Tor Browser 4.5-alpha-2 is released

by gk | December 5, 2014

The second alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5-alpha-2 is based on Firefox ESR 31.3.0, which features important security updates to Firefox. Additionally, it fixes a regression which caused third party authentication credentials to remain undeleted and contains smaller improvements to the circuit UI and the security slider.

Here is the changelog since 4.5-alpha-1:

  • All Platforms
    • Update Firefox to 31.3.0esr
    • Update NoScript to 2.6.9.5
    • Update HTTPS Everywhere to 5.0developement.1
    • Update Torbutton to 1.8.1.2
      • Bug 13672: Make circuit display optional
      • Bug 13671: Make bridges visible on circuit display
      • Bug 9387: Incorporate user feedback
      • Bug 13784: Remove third party authentication tokens
    • Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)

Comments

Please note that the comment area below has been archived.

December 05, 2014

Permalink

In China, Tor Browser 4 could connected over meek-amazon or meek-azure.

But Tor Browser 4.5-alpha-1 and 2 both couldn't use meek.

please check it.

In China, Tor Browser 4 could connected over meek-amazon or meek-azure.

Would you like to get your Chinese friends to translate Tor Browser into Mandarin Chinese?

With the recent implementation of laws by the Chinese authorities to curtail the freedom of expression on the internet, there is an urgent need for Tor Browser and its help pages to be made available in Mandarin Chinese.

How much would it cost to get a translator to translate tor and all its documentation to Mandarin Chinese (or any other language)? I'm thinking about maybe sponsoring it, or if you want you can set up a kickstarter and crowdfund it.

How much would it cost to get a translator to translate tor and all its documentation to Mandarin Chinese (or any other language)?

That's very nice of you :)

The cost of hiring a translator or translators depends very much on the volume of work to be translated.

If you've an idea of the volume of documentation to be translated, I can point you to some websites that offer English-to-Chinese translation.

December 05, 2014

Permalink

how can i revert to the classic theme? it´d be a good idea to remove irrelevant and unnecessary features like developers tools, as well as trim the binary download size - up until version 3.6 tor browser´s like 20-30 mb download, now it´s 40-50 mb.

I want to know this too. It's really needed, the new Firefox interface is terrible, and it's not even customizable remotely near the old Firefox interface.

Why do the Mozilla developers insist on breaking what was fixed since Firefox 1.0?

Lack of toolbar customization and lack of add-on bar are the two serious problems. A third serious problem that the Mozilla developers broke many releases ago is double clicking the URL bar. It selects everything (like a triple click always should) rather than just a single word. It makes trying to cut off parts of the URL extremely difficult, it used to be easy by just double clicking and dragging.

It's not really the TBB devs fault I know. It would be great if these features could be brought back in the TBB fork.

Classic Theme Restorer can give you a somewhat decent GUI, may change your browser signature especially if you have javascript enabled but should otherwise be safe, certainly safer than not using tor.

As for proper double click behavior, go to about:config and change browser.urlbar.doubleClickSelectsAll to false.

December 05, 2014

Permalink

If you really want your user base to explode (expand unbelievably) you should support torrenting over tor. TAILS have made some pretty remarkable advances in this field https://labs.riseup.net/code/issues/5991 which will also bring more support and funding to the project. It will not harm the network in terms of speed and over load, because this user base expansion will also make more people set up more relays. What do you think?

What about Wikileaks' 401.6GB insurance (torrent) file they asked everyone to download? https://www.facebook.com/wikileaks/posts/561645433870573 we should totally download that from our own ips or "anonymous" and "military grade encryption"™ VPNs and proxies, right? Reasons to torrent anonymously aside, this is about growing the network to improve tor's anonymity index, it's not about torrenting per se, it's only about growing the network even more to comply with its design "anonymity through obscurity" and it's a great idea that is destined for success once implemented.

There are options for large file transfer through Tor that are NOT going to kill the network, like Bittorrent would. While there may be a small faction of Bitorrenter's using it for human rights matters, etc., the vast majority use if for porn and movies.

I won't support Tor by running a node if it gets taken over by 18 year old kids looking for porn and movies.

Isn't this the same as 'i don't want my 18(!!!) years old kids(!!!) knew anything about nsa spying' so tor need censoring content? How can it be anonymity but only for accessing government' approved content? Is it a PRopaganda mist?
As for your 'kids' they can quite well be used in SS(nsa/cia/fbi/etc) operations all over the world. Did you ask them if they wanted to be controlled/censored even by you?

Tor network isn't designed for torrenting, period. Maybe some day it will be big enough, but that day isn't not anywhere near today.

And the day Tor says "please, torrent over Tor" I will stop running a node.

December 10, 2014

In reply to arma

Permalink

They WILL harm the network, you dolt. That's the WHOLE POINT!

