Tor Browser 4.5a4 is released

by mikeperry | February 26, 2015

The Tor Browser team is proud to announce the release of the fourth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Moreover, this release includes an updated Tor, 0.2.6.3-alpha, and switches Scramblesuit and obfs3 bridge support to a new golang-based implementation. We are especially interested in hearing any issues with using obfs3, obfs4, and Scramblesuit in this release.

The release also features several improvements to usability, following the results of the usability sprint at the end of last month. In particular, the Torbutton onion menu and related preference windows have been overhauled to provide more simplicity and more focus. The onion menu now features a much requested "New Circuit for this site" option, and the security and privacy settings window have been simplified. For censored users, the first run configuration wizard was also improved to present the choice of Pluggable Transport before the local proxy information, in an effort to avoid confusion between Pluggable Transports and local proxies. As can be seen from the changelog below, the release contains several other usability tweaks and enhancements as well.

Here is the full changelog for changes since 4.5-alpha-3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update Tor to 0.2.6.3-alpha
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update obfs4proxy to 0.0.4
      • Use obfs4proxy for ScrambleSuit bridges
    • Update Torbutton to 1.9.0.0
      • Bug 13882: Fix display of bridges after bridge settings have been changed
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 14866: Show correct circuit when more than one exists for a given domain
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14632: Disable Cookie Manager until we get it working.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 13900: Remove remaining SafeCache code in favor of C++ patch
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 9387: Handle "custom" mode better in Security Slider
      • Bug 12430: Bind jar: pref to Security Slider
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Translation updates
    • Update Tor Launcher to 0.2.7.2
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Translation updates
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 10280: Don't load any plugins into the address space.
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 5698: Fix branding in "About Torbrowser" window
  • Windows:
    • Bug 13169: Don't use /dev/random on Windows for SSP
  • Linux:
    • Bug 13717: Make sure we use the bash shell on Linux

Note: Once again, the individual bundles of both Tor Browser series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub 4096R/0x4E2C6E8793298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7
DE68 4E2C 6E87 9329 8290

Comments

Please note that the comment area below has been archived.

February 25, 2015

Permalink

"The onion menu now features a much requested "New Circuit for this site" option, ..."

Am I dreaming?! OMG!!! YES!!! Thanks Mike!!! :)

February 25, 2015

Permalink

What happened to the circuit status info? Showing the circuit info that was added to TorButton just a short while ago (a'la Vidalia circut info)?

In a very recent TB release if I clicked on the TorButton icon the circuit status was listed in a gray flyout box.

February 25, 2015

Permalink

Bug possibly:

The box for "Custom Values" under "Privacy and Security Settings..." is not usable, I cannot tick the box to use custom settings.

It gets ticked if you change a setting governed by the security slider yourself. It is meant more as a hint for you that you are not in one of the 4 default security slider groups anymore which might make it easier to single you out.

February 26, 2015

In reply to gk

Permalink

Thanks, that wasn't clear to me, I though if I ticked the box I would be presented with a whole slew of options I could change.

February 25, 2015

Permalink

Thanks for all your efforts.
I wish you leaved the circuit display feature in torbutton. Please tell me it's coming back!
The new design for torbutton is great (minus removing the circuit display...)

February 26, 2015

In reply to gk

Permalink

if tor button is still on your Tor browser it maybe you updated directly.i download 4.5a4 From Download link and don't see Tor button on my Browser

February 27, 2015

In reply to gk

Permalink

when i connect via obf3 i see Tor button but when i connect via custom bridges (manually ) Tor button is hidden .

same here - torbutton is still there, but circuit display disappears, circuit display still works on my tor 4.5 alpha 3

Works for me. How do I reproduce that? Note: the display does not work for local pages like about:tor as there is obviously no circuit involved at all.

February 27, 2015

In reply to gk

Permalink

I don't know how to reproduce, it happens on my 4.5a4 everytime. My conf is win 8.1, run alpha 4.5a4.exe downloaded from tor website, changed network setting to meek, changed torrc to an exitnode, and the homepage is https://check.torproject.org/?lang=en_US not about:tor. Other than these, all are default.

February 27, 2015

In reply to gk

Permalink

Thank you. I can not use tor when the bridge is obfs3, obfs4 etc, does it mean I need to stay on 4.5a3 until 4.5a5 available?

One more question: do you have any Canadian tor user complaining they can't access internet with it is not meek? It seems weird to me, feels like I am in China.

February 25, 2015

Permalink

I reported what may be a bug today about the network info flyout when the green TorButton icon is clicked.

It seems that was only an issue on the landing page when TorBrowser is first started (the one with "Congratulations!..."). When on any other web page it works as expected.

February 25, 2015

Permalink

To ALL Tor developers:

On behalf of all journalists and whatever-rights advocates, I thank you for taking the time and effort to create this product.

February 25, 2015

Permalink

Downloaded the alpha4 and installed with no problems from my anti-virus program, Bitdefender Free. The circuit status display works on the TorButton in the alpha4 I downloaded. Alpha4 runs a bit faster than the alpha3 I was using. No problems with using obfs4 either.

February 25, 2015

Permalink

In China ,the default obfs3 and obfs4 and ScrambleSuit bridges are all down,but meek-amazon and meek-azure still work normally.

In China ,the default obfs3 and obfs4 and ScrambleSuit bridges are all down,but meek-amazon and meek-azure still work normally.

How popular is Tor among Chinese citizens?

