Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encourage to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, this release candidate will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

Right click the tab bar, click "Bookmark all tabs", choose a name, "New Identity", then right click the folder, "Open in all tabs". Again, even this is bad for anonymity because it can repeatedly associate the same URLs with a single circuit.

Lots of repeat questions, too, it /is/ (many for which the answers could have been found in no more than a few minutes of reading/searching)

Anonymous

December 15, 2013

Permalink

Hi, when I open Tor 3.5, it links to instructions on setting up a relay. Yet, the instructions tell me how to use Vidalia to do that.

How do I run a non-exit relay without Vidalia? Can I do that?

I've searched around for an answer to this, but have found nothing.

Anonymous

December 15, 2013

Permalink

people, could someone PLEASE explain why is it that TBB3.5 can't access www.trisquel.info

I have tried countless times now!
On the upper hand, this version seems to be working all right, and it's very fast. NoScript and HTTPSEverywhere are working fine, no problems here. Only problem is the fact that I can't access some pages.... LIke trisquel.info =(
Any help??

But I am able to access the website using the older versions of TorBrowserBundle.
I don't want to say that it's impossible to be their fault (they sometimes are a real pain in the ass) but it seems to be also a problem with the new version :S

I think it's a coincidence that you happened to get an exit not on their blacklist while using the older TBB version.

http://ioerror.us/bb2-support-key?key=d453-9712-2b02-1b1f

"Your IP address appeared on the third-party Project Honey Pot list as a source of spam or other malicious activity.

To resolve this problem, first clean your computer of viruses and other malware. Then, click the link below to visit Project Honey Pot and request removal of your IP address."

Trisquel is outsourcing their "who should I refuse to serve my website to" decisions, and it seems they made a poor decision.

If it's not a coincidence, it probably has to do with the fact that the old TBB used an older Tor versions, which may have an impact on which exit nodes Tor chooses. They are probably blocking based on an exit list for the newest version.

Anonymous

December 15, 2013

Permalink

downloading torrents thru tor seem to be dropping out or not connecting lately

Anonymous

December 16, 2013

Permalink

What's the reason for Vidalia in TAILS - no problem ?
Vidalia in Windows - RECENTLY big problem ?

Now TBB 'needs' NO Vidalia, why was it 'necessary' in the past ?
I thinks it's more than necessary if .....somebody aren't trust routes
like US-US/DK/SW-US, SW-RU-US/DK, RU-x-RU, FR-US-FR etc.. arm is not graphical enough for most. Without this Tor users are 'blind'. Desired )-:?

But the big question is: Why no? problem in Tails, Why -recently- not in TBB ?

In TAILS closed Control Port=no NewNym in Torbutton problem is solved ?
Respectively every close Browser-open Browser now DON'T open connection
to check.torproject.org? Would be really nice. Have not test it yet.

"[...]problem is solved?[...]"

lol NO, unfortunately not.
It's really little bit strange TAILS/amnesia is for best near anonymous communication
and in TAILS you cannot use the normal New Nym function of Torbutton.
When you try simulate New Identity in Torbutton you must close Browser,click New Identity in Vidalia and open (new) Browser.
RESULT: Connection to check.torproject.org:443 ........every time i need New Identity
..........can somebody explain why?? :-o
And HARDCORE: there is no normal way to stop this.
If you are no Linux crack and try the normal way like look to about:config,about:support+user.js/prefs.js(extensions.torbutton.versioncheck_enabled:false is nonpersistent after Browser/session close), gksudo in etc-iceweasel;no way.And why you cannot change user.js in SquashFS with gksudo?
Really strange. And annoying.

TBB without Vidalia is another ......funny story.

Anonymous

December 16, 2013

Permalink

When TBB 3.5-RC1 goes stable, what is the suggested course of action for those of us with Tor Browser Bundle v2.3.25-15 set up as bridge relays?
I mean we still want the client (browser) functionality but cannot afford a dedicated IP/server to run a Tor node.
Will we still be able to contribute to the network with Tor Browser Bundle somehow?

By the way, v3.5 is blazingly fast!
Congratulations and thank you all for your ongoing efforts :-D

Anonymous

December 16, 2013

Permalink

The "Cookie Protections" option on the tor browser button no longer seems to list any cookies ever. Though the "Remove All But Protected" button on that dialogue is clickable (even when you've just started and shouldn't yet have any cookies). I've dug through Firefox's settings to search for cookies and can't find any there either, despite extensive browsing which should result in plenty of cookies.