Torrents are mostly pirated movies, WAREZ, games, and porn. Fact.

Yes, and facebook and html5 aren't torrents.

I'm not a big fan of bulk transfers in general over Tor. And doing it via bittorrent is generally especially unwise:
https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

But we have to accept that many web pages these days have a variety of types of content on them, and that's what people want to do with the web.

If you really want your user base to explode (expand unbelievably) you should support torrenting over tor.

NO, NO and NO.

On the contrary Tor developers should incorporate technology that's able to detect when a Tor user is using bittorrent over Tor and blacklist and kick out that Tor user out of the Tor network.

Stick to Tor's original goals: to provide a means for those living in oppressive regimes such as North Korea, Iran, China, Egypt, etc... to freely express their opinions. Also journalists living in those regimes ought to be able to freely do their jobs.

Supported ! The Torproject and developers community
should takeit to heart to put their acts in line with
their (stated) goals, lest theu be suspect of hypocrisy,
in turn giving rise to legal attacks against (safe) use of Tor
and perhaps to Tor's total prohibition.

So, NO help or support for torrents over Tor,
and in general privilege safety and privacy over speed
and throughput.

Do you mean to announce that tor network is really nsa-controlled machine for exclusive usage in "oppressive regimes such as North Korea, Iran, China, Egypt, etc..."? So quite rightfully it _should_ be illegal for use in any country which is not under nsa control as tool of foreign spy agencies.
Seems to me it's just another attempt to disjoint tor community. BTW, why do you believe nsa-controlled state is not an oppressive regime?

Actually, I really don't want to do anything that can detect certain protocols and change behavior based on them. That way means losing "common carrier" like status, and anyway it's just an unfriendly thing to do on what we'd like to be a network-neutral Internet.

That said, we *have* been investigating throttling people who use more than their fair share of bytes, not because doing so is evil, but because doing so harms other users. See
http://freehaven.net/anonbib/#throttling-sec12
for some designs, and
http://freehaven.net/anonbib/#pets13-how-low
for some attacks on these designs. As with many suggested changes in Tor, getting it right is still an open research area.

Let me also address your last point -- Tor's original goals were as a civil liberties tool for people in the west (America, Europe, etc) to not get stuck in corporate or government databases. The censorship-resistance came later. But as other commenters here point out, resisting surveillance in Egypt and resisting surveillance in Italy are just matters of degree these days.

December 06, 2014

Permalink

Hi,

I downloaded, verified and installed a copy of tor-browser-linux64-4.5-alpha-2_en-US and after clicking on the Test for Tor Network Settings found that the Atlas link produced a page with the animated icon followed after a while by an error message.

No Results found!

No Tor relays or bridges matched your query :(

Should this be expected in this Alpha at this stage of development?

Thanks.

December 06, 2014

Permalink

I know everything is encrypted except from the exit node to the final destination. I'm wondering, though, what, if any, anonymity concerns exist due to at least the user's Tor client knowing the entire circuit?

In general I think that's a good thing rather than a concern. *Something* has to pick the path, and if it's not the client, that sounds even scarier to me.

December 22, 2014

In reply to arma

Permalink

Would it be better if the client only chose the first node, the first node then would pick the second node, the second would choose the third (exit) node? No one node would then know the complete path. Today is seems, at least theoretically, that all nodes know, or could determine, the complete path.

December 06, 2014

Permalink

More crap being thrown at Tor; this time it is Wordpress doing the blocking:

"Lost?

Our server sentries tell us you should probably not be here. Maybe you are lost?

If you are sure this is the place you are trying to go, please contact us and we will be happy to help."

Contact address is http://en.support.wordpress.com/contact/

December 06, 2014

Permalink

PS everything works just fine with Wordpress when you disable Tor ;)

Cloudfare, Wordpress... next... things are not looking good for Tor.

Just as it becomes usable, accessible and is gaining popularity it is being blocked and frustrated at every turn.

December 06, 2014

Permalink

The circuit display feature in torbutton is great! But, two problems I noticed:
- you can't select text in it to copy to the clipboard
- hidden service circuits still show "internet" after the last hop, which seems wrong

How about making the relays in the list be links to Atlas?

And how about a "report bad exit" button where users could submit reports to bad-relays via a hidden service? Ideally the reports could even (with the user's consent) include a copy of the TLS certificate and/or HTTP response received.

> How about making the relays in the list be links to Atlas?

No, please don't do that. People are going to click their relays and hence expose which relays make up their circuit.

December 07, 2014

Permalink

StartPage is giving us this warning everytime I try to use it:"As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.

Thank you,
The StartPage Team

JavaScript appears to be disabled in your web browser. To complete the CAPTCHA, please enable JavaScript and reload the page."

