Tor Browser 4.0.8 is released

by mikeperry | April 9, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release contains a fix for the update loop issue present in 4.0.7. It is otherwise identical to that release.

Both 4.0.7 and 4.0.8 contain an update to the included Tor software, to fix two crash bugs in the version of the Tor software included prior to 4.0.7. One crash bug affects only people using the bundled tor binary to run hidden services, and the other crash bug allows a malicious website or Tor exit node to crash the underlying tor client by inducing it to load a resource from a hidden service with a malformed descriptor. These bugs do not allow remote code execution, but because they can be used by arbitrary actors to perform a denial of service, we are issuing a security update to address them.

There will be no corresponding 4.5-alpha release for this fix, to allow us to focus on stabilizing that series for release in ~2 weeks.

Note to MacOS users: This is the last planned release that will run on 32-bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64-bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.6 (covering 4.0.7 and 4.0.8):

  • All Platforms
    • Bug 15637: Fix update loop due to improper versioning
    • Update Tor to 0.2.5.12
    • Update NoScript to 2.6.9.21

Comments

Please note that the comment area below has been archived.

April 19, 2015

In reply to by Anonymous (not verified)

Hijacked Firefox browser... new install! Made a post using Tor and got a security threat that took over Firefox and my DNS! When I cleaned Firefox, it pointed to a joining of Tor with Firefox that my firewall killed all connection! Had to do a backup and a browser reinstall!

April 09, 2015

"We've also made improvements to our display resolution fingerprinting defenses to automatically resize the browser window to a 200x100 pixel multiple after resize or maximizatio" What happened to this? I can still resize the window however I see fit in 4.0.8.

April 09, 2015

In reply to arma

Well, that's confusing. So there are updates released individually for two different versions? When can we expect 2.5.x to be released as "stable"?

Usually alpha and stable updates are released almost simultaneously. So, yes, to your first question. 4.5 should be the new stable next week or the week thereafter.

April 09, 2015

gpg --list-sigs 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key)
sig R 8B9E4469 2015-03-15 [User ID not found]
sig CD62C2F3 2015-03-25 [User ID not found]

gpg --recv-keys 8B9E4469 CD62C2F3
gpgkeys: key 8B9E4469 can't be retrieved
gpgkeys: key CD62C2F3 can't be retrieved

normal?

It's fine to have signatures from keys you've never heard of or can't fetch.

It's the keys that you *can* fetch, and consider trust in, that you should be looking at.

April 09, 2015

I feel the alpha version is faster and lighter than the stable version! Has anyone else experienced it?

April 09, 2015

I absolutely love the new feature of running Tor as a VPN on Android. We totally need this feature on PC too!

Having Tor function similarly to a VPN is a dangerous route, given that a major reason for such a setup is to allow users to use software that does not have or respect proxy settings to be routed through Tor. Software like that (if it's closed source) could easily be designed to NOT use a VPN connection and use methods to connect directly without going through the VPN-like Tor.

April 09, 2015

My Tor asked me if I wanted to update to 4.08. I chose to accept. It then installed. I also saw under the Window menu a "software update" option.

I found it a bit suspicious later because I thought you could only manually update directly from the website. I decided to then reinstall 4.08 by downloading straight from the website. All of a sudden I no longer see a "software update" option under the Window menu... only 'minimize', 'zoom' and 'about..'. Should I be concerned that the auto-update I initially experienced was not a legitimate software bundle? Was I hacked?

April 09, 2015

This probably is a dumb question (on this blog with many savvy posters). I installed the latest version (4.0.8) today and, unlike with prior new updates, couldn't figure out how to change the home page to one I prefer. Please help. Thanks.

April 09, 2015

Question on the preferred way to update:

TBB can be updated in-place via Help -> About Tor Browser (works similar to how regular Firefox will update itself in-place.) After this in-place update, About Tor Browser reports the current correct v4.08. However, plugins must then be manually checked/updated.

Is this process the same as / better than / worse than "updating" TBB by downloading and running the "torbrowser_install_xxxx.exe" package? How should TBB updates be correctly performed?

I'd say it's about the same. The only exception might be if you want to verify signatures before installing a 4.0x package. In that case, you'd have to download the bundle in order to verify it. In 4.5x, I think (but am not completely positive) it's going to have signature verification built into the self-updater, so at that point there will be even less of a difference between the two update methods.

April 10, 2015

Is it okay for me to update https everywhere to ver 5.0.2? Because TBB 4.0.8 still uses ver 4.1.3

April 10, 2015

When was version 4.0.7 released?

Why is it that my Tor browser version 4.0.6 was unable to detect/inform me that version 4.0.7 was released?

Note: In the settings for version 4.0.6, I have chosen the option of being informed of any updates via my Tor browser.

April 11, 2015

Is there a way to enable "limited script" for Tor users? This would allow Javascript that makes a web site function properly but disable any code that accesses identifying information. It is likely that Facebook is identifying Tor users which would make it easier to identify everybody else.

Another idea is to give priority to users of little bandwidth over users who are using massive amounts.

And another thought: I suspect that major email providers are blocking clearnet emails from darknet email providers. Even if they are allowed through in some cases, the darknet email providers need to have a delayed send feature. Otherwise the timing of Tor access can be correlated with the timing of an email.

April 11, 2015

If we can't trust java among the reasons are security issues revealing our your identity +++, why are we forced to enable java to use the Atlas?!

Anon

Your comment states the obvious "uses a handful of javascript...", yes, that's what this is about: java/javascript

Anon (call me no-java-please)

April 12, 2015

Regarding my previous comment, I did not intend to come across as purely critical. It was my intention to kindly offer suggestions. Tor is free and a great tool. I know that a lot of volunteer work from experts and resources are put into this project. Thank you.

>Tor is free

Tor is NOT free: the devs putting their hearts and minds and time and effort are paid for by donations. PLEASE stop saying Tor is free! It's obviously NOT!

You don't understand the concept of "free software." Tor is licensed under BSD and Tor Browser under GPL. That makes it free software.

April 12, 2015

Getting this on forums.hardwarezone.com.sg, can't log in also.

This Connection is Untrusted

You have asked Tor Browser to connect securely to secureforums.hardwarezone.com.sg, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

April 12, 2015

Previous versions blocked the popup ads; now they are coming streaming through. Any way to stop them?

While not specifically an ad blocker, disabling javascript can significantly reduce the number of popups. Have you changed how you're using noscript? Also, are you sure that the website(s) in question haven't changed behavior?

April 13, 2015

Appeal to Tor developers:

Please elect a scripting language/programming language to replace java/javascript and continue to build on that..

we cannot trust java
as a user we have very little control of java apart from disabling it with noscript in the browser

what would be nice (not making this Tor developers' responsibility here), is a sort of app-firewall/apparmor for java or a COMPLETELY security safe java-like to replace the existing java which is being rammed down our throats; java is being used because developers (java) are lazy and want to code once, well guess what python, perl etc also run on many platforms...

It's simply a contradiction here, Tor users are "advised" to use noscript to disable javascript yet developers continue to expand on its use especially with the Tor apps.

no-java Anon

You will confuse many people by continuing to say 'java' when you (I think?) mean 'javascript'. They are two totally different things.

April 14, 2015

In reply to arma

however java, javascript, jvm are interrelated in the context of a browser session, a Tor user expects use with maximum security possible.
perhaps my previous comment should state "javascript" then...apologies

no-java Anon

No; Java (which uses the Java Virtual Machine) and Javascript (which doesn't use the JVM) are not in most cases interrelated. Yes, you can use javascript for some (extremely limited) control of java applets, but from a security standpoint they are two very different technologies. Please, research the issue before posting; there's plenty of information on the web about Java and Javascript and the difference between the two.

but javascript seems to be associated with popups, adsite on a page, loading adsite for every godam webpage these days I know noscript deals with lots of things.
nothing personal, but I have no interest in either i just want the page from the domain I'm browsing.

thankyou for clarification

no-java Anon

From Torbrowser's perspective, ads and popups are near to the end of the list of concerns from javascript. They're not at the end but they make tracking easier. Of course you don't need either of them to track with javascript, and there are more dangerous things than tracking that javascript can accomplish.

I appreciate that Tor developers have core pieces to look after
security is important but, from our perspective, popups and ads are *king nuisance have spoilt the internet experience
I don't care about ads helping to finance something, get a million billion dollar corporation to pay for it, same logic as food packaging: don't make it the consumer's problem, get the manufacturers to comply, that's the source of the problem.
remove porn, ads, popups, marketing depts pull push bs and we would have a better world.

non-java Anon

April 23, 2015

In reply to arma

yes netscape called it that for so called marketing purposes
they intended to confuse and they've succeeded.
whatever it's called it's sh*t

thanks

no-java Anon

April 14, 2015

In reply to by Anonymous (not verified)

dart is or was google's replacement for javascript however
http://www.infoworld.com/article/2902074/javascript/google-dart-will-no…

http://tobyho.com/2010/03/11/how-much-of-the-web-actually/
is actually quite interesting how ebay site is still relatively functional without javascript enabled proof of what is possible depending on the code and whats required.

Tor
as security sensitive Tor, onion and hidden services are why consider using javascript at all?
are the inclusions deliberate? are some aspects of insecurity included for some purpose?
a lean Atlas page displaying just the facts isn't as sexy as it is current but then who cares how pretty it looks I'm using the Tor bundle with security in mind?!

no-java Anon

It really isn't because there's no intention to expand it to include all of javascript's functionality and if it was expanded there's no reason to believe it would be safer.

April 14, 2015

In reply to by Anonymous (not verified)

First of all, Java =/= Javascript; in fact, they're not remotely related from a technical standpoint. Javascript was originally named livescript but was renamed to Javascript for marketing reasons after the first Java plugin was made for Netscape (some type of 'wave' of "Java-" technologies). Second, Tor project developers are hardly ramming javascript down anyone's throat. Sure, the web is more and more dependent on javascript every day, but it's not like someone can simply write a replacement for javascript and expect all the web developers to move over, especially when a scripting language is only supported by one browser. Microsoft tried that with vbscript back when IE held far more of the market share and they failed. That's not even mentioning the fact that coders would have to recode everything and despite what you think, that's a substantial job especially given they'd have to learn a whole new language to code with. In addition, any new language, like any new piece of software, is going to be buggy; such a solution is going to add to the number of security vulnerabilities in the initial period. That's where a good number of the Javascript security threats are: bugs. A new scripting language is simply adding to that problem; sure, Javascript was not designed with all of the threats that Torproject thinks about but those threats aren't the only or even primary reason to disable Javascript. Yes, disabling Javascript is the easy answer (Torbrowser contains patches to make Java itself incredibly hard to enable), but that's because for most users that's all they need to know. However, if you're going to give actual suggestions or make appeals it might be a good idea to know what you're actually talking about. It may be cool to jump on the Javascript hating bandwagon, but if you don't know why you're there you really aren't in any place to give advice.

further web searches
netscape called it javascript for marketing purposes but has no relation to java (and jvm); intention was to confuse with the jargon and it's still called javascript to this day.
alternate names -jscript even suggests 'Java', or its original 'ecma'
without javascript enabled on a webpage we get just the main content, I have no interest at all in scorecardsearch, adtech, every other useless adsite popups and related (thank god for noscript)
I think most people would agree we can do without the crap bolted on or called by javascript on just about every website these days = "rammed down our throats". my earlier comment doesn't say nor did I suggest it was just Tor browser teams, it's webadmins everywhere, surfing the web is not as pleasant an experience as it was decades ago.
thank you Tor developers for the great work.

no-java Anon

April 27, 2015

In reply to by Anonymous (not verified)

First of all, popup ads aren't nearly as bad as they used to be. After several years of most browsers having some limited form of blocking, their prevalence has definitely decreased as they aren't worthwhile from a revenue perspective. Second, javascript does far more than just ads. In fact, that's why in most browsers you can't simply disable it like the old days. Firefox (and therefore Torbrowser) uses javascript internally to do a whole bunch of things; it wouldn't work without javascript. Of course, that's separate from javascript from external sources.

are you suggesting we just enable javascript and wait for an ad related bit to do something and then work out if it was malicious or just a nuisance?!

non-java Anon

new software, buggy -that's not supposed to be an excuse for not using it, oh I just forgot developers want to develop and not go back and do any fixing.
I answered 'ramming' in another post
I and many others will continue to block and disable ecmascript till it dies a death and never returns.
thank you for your explanations

no-java Anon

Software being buggy is a very good reason not to use it when dealing with security; Javascript bugs are after all the number one reason to disable javascript. A bug in a web browser can easily be exploited to do a whole number of nasty things, like infecting your system with a trojan.

coders will have to recode...
technology comes and goes all the time, entire websites are rewritten all the time how is that different from any other week, month?!

no-java Anon

Yes, and every line of code can be buggy and that bug could be exploitable. Of course, that's true with old code as well, but the old code has had time for people to find the bugs. By the way, entire websites aren't rewritten all of the time. Most major (big) websites are significantly compartmentalized and they change one piece at a time; they don't throw out the whole thing and start over unless they have to.
But that's missing another major point: Any replacement for Javascript that handles most of the use cases for Javascript is going to have the same problems as javascript. It's not like we don't already have several different implementations of javascript already.

April 13, 2015

Tor Service Help

I have windows 7

I updated to 4.0.8 when the update message appeared. Now when I try to open the browser it hangs up while loading (the green screen line stops moving half way along).

Downloaded 4.0.8 directly from the web, same results.

Any suggestions?

Thank you for your support.

April 13, 2015

Hey Guys Isn't This Tor Version Compact With IDM (Internet Download Manager)

It helps download acceleration

Why should you trust a piece of closed-source software that might be leaking everything you do on your computer for "Download Acceleration," a task that has many other open-source solutions?

April 14, 2015

Since installing the latest version of tor last night AVG antivirus keeps blocking tor from running

AVG has never done this before. If I turn AVG off then tor will start and run

Any ideas?

April 14, 2015

Hello, I just tried to download and launch this newer version and I keep getting a (firefox.exe) error which prevents the browser from launching. I tried a number of different approaches and they all have failed. Some insight or tips would be appreciated.

April 15, 2015

sqlite is buggy, exploitable.

Should be patched.

April 16, 2015

Since this release opening the tor browser bundle is very slow for me. It used to take max 5 seconds with the previous release, now sometimes I have to wait 10 minutes. Why is this happening?

April 17, 2015

I just downloaded

tor-browser-linux64-4.0.8_en-US.tar.xz
tor-browser-linux64-4.0.8_en-US.tar.xz.asc

and the key used to sign the tar file is

gpg: Signature made Thu 09 Apr 2015 10:44:53 AM PDT using RSA key ID D40814E0
gpg: Can't check signature: No public key

I can NOT find this key on the key signing page.

April 17, 2015

Oops - the RSA key ID is the last 8 characters.

The primary fingerprint appears to match but there is no fingerprint for the RSA signing key of D40814E0. Where can I find the fingerprint?
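
Added example (not part of the original post, its comments, or the Tor Project's tooling): gpg names the key that actually made a signature, which can be a signing subkey with its own ID, so a verification script should pin the primary-key fingerprint that gpg reports in its VALIDSIG status line. The function names, the use of the long key ID quoted in an earlier comment as the pinned value, and the zero-padded sample fingerprints are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: classify gpg's machine-readable verification status and
# require that the signing (sub)key belongs to a pinned primary key.

# Long key ID quoted in the comments above. Assumption: for real use, pin the
# full 40-hex-digit fingerprint published by the project instead.
EXPECTED_PRIMARY="4E2C6E8793298290"

# Reads `gpg --status-fd 1 --verify` output on stdin; $1 is the pinned ID.
# Prints a one-line verdict; returns 0 only for a good signature whose
# primary-key fingerprint ends with the pinned value.
classify_verify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }                 # skip human-readable text
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG" && NF >= 12 { signer = $3; primary = $NF }
        $2 == "NO_PUBKEY" { nokey = $3 }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        END {
            if (bad)         { print "bad-signature"; exit 1 }
            if (nokey != "") { print "no-public-key " nokey; exit 1 }
            if (stale)       { print "expired-or-revoked-key"; exit 1 }
            if (!good || primary == "") { print "no-valid-signature"; exit 1 }
            tail = substr(primary, length(primary) - length(want) + 1)
            if (toupper(tail) != toupper(want)) {
                print "wrong-primary-key " primary; exit 1
            }
            print "ok signer=" signer " primary=" primary
        }'
}

# Real use: verify_bundle tor-browser-linux64-4.0.8_en-US.tar.xz.asc \
#                         tor-browser-linux64-4.0.8_en-US.tar.xz
verify_bundle() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_verify_status "$EXPECTED_PRIMARY"
}

# Constructed status output; fingerprints are zero-padded placeholders built
# from the short IDs on this page, not real fingerprints.
SUB=00000000000000000000000000000000D40814E0
PRI=0000000000000000000000004E2C6E8793298290
OTHER=1111111111111111111111111111111111111111
SAMPLE_OK="[GNUPG:] GOODSIG 00000000D40814E0 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG $SUB 2015-04-09 1428601493 0 4 0 1 8 00 $PRI"
SAMPLE_NOKEY="[GNUPG:] ERRSIG 00000000D40814E0 1 8 00 1428601493 9
[GNUPG:] NO_PUBKEY 00000000D40814E0"
SAMPLE_OTHER="[GNUPG:] GOODSIG 1111111111111111 Constructed Other Key
[GNUPG:] VALIDSIG $OTHER 2015-04-09 1428601493 0 4 0 1 8 00 $OTHER"
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG 00000000D40814E0 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG $SUB 2015-04-09 1428601493 0 4 0 1 8 00 $PRI"

# Print the verdict for each constructed case.
for s in "$SAMPLE_OK" "$SAMPLE_NOKEY" "$SAMPLE_OTHER" "$SAMPLE_EXPIRED"; do
    printf '%s\n' "$s" | classify_verify_status "$EXPECTED_PRIMARY" || true
done
```

The second sample reproduces the "Can't check signature: No public key" case: the verdict names the key ID gpg could not find, and nothing is reported as verified until the corresponding public key has been imported.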

April 17, 2015

about:config

experiments.enabled;true
network.http.sendSecureXSiteReferrer;true
beacon.enabled;true

?????????

April 19, 2015

FF31.6.0 Tor4.0.8 on Win7 SP1. Getting "another version of Firefox is already running" when trying to launch the browser for a second time. Only fix is to delete old browser and reinstall from install.exe.

Didn't have this issue when using Tor4.0.6.

(sorry for double posting, forgot to include tidbit about previous version)

I have experienced that on occasion for as far as back as I can recall.

The following usually works (but will close any and all instances of regular Firefox that may be running). Open a terminal and execute the following command:

killall firefox

Then restart Tor Browser.

Sorry, it just hit me that my previous response assumed you were also a (GNU+)Linux user, when from your post it was clear that you are a Windows user.

April 24, 2015

Please allow "One Click" access in place of "Long Press" option in Orbot. I have faced this incident where accidentally my phone dropped out of the bag and when I tried again to use Orbot, I was no longer able to as I was told that my phone suffered some display issue and so I lost "Touch and Hold" functionality. I was trapped and had no option left to communicate with privacy

Please allow a simple one-tap access within the app.

April 24, 2015

I got a question. I recently attained bookmarks from my firefox browser by exporting to HTML. I imported them into the new tor browser (4.0.8). Now I have bookmarks from my firefox browser in my tor browser. Is this OKAY? Do they use different coding? Will my ISP be able to tell that it's not actually firefox I'm using but Tor browser? They figured it out once when I opened both at the same time and blocked it. Can they figure it out from the bookmarks? Does it compromise my anonymity in any way?

May 01, 2015

Tor warned me about someone trying to hack and get me to click something. Never seen that warning before. I closed tor immediately.

May 31, 2015

What domains do we need to authorize in order for the Google CAPTCHA dialog to correctly display its images? This is the common CAPTCHA that Google is promoting now across the web for use by third party web sites.