Tor Browser 3.6.5 and 4.0-alpha-2 are released

Tor Browser 3.6.5

The fifth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release also features improvements to the canvas image extraction permissions prompt, and will now log the URLs of offending scripts to the browser console. It also restores the missing RELRO hardening option to the Linux bundles, and disables NTLM and Negotiate HTTP auth (which can leak sensitive information about the computer). To avoid resolution fingerprinting, popups are also opened in new tabs by default.

Here is the complete changelog for 3.6.5:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update HTTPS Everywhere to 4.0.0
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
      • Bug 9531: Workaround to avoid rare hangs during New Identity
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.
    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 9881: Open popups in new tabs by default
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.

Tor Browser 4.0-alpha-2

In addition, we are also releasing the second alpha in the 4.0 series, available for download on the extended downloads page.

This release also includes important security updates to Firefox.

In addition to including the changes in 3.6.5, this is the first Tor Browser release to enable the in-browser Firefox-based updater. This means that if all goes well, 4.0-alpha-2 users will be notified of an available update via a notification similar to that in Firefox. You will then be able to download and install it directly via the browser UI. By default, neither the download nor the update will happen automatically, so if you are not feeling adventurous, you need not allow it to update in this way. Even if you are feeling adventurous, you should probably back up your Tor Browser directory before updating.

In addition to the updater, this release should also re-enable the basic hardening features on Windows, including ASLR, DEP, and SSP.
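
The DEP and ASLR opt-ins mentioned above are recorded in each Windows binary's PE headers, so they can be checked on the shipped files. This is an added example, not Tor Project code: `pe_hardening` and `sample_pe` are hypothetical names and the sample headers are constructed. It goes slightly beyond the text by also reporting an ASLR flag that is ineffective because relocations were stripped. SSP leaves no header flag and is not covered.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics bit
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100     # DllCharacteristics bits


def pe_hardening(pe: bytes) -> dict:
    """Report the DEP and ASLR opt-in state recorded in a PE image's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (coff_flags,) = struct.unpack_from("<H", pe, nt + 22)  # Characteristics
    opt = nt + 24                                          # optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    opted_in = bool(dll_chars & DYNAMIC_BASE)
    has_relocs = not coff_flags & IMAGE_FILE_RELOCS_STRIPPED
    return {
        "dep": bool(dll_chars & NX_COMPAT),
        # An image without relocations cannot be rebased, flag or not.
        "aslr": opted_in and has_relocs,
        "aslr_flag_but_relocs_stripped": opted_in and not has_relocs,
    }


def sample_pe(dll_chars: int, coff_flags: int) -> bytes:
    """Constructed input: just the headers the check reads, no sections."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, coff_flags)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe(0x0140, 0x0102)
    print(pe_hardening(data))
```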

Furthermore, the NoScript behavior in this release has changed. Selecting "Temporarily allow scripts" will now automatically allow all scripts in a page. This was done for usability reasons, to make it easier for novice users to run Tor Browser with scripting disabled most of the time. This will also hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default.

Here is the complete changelog for 4.0-alpha-2:

  • All Platforms
    • Update Firefox to 24.8.0esr
    • Update NoScript to 2.6.8.39
    • Update Tor Launcher to 0.2.7.0
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
    • Update Torbutton to 1.6.12.1
      • Bug 12684: New strings for canvas image extraction message
      • Bug 8940: Move RecommendedTBBVersions file to www.torproject.org
    • Bug 12684: Improve Canvas image extraction permissions prompt
    • Bug 7265: Only prompt for first party canvas access. Log all scripts
      that attempt to extract canvas images to Browser console.
    • Bug 12974: Disable NTLM and Negotiate HTTP Auth
    • Bug 2874: Remove Components.* from content access (regression)
    • Bug 4234: Automatic Update support (off by default)
    • Bug 9881: Open popups in new tabs by default
    • Meek Pluggable Transport:
      • Bug 12766: Use TLSv1.0 in meek-http-helper to blend in with Firefox 24
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 12103: Adding RELRO hardening back to browser binaries.

The list of frequently encountered known issues is also available in our bug tracker.

what's even more annoying is when you--as a real human just trying to read the news, for example--get served repeated captchas for the same page! after a few tries, i often give up.

cloudflare is messing with people's right to read, and that is vastly uncool.

Some "tricks" to help you deal with too frequent recaptcha requests:

1) Ignore the easy word - you don't need to type it in at all.*

2) On the difficult word, don't worry about the case - it doesn't matter.

3) Typically one character mistake per word is acceptable, so if you can't read everything perfectly, give it your best shot.

4) Use your browser's "Zoom in" button (+) to make the captcha easier to read - it really does help!

* I know that typing in the "easy" word is supposed to help increase the scanning accuracy of actual docs, but forcing me to deal with recaptchas every 5 minutes makes me less sympathetic to that project. Get CloudFlare to scale back their aggressiveness, and I'll go back to entering in both words!

Anonymous

September 07, 2014

Several websites block users of TBB 4.0a2 and TBB 3.6.5 as robots while they work fine with TBB 3.6.4. Addon versions and settings appear to be identical, what else could cause this behavior?

I noticed this as well. It is more common with websites that use CloudFlare (CloudFlare absolutely HATES TOR for some reason and insists 99% of the time that you 'verify that you are a human').

Anonymous

September 07, 2014

A lot of cloudy mystery about cranky CloudFlare?
I have seen this silly sh*t with Torbrowser ONLY.

Anonymous

September 08, 2014

It would be great if Yawning Angel would add obfs4 to Tor Browser 4.0-alpha-2! The updated Firefox ESR on TB 4.0a2 makes me security leery of using TB 4.0a1.

Thanks for your interest in obfs4.

I did rebase my integration branch when switching the build process to use the obfs4proxy-0.0.1 tag (instead of a WIP commit), but the bundle build process hung due to unrelated issues with OSX builds, and since my rebase and tag switch was what I was interested in testing, I haven't retried making another set of snapshots.

I wasn't planning on making new snapshots since I got testing on the aspects I wanted to (build integration, obfs4 UI integration, and basic functionality), and the things holding up deployment are all on the bridge side (specifically, there needs to be more obfs4 bridges).

If there are unexpected substantial delays in deployment later, or I make major code changes, I may make snapshots again.

Hope that clarifies things.

Anonymous

September 08, 2014

NOTE AND WARNING:

Could the TOR developer eradicate Google from Mozilla Firefox?!!!

As soon as you open TOR and Firefox is running, it's connected to the monster of Mountain View and they get your IP -- Google service: Google Safe Browsing.

I do know that in order to get CloudFlare to display the captchas (so you can visit the site you want to get to) you need to enable google.com with NoScript (as well as enabling cloudflare.com).

So while Google may be blocked initially, getting TBB to work with CloudFlare forces you to unblock Google. Now I don't know if that compromises your anonymity with TBB - any ideas?

Anonymous

September 10, 2014

I have been seeing this WARNING in the message log a lot recently:

"Rejecting SOCKS request for anonymous connection to private address [scrubbed]"

What does it mean?

Anonymous

September 11, 2014

"All you need to do is disable noscript, httpseverywhere & adblock"

A....... really..... good idea.

Anonymous

September 11, 2014

>Here is the complete changelog for 3.6.5:
>
> All Platforms
> Update Firefox to 24.8.0esr
I have downloaded the 3.6.5 Tor Browser bundle for linux64 but Help->About Tor Browser says I have version 24.7.0

What does it mean?

Anonymous

September 11, 2014

The problem with CloudFlare and other services blocking Tor users is really annoying. Enabling cookies and disabling noscript is no solution, this way I can stop using Tor as well.

Whilst there are now several powerful tools to overcome censorship at ISP level via bridges, I miss options to circumvent the blocking of Tor users on the destination server side.

The question is - what makes us look like robots and what can be done against it?

Not much in the real world. Some people have been using TOR-enabled robot browsers to download stuff that CloudFlare helps host/protect, so it is actually reasonable for CloudFlare to say "Okay, anyone coming from a TOR IP address has to put in a captcha!"

just as "Some people have been using" (internet or proxy) "-enabled robot browsers...".
And btw do you think Google manually collects their dbs???

There is a publicly available helper file with all Tor exit IPs in I(brainless)Net. !!You don't even need to use Tor to get near real-time status!!
This info can be downloaded and used by a website to treat incoming connections differently.
So IF connection comes from TorExitIp THEN treat it as robot.
It's published for "to make life simpler for ..." not as a hidden service. I believe, nobody here will help you to hide your Tor usage from the destination server.
So help yourself and use Tor to connect to an (anonymous) proxy.

Anonymous

September 11, 2014

Strange interaction with Youtube. No matter which exit node you're on, always goes to the Youtube of Country X (not the exit node you're on), after changing identities several times, repeats several times, then goes to the Youtube of Country Y (not the exit node you're on), repeats . . . persistent after reinstall etc.

Anonymous

September 12, 2014

Hi,
I recently downloaded tor 3.6.5 for windows and Linux and used them successfully. However today, neither will connect to the tor network. However, Orbot on my phone works fine, as well as an older version of tor that I had sitting on a rarely used computer (I don't know the version).
Any ideas?

Anonymous

September 13, 2014

Now tor browser bundle 3.6.5 is running very well in Iran, i love you--tor project members so much, if i am a girl, i will marry one of members!

Anonymous

September 14, 2014

A really hard WTF?

Tried downloading addons ( .xpi ) on https://addons.mozilla.org with Torbrowser ( Iceweasel ).

CRAZY: the Download window has NO entry.
What's going on? What's the error? Could anybody explain??
This is strange.

Anonymous

September 15, 2014

"CRAZY: the Download window has NO entry."

Solved.
Most likely custom noscript.default.

Anonymous

September 20, 2014

Widely observed by many, but to add one more voice, Cloudflare is now an impediment to many, many sites. Major hit to practical functionality of Tor.

Anonymous

September 22, 2014

Please someone find a way to bypass the most annoying shit called CloudFlare. The creators of unreadable captchas should kill themselves