Tor Browser 3.6.4 and 4.0-alpha-1 are released

by erinn | August 12, 2014

The fourth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features an update to OpenSSL to address the latest round of OpenSSL security issues. Tor Browser should only be vulnerable to one of these issues - the null pointer dereference. As this issue is only a DoS, we are not considering this a critical security update, but users are advised to upgrade anyway. This release also features an update to Tor to alert users of the RELAY_EARLY attack via a log message, and a fix for a hang that was happening to some users at startup/Tor network bootstrap.

Here is the complete changelog for 3.6.4:

  • Tor Browser 3.6.4 -- All Platforms
    • Update Tor to 0.2.4.23
    • Update Tor launcher to 0.2.5.6
    • Update OpenSSL to 1.0.1i
    • Backported Tor Patches:
      • Bug 11654: Properly apply the fix for malformed bug11156 log message
      • Bug 11200: Fix a hang during bootstrap introduced in the initial
        bug11200 patch.
    • Update NoScript to 2.6.8.36
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Update Torbutton to 1.6.11.1
      • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
      • Bug 12680: Fix Torbutton about url.

In addition, we are also releasing the first alpha of the 4.0 series, available for download on the extended downloads page.

This alpha paves the way to our upcoming autoupdater by reorganizing the directory structure of the browser. This means that in-place upgrades from Tor Browser 3.6 (by extracting/copying over the old directory) will not work.

This release also features Tor 0.2.5.6, and some new defaults for NoScript to make the script permissions for a given url bar domain automatically cascade to all third parties by default (though this may be changed in the NoScript configuration).

  • Tor Browser 4.0-alpha-1 -- All Platforms
    • Ticket 10935: Include the Meek Pluggable Transport (version 0.10)
      • Two modes of Meek are provided: Meek over Google and Meek over Amazon
    • Update Firefox to 24.7.0esr
    • Update Tor to 0.2.5.6-alpha
    • Update OpenSSL to 1.0.1i
    • Update NoScript to 2.6.8.36
      • Script permissions now apply based on URL bar
    • Update HTTPS Everywhere to 5.0development.0
    • Update Torbutton to 1.6.12.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
      • Bug 12680: Change Torbutton URL in about dialog.
      • Bug 11472: Adjust about:tor font and logo positioning to avoid overlap
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Update Tor Launcher to 0.2.6.2
      • Bug 11199: Improve behavior if tor exits
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Backported Tor Patches:
      • Bug 11200: Fix a hang during bootstrap introduced in the initial
        bug11200 patch.
  • Tor Browser 4.0-alpha-1 -- Linux Changes
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

August 13, 2014

Permalink

Download Vidalia i686 from https://people.torproject.org/~erinn/vidalia-standalone-bundles/, extract them to one folder, and executed start-vidalia in terminal in order to view the error, the error message say libssl and libcryto miss, after installing openssl-devel, no use at all, but after copying them to the vidalia Lib folder, it works. Well, I don't understand why this phenomenon happen? My OS is fedora 20 32bit Gnome livecd.

Anonymous (not verified) said:

August 14, 2014

Permalink

Wow, that's a fast start up! Running Tor Browser 4.0-alpha-1 -- All Platforms on Windows 8.1 Pro.

Anonymous (not verified) said:

August 14, 2014

Permalink

I hadn't run TBB in a while and then all versions started giving the 'Tor Launcher Error: Tor unexpectedly exit' error. 3.5, 3.6, and 4.0a left no log that I could find to indicate what the problem was but 2.1 did! It was hitting a max file descriptor limit on startup. Followed the advice over at http://goo.gl/58mfkD and now everything is working in all versions. I expect that error comes up after an OS upgrade along the way.

Anonymous (not verified) said:

August 14, 2014

Permalink

Adding the line TOR_SKIP_LAUNCH=1 to the top of start-tor-browser script is not working. It is still launching Tor.

Anonymous (not verified) said:

August 15, 2014

Permalink

If I live in a internet censored country and use Tor Browser 4.0-alpha-1 -- All Platforms and try all the Pluggable Transports listed on the setup and they all work, is there any reason I should choose a particular PT over all the others if they all work?

Anonymous (not verified) said:

August 15, 2014

Permalink

Eh Errin!
Kindly express your opinion on the following:
"Non-specialists who view the internet as a high-tech affair comparable to the bridge of the USS Enterprise of Star Trek fame, may be surprised.
In actuality, the internet is more akin to an 18th century Royal Navy frigate, with a lot of running about, climbing, shouting, and tugging on ropes required to maintain the desired course and speed."
Paraphrased from:
http://www.bbc.com/news/technology-28786954

What's your view? Is this the actual reality?

Anonymous (not verified) said:

August 15, 2014

Permalink

Anybody?
I was d/l TBB 3.6.4 for Win. and reading [ slow d/l link] the site when I noticed that nowhere is a link to any TBB basic security set-up/configuration instructions for beginners.

For Widows we are told: "Everything you need to safely browse the Internet." That's it?

For Mac and Linux we are told: "Everything you need to safely browse the Internet. This package requires no installation. Just extract it and run." Again, that's it?

Over the years I was taught - or rather, I learn't through gathering info piecemeal, that both Java and Javascript must be disabled at all times. There are also a few "musts" in the Options that need attention too.

The point is that I'm concerned the "newbie" users aren't made aware that there are also important manual settings - as far as Windows is concerned anyway, I'm not familiar with Mac or the GNU series - which need urgent attention before usage.

There is no info available anywhere drawing attention to this matter. Telling users that "Everything you need to safely browse the Internet. This package requires no installation. Just extract it and run." just don't cut it.