Issue is with tor-browser-linux64-3.5-rc-1_en-US.tar.xz (just in case not all os/lang have the problem)

Anonymous

December 16, 2013

Permalink

This update is not yet reflected on the torproject page. Please update, thank you <3

Anonymous

December 17, 2013

Permalink

This is entirely unrelated but has anyone noticed CloudFlare increasing its blocking of Tor exit nodes recently? It's almost impossible to access any CloudFlare site over Tor without entering in a CAPTCHA now. Fucking hypocritical dumbass web community claiming to be so worried about NSA surveillance while constantly trying to hobble the best tool we have against it.

Anonymous

December 17, 2013

Permalink

I have just download torbrowser-install-3.5-rc-1_en-US.exe and verified using the usual GPG verification methods. No problems with the verification.

However upon double clicking it, it wanted to install itself on my PC. Horror of horrors! I quickly clicked Cancel.

Why can't it just extract its own contents like tor-browser-2.3.25-15_en-US.exe?

As we all know, tor-browser-2.3.25-15_en-US.exe does NOT install on any PC. You just extract its contents and one of those contents is the start tor browser.exe for you to double click in order to launch Tor. I hope Tor developers keep to this method of launching Tor.

We watched many Windows users click on TBB, and select 'open' rather than 'save'. Then everything worked great, but when they wanted to run it a second time, it was nowhere to be found (since they never saved it anywhere).

So for Windows we now have a simple installer that simply unpacks stuff and sticks it into the self-contained directory, just like before. I would hope that it encourages you to "install" it in about the same place it used to go. If not, please help us make that part more obvious for WIndows users!

Anonymous

December 17, 2013

Permalink

It would be nice to include an https-everywhere rule for tor.stackexchange.com, now that that site supports https.

Anonymous

December 18, 2013

Permalink

I wish to thank Tor for setting up tor.stackexchange.com

At present Tails maintains a mailing list of subscribers. The latter ask questions and have their answers delivered via the aforementioned mailing list.

Since Tails is mentioned as one of Tor's projects on Tor's homepage, it would be good if tor.stackexchange.com includes a separate section solely to deal with Tails' users' questions. What I mean is Tails can migrate the mailing list to tor.stackexchange.com

IMHO my suggestion makes for a more efficient and productive way for both Tor and Tails. (Some of Tails' users' questions are basically about Tor and if the Search function on tor.stackexchange.com site is efficient, the users are recommended to search for answers already posted.)

Pooling of both Tor's and Tails' resources is highly recommended.

The Tails folks are welcome to encourage their users to use the tor SE. I agree with you that it's on-topic and would be helpful on both sides.

That said, people also have some reasonable concerns about the privacy policies, logging policies, etc of the SE websites. So I can understand why they hesitate.

I suggest you propose it to the Tails people, which is not the same as adding a comment to a blog post about TBB. :)

Anonymous

December 18, 2013

Permalink

Why is the Tor 3.5 series not easily found on the main Tor website (you have to know the browser directory)? By default they want to serve up Tor BB 2.3 and if you jump a little you can get to Tor BB 2.4 RC1.

Are there any reasons to stay with 2.x series? If 3.x looks stable get it some more attention. If there are reasons give a little matrix on the page explaining when one would want one vs the other.

Anonymous

December 18, 2013

Permalink

Constantly removing functionality is just going to make users stick to old and less secure versions. What is "not safe" or "useless" in your academic discussions may not be so in every context, or the safety risk may be offset by another problem the user needs to solve.

For example, plenty of exit nodes ironically originate from countries that block certain websites. If I want to visit one of these websites and Tor happens to pick a circuit with an exit node that blocks it, then in this new TBB my choices are to wait ten minutes or to erase my entire browser session.

This is just one example of Tor becoming less useful over time, a process which started with the release of the original browser bundle and has continued since. Casual users who want to visit the "deep web" once to see if there are really secret alien drug dealing child porn stars and the mythical Syrian rebels who only use Tor once a month when they get injured on the battlefield are being promoted over habitual users who want to preserve their privacy consistently and aren't afraid to learn a bit about how Tor works. You're consistently pissing off the exact audience that knows Tor, might like to contribute to it, and will defend it from threats.

This new Tor Launcher is frankly uglier and less inviting than Vidalia too for any type of user. I don't understand why a superior program was replaced with an inferior version.

Things that really need to be changed:

1. Let users restart Firefox (after it has crashed) without reconnecting to the Tor network. Firefox will always be buggy so this is completely necessary. This was easy to do before Tor Browser was made to exit if not started from the main bundle executable.