Is there a simplified Chinese version of TBB and wiki for Chinese-speaking mainlanders?

Tails is available in Mandarin Chinese.

At the bottom of the greeter, one can select Tails to be run with Mandarin Chinese.

If you wish to know how to do it, please send an email to Tails' support.

Is there a simplified Chinese version of TBB and wiki for Chinese-speaking mainlanders?

There is a Chinese version of Tor Browser.

At https://www.torproject.org/download/download-easy.html, click the box that says "English" and change it to "简体字".

Or at https://www.torproject.org/projects/torbrowser.html#downloads, click the "简体字 (zh-CN)" download for your platform.

There is not a Chinese version of the wiki, but you can add new Chinese pages to it. For example, if you want to make a Chinese translation of the PluggableTransports page, you can create a wiki account, then go to https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/zh and click "Create this page".

You can change the wiki interface language at https://trac.torproject.org/projects/tor/prefs/language.

February 27, 2015

In reply to dcf

Permalink

There is a Chinese version of Tor Browser.

At.........click the box that says "English" and change it to "简体字".

I would like to suggest to the web master that Tor's web pages be made language-aware or region-aware. A good example is Microsoft's official website.

Depending on the default language that you set for Internet Explorer and/or "Region and Language" under the "Control Panel" of Microsoft Windows, Microsoft's official web pages would be served in the language of your choice.

Please keep in mind that a lot of people are in countries and can't read the language of the country (often if you travel...), or the country has different languages read among the people (a lot of country in Africa for example) !

So the best way is still to let people choose their favorite language (but please consider people not able to use english..)

February 26, 2015

Permalink

Can someone tell me what risk I am taking when I choose "low(default)" security level instead of the other 3? What's the difference between the 4 choices? One thing I realized is when I choose "High" or "Medium-High", some buttons on some websites do not displayed anymore, but I don't know if I downgrade the security level to see those buttons again, am I bringing any security risk to myself? Thank you.

These are fine questions and indeed the lack of information on the slider itself needs to get fixed. See: https://bugs.torproject.org/9387#comment:43 for things we disable/enable. Level 4 has disabled a bunch of features above all JavaScript. Level 3 allows JavaScript served by HTTPS (pages) and level 1 is basically the mode which should guarantee that all you need should work (apart from no-nos like plugins etc). I hope this helps at least a bit for now.

February 27, 2015

In reply to gk

Permalink

Another interesting question would be "since having different levels may lead to fingerprint, would NOT using the levels but instead choosing NoScript block all option, lead to more easily identify the user"?

February 26, 2015

Permalink

As a person who has been seriously stalked on all my devices
I greatly appreaciate TOR and all the folks that help make it happen. I have spent a lot of time reading the material offered by TOR in an effort to understand how to use it correctly to it's fullest capacity and also to understand "have I set it up correctly to protect the annoymity of myself and others and of TOR". But, S.O.S., I only get more confused with the more I read. Maybe this is not the place to bring my concerns up but it is a good example of my confusion. I currently have TOR browser 4.04 but came across this version and because it is 4.05 i assumed it's a newer version than mine, plus there seems to be features i may benefit from. Then I noticed "alpha" and do not understand what it means. I apologize if this is not the place to discuss my concerns. Would someone please then direct me to correct area that i may be helped? My PC is not used for illegal purposes with or without TOR. I have very little personal information on my devices, and no financial info at all, I can only conclude that my stalker(s) do this as a form of cruel, sadistic enertainment since they have been "in my face" letting me know I'm being watched. My country has laws protecting people from stalking but i refuse to go to law enforcement simply because i'm not even sure that they aren't the ones doing this to me. i may simply be a "real time" pilot study for them to test out all their evolving spying functions on my equipment. In either case, I live alone, no family, or other social protections, that this all gets very scary for me at times.

First, it's capitalized as Tor, not TOR.

Version 4.0.4 is from the 4.0 branch. Version 4.5-alpha-4 is from the new 4.5 branch. Because 4.5 has new features, it might have new bugs. "Alpha" means that 4.5 is still being tested, so 4.5-alpha-4 means that this version is the fourth alpha test release.

There's nothing illegal about using Tor.

Not telling the police you are being stalked because of a fear that they might be the stalkers is probably a bad idea.

February 27, 2015

Permalink

just did an upgrade to 4.0.4, computer said a newer version was already in the apps folder (4.5 or something like that---- double checked and did the upgrade - now all history and bookmarks are gone…any advice?

Try deleted file recovery for the places.sqlite file in the profile folder. If your bookmarks are important, back them up and encrypt them. Unless you need to know what websites you visited at certain times, your history should disappear like a fart in the wind.

Did your bookmarks survive the update to 4.0.4? Did you just install 4.5 over your existing 4.0.4 rather than updating? Is it possible that you now have two separate Tor Browser folders, one for each version? If the answer to the last question is yes, exit Tor Browser and start the older version and check your bookmarks.

February 27, 2015

Permalink

This is probably a naïve question, but how exactly do I edit my torrc to run a relay again? I've been dicking around with this, but my Tor-fu has failed me and I'd rather dick around with other things for a while. Thanks in advance.

March 03, 2015

Permalink

Excellent post. I was checking continuously this blog and I'm impressed! Very useful info particularly the last part bcbgeeefeecd

April 01, 2015

Permalink

Does anyone have a link to this version so i can download it? The latest update is a sack of garbage and I want this back!