Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encourage to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, this release candidate will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

Same here. I thought about doing it in about:config but yet again I have no clue which of that should I disable. I think it's a bad move to remove the "disable java script" option from the settings. Why you do this?

Anonymous

December 18, 2013

Permalink

It's quite disappointing to see the developers have made it so hard for the average Joe to run a relay or an exit relay. I see there are different packages available with Vidalia for people who want to run a bridge or relay but there's no browser included in those packages and if you want the browser, there's no easy way to run a relay.

This will effectively reduce the number of available relays for the community and slows the growth of the community as a whole.

I'm slightly above the average Joe and have replaced the torrc file with my old torrc and I think I'm running an exit relay as before but still, I have no confirmation as to whether it's working or not. If I'm having trouble figuring it all out, I can't even imagine what the average Joe will have to go through in order to contribute to the community and not just be a user.

I agree, that's a start, but I also have to say nothing beats a single application that upon running would pop up and ask the user: "Would you like to help the community by becoming a relay? Yes / No ".

Perhaps you can bundle both together in one downloadable file and if the user says Yes to the question, Then the Vidalia relay bundle would start after TBB. If the answer is No, then the relay portion wouldn't run at all.

It would be nice if we strove to achieve that level of ease.

Thanks for listening.

When you open a FTP connection, sometimes you are fortunate enough to have your exit router handle both connections, but sometimes you are not so fortunate, then you need to use Vidalia to weed out some circuits in real time so both connections use the same exit router in order to complete the transfer.
Of course I'm willing to admit I'm an idiot and I might be wrong.

Anonymous

December 19, 2013

Permalink

I'd like to echo many of the negative sentiments expressed here about the removal of vidalia, the loss of control of some pretty important features and what seems to be a serious hobbling of functionality/usability ostensibly to help insulate inexperienced users from themselves. But if protecting the inexperienced user is the goal, why was the "Disable Javascript" box completely removed and NoScript set to default with "Allow Scripts Globally (dangerous)"? It seems irresponsible or counter-intuitive if you attempt to protect the user by removing features yet leave a vital security door wide open for them.

Anonymous

December 19, 2013

Permalink

I cannot locate the option to disable JAVA anymore...not available in prefs...

Anonymous

December 19, 2013

Permalink

I concur with ALL of the complaints and concerns about 3.5. I tried it myself and is VERY disappointed.

Removing Vidalia was a MISTAKE. It gave us better functionality, control, and improved peace of mind with it. Explain how people can trust the TBB without it? These changes are only going to discourage many Tor users and ultimately lose a lot of supporters in the process if they don't correct these MISTAKES called "improvements."

Until they restore the TBB to it's former functionality or place some acceptable substitute similar to Vidalia, I will NOT use TBB any longer nor encourage new users. I'll be looking into other anonymous browsing alternatives in the meantime.

Hope you're happy developers.

Anonymous

December 19, 2013

Permalink

I' running Win 7 x64 and have downloaded the new TBB this morning (20 December 2013). I installed it and tried running it, which went really well up till the moment when I changed my history settings and needed to restart the browser. It didn't. Then I tried running it as administrator, and it asked whether I'd like it to run in safe mode or make it try to restore however much it could. It didn't restore all my setting either way, and encountered the same problems when I tried to restart it again.
And syncing it with my other browser was agonising.

So, in a nutshell: either I'm doing something wrong or this version of TBB has some serious problems with restarting.

Anonymous

December 20, 2013

Permalink

I've now used TBB 3.5 without any visible issues. My only concern is that there appears to be no facility to disable Javascript as and when required.

Can someone please help a clueless non-techie?

Tia

Anonymous

December 20, 2013

Permalink

Why in the world would you make such drastic changes? This version is absolutely useless to me. Perhaps that was the idea. Infiltrate the project and make it less useful.

A lot of the changes you're seeing are the underlying changes from Firefox 17 to Firefox 24 (and the changes we needed to make for the transition). But yes, it sure is still rough around the edges. Please help!

