Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encouraged to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, it will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213: Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)
PETER

December 13, 2013


Not a good idea to deprecate the older TOR Bundle versions. Numerous of us NEED Vidalia and its functionalities to ban various nodes that run 'filtering' software and therefore keep us from getting to perfectly legal content in our country of origin.

You don't need Vidalia for excluding relays. That's done with Tor. You can edit the torrc in tbb3 as easily as you can edit it in tbb2. (I'll grant you that Vidalia has a somewhat graphical way to edit the torrc file, but it's mostly broken and has been no end of headache for us.)

As for whether it's a good idea to deprecate the older bundles, we're working hard to keep up with Firefox versions as they change, and we don't have the cycles to keep that many different bundles going. Perhaps somebody else wants to maintain them?

Seems like the better answer is for somebody to write up some instructions on how to attach your Vidalia binary to your TBB3.5 Tor.

PETER

December 13, 2013


Hello.
I have been having a problem with running the new 3.5 browser bundle. First time I used it, it connected to the network, but I noticed that I couldn't access some websites (getting a 403 error) and one example was www.trisquel.info.
No matter how many times I would use torbutton's new identity option, it would always give me the same results. Using the 3.0 browser all worked ok. I decided to delete the folder of 3.5 and use a new extract. Now I can't get the browser to load anymore. It always gets stuck in the "loading relays" part.
So... any chance you guys know what is going on??
I know this sounds weird, but it's the truth =/

PETER

December 13, 2013


TBB 2.x - features of 2nd generation of Tor application environment, TBB 3.0 - features of 3rd generation based on Firefox 17esr, 3.5 - features of 3rd gen based on Firefox 24esr and (maybe) Firefox 31esr. Hope I understand the version naming logic right.

What do you mean by repositories?

It's on archive.torproject.org right now because it's so big (with all the translated versions) and we haven't set up our main website to be able to handle so many big files. Eventually (when it replaces TBB 2.x), I hope it'll be in a more traditional place.

If you mean "debian repositories", see the various trac tickets on the topic, e.g.
https://trac.torproject.org/projects/tor/ticket/3994

In the documentation you provide instructions on how to install Tor on Debian/Ubuntu:
https://www.torproject.org/docs/debian.html.en#ubuntu

The repo is:
deb http://deb.torproject.org/torproject.org (DISTRIBUTION) main

It would be a nice way to distribute and update TBB via your own repositories - easy and fast updates, and package signatures are checked automatically. I asked about Debian repos under your last blog post and concluded that only Debian Stable has up-to-date security updates. They only recently (2-3 days ago) updated Iceweasel from 17.0.9 to 17.0.10 in Testing branch. Firefox is today the main vector of attack for most exploits and keeping it updated is crucial. Unfortunately this is not possible in Debian Testing, so your own repository would help (of course if you have resources).

Is it just me, that isn't able to verify 'sha256sums.txt',....

Follow these steps:

1. Import Mike Perry's keyfile whose fingerprint is C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC

(In one of Tor's web pages, it is stated that Mike Perry is responsible for signing TBB 3.x series)

2. Surf to https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/ and download the following files: sha256sums.txt, sha256sums.txt.asc and sha256sums.txt.mp-asc

Do not forget to download the TBB corresponding to your OS.

3. Verify sha256sums.txt.mp-asc against sha256sums.txt

PETER

December 14, 2013


Downloading TBB 3.5 rc1, I have to notice that the PDF.JS addon is still missing. What a pity! Will it come back one day?

https://blog.torproject.org/blog/tor-browser-bundle-30rc1-released says
"Unfortunately, we have decided to remove the PDF.JS addon from this bundle, as the version available for Firefox 17 has stopped receiving updates. Built-in PDF support should return when we transition to Firefox 24 in the coming weeks."

See also https://trac.torproject.org/projects/tor/ticket/7501

It seems that TBB 3.5 rc1 already includes PDF.js, but whether a given PDF is displayed in-browser by PDF.js or whether Torbrowser displays the download/open-with-external-program dialog seems to depend on the HTTP headers sent by the server; e.g. if there is a "Content-Disposition: attachment" header, then Torbrowser won't display it with PDF.js.

PETER

December 14, 2013


Torbrowser 3.5 is still unable to access some websites (apparently something to do with project honeypot, as it directs to that website).
Any idea why?

Most likely this is a case of certain websites treating Tor exit relays specially. That's a problem with the Tor network, but not a problem with TBB 3.5 in particular (i.e. it would be a problem with earlier TBB's too).

PETER

December 14, 2013


Thanks Tor and Tails developers for your hard work, but.....

Does Tails 0.22 contain the updates as described in the changelog of Tor Browser Bundle 3.5rc1?

If it does not, I would strongly recommend users of Tails 0.22 to switch to the stable release of TBB 3.5 when the latter is available for download later this month.

P.S.: I just wish that there is more co-ordination and co-operation among Tor and Tails developers. I am currently using Tails 0.22 but will switch to TBB 3.5 (stable) as I suppose the latter contains the latest bug fixes and better anonymizing components.

Tails 0.22 contains the development state TBB 3.5 RC was in a few days before the Tails release 11 December. The Tails developers were communicating with Mike Perry (TBB developer) to coordinate the migration, see tails-dev mailing list archives.

As for you in Tails switching to TBB 3.5 FINAL when it is released, I would recommend against doing so unless a critical security issue is found in the version in Tails. Tails doesn't use TBB as is, and if you try to run vanilla TBB in Tails, this may accidentally disable some of Tails' anonymity/security features without you noticing.

I would recommend against doing so unless a critical security issue is found in the version in Tails.........

Thank you for taking the time to clarify my doubt.

PETER

December 14, 2013


How do I make it use a new identity without it also getting rid of everything I'm looking at? The trayicon used to let me do that but it appears to be missing.

PETER

December 16, 2013

In reply to by arma


So I'll just have to keep using an older version and hope javascript being disabled is enough.

But what is the exact security problem with not throwing everything away? Is it only a problem if javascript is enabled (which of course it shouldn't be)?

Agree that this was not a step forward.

Suggestions on using telnet to connect didn't help me (tried connecting to the control port, tried fiddling with the config file, no use, all that happened was the damn thing closed the connection as soon as I tried to type anything), and I didn't run across the suggestion to use Vidalia.

My suggestion would be to simply 'fix' the 'New Identity' button in TorButton to work the way people who actually use it think it should work. Pretty simple.

  • Go to the 'Data\Browser\profile.default\extensions' directory.

  • Rename 'torbutton@torproject.org.xpi' to 'torbutton@torproject.org.zip'.

  • Unzip this file in the extensions directory. Using the file name as the directory name might be necessary for this to work. Your zip program will probably do this automatically.

  • Go to the 'torbutton@torproject.org\chrome\content' directory.

  • Open the 'torbutton.js' file, and search for 'function torbutton_do_new_identity()'. A '{' follows this text. Add the text '/*' after the '{'.

  • Search for 'torbutton_log(3, "New Identity: Sending NEWNYM");'. Add the text '*/' just prior to this text.

  • Search for 'torbutton_log(3, "Ending any remaining private browsing sessions.");'. Add the text '/*' just prior to this text.

  • A little bit further on in the file there will be the text '// Close the current window for added safety' then 'window.close();' Add the text '*/' just after 'window.close();'.

  • Save the file and launch the TBB. You're done.

I would suggest using Notepad++ rather than Windows Notepad for this, as it makes it a lot easier to see what you're doing.. but even without using Notepad++ it's just a couple minutes work all up.

That sounds a lot more difficult than setting "ControlPort 9051" in torrc and running

#!/bin/bash
(echo authenticate '""'; echo signal newnym; echo quit) > /dev/tcp/localhost/9051

But whatever works for you, go with it :)
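
The same control-port exchange with Tor's replies read back and checked, which the one-liner above does not do. This is an added example, not part of the original comment or Tor's own code; it assumes ControlPort 9051 with an empty password as in the comment and a password that needs no escaping, and fake_control_port is a constructed stand-in so the block runs without Tor.

```python
import socket
import threading

def send_newnym(host="127.0.0.1", port=9051, password="", timeout=5.0):
    """Authenticate, send SIGNAL NEWNYM and QUIT; return Tor's reply lines."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as rfile:
        # AUTHENTICATE has to come first; each command gets one reply line here.
        for command in ('AUTHENTICATE "%s"' % password, "SIGNAL NEWNYM", "QUIT"):
            sock.sendall(command.encode("ascii") + b"\r\n")
            reply = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            if not reply.startswith("250"):
                # An empty reply means the connection was closed without an answer.
                verb = command.split()[0]
                raise RuntimeError("%s failed: %r" % (verb, reply))
            replies.append(reply)
    return replies

def fake_control_port(accept_auth=True):
    """Constructed stand-in for a control port, so the example runs offline."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn, conn.makefile("rb") as rfile:
            for line in rfile:
                verb = line.split()[0].upper() if line.strip() else b""
                if verb == b"AUTHENTICATE" and not accept_auth:
                    conn.sendall(b"515 Bad authentication\r\n")
                    return
                if verb == b"QUIT":
                    conn.sendall(b"250 closing connection\r\n")
                    return
                conn.sendall(b"250 OK\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(send_newnym(port=fake_control_port()))
```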

PETER

December 14, 2013


sha256sums.txt signed with key 0x1E8BF34923291265... Is this a new signing key?

$ gpg --verify sha256sums.txt.asc
gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
gpg: assuming signed data in `sha256sums.txt'
gpg: Signature made Thu 12 Dec 2013 03:10:16 PM UTC
gpg: using RSA key 0x1E8BF34923291265
gpg: Can't check signature: public key not found

Follow these steps:

1. Import Mike Perry's keyfile whose fingerprint is C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC

(In one of Tor's web pages, it is stated that Mike Perry is responsible for signing TBB 3.x series)

2. Surf to https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/ and download the following files: sha256sums.txt, sha256sums.txt.asc and sha256sums.txt.mp-asc

Do not forget to download the TBB corresponding to your OS.

3. Verify sha256sums.txt.mp-asc against sha256sums.txt
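
The steps above (posted twice in this thread) end at the signature check; the downloaded bundle still has to be hashed and compared with the signed list, and the signature has to come from the expected key rather than from any key in the keyring. This is an added example, not part of the original comment or the Tor Project's tooling: it assumes gpg is on the PATH with the key already imported and that sha256sums.txt uses the usual "digest  filename" layout of sha256sum; the function names are illustrative.

```python
import hashlib
import hmac
import subprocess

# Fingerprint quoted in the steps above, with the spaces removed.
EXPECTED_FPR = "C963C21D63564E2B10BB335B29846B3C683686CC"

def signed_by(status_text, expected_fpr=EXPECTED_FPR):
    """True if gpg status output reports a valid signature from expected_fpr."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # parts[2] is the signing (sub)key, the last field the primary key.
            if expected_fpr.upper() in (parts[2].upper(), parts[-1].upper()):
                return True
    return False

def gpg_status(sig_path, data_path):
    """Check a detached signature; return gpg's status lines ('' on failure)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.stdout if proc.returncode == 0 else ""

def listed_digest(sums_text, filename):
    """Return the SHA-256 listed for filename in sha256sums.txt, or None."""
    for line in sums_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].strip().lstrip("*") == filename:
            return fields[0].lower()
    return None

def file_matches(sums_text, path, filename):
    """Hash the downloaded file and compare it with the listed digest."""
    want = listed_digest(sums_text, filename)
    if want is None:
        return False
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), want)

def verify_bundle(sums_path, sig_path, bundle_path, filename):
    """Signature on the list first, then the bundle's hash against the list."""
    if not signed_by(gpg_status(sig_path, sums_path)):
        return False
    with open(sums_path, encoding="utf-8") as fh:
        return file_matches(fh.read(), bundle_path, filename)
```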

PETER

December 14, 2013

torbrowser-install-3.5-rc-1_en-US.exe

Why is this called a bundle when Vidalia is not included in the package?

To: arma or any Tor developer

You wrote: Because there's a browser and a tor. That in essence is what a Tor Browser Bundle is

My question: There's no Vidalia in TBB 3.5rc1. So how do I change to a new identity?

Click on the green onion in your TBB's taskbar, and select 'new identity'.

Be careful though, since it will close your current tabs -- that's part of how it keeps you safe, but it's also surprising the first time it happens.