Tor Browser 3.5.3 is released

The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release also includes important security updates to Firefox.

As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

Here is the complete changelog for 3.5.3:

  • All Platforms
    • Update Firefox to 24.4.0esr
    • Update Torbutton to 1.6.7.0:
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
    • Update NoScript to 2.6.8.17
    • Update Tor to 0.2.4.21
    • Bug 10237: Disable the media cache to prevent disk leaks for videos
    • Bug 10703: Force the default charset to avoid locale fingerprinting
    • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
  • Linux:
    • Bug 9353: Fix keyboard input on Ubuntu 13.10
    • Bug 9896: Provide debug symbols for Tor Browser binary
    • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

That is because that site does not support HTTPS. Your connection to ixquick's proxy is encrypted using HTTPS, but the connection between ixquick and the actual site is not.

"If the remote website you visit does not support end-to-end encryption (HTTPS), then it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you)."

Let's see if we can unpack this...

A web proxy, such as the one ixquick/startpage offers, could indeed tamper with any content it fetches before returning it to you. This is just as an exit node could. But ixquick is far more trusted than a random exit node that could be rogue.

True, sort of.

Also anywhere in the network between ixquick and the destination website could mess with the traffic (just as, without ixquick, anywhere in the network between the exit relay and the destination website can mess with it).

If you trust ixquick more than your exit relay, and also your destination doesn't support https, then it may make sense. This is similar to using Tor to reach your VPN, and then accessing all the destination websites via the VPN provider.

One downside though is that you're centralizing your outbound traffic, such that an adversary who watches ixquick's network gets to see all your traffic, where before maybe they wouldn't get to see it at all. Seeing the outbound side of your circuits is not the end of the world (they need to see the inbound side too in order to win), but it does get them halfway there.

Anonymous

March 24, 2014

Why is torrc blank??? I tried writing in it and tor doesn't open...

I overwrote 3.5.2 and am running in a TrueCrypt encrypted drive...

Thanks

torrc is blank because it uses both torrc and torrc-defaults. Only new modifications go into torrc.

As for "I added lines to torrc and now Tor doesn't open", it sounds like you added bad lines. :)

As for overwriting, be aware that this may or may not work for you. If you get weird behavior, try doing a fresh install.
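The layering described in the reply above, as an added example that is not part of the original thread or Tor's own code: it merges a torrc-defaults text with a torrc text and flags option names it does not recognise. The sample file contents and the short `KNOWN_OPTIONS` list are constructed for illustration, and only single-valued options are handled.

```python
# Constructed subset of option names for this example; real Tor accepts many more.
KNOWN_OPTIONS = {"avoiddiskwrites", "socksport", "controlport",
                 "exitnodes", "strictnodes"}

# Constructed sample files, not the bundle's real contents.
TORRC_DEFAULTS = "AvoidDiskWrites 1\nSocksPort 9150\nControlPort 9151\n"
TORRC_EDITED = "# my changes\nExitNodes {US}\nStrictNodes 1\n"
TORRC_TYPO = "ExitNodes {US}\nStritcNodes 1\n"


def parse_torrc(text):
    """Return (line_number, option, value) for every setting in a torrc text."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)            # option name, then the rest
        entries.append((number, parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def effective_config(defaults_text, user_text):
    """Layer torrc over torrc-defaults; option names are case-insensitive."""
    merged = {}
    for text in (defaults_text, user_text):    # the later file wins
        for _, option, value in parse_torrc(text):
            merged[option.lower()] = value
    return merged


def unknown_options(text, known=KNOWN_OPTIONS):
    """List (line_number, option) pairs whose name is not recognised."""
    return [(n, opt) for n, opt, _ in parse_torrc(text) if opt.lower() not in known]


if __name__ == "__main__":
    print(effective_config(TORRC_DEFAULTS, ""))            # blank torrc: defaults only
    print(effective_config(TORRC_DEFAULTS, TORRC_EDITED))  # defaults plus two additions
    print(unknown_options(TORRC_TYPO))                     # the misspelled line
```

Tor performs the authoritative version of this check itself when run with `--verify-config`.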

same adds---

---------------------------------
ExitNodes {US}
StrictNodes 1
------------------------------
works on 3.5.2 which I am on now... I will try 3.5.3 again but please confirm this is the right ditty...

I just want to save my settings and avoid a fresh install but if I have to I will...

Thank you for your help... I am not a complainer, just lazy :)

Anonymous

March 25, 2014

How do I know if the data between my server and the onion site is actually encrypted? We are told it is but how can that be proved?

Been having lots of problems with Noscript and no longer trust it.

Tor does it for you.

For normal https, checking the certificate makes sense, because it's signed by one of 300 or more certificate authorities, most or all of which have nothing to do with the website you're trying to reach. The traditional CA model is a disaster.

But for Tor hidden services, the addresses are self-authenticating. Tor will verify, for sure (unless the crypto is broken), that you really are reaching the site whose address you told Tor to go to.

Of course, you have to make sure to be trying to go to the right address. If you click on one from a random website that *looks* like your intended hidden service address but actually it's one letter off, then all bets are off.
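The self-authentication described in the reply above, as an added example that is not part of the original thread or Tor's code: it assumes the hidden-service address format in use when this thread was written, where the name is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded public key. The key bytes are constructed stand-ins, not real keys, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed byte strings standing in for two DER-encoded public keys.
SERVICE_KEY = bytes(range(140))
OTHER_KEY = bytes(reversed(range(140)))


def onion_address(der_public_key: bytes) -> str:
    """Derive the 16-character name from the key: base32(SHA-1(key)[:10])."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_matches_address(der_public_key: bytes, requested: str) -> bool:
    """The client-side check: does the key the service presents hash to the
    address the user asked for? A service without the matching key fails."""
    expected = onion_address(der_public_key).encode("ascii")
    return hmac.compare_digest(expected, requested.strip().lower().encode())


def mismatched_positions(requested: str, trusted: str) -> list:
    """Compare a clicked address with a copy obtained from a trusted source.
    The protocol cannot do this for the user: a one-letter-off name is just
    another address, authenticated to whoever holds *its* key."""
    a, b = requested.strip().lower(), trusted.strip().lower()
    if len(a) != len(b):
        return list(range(max(len(a), len(b))))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    genuine = onion_address(SERVICE_KEY)
    # Constructed lookalike: same name with the first character changed.
    lookalike = ("b" if genuine[0] == "a" else "a") + genuine[1:]
    print(genuine, key_matches_address(SERVICE_KEY, genuine))    # key fits address
    print(key_matches_address(OTHER_KEY, genuine))               # wrong key rejected
    print(key_matches_address(SERVICE_KEY, lookalike))           # wrong address
    print(mismatched_positions(lookalike, genuine))              # where they differ
```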

Anonymous

March 25, 2014

Disregard last comment... This is TrueCrypt weirdness; the overwrite and addition of
--------------------------------------------
ExitNodes {US}
StrictNodes 1
-------------------------------------------

in torrc worked outside of the TrueCrypt container...

I then added the lines
--------------------------------------------
ExitNodes {US}
StrictNodes 1
-------------------------------------------
to the torrc-defaults in the TrueCrypt drive and FF did not open, but when I pulled the lines out of torrc-defaults the torrc addition worked as you noted...

Thanks!!!

Anonymous

March 25, 2014

Seems bizarre that an app that needs to be kept up to date requires manual uninstallation and reinstallation (plus bookmark migration) on every upgrade. Could the installer not handle this, hopefully including bookmark migration? Preferably via transparent automatic / approved update within the app itself, per normal browser updates.

Thanks to the team for their invaluable work!

Haven't there been comments from Tor devs stating that they are indeed working on implementing the very type of functionality that you describe?

Anonymous

March 26, 2014

A question to TAILS. =TBB ?

Every time you open a new browser, connections to check.torproject.org:443 (customs here!?) AND Wikipedia, Google! What's that?

My bet is that the favicons for those two sites are not bundled with the browser for some reason, but are required by the search bar. So they are downloaded on first startup.

But that is just a guess.

TBB is Tor plus browser etc. that you install on your HD.

Tails is a Linux live disk that includes Tor and much else. It is set up so it never writes anything to your HD.

Anonymous

March 26, 2014

@ Arma,

My system date and time were old (but I didn't know that) due to system problems.
But I saw this after a while, when trying to connect with Tor on the internet.
After changing the system date and time, the problem with Tor was over.

Anonymous

March 26, 2014

When I right-click on the "Start Tor Browser" (exe) icon in Windows, it says "Date Modified: Saturday, January 01, 2000, 2:00:00 AM"... IS IT NORMAL?

Arma is saying that the time/date stamp in question (Saturday, January 01, 2000, 2:00:00 AM) is not evidence of tampering.

But, for any download, the only way to actually answer the question, "HAS IT BEEN TAMPERED WITH????", with any degree of certainty, is through proper verification of the downloaded file. In the case of TBB, this means following the instructions for verifying the digital signature.

Anonymous

March 26, 2014

A Tor Browser Bundle repository for linux would be nice. That way updates are handled automatically.

But what would be involved in implementing a sufficient degree of authentication for anything and everything obtained through said repo?

Anonymous

March 27, 2014

startpage.com is not safe!! I can't believe you guys are using it as the standard search engine on Tor Browser. startpage tracks your IP address and sends it on to Google. Want to see the proof??? Go search for a normal word. For instance, you can search for a company name. Then look at the top results. Look at the sponsored results AND the top non-sponsored results too. They are based on your IP address. If you search from a SPAIN IP address, the first couple of results will be from SPAIN sites. Search for the same term from a US IP address. Results will be from US sites. THIS DOESN'T HAPPEN FOR ALL KEYWORDS. TRY IT WITHOUT USING TOR, then it will be more clear. The results will be specific to your country.

startpage and ixquick SUCK. They send your IP address to Google. They are the biggest online marketing fraud I've seen. If you use TOR you should be protected. Many people don't use Tor and trust them.

"Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?"

they only deduce the location.... then disregard the IP.... hahaha sure.... Trust them with your data

Even if that's all they do with your IP... they are still a fraud and lie in their privacy policy.

I think you are right regardless of what startpage says re/ their sending anonymous requests to google. What browser do you use with Tor bundle?

"What browser do you use with Tor bundle?"

Did you, perhaps, mean to write, "Which search engine do you use with Tor Bundle?"

Anonymous

March 27, 2014

Hello,
I just wonder:
What happens if I use "vpn gate" and "tor browser" together? I always use vpn gate and then I connect with the tor browser; is it OK? Or could I get some security connection problem? Thanks for help.

Anonymous

March 28, 2014

Seems to be a problem with the latest TOR and using flickr. If Javascript is enabled to sign on and view albums, with this version the comments do not show up. Tried everything with No Script to fix it but even if noscript is disabled when clicking on 'comments' it just reverts to the image. Could be a no script error or maybe a change with flickr scripts? Any ideas?

Perhaps you had disabled JavaScript via about:config and then forgotten that you had done so?

Another possibility: scripts from other domains than just flickr.com likely need to be enabled for comment functionality.

(Knowing which domains one must enable scripts from in order to get a given function, such as comments, etc., can be quite a challenge.)

Finally, do you have an Ad Blocker enabled?

Downloaded the new beta version and suddenly flickr is working again.

>do you have an Ad Blocker enabled?
Not an independent program, just as part of my firewall. Anyway the beta seems to have fixed it. Thanks for response.