Tor Browser 4.0.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.

Here is the changelog since 4.0.2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update NoScript to
    • Update meek to 0.15
    • Update Tor Launcher to
      • Translation updates only

January 13, 2015


I wonder how "current" the Crypto/HTTPS in the new browser version is. Have not tried yet.

e.g. DSA or RC4 are outdated?
How trustworthy is DSS? And Camellia?
Or try downloading from the mozilla ftp pub with GCM-sha256? Fail.
Why AES128 only in security.ssl3.ecdhe_rsa_aes_128_gcm_sha256?
Why not crypto with Twofish?
And so on.

I hope detailed crypto and media information is activated again.

Well, you can deactivate RC 4.

Type in the address bar of Firefox


then search for "RC 4" or "RC4"

then deactivate all entries listed, so switch from "true" to "false"

that's it! :)


January 14, 2015


Just wanted to say a huge thank you to everyone that works on TBB and associated products. I know lots of people complain about stuff but I just wanted to say that your work is greatly appreciated (by me at least). THANKS AGAIN. There are many adversaries out there trying to watch every last little thing that we do but with your help we can hold them off a good while longer.

Complaining is one thing, giving constructive criticism is another. Only the liberals and the government complain because things don't go their way.


January 14, 2015


thanks!

i have a question.

i have heard cyber police can track users by computer's IP! is it true?

if Yes, is there any way to change computer's IP?

i mean the ip to be obtained via:

Run> Cmd > ipconfig >IPv4

No. That is untrue.

There is no such thing as Internet police. Laws vary from country to country, so what's legal in one country could be illegal in another.

If you don't take measures to hide your real IP address, and you then start using peer-to-peer sites to obtain content that is protected by Copyright (for example, you download the latest Red Hot Chili Peppers album), then, because you are now sharing that with the world (by default with most P2P software), you could end up sharing it with one of many computers that the Recording Industry Association of America (RIAA) have set up to trace the sharing of Copyrighted material. The Motion Picture Association of America (MPAA) are the ones who get involved if you've downloaded and shared movies, RIAA take care of music, and so on.

The RIAA, in this example, then go to the local Courts to request a Court Order instructing the Internet Service Provider (ISP) of the IP address to give them the details of the person who used the IP address at the time the Copyright infringement occurred. Details in hand, they go to the Police because you broke the law, and you get a slap on the wrist. It's not exactly a huge criminal act as far as law enforcement are concerned.

With the criminal conviction in the bag, they then set about ruining you financially and they commence legal proceedings against you for sharing content that was Copyrighted, and demand no less than $750 per song shared to any 1 person. So if 100 people downloaded 1 song, they sue you for $75,000. They make up a random number of people that they think have downloaded the Copyrighted material you have made available for downloading, and slap you with a ridiculous bill in the millions that nobody would be able to pay.

There are several horror stories out there of the RIAA bullying families to bankruptcy because their children have been loading up on Copyrighted content, and it's not the downloading that they're hot and bothered about, it's the fact that you made the Copyrighted material available for others to download from you.

I'm not recommending that you break Copyright laws at all. However, a service like Tor will cloak your real IP address from any drone computer the RIAA may have set up, and if your IP address is in North Korea, the RIAA don't have jurisdiction there, so they'd have to drop it and move on to the next case, hoping it's easy and straightforward.

Bottom line: Use Tor.
Written by JerryU

could they still charge me if i only download a copyright protected song directly? (not from p2p websites)
thanks in advance.

Generally you shouldn't do anything that's illegal in your country.

so your advice is - do not use tor till you are in china??

There is always a way to track someone's i.p. and track their activity. There is internet police, but they don't actually act on something unless it's their own getting threatened. In other words, say for example, you go to a chat site where there are predators on it. You report it to the FBI because there are hackers and stalkers on there. They will blatantly ignore it because they don't consider it a priority, yet, if you send an e-mail to one of them threatening their life, all of a sudden it becomes a priority and they're all over you like a pig in sh-t.

When it comes to the RIAA and copyright material, don't worry about it. I've been a pioneer to peer to peer programs and have never been caught on tor. There is a lot of gossip that peer to peer networks may leak information, but that's untrue, otherwise I would've gotten notices in the mail like I did when I was testing tor with cable. I was getting them without tor and wasn't getting them with tor. The thing that everyone doesn't know is that when the RIAA began bringing people to court, they had to give back 9 billion dollars because they were illegally hacking computers and claiming people were illegally downloading when they weren't. That was in 2005; after that, the RIAA was scared to death of bringing someone to court in fear of the speculation from the court of them planting copyright material in someone's computer for the sake of getting $250,000 from someone. The criminal mind is that it's easier to gain the profit back by falsely accusing someone; that way they can gain the money back from what they lost from it. There are people who may say don't encourage copyright "Theft," but in reality, the entertainment industry is worth about $90 billion dollars a year. They aren't going bankrupt.

I have a question, why are you asking about changing your i.p. if you're on this site knowing about tor?

Can I change the entry node without restarting TBB? How to know which entry node I'm using?

I don't think you can change the entry node without restarting Tor Browser or having a different controller accessing it. Your circuit is visible in the alpha version of Tor Browser. We are currently testing this feature.

I want to know: if I update the TBB, do I need to delete the folder and sub folders of TBB? Then extract the TBB to somewhere.

If you are using Tor Browser's own internal updater you don't have to do anything yourself.

What if I'm not using internal updater?

Does the internal updater automatically verify the update?

Verifying a signature embedded into the update just landed in the alpha series. Thus, this is not available in the stable series yet.

If GFW blocking meek...

Hello, how secure is the included updater in 4.0.2? Does the NSA have the capability to tamper with updates using this mechanism?

It's hard to say anything about NSA's capacity but the updater is quite secure we think. It is getting even more secure with signed updates which is currently tested in the alpha series.

How secure can the internal updater be when it apparently doesn't even attempt to verify the update?

As secure as you can get it with pinned certificates. See: for the details.

In the Tor Browser 4.0 release announcement mikeperry wrote: "Please also be aware that the security of the updater depends on the specific CA that issued the HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures."
So I'd like to know if now is safe to update TBB 4.0.x through the Help / "about browser" menu option or not yet.

Signed update files have not landed in the stable series yet. We are starting to test that feature in the alpha currently.

How can we examine the fingerprints of the CA in this case?

Which case are you talking about? The things we pinned in the stable series are visible via about:config. Have a look at app.update.certs.1.*

I am seriously not trying to troll here, but:
What is the deal with the binaries not giving the same checksum as when we compile Tor ourselves from source? (Honest question and honest concern).

Someone might have tampered with the binary you are downloading or the binary you are compiling yourself. Have a look at Mike Perry's and Seth Schoen's reproducible builds talk at the 31C3 for the issue.


The religious dictator regime in Iran tortured and imprisoned the bloggers.
The religious dictator regime in Iran is one of the greatest enemies of the Internet.
I'm a blogger and I'm blogging with security (with Tor).
Iran is a prison for journalists, freedom and dissidents.

thank you.

> The religious dictator regime in Iran tortured and imprisoned the bloggers... Iran is a prison for journalists, freedom and dissidents.

Josh Wolf says hi.

> The religious dictator regime in Iran is one of the greatest enemies of the Internet.

Did you mean to say NSA?

The NSA does things, which can have positive and negative effects. They make it harder to be anonymous. But in Iran, you can die just for saying the government is stupid.

Good response.

you should use tails

Dictators will be toppled.

Freedom close.

Great! I have an idea for the Tor project, instead of making data go through 3 Tor relays, make data go through 6 Tor relays. That would make Tor impossible to be hacked by anyone.

Can you imagine how much slower that would make using Tor?

The Tor network has a large surplus of middle relays, so adding an additional middle relay would not necessarily take network capacity away from other users.

The extra time would consist of a) the additional latency of going through an additional relay and b) the chance of choosing an additional middle relay that has the lowest available bandwidth of each relay in the circuit.

The length should be four relays (at a minimum). That would place (at least) a two-relay onion route between either the entry relay or exit relay and any network observer (at one link) along the path. As it is with third-generation onion routing, the fixed three relay length allows the middle relay to know the IP addresses of both the entry and exit relays (as well as the timing information) of every circuit it serves as a middle relay for.

Since onion routing does not protect against an adversary that can see both endpoints of the onion route, no observer should know the physical locations of both endpoints, let alone so easily and with certainty.

Please see the paper "A Peel of Onion" by Paul Syverson at section 4 for some of the rationale behind the circuit length design choices for each of the three generations of onion routing.

Has Erinn changed gpg keys? I got a "bad signature" output when verifying tbb 4.0.3. Additionally, I noticed in that the asc files for this latest release have a different "last modified" date than that of the corresponding bundle. That isn't usually the case is it? Should I be worried?

As always, thank you Tor Project.

As long as the signature is properly verified you should not worry. Which bundle did you try to verify?

I tried to verify tbb 4.0.3 en_us.exe.
I've never had a "bad signature" output before. tbb4.0.2 and tbb4.0.0, which i still have, produce the expected output, as do a couple of other applications that I verified today.

Thanks again.

Nevermind, it was a corrupted, somewhat smaller executable. I downloaded again, this time with no problems, and verified it. No problem. I feel a bit stupid, now.
Anyway, thanks.

This is actually happening to me too! I keep getting:
gpg: Signature made Di 13 Jan 2015 20:10:16 CET using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "
I don't think it's a corrupted d/l, I redownloaded tor-browser-linux64-4.0.3_en-US.tar.xz three times.. Creepy.
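One way to turn the `gpg --verify` outcome discussed in the two reports above into an unambiguous verdict, as an added shell example that is not from the Tor Project or either commenter: it reads gpg's machine-readable status lines (GOODSIG / BADSIG / NO_PUBKEY) rather than the human-readable text, and reports the file size, since a truncated download produces a "BAD signature" just like a tampered one. The bundle file name is the one from the thread; the function names and the 63FEE659 key id in the comments are taken from the thread, everything else is assumed.

```shell
#!/bin/sh
# Added example: classify a detached-signature check of a Tor Browser
# bundle using gpg's --status-fd output. Not Tor Project code.

# Read gpg --status-fd lines from stdin and print exactly one word:
#   GOOD    - signature verified with a key already in the keyring
#   BAD     - signature does not match the file (corrupt or tampered download)
#   NOKEY   - signing key (e.g. 63FEE659 in the thread) is not in the keyring,
#             so nothing was actually verified
#   UNKNOWN - no signature status seen (wrong files, expired/revoked key, etc.)
classify_gpg_status() {
    result=UNKNOWN
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   result=GOOD ;;
            "[GNUPG:] BADSIG "*)    result=BAD ;;
            "[GNUPG:] NO_PUBKEY "*) result=NOKEY ;;
        esac
    done
    printf '%s\n' "$result"
}

# Verify a bundle against its detached .asc signature, e.g.
#   verify_bundle tor-browser-linux64-4.0.3_en-US.tar.xz
# Prints "<verdict> (size N bytes)" and exits 0 only on GOOD.
# The size is printed because a BAD verdict on a file that is smaller
# than the published bundle points to a truncated download, not tampering.
verify_bundle() {
    bundle=$1
    sig=${2:-$bundle.asc}
    if [ ! -f "$bundle" ] || [ ! -f "$sig" ]; then
        echo "UNKNOWN (missing bundle or signature file)"
        return 1
    fi
    # --status-fd 1 sends status lines to stdout; human text stays on stderr.
    verdict=$(gpg --status-fd 1 --verify "$sig" "$bundle" 2>/dev/null | classify_gpg_status)
    size=$(wc -c < "$bundle" | tr -d ' ')
    echo "$verdict (size $size bytes)"
    [ "$verdict" = GOOD ]
}
```

A NOKEY verdict means the signing key must be fetched and its fingerprint checked first; only a GOOD verdict from a key you have independently confirmed says anything about the bundle.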

Am I supposed to download my GPG through the tor browser?