Tor Browser 3.5.2 is released

The 3.5.2 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

  • Rebase Tor Browser to Firefox 24.3.0ESR
  • Bug 10419: Block content window connections to localhost
  • Update Torbutton to 1.6.6.0
    • Bug 10800: Prevent findbox exception and popup in New Identity
    • Bug 10640: Fix about:tor's update pointer position for RTL languages.
    • Bug 10095: Fix some cases where resolution is not a multiple of 200x100
    • Bug 10374: Clear site permissions on New Identity
    • Bug 9738: Fix for auto-maximizing on browser start
    • Bug 10682: Workaround to really disable updates for Torbutton
    • Bug 10419: Don't allow connections to localhost if Torbutton is toggled
    • Bug 10140: Move Japanese to extra locales (not part of TBB dist)
    • Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
  • Update Tor Launcher to 0.2.4.4
    • Bug 10682: Workaround to really disable updates for Tor Launcher
  • Update NoScript to 2.6.8.13
Anonymous

February 11, 2014

Permalink

Warning: Tor Browser 3.5.2

Google Safe Browsing is NOT disabled in this version! Means, Google can track you any time this version is starting!

See about:config search for Google

Anonymous

February 11, 2014

Permalink

Warning: Tor Browser 3.5.2

Google Safe Browsing is NOT disabled in this version! Means, Google can track you any time this version is starting!

Each Firefox browser has its own ID that Google can see!

This should NOT be in TOR!!!

See about:config search for Google

Thanks for the warning.

Users should NOT use Google products when using Tor.

I don't know why I never noticed that even in my regular browser.

What other SafeBrowsing values should be modified? *malware.enabled ; *gethashURL ; services.sync.prefs.sync.browser.safebrowsing.enabled; and so on

If I leave the reporting URLs as-is, would it still send info?

Anonymous

February 11, 2014

Permalink

Hi there,

I investigated a problem with the German (DE) Language Pack of 3.5.2:

Warning in the addon-manager: Language Pack is not compatible with 24.3.0esrpre

Workaround tested: Disable compatibility-checks.

Regards

Wolfgang (wolfgang@heukeroth.de)

Anonymous

February 11, 2014

Permalink

3.5.2_de for Mac (OS X 10.6.8 on iMac Core i5) comes with broken localisation, menu is not in German, but in English. What's worse: Tor messes around with the proxy preferences. Either it is unable to "connect" to the local server at 127.0.0.1, but shows external sites, or (if it does access local server after being told to use the system's proxy preferences) it cannot connect to external addresses.

Anonymous

February 11, 2014

Permalink

Linux32
==========

Bug 10095: Fix some cases where resolution is not a multiple of 200x100 :
not to adjust the window size.

Bug 10640: Fix about:tor's update pointer position for RTL languages.

Language es-ES: no translate bar menu and others. Only en.

Anonymous

February 11, 2014

Permalink

Wait... Why do all the files and folders in that package have the owner/group set to "ftp" in the permissions? Is someone trying to play us a dirty trick!?

I'd like to think something is wrong in the chown routines of my system, or something else... but I don't recall having changed anything lately.

The owner/group is set to ubuntu/ubuntu in the tarball -- at least, in the 64-bit linux tarball. That's because that's the user in the gitian vm that builds the tarball.

Were you looking at a different package? In any case, if you extract the package using a normal user, the files will become owned by that normal user.
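
The reply's point, that the owner/group shown for a tarball is only header metadata written by the build machine and is not applied when a normal user extracts it, as an added example (not part of the original thread and not Tor Project code). The archive members, their names and the uid 1000 are constructed sample values.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample members; names and contents are illustrative only.
SAMPLE_FILES = {
    "tor-browser_en-US/start-tor-browser": b"#!/bin/sh\n",
    "tor-browser_en-US/Docs/README": b"constructed sample\n",
}


def build_sample_tarball(uname="ubuntu", uid=1000):
    """Build a tar.gz in memory whose headers record uname/uid as the owner."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def recorded_owners(blob):
    """Owner/group names stored in the archive headers (what `tar -tv` lists)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return {(m.uname, m.gname) for m in tar.getmembers()}


def extracted_uids(blob):
    """Extract to a temp dir and return the uids the files have on disk."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            if hasattr(tarfile, "data_filter"):
                # The "data" filter drops recorded ownership, even for root.
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)  # a non-root user cannot chown anyway
        paths = (os.path.join(r, n) for r, _d, ns in os.walk(dest) for n in ns)
        return {os.stat(p).st_uid for p in paths}


if __name__ == "__main__":
    blob = build_sample_tarball()
    print("recorded:", recorded_owners(blob), "on disk:", extracted_uids(blob))
```
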

Anonymous

February 11, 2014

Permalink

It was previously possible to make the 1Password work in TBB. It's no longer working; I'm not sure, but I suspect the fix for ticket #10419 (I left a more detailed comment there).

Just for clarity, doing this wasn't supported by the 1Password folks devs (I have no relation to them other than a happy user of their software), so not sure what (if anything) can be done here... but life without 1P in the browser is going to be a pain.

Anonymous

February 11, 2014

Permalink

It doesn't open on my computer when I run "Start Tor Browser.exe". It starts a process "tor.exe" and a Tor Browser process, but the Tor Browser doesn't open.

I use Windows 7 32-bit

Anonymous

February 11, 2014

Permalink

PedroPerez

linux32 only works with window 1016x819. If you increase the size of the window, the size increment is blank.
Force size in "special preferences window": the same.
Icons small or large icons, same.

(Desktop of PC is 1440x900)

Anonymous

February 11, 2014

Permalink

downloaded the new 3.5.2 version on Windows 7 64bit.
get the message 'could not load XPCOM' same as person above
regards

Anonymous

February 11, 2014

Permalink

That Google safebrowsing thing sure is more than sketchy! Why the hell is this in the Tor Browser!?

Hey,
What Google safebrowsing thingy are you talking about?
I'm in the config console and I see "browser.safebrowsing.enabled =false". Should I be looking for a different parameter?

thank you

Anonymous

February 11, 2014

Permalink

1) why has the bundle changed to mandatory installation?
It used to require only extraction in the past.

2) what happened to the Vidalia console (that little square which gave you access to some options including seeing your IP and some of the members in the network)?

Thank you very much!

Thanks for the reply.
Regarding the installation - I suppose you have a point and if the previous constellation really created a problem for some users then I approve your change (not that you need my approval :) ), but would it be difficult to make 2 versions, one with an installer and another with an extraction? The extract packages could be added in some "Other versions" section.

Also, I want to note that the download page reads "Everything you need to safely browse the Internet. This package requires no installation. Just extract it and run". That quote made me think I missed something and spend 30 min digging through the site, eventually giving up...

Anyway, thx:)

Kick Vidalia(Worldmap) out because of
this:
"We switched to an installer after watching many Windows users click "run" rather than "save as" when they first fetch it, meaning it works the first time but then they can't find it after that."

Sounds like a really really....... strange programmer joke.
To use friendly words.

Anonymous

February 11, 2014

Permalink

3) have you thought about abandoning Firefox now that it has so brazenly removed/deeply buried the "disable JS" option, discouraging users from turning it off and creating what is quite an obvious security vulnerability for no good reason, raising strong suspicions about NSA pressure?

Thank you.

I do think Mozilla has been making some poor decisions lately on the "have a simple interface" vs "give users control" spectrum, but that doesn't at all make me jump to "NSA pressure".

There are plenty of good explanations for their poor decisions that have nothing to do with shady government agencies -- keep in mind that they're feeling a lot of pressure from Chrome.

As for abandoning Firefox... what would we move to? Chrome has an even larger list of privacy-invasive flaws that need attention.
https://www.torproject.org/docs/faq#TBBOtherBrowser

Damn you and your cold logic!
I was under the impression that Opera was open source (especially with them abandoning their old platform and moving to some kit shared with google).
Interwebz say it is not.
:(
Are there really no alternatives?

As for the pressure/machinations on Mozilla- I wish I could believe that but I haven't heard a good enough explanation yet.
What they are saying is that they want to provide an "accident free" user experience for the laymen (http://limi.net/checkboxes-that-kill) and remove "buttons that destroy the product", but just off the top of my head I can think of 2 easy ways of achieving that without damaging the product for other users.
The most obvious thing is to move the "dangerous options" to a separate tab in the "Advanced" section with ample warnings and queries for user consent with a big green button that says "push here in case of trouble" (reactivates all the cancelled definitions they fear about).
Let me tell you, as a reasonably tech savvy but not a coding person who upon receiving a new item always tinkers with every possible customize option - I had no idea of Firefox's 'about:config' page, I thought that I explored everything available and if I had not used this browser before I would have not known it is even capable of turning Javascript off (actually, Firefox is where I found out about Javascript existence to begin with). But even now, with me knowing where things are and me being used to tech, I must say that the first time I opened that page I was somewhat intimidated. As for the comfort of getting there... even IE does a better job and that should say something.

So with quite a few ways to reach the goal they want, they chose the worst one, perhaps indeed I'm wrong, but it just seems peculiar ...

If we had an extra 100 developers with nothing better for them to do, it would be a great idea. Alas, we both don't have the developers, and also have many pressing things that need our attention.

Thanks for replying.

So apparently as time-consuming and stressful as having to thoroughly examine and test each new release of Firefox no doubt is, building a browser from scratch would be considerably (if not vastly) more so.

The old "reinventing the wheel" thing, eh?

Anonymous

February 11, 2014

Permalink

Every time I try to open the browser it says Firefox can't load XPCOM and closes down. HELP

Problem: can't load XPCOM
Solution: If you have webroot antivirus, go to ---|--- IDENTITY PROTECTION ---|--- Application Protection ---|--- and allow gkmedias.dll in C:\users\..\tor browser\browser

Anonymous

February 12, 2014

Permalink

Is it normal for Tor to randomly change the IP in the same session, without me manually selecting "New Identity" after just a few minutes?

You could set "trackhostexits ." in your torrc file. Or you could crank up the value of MaxCircuitDirtiness more. Or both.

But really, you're walking into dangerous territory here in terms of implications on anonymity and whether you blend in anymore with other Tor users.

Maybe if you want a VPN you should just be using one?