2. Give us Vidalia back or an adequate substitute. Using Tor in practice is a frustrating gauntlet of IP blocks, CAPTCHAs, CloudFlare error pages, and exit node censorship. A little circuit control eases the pain. It would be even better if we could have .exit back and if users could pick the circuit their next connection would run through.

3. If you're not going to make it easier to run multiple copies of TBB on the same computer then at least quit making it harder. I could change the ports on the old one but this one just won't play nicely.

These would be small steps toward restoring the large amount of functionality that has been slowly stripped from Tor and TBB over time. Please consider wrapping warnings around features you think are dangerous instead of just outright yanking them. It makes TBB jarring to use. I am a BTC early adopter and would probably donate a good amount to Tor but not with the way it's been going.

Sorry for the rough edges. I used to agree with you about using my own browser, until I read https://www.torproject.org/projects/torbrowser/design/ and https://www.torproject.org/torbutton/en/design/ and then read some of the NSA's leaked slides, e.g. see my quotes in http://arstechnica.com/security/2013/10/how-the-nsa-might-use-hotmail-o…

Now I am a strict TBB fan. :)

1) If your Tor Browser crashes, restart it. It shouldn't be much extra effort for its Tor to reconnect.

2) Here's the Vidalia workaround: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

You can get .exit back by setting "AllowDotExit 1" in your torrc. But take note of the sentence in the man page, "Disabled by default since attacking websites and exit relays can use it to manipulate your path selection."

3) https://trac.torproject.org/projects/tor/ticket/10439

Hope that helps!

Anonymous

December 18, 2013

Permalink

what about different online games, videos and a lot of what things that 'really push it to the limits?' Previously its said additional plugins needed to peform 60% of things i have done. It turns into some issue again or endlessly usually. It is like the whole thing... just running in circles.

Anonymous

December 18, 2013

Permalink

The connection has timed out

The server at check.torproject.org is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few
moments.
If you are unable to load any pages, check your computer's network
connection.
If your computer or network is protected by a firewall or proxy, make sure
that TorBrowser is permitted to access the Web.

Do you have same problem?

Anonymous

December 18, 2013

Permalink

I haven't used 3.5.x yet, but I think dumping Vidalia is a mistake, unless it's functionality has been replaced elsewhere else in the package, which it sounds like it hasn't.

It's important to have visual access of what's going on with this kind of software and it's a good thing to see a list of nodes and countries so people can make decisions about whether to use a particular exit node if they have to. The more the end user can see about how Tor is working the better.

Also it was useful sometimes to create a New Identity with Vidalia rather than the FF Tor button, as it kept cookies etc (Useful if you wanted to keep your session, but the connection was horrible that time)

Editing torcc files is a giant leap backwards and just effectively makes the information invisible.

Also disagree with dumping the Torcheck page. Again, what you're doing there sacrificing assurances and feedback that the software is working to the user for sake of your own convenience.

Don't wish to be nitpicking but sometimes people involved with the FOSS movement don't have a great sense about usability and about software giving the user feedback, satisfaction and trust. And this isn't GIMP or something, but a really important piece of software where it is vital that the user can see and feel that the software is working in a way that suits the user, and what small changes can be tweaked, can be tweaked from within an accessible GUI.

Agreed totally. All of these 'improvements' might have seemed like improvements to the TOR makers themselves, but if they would have discussed with users, they would have found that getting rid of portions of these things is a heap big bad idea.

For the Vidalia workaround, see
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

I'm really pleased to get rid of the Tor Check bottleneck,

a) because when the website got overloaded all our users freaked out,

b) because it sometimes gives false positives:
http://tor.stackexchange.com/questions/190/why-does-check-torproject-or…

c) because using a remote website actually allows some cool subtle attacks where a local network adversary can trick you:
https://lists.torproject.org/pipermail/tor-talk/2013-November/031225.ht…

and d) because loading a local homepage makes startup a lot faster (and makes it feel a lot faster too, since otherwise you're racing the Tor directory bootstrapping connections with your check.tp.o connection, so performance is even worse than it will be once you're done bootstrapping).

(The Tor Check page is still there. It's even linked from the new about:tor page. Feel free to use it.)

"And this isn't GIMP or something, but a really important piece of software"

Oh, so GIMP is just chopped liver to you?

What about all the people who depend upon the functions that GIMP provides?

Anonymous

December 18, 2013

Permalink

Disappointed that the TOR Browser 3.5 does not include Vidalia nor an easy way to run Vidalia with it. I have to blacklist NUMEROUS TOR nodes because they are doing filtering of perfectly legal stuff in my country that is banned/blocked overseas (though is controversial enough in my country that I want to obfuscate that I am accessing it) that I need something like Vidalia to control nodes.