Tor Browser 3.5.4 is Released

by mikeperry | April 8, 2014

The 3.5.4-stable release of the Tor Browser is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release updates only OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.
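As an added example (not part of the release announcement or of the Tor Project's code), the following Python classifies an OpenSSL version string against the CVE-2014-0160 affected range, so a practitioner can tell on which side of the 1.0.1g fix a given build falls. It assumes only a plain OpenSSL version string as input and knows nothing about fixes that distributions backported without changing the version number.

```python
import re
import ssl

# CVE-2014-0160 (Heartbleed) affected OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release. 1.0.1g (the version this release ships) and
# 1.0.2-beta2 carry the fix. 0.9.8 and 1.0.0 never included the TLS
# heartbeat extension and were never affected.

# Matches e.g. "1.0.1g", "1.0.1e-fips", "1.0.2-beta1", "0.9.8k".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) from an OpenSSL version string
    such as ssl.OPENSSL_VERSION ("OpenSSL 1.0.1g 7 Apr 2014")."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version number found in %r" % text)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4) or ""
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def heartbleed_affected(text):
    """True if the version string falls in the CVE-2014-0160 affected range.

    Caveat: this is a version-number check only. Distribution packages that
    backported the fix (a patched build may still report 1.0.1e) will be
    reported as affected; for those, the vendor advisory is authoritative.
    """
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g+ fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return beta == 1
    return False


def check_running_interpreter():
    """Classify the OpenSSL that this Python's ssl module is linked against."""
    version = ssl.OPENSSL_VERSION
    return version, heartbleed_affected(version)


if __name__ == "__main__":
    version, affected = check_running_interpreter()
    print("%s -> %s" % (version, "AFFECTED" if affected else "not affected"))
```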

Here is the changelog:

  • All Platforms
    • Update OpenSSL to 1.0.1g

Comments

Please note that the comment area below has been archived.

April 08, 2014

"Snowden also urged members of the Council of Europe to encrypt their personal communications. He said that encryption, used properly, could still withstand "brute force attacks" from powerful spy agencies and others. "Properly implemented algorithms backed up by truly random keys of significant length … all require more energy to decrypt than exists in the universe," he said." Source: http://www.theguardian.com/world/2014/apr/08/edwards-snowden-us-governm…

This means that the tor browser bundle is no longer vulnerable to the Heartbleed openssl vuln.

If you are downloading something online with tor that you are worried about being caught for, maybe you should not do it. It gives the rest of the users a bad rep.

If you are downloading something online with tor that you are worried about being caught for, maybe you should not do it.

That highly depends on what your local / national lawmakers deem illegal. Saying that you do not fully agree with your country's president may be just that.

I totally agree. The entire purpose of tor is to access things online that you are worried about being caught for. If you aren't worried, why use tor? Just access it directly.

Tor is designed for online civil disobedience, which in some cases is vitally important to pursuing freedom.

No, you're not thinking big enough.

Consider how to answer the ordinary people who ask you "what do I have to hide?" and why they will wish they'd been using Tor.

In many cases people are bad at judging what they should be worried about. Being safe on the Internet isn't just about breaking (bad) laws and hiding (ethical) unpopular activities.

April 13, 2014

In reply to arma

Examples?

Does this mean that we are safe to download things anonymously/without getting caught?

Safe from whom? from what? from where?

There is no such thing as a 100% safe-to-use product, especially one that is built for use on the internet.

Having said that, please refrain from using Tor to download stuff of massive sizes as doing so will slow down the whole Tor network considerably. Be considerate.

"please refrain from using Tor to download stuff of massive sizes"

So downloading pr0n is okay as long as the calks and breasts featured aren't too large?

April 08, 2014

A big thanks to Tor developers for their swift response and coming up with new Tor bundles.

Secondly, will Tor developers request Tails developers to come up with a fix for their current version 0.23? Since all network connections in Tails are torified, it means Tails' users are vulnerable to the "Heartbleed" attack, yes? no?

April 09, 2014

In reply to arma

Tails uses debian oldstable, so it is not affected by this attack.

Yes, I know that Tails uses Debian 6.0.9, but it uses the Tor client, yes? no? If the answer is yes, then Tails should upgrade the Tor client, which means issuing a newer version of Tails, maybe 0.23.1.

April 08, 2014

Not specific to this release but thumbnails on about:newtab are broken. Instead, 1933 byte blank white PNGs are generated in \Data\Browser\profile.default\thumbnails.

Interesting... This does not happen for me on my Linux box. Which operating system are you using? Does this always occur? With a clean new, say, 3.5.4? I.e. if you delete that thumbnails directory is it getting created again with the PNGs after entering about:newtab?

April 09, 2014

In reply to gk

1. Can't guess by the slashes? (Windows 7)
2. Yes
3. Yes. It worked pre-FF24 and it works in FF24 ESR.
4. Yes, no change

I only get an empty thumbnails folder, strange... And if I delete it then it does not come back on my Windows 7 test box. Are there some special steps to reproduce your problem?

April 08, 2014

As always you guys fail to be clear and confuse the hell out of me. Are Vidalia Bundles updated as well? Why do they have to use different versions? Why don't you just add release dates to the download page? And why is the TOR.exe in the Browser Bundle dated 2000-01-01?

April 09, 2014

In reply to arma

By different versions I mean why do the Browser Bundle and the Vidalia bundles have to use completely different version numbering? Together with absolutely no date provided on the download page, there is no chance to compare whether they contain the same version / whether they have both been updated.

Also, thanks for the link about the timestamps, but I still don't get why TOR in the browser bundle has a file date from 2000 while the one that comes with the Vidalia Bundle does not.

Bottom line is, make things easier to understand. If you blog about TOR Bundle updates, tell us about Vidalia bundles as well. Add file/updated dates to the download page. Two small changes to make things easier.

Thanks

April 09, 2014

A big thank you to everyone at the Tor Project. Thank you for your continued hard work and dedication to a free and open internet and, by extension, a free and open planet.

Everyone else, if you can, please consider a donation or run a relay. A little can go a long way.

April 09, 2014

Hi, how about the beta version though? Would the 3.6-beta-1 be getting an update as well?

April 09, 2014

WARNING: WARNING: WARNING:

Google’s Safe Browsing IS AGAIN not deleted from Firefox!!!! You need to do it manually!

This version has AGAIN a unique ID where Google can track you!!

Means, Google is able to track you any time you start using TOR!!!

Can't understand why the developers don't take care about this...

Please show us how to manually delete Google's Safe Browsing from Firefox or Iceweasel.

Note to Tor developers: Could you please ensure that Google's Safe Browsing is deleted from future versions of TBB?

Hi,

1.) it would be good if you'd supply circumstantial evidence as a basis for your statement

2.) I did check this release
"about:config"

and found this:
"browser.safebrowsing.enabled;false"

3.) however I think having these features in a privacy enabled browser is really strange even when deactivated

yes all google safe browsing urls are still existent and could be brought back into operation

Firefox today is really tainted by googlemoney, it needs a good scrub

April 09, 2014

IT IS A SHAME THAT PRIVACY SOFTWARE SUCH AS TOR ALLOWS GOOGLE TO TRACK YOU ANY TIME YOU USE TOR: IT SENDS YOUR UNIQUE FIREFOX VERSION TO THE GOOGLE SERVER IN THE USA:

April 09, 2014

Snowden is a true hero, shame on NSA that is more evil than communism or nazism.
Guess who is the next heartbleed: TrueCrypt, OpenSSH, PGP or Tor?

April 09, 2014

There is something very eerie about this.
It seems a little "bug" (kinda cute little word isn't it?) in the encryption software has basically rendered all supposedly secure and private internet traffic completely insecure. Golly!

Many things point to this "lil' bug" probably having been implemented and exploited for a long time by the NSA. Gosh!

I remember thinking that the stories behind both the SR and FH busts last year seemed contrived and also overly stressed the fact that Tor wasn't compromised. Oh no! How could it be, it's open source etc.!

Think about it. IF there was (and apparently there was) a virtually untraceable way of monitoring supposedly secure traffic, the NSA wouldn't do anything less than milk it for all it's worth.
The takedown of Freedom Hosting and Silk Road was done in a manner of "we cannot let this go on" but "we still want to wait and milk more info".
I'm starting to think all traffic over Tor for the last two years is compromised.

April 09, 2014

As you know, users' privacy is most violated when they install malicious software that contains backdoors.

When will the TorProject begin codesigning the TBB with an Authenticode Certificate to raise users' confidence that the package is legitimate and hasn't been tampered with?

Today, Windows users are warned that new versions of TBB are likely malicious because there's no way to build reputation unless the downloads are properly signed.

Signing is easy to do (see http://blogs.msdn.com/b/ieinternals/archive/2011/03/22/authenticode-cod…) and you probably could get a major CA like GlobalSign to give you a free certificate.

The downloads are already signed using an HTTPS certificate; the whole of Tor's homepage and the download directory from which you get Tor are HTTPS. I believe this gives at least the same security as Windows codesigning would.

On top of that, every release from Tor is also properly signed using PGP, which (although tricky to verify on Windows) does provide better authentication than HTTPS or Windows codesigning does when used right.

But besides that, one more way to verify the authenticity, that Windows users are familiar with, would be good. Maybe you should file a ticket about this (assuming one doesn't already exist), on:

https://trac.torproject.org/

April 10, 2014

Screen-size

GK

I have installed 3.5.4 but, as I have reported regarding earlier Tor versions, both ip-check (with and without JS) and Panopticlick (with JS) can get my screen size - and they still get EXACTLY the same one.

If it is a bug, I would like to report it but I do not have the necessary permissions to do so.

Help !!!!! (Please)

What do you mean with "necessary permissions"? You can use the cypherpunks account if you like. See: https://trac.torproject.org/projects/tor the Welcome section. That said, bug 9268 is probably what you want. Could you test the latest .xpi attached there and report back whether it fixed your issue?

EDIT: And, no, neither maximizing nor resizing the browser window is currently working properly wrt hiding your screen size. So, if you do one of those things or both you probably won't see the expected multiple of 200x100...

April 15, 2014

In reply to gk

GK

Re 'necessary permissions' - In a previous post (re 3.5.3) you said: " feel free to open a ticket in our bugtracker at https://trac.torproject.org/projects/tor".

I went there, went to "Choose New Ticket to create a new bug report or feature request", chose 'New Ticket' and got the message: "Error: Forbidden
TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

I'll do what you say.

Thanks

April 16, 2014

In reply to gk

GK

I tried to do what you said. I probably did everything wrong but, as I suspect is the case with many people who use Tor, I didn’t/don’t really understand what is being said.

Anyway, what I did is:

I downloaded Bug Report 9268 and read it.
I downloaded the xpis: torbutton-1.6.7.0.xpi and torbutton-1.6.8.0pre1.xpi
I read the instruction: “You need to patch torbutton.js file inside of torbutton@torproject.org.xpi” under Comment 13, but do/did not know how to do it. As there are no instructions I had to guess, as follows:

I added the above xpis in turn – starting with 1.6.7.0 - to the ‘extensions’ folder found at:
C\user\My Name\desktop\Tor browser\data\Browser\Profile default\Extensions.

Via ip-check.info (Yes, I know that at least one contributor does not think much of this checking site, but –with JS enabled or disabled - it manages to detect the same screen size (not rounded) as Panopticlick does with JS enabled) I scrolled down to screen-size. It showed a rounded size. Success!!! I thought.

I closed the browser and turned off the computer. I then turned it on again, to check if I would get a rounded screen-size again. No, it was back to the original screen size. I turned the computer on and off again three times but each time I could not reproduce the rounded screen-size.

I then removed xpi 1.6.7.0 and put 1.6.8.0pre1 in its place and then checked the screen-size with ip-check. I got the rounded size. I turned the computer on/off three times and still got the rounded size. Was this success??? To make sure that the rounded size was being ‘detected’ and not just being brought back from some sort of cache, I cleaned the computer with Glary Utilities 4 and then with CCleaner 410 and then re-opened the browser and checked the screen-size with ip-check. I was back to the non-rounded screen-size. I also checked with Panopticlick and got the same non-rounded screen-size.

I don’t know what to do.

Maybe my problem started with my not understanding the instruction: “You need to patch torbutton.js file inside of torbutton@torproject.org.xpi” but I don’t know how to do that. If you (or someone) will enlighten me, I will do it and report back.

Should I now file a bug report?

Thanks for the assistance

April 10, 2014

I'm running Debian 64-bit wheezy with KDE.
When I run start-tor-browser, "Tor unexpectedly exited." appears. It has happened since this version; with older ones it doesn't happen! I tried in many user sessions and tried "killall tor", restarting, and nothing. I tried deleting and downloading again. I also checked the user owner.
Also, I can execute older Tor!

What can I do???

A) For relay identity keys yes, but not for circuit encryption keys or for link encryption.
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/220-ecc-…

B) blutmagie just tells you what's in the Tor networkstatus consensus, so yes.

The erratasec person sure does like blurring details and getting attention. His math was wrong, because he computed the chance of picking a single 0.2.3 relay, not picking solely 0.2.3 relays for your whole circuit.

I think it's unlikely that NSA breaking 1024-bit RSA is the low-hanging fruit here. Especially given all the code security issues in libraries and browsers we've been seeing lately.

All of that said, the Tor 0.2.4.21 release (published February 28 2014) should put these issues to rest:
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://trac.torproject.org/projects/tor/ticket/9777

April 11, 2014

In reply to arma

For example, torproject.org uses AES_128_CBC_SHA; EFF recommends using GCM instead of CBC, and SHA256 instead of SHA. Read the link...

April 11, 2014

Fantastically fast response to heartbleed! Thanks guys. Just one thing:

Have you updated the EC2 AMI (to include OpenSSL 1.0.1g) for bridges-in-the-cloud? Or do we have to 'sudo apt-get install openssl' for each bridge?

April 12, 2014

I have Linux Tor Browser 3.5.4 installed, but it's reporting "Browser out of date". The only version on the download page is 3.5.4.

April 12, 2014

The Tor Cloud bridges are self-updating, though the older ones based on Ubuntu Lucid will not get the latest OpenSSL update. That said, Tor Cloud operators should manually generate new keys, if possible.

Well my Tor cloud bridges have not updated themselves. (They are running Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-virtual i686).) sudo apt-get fails: "disk full" (even though it isn't). In fact even sudo apt-get update fails trying to update Tor: "Err http://deb.torproject.org experimental-precise/main i386 Packages 404 Not Found [IP: 38.229.72.14 80]"

Wonder if it's possible to replace one AMI with a new one, without incurring any charges ....

April 12, 2014

To clarify the previous comment; Tor Cloud bridges running Ubuntu Lucid will not be able to update to the latest OpenSSL, but they are not running the vulnerable version either. The version in Lucid is 0.9.8, heartbleed was introduced in 1.0.1.

April 13, 2014

NO WAY TO CHANGE DEFAULT PORTS IN VERSION 3.5.X

OTHER THAN 9150 / 9151? TRIED EDITING TORRC-DEFAULT FILE,

NO GO. ERROR: CANNOT CONNECT TO CONTROL PORT

NEED NEW INSTRUCTIONS ON PROCEDURE TO CHANGE PORTS

Yeah, I bet there's a way, but I don't know what it is either. I recommend either reading the Tor Launcher code, or participating in irc and becoming helpful and then hoping somebody will look it up for you. It's easy to do with Tor, but I bet the Tor Launcher folks didn't think to make it easy.

April 14, 2014

Screen size

I am rather concerned that I was invited by GK to lodge a bug report re the inability of the Tor browser to round my screen size to 100, but when I try to do so I am refused access as I don't have the necessary permissions.

Another contributor said that he/she has the same problem, so it does not appear to be a problem with just my machine - running Win 7.

So that I know if I and the other contributor are unique, could I trouble people to report, stating their operating system, whether Tor 3.5.4 does or does not round their screen size to 100.

In the meantime I would be grateful if GK could tell me how I can lodge a bug report.

Thanks

You can find a trac.torproject.org login on the front page (trac.torproject.org) if you don't want to make an account of your own.

(If you make an account of your own though, you can give it an email address, and it will mail you when the ticket updates. That might be nice if we need you to respond to questions / suggested patches / etc.)

April 15, 2014

Have executable "naked" Tor versions 0.4.21 (stable) and 0.2.5.3 (alpha) been compiled for MS-Windows & uploaded to the distribution platforms ?

Maybe just me, couldn't find them on the site :-(
Can you please make a conspicuous link to both ?

April 15, 2014

Torproject is now officially a sad joke. Goto about:config and type "www" or ".com" or ".org" and look at the staggering number of potential built-in leaks.

And you can't even see what nodes you're connected to anymore, that means you can't even tell if all 3 nodes you're using are all in the same country owned by the NSA.

It was fun while it lasted, but looks like it is time to start a new anonymous browsing project.

Sounds great. You'll probably want to use Tor in your anonymous browsing project, and you'll probably find the Tor Browser design document useful too.

...and once you're on that track, maybe you'll find it more fun to write patches for Tor Browser?

April 16, 2014

for whatever reason I didn't think about this until now, but should "httpseverywhere_ver. 3.5" be temporarily disabled or should the update to 1.0.1g take care of everything?

April 17, 2014

In reply to arma

I know. I was wondering if I should temporarily disable httpseverywhere due to the bug in openssl. I wasn't sure if SSL connections continued to remain vulnerable (other sites not renewing certificates, etc.) I didn't want to force SSL through httpseverywhere, but if the 1.0.1g update patched the bug, then I shouldn't worry about it anymore? Sorry, if I'm not being clear.

httpseverywhere makes you opt to use https on a few sites that support it but don't switch you to it by default. It doesn't make you stop using https on the other sites.

If you're in a position where some websites might not have upgraded and you're sending them sensitive info, the best plan might be to stop using the Internet for a while. Disabling httpseverywhere won't really change the threat much for you.

April 17, 2014

RSA 1024 bit has been hacked. TOR uses RSA 1024. Isn't this a security problem? Why not use AES 256 and plug the hole?

I suggest you learn more about the various keys Tor uses, including link encryption and circuit encryption, where we've moved to curve25519.

Also, AES 256 is not a replacement for RSA 1024 -- one is symmetric crypto, the other is asymmetric crypto.

So you are right to be concerned, but there's a lot to learn, and a pile of blog comments here is probably not the best place.

April 18, 2014

In normal firefox (V28.0), can websites read each others' cookies? If so, is there a way to prevent them from doing so?

April 20, 2014

Hello.
I'm using Ubuntu 14.04 LTS.
How can I run Tor in Ubuntu 14.04?

I used to run Tor in Ubuntu 12.04 very well.
(e.g. extract -> just run 'tor')

But Ubuntu 14.04 can't.

Anybody help me.

-Thank you.

April 25, 2014

In reply to arma

What do you think about tails?

Just try to use it as a LiveCD with Virtual Machine.

April 21, 2014

When I update Tor 3.5.4 and re-start the browser, it tells me that I need to update. Looks like the update isn't working. I tried 3 times with no success.

April 24, 2014

Sorry to comment here on this, but has anyone else noticed that TOR connections are infinitely faster since the HeartBleed bug was fixed in the latest TOR packages?

I'm getting my web pages nearly 10 times faster (yes, I checked to make sure that page caching was off in my TOR Bundle) now and I'm wondering what caused the exceedingly great change in the speed of TOR.

April 26, 2014

Thanks TOR proj ! A suggestion: It would be helpful to provide a search feature for your site. Also, detailed instruction or links for root access/jailbreaking for various models/operating systems. This would seem germane to the ideals and reasons for this great service.

April 28, 2014

arma
The Apr 15 post critical of the Project's course may have been snotty, but your reply avoided any mention of the issues raised. This is becoming a habit, unfortunately.

Sure. Answer #1 is "because those are in Firefox" and "you can still attach Vidalia if you want".

Answer #2 is that I don't know the details of why those are in Firefox, and maybe somebody should look at it. But why do you always expect it to be me? Just because I'm the last Tor person still willing to respond to blog post comments here doesn't mean I know everything. :) You (yes, you, the one reading this) should investigate and contribute.

And the related answer #3 is that tucking your question away in the blog comments is a great way to not get a good answer. Let me direct you to three options that are more likely to help you:
A) irc: https://www.torproject.org/about/contact#irc
B) stackexchange: https://tor.stackexchange.com/
C) helpdesk: https://www.torproject.org/about/contact#support

Hope that helps!

May 01, 2014

How to enable saving the current session's tabs and open web pages?
Or how to restore the previous browsing session if Tor Browser does not close properly?