Time to ditch it as the default search engine I guess

just for joke try to use something like "...googlebot..." in user-agent string. they're going to be mad.
and not just using it by default but actively recommend against it through a pop-up message.

December 09, 2014

In reply to gk

Permalink

Maybe he refers to the fact that the Tor circuit is not displayed for every tab.

December 07, 2014

Permalink

Downloaded and installed this alpha with no problems. No complaints from my antivirus program ( BitDefender Free ). Thanks for fixing the bug that caused me to re-disable Javascript via NoScript, every time I chose "New Identity".

December 08, 2014

Permalink

Problems downloading TBB exe file with seamonkey.
The Download window says blocked!

It's any strange shit with "stricttransportsecurity" the browser says.
Where is the misconfiguration?

December 08, 2014

Permalink

Is there a good reason that the Tor Browser auto-updater has to make a copy of the entire browser, user profile included, into an "updated" folder just to update? It makes it very easy to run out of space if you have a larger user profile.

December 09, 2014

Permalink

I noticed that HTTPSProxyAuthenticator username and password are still in clear plain text in torrc. This is a serious security issue in my view: it allows anybody with access to the file (e.g. through a backup or an old disk) to get the identity and network credentials of the tor user (esp. in corporate or controlled environments). Thanks if somebody could fix this issue somehow or at least try to reduce the risk: maybe (i) adding an option not to save network access credentials (ii) a password protected startup process or, ideally, (iii) the possibility to choose a pw protected profile to run tor. Thanks!

I suggest you open a ticket on https://bugs.torproject.org/ and be prepared to help write the feature the way you want it.

That said, doesn't the httpsproxyauthenticator go out on the network unencrypted too? So it's not like these things are actually very secret.

December 09, 2014

Permalink

I just downloaded Tor and nothing else.
Is it safe to use Tor with Internet Explorer 11?

December 11, 2014

Permalink

Another day, more propaganda, this time targeting "users of of the 'dark net'" i.e. Tor... the 'dark net' the place where all those 'paedophiles' lurk. "It's outrageous, why aren't the Government doing something about this and blocking this Tor or whatever is is called from accessing the internet?" Why is it all so predictable? All so reminiscent of when the Pirate Bay first started appearing on the pages of the BBC: "Pirate who? Never heard of them. But wow, this 'file-sharing' sounds so cool, must give it a try... you get all sorts of 'free' stuff like movies, music and software you say".... and look where the Pirate Bay is now - offline! Now we have moved onto: "Onion who? Never heard of them. But wow, this 'anonymity' sound so cool must give it a try... you can get up to all sorts of 'illegal' stuff and not get caught you say?"

From the BBC: http://www.bbc.co.uk/news/uk-30426164 .. always worth keeping an eye on.... ;)

December 11, 2014

Permalink

From the BBC article: "The joint unit will tackle people who are using increasingly sophisticated encryption techniques and the so-called "dark-net" to hide their true identities and trade child abuse images and videos."

Probably means GCHQ has already set up numerous fake nodes or is about to. Probably watching exit traffic and tracing it back to origin.
We need a new TOR that can't be broken by super computers.

I know we keep going back and forth about this, but setting up your own relays to attack Tor is only one of a wide variety of ways to attack, and it's probably not the most effective or most efficient. Other approaches include watching relays that are set up by other honest people (less risk, less hassle, easy to do if you've already put surveillance gear in place) and compromising the browser of users who visit a given site.

December 13, 2014

Permalink

I really hope this is the next release (which is due in about a month?!) or you at least backport some of it.

Also is TorBrowser fully portable?if so on all operating systems?

No, it will still take some months before we can call it a stable release. E.g. signing the update files is missing in 4.5-alpha-2 and we need at least two further releases to test that. And there will be no backport of features either.

Yes, Tor Browser aims at being fully portable. You should be able to run it on Windows/OS X/Linux.

December 16, 2014

Permalink

Could you please provide some documentation explaining what the ominous security slider actually does? My apologies if this has already been explained but I could not find anything about it.

Also, is there a way to revert NoScript to its original state so we have the ability to enable/disable sub-elements of a page again?
I know this came with v4.0 and I understand it has been done to make browsing easier for inexperienced users, but can't we have a choice? This all-or-nothing approach seems a bit drastic to me.

December 23, 2014

Permalink

Consideration : Remove Google as Search engine

It Seems Google has now blacklisted all Tor exitnode ip's, search
seemed definitely stopped working.
Trying to use Google as a search engine (sometimes you have to) nowadays results in a never ending captcha process without any progress!

June 25, 2015

Permalink

I understand it has been done to make browsing easier for inexperienced users, but can't we have a choice? This all-or-nothing approach seems a bit drastic to me.Baahubali torrent