Tor Browser Bundle 3.5 is released

by mikeperry | December 19, 2013

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy

Comments

Please note that the comment area below has been archived.

Well, linux binary should work fine with new enough glibc and glib/gtk. Here's a port against CentOS 6 libs. One important difference with stock TBB is it stores mutable Data (firefox profile, tor cache/settings) under /tmp by default while everything else is installed under read-only directory. The data is, of course, removed upon port deinstall.

https://trillian.chruetertee.ch/freebsd-gecko/browser/trunk/www/linux-t…

You should be more concerned at why Mike Perry (we all know who he works for and runs 16 TOR exit nodes for) has taken away the ability to see who you are connected to. Don't forget that UK GCHQ run their own private TOR network that sucks in traffic to analyse it.
(Newtons Cradle it is known as). Take away the ability to see what a person is connected to, switch on JAVA and SCRIPTS by default and you fall straight in to the hands of GCHQ and NSA.
No doubt they have some new exploits and needed the help of Mike Perry again. He helped them last time when Freedom Hosting was attacked. He made sure NSA could infect people by not enabling ScriptBlock and by switching JAVA on ready. Most users trusted the TOR project.
I suspect that the TOR Project are now assisting the NSA and GCHQ. They have been forced to - otherwise TOR traffic will be stopped. It is a great shame they are not honest with their users who fund them (apart from NSA sponsorship).

I guess there will always be people with conspiracy theories trying to rip the privacy community apart.

And the sad part is that there *are* conspiracies out there, and we all need help fighting them and providing tools to let people stay safe despite the massive government (and heck, corporate too) surveillance.

(To briefly respond: Mike doesn't run 16 exits, see https://www.torproject.org/docs/faq#TBBJavaScriptEnabled which I wrote (not Mike), and see the FAQ entries linked above for how to hook up a standalone Vidalia to your TBB 3.5 if you want to see your circuits, and for how to disable JavaScript in TBB 3.5.)

December 27, 2013

In reply to arma

Permalink

Well... yes, as long as there are MASSIVE numbers of docs like Snowden released, there will be "theorists." If it's actually happened / still happening, is it still just a "theory?"

The other thing that gives a great # of "experts" pause, is Tor Project's LONG standing relationship w/ U.S. armed forces. Taking large sums from them. Sure, many say, "But it's open source & anyone, anywhere can examine it."

That's absolutely true. It's also true (for human nature), that the adages are true, "Perception is reality," & "You're judged by the company you keep." People running for public office don't pal around w/ known crime bosses.

From "thinking" private users' perspective of anonymity & security , it has & always will be a stupid, stupid idea to take large sums from "one of the enemy." It MAY be that funding from other sources is hard to find, but it's still STUPID.

No one can really expect NOT to raise suspicion when organizations take large sums from (one of) the very groups that it's trying to help users avoid.

It's also true that every time we find out some new gov't (or private) agency's previously unimaginable capability, we're surprised! Why? Are we really that short on memory? I guess so.

I totally agree with you about the perception thing, and that's why we need to be extra sure to be transparent and communicate well. Also, I'd love to get some more funding so we can make our government funding sources a smaller fraction of our budget. Along those lines, also see my statements in our 30c3 talk today (video coming soon if it's not out already):
http://events.ccc.de/congress/2013/Fahrplan/events/5423.html

But let me draw a distinction between your quite reasonable (and reasonably presented) concern, and the ad hominem rant of the earlier post.

December 31, 2013

In reply to arma

Permalink

oh noes, "snowden" is part of the conspiracy.
"MASSIVE numbers of docs"

oh noes, Anonymous is part of the conspiracy.

oh noes, "I" am part of the conspiracy.

January 01, 2014

In reply to arma

Permalink

Block javascript off by default and turn "Temporarily allow" on by default and we can talk.

I don't know what you guys are thinking, but nobody who uses Tor wants to load Google analytics javascript by default, or all the other billion javascripts by default for that matter, this should be a no brainer.

January 02, 2014

In reply to arma

Permalink

Dude, exactly why do you believe the Tor staff is above reproach? Why do you have this savior mentality regarding the Tor staff?

You think they can't be bought? You think government isn't interested in buying them? You can see what government has been doing.

Do you honestly believe that they have not already tried to find ways of cracking the anonymity of such a wide-spread and popular anonymous network of internet users?

My point is, you sitting here bashing people as conspiracy nuts for simply stating their concerns and opinions regarding the integrity of an anonymous internet network makes you sound like you have a stake in people simply dismissing him as a conspiracy nut.

You have a reason to say what you say, then state it. You continue to resort to bashing those you don't want people to agree with, and you become the person suspected of lying. Well, I suppose to anyone who's liberal, the bashing thing works rather well, but still, anyone serious about anonymity, you need to give the respect they deserve and don't be bashing people. You need to give reason to refute their claims, not simply call them a conspiracy nut. It's easy to label someone, and rather childish in the face of something as serious as government's overreaching eyes. Give reason or just shut your mouth because you obviously have nothing real to say.

How can we verify *you* are not bought. At some point paranoia must take a break, and we must trust someone. Otherwise we're forever trapped in full-time paranoia.

Tor is trustworthy because it's Free Software - where many people looks carefully at how it works. I trust this web-of-trust.

I used to defend the tor proejct but frankly this release is a bit questionable. they offer the ARM package and even support it on the home page but to actually run it with TBB is "unsupported" by the project. Once again taking JS lightly, etc etc. I think i'll donate bandwidth to Hyperboria instead :(

If somebody wrote up instructions for hooking up arm to TBB, then people could do it. I bet it would be pretty easy -- the main issue would probably be changing the controlport, and making sure that arm knows how to do cookie authentication for the controlport.

Maybe the small changes would be made even easier by making a 'standalone arm' bundle or something like the standalone VIdalia bundle? Or maybe people who want to use arm are willing to edit text files? I'm not sure.

Shouldn't we be more concerned that he creates the Tor Browser? Also he is responsible for the path bias. And shouldn't we blame the developers of Firefox that created the security hole in the first place. They probably got paid by Google and they got paid by the NSA (National Security[?] Agency) or the NASA (North American Spy Agency).

Please let us hear even more entertaining conspiracy theories. (Well, you better don't)

I was unaware that the Tor Browser ships with Java and that Java would also be enabled, but you might have an answer on how that can happen.

Beside that you still can add Vidalia back to the Tor Browser, even though Vidalia is a bit buggy.

Instead of ranting, improve the Tor settings.
Go to www.ip-check.info, check your settings and see your exit relay. After changing a few settings I get two orange markings that are "http session" and "window size" the rest is green - as private as it gets with Tor.
If you know a different or better website to check, please add it.

Yes, FreeBSD should be supported. I run it on notebook after it was found that Linux has its random number generator backdoored (fixed in kernel 3.13). NSA is more productive that i ever expected.

I bet it will run on KfreeBSD, with experimental in your sources list, with apt-get build-dep tor, then apt-get -b source tor, then dpkg -i *.deb

December 19, 2013

Permalink

Anyone can make PageInfo-Security GUI window in Torbrowser/Firefox more informative?Exact used crypto alrorithm.Like in Seamonkey -Mozilla,too.
Firefox/torbrowser GUI is going more and more the Microsoft 'dont use your brain'Mickey Mouse way.
Mozilla Company seems to have to much money.........

December 19, 2013

Permalink

I am having a hard time figuring out how to dictate what exit nodes to use in this new version (the mac one specifically). Vidalia had previously been helpful in not only locating the server names for specific countries and the supposed strength of the signals, but also in implementing those strict exit nodes. Will there be directions available soon to solve this issue?

Going through the comments on this and other blog entries, I'm noticing a lack of answers to questions the above type of problem. Under the FAQ for 3.5, it states that one can access the torrc file via: "the TBB directory under Data/Tor/Torrc". Unfortunately (unless these are hidden files), such a path cannot be found for the MacOS version, which I would've thought to have been: MacintoshHD/Library/ApplicationSupport under which one would find a directory for TBB.

Should I assume the lack of an application support folder is due to the absence of a standard installation process? This seems to be supported by the fact that the only searchable trace of TBB is the unzipped application. This then still makes the editable torrc file essentially non existent on a MacOS.

Even if the torrc file can indeed be accessed, the navigation of the new online replacement for Vidalia's "View the Network", Atlas, is not quite helpful either. Will there be a function to search by country code and not just name of specific servers? The problem seems to be when one needs to exit through a specific country: if your current exit nodes don't correspond to the correct country, or the ones you have accessed are down or working at minimum efficiency, there is no clear way to research new nodes with the right specifications.

Will someone from TorProject please lend some insight to the issue?

You are right that helping people select their exit country isn't high on our (already overly long) priority list. Maybe you want to help make it easier or make some better documentation for folks who want it? Thanks!

December 21, 2013

In reply to arma

Permalink

Please can we not litter OS X with billions of trace files all over the system. Please keep ALL TBB contained to /Applications/TorBrowser_en-US/. Lets not go back to the old days of data all over the place in /var /private /etc and so on.

OS X already came out the worst in a study of any system in leaving traces of Tor:

Can we keep torrc files within the bundle:

/Applications/TorBrowser_en-US/

Sounds great. Make it happen! This is a community with plenty of room for more people to make things happen. If you're thinking of this as "those Tor people who make and support Tor" and "us users who just use it", you're looking at it wrong.

See https://blog.torproject.org/blog/tor-browser-bundle-35-released#comment… for more thoughts.

[Edit: arm -i 9151 will do it]

December 31, 2013

In reply to arma

Permalink

Last I checked, tinkering with exit node selection was explicitly warned against.

December 19, 2013

Permalink

I can't seem to find the 64-bit versions for OSX and Windows... but neither were they in the set of files for rc1. I can understand if building them takes time, and they might show up later. Or is the policy to not make them anymore (though I could not find anything indicating that - what did I miss)? If so, what is recommended for users of 64-bit systems? Stick with 2.4, or run the 32bit version 3?

You should run the 32-bit version of 3.5 for now. I've been doing some work on 64-bit Windows, and I am confident we will begin doing 64-bit OSX bundles again, but I can't give you a timeframe.

December 19, 2013

In reply to erinn

Permalink

ok cool! that is a great news. Thanks for all the good work you guys are doing!! It is important in you don't know how many ways.

December 19, 2013

Permalink

I'm frustrated about what's happened to Vidalia. I find it useful and informative and I certainly don't want to be without it. Tor Launcher refused to let me start Firefox at all until I let it connect to Tor, which I didn't want to do because (1) I wanted to examine it more before letting it connect, and (2) I use Tor separately of Firefox and didn't need Tor Launcher trying to start a second copy. So I deleted Tor Launcher from Firefox and downloaded Vidalia and found the standalone Vidalia bundle is missing libgcc_s_dw2-1.dll and mingwm10.dll, so it doesn't run at all. I had to get those DLLs from an older TBB. It does work fine now though.

In terms of startup times, the only reason Vidalia is slow is because in the GUI it redraws the list of nodes for every node it adds to it (O(n²) complexity!). If it added all the nodes and then redrew it once it would start more quickly and wouldn't periodically stall single-CPU systems every time it decides to refresh the list in the background.

Don't get me wrong: I'm really ever so grateful for Tor, but some things could use improvement.

Well, you could, but he was really just a friendly fellow helping out while Vidalia was unmaintained.

You could as well say that somebody should tell Matt Edman (the original Vidalia author) about it. Alas, he too has long since decided that maintaining a Qt app was no fun. Vidalia has been unmaintained for years now.

Perhaps you (yes, you) want to pick it up? :)

Glad you got it working.

Re startup times, the other big change in TBB 3.5 is that the homepage is a local file (about:tor), so 1) it comes up immediately, and 2) loading the homepage isn't racing the rest of your directory bootstrap info to use the network at the same time (making Tor seem even slower than it will be once the bootstrapping is finished).

We can do this change because Tor launcher does its own version check in the background, so we no longer need to send users to an external website (which is a bad idea for other reasons).

I installed V3.5 a few days ago, and it worked fine until today. Beginning today it brings up the start page, then tells me, "Firefox is configured to use a proxy server that is refusing connections." Without Vidalia we have no tools at all to evaluate something like this.

For the record, I turned off Windows firewall and checked to make sure the Tor Browser was still configured to use the socks 5 proxy on port 9150. It is. I shut down Tor Browser and started up a regular copy of Firefox and everything was working fine.

I can't say that having Vidalia would have allowed me to easily find and fix the problem, but I would have had some idea of what had been going on during the bootup, and I would have had to log to refer to. Was the Tor network down Saturday evening?

Something else I noticed is that a misspelled URL will launch TB off to a search engine. I haven't found a way to disable this behavior.

And yet another question is why the new TBB comes configured to automatically check for search engine updates. It also places a search engine textbox next to the URL bar. I would think that it would be better to disable address line searches. I know that at least google says they don't use those for tracking people, but they certainly could if they wanted to. I always customize those away.

Thanks for an overall great product!

Jerry

"a misspelled URL will launch TB off to a search engine."

My guess is that this was the behavior of a DNS provider, such as OpenDNS, that your node at the time happened to be using.

The other (and decidedly more sinister) possibility I can think of is that you were the victim of a MITM attack.

December 19, 2013

Permalink

Give us a bundle with Vidalia back, or a tutorial about how to bring it back...
Right now what I had to do is to download both 2.x and this 3.5 and just merge the
newer TorBrowser to the old package

The TBB 3.5 FAQ, linked above, tells you how to fetch a standalone Vidalia and run it with your TBB 3.5.

(Unless you're on OS X, in which case, either sit tight and be patient, or help us make it work.)