Newbie ignorance and caution is doing more to keep your product away from widespread usage than any other factor. In my humble opinion, I hasten to add...

Not for me personally, because I think I'm on top of these matters, but for those who need far more info than that encapsulated under your heading: "Want Tor to really work?"

Generally, the Tor info relating to Tor is still using Vidalia graphics and recommendations. This must be so terribly confusing to those even more unfortunate than myself.

I don't want to drag any of you from your more important Tor related labours but surely we have many communications experts who could, as users and laymen, update and improve [dumb it down] your documentation, graphics etc?

BTW: I'm one of millions of ignoramuses who don't know their bits from their bytes - my only homemade IT joke ever - so I'm asking that you factor in our sad-assed incompetence please.

Thank you all for your attention...

TBB is pretty much the same on all platforms, so all advice is the same even off Windows.

TBB really does contain *all* you really need for pseudonymous browsing across the web, with no configuration changes. Barring bugs (which do happen, but they happen in all software,) the primary security holes are caused by user error. The problem is that to the informed, most of those user errors look like a lack of common sense; for instance, logging into your private email account via a web interface will reveal your identity because you are logging into YOUR private email account (assuming that email account has personally identifiable information.) That type of error is really hard to warn against in language that makes sense to most uninformed users; once you explain that they can't log into their private email, they'll log into some other service with a personal account, check their personal webpage, or do something else that can easily identify them.

You shouldn't have to change any settings with the modern TBB; javascript does provide a small security concern, but NoScript and Torbutton (it's still called that even though it no longer provides its original functionality) deal with most of the javascript concerns and you many, if not most modern websites will not function without javascript. Editing any settings may make your User Agent more unique, so it isn't a good idea.

Thanks for that, Anon - but I used IE8 fro many years with Java and Javascript disabled. Ditto with Mozilla now that IE8 is no longer feasible.
I find can still interact with most sites without difficulty - one or two need Javascript in order to post, but then, they are "trusted" sites.
This site, f'instance don' require either.
This 20yo habit of mine was mainly adopted to avoid what the general web user refers to as "advertising" - and it's still werry successful.
I've never bothered with AdBlock - ever!
I'm not even sure if it is enabled on my current browser - and I don't care. "Social networking" and "enhanced browsing experiences" too aren't a priority with me.
But I definitely don't use the same "Privacy Settings" on Tor which I use on Mozilla. To me, that would be reckless.
Probably you're right that my original post isn't really, after all, so important in the big scheme of things...

"one or two need Javascript in order to post, but then, they are "trusted" sites."

I'm afraid it is not that simple, especially when using Tor.

You may trust a given site not to deliver malicious scripts to you but what about your exit nodes? Any one of them, at any given point, can inject malicious script-into and otherwise alter the content of any site you visit.

HTTPS offers some (and, if you actually verify the certificates, considerable) protection against such attacks, yes. But the problem nonetheless remains that,
a) the number of sites that fully (and properly) implement HTTPS are still in a distinct minority,
and,
b) more often than not, the scripts that are necessary for essential functionality such as posting and all too often even merely /viewing/ comments, come from one or more /third-parties/. And such third-parties are both, a) less likely to be trusted, as well as, b) less likely to use HTTPS.

Then, of course, there is the old problem of the fingerprinting risks that are introduced when one selectively enables JavaScript.

This problem, the risks of untrusted exit nodes combined with the still relative rarity of sites that fully and properly implement HTTPS, is one of two overwhelming factors that keeps me (and, I'm sure, many others as well) from using Tor as much as I would like to. The other is the unpleasant reality, when using Tor, of finding oneself restricted from many sites, simply because one is using Tor.

Anonymous (not verified) said:

August 19, 2014

Permalink

Tor Browser 4.0-alpha-1-MacOS

- Startup looks faster!
- No more 'mysterious' icon switching in the dock
- Image search with Startpage search engine is not loading images.
Loading the original filepaths of the not shown images are leading to browser certificate warnings for domains ts1.mm.bing.com, ts2.mm.bing.com, ts3.mm.bing.com, ts4.mm.bing.com.
Like, "ts1.mm.bing.com uses an invalid security certificate."
Startpage search engine in OS X Torbrowserbundle version 3.6.4 is working fine.

Anonymous (not verified) said:

August 30, 2014

Permalink

What does this warning mean?

"Rejecting SOCKS request for anonymous connection to private address [scrubbed]"?

Anonymous (not verified) said:

August 31, 2014

Permalink

I tried to download torbrowser-install-3.6.4_en-US.exe with firefox 31. I used both web interface and ftp. Firefox crashes immediately after the download initiates. Can't even select the location where to save the file to. This behaviour is true for a standard firefox as well as the tor firefox. Have you been hacked? I CAN download the signature file, but not the executable. It looks like illegitimate data comes in designed to make firefox crash, in order to? Infect the system? Again, have you been hacked? Pls check. Best regards

Anonymous (not verified) said:

August 31, 2014

Permalink

Sorry what I meant was I tried to download from Project Page:

https://www.torproject.org/download/download-easy.html

and directly from Distribution Directory:

https://www.torproject.org/dist/torbrowser/3.6.4/

(the latter appeared to me as a web-interface to a FTP server)

I tried with a different system. Yes, with this system I can download. Maybe EMET (which is on the system where it didn't work but not on the system where it did) creates the problem. But nevertheless it's strange. With the EMET protected system I can download anything from anywhere but not the tor executable.

I did a signature check with the executable downloaded from the non-EMET and the executable from the EMET-system. Reported "correct signature" so everything looks ok.

Thanks for your help, best regards

Anonymous (not verified) said:

September 07, 2014

Permalink

when will we get a working cookie management?!

(i.e. to delete specific cookies, without restart)