Tor Browser 3.6.2 is released

by mikeperry | June 9, 2014

The second pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features a fix to allow the configuration of a local HTTP or SOCKS proxy with all included Pluggable Transports.

In addition, this release also features important security updates to Firefox, as well as an update to OpenSSL 1.0.1h to address the latest round of OpenSSL security issues.

This release also updates the Tor client software to version 0.2.4.22, which blacklists directory authority keys that were created prior to fixing the Heartbleed attack.

  • All Platforms
    • Update Firefox to 24.6.0esr
    • Update OpenSSL to 1.0.1h
    • Update NoScript to 2.6.8.28
    • Update Tor to 0.2.4.22
    • Update Tor Launcher to 0.2.5.5
      • Bug 10425: Provide geoip6 file location to Tor process
      • Bug 11754: Remove untranslated locales that were dropped from Transifex
      • Bug 11772: Set Proxy Type menu correctly after restart
      • Bug 11699: Change &#160 to   in UI elements
    • Update Torbutton to 1.6.10.0
      • Bug 11510: about:tor should not report success if tor proxy is unreachable
      • Bug 11783: Avoid b.webProgress error when double-clicking on New Identity
      • Bug 11722: Add hidden pref to force remote Tor check
      • Bug 11763: Fix pref dialog double-click race that caused settings to be reset
    • Bug 11629: Support proxies with Pluggable Transports
      • Updates FTEProxy to 0.2.15
      • Updates obfsproxy to 0.2.9
    • Backported Tor Patches:
      • Bug 11654: Fix malformed log message in bug11156 patch.
    • Bug 10425: Add in Tor's geoip6 files to the bundle distribution
    • Bugs 11834 and 11835: Include Pluggable Transport documentation
    • Bug 9701: Prevent ClipBoardCache from writing to disk.
    • Bug 12146: Make the CONNECT Host header the same as the Request-URI.
    • Bug 12212: Disable deprecated webaudio API
    • Bug 11253: Turn on TLS 1.1 and 1.2.
    • Bug 11817: Don't send startup time information to Mozilla.

The list of frequently encountered known issues is also available in our bug tracker.

Comments

Please note that the comment area below has been archived.

June 10, 2014

Permalink

Which version of Firefox will start with DRM-use made possible? And yes, i know you will delete all DRM-related parts in the Firefox source code. Many thanks for that. I have read the discussion with Mozilla about the matter. I would like to know if i have to worry about it or not. How are things?

June 12, 2014

Permalink

I tried to install the 3.6.2 upgrade multiple times but keep getting the same error message when I go to launch the browser: "Couldn't load XPCOM"

Is there anything that can be done?

You should to remove Webroot SecureAnywhere software. It positioned as product for normal users but only geeks can configure it if some new browser release "suddenly" happens.

June 12, 2014

Permalink

Starting with TBB 3.6.2, every time I launch Tor Browser, ZoneAlarm popups an alert:

  1. <strong>SERVER PROGRAM<br />
  2. Application Layer Gateway Service wants to accept connections from the internet.<br />
  3. Application: alg.exe<br />
  4. Source IP: x.x.x.x:Port 3542<br />
  5. (Allow / Deny)

I select Deny and TBB works fine.
Why this ZA alert only with version 3.6.2?
Is TBB trying to connect to a ftp server on start-up?

It looks like your Zone Alarm (one Windows security tool) is complaining about your Application Layer Gateway Service (a second Windows security tool)?

"alg.exe" is not TBB.

June 16, 2014

In reply to arma

Permalink

Yes, I know alg.exe is not TBB (it's MS Windows service).
ZoneAlarm firewall always shows this alert when a browser (or ftp client) access to a ftp server.
Thats why I was asking if TBB 3.6.2 tries to acces to a "ftp://" site on start-up (perhaps to check for updates).
ZA didn't show this alert with previous versions of TBB.

Tor relays listen on a variety of ports. This is a feature, since some users are behind firewalls that only allow certain ports out.

Here's a relay that listens on port 21:
https://atlas.torproject.org/#details/1C90D3AEADFF3BCD079810632C8B85637…

So if your Tor client connects there, any spy software you have on your computer that assumes port 21 traffic is ftp will complain.

June 13, 2014

Permalink

So good this latest upgrade ain't also susceptible to refusing to open on my XP 'less the manual feature be used. Well done!
And yes, afore anyone axes, I did download twice but it doodn't make one blind bit of difference. Y'all caught the "error" without needing to be whinged at. Yer still at the top of y'alls game - thanx fer that...

June 13, 2014

Permalink

The only issue I've run into is that Tor crashes every time I try to load LinkedIn.com. Four times in a row — other sites are fine. It happens in the moments just after it fully loads. The CPU runs up over 100% and stays there, and the browser becomes unresponsive.

Try disabling httpseverywhere and see if that changes anything? If so, please file a ticket.

(I just loaded linkedin in my TBB and it loaded fine.)

I have the same issue with TBB 3.6.2 (and some 3.x previous versions too).
I tested TBB 2.3.25-15 (last based on Firefox 17 ESR), and it doesn't have this problem.
Also tested TBB 3.6.2 disabling "HTTPS Everywhere", and disabling javascript, but TBB Freezes and becomes unresponsive with 100% CPU usage after staying some seconds at linkedin.com
I've found someone else has already reported this issue 5 months ago:
#10631 closed defect (duplicate)
LinkedIn page freezes Tor Browser
https://trac.torproject.org/projects/tor/ticket/10631

Also checked "Firefox 24.6.0 ESR + Tor", and it does not freeze with linkedin

June 13, 2014

Permalink

How does TBB 3.6.2 get its "Provided set of bridges"? Are they different for each user? I chose the same option in TBB 3.6, and both versions' torrc shows same set of bridges. Are these "provided bridges" publicly known?