December 19, 2013

In reply to arma

Permalink

The TBB 3.5 FAQ, linked above, tells you how to fetch a standalone Vidalia and run it with your TBB 3.5."

The FAQ linked above says nothing about how to get TBB 3.5 _working_ with Vidalia.

For Windows, if you follow the instructions and run "Start Vidalia.exe", then Vidalia will not connect since it can find tor. So, after adding the path to tor in the settings, Vidalia starts tor and sets up a connection. But Firefox from TBB 3.5 refuses to use that connection. So, what do I do next?

(Nor does the FAQ mention that you need to disable the new Tor Firefox Add-on to be able to start the TBB 3.5 bundle when running Vidalia.)

Yeah, don't do it that way. Let TBB start, and then after that run Vidalia. Your Vidalia should try to connect to Tor's control port, realize that it needs to authenticate, and do so.

At least, that's how it works on Linux. Hopefully it does the same on Windows.

December 21, 2013

In reply to arma

Permalink

thanks, but sadly that doesn't work.
Sooner or later there is a solution.
thanks again.

December 19, 2013

Permalink

How can we ensure if the TBB is really connected to 3 nodes? Sometimes the previous bundles used to connect to one node and I had to change the identity by closing the circuit to ensure that 3 nodes are really working.

A) You're welcome to hook up a Vidalia to your TBB 3.5. See the FAQ linked above for directions.

B) You are confused about how Tor works. Tor does indeed create one-hop circuits sometimes, to do directory fetches in a way that they benefit from encryption. But your Tor does not use those one-hop circuits for attaching actual streams. In short, this sounds like another case where if you'd left it alone it would have been safer.

December 19, 2013

In reply to arma

Permalink

Thank you for putting together a stand-alone Vidalia. Sure, it means that I have to run TBB 3.5 and then run the Start Vidalia thing as well, but that is not a major annoyance.

It will even allow me to 'refresh my identity' using Vidalia, which was the biggest annoyance with TBB 3.5, the fact that getting a new identity closed the browser totally and then reopened it.

Great!

In the future hopefully we'll have some of the more key features of Vidalia built in to Tor launcher, such as triggering a newnym without closing all tabs, and being able to see what relays are in your circuits.

One way to save having to start Vidalia up is to 'fix' the 'New Identity' button in TorButton to work the way people who actually use it think it should work. Pretty simple.

  • Go to the 'Data\Browser\profile.default\extensions' directory.

  • Rename 'torbutton@torproject.org.xpi' to 'torbutton@torproject.org.zip'.

  • Unzip this file in the extensions directory. Using the file name as the directory name might be necessary for this to work. Your zip program will probably do this automatically.

  • Go to the 'torbutton@torproject.org\chrome\content' directory.

  • Open the 'torbutton.js' file, and search for 'function torbutton_do_new_identity()'. A '{' follows this text. Add the text '/*' after the '{'.

  • Search for 'torbutton_log(3, "New Identity: Sending NEWNYM");'. Add the text '*/' just prior to this text.

  • Search for 'torbutton_log(3, "Ending any remaining private browsing sessions.");'. Add the text '/*' just prior to this text.

  • A little bit further on in the file there will be the text '// Close the current window for added safety' then 'window.close();' Add the text '*/' just after 'window.close();'.

  • Save the file and launch the TBB. You're done.

Suggest using Notepad++ rather than Windows Notepad for this, as it makes it a lot easier to see what you're doing.. but even without using Notepad++ it's just a couple minutes work all up.

December 19, 2013

Permalink

is there any way to check bandwidth used when as there was on Vidalia? It was useful and pleasant to check how much I sent and how much i received.

December 19, 2013

Permalink

Now that Vidalia is gone, is there any graphical way to configure relaying? I saw the TorLauncher in add-ons but it has no "Preferences".

You've got three options.

First, if you're on Linux, you can install the system Tor package (e.g. apt-get install tor) and then set it up to be a relay. You can then use TBB independent of that.

Second, if you're on Windows, you can fetch the separate "Vidalia relay bundle" from the download page and then use that (again you can use TBB independent of it).

Third, you can either hook your Vidalia up to TBB (as described in the FAQ above) or edit your torrc file directly. This option is pretty klunky right now, e.g.
https://trac.torproject.org/projects/tor/ticket/10449
but I'm hoping it will become an easy option in the future.

Thanks!

December 21, 2013

In reply to arma

Permalink

QUOTE:

"First, if you're on Linux, you can install the system Tor package (e.g. apt-get install tor) and then set it up to be a relay. You can then use TBB independent of that."

Pretty please with a cherry on top provide a 'step by step' tutorial for that for us newb Linux converts :)

December 19, 2013

Permalink

I want to start only TorBrowser, without Tor. I alredy have to running on my machine. How do I do that?

December 19, 2013

Permalink

Advice to those launching the Start Tor Browser.exe of TBB 3.5 FINAL for the first time.

You will have to wait at least 10 minutes for the loading of the relay circuits, something that never happened with TBB 2.x series.

At first I thought TBB 3.5 FINAL was still buggy and was about to revert to using TBB tor-browser-2.3.25-15_en-US.exe when after about 10 minutes, the former launched successfully.

Now whenever I launched TBB 3.5 FINAL, it starts up way faster than tor-browser-2.3.25-15_en-US.exe ever did.

Thanks to Tor developers for this software. We users certainly hope that it will provide greater anonymity and be more robust than the deprecated software.

Actually, it's not supposed to take 10 minutes. I assume you had a hiccup on one of your directory fetching circuits or something. Sorry for the troubles.

You could try blowing away your current TBB and unpacking a new one, and see how the second attempt fares?

Mine does this every time. It doesn't seem to be creating any data in my data directory either. What is it supposed to be doing and why doesn't it save the result?

December 19, 2013

Permalink

Suggestion to Tor developers of TBB 3.5 and above series

Could you please state clearly on the appropriate web pages who sign(s) the TBB bundle?

For TBB 2.x series, it was stated clearly that Erinn was the only signer.

As for TBB 3.5 and above series, who is the signer? Is it still Erinn?

Erinn still signs the .asc files that you're used to checking.

But there's actually a smarter way to check the signatures as of TBB 3.5, which resists a few subtle attacks that probably don't matter currently but might matter in the future.

See the "How do I verify the download (sha256sums.txt)?" question in the FAQ linked above.

December 19, 2013

Permalink

"Manage cookie protection" don't work (windows version). How can I see and delete cookies? In old version all cookies was there and I saw them.

December 19, 2013

Permalink

Hi all I want to link Vidalia to the new 3.5 TBB, I downloaded & extracted the stand alone package to a seperate folder, now how/where do I put the start script in so the open and are linked, I want map and abillity to new ID without browser refresh ass I use many tabs, Thanks

December 25, 2013

In reply to arma

Permalink

Sounds fishy to me, for some reason they want you to run the browser naked first, easier for the browser to phone home through some backdoor bypassing tor maybe?

Sorry, but the idea doesn't fit with the facts. Vidalia isn't some magic thing that lets you check whether your browser is making connections that bypass Tor. You can use some other tool for that (and you should!), whether you are attaching a Vidalia to your TBB or not.

December 19, 2013

Permalink

why dosint the browser start trough vidalialia like it used when i use it to start 3.5 trough that standalone bundle , it greenlights but no browser

December 19, 2013

Permalink

The startup time improvements in 3.5 are massive but there is some work to do. In TBB 2.3.x I used Vidalia to reconfigure and run as a Relay. Now TBB by default is running as Client-Only that is less secure (IMHO because it does not obfuscate the traffic I generate by mixing it into relay traffic). I also want to torrify other apps such as Bitcoin. I know about editing Torcc but I want to do it "in proper way".

Vidalia Standalone Bundle is not a real solution. TBB 3.5 uses cookie as control port auth, Vidalia wants to use random password. The Vidalia also now throws out uncensored .onion addresses in it's log claiming it is not supported.

I think I will need to run Vidalia Relay Bundle for all my other apps together with TBB for browsing. If they don't attempt to interfere with each others instance.

December 19, 2013

Permalink

The new Tor is great with its fast circuits. The rest is meh as usual.

Give me Vidalia or give me death!

(I know about the FAQ but I had to say that.)

December 19, 2013

Permalink

* With all due respect: Without Vevida it really sucks *

- Unable to see network connections. or if any connections are established in the first place.
- Unable to instantly check to which countries or nodes you are connected.
- Firefox’s preferences content is dramatically reduced until pretty unusable.

I’m losing my trust rapidly. What are you doing?
From now on Tor is for kids and foolish people only?

December 19, 2013

Permalink

Download page says: "This package requires no installation. Just extract it and run." but I get an .exe file that I must install. If I extract and try to run I always get an error message. What am I doing wrong?

December 19, 2013

Permalink

You say "This package requires no installation. Just extract it and run." but download is an .exe ...wft?

December 19, 2013

Permalink

Using the 63 Bit Linux version...I go into settings and cannot locate where to disable JAVA...option is gone in this new release...

December 19, 2013

Permalink

The censored users
- MUST see the Tor circuits,
- MAKE SURE the excluded country nodes are not in the circuits, and
- SEE the Tor ststus/error messages.
Without Vidalia this is all taken away. Do you suppose now we need to blindly trust everything and always? Or we need to dig in the files to return Vidalia manually?

OK, Vidalia is bad (per mentioned above FAQ), but please develop a modern informative substitute. Come on.

December 19, 2013

Permalink

Thank you for all your hard work.

FYI-- GET INFO tells me that I have downloaded Tor Browser Bundle 1.0, copyright 2010 instead of the 32-bit Mac version of 3.5, copyright 2013. Assume it was a labeling oversight.

December 19, 2013

Permalink

With 3.5 the message "Tor unexpectedly exited" appears when adding to torrc
SocksPort 127.0.0.1:9999
Or any address and port.

Also, TorBrowser crashes on exit when setting in options
"Show my windows and tabs..."

And when re-opened, it of course does not set the window size properly if the size has been altered before closing. Is this intended behaviour?

December 19, 2013

Permalink

Javascript is enabled by default.

Quote: "We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled."

Okay fine, what happened to the option to shut it off, its not longer under content.
Wtf is going on?

December 19, 2013

Permalink

Why is there no longer an option and no mention of the removal of enabling/disabling javascript from FF options? Also, "allow scripts globally" is enabled by default in noscript.

December 20, 2013

Permalink

Just like to say thanks for the new bundles - in particular the stand alone Vidalia. I too had a few problems with the two missing dlls but I managed to locate them in the previous Tor bundle and put them in my System32 folder.

Now everything works fine.

Thanks again.

December 20, 2013

Permalink

Tor Browser 3.5-MacOS
Javascript is on by default, with no obvious way to it turn off.

Why has the option been removed from preferences, and where has it been moved to?

Also, may I please have a link to *correct* article(s) on Javascript and cookies when using tor. There is much to much conflicting information out there.

December 20, 2013

Permalink

In all the previous TBB versions Javascript needed to be manually disabled.

I'm no techie so I ask Is Javascript now permanently disabled in TBB 3.5 - otherwise how would I go about doing this please.

TIA

December 20, 2013

Permalink

TBB-3.5 not started without tor from TBB. To use transparent torification with Linux system tor, first remove tor-browser_en-US/Data/Browser/profile.default/extensions/tor-launcher@torproject.org.xpi,
then go to Torbutton preferences and select "Transparent Torification (Requires custom transproxy or Tor router)". Press OK and restart TBB.

December 20, 2013

Permalink

How do you turn off Javascript in tor browser and why is it on by default? I have heard many bad things about Java. please advise

January 01, 2014

In reply to arma

Permalink

It is more accurate to state that many websites break themselves by relying on javascript, and expecting visitors to enable js to fix the defective website.
Proper website design requires testing the site then adding frills such as js later.

December 20, 2013

Permalink

the new version might be good for pro. users but i'm afraid it's not user friendly and isn't easy to me to set it up! i have no idea abt the information it wants me to enter! setting proxies?! is my isp open for tor servers or not?! are you kidding? how could a non-professional user could know these? i hope "tor" could be as helpful as always again :)

December 21, 2013

In reply to arma

Permalink

you are absolutely right man! I've gone to the wrong direction. today i tried again and i must correct what i said yesterday (in the comment above) and apologize for that of course :)
the new Tor software is really great! faster and lighter than older ones and i have nothing to say but thank you "Tor" guys for making a way for us to connect to the web securely; specially in Iran that you have no idea about the largeness of its filtering system formed by the gov.!

December 20, 2013

Permalink

This new version doesn't start and always tells me Firefox is already running, but I don't even have Firefox installed.....

December 20, 2013

In reply to arma

Permalink

Well, the 3.5 Version of Tor.
I'm using Windows 8 and installed it normally into program files.
I'm starting the Tor exe then and get this weird error message.

December 21, 2013

In reply to arma

Permalink

I have seen this behavior with firefox in other versions and other platforms (when firefox is closed ten reopen attempted. It seems firefox doesn't always close cleanly. Check task manager and close any instances of firefox and try launching again. In Linux the "kilall firefox" command always does the trick.

Yeah, but I don't have FF installed. xD
Well, but I feel stupid know. I got around the problem by just opening Tor as an administrator. I only didn't thought of that because the error was me directing in a totally different direction.

December 20, 2013

Permalink

Why is there no safe, separate, zip file to extract and run apart from my regular installation? I'm not going to run an installer, I want everything separate and with no changes applied to my main machine!

WTF ? We've gone back to days of installers ?????

