Tor Browser 3.5.3 is released

The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release also includes important security updates to Firefox.

As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

Here is the complete changelog for 3.5.3:

  • All Platforms
    • Update Firefox to 24.4.0esr
    • Update Torbutton to 1.6.7.0:
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
    • Update NoScript to 2.6.8.17
    • Update Tor to 0.2.4.21
    • Bug 10237: Disable the media cache to prevent disk leaks for videos
    • Bug 10703: Force the default charset to avoid locale fingerprinting
    • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
  • Linux:
    • Bug 9353: Fix keyboard input on Ubuntu 13.10
    • Bug 9896: Provide debug symbols for Tor Browser binary
    • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

No matter which Pentium family the AMD K6-2 is closer to, it doesn't support all i686 instructions. Compiling for the i686 platform means using the CMOV instruction.

https://www.mozilla.org/en-US/firefox/28.0/system-requirements/
Mozilla claims a need for a Pentium 4 or newer processor that supports SSE2.
As a result, it's probably a bug that it still works on the AMD K6-2.

The problem with the AMD K6-2 began when TBB developers started building with gcc instead of cl (Visual Studio).
Up to TBB 2.4.18-rc-1 they used cl, like the Mozilla developers, but the target never changed; it was also i686 with cl, so the "bug" is due to gcc.
I've checked with "about:buildconfig" that up to Firefox 2-0-0-x the target is i586, and starting with Firefox 3-0-x the target is i686.
From Firefox 3.0.x to 3.6.x Minimum Hardware Requirements are the same:
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater) ...
https://www.mozilla.org/en-US/firefox/3.0/system-requirements/
https://…
So, if it is a bug that Firefox 28 runs perfectly with AMD K6, this bug is seven years old. ;)
Starting with Firefox 4, they only listed "Recommended" Hardware (not Minimum)
https://www.mozilla.org/en-US/firefox/4.0/system-requirements/
By the way, SeaMonkey still has a "Minimum" Hardware requirements page...
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)...
http://www.seamonkey-project.org/releases/seamonkey2.25/#install

Now I've tested the latest TBB 3-5-3 with a Pentium III @ 450 MHz and it works fine!

It's no brain to use tor with WinXP even if AMD K6, at least it's possible to find some another browser and to compile all for i586.
Try using it on an i486 with almost zero RAM and win98 if you want an extreme experience.

"at least it's possible to find some another browser"

Using Tor with any other browser besides Firefox/Iceweasel is explicitly NOT supported and not recommended.

"win98"

Windows 98 (as well as Windows 2000 and very soon Windows XP as well) has not been supported with critical security updates for years now. Using any unsupported OS is downright dangerous. (with the possible exception of a strictly NON-NETWORKED box).

"Firefox/Iceweasel is explicitly NOT supported and not recommended."
Firefox dropped 32bit platforms actually. You need to have more than 4GB of virtual memory to build the browser.
It's wrong that only such a browser is supported: overbloated software with kludges and security holes by design.

This is documented in http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8243

The bug in question is discussing pre-Nehemiah VIA C3, but the brain damage is the same in the K6-2. Code generated with -march=i686 by gcc will use CMOV, and will fail on your processor.

I doubt the tor build people would ever use cl (Visual Studio) to build TBB again as well, given all of the work that has been done on deterministic builds.

This is orthogonal to "AMD K6-2 is a potato and is unsupported by TBB binary packages", but ok, I'll bite.

For what it's worth on Ivy Bridge Linus' synthetic benchmark is faster with CMOV, so there's that (I did increase the iteration count up since the code as is was fairly inconclusive).

There are certainly cases where CMOV would be a bad idea, and the Intel 64 and IA-32 Architectures Optimization Reference Manual has a detailed description of the tradeoffs. There's also at least one GCC bug open regarding cases where CMOV is used when it should not http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56309

There was a patch back in the 2.4.x kernel days (when not-quite Pentium Pro "i686" processors were relevant) that trapped illegal instructions and emulated CMOV in software to allow binaries to run with *terrible* performance for situations like "oh god, fsck on my rescue image is i686 targeted and I have a dinky AMD processor", but it didn't get mainlined AFAIK.

If you stop unneeded services while keeping tor, then it's even possible to surf some pages.

amnesia@amnesia:~$ free
             total       used       free     shared    buffers     cached
Mem:        384652     369220      15432          0      38244     137200
-/+ buffers/cache:     193776     190876
Swap:            0          0          0

If you need Tor enough to consider a change of operating system, I'd recommend Puppy Linux. It's designed for getting the best performance out of old hardware with very limited RAM, and the new Tor Browser bundles work on it. Warning: default user is root - you may want to downgrade to user "spot" via command line for security.

"Warning: default user is root - you may want to downgrade to user "spot" via command line for security."

Most important warning indeed.

Have you had success running TBB as 'spot'?

>.exe

You're running Windows on those specs?

Any version of Windows able to run on such old hardware, with only 384 MB RAM would be an old one that hasn't been supported with security updates for a long time.

I can only hope that your use of this box and certainly your running Tor on it, is for nothing more than testing/playing purposes.

The minimum hardware requirements for Windows XP Professional include:
At least 64 megabytes (MB) of RAM (128 MB is recommended)

WinXP is supported with security updates till April 2014.

Anonymous

March 21, 2014


With an old pc windows 7 date/time, I can't connect with this bundle!
Bug?

Anonymous

March 22, 2014


TAILS seems to have the same Browser (TBB) configuration? I have questions:

WHY does the new(er) Browser version use WEAKER crypto? **WTF**
On a lot of https://.......... sites, the OLDER Browser: camellia_256 / aes_256 etc.

NEW Browser version: max. aes_128 ............. *WTF* again.
TLS 1.0 only activated? Why?
And who is responsible for that? I don't really like to know, but please change it.

Plus someone can make the 'Connection Encrypted' info usable. Like Seamonkey. Or
why not?
If I would like browsing with a thoughtless lollypolly Disney fastfood feeling, IE/Chrome would be my fav.

The new Firefox 30 look is......funny(-:,too

Anonymous

March 22, 2014


Re screen-size

Under 3.5.2.1 I posted the following reply on the 17th:

"GK
Thanks for your response. I read the bug report you mentioned. Since I am a relative newcomer to this and I am not very knowledgeable about the workings of computers/browsers/Tor I didn't follow what was said very well.
All I can say is that I have used Tor for about 18 months and have always used ip-check.info as a test. The screen-size (ip-check calls it Browser Window - inner size) has NEVER been rounded to 100.
For Tor versions 3.5.2 and 3.5.2.1 I have also checked it with Panopticlick and (with Javascript enabled) Panopticlick gives the same screen-size as ip-check. IP Check gets the screen size whether JS is enabled or disabled.
Sorry, the above may not be much help but if you can tell me what else to check or which settings to change, if any, I will.
Thanks for your help."

I have just carried out the same tests with 3.5.3 and, guess what, exactly the same results as with 3.5.2 and 3.5.2.1.

If other people are getting 'rounded to 100' screen sizes it is possible that one of my settings is wrong, but I don't know what to do.
Please help.
Thanks

ip-check.info ?

Still plain, unencrypted http. That means an exit node can tamper with the results.

If the JonDo folks behind ip-check can't or won't even bother to make the site HTTPS-encrypted and authenticated, then how can they be trusted?

As you obviously know more about these things than I do, I understand what you say.

However, as I have said, Panopticlick (with JS enabled) gets exactly the same screen-size as ip-check.info, so I think there must be more to it than tampering.

Also, ip-check can get the screen-size without JS.

Personally, I don't trust ip-check. Not that I think it's malicious, but aside from its obvious commercial purpose, it makes up the unsubstantiated claim that a longer stream session such as the 10 minute one Tor uses is bad for anonymity, and encourages naive users to switch from Tor to JonDonym as a solution, calling itself "stateless". In reality, a fully stateless anonymity system like that results in *less* anonymity, as it gives a passive adversary more opportunities to surveil and a greater chance of mounting a successful traffic correlation attack. If I recall, there are even several academic studies that show the reason why rapidly changing circuits is harmful to anonymity. JonDonym doesn't even think to look this up before shouting to the naive masses that their commercial product is superior. It's not just problematic because it's dishonest, but because it gives that company a larger profit at the *expense* of the innocent user's anonymity. That's not all they've done to harm people. Who could forget that backdoor JonDonym added to its software at the request of the German government? With these points in mind, I urge people not to link to services such as ip-check because it lies to people in an attempt to sway them from a more secure alternative. Now, they aren't as bad as some companies (I'm looking at you, HMA), but they still don't deserve the extra traffic that comes to them when there are already plenty of less biased anonymity-checking websites.
/end rant

All valid points.

Additionally, the failure of JonDoNym to use HTTPS authentication by default for ip-check.info (and any other sites of theirs) should give pause to anyone.

I did not mean to suggest that the results you reported were the result of tampering. Nor that I had knowledge of any evidence of such tampering having ever occurred with ip-check.info.

Rather, I was merely pointing-out that the risk exists. And even if it would be determined to be relatively low, the mere failure, whatever the reason, of the JonDoNym folks to implement SSL/TLS across all of their WWW properties seems cause for concern to me.

GK

As I have said, I have read the bug report but don't really understand it. All I can say is that with Windows 7 and Tor 3.5.2, 3.5.2.1 and 3.5.3 I NEVER get a rounded window size - Panopticlick (with JS enabled) gets exactly the same window size as ip-check (with and without JS enabled).
To answer your specific question: No, I am not resizing my window. I don't know how to.

GK

As you have suggested, I have just tried to create a new ticket but when I go to the page that you have stated I just get:

"TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

Pls let me know what I have to do.

Thanks

Sorry, I don't know what you mean by: "do you know how to reproduce never rounded window size?".

If, in fact, I do understand what you mean, I don't have to "reproduce" a "never rounded" window size, I just have to check it via ip-check.info with or without JS enabled and via Panopticlick with JS enabled.

If I haven't understood you correctly, could you please explain what you mean. Thanks.

Anonymous

March 22, 2014


Sometimes when I start the program it just refuses to open. I have to kill it ctrl+shift+esc and restart. This happens on all 3 of my computers. Has been happening since the first 3.x version. What's wrong?

It happens randomly. It rarely/never happens with 3.5.3, but it happens often with every other version. Might be coincidental, either way it stinks.

Anonymous

March 23, 2014


What happened to the stable and unstable Expert Bundles for Windows? Are we supposed to build our own now? And please don't waste my time by telling me I *should* be using the browser bundle...

Anonymous

March 24, 2014


There is a bug in TBB 3.5.3.

I am using OpenVPN to connect to one of the VPN gateways/servers, the protocol is TCP.

Next in a terminal window -I am using Debian- I launched TBB.

When I surf to a website, for example, Tails, I launch a root terminal window and type in the command netstat -rn

The results are:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0   0      0    tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0   0      0    tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0   0      0    tun0
45.27.157.184   192.168.1.1     255.255.255.255 UGH   0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0

Notice that on eth0 and gateway 192.168.1.1, the destination corresponds to the IP address of the OpenVPN gateway/server.

The above did not happen with earlier versions of TBB.

I hope Tor developers can look into the above issue.

It has nothing to do with (that is, no influence on) what your netstat says your gateways are.
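
The host route to the VPN server on eth0 in the table above is what an OpenVPN full-tunnel setup installs so that the encrypted tunnel packets themselves can reach the server. The following is an added example, not part of the original thread or of Tor's code, that audits `netstat -rn` output for gatewayed routes that leave outside the tunnel; the function name `audit_routes` and its output labels are assumptions, and the sample is the posted table.

```shell
#!/bin/sh
# Constructed sample: the routing table from the post above, re-spaced.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0   0      0    tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0   0      0    tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0   0      0    tun0
45.27.157.184   192.168.1.1     255.255.255.255 UGH   0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0'

# audit_routes VPN_SERVER_IP [TUNNEL_IFACE]   (hypothetical helper)
# Reads `netstat -rn` output on stdin, prints one finding per line, and
# returns 1 if the default route or any gatewayed route avoids the tunnel.
# Assumes the VPN replaces the default route, as in the posted table.
audit_routes() {
    awk -v vpn="$1" -v tun="${2:-tun0}" '
        # Skip headers: keep rows whose first field is a dotted IPv4 address.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { n++; dst[n] = $1; gw[n] = $2; mask[n] = $3; fl[n] = $4; ifc[n] = $NF }
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { def = $NF }
        END {
            bad = 0
            if (def != tun) { print "default-not-tunnelled " def; bad = 1 } else print "default-via " def
            for (i = 1; i <= n; i++) {
                # Only gatewayed (G) routes on a non-tunnel interface matter;
                # the directly connected LAN route has no G flag.
                if (ifc[i] == tun || fl[i] !~ /G/) continue
                if (dst[i] == "0.0.0.0" && mask[i] == "0.0.0.0") continue
                if (dst[i] == vpn && mask[i] == "255.255.255.255")
                    print "expected-vpn-carrier " dst[i] " via " gw[i] " dev " ifc[i]
                else {
                    print "bypass " dst[i] "/" mask[i] " via " gw[i] " dev " ifc[i]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_ROUTES" | audit_routes 45.27.157.184 tun0
```

On a live system, pipe `netstat -rn` into the function with the address of your own VPN server; any `bypass` line is a destination whose traffic goes to the LAN gateway without entering the tunnel.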

Thanks arma for your reply.

About the steps that I undertook in my earlier post: what IP address will the destination website see? Tor's exit node IP address? or the IP address of my OpenVPN gateway/server? or both?

Would you be able to offer some suggestions on why some websites and forums recommend Tor users to use Tor over VPN or VPN over Tor?

Anonymous

March 24, 2014


I was wondering if I need start page and Ixquick which provide proxy and encryption. I noticed in this version of TOR bundle, HTTPS Anywhere is provided. Should I just get rid of start page and Ixquick?

HTTPS Everywhere has been bundled with the Tor Browser for a long time.

You are already using Tor, so you do not need to use ixquick's/startpage's proxy service. Tor provides all the anonymity you need.

If the remote website you visit does not support end-to-end encryption (HTTPS), then it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you).

Startpage is still a good alternative to use as a search engine.

Thanks for the reply. I just noticed HTTPS Everywhere does not encrypt some sites, and what is strange is that ixquicks does allow me to encrypt the same sites that HTTPS does not encrypt, and I can see in the URL address starts with https when I get connected. Can I trust this connection?