Also, FTE transport only works with "Provided set" and bridgeDB won't give out FTE bridges.

Those bridges are included in Tor Browser. They're the same for every user, so that the package signatures can still be checked. Presumably they're blocked after a while in a few places in the world, e.g. China, but continue to work fine in the rest of the world.

As for bridgedb giving out fte bridges...maybe you should run some fte bridges so we have some to give out? :)

June 14, 2014

In reply to arma

Permalink

Thanks for reply. Only fte bridges work here :(
Is it possible to run scramblingsuit bridge work in tor browser? Tor browser didn't accept them. I just pasted the lines the usual way. Maybe this type bridge nodes are offline.

Yes, I'd wish to run fte bridges, but I'm on a speed 120kbps internet connection, sad

June 14, 2014

Permalink

Since installing the latest version I cannot get images to load on either flickr or tumblr even with Jscript enabled. Anyone else got this? Using Win XP.

Could you give me some steps to reproduce your issue? I am not using these services, thus I am not sure how they are supposed to look like... Do I need to be logged in to hit your problem?

June 14, 2014

Permalink

TB 3.6.2 little bug: If you have a new window opened, the TorButton will disable "New Identity" in old TorBrowser window, even you close the new window. The idea is to create a new window again and close the old window if you want to re-enable "New Identity".

Interesting. Do you have steps to reproduce? Which operating system are you using? I just opened a new private window (Ctrl + N) but the New Identity option got not disabled in the old one.

arma

June 20, 2014

In reply to gk

Permalink

In my case (Linux 64-bit) there is no old one after I click new identity. It closes all the windows and opens a fresh one.

June 15, 2014

Permalink

I just downloaded Tor version 3.6.2 . after having removed the previous version.
I found Control Vidalia Panel missing on those.
Is this due to change in design or some kind of mistake?
I have downloaded several time with the same result.

Please advise.

June 15, 2014

Permalink

On OS X I get "The app can't be opened because it is from an unknown developer". I know what the warning means (that the binary isn't signed to apple's liking), but I don't remember getting the warning on previous versions, so I hesitate to run TorBrowser. Is it supposed to be signed?

June 17, 2014

Permalink

I understand Tor Bundle should be downloaded only from Tor Website .
I wonder if it is better to do this within and inside Tor browser , or can this be done outside of Tor browser using other browsers ?
[Even though very first download has to be through the use of other browser—no other choice. ]

Would like to know your opinion.

June 30, 2014

Permalink

Hello,

unfortunately, comments are now closed for your "Hardening android" blog post.
Could you create a followup blog post so we can continue the discussion and feedback?

June 30, 2014

Permalink

\Tor\PluggableTransports\flashproxy-client.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-appspot.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-email.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-http.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-url.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\fteproxy.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\obfsproxy.exe: Win.Trojan.Agent-748059 FOUND

Using clamwin antivirus. What's wrong?

June 30, 2014

Permalink

There is no option to add a hidden service in the Tor 3.6-2...Can someone tell me how to go about it?

July 02, 2014

Permalink

hello dear TOR guys :)

I had a question to ask. I didn't know where to ask it. if it's not the correct place, please forgive me & guide me to the right place. thank you.

Question:
I do connect to internet and run TOR. it connects to web and its browser opens.
During browsing, my internet (from ISP side) goes off & gets dc. windows does redialing and makes me connected again. after this, I checked and noticed that TOR browser still works and does service. but the question I wanted to ask from you TOR guys is this: Is my connection still as safe as before disconnecting? have you performed any survey or analysis for checking this situation?

thanks in advance
A big fan from Iran :)

July 05, 2014

In reply to arma

Permalink

are you sure about this? you know in some countries, security is more important than anything!
sorry to ask this buddy; are you from TOR team?
thanks again for being so helpful and responsive.

July 09, 2014

In reply to arma

Permalink

...thanks for your answer. Now, the discussion is out: I'm an extremist. Please remember this :D
Otherwise, thanks for your mission.
Will use TOR whenever I want, means: only.

July 09, 2014

Permalink

i cant seem to connect to the tor network, wont go past the loading authority certificate part...

July 12, 2014

Permalink

hi,
I have a problem with my TOR. I don't know it's a bug in TOR or a problem in my windows!
problem:
sometimes when I run TOR, the little box appears in the top left of the screen (as usual) and its connection bar also gets full, but the TOR browser doesn't appear on the screen!
when I open my task-manager, I see TOR program and its browser are open (fig 1) but as you can see in fig. 2, they haven't come onto the screen and the application tab (who represent open soft-wares on the screen) is empty!
is this a bug in TOR or just a problem in my windows? does anyone else have the same experience?
p.s. in these cases (10% happens), I always close TOR browser from the task manager and re-run TOR and the problem is gone! telling this to say, this doesn't hurt me at all like a real and serious problem, but I though it would be better to make a feedback to make you better and stronger.
thank you for all your efforts.
a fan :)
attach: http://postimg.org/image/x70fmb6b1/

July 13, 2014

Permalink

Does anyone know a simple way to signup/login to Tumblr while using Tor (without enabling plug-ins)? Thank you.

July 14, 2014

Permalink

Hey it would be great if there was simply an update button - icon, to click on to install updates without having to select the Firefox option, too many pop ups. Tired of these enter-ties bombarding us with adds we don't need or wish to receive, especially when we are paying for the service in the first place.

I am a big fan or Tor Browser and a big fan of internet privacy, it's getting harder and harder to acquire this concept so thank you for this facility, as it is truly appreciated.