How does TBB 3.5 install on OS X? It's not gonna ask me for username/password is it ? It used to be just a zip you unpacked then a file you dragged to /Applications/

Do you know what ? I really think a lot of bad design decisions have been made with 3.5, they are just plucked out of thin air and undermine trust in the product. And trust is critical here. You can't make this kind of software just from the point of what works for devs mechanically, and I wonder anyone is learning this by now.

No, the OS X one is still just a zip file.

We only added the installer for Windows users, because they were the ones we consistently saw unpacking it wrong.

December 22, 2013

In reply to arma

Permalink

"But smart users don't *know* that that's all it's doing. We should a) make it clearer in the installer text itself that TBB remains self-contained in just the directory they specify, and b) make it clearer on the download webpage when they're fetching it."

smart users don't want to be infected by some shit by exit-node (fake exe)

Well, this is why you must check the signature on the thing you download, whether that thing is a zip or an exe.

If you're worried about getting a fake Tor bundle, and you're happy with a zip file but not happy with an exe installer, but inside the zip file is an exe file that you'll happily run... you're doing it wrong.

All of that said, checking signatures in Windows is horrible. Maybe somebody here will write up some better instructions on how to do it more easily?

December 20, 2013

Permalink

New version is bad. Can't use it to log into ebay. Downloads don't show in download tabs.

I don't know about the ebay part (works for me? ebay is blocking logins from some Tor exits?), but the second issue is because this is Firefox 24 not Firefox 17. Firefox 17 is unmaintained now. Sorry you're railroaded into a newer browser, but Mozilla hasn't left people much choice.

December 20, 2013

Permalink

Where is the option to disable javascript on the windows version? It is not in the same spot in the options menu that is normally is, and I can't find it. Someone pls respond.

December 22, 2013

In reply to arma

Permalink

And when NoScript fails to block JS due to some bug in it, an exploit will gladly run on targetted system.

January 28, 2014

In reply to arma

Permalink

Which is most likely the address bar. Which answers the question immediately. Heck even the start page of TBB 3.5 is about:tor

"And when NoScript fails to block JS due to some bug in it"

How likely is that to happen? Has it ever?

Meanwhile, JavaScript is but one attack surface out of MANY others.

December 20, 2013

Permalink

Minor issue but it was a nasty surprise when the new identity button closed down all my tabs and restarted the browser instead of just fetching a new identity as it used to. At least a warning before it does that should be there. It's not easy to recover things on a browser that does not and should not recover history, forms etc. Let's not make this worse. Is the restart absolutely necessary? Thanks for the great work so far.

December 20, 2013

Permalink

How do I manually disable javascript in the FF browser? I see a thing for Java, but not JS?

December 20, 2013

Permalink

Why isn't there a simple package without installer available? All the descriptions still say "just unzip", which is clearly wrong since you need to run an .exe now.

December 20, 2013

Permalink

When i install this 3.5 version, all the files in the folder are dated 1999

is this normal?

December 20, 2013

Permalink

What happened to the content tab in FF? There is no javascript enable button thing there anymore. How do we reliably disable JS in the browser?

December 20, 2013

Permalink

Don't have the 'new identity' button that's on Vidalia.
For some reason, download progress doesn't show on firefox.
Only good about this is the startup speed. Very fast!

December 20, 2013

Permalink

What happened to Load images automatically and Enable JavaScript options in Edit > Content? May I disable JavaScript thru about:config?

I'm too very interested to find the answer!

WTF? It's most important options and no info about how to handle this through the config file or menu interface! Maybe NSA/CIA pressured you to delete this options???

December 20, 2013

Permalink

TorButton > Cookie protections not working, no cookies there (Linux 32 and 64 bit tested, Win/Mac not tested).

Modifications on TBB:
start-tor-browser.sh: add "export TOR_SKIP_LAUNCH=1"
TorButton > Preferences > Socks Proxy to 127.0.0.1:9050; No proxy for 127.0.0.1, 192.168.0.0/24
NoScript > Disable Scripts Globally
Bookmarks > Show All > Restore ...

December 20, 2013

Permalink

How to disable javascript now? There's no option anymore in "content". How to get rid of tab bar?

And is it now right way to put proxy in "preferences" 'cause there is no vidalia anymore? Generally have to say that I don't like these changes.

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

A lot of the changes you don't like may well be from Firefox 24 vs Firefox 17 (which is now unmaintained).

For configuring the browser's proxy settings, click on the green onion and select "preferences" (which brings you to the browser proxy settings page).

For configuring Tor's proxy settings (e.g. if you need to go through a proxy to reach the Internet), click on the green onion and select "open network settings".

December 20, 2013

Permalink

Two questions for the new TBB:
- how to disable Javascript in Firefox? The option is not there anymore.
- how to set Tor as a non-exit relay without Vidalia?

Thanks.

December 20, 2013

Permalink

downloaded torbrowser 3.5 for mac today but it does not work. cant connect to any webpage at all. never had such problems with any tor package before in years and have not changed any other spec on my mac running latest build mavericks.switching back to previous tor-vidalia package works as always. whats wrong here with 3.5 ?

with vidalia no more i cant even start to figure out where to start getting tor 3.5 working....

The same thing is happening to me! It lets me access the public web, and only a very limited amount of .onion sites -- basically only hidden wiki or torsearch sites. How can I fix this?

I'm having the same problem. TBB 3.5 on latest OS X does not connect to any websites. I opened a bug ticket. Hopefully we OS X users get some love from the Tor community.

December 20, 2013

Permalink

I have a problem with a new versions of TOR browser last few months.
It seems that there is some problem with the CPU priority now with tabs.
With old versions ( In the first half of this year ) when tab was downloading a new site - other tabs was run smoothly - they work with no brakes and lags .
But in a last 3 or 4 month new TOR browser versions have a nasty habit - when some page is downloading other tabs are lagging and works very slow.
Сan you fix so that other tabs don't slowing down when one tab opening or refreshing something?
PLEASE!
p.s. sorry for my terrible english, i hope you can understand me and get optimal performance browser back to normal.

December 20, 2013

Permalink

I use Tor with other applications. I have been utilizing TBB to initiate the tor connection. With the new bundle closing firefox now closes the tor connection. Where can I find a stand-alone tor application for Linux.

December 20, 2013

Permalink

Can you bring back the control panel, please?, and there's a big problem when getting some new identity: all of my tabs are erased and we have to start from zero.
Thanks for this awesome and useful service!
Kind regards.

December 21, 2013

Permalink

Where is the documentation for running Arm? It looks like it will provide some of the functionality/information I'm used to seeing in Vidalia. I cannot find any documentation or tutorial about how to use it.

https://www.atagar.com/arm/download.php

Your main challenge will be hooking it up to the control port, with the control port authentication, that Tor Launcher configured Tor to use.

If you pick a control port of 9151, it might just work, if it knows how to do cookie authentication.

That said, be sure you've looked at https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

December 21, 2013

In reply to arma

Permalink

Thank you for the response. However, I'm looking for general documentation about how to configure and use it. I've switched to using the daemon.

Once you've installed the tor-arm deb, look in /usr/share/doc/tor-arm/ for e.g. the README.

If you still have questions I suggest catching atagar on irc -- he's often happy to help, even though he's mostly moved on to working on Stem.

December 21, 2013

Permalink

The close all tabs functionality is a very inconvenient feature. Scrubbing application level data is a great idea but losing the tabs introduces other problems like having to store the urls and half-completed e-mail texts on temporary files elsewhere. Huge problem for people running the tor bundle from encrypted containers. It's also a huge pain in the rear to do that often, it introduces unneeded reloads of pages which might provide some extra traffic analysis data and it also increases bandwidth usage on the tor network.

That may also be related to a bug which makes dictionaries unusable on some sites which wasn't present in the previous version.

December 21, 2013

Permalink

Where is Vidalia!?
There isent a control panel anymore why!?
You dont have the worldmap with a transparent view of the connections anymore.

This version hides something in the inner core.
Sorry but the new version is bullcrap!

December 21, 2013

In reply to arma

Permalink

At that link it says:

"Where did the world map (Vidalia) go?

Vidalia has been replaced with Tor Launcher, which is a Firefox extension that provides similar functionality. Unfortunately, circuit status reporting is still missing, but we are working on providing it. "

My strong suggestion and humble request is that you provide it again very, very soon because without allowing users ther transparency to physically see the built circuits, userrs will feel nothing but suspicious of torproject having been pawned by the evil NSA deamons who seek to destroy the liberty of billions....

December 21, 2013

Permalink

Idea about new install package (I mean Nullsoft Install System) - IT'S VERY VERY BAD IDEA. Not portable - S**K. Please make 7z.
P.S. Sorry for my bad English.

December 21, 2013

Permalink

I'm using Tor 3.5 Windows version.

I can't get the Tor browser settings to work as they should, it won't save any cookies at all or if it does I can't view them (I see that part has already been mentioned) but also if I set the Tor browser options to Use custom settings for history and then also set Accept third-party cookies to "Never" it won't save the setting, it just resets back to never remember History the next time I check the setting, *After saying that I now can't get it to save the setting back to "Never remember history" so I don't know what's going on with it.

December 21, 2013

Permalink

I just checked perfomance of TOR browser on XP with two different versions of TOR browser
2.3.25-13 - work smoothly and fast
3.5 - work laggy, heavy load of processor

Why new TOR browser now works so badly ?

December 21, 2013

Permalink

As someone who is not a techie, this new version is a nightmare. I deleted the old tor browser on my computer when told there was an updated version (I run fedora) and downloaded the new one. When I open Tor Browser, it instantly says "Tor unexpectedly exited" and I know no way to fix this. I cannot re-install the old packages. Now I have no way to be anonymous online without spending hours banging my head against a screen and probably failing anyway because I am not literate in the technical conversations taking place here. I essentially have no way to use tor now. This is so frustrating.

This was happening to me too... but I realized I'd quit the old browser but still had Vidalia open. As soon as I quit everything else, it worked fine.

I have the same problem. Using a live USB running Precise Puppy v5.4 on a 32 bit PC I was very comfortable installing the frequent Tor updates over the last couple of years. This v3.5 downloads ok, but says "Tor unexpectedly exited" when you try to start it. I am not a techie and cannot fix this, or find an answer on the web. Any ideas anyone?

December 21, 2013

Permalink

why everytiime i download the version 3.5 i am getting the tor but when i check the application to start it say made in 1999 or its old as fuck someone help me out here i have been trying to get this update for a couple of days now

December 21, 2013

Permalink

This just in...

The release of Tor 3.5 (aka New Coke, Windows 8, etc.) has many users baffled where the Vidalia control panel as gone. Many users seem blind-sighted (aka struck by surprise from an unexpected direction). With all the confusion and frustration being expressed by it's user base, it waits to be seen if the developers will be soon releasing a Classic Tor or Tor Blue version within the coming weeks.

More news at 11...

Well, maybe you like the Vidalia standalone bundle?

Or maybe you would like to help maintain a bundle you prefer better, starting with fixing the growing set of bugs in Vidalia, which has alas been unmaintained for years?

Also, it's "blind-sided", not blind-sighted -- but let me take this opportunity to tell everybody to read Peter Watts's great book "Blindsight". :)

Vidalia Control Panel can still be manually loaded AFTER connection is established with Tor 3.5.
Download Vidalia Standalone from:
https://people.torproject.org/~erinn/vidalia-standalone-bundles/

The Tor Project has replaced Vidalia with a Firefox Plugin known as TorLauncher. A major reason being cited is because Tor loads faster this way, and indeed it does seem to. I still like Vidalia and still use it to view my Network Map, Tor bandwidth, to switch relay services on/off, and change other settings.

December 21, 2013

Permalink

The new version seems also to make trouble on sites with crappy old/weak TLS logins. Maybe an issue of FF or its cookie handling??? TBB Refuses connection without warnings or errors. So what are the options if you want to use a login on these particular sites? Using the old version of TBB with support of "bad cryptography" or using the new TBB with no cryptography (using unsecured http login)? Bruce Schneier has his personal opinion about this topic.

December 22, 2013

In reply to arma

Permalink

It seems to be more like a problem with cookie handling in private mode. After unchecking the Torbutton options "Don't record browsing history or website data (enables Private Browsing Mode)" all seems to be OK. Also the FF option under Privacy "Accept cookies from sites" have to be checked. 3rd-party cookies can be disabled. Is it also possible, that this preference is not corresponding with the Torbutton option "Restrict third party cookies and other tracking"?
If the FF option (also Privacy) "Always use private browsing mode" is checked no cookies are listed under "show Cookies...", if unchecked cookies are listed.

December 21, 2013

Permalink

This whole FF issue with removing the javascript preference in the content tab, coupled with the cookie "haze", should be viewed with suspicion. Sure, you can supposedly still disable JS by doing the about:config thing, but a lot of, if not most, people are going to trust in Tor or Noscript or whatever.

One can rightly say that not all exploits and other crap use javascript to execute, but JS is the easiest vector to manipulate to unmask people. That is Exactly why the NSA and the UK people use it.

Perhaps the tor project should look into partnering with other browsers that don't make it hard for the ordinary layperson to disable JS and cookies.

It was always understood as a FUNDAMENTAL thing - if you wat to surf safe, disable JS and cookies. Any org that makes it more and more difficult to do these basic things should be viewed suspiciously.

The other browsers lock down extensions even more in terms of what they can do to change browser behavior -- so a lot of the contortions that Tor Browser Button goes through:
https://www.torproject.org/torbutton/en/design/
https://www.torproject.org/projects/torbrowser/design/
are downright impossible in things like Chrome without a huge amount of rewriting (which in turn means that when they change their code your patch breaks).

https://www.torproject.org/docs/faq#TBBOtherBrowser
points to
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-f…
which lists some Chrome bugs that remain blockers for moving TBB to Chrome.

