Tor Browser 3.6.6 is released

by mikeperry | September 25, 2014

The sixth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog for 3.6.6:

  • All Platforms
    • Update Tor to tor-0.2.4.24
    • Update Firefox to 24.8.1esr
    • Update NoScript to 2.6.8.42
    • Update HTTPS Everywhere to 4.0.1
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
  • Linux
    • Bug 9150: Make RPATH unavailable on Tor binary.

The list of frequently encountered known issues is also available in our bug tracker.

Comments

Please note that the comment area below has been archived.

September 25, 2014

Expert bundle is not uploaded yet. What are the differences between the expert bundle tor binary and browser tor binary? The latter is smaller in size. Can/should I replace the current one from the browser bundle?

September 25, 2014

I'm asking this question here because I can't find anywhere else to ask, and I'm just tearing my hair out. I'm new to the deep web, I have the Tor browser bundle, and I disabled all the settings just like http://tutorneunixbasq6.onion/guide/tbb.html recommended. Whenever I try to set up an e-mail account, anywhere, the Captcha will not validate me. I know how to type; I've tried dozens of times; I've tried every e-mail service (I'd like to use MailTor). I've tried "Temporarily allow this page" in case that was the problem. I have no idea what's wrong, and without e-mail, I can't join any forum to ask for help with e-mail! Can someone please help me? Thanks.

Properly implementing end-to-end encryption on the parts of BOTH parties emailing each other should be the first concern-- regardless of provider.

Quality of SSL/TLS implementation is a legitimate concern but nonetheless a secondary one here.

You should be careful when changing settings from the default torbrowser settings. While the NoScript issue is frequently debated and there are valid points on both sides, the changes in about:config suggested on that page are probably a bad idea given it makes browser fingerprinting easier.

I doubt it, considering that they cannot see your settings. Adding add-ons, now THAT is an issue because of the bass-ackwards way that Firefox and its derivatives allow sites to poll Firefox for what plugins and add-ons you are running.

Just what do you mean by "safe"?

End-to-end encryption (such as via PGP/GPG or S/MIME) is the only way to attain any reasonable level of privacy in email. (Beware about subject lines, headers, etc., though)

hi i am trying to also get help im new to this and would like to know what i could/should delete/avoid on my device it is currently slow long scripts etc. i would only use this software and methods if i could get some guidance pls, donations waiting please help :(

September 25, 2014

Thanks for the fast action.
Why not update tor to Tor-0.2.5.x?

Well, although it is almost stable there is no 0.2.5.x release declared stable yet. Thus, we shipped the current 0.2.4.24. The alpha bundles already contain the 0.2.5.x series and the next stable Tor Browser will contain it as well. Stay tuned.

September 26, 2014

In reply to gk

obviously not a complaint for the TBB team, but this flaw has existed upstream in Firefox now for a weirdly, suspiciously long time...

along with their "we're committed to your privacy" page ironically loading google analytics, mozilla's privacy-hostile actions are much more revealing than their marketing.

the sheer length of time this continues to go unpatched compared to, say, their prioritization of visual UI improvements is astonishing.

Reminds me of how sites like Ars Technica have all this content favorable toward-- if not actually championing-- Snowden, Assange, Tor, Tails, and even HTTPS (yes, explicitly), yet... still serve pages on unencrypted HTTP!

Such irony and even hypocrisy.

The whole Ars Technica site is available for paid subscribers? Or only certain pages, such as for login and account management?

Also, can a paid subscriber be anonymous?

I can only agree with above anons.

Just in case anyone doesn't know what we're talking about, here's the links:

https://bugzilla.mozilla.org/show_bug.cgi?id=864150
unsolved since 2013-04-21 (more than a year!)

https://bugzilla.mozilla.org/show_bug.cgi?id=823941
unsolved since 2012-12-21 (more than one and a half years!!)

https://bugzilla.mozilla.org/show_bug.cgi?id=777620
unsolved since 2012-07-25 (more than two years!!! what the fuck!?!?)

Trying to stay polite, I'd say that the Mozilla team seriously has the wrong priorities here... (I mean..!?!? what the..!?!?!?!?!?!? arghhhhhhhh!?!?!?!?!?!?!?!?!?!?!?!?!?!?)

remember when "mozilla is under attack for protecting your privacy" all over the news? and it then turned out to be a paid publicity by mozilla before they added numerous anti-privacy features into firefox like third party cookies enabled by default, just to name an example. Mozilla is by far the worst between major internet players, because they claim to be having your privacy's back all while they do the opposite, at least google doesn't hide the fact they're spying on everyone and invading our privacy, all the while people actually trust mozilla because they told them so... sickening..

September 27, 2014

In reply to gk

Please, that's NOT a solution to the question asked!

New Identity is about as useful as tits on a bull for most users! Well, those that care about using a FAST Tor route that is.

I find it very annoying that you all REFUSE to add back that feature from Vidalia: NEW NYM!

It's like you want to make TBB so effing slow that people won't use it.

The question asked was ways to delete cookies, and a new identity is the easiest way to do so. The Cookie UI interface is broken in the firefox upstream. If torbrowser does make a patch it will probably be broken whenever Mozilla fixes the issue. Besides, single cookie deletion is NOT a good practice for anonymous browsing. Clearing everything makes it much harder to connect identities.

Concerning the routing feature, changing so that you went through faster relays was never the point of that feature in Vidalia, it was so that you could either seem like a different user or avoid broken relays. Torbrowser's New Identity feature works just as well and some of tor's improvements themselves have helped against broken relays.

Concerning Torbrowser being slow: you've got to accept that a slowdown is required for anonymity. With that said, tor is much faster these days than it was ten years ago. I remember trying it in its early days; it was painful. If you want tor to be faster, think about running a relay and donating some fast bandwidth.

"Single cookie deletion is NOT a good practice for anonymous browsing"

Utter nonsense.

"Torbrowser's New Identity feature works just as well (as vidalia's)"

More utter nonsense. With Vidalia you can generate a new ID without closing your browser and losing all your session credentials. With the new incarnation of TBB you lose everything each time you generate a new ID. Luckily Vidalia still works with TBB.

And whose idea was it to rename TBB from "tbb-firefox.exe" to just "firefox.exe"? Yet another ignorant maneuver.

Anyway, until the cookie problem is fixed the new TBB is simply unusable.

"New Identity is about as useful as tits on a bull for most users!

Alas that metaphor has lost considerable meaning, in this age of gender ambiguity, "transgender" quackery and the like.

September 26, 2014

TorBrowser 3.6.6 for OS X will not display technical details of TLS connections. To reproduce, click on the padlock in the URL field of an HTTPS site. Choose "More information" and click on the "Security" tab. The "Technical Details" field, which would normally display the cipher suite in use, is blank.

September 26, 2014

In reply to gk

Yes, the technical details of secure connections were displayed as expected in Firefox in TorBrowser 3.6.5 and earlier.

I've noticed a similar, though clearly far less problematic, change with the GNU/Linux version of this release of TBB (3.6.6):

After clicking on the padlock icon, clicking on "More Information" now takes one to the "General" tab. Previously, it was the "Security" tab.

This also happens with Tor Browser 3.6.6 under W7. The Technical Details field is either blank or doesn't display the cipher suite.
Maybe this is related to Bug 12998: Prevent intermediate certs from being written to disk. Does Firefox not find the certs, because they are not written to disk?

What are 'intermediate certs' exactly? Certs of Tor or certs of websites?

September 26, 2014

When disabling "Always use private browsing mode", I cannot permanently store an exception for an HTTPS certificate... This worked flawlessly and would be very useful to work again, since you can store trusted certificates and avoid suspicious "Man in the middle attack" certificates - which I encountered a couple of times.

September 28, 2014

In reply to gk

Sure, in 3.6.4 it worked fine.

Now:

1. set privacy to custom settings - disable "Always use private browsing mode"
2. browser requires you to restart
3. go to a site that has a custom certificate
4. if "Permanently store this exception" is checked, then "Confirm security exception" button does nothing
5. if "Permanently store this exception" is NOT checked, you can "Confirm security exception" though you have to check each time if the certificate is not spoofed

September 30, 2014

In reply to gk

Any possible workarounds?
Thanks...

Being able to "permanently" (not really permanently but across sessions, until one manually deletes) store exceptions for self-signed certs and the like (after one verifies a fingerprint that one has authenticated to at least some degree) would indeed be most welcome.

September 26, 2014

1st, I know what I do ;)

This version does not save passwords anymore? The saved-password list in the preferences is empty and the key3.db seems not to be read. It's the same with the alpha releases. Why? How to fix it?

Why is tor in the vidalia bundle not updated to this tor version?

September 26, 2014

I'm a total newbie to TOR and all things to do with computers outwith using the internet for email, social media, etc., but trying hard to get to grips with privacy etc.

When I try to activate the HTML 5 player on youtube to watch videos I have to disable noscript or else it won't work. Is this ok to do? Or, is there any way around the problem? If you can help, please reply like you are talking to a 5 year old :)

whether it is "ok" to enable JavaScript (the button "Temporarily allow all this page") really depends on you and your privacy needs.

do you feel comfortable with youtube knowing about your screen size, screen resolution, system font size, TorBrowser's window size, and (if your TorBrowser is maximized to cover most of your screen) details about your desktop theme (i.e. how thick is your window borders, taskbar size, etc.), among other info?

if yes, then you can go on and enable JS.

but keep in mind that above mentioned info can be used to fingerprint (and track) you, even if you delete cookies. and remember that youtube (as being a google product) will share this info with the NSA, and (probably) with any other institutions that pay enough / make enough pressure...

after all, you'll have to make lots of little decisions between privacy and usability.
not using youtube at all means less usability, but certainly more privacy.

keep in mind that youtube is by far not the only video-sharing service, and there are several other options to use that don't require JS.
...vote with your feet!

Thank you for that reply. Very informative. I'm devoting some time to try and educate myself and information like you have provided is very helpful.

This may be another privacy/usability dichotomy but, is there any way to distinguish which sites you can "trust"? For the average person I'd imagine I'm not alone in not knowing the above info RE. youtube.

By default, NoScript is set to allow scripts globally in Tor Browser. This isn't the same as actually disabling NoScript entirely but many people don't seem to realize this.

You definitely should not need to disable NoScript entirely for HTML5 videos on YouTube (or any other site, for that matter) to play.

""By default, NoScript is set to allow scripts globally in Tor Browser.""

...which is not recommended!

Personally, I recommend to create two separate installations of TorBrowser (i.e. extract/install twice to two different locations), and then to use one browser with JavaScript enabled, and one browser with JavaScript disabled.

You'll have to set environment variables "TOR_SOCKS_PORT" and "TOR_CONTROL_PORT" along with corresponding configuration items in "torrc", and it might take a little bit of trying until you find your way around.
However once it is done, this setup allows simultaneous use of two TorBrowsers (with different settings), and personally I use the one without JS whenever possible, yet allowing me to quickly "enable" JS (by switching to the other browser) whenever some site refuses to work without.

The reasoning behind this setup is that I want to avoid being fingerprinted through the combination of sites that I've allowed JavaScript, which might be possible if one makes extensive use of the "Temporarily allow all this page" button.

September 26, 2014

I am having this problem since 3.6.4 and it still persists with 3.6.6. I already posted a comment on the release notes page for 3.6.4 - if I try to download the browser bundle any browser will crash. I have EMET enabled on that system for all browsers on it (ff, ie, chrome). I tried with another system not EMET enabled, that worked. Now for the new release all browsers again kept crashing, then I disabled EMET specifically for one of the browsers and downloaded with this one - OK fine. So it is one of the EMET protection functions (don't know which of them yet) which for some strange reason stumbles upon something in the binary. Some combination of bytes that EMET interprets as malicious and hence stops the process. It ain't really a bug of TOR I think, just a strange and possibly rare interaction. But I felt it might be useful for you to know.
Best regards

September 26, 2014

now that i have this updated TBB it won't work. it worked before the update and now when i try to open tor it says "couldn't load XPCOM." can anyone help?

Perhaps you have a setting on your antivirus software that causes it to flag any software that it hasn't seen many other users run? That's usually what's wrong with new releases.

Oh, and you should also be wondering about the wisdom and safety of all of the users letting the antivirus company paw through their systems in order to be able to draw conclusions like "many of our users haven't run that binary before". But I guess that's a different discussion.

September 28, 2014

In reply to arma

Ditto all of arma's comment.

Let me add that the process of placing trust in any given download from the Tor Project is essentially a two-part one that should be completely independent of any third-party antivirus program or the like.

First, you need to decide whether or not to trust Tor Browser (or any other offering from the Tor Project)-- assuming, of course, that you will be getting the authentic download. Then, if you decide to trust a given piece of software from the Tor Project, you need to authenticate your download of said software in order to have some reasonable degree of certainty that you are actually getting the intended, legitimate file(s) and not a trojan.

How did this "AVG" company trick you into being confident in the decisions its program makes?

I totally agree with the "not a great confidence builder" conclusion, but I agree on the "why am I listening to this program" side. which maybe isn't the same as you. :)

September 29, 2014

In reply to arma

I can only re-iterate that users should at least *try* to use a GNU/Linux distro (e.g. Ubuntu).

These projects try really hard to make GNU/Linux easy for everyone, and objections about it being too difficult come mostly from people who haven't even tried it.

Why I'm saying this: GNU/Linux distros come with out-of-the-box security and don't need dedicated antivirus software (just as any sane operating system should be).

Well, frequently they provide antivirus/anti-malware packages which is somewhat different but raises the point that GNU/Linux distros require some (albeit limited) technical knowledge to set up securely.

With that said, Windows has gotten better over the years. I feel safe on my one Windows box without any third party antivirus program. Many complaints about the insecurity of vanilla Windows have to do either with older versions (going back to XP if not earlier) or with poor user behavior (running executables downloaded from the web, etc.). That's not to say I'm suggesting Windows as a secure environment, but the sorts of threats that antivirus programs are designed to defend against aren't really weak points for a user who goes out of his/her way to use safe habits.

Of course, computer users don't always have a choice on whether or not to install an antivirus program; work or school networks frequently require them.

I have to use too many programs that only run on Windows, and I can't run out and buy a second computer. So Windows it is, for better or worse.

Just FYI: One need not have more than one computer in order to use more than one operating system (OS). Dual-booting, virtual machines (VMs), live environments (CD or USB) and installations to USB drives, are all options that allow one to run multiple OSs on the same hardware.

September 26, 2014

Another....... funny thing:

On sites with HTTPS i don't see Technical Details about used Crypto.

??

Have you tried manually clicking-on the "Security" tab?

In previous releases, this would display automatically after clicking-on "More information". This changed for some reason with this release.

September 27, 2014

Why is device.sensors.enabled set to true?

September 27, 2014

When i update from prev version, my saved site passwords are gone. The key3.db File is there and the same like in the prev version.

September 27, 2014

I updated the TBB to 3.6.6. It wasn't authentic when I checked the signatures. I got rid of that bundle and went to the official Tor Project page to get the 3.6.6 and now that one won't verify either. What is going on? Anyone else have these and if so, what do I have to do now to properly handle this?

Are you sure you are actually downloading from torproject.org ?

First, check the URL carefully.

If the problem persists, try downloading from a different system (you could try a live environment first, booted by CD/DVD or USB). If this gets you a download that outputs "Good Signature" then your system was most likely compromised (somewhere at the software level).

If, however, the file you download while booted into a live environment doesn't verify either, then you need to suspect a problem with your Internet connection and/or compromised hardware as the culprit. Troubleshoot accordingly, by trying a different Internet connection and different hardware, respectively.

Also, you wrote,

" I got rid of that bundle and went to the official Tor Project page to get the 3.6.6",

which makes me wonder: Where had you downloaded that first "bundle" from?

If it was from anywhere else than torproject.org (or, perhaps, an official, trusted mirror, if any exist)... then you probably should no longer trust the entire system that accessed whatever suspicious site it was that you downloaded something that purported to be the Tor Browser from.

You need to "flatten and rebuild", as the saying is.

After making sure your critical data is backed-up, you should completely wipe* the disk containing the OS installation that was used to access the dodgy site (and Lord knows how many other such sites...) and then start from scratch, with a fresh, clean install of your (authenticated) OS of choice.

*One pass of zeroes should be quite sufficient to delete any data (and nasties) beyond recovery. Though, if you intend to encrypt the drive (which, of course, you probably should), you might want to do one pass of pseudo-random data (such as /dev/urandom) instead (will take much longer but will supposedly make cracking the encryption considerably more difficult).

Also, are you certain that the signature and TBB file you have match? If you haven't already, examine closely to make sure they do. (Same platform, language and architecture, i.e., 32- or 64-bit.)

I just fetched the signature and the windows 3.6.6 from the download-easy page, and the signature matched just fine.

I assume it's user error on your part in some way, but I can't guess what way. :(
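The checks discussed in this thread (signature file belongs to the downloaded file, and the result is a good signature from the key you expect), as an added example that is not part of the original comments or the Tor Project's own tooling. `EXPECTED_FPR` is a placeholder to be replaced with a fingerprint you checked yourself, and the file names and `SAMPLE_*` status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge gpg's machine-readable output instead of eyeballing
# "Good signature", which gpg also prints for a signature made by ANY key
# present in your keyring.

# Placeholder, not a real key: set this to the 40-hex-digit primary-key
# fingerprint that you obtained and checked out of band.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Constructed gpg --status-fd samples (fake key ids and fingerprints).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2014-09-25 1411603200 0 4 0 1 10 00 1111111111111111111111111111111111111111'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 4444444444444444 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 4444444444444444444444444444444444444444 2014-09-25 1411603200 0 4 0 1 10 00 3333333333333333333333333333333333333333'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2222222222222222 Example Signer <signer@example.invalid>'

# The .asc must be the one for exactly this file (same platform, language
# and architecture): by convention it is named "<file>.asc".
sig_matches_file() {
    [ "$(basename -- "$2")" = "$(basename -- "$1").asc" ]
}

# $1 = gpg status output, $2 = expected primary-key fingerprint.
# Succeeds only if a VALIDSIG from the expected key is present and no
# bad/expired/revoked/unchecked signature is reported.
status_is_trusted() (
    status=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    trusted=1
    set -f   # "[GNUPG:]" must not be expanded as a glob when splitting
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                exit 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                # Field 3 is the key that made the signature (often a
                # subkey); field 12, when present, is its primary key.
                primary=${12:-$3}
                if [ "$primary" = "$expected" ]; then trusted=0; else exit 1; fi ;;
        esac
    done <<EOF
$status
EOF
    exit "$trusted"
)

# Run gpg on a real download and apply both checks.
verify_download() {
    sig_matches_file "$1" "$2" || { echo "signature file is not for $1" >&2; return 2; }
    # gpg exits non-zero on failure; the status lines are what gets judged.
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    status_is_trusted "$status" "$EXPECTED_FPR"
}

# Usage: EXPECTED_FPR=<fingerprint> sh verify.sh <file> <file>.asc
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "valid signature from the expected key"
    else
        echo "verification failed: do not run this download" >&2
        exit 1
    fi
fi
```

A non-zero result from `status_is_trusted` on the `SAMPLE_OTHER_KEY` case is the situation a bare "Good signature" message hides: the file is correctly signed, but not by the key you meant to trust.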

September 27, 2014

is there another Tor blog that is more active?

I submitted a question hours ago and it's not even posted yet? A lot can happen in 6 hours...

There is no other blog. In fact, there is barely this one, if you consider comments. Sometimes I pay attention to it and approve the small number of actual comments amongst the large number of spam comments. Sometimes I write code instead.

You might enjoy the thread on the www-team list about migrating to a new blog that is easier to maintain.

September 28, 2014

In reply to arma

"the small number of actual comments amongst the large number of spam comments."

I don't question that the number of actual comments is small in proportion to the spam. But in their own right, the number of comments that appear here hardly seems "small".

September 27, 2014

First copy text, then New Identity. Now you can't paste the text. Is this a feature or a bug? And if it's a feature, why? Thanks.

With new identity tor browser restarts. On closing tor browser it deletes copied data. It is not a bug, it is a security feature. You can use vidalia to get a new identity without restarting the complete browser.

"You can use vidalia to get a new identity without restarting the complete browser."

Note that according to the official Tails documentation, the only way of being sure of obtaining a completely new identity is to shutdown and restart Tails.

Could this also be said for Tor Browser?

Restarting TorBrowser is the proper way to get a new identity.

However, restarting Tails would be analogous to re-installing TorBrowser; the latter should not be necessary.

Is clicking on "New Identity" in TorButton considered "restarting TorBrowser" in this context?

Or did you mean to manually close all open windows of TorBrowser and then start it up again?

I assume it is a bug.

My reasoning: The TorBrowser as a whole doesn't update automagically, but merely informs the user about updates. This leads the user to believe it'd be a project-wide policy not to auto-update (which is the right thing to do by the way; please refer to the "uplink" feature in "I, Robot" (Will Smith) for the details).

I honestly can't imagine that TBB developers want to have such inconsistent behaviour (no auto-update for browser versus auto-update for add-ons) in their project.

So, feel free to be the first one to file the bug report!

Such is how it would seem to me as well.

Now the question is: How much concern is warranted over this behavior of TorBrowser, i.e., automatically updating addons?

Is some immediate action on the part of the Tor Project warranted?

TorBrowser doesn't update automatically because automatic updating like Firefox isn't a trivial feature to write for the number of programmers Tor has. There was a time TBB didn't even check if there was a new version like it does now even though that is significantly less work.

While updating automatically does allow for certain attacks (and assumes that the Tor developers will remain trustworthy,) for the vast majority of users it significantly reduces the amount of time after an update is published that it gets deployed on their machine.

Can someone from the TBB developers confirm that autoupdate add-ons is wrong please?

my version of no script is now 2.6.8.43. i deactivated autoupdate, i guess reinstall TBB is the right thing?! thanks

September 28, 2014

I like to let my fixed IP in tor version 3.66.

need 1 ip is clear that it is not mine but that is FIXED in BRAZIL .

I can not in this version .

the game I play I can not ta turning the changing world of IP that almost denounces me ..

there help me please ..

Sounds like you want to get one of those VPN providers or something that offer that service. Their anonymity promises are snakeoil, but I imagine if they promise to route you through Brazil they probably do.

September 29, 2014

Sync freezes on 366. If I use the "replace local" option in the advanced options box I can't close the dialog box. If I check the "merge" radio button, the dialog box closes but no action is performed when I try to go on. It worked fine as of 365. Thanks.

Seems to be a bug. For now the solution is to enter about:config, find the preference security.nocertdb and change it to false. Then you have to close and restart the Tor Browser and you should be able to sync.

September 29, 2014

Can you disguise the "TorBrowser" title? As anyone can become suspicious when they see that instead of a standard "Firefox" title. Making us vulnerable to prying eyes!

Unfortunately, Firefox's legal team would have a problem with that. If you modify the firefox source (which Torbrowser does,) you can't legally use Firefox trademarks (like the name, logo, etc.)

Hello, I would also like to ask this question.
@devs: There is not anymore an easy way to check the content (images, scripts etc.) of a page. Maybe with the debug tools. But there is no overview as far as I know.
Is this due to security reasons? And is it possible to enable the tab in About:config or so?

Same here "Change Master password" button is greyed out and when I try to add a password I get "unable to change password" popup...

September 30, 2014

Just wondering, are there any plans to release binary diffs in the future?
Considering all the work that goes into deterministic builds, all that minimization of so much extraneous data sounds (to a layman) like it could be tight.

September 30, 2014

Hi All,

I can not login to badoo.com
Even with the link in the registration email not working.
Any ideas?
Thank you

September 30, 2014

I've noticed an issue on Comcast and I was wondering if anyone else has. When going to totally legal and legit sites using Comcast lately (last 3 days about), unless I use obfs3, the sites keep on timing out and Firefox keeps on refusing to go to the websites.
I thought that this was an issue with the TOR Browser until enabling that and then it was like "What the hell is Comcast doing?"

October 01, 2014

Have an unusual error here. Quite by accident, may not.
Using Tor years with Debian on some computers. All fine, no problems. Almost with javascript off.
With releasing Tor Browser 3.6.6 i installed it on a nearly new computer with windows.
Windows was working fine - before this.
Surfing some time with javascript on then shutting down windows.
Next try to start computer was a surprise.
HDD is "ill". Boot is running moments before uefi-bios starts HDD. Then comp hangs + no other device can boot + no entry in bios. HDD seems very healthy (S.M.A.R.T, manufacturer test software). Windows repair disc cannot repair and cannot find installed Windows.
When pull sata plug from HDD i can enter bios and boot normally, windows from HDD too. With sata plug in machine it's hanging.
I've never had any strange error especially like this.

October 02, 2014

Would really appreciate some instructions for setting up and running Vidalia with TBB 3.6.6. It worked perfectly with the previous version of TBB, but now it asks for a password, and if I hit the reset button in vidalia, then vidalia works, but TBB doesn't.

I suspect there is a difference in port settings between Vidalia and TBB 3.6.6. Where are the ports used by TBB documented?

Also, my AVG antivirus keeps alerting on this version of TBB, but has never done so on previous versions. Makes me nervous.

I don't think that there are any changes between 3.6.6 and 3.6.5 that should affect Vidalia; of course Tor Browser no longer supports Vidalia and using Vidalia with Tor Browser might end up with undesired behavior.

Also, what's the exact complaint by your antivirus? Modern antivirus software uses several different techniques to identify potential threats, some of which produce false positives. It doesn't help that there are some individuals that use tor for nefarious purposes possibly getting it added to some malware lists.

October 03, 2014

3.6.6 is terribly slow at loading web pages. Please make available the 3.6.5 version for download

3.6.5 shouldn't be any faster than 3.6.6 unless it's related to firefox itself; are you sure it isn't either server side or some other change with your computer? I haven't noticed any differences.

If you downgrade, you're potentially opening yourself up to more bugs that could be used to identify you.

October 03, 2014

This version breaks the find (ctrl + F) feature in TorBrowser for me, Windows 7. Can anyone confirm?

October 06, 2014

The 3.6.6 (GNU/Linux 64-bit) version takes a very long time to connect to the network and then equally long times to load websites, which makes this version completely unusable. Can you please allow the download of version 3.6.5?

October 18, 2014

I am giving Tor 24 hours....! To fix all bugs...! other wise i will access ...it is a take over...!