tor Browser update.

November 20, 2013

In reply to arma

Is it SAFE for us Tails' users to continue using Tails 0.21? I use Tails every day.

Your prompt response to the above question is much appreciated.

November 21, 2013

In reply to arma

@ arma

(note: I submitted a reply two days ago and apparently it was deemed inappropriate and was censored. I do not see why it should not appear on this page.)

Let me re-phrase and simplify my earlier post as follows:

Should users of Tails continue using Tails 0.21, knowing that it does not contain the latest version of Iceweasel 17.0.11?

Or to phrase it in another way, is it SAFE for users of Tails to continue using Tails 0.21?

November 19, 2013

How close are we to upgrading the main TBBs to run with Tor 2.4.x? It is likely that 2.4.x contains a higher degree of security than 2.3.x, especially with the new handshake protocols, and these TBB releases seem to work pretty well. What's the timeline of the 2.4.x release?

November 19, 2013

I'm getting a bad signature when trying to verify the bundle
Erinn Clark
63FEE659
8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

November 20, 2013

Thanks for this great work!
Why don't we use Firefox release 24.1.1esr from 2013-11-15?
I'm glad to see and try "Pluggable Transports Tor Browser Bundle".
But I'm asking why Privoxy is not inside the bundle?

Best Regards
MrWhite

I don't believe Privoxy has ever been a part of Tor Browser Bundle, although it was once a part of the Vidalia Bundle. Something called Polipo was included when Firefox contained a bug which caused connections through Tor to time out. That's been long since fixed, so there's no need for something like Privoxy or Polipo to use Tor.

November 20, 2013

@erinn

So glad the team is so responsive to propagating updates into TBB. Would it be possible to aim to standardize this practice across all TBB releases?

I imagine many users understand the alpha-->beta-->RC-->stable convention for releases and I can sympathize with the huge diversity of platforms the project supports, but the current set of builds makes the distinction a bit confusing:
* TBB 0.2.3.25-15, with latest FF and NoScript but a version of Tor that has remained "stable" for a bizarrely long time despite arma and nickm's comments about its handshake making it almost functionally deprecated
* TBB 0.2.4.18-rc1, which contains what's called a rc of tor that most users--and as far as I can tell, developers--are treating as stable code...especially in relation to the current "stable" build
* TBB 3.0-b1, which currently contains the OLD FF/NoScript and a slightly older version of tor itself but which isn't made easily accessible to users who don't follow the project's e-mail and announcements carefully

For modular components like tor itself, NoScript, and Firefox, it might be ideal to propagate updates to all TBB releases simultaneously. Encouraging as many TBB users as possible to converge on the latest FF/NoScript code in whatever flavor of TBB they use seems important from both a security standpoint and an anonymity standpoint. Vulnerabilities fixed in 17.0.11esr could be used to exploit the minority of TBB 3.0beta1 users without those patches, but to the extent other users running updated releases can be identified as non-vulnerable, their anonymity is also potentially reduced when component updates into different TBBs are staggered.

November 22, 2013

Today with 2.3.25-15_en-US.

Status: Connected to the Tor network!

Message log: the usual stuff (100%).

'Sorry. You are not using Tor.

Your IP address appears to be: 72.52.91.19'

Not mine, by the way.

And it crashes often in multi-tab-use as well as -14 does.

November 23, 2013

Do the Tor Browser Bundles use Perfect Forward Secrecy (PFS)? If no, do they need to or is PFS dependent on the individual website being viewed and not the browser?

November 24, 2013

I JUST d/l'd tor browser bundle 17.0.11 and thought I'd check the NoScript "Allow Scripts Globally" default setting. uhh...guys....it looks like scripts are allowed globally by default...if I'm reading this right. I pulled a screenshot (this is for Debian 6.0.8 Linux Kernel 2.6.32-5-amd64 Gnome 2.30.2) just to show I'm not crazy. I'm sure I MUST be reading this wrong. I'll send if you like. (Do you have a preferred public key I should use?)

In the NoScript options window on the "General" tab at the bottom of that, I see "Scripts Globally Allowed (dangerous)" and it's CHECKED on. (So I unchecked it.)

Is there some old setting somewhere that does this just on MY system? Does this not apply somehow?

What don't I understand? Is my OS broke?

December 01, 2013

In reply to arma

I saw this logic earlier. But it doesn't go far enough...though you're certainly right about profiling javascript off.
The trouble is that, as you know, everything is profilable using Naive Bayes and many similar. So website visits have a profile. IP exit points add to that. Absence of TOR exit adds to that. Mouse behavior/timing between clicks add to that. This is the unavoidable nature of modern machine discovery. All of us, whether we use javascript or not, have fuzzily unique profiles.
Unfortunately, this logic surrenders (by default) something huge like javascript execution. You do this to buy the absence of only a single variable!! This is in a large multi-dimensional profiling analysis offered by something as simple as Naive Bayes. You increase the profiling complexity by only 10% (if that) when you leave this front door wide open!
SUGGESTION: Issue a banner warning on the Tor "Congratulations" page that says "JAVASCRIPT IS ON". Then more people will be informed enough to make a truly intelligent decision.

No, you are confused.

It depends how your noscript was configured.

The trouble is that we weren't using noscript for the thing that would have helped in that case. That doesn't mean noscript itself is a waste of time.

There is now a little thing at the bottom of check.torproject.org. It remains for us to make check.tp.o a better page. Also, in TBB 3, that page isn't the homepage anymore.

November 25, 2013

This release of the TBB freezes and occasionally crashes whilst visiting Amazon.

November 25, 2013

The tor browser bundle is flashing an update info that's apparently not available. It's no big deal but probably should be addressed as soon as possible. Your efforts are highly appreciated.

November 28, 2013

NoScript updated itself to 2.6.8.6

Don't recall NS updating itself in previous TBBs.

Everything ok?