Unless you had a different free-software browser in mind?

December 21, 2013

Permalink

Isn't it kind of funny how people have such an emotional attachment to a simple utility like Vidalia? For years it's served as their assurance that everything is right in onionland and taking it away is like removing a baby from his mother's nipple. A valuable lesson for software projects...

In all seriousness arma deserves a round of applause for dealing with very frustrated people in such a friendly way.

... and users deserve to be able to see for themselves that a three hop circuit has been built over three different continents as apposed to not being able to see... leaving open the possibility of a one or two hop circuit with entry and exits both within the USA's cess pool of a country along with the inherrant likihood that the NSA will own one or both of those servers.

Unless I have been allowed the opportunity by the developers to see for myself the built cuirciuts (as used to be the case), I cannot have any confidence in tor because transparency is essential to trust.

First, you're welcome to hook up Vidalia and resume watching your circuits (see above FAQ). I hope we'll have that functionality in Tor Launcher soon too.

Second, you should learn more about Internet routing -- if you think that "has three relays in US" is unsafe and "has not all three relays in US" is safe, you're doing it wrong. :( The question is what networks the *links between relays* traverse. For example, traffic from Ecuador to Peru often goes through Miami. The Internet is centralized in a really scary way.

See also
http://freehaven.net/anonbib/#feamster:wpes2004
which led to
http://freehaven.net/anonbib/#ccs2013-usersrouted
which led to
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…

December 31, 2013

In reply to arma

Permalink

"if you think that "has three relays in US" is unsafe and "has not all three relays in US" is safe, you're doing it wrong."

And pathetically deluded.

Thanks.

What you're not seeing here is all the frustrated people who have been dealing with all the Vidalia bugs over the years (yes, actually years) that it's been unmaintained and rotting.

Totally agree.... torproject should lead by example in not forcing surfers to enable JavaScript.

I for one prefer to NEVER enable JS if at all possible for obvious reasons such as the NSA's MITM attacks seamlessly redirecting you to a Foxacid server to be fuggin owned regardless of the fact that the site you were attempting to view might have had a harmless JS script, the JS that that MITM page contains or calls may well not be benign and in fact likely will be malicious if it is from the NSA (Never Serve America).

In simple terms, leaving JS enabled even for sites you trust like Goggle (if your a dumb F@%K) or even DuckDuckgo or torproject leaves you completely open to the most malicious and 0-day JS out there if the NSA uses their fraudulent, stolen and illegitimate privileged positions on the WWW backbone to MITM or MOTS you.

Therefore torproject should NOT publish html pages with functionalities that are essential to users of the software that ONLY operate if JS is enabled.

Come on, get serious guys, not only should you lead by example with your own site by rejecting mandatory JS functionalities, you should adopt the policy of recommending to all your industry peers to do the same with their websites.

First, as far as I understand the Quantum attacks don't rely on Javascript in any way. Though I'll grant you that some of the Foxacid exploits use them -- but seriously, if that's your adversary, these people have like a 7 or 8 figure budget for buying browser exploits. We need way way better sandboxing in general before we can have those conversations.

As for whether atlas or globe use Javascript... they were both written by nice volunteers, and now we point people at them because we don't have better ones. If you want them to work better without Javascript, become one of the nice volunteers!

I guess we could throw them away, but there would be a lot more people yelling about "what did you do with atlas" than there are currently yelling about "omg atlas uses javascript".

Also, throwing away things written by nice volunteers is not a good way to have a community.

December 22, 2013

In reply to arma

Permalink

I understand and appreciate your point, it's a valid point, throwing away things written by nice volunteers is not a good way to have a community.

However I think that you are dangerously misplaced in so far as your assessment of the potential and actual harms in the situation being discussed.

Yes, the NSA is my and every bodies adversary because they are the predominant force committing these illegal and damaging hacks.

You might have given up any hope of defending from them, but thank god that many/most of us have not and never will.

Whatever can be done to defend, should be done, simple.

Even if it is just to defend against the NSA finding out one little minor piece of personal info that is not really vital or damaging because it is NONE OF THEIR DAMN BUSINESS and they are doing both minor and major infractions of privacy to MILLIONS of individuals daily adding up to untold and gargantuan suffering/hurt/harm amongst unsuspecting innocent humans both men, women and children.

Therefore, such things as a few hurt feelings that may be felt by a volunteer who's creation is removed or modified simply pales in comparison to the truly deeply damaging outcomes that can and do occur when the NSA gets root on a Linux box or drops a Trojan on a Winblows box.

I'm thinking of a activist who is working to promote knowledge amongst the general population of the systematic yet semi-covert stripping of the few remaining civil rights of the citizen against the unlimited power of the state.

The NSA identifies this individual via the repeated keywords of interest like 'civil liberties', 'protest', 'freedoms', 'tyrannic' etc etc that it keeps pulling from data steams of this individuals internet activities via Deep packet inspection using its fiber splitters in its secret rooms at the major ISP's

It then performs a MITM on this individual, redirecting them to a Foxacid server and uses a 0-day to compromise their OS.

From there, analysts pour over the PC's contents, determine that this individual is indeed a determined champion of personal liberties and is actively taking daily measures to work towards thwarting Big Govts Orwellian agenda.

The NSA then decides that this individual is a true threat to the Govt's planned totalitarian dictatorship and so contacts the FBI and hands over a dossier of info from the compromised PC (planted illegal materials) along with giving the FBI the PC's encryption key that they obtained from RAM.

They instruct the FBI to use 'parallel construction' to recreate the investigation trail to say that they obtained the password voluntarily from the PC's owner in a their word against ours scenario and proceed to federally prosecute the poor individual for whatever they planted on the PC.

They successfully remove the threat to their most evil plans.

All that is not to mention, senators whos PC's are breached and secrets stolen and used to blackmail them into silence and compliance in voting for whatever bills the blackmailers want them to vote on or reject.

Why do you think that congress recently just gave the NSA an additional 60 MILLION to spend on tightening security against whistle blowers ? No senator is going to vote for that of their own free will, just look at the slow turn of the tide of opinion amongst congressmen towards wanting to rein in the NSA. Knowing it is wrong and wanting to rein it in is their true desire from day one and is naturally showing through in time, voting to give the NSA an additional 50 Million to secure against future leaker's was blackmail.

Then there is journalists being blackmailed to maintain silence of sensitive issues that the public needs to know, political dissidents in cruel regimes being exposed and jailed or killed, there is non-violent drug users being prosecuted and jailed as a result of NSA snooping and subsequent FBI 'parallel construction' to recreate the investigation trail.

All that stuff is not conspiracy theories any more, it is known to be occurring as a matter of course on a daily basis, its info that is in the public domain now owing to the numerous and various disparate articles from both the mainstream media such as the guardian and WSJ and the independent media that is taking over, pulled together, the picture is that the articles show its all been going on for over a decade to the point where FBI sources have even been quoted normalizing it as routine.

And not surprisingly,sweet bugger all terrorists are being caught planning to commit terrorist acts other than those that the FBI has created themselves via solicitation and then entrapment.

So you see, a blanked avoidance on JS because of the NSA ability to perform MITM attacks in an automated fashion en mass is a critical and mandatory action that the entire WWW community need to adopt ASAP.

I don't see it as a choice, but a fundamental necessity to curtail the NSA's abilities.

No time to proof read this now, gotta run.

These things keep me up at night too. They're a big part of why many people work on Tor.

If turning off atlas.torproject.org would have any real impact on them, I would totally do it. But that makes no sense.

December 22, 2013

In reply to arma

Permalink

Um, I think that turning off atlas.torproject.org is only one action recommended as a part of a much wider plan strategy

It seems to me, and I agree with him/her on this wholeheartedly, that what they are trying to get across is that the very existence of and use of JS in web browsers is the major facilitator allowing the NSA to exploit innocent persons computers.

He/she then states "So you see, a blanked avoidance on JS because of the NSA ability to perform MITM attacks in an automated fashion en mass is a critical and mandatory action that the entire WWW community need to adopt ASAP. I don't see it as a choice, but a fundamental necessity to curtail the NSA's abilities."

I think the word 'blanket' rather than 'blanked' was intended in the quote above, but anyway, this person appears not only to be saying that atlas.torproject.org should be removed or a non JavaScript version implemented,but that JavaScript should be black banned and consciously shunned universally, by all WWW users, webmasters, and so on until it can be removed entirely as a specification from the Internet and web browsers for the express purpose of destroying a large percentage of the attack surface that the NSA uses to compromise systems.

That appears to me to be a great idea because it is one of very few actually effective measures that could be taken if we have the collective will.

In that sense, removing atlas seems like a desirable step amongst many millions of additional similar desirable steps..

Makes sense.

That said, I'm still unconvinced that this is where the fight is. For example, Flash has way more problems than JavaScript. The world is slowly winning the fight to make websites not expect that users will run Flash, but we have a long way to go.

*That* said, you have reminded me of another reason why the relay-search feature is useful: it does a bit of what atlas and globe do without demanding Javascript. I've added that point to the thread:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031310.ht…

And see also
https://trac.torproject.org/projects/tor/ticket/10407

I know this is getting way off topic, so I'll make this my last comment here...

I think that YOU arma should use YOUR influence as being an insider within torproject to convince others that what the person above said needs to happen, and needs to happen ASAP.

Meaning, the torproject in collaboration with EFF and Mozilla and perhaps others could campaign to the rest of the WWW the critical importance of ridding the WWW of JS and Flash as a first priority above all else !

It is no secret that most of the technologies comprising the WWW were developed informally, outside governing bodies and in a ad-hock manner and by multiple different organizations. The WWW like most older cities in the world is a mess because it was not 'planned' from the beginning, but rather just developed piecemeal as it grew.

It need to be fixed properly, broken technologies need to be scrapped. The WWW will NEVER be able to be corrected by applying patches upon patches to technologies that are fundamentally flawed.

We got along just fine before JS and Flash were implemented into the WWW and could do so again by replacing them with style sheets and using only 'server side' scripting that stays out of the web browser until a properly developed and secured alternative using technologies that were not around when JS and Flash were created like strong sand-boxing, crypto and VM's or similar.

JS and Flash cannot now have these new technologies easily built into them given they were not in existence when JS and Flash's architectures were created so JS and Flash MUST GO, they're usefulness is over and they are now nothing but a serious liability that are very obviously undermining the WWW across the board.

Thinking about it, bandwidth has increased 100 fold over the last decade, so there is no reason that ALL scripting could not be done server side because nowadays any delays are virtually negligible for such small data streams as the output from a script run on a remote server. This would completely bypass an entire category of security vulnerabilities that now exist because these technologies are parsed within the browser on the clients PC.

If people like you and others in positions of influence don't get behind these principles, we will continue to have an insecure and broken WWW that unimaginably evil entities like the NSA can continue with impunity to exploit to inflict damage upon innocent persons en-mass in an completely automated fashion.

Can you imagine what a victory for individual and collective liberty it will be if we can stop the NSA dead in its tracks within only a couple of short months !

...you may say I'm a dreamer.... but I'm not the only one... i hope some day you'll join us.... and the world will be as one :) !

RT

Tor cells are 512 bytes, and Tor data cells use 498 of those 512 bytes for payload (that is, application-level traffic). So if you're sending an http get request and it takes 100 bytes, Tor still sends that in a 512-byte cell, leading to around 20% fullness in that data cell.

If most people are fetching medium to large things then the exit relays will generally see an average cell fullness near 100%, since most of the time there's a whole cell worth of data waiting to be "packaged".

I suggest asking for more details on irc, since the blog comments here aren't a great medium for this sort of question.

December 21, 2013

Permalink

I used to monitor the logs output from the control panel to confirm that my custom torcc file was parsed correctly and to confirm no other errors occurred that may concern me during startup and the building of a circuit etc.

I am not pleased to lose that ability... perhaps a little more brainstorming the consequences is in order before removing functionality from the software.

If you're launching TBB from the command line, it leaves Tor's log going to stdout (i.e. the terminal). I use that feature on Linux and hopefully it works on OS X too.

To see logs after startup, hooking up Vidalia to your TBB should work:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

But to see logs *during* startup, it probably won't do what you want. In that case your best bet for now is to add log lines to your torrc manually:
https://www.torproject.org/docs/faq#Logs
and in the long run to help encourage the Tor Launcher developers to make it easier for you to view messages and events from Tor.

Oh, and I should add that Tor launcher already has a "copy the logs to the clipboard" button, which you can use and then paste them into a text file to read. Not a great UI I agree, but it's there now.

December 21, 2013

Permalink

@arma I appreciate the humility and mirth with which you've fielded so many user comments on this issue, but I have a question the FAQ doesn't speak to:

For users seeking to reduce their attack surface, it seems as though exclusively relying on NoScript to disable javascript functionality may or may not defend against all javascript-based Firefox exploits, which seems to be what most grumpy users are concerned about.

So if a users wants to *completely* disable javascript, is there any potential value in *also* going to about:config in TBB, then typing in javascript.enabled, and then toggling the option to "disabled"?

I installed the Quick Java add on to enable single click control over my JAVA, JAVAScript, Flash, Silverlight, Image, Animated Image and CSS controls.

Very handy.

Just enable Add-On Bar after your install and you can customize what button you have on the bottom right of your browser.

For safety and speed I disable all plugins except image and CSS style.

To be safe, I've also got the Better Privacy LSO persistent flash cookies add on to remove all flash cookies created upon exit.