Because we're following the ESR (Extended Support Release) branch. FF17 was the last ESR, FF24 is the current one, and I guess FF31 will be the next.

http://www.mozilla.org/en-US/firefox/organizations/

The reason to choose the ESRs is because every new Firefox release ships surprising new privacy-invasive features that Mike has to fix:
https://gitweb.torproject.org/torbrowser.git/tree/HEAD:/src/current-pat…

https://trac.torproject.org/projects/tor/query?status=accepted&status=a…

By the time he's dealt with some of them there's already a new release out.

Anonymous

December 21, 2013

Permalink

all of my folders have the correct dates, but the individual files are dated 1999

Anonymous

December 21, 2013

Permalink

Why are the 'date stamps' for ALL the files and folders in the linux TBB 3.5_en-US.tar.xz set to the year 2001 ?

And what is the weirs grey screen that pops up initially ?

Anonymous

December 21, 2013

Permalink

I'm rather confused... I have been downloading files as directed by torbrowser when it tells me of a new security upgrade named in ascending sequence in the format of :
tor-browser-gnu-linux-i686-2.4.18-rc-1-dev-en-US.tar.gz
for many, many months now.

All of a sudden, there is this new format of ".tar.xz" with all files and folders dated back in the year 01/01/2001 !
named:
tor-browser-linux32-3.5_en-US.tar.xz
which is a very different version number to the ones I have been downing for months named like:
tor-browser-gnu-linux-i686-2.4.18-rc-1-dev-en-US.tar.gz (as mentioned above)

So, it like, have we gone from V2.4.18 straight to V3.5 ?
Is that right ?, is this legit ?, it all seems wrong, never experienced such confusion at face value from the torproject until now....

Whats more, there is a file named tor-0.2.4.19.tar.gz available for download that confuses me, although I suspect it is the stand alone tor without the firefox etc ?

Yep, it's right.

For why the date is so long in the past, that's part of the deterministic build process, so all the builders can produce exactly the same bundle:
https://blog.torproject.org/blog/deterministic-builds-part-two-technica…

For why the jump from 2.4.x to 3.5, you can see the history of Tor Browser Bundle 3.x at https://blog.torproject.org/category/tags/tbb-30 (all the way back to TBB 3.0alpha1 released in June).

The tor-0.2.4.19.tar.gz file is the source tarball for the Tor 0.2.4.19 release:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031392.ht…
It's mostly used by packagers when building various bundles that include Tor, rather than by normal end-users.

Anonymous

December 22, 2013

Permalink

I downloaded the new tor bundle (3.5) and after I install it and click to open tor nothing happens. the task manager logs that there is a tor process running, however, the connection screen and the browser do not appear. I've tried deleting and reinstalling 4 times now and nothing has worked.

Anonymous

December 22, 2013

Permalink

i have error too on kali linux , previous release work like charm , even as root >>>>>>>> now recieving error as starting as root or user

Oh, also, beside from the root issue, I don't think I'd run anything like TBB from "Kali Linux", except for strictly experimental, NON-CRITICAL usage.

Anonymous

December 22, 2013

Permalink

Is there a guide anywhere on the internet to updating TBB *by only updating the parts that have actually changed*? E.g. "replace the Tor with such-and-such a version, replace the ESR with so-and-so ESR and then change this list of files, alter these prefs etc". There are customisations that can be done to the browser that I really like and that don't affect anonymity and I just refuse to keep having to do these over and over again from scratch with a totally new bundle that sends me back to square one every time. Logic suggests only the parts that have changed need to be changed, but it is very onerous and time consuming to try to work this out for myself and my concern is it taking dozens of hours if I were to try to do it, hence my desire for a how-to of some sort.

If you want to attempt such a feat, you would be completely at your own risk-- and considerable risk at that. Other than for purely experimental/hobby purposes, I'd leave such tinkering to the experts.