My COMODO defense kept pestering me Firefox.exe to access my COM section of my registry. Didn't have this issue in my last TOR Browser bundle.

December 21, 2013

Permalink

The main bundle has improved lots and is fast so thanks for all the hard work.

As many of the users have mentioned their frustration with lack of graphic controller (Vidalia) I also have to say, it is very frustrating.

Vidalia is more than just world map. It gives a much better control over functionality of every thing. Which the little button in Firefox does not.

I think it should have stayed until a better alternative with "ALL" same functions is made, instead of first removing it and then pointing to an FAQ for getting it back. A bit of a round about way to do it.

That being said all future bundles should still be compatible with Vidalia (standalone) and support control through it. Also keep Vidalia around for it.

As for start up times. You can just start browser as is in 3.5 and then automatically start Vidalia after Firefox has started. Instead of users doing it manually. That way you get both speed for main browser connection and graphic controller. And you dont have to change much for it to work.
Also may be add it to the main bundle package for download so people don't have to go around looking for answers.

I'd like to keep the Vidalia workaround working for as long as we can, yes.

The main rush here was getting something with FF24 working and out, because FF17 is no longer maintained. And our FF24 work didn't include getting Vidalia working with it.

One of the other big reasons for switching to Tor Launcher is that it will make secure updates much much easier (since it's only a browser and Firefox already has a way to do updates).

I'm not really excited to put Vidalia back into TBB3.5 by default -- maybe you have figured out all the things not to click because they are broken in confusing ways, but all the folks who think they can edit the torrc graphically (you can't, it's mostly broken) or set up a hidden service graphically (also broken), etc? There are a lot of Vidalia haters out there too, and for a good reason since it's been unmaintained for years now.

December 22, 2013

In reply to arma

Permalink

[...] all the folks who think they can edit the torrc graphically (you can't, it's mostly broken) [...]

Other things being harder, yes, you can edit torrc in Vidalia. Have been doing it until now... Working around that Vidalia torrc editor's "Save" bug is easy: simply remove the commented lines in torrc (those starting with the # symbol) before saving it.

December 21, 2013

Permalink

'kay Mike Perry and ama

Yeah, I'm that non-techie type from above.

Y''all kindly put me onna right track by pointing out that Javascript was now controlled by NoScript and that disabling Java is also a good idea.

And the test drive was an enormous success! Thank you...

Vidalia had, imho, many interesting features to play with but I ain't gonna miss it.

I'm still using XP and thus also IE8. To me, TBB 3.5 is now more like IE8 than it eva was before. Once installed one can now forget about it.

I'm sorry to see these youngers resist change so vehemently - they'll soon grow out of it and become more flexible in their ways as they start getting older and more mature. LOL

Seasonal blessing to you and all yer cronies. Thanks for the efforts to keep us safe - we are all very grateful even though we like to complain a lot.... more LOL

Great, thanks!

One question though -- I hope "Once installed one can now forget about it" doesn't mean that you're using it wrong, e.g. running your IE and thinking that you're using Tor? :)

@ arma
LOL .

I use IE8 without Java or Javascript enabled. I stuffed my "hosts" file" with verboten cookie urls. I also use the IE8 "InPrivate" nonsense only from force of habit. No add-ons or accelerators permitted. Google "basic" used as search engine. No "flash" nonsense either.

TBB3.5 loads, for me, in a wink - as does IE8. I can access all my favourite sites even with NoScript activated. Using Duck whatever as a search engine. My isp can now only verify the time and length of my browsing sessions.

Although I live in a third world community where internet speeds and bandwidth are reckoned in kb/sec I get a more robust and constant download speed with TBB3.5. Let's see if this persists?

Mozilla is, for me, unnecessarily complex and too many bells and whistles.

What's more to want - y'all provided me with the best seasonal present for 2014. Heaps of gratitudes...

But like I say - 'parently the youth are too hidebound in their choices and werry resistant to change - double LOL.

Y'all at Tor enjoy the break, hear!

Return refreshed for the 2014 fray. Who be knowing what surprises to expect next...

December 21, 2013

Permalink

What about relay configuration in 3.5? How to set up a relay in absence of Vidalia? I actually have no clue how to do it on Windows right now! I've always done it the easy way, graphically that is, thanks to the manual on site ( https://www.torproject.org/docs/tor-doc-relay.html.en ). In fact, the Tor browser sends me right there ( ->"Run a Tor Relay Node" ), even though this is still targeting the previous version(s), cum Vidalia. But now it won't be of much help anymore, or am I missing something? Is standalone Vidalia the only option left or is there some achievable way to set it up manually on Windows too? At least the website doesn't mention, it only describes how to do it on Linux. :-(

Thanks!

December 22, 2013

In reply to arma

Permalink

Vidalia Relay Bundle is indeed what does the trick! I should've checked the options. Thanks a lot.

December 21, 2013

Permalink

downloaded the latest build of Tor Browser Bundle 3.5 to this update, I used the same assembly and organized output node network. I do not see in the assembly Vidalia, how do I turn on the relay? OS Linux mint

December 22, 2013

Permalink

Thank you for all the fine work that you all do at torproject !

All of us users owe all of you developers/volunteers/etc a great deal of gratitude and I guess a great deal more seeing as we get to use this liberty safeguarding software for absolutely free...

I have a question.

Do the instructions provided by torproject for setting up torchat with linux still apply now that V 3.5 is out ? (which were almost impossible to follow BTW)

If not, can someone update the tutorial on how to set it up please ?

And just how dangerous (ball park, I know you cannot be specific) would it be to use TC with the older version of tor installed via apt get seeing as TC is end to end encrypted as apposed to using exit nodes ?

Thx

I'm afraid there are no instructions provided by torproject for setting up torchat -- in fact, none of the Tor people wrote or evaluated Torchat. Sorry for the confusion from the name. As to how dangerous it is to use, even with the new Tor... who knows? Somebody should do a security audit of its design and code.

December 22, 2013

Permalink

Creating a new identity stops running downloads. The older version kept downloading processes and provided a new identity as well. Will this feature come back?

December 23, 2013

In reply to arma

Permalink

This one is a real ball-breaker for me and everyone I know who uses TBB. I wish I were technical enough to contribute.

December 22, 2013

Permalink

Roger, you're a kind soul for answering so many questions patiently and respectfully. Something for the rest of us to aspire to, especially during the holiday season :-)

It's also kind of amazing how many people appear to have scrolled past various comments/questions on this post, only to ask basically the same question or make the same comment...

December 22, 2013

Permalink

help needed: downloaded tor 3.5. for osx. it starts fine, seems to connect to tor network ( 8 serves show up as being contacted in little snitch) but does NOT connect to any website. means: no websurfing at all. previous tor bundles with vidalia never had any problems at all on same osx installation.

where to start here ? no vidalia log that could indicate and provide info which could be posted here for guidance. guidance appreciated.

There's the 'copy Tor log to clipboard' option, and then you can paste it into a file or notepad or whatever you like and read it and see if there are any hints.

My first thought is to wonder if you're running some sort of security or anti-virus or something program that prevents some part of Tor Browser from talking to itself.

December 25, 2013

In reply to arma

Permalink

i am running "little snitch" but have set rules to allow enabled TOR 3.5. to make in and outgoing connection without restrictions.

also running sophos anti-virus for mac

in osx firewall had TOR 3.5 entered with permission to incoming and outgoing connections

the above security programs are running since long time. they never obstructed any previous tor version , so why should they now ?

littl snitch shows tor connecting to some servers on start-up m but then no further broweser request to connect to the world wide web show any change in little snitch TOR 3.5 connection window. cant even connect to tor pages or use startpage serach from TOR start window.

TOR 3.5 log shows "time out" with any of the failed url connection attempts , no further comments in the log

no idea whats going on here ( or better whats NOT going on here)

Little different, but same problem here. Sophos seems to be blocking TB. I tried back and forth and when you switch off Sophos (which is not really an option) TB goes through. Have not yet found any workaround...
C.

I am having the exact same problem. If I turn Little Snitch OFF, Tor works. But I need to keep Little Snitch running. I never had problems before running Tor while Little Snitch was active. Hopefully someone has the answer - or someone can tell me where I can find previous versions of Tor.

Fixed! Just double check you rules "affecting" LS Agent. You can turn off outgoing connections - you will get windows asking permission for Tor to connect, allow it to do so. Other apps / processes will NOT automatically be allowed to connect to anything etc, you will be asked and simply deny. A bit of a hassle but it works fine, especially if you're not running a bunch of other apps in the bg.

December 25, 2013

In reply to arma

Permalink

sophos antivirus for mac appears to be the culprit here. switching it OFF made TOR 3.5. work at least with tor websites. sophos anti virus has several scanners, one called "web protection" the other download protection and what the call "on-acces" scan.

not sure which one is the tor-block as switching them off appears to have a delay.

so, why and how to have virus protection and still run TOR ?

interesting enough, sophos anti virus did NOT obstruct any previous tor editions.

You are right. The recent (free)) version of Sophos (9.0.6) has "Web Protection" switched on by default. But both have to be switched off in order to work with TB. I tried all other combinations. My other, previous version (8.02.1) on my macbook works perfectly with sophos because it lacks "Web Protection". Contacted Sophos-Support...
C.

Ditto - this is a new problem - Sophos on-access scanning can be left running but both the "malicious websites" AND the "malicious downloads" blockers in Sophos Anti-Virus>Preferences>Web Protection>General must be toggled off for TBB 3.5 to run on Mavericks 10.9.1

December 22, 2013

Permalink

Can someone please answer the following question regarding the upgrade to a new Firefox version in TBB 3.5. ?

Looking at this vulnerability located here:
https://www.mozilla.org/security/announce/2013/mfsa2013-116.html

and which is linked to from here:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…

The 'brief description' given reads:

"Description
Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft. "

There is a link to the full details at the URL I pasted above.

.....does this vulnerability description convey what I think it does ?

I.E. that a suitably crafted .JPG file could read arbitrary memory locations including encryption keys in RAM ?

Holy cow !!

Holy cow indeed. Every Firefox update includes fixes for issues like this. :(

All the more reason for you to stay up-to-date with your TBB's -- and for us to get TBB's secure updater working.

December 23, 2013

In reply to arma

Permalink

As a non-programmer it strikes me that that their appears to be a preponderance of incompetent and/or malicious computer programmers out there for it to end up being the case that such blatantly dangerous exploits exist in the code for the most fundamental WWW features like simple .JPG renderers that have been available for security review/hardening for literally decades.

The programming community should be ashamed and lift their game and professional standards and root out the vast numbers of incompetents among them that seem to exist.

There is no excuse for this level of utter uselessness, it would not be tolerated in any other industry even if it did occur and in any case it doesn't occur in other industries to any great extent.

You don't see mechanical or civil engineers designing bridges or buildings with such fundamental design floors that undermine them such that they collapse or sway and snap or other such critical faults.

They need to be held accountable for such pathetic trade-craft and much, much higher standards need to be implemented and strictly adhered to or we will continue to have an insecure internet and therefore consumers cannot have confidence and ultimately e-commerce is restricted.

Grrrrr this preventable madness makes me furious !

The other industries you mention produce much smaller systems.

Things like Firefox are enormously complex compared to a bridge or even a building.

I guess a better comparison might be to our financial system, which has sure grown its share of complexity (and security bugs).

Anyway, this one is pretty far off-topic by now. Suffice to say that they're not idiots, and making large computing systems safe actually is hard to do right even for smart people. But that said, I think it would be fair to say that maybe Mozilla hasn't been putting their energy into the direction that would produce the most benefit security-wise.

December 22, 2013

Permalink

Downloaded 3.5. (windows) installed. run. connect.

"Congratualtions you are using Tor"

but no connectivity. cannot navigate to any site.

previously this was instal and play - now what?

December 22, 2013

Permalink

This Cloudflare blocking is getting ridiculous. 99% of Tor exit nodes have been blocked for at least four days out of the week and continuing. What can the Tor community do about this? Would Tor ever consider switching to a design that tries to hide exit node IPs? Websites just get more and more hostile to Tor.

Hiding exit IPs doesn't seem like a workable strategy.

I think the right answer is that we need to grow an outreach campaign to a) teach websites why it's valuable to hear from Tor users, and b) teach them how to handle abuse issues better at the application level rather than at the "well just block bad IPs and hope that's good enough" level.

This issue is indeed growing in importance, but there aren't enough core Tor people to work on it. Please help!

December 24, 2013

In reply to arma

Permalink

1. New relays would be seeded into being either an exit relay or entry node (to start) according to their preference.

2. Only after a long period of trust would entry nodes move up to being middle nodes.

3. Middle nodes would only be allowed to connect to a small subset of exit nodes so that compromising them won't compromise all exit nodes. Users would use middle guards instead of entry guards.

4. The exit node's IP plus other random IPs will be censored out of all traffic returning along a circuit ending with it.

5. zk-SNARKS* (http://eprint.iacr.org/2013/507) will be used to guarantee that your SSL traffic isn't modified beyond that.

6. Clients will be restricted to using a limited number of exit nodes via proof-of-work or some other proof-of-something to prevent them from harvesting exit node IPs using websites that they run.

Then you have somewhat hidden proxies. Genius, or crazy?

*I know that most of this post is crazy but I've wondered about this part. If you can use cryptography to prove that somebody has executed a program in particular way via a zero-knowledge proof (without them learning the inputs) then can't you use it to prove that a node has routed your traffic correctly without knowing what it is? Wouldn't this make mix networks obsolete and make single-hop connections safe? It could be the next step in anonymous communications. I know Tor has cryptographic geniuses on hand so I thought I'd bring it up.

December 22, 2013

Permalink

If I'm a Mac OX X user and I have the Tor Browser Bundle 3.5 running, does that mean I'm running a relay, or do I need to do something special to run a relay?

December 25, 2013

In reply to arma

Permalink

The tor icon next to the clock on the notification area ,, doesn't appear any more

December 22, 2013

Permalink

Anyone else finding the TBB (3.5) just doesn't work? Windows 32bit version on a win7 64bit machine. Running from USB installation. Start up but that's it. Can't even find torproject.

Check prefs No Polipo - do I need it? Thought the TBB put an end to all that.

Or is TOR itself in difficulties today?

December 22, 2013

Permalink

um. Tor Browser Bundle doesn't (browse). dl'd today 3.5 and tor starts (checked firewall and is allowed) but no browsing. No sites available.

December 22, 2013

Permalink

The old version stopped browsing onion sites a few hours ago. I upgraded to 3.5 and can browse everything but onion.

December 23, 2013

Permalink

Serious leak in TBB 3.5 FINAL

    Relevant info:

Microsoft Windows 64bit
OpenVPN client 2.3.2-I003 64bit
tor-browser-2.3.25-15_en-US.exe
torbrowser-install-3.5_en-US.exe

    Scenario #1

I launched OpenVPN and connected to my VPN service provider via either TCP or UDP protocol. Next I launched Start Tor Browser.exe of tor-browser-2.3.25-15_en-US.exe

I surfed to some websites and launched a command prompt with admin privilege. In the command prompt window, I typed netstat -bn

Both openvpn.exe and openvpn-gui.exe showed 127.0.0.1:port number for both local address and foreign address

    Scenario #2

Same procedures as in Scenario #1 above except that I launched Start Tor Browser.exe of torbrowser-install-3.5_en-US.exe

Local address for both openvpn.exe and openvpn-gui.exe showed 127.0.0.1
However the foreign address for both of them showed 49.59.199.107

To Tor developers: Please fix the leak in TBB 3.5 FINAL as soon as possible to prevent NSA's hacks. Thanks.

I'm confused. Is this a bug report on your openvpn configuration, where you were hoping it would capture outgoing TCP streams but it didn't capture all of them?

49.59.199.107 looks like it's in Korea. I don't think it's a Tor relay of any sort. Perhaps it's where your OpenVPN was connected to? That case also doesn't sound like a Tor bug though.

December 23, 2013

In reply to arma

Permalink

You wrote: I'm confused. Is this a bug report on your openvpn configuration, where you were hoping it would capture outgoing TCP streams but it didn't capture all of them?

No, my above feedback is not a bug report on my OpenVPN configuration. On the contrary it is a feedback on the strange behavior of Tor 3.5 FINAL.

The following is what I discovered after posting my earlier feedback:

    Scenario #3

I deleted the extracted contents of Tor 3.5.
I double-clicked on torbrowser-install-3.5_en-US.exe to re-extract/re-expand its contents.
I launched OpenVPN and connected to one of the gateways given by my VPN service provider.
I double-clicked on Start Tor Browser.exe to launch Tor.
I surfed to a website.
In an elevated command prompt window, I typed netstat -bn and the results were:
local address for both openvpn.exe and openvpn-gui.exe were 127.0.0.1:port number
foreign address for both openvpn.exe and openvpn-gui.exe were 127.0.0.1: port number

Conclusion: If users wish to access Tor via OpenVPN regularly, the very first step after extracting/installing the contents of torbrowser-install-3.5_en-US.exe is to connect to their VPN gateway and only then launch their Tor browser.

Oh! So a paraphrase of the conclusion is "if you start Tor Browser Bundle before you start your VPN, then TBB's connections to the network won't go over your VPN, and if you start your VPN later it doesn't magically switch them"? Yes indeed.

But that should have been the case for earlier TBB's too.

Unless I misunderstood you?

December 25, 2013

In reply to arma

Permalink

To: arma

I would like to clarify your paraphrase:
"The very first time after extracting/installing the contents of torbrowser-install-3.5_en-US.exe, if you launch Start Tor Browser.exe before connecting to your VPN gateway, TBB's current and future connections to the internet will not go over your VPN. That is to say, the next time you first connect to your VPN gateway and then launch Start Tor Browser.exe, TBB's connections to the internet will still not go over your VPN."

The above strange behavior does not occur in TBB 2.x series, for example, tor-browser-2.3.25-15_en-US.exe.

December 23, 2013

Permalink

i dont will use it! it have ver big secure leaks. tor has now support for us nsa/fbi? lokks like so! tor no more serious at all.

if anyone use it: us govement can very good spy you with this version.

Details please?

(Two can play at this game -- for example, it strikes me that this is the sort of comment that an nsa/fbi person would leave. Ha, now neither of us can refute each other.)

December 23, 2013

Permalink

ha ha moderated... so you will dont let see users the us govement support messages. fuck u usa!

Ah, I assume you're the same person as above.

Yes, we don't let comments go up automatically. About 95% of the comments are SEO spam or the like, so I get rid of all of those first.

I'm also basically the last Tor person willing to tolerate this hackish blog comment system, so alas new comments wait on me.

December 30, 2013

In reply to arma

Permalink

Keep on keeping on, arma. Your work in answering comments is very appreciated. I know it's not easy. Happy New Year to you! :)

--

Sonny

December 23, 2013

Permalink

Is there a way, or are there plans to re-implement the ability to configure hidden services? Or is that something that is, sadly, gone forever?

Wow, you managed to make that work with Vidalia? It always turned into a disaster whenever I tried it.

The current answer is that you should edit the torrc file in TBB and add them. If you're going to set up a hidden service on your own, editing a text file is probably one of the easier steps.

That said, if somebody wrote that into Tor Launcher in a usable way (including not confusing users who don't know what a hidden service is), I bet the Tor Launcher team would take it.

December 23, 2013

Permalink

Wow, this new torbrowser starts really fast!

Amazing work you guys! Thanks for the effort and time you put into this continuously.

One side question: Why do you not disable RC4 ciphers already? The guardianproject does this currently in the Orfox builds. One Tor project member that I know of considers RC4 as broken, so why the hesitation?

December 23, 2013

Permalink

So confused.
I'm not too into the technical side of tor.
I don't exactly know much at all to be honest.
However, since the new update to 3.5, every time I try to run Tor it freezes on
"Connecting to Directory Server"...
If anyone knows how to fix..please reply.

Sorry to hear that. If you provide many more details, somebody might have a guess for you. (When providing details, pretend we can't read your mind. So don't leave something out because 'surely' we'll know it.)

Thanks!

December 24, 2013

In reply to arma

Permalink

What I said is literally all I know.
When I open Tor and click "Connect"
it just stays on "connecting to directory server"
I'll leave it for hours and it just stays like that.
Before the update it worked perfectly.
I don't understand.

arma

January 05, 2014

In reply to by Anonymous (not verified)

Permalink

Tor Launcher has a 'copy log to clipboard' button, which you can then paste into a text file or notepad or whatever to read. It's not as fun, but it should work (until somebody can make a better way to see Tor's logs).

December 23, 2013

Permalink

This version is too bad, it has multiple issues:

Cloudfare blocking is annoying.

The browser restarts when having a new ID

I used to download stuff from different hosts with simultaneous downloads and when I was doing this, I was able to change my ID every time without loosing the stuff. (up to 6 or 7 downloads at a time)
Goodbye to all of this!! it's awful. Now I have been receiving multiple "Wrong IP" messages when trying to download stuff.
The new ID feature seems like it's not working properly.
If you are lucky, you will be able to do one download at a time.
With the Vidalia stuff TOR was great, now it is a terrible waste of time. Now this thing really slow and you have to re-start over and over.
The new version is a BIG step back .

The recent Cloudflare blocking isn't a function of what TBB you're running. It has to do with whether some jerk has been abusing the Tor network lately in a way that made somebody at Cloudflare decide to discard a million Tor users because of the jerk.

As for the new identity question,
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…
A workaround for you in the mean time might be to use Vidalia's new identity button. But be aware that you aren't discarding application-level data (though you weren't back when you were using Vidalia for it anyway).

December 23, 2013

In reply to arma

Permalink

Does Tor have any way to stop users from DDOSing through it? Any conceptual ideas even?

DDoS actually isn't the issue:
https://www.torproject.org/docs/faq-abuse#DDoS

The issue is application-level attacks, like somebody leaving a comment saying somebody else is a jerk, or somebody accessing a URL that gives them more access to a website than the website operator intended, etc.

A lot of this type of abuse on the Internet these days is actually commercial in nature -- for example, if somebody is paying you to hype up a restaurant on yelp, you use all the resources you can to appear to be as many people as you can.

December 24, 2013

In reply to arma

Permalink

He's right, it's too much of pain in the ass. Filehosting services block IPs for certain time (one download per IP), so one should be able to get a new IP without restarting the browser.

There aren't actually that many exit relays total, especially if you look at fast ones. So "keep switching" is a pretty crappy answer in terms of load on the Tor network vs success rate.

I guess the better answer might be for these services to know what Tor is, and use Tor Bulk Exit List:
https://check.torproject.org/cgi-bin/TorBulkExitList.py
to make a list of all the Tor IPs that can reach their website, and then just lump them into one big bucket and rate limit it as they like.

Though, that approach would make it easier for a greedy Tor user to use up the quota.

The actual better answer would be to base the rate limiting mechanism on something that isn't IP addresses. A fine open research question. See
http://freehaven.net/anonbib/#oakland11-formalizing

HEY, Stop using/abusing the tor network to download your porno from the file locker sites like Rapidshare et al.

The tor network can hardly cope as it is with the amount of traffic compared to the number of exit nodes and here is you, using 6-7 different connections to download porn through it.

Porno consists of HUGE binary files unlike text based www pages.

If your concerned about the legality of your porn enough to want to use tor to get it, then I suggest that you DON'T DOWNLOAD IT AT ALL !

Stop being so selfish, it is widely promoted that tor is not to be used for porno for the reasons I have stated above and I know that you have read that before and chosen to ignore it.

To the tor developers... please consider hard-wiring into the code for the exit nodes a list of IP's from the porno file-locker services and have the node refuse or close connections to those services so that selfish tor users cannot ruin the download speed for the rest of us of non porno sites.

Until a critical mass is achieved sufficient to sustain that kind of leech traffic I mean.

December 24, 2013

Permalink

Still not a "techie" type but

I imagine y'all have had download clients of TBB 3.5 inna hundreds of thousands.

but y'all have, evidentially, only 200 -250 users with their issues reported here.

Good metrics for you - Good job, Torfellers.

Now be getting yourselves home - the family waiting anxiously for you

Yes indeed, that's a nice way of looking at it. Thanks.

Or from the pessimist's perspective, many of our users have no idea that Tor has a blog at all. :)

Once you're up in the hundreds of thousands of users, most of them don't understand the 'community' side of Tor. But hey, we do what we can.

December 24, 2013

Permalink

I want to manually stop and start Tor network connection without closing browser. How can I do that with 3.5 bundle? Current documentation about "how to start Tor Relay Node" is no longer work for 3.5.

I don't think there's an easy way.

But there *is* an easy way to tell Tor to do it (i.e. to set DisableNetwork on and off), so this is just a Tor Launcher interface question.

I bet if you or somebody figured out a good interface for a "Suspend connections to the Tor network" option, it would be easy to put in. The main barrier I see is that we're trying not to overwhelm normal users with options they won't understand.

December 24, 2013

Permalink

With the circuit status missing, and the new version of Firefox where crucial settings are missing, it will just take a short time to hear in the news that many onion users got arrested.
Without overview and control you should defiantly *not* use Tor. (!)

December 24, 2013

Permalink

I have some questions regarding this release and i hope Arma or someone else can answer my questions :)

First thing first, I'm on Windows and i always download the expert release or Tor Bundle / Tor Bundle with Pluggable Transports or basically whichever the newest Tor version available to download for me because i prefer to configure everything manually (that means no Vidalia, not using the Tor Browser Bundle itself and only download the Bundle just to get a newer binaries of tor and pluggable transports to replace the old binaries).

And here is my questions:

  1. I just downloaded the new TBB3.5 (both pluggable version and non pluggable) but when i ran tor.exe there's no Console Window displayed although the tor process seems to be running fine (and to stop it i have to kill it / SIGKILL it via Task Manager). Why is that? and also would it be bad if the process gets terminated by SIGKILL?
  2. Because there's no console window displayed, i downloaded the expert unstable release (0.24.19), and found out that version still displaying the old console window. My questions for this is; is it okay If i use the tor.exe binary from the expert unstable combined with the pluggable transports binaries from the TBB3.5 pluggable? i've been doing this for quite sometime with the old releases (using the newer tor binary with older pluggable binaries) and found no problem but just wanted to make sure :)

Thanks.

1) https://trac.torproject.org/projects/tor/ticket/10297

Killing your Tor client by sigkill is fine with me.

2) You'll much prefer the 0.2.4.20 tor.exe when it comes out. But sure, feel free to mix and match Tor binaries if you like it more.

But: if you're trying to browse the web over your chimera contraption, and you think you don't need Tor Browser, make sure you've read all of
https://www.torproject.org/projects/torbrowser/design/
and
https://www.torproject.org/torbutton/en/design/

December 25, 2013

In reply to arma

Permalink

Thanks for the quick response! and yes, i read the tor browser design a long time ago and bookmarked it since because it contains a lot of useful informations, and implemented some of the things listed there.

And lol at the chimera contraption, you'd be surprised on what my whole setup looks like if i have to write it here but to put it simply, it is a Frankenstein :D. The way i'm using tor in my browser (latest firefox not the esr release) at the moment is just if it detects certain keywords, sites or patterns i've designed, it'll goes through tor automatically because i want some privacy :). Obviously if i wanted a more anonymity i'd use TBB and run specific Linux distro designed for this.

December 24, 2013

Permalink

Is it just me, I can't find a way to launch the Tor Launcher..
I see the plugin in firefox but no way to launch it...

I do see it when I start firefox but where does it go after? no menu anymore to access anything??
I just have firefox...

Once you "Start Tor Browser" (or whatever it's called depending on your OS), Tor Browser includes an extension called Tor Launcher that automatically starts Tor in the background.

So assuming you have a window called 'Tor Browser', you're done.

December 25, 2013

Permalink

Thank you, it seems to work fine, but sometimes displays the following warning:

uri.host is explosive!
(about:tor)

What does it mean?

Not easily (at present).

Your best shot might be to run WiNon or Whonix and try to get Flash working inside that. It will be quite a bit of work though.

December 25, 2013

Permalink

Where is the dialog where you can see and manually close the circuits? I don't want to download a separate Vidalia package, this is supposed to be a BUNDLE.

December 25, 2013

Permalink

##################################################################
# The Snowden Config
##################################################################

#Default Tor Settings
AvoidDiskWrites 1
DataDirectory .\Data\Tor
GeoIPFile .\Data\Tor\geoip
Log notice stdout
SocksListenAddress 127.0.0.1
SocksPort 9150
ControlPort 9151

##################################################################
# The PRISM surveillance program
# http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29
##################################################################
# Bypass all nodes in Prism first tier partner countries,
# also known as the Five Eyes Alliance.
#
# Also bypass some known second tier partners.
# Germany is known to be compromised, but you need to connect
# to Russia exit nodes somehow and Germany has one of the
# largest pool of relay nodes for you to hide in the crowd,
# add {de} to the list if you want to bypass Germany. But
# you'll be easilly singled out because you'll end up
# connecting to your first nodes in a small country all the time.
#
##################################################################
ExcludeNodes {au},{ca},{gb},{nz},{us},{fr},{ir},{it}

##################################################################
# Only use exit nodes from Russia,
# the only place NAS don't dare to raid and put pressure on.
##################################################################
ExitNodes {ru}

Well, feel free, but here are three points of caution before you try this:

A) If your adversary thinks you're running with this configuration, then any circuits they see that have no relays in those countries are more likely to be yours (and circuits that do use a relay in those countries definitely aren't yours). So you're shrinking the set of circuits that you blend with. See also
http://freehaven.net/anonbib/#ccs2011-trust

B) If your adversary thinks you're running with this configuration, he can actively seek to control or run relays that you're willing to use. And since you've removed a big chunk of the Tor network (especially if you exclude Germany too), it's cheaper for him to become a given fraction of the remaining relays.

C) Whether this config is safe is hugely dependent on where on the Internet you start out, and where your destination is. For example, if you start in the US and exclude US relays, 1) that will be funny-looking over time, and 2) you already start out being surveilled by your adversary even if your first relay is in Poland -- how do you get to Poland but by going through the US? And it's worse than that, because many Internet links go through one of your above countries even when they're going between two relays that aren't in your excluded list. So you are both dangerously overexcluding and also not accomplishing the goal you have in mind. See also
http://freehaven.net/anonbib/#ndss13-relay-selection

(Oh, and it's a bit rude to call it the Snowden configuration unless he has in some way said that he uses it, yes?)

December 26, 2013

In reply to arma

Permalink

That may be true, but the fact is if NSA is already monitoring all the border traffic of partner countries, then connecting to these countries is a dead give away.

As long as they have access to the border routers and undersea cables, knowing which IP connected to which IP at which millisecond, they can easily analyze which one is the first source IP, which is your IP.

When they own the whole system, bypassing those countries is the lesser of two evils.

Are you sure the NSA perfectly monitors those six countries, and doesn't monitor the others at all? That seems like a really funny-shaped assumption -- especially with stories about collaboration with Sweden over their FRA law, the Germany concerns raised above... you name a country, I bet there's a plausible discussion somewhere of the NSA trading data with them. (And even if you name Russia, I'll name Sweden as one of their major upstreams.) This centralization of the Internet is bad news.

January 01, 2014

In reply to arma

Permalink

The point is you need to ensure there is at least 1 node in a country that is out of NSA's reach, and the default configuration doesn't do that.

New document shows the NSA is recording all encrypted deep sea cable traffic for at least 15 years. That means they have the ability to can replay the entire data stream.

Forcing the first node to be Russia might work:

EntryNodes {ru}

December 26, 2013

Permalink

WARNING: IP LEAKAGE
It is to inform you that when I run the decloacking test in the new version of TBB 3.5 through the site ip-score(dot)com, it leaked my address in the category "Windows Media Player". Two standalone applications are responsible for it:
(1) Internet Download manager - which loads a video file when run the decloacking test, and starts automatically when we even exit IDM.
(2) Keepass Password Manager: secondly, after deleting IDM, I checked the TBB and there was no IP leak. But when i opened the Keepass manager to log into the accounts, it leaked the IP address which I by chance tried to check through this site.

I tried Better Privacy addon and configured it to delete cookies and LSOs at the time of starting TBB, but it again leaks my IP address in some of the tests.

I am now afraid because in the last two days I have leaked a lot of sensitive docs against someone.

December 26, 2013

Permalink

Oh, and it's named after Snowden simply because he exposed PRISM and is now in Russia.

You don't need people's permission to name something after them. If it make sense and is easy to remember, then that's good enough for me.

People might think that he was involved in the project if it bears his name. You can't sell a Crapple iPoop and not expect to face legal consequences. It's deceptive to hawk something that bears another's name/likeness and they will make sure you cease-n-desist, pay up, or get pounded-in-the-ass by a Big man named Tiny. If Edward was (hopefully not) 'dispatched' and 'they' made it look self-inflicted or a disturbingly hilarious auto-erotic asphyxiation mishap or some other nonsense in which there was clearly outside involvement+motive+tampering of evidence, then naming something in honor of his memory would be fine. But if he didn't work on the project that bears his name, then people might think he did when he didn't.

December 26, 2013

Permalink

Why do i have to instal something with the new 3.5 tor browser bundle ? Is'nt the whole principle of this bundle being instalation free ?

December 26, 2013

Permalink

This is the most stupid move I've ever seen.
No control, no JS button in FF (about:config hidden)
People will try to hack and get caught, FAQ reports you are working on.... just blabla

Too early, just plain nonsense and CRAP
are you working for NSA ?

Rantlingtruth

December 26, 2013

Permalink

I finally upgraded, and at first, the start-screen & what I am assuming was TorLauncher appeared to be phishy when I first launched the new build; I felt even more uneasy when I didn't see Vidalia in my tray. As you have stated, it had numerous holes since it was unmaintained, so I can't defend it, since I honestly don't know much about it. But since I've gotten used to it over the years, the sudden disappearance was a bit shocking. I (at least I think) was able to hook up Vidalia from an earlier build to the new TBB, but I don't feel secure, mainly because I used to be able to select 'Stop Tor' from Vidalia's context menu and then exit. Now, when I try that, there are still open TCP connections from the new thingamajig( TorLauncher?). Also, I'd have to assume selecting New Identity from the Vidalia context menu (not TorButton's located in the Browser) probably won't work the same either. I'm not complaining about the lack of Vidalia in this new version, I'm just a bit confused since I was so used to it being there. Thank you for any support you can offer. The things that I use Tor for are rarely, if ever malicious, and quite often actually benign, but that doesn't mean I don't value my privacy. Also, I was wondering if others were having issues with CloudFlare/Goog? blocking them from access to a large number of sites. It's been happening more often the past few months and is becoming increasingly annoying.

The new way to close TBB is to close the browser. Then everything else will shut down (except Vidalia, if you launched it separately -- you'd need to close that yourself).

The 'new identity' button in Vidalia does what it did before -- it expires currently-used circuits so new streams won't get attached to them. The 'new identity' button in TorBrowserButton does what it did before too -- it expires circuits as above, but it also throws out your browser-level state so websites can't link old-you to new-you. But see https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#… for what might be a surprise.

And yes, Cloudflare and google have been increasingly blocking Tor exits lately. Anybody have a contact at Cloudflare who can help us get started explaining what they're missing out on?

December 27, 2013

Permalink

Hi torproject!

WHY DID YOU STOP PACKAGING SELF-EXTRACTING ARCHIVES 7ZIP (FOR WIN)?

WTF???!!!

YOUR EXE-INSTALLER LOOKS SUSPICIOUS!

December 27, 2013

Permalink

I am no longer able to use bridges with TBB 3.5. As soon as I insert a few bridges TBB simply stops functioning. When I quit TBB and relaunch it, it bootstraps only to 5% only and gets stuck there. As soon as I remove the bridges it works again!

December 28, 2013

In reply to arma

Permalink

Thank you for your advice. The log shows quite a few 'warnings' with failed connection. Most of the bridges were obtained via gmail. With the previous TBB even if a few bridges failed (sometimes up to 11!) TBB still worked and I could continue using it. With this version of TBB this is not possible. Currently I have 17 bridges. Not all of them failed but I got the warning 'Tor Network unreachable' and was stuck there.

I am a novice user. My system: Macosx 10.9.

December 27, 2013

Permalink

I've been using 3.5 overnight and had no issues until this morning. I didn't change any settings in between last night when it was working fine and this morning, but now some sites don't seem to be loading properly. Only some text is visible, no background, no images or anything. Just partial text. Usually this happens, now and sometimes it doesn't. I also had something happen in TBB that I've never seen on FF. Usually when I select view image, a zoom icon ('+' '-') lets me do just that. Now, a cursor or arrows(stretch/size) appear. It also

I tried to re-install but nothing changed. I was wondering if un-installing Tor works differently with the new build?

same poster here; I didn't get an answer yet and I would like to know how to un-install 3.5 so I could re-install it.I wasn't sure if deleting it like the old bundle would be sufficient since there are .dll and other files I thought might still be hanging around.

Uninstalling should just be deleting the directory -- it's meant to be standalone so there should be nothing outside the directory. (I guess in Windows-land these are still called folders? :)

December 27, 2013

Permalink

While I understand the practical reasons for TorButton 'Refreshing' the Browser when selecting 'New Identity', is there any way to have a Vidalia-like option which doesn't clear all tabs in addition to how TorButton currently handles the 'New Identity' command?I'm not suggesting Vidalia was safer, as you've clearly stated that it wasn't, but sometimes I have important text that I don't want to lose, and Vidalia would make subsequent connections appear as new without clearing everything if I didn't need it to, like TorButton does.
Thank You.

December 28, 2013

Permalink

Wow great work Tor developers!! tbb is blazing fast starting up now (in gnu/linux at least). I know many are complaining about vidalia and it is true it was informative but thanks to the fast start I almost don't use firefox anymore :)

The only times i still use it is to get torrents from pirate bay as tbb doesn't support magnet linking into transmission. Is there any plans to support magnet links in the future? I'll be moving to the UK in the future and considering pirate bay is blocked there and I wont use shady proxies i'm left with pirate browser :X

December 28, 2013

Permalink

On Windows, is it possible to have TBB's Window always open up maximised, or remember the window position and size between runs? Thanks.

December 29, 2013

Permalink

Let's say I'm retrieving a resource over Tor. Let's then say my browser crashes while doing so, closing my connections to my entry guards and the exit node's connection to whatever I was retrieving at the same time. Let's then say that I immediately reopen Tor Browser, reconnecting to Tor, and immediately reconnect to the resource I was browsing. What are the timing correlation implications of this and other situations involving browser crashes?

December 30, 2013

Permalink

Cannot access LycosMail;

"The page isn't redirecting properly

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

"This problem can sometimes be caused by disabling or refusing to accept cookies".

http://www.mail.lycos.com/service/login?login_domain=lycos.com&availScr…

Is the anti-screen resolution fingerprinting mods breaking some websites?

December 31, 2013

In reply to by Anonymous (not verified)

Permalink

Tried accessing LycosMail using TBB [Tor v0.2.3.25 (git-17c24b3118224d65)]. with FireFox ESR 17.0.11.

No Problem.

I believe the problem lies with release 3.5 .

I guess I will have to continue to use the old version for some sites.

January 14, 2014

In reply to by Anonymous (not verified)

Permalink

Tied changing the privacy settings from "Do not tell sites anything about my tracking preferences" to "Tell sites I do not want to be tracked". Lycos still doesn't work.

Also tried "Tell sites that I do want to be tracked". Lycos still doesn't work.

December 30, 2013

Permalink

See http://www.csoonline.com/article/744697/report-accuses-bt-of-supplying-…

"[...] a secondary hidden network and IP address is assigned to a BT user's modem, which enables the attacker (in this case the NSA or GCHQ) direct access to their modem, and the systems on their LAN from the Internet.
[...] The authors also warn of Tor User/Content discovery via LAN packet fingerprinting.

"The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known. All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker, in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end. This is not something the Tor project can fix," the paper explained.

To combat this, the paper recommends that Tor hidden services drop all traffic from un-trusted Tor nodes, so that clients running in the simulated Tor network will fail to connect to their destination."

December 31, 2013

Permalink

I just want to add another voice to the VERY MANY already saying....it is fucking retarded to remove vidalia, lots of people want to be able to just start vidalia to run other programs through the Tor network AND THEN start the browser bundle for browsing onion sites...please stop the process of going full retard...

December 31, 2013

Permalink

Hello Torproject
Secunia PSI shows a program " Python " which needs a less critical update.
do I have to update it to version 2.7.6 manually? or I have to wait for new version of tor pluggable transports?
OS : Windows XP

December 31, 2013

Permalink

Trying to run a standalone Vidalia with this new TBB not only didn't work but messed up Tor Browser's settings and forced a reinstall. What a debacle

January 01, 2014

Permalink

What!?
No Vidalia!? How can I watch my traffic through Vidalia's Network Map?
Javascript already on!? WTF! Tor gives less anomity than before!

All I just need is a Tor and Vidalia. I already have my own latest firefox build, so I don' t need a poor bbrowser.
http://chacha.d.estiva.org/blog.php

January 01, 2014

Permalink

Fuck this build. Give my huge donation back.

Just give me back my Vidalia. Vidalia AND Tor. Nothing else.
I don't need your shit broswer. Seriously.

January 01, 2014

Permalink

Isn't screen size basically a foolproof way to fingerprint Tor users individually? Why doesn't Tor Browser always simply report a particular standard size?

January 01, 2014

Permalink

I don't have any complaints about this new build, but I was wondering how we should uninstall it should an update be released in the near future? Is it the same as before, just delete the folder we extracted into?

January 02, 2014

Permalink

Tell me why is the new 3.5 bundle making directory's out side of the tor working dir's? Found it in the roaming dir, and then a key folder in the tor folder, that was found in the roaming dir.
This is still done when you tell it to install some place other then the default, and what are those key files for. Other versions never did this. I now see Tor as nothing more then a virus.

January 03, 2014

Permalink

After a short moment of irritation, thank you for the new version! Works fine here.
And good job in answering so patiently to all the (sometimes pretty embarassing) rage-questions of people who didn't spend 5 minutes doing research or at least reading the FAQ.

January 04, 2014

Permalink

The new tor bundle for mac does not even give me an option to disable javascript, which is the whole point of using TOR, to browse with anonymity. Or am I slow and cannot find it? or is tor now playing along with our fearless security leaders. I just want the switch, javascript ON, javascript OFF. my trust has just melted away in TOR

1. JavaScript is disabled by default 'cuz it is very insecure - users are advised not to enable it.
2. JavaScript is enabled by default 'cuz most site would not work and people would not use TOR any longer.
3. The nsa exploit with the help of JS enabling.
4. Url trimmed in the address bar so you can oversee it's not an SSL/https site.
5. TBB with no vidalia and JS enabled to make users feel more comfortable - they do not need to know what routers they are connected to, JS will do the job.

Did I miss anything ?

January 04, 2014

Permalink

It's impossible to download stuff with TOR, lots of "wrong ip" messages. It used to be cool, now it's useless

January 05, 2014

Permalink

A Vidalia that can only be opened after the browser is already started isn't very useful for seeing if my addons are doing anything when the browser starts...

January 05, 2014

Permalink

What would be the fingerprinting implications of using an extension like Fasterfox with TBB?

January 06, 2014

Permalink

Hi, I don't understand :

#1 TBB 3.5 for windows has Firefox ESR version 24.2 and can be downloaded from here :
https://archive.torproject.org/tor-package-archive/torbrowser/3.5/torbr…

#2 Tor Pluggable TBB for windows has Firefox ESR version 17.0.11 & can be downloaded from here :
https://www.torproject.org/docs/pluggable-transports.html.en

#2 has obfsproxy activated by default

Questions :

1) Does #1 have obfsproxy activated by default with the same features as #2 if I add this to its torrc file? (see below)

2) If not, how can I have TBB 3.5 with obfsproxy activated?

3) Is #2 deprecated?

Thanks

------------------------------------------------------------------------------------
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

Bridge 176.9.42.X:9001
Bridge 41.135.78.X:443
Bridge 54.241.168.X:443
DataDirectory C:\Tor Browser\Data\Tor
DirReqStatistics 0
GeoIPFile C:\Tor Browser\Data\Tor\geoip
UseBridges 1

January 06, 2014

Permalink

Help! Where has the yellow onion tab gone down the bottom of my screen with the new 3.5 bundle? It used to accompany the globe and allowed us to view the network and change exit nodes etc. How do I change exit nodes now? Thanks :)

January 07, 2014

Permalink

I discovered a bug in the "start-tor-bundle" file. defines the HOME variable that causes conflict with the system (ubuntu 13.10). You have to rename the HOME variable to HOME_TOR or another name.

January 09, 2014

Permalink

New bundle does not work on Mac Mavericks. Date of browser bundle shows as the year 2000; timestamps in the log are wrong; and it will not connect to any website. I had to revert to version TorBrowser-2.3.25-12-osx-x86_64-en-US, which works fine, proving no problem on my end: the problem is in 3.5. I downloaded 3.5 multiple times, in user and admin accounts, rebooted, gave it time. The console log shows it has trouble establishing connection, but claimed it did connect when it did not connect to any site, any search engine, your own website, etc: just a blank page, even tried New Identity several times, and tried each combination for hours.
Tor 3.5 is unusable.
Log:

1/9/14, 23:46:04.523 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
1/9/14, 23:46:04.523 [NOTICE] Bootstrapped 100%: Done.
1/9/14, 23:48:08.830 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving up. (waiting for socks info)

Exact same thing occurred with both TBB 3.5 and TBB-PT 3.5 under Snow Leopard, so problem likely affects Mac OS X 10.6–10.9. Had to revert to v2.x. Too bad, because I really like some of the Mac-like improvements the developers made to v3.5.

Apparently, Sophos anti-virus blocks Tor from making connections. To use TBB 3.5 with Mac OS, users running Sophos must disable the two options found under Preferences>Web Protection:
-"Block access to malicious websites..."
-"Block malicious downloads from websites..."
Previous versions of the TBB are unaffected by the incompatibility.

January 12, 2014

Permalink

This new version of TBB, 3.5, does indeed load much faster than the previous versions. But after double-clicking the 'start-tor-browser' icon, until the browser actually opens, there is no feedback that TBB is, in fact, starting.
(The only thing I see: some window that appears blank flashes for what seems like a split second, only to vanish.)

Thus, there is a period of at least several seconds (on my admittedly relatively slow hardware, at least) during which I cannot even be sure that:
a) I properly double-clicked the icon , and,
b) that I did so effectively

This, as should be needless to say, is rather unnerving. Worse, it can lead to user's re-clicking the start-tor-browser icon, resulting in "Firefox is already running" messages.

Since posting the above, the Tor status window has displayed for me until the browser opens.

Odd. Wonder what could have changed, as I've been using the same hardware and OS.

January 16, 2014

Permalink

Please, ship the vidalia. It is very comfortable to use : I usually separate tor + vidalia and firefox and use them separately: use ff for daily web surfing and tor only when I need it.

January 16, 2014

Permalink

TBB v3.5 running under Mac OS X Snow Leopard (as another poster running Mavericks also found) cannot establish a connection to any website, although it indicates Tor has successfully opened a circuit. Also affects TBB-PT v3.5. Reversion to v2.x restores normal functionality.

January 16, 2014

Permalink

Hello,
i use Tor in some ways. TBB,arm,tails etc..Recently i noticed Expert tor(standalone) isn't working on old windows anymore(something like error with vscprintf...).
Can you compile for old windows again? I know......security,but... .
Would be really nice.Please.

January 18, 2014

Permalink

It is amazing how many people are ticked off about vidalia being removed! Seems like the folks at torproject should pay attention to their users no?

To build vidalia back into the tor bundle follow these steps. You will need a pre-3.5 copy of the tbb to complete these instructions and the latest Vidalia source code.

Extract the old and new bundles to seperate directories. Replace the new start-tor-browser script or exe program with the old one.

Copy the old Data/Vidalia folder into the new Data folder.

Copy the old Lib folder into the new tbb root folder.

Move the Tor/*.so or *.dll files into the copied Lib folder, overwrite existing files.

Open the copied Data/Vidalia/vidalia.conf with your favorite text editor and replace the following options:
BrowserDirectory=./Browser
ProfileDirectory=../../Data/Browser/profile.default
PluginsDirectory=../../Data/Browser/profile.default/extensions
TorExecutable=../Tor/tor

Delete the following file from the new bundle: Data/Browser/profile.default/extensions/tor-launcher@torproject.org.xpi

Here is where you become a programmer, extract the vidalia source code and open the vidalia-0.2.21/src/vidalia/MainWindow.cpp file with a text editor.

Go to line 1125 and add the following lines of code:

QString expDef = QDir(expand_filename(dataDirectory + "/torrc-defaults")).canonicalPath();
if (!expDef.isEmpty())
args << "--defaults-torrc" << expDef;

QString expGeoip = QDir(expand_filename(dataDirectory + "/geoip")).canonicalPath();
if (!expGeoip.isEmpty())
args << "GeoIPFile" << expGeoip;

Save the file and follow the directions to build vidalia in the INSTALL file included with the source.

If you are building on Ubuntu you may need to install the following packages: gcc make libevent-dev cmake libssl build-essential qt4-qmake libqt4-dev libx11-dev libcv-dev libcvaux-dev libhighgui-dev checkinstall

Copy the new build/src/vidalia/vidalia binary into the new App folder, you should see the new Browser folder in there also.

Now run the copied start-tor-browser and you should be up and running with vidalia and the latest tor bundle!

That was easy right?

As far as I see there is no fault in your description and in may work, but WHY?

If you like Vidalia (I do!) simply download the standalone Vidalia and run it after starting Tor. You get the same result without the need to mess around your Tor installation.

January 19, 2014

Permalink

On my Debian Linux I start the new TBB and wait till it connects to my home page. Then I start the previous TBB and minimize it. I found I can use the green onion to change my identity in the new TBB. Haven't played around much with it to see if it works 100%.

January 22, 2014

Permalink

I have a problem with TBB 3.5 for windows. (torbrowser-install-3.5_en-US.exe)
I downloaded and extract it with 7zip to a directory.
The unpacked directory structure looks like:

torbrowser-install-3.5_en-US
- $_OUTDIR
- $PLUGINSDIR

The 'Start Tor Browser.exe' is in the root directory. After clicking it I get the error message 'Unable to start Tor Browser'.
The strange '$'-directories seems to be the culprit. What to do? Thanks.

January 24, 2014

Permalink

arma-
This is my summary of Torproject's status..in the eyes of users. For reference, I am not a programmer but I build my own Linux boxes and have been watching the growth of Onion/Torproject closely for a decade. User concerns:

1) The Project has adopted the Ubuntu model, ignoring user wishes.
2) Torproject declines to address a major issue: what, specifically, have you given the Federal agencies in return for the ~$15 million they have given the Project over the last decade (exact amt irrelevant). If you are unable to disclose this, the open-source argument goes down the drain.
3) The notion that you are being "forced" by Mozilla to use their newer versions. The last usable, fast and relatively configurable release of Firefox/Iceweasel was version 3.
4) The seeming inability of folks at the Project to accept that simpler is better. Older and patched is better than the changes you are making. The fact is that addons such as NoScript and HTTPS Everywhere are worse than unneeded vs: a simple, tested browser..no Java and no Javascript by default. They add massive potential for vulnerability. No loose config settings or Mozilla "Services" enabled unnecessarily in the browser.
5) Vidalia is wanted. Period.
6) torrc should work, allowing reliable exclusion of certain Country Exit Nodes (Strict). It has never worked in this regard.

Thanks, arma. Don't embarrass Chomsky. Do what users want.

I recognize that some of the blog commenters here believe some of these things. From talking to many Tor users (remember we have many hundreds of thousands), I don't think they're as representative as you think.

As for your conspiracy theory in #2... what have we given our funders? Everything we've given you. Nothing more. Really.

And I agree that Firefox/Iceweasel version 3 had some advantages in usability. But I don't think you fully understand how hard it is to keep browser code secure once it's abandoned by its upstream.

Oh, and for "Vidalia is wanted", yes, it sure it -- but actually, some of its features are wanted. I bet nobody actually wants the horrible Qt backend that doesn't work on various platforms -- they want the things that it let them do. And I want those too. Please help make them happen in Tor Launcher.

Man, here I am disagreeing with you at basically every turn. You should join the Tor project and make things into what you want them to be. Otherwise you'll just remain a complaining user on page 2 of some blog comments. :/

January 27, 2014

Permalink

Am thinking of buying a new computer.

As operating system I am tending towards Windows 8.1. Are there any issues I should be aware of?
Will TBB work OK with this system?

It works great with XP.

Thanks for help.

Just a humble opinion. There is no point in using Tor with any Windows installation. It would only give a false sense of security. Use Windows for all your everyday stuff, games, writing a note to your sweetie, and so on. For your hardnosed political opinions requiring care in countries such as UK, US, NZ and Aus, use a separate harddrive with Debian. Cheapest way is get a bunch of old HD's from abandoned laptops and connect one to your tower ribbon-cable with a handy little $4 adapter avail at Amazon. I have a dozen harddrives, each with a different version Linux, all installed with whole-disk-encryption, with bootloader (GRUB) passphrase encrypted/locked. It has cost me maybe $30 dollars in total and I just plug-in any drive I feel like playing around with that day. Any OS used with Tor S/B barebones and have almost all of the egress Ports blocked by the firewall, as well as all incoming. Of course, a hardware router is required for any internet-connected machine; w/icmp ping, UPnP and remote-updates all disabled.

February 01, 2014

Permalink

WTF now tor finally became covered by the same NSA and corporate industry server alliance putting out AngloSaxon fascist AS World Gov server controls. No more Videlia working so only a nerd can find out how to block their suspicious servers...