Tor Browser 4.5.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.2 provides a fix for the Logjam attack (https://weakdh.org/) and updates a number of Tor Browser components: Tor to version 0.2.6.9, Torbutton to version 1.9.2.6, NoScript to version 2.6.9.26 and HTTPS-Everywhere to version 5.0.5. Moreover, it fixes a possible crash on Linux and avoids breaking the Add-ons page if Torbutton is disabled.

Here is the complete changelog since 4.5.1:

  • All Platforms
    • Update Tor to 0.2.6.9
    • Update OpenSSL to 1.0.1n
    • Update HTTPS-Everywhere to 5.0.5
    • Update NoScript to 2.6.9.26
    • Update Torbutton to 1.9.2.6
      • Bug 15984: Disabling Torbutton breaks the Add-ons Manager
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 16130: Defend against logjam attack
    • Bug 15984: Disabling Torbutton breaks the Add-ons Manager
  • Linux
    • Bug 16026: Fix crash in GStreamer
    • Bug 16083: Update comment in start-tor-browser
Tags
tor browser bundle
tor browser
tbb
tbb-4.5
Anon

Anonymous (not verified) said:

June 16, 2015

Permalink

> Update OpenSSL to 1.0.1n

I take it then that Tor/Firefox are not effected by the HMAC ABI breakage that required the v1.0.1o release of OpenSSL the day after v1.0.1n?

That is our current understanding, yes. Thus, even pointing to a system tor or copying a self-compiled tor into the respective Tor Browser directory should not break things for users.

The regular Tor Browser update in two weeks will ship with OpenSSL 1.0.1o then.

To: mikeperry, gk, arma, erinn, et. al.

Firstly thanks for bringing out the latest update.

Secondly, according to gk, the next update of Tor Browser will include OpenSSL 1.0.1o.

Please, please, co-ordinate with Tails' developers so that Tails will have a Tor Browser that includes OpenSSL 1.0.1o and the latest updates from you guys. Your ability to work with Tails as a team and in-sync would be appreciated. For your info, according to Tails' website, the next update of Tails is scheduled for June 30.

Anon

Anonymous (not verified) said:

June 16, 2015

Permalink

My Windows PC has the OpenSSL 1.0.2 branch in the system directory. Do you perceive possible conflicts with TorBrowsers OpenSSL 1.0.1 when using TorBrowser?

Are there security/anonymity benefits of using OpenSSL 1.0.1 over 1.0.2?

> You will receive a faster response if you re-post your question on https://tor.stackexchange.com/

No, you won't. I asked the same question over a month ago and got no responses.

What's the difference between "new identity" and "new circuit for this site"?

New identity clears the browser state.

What's the difference between "new identity" and "new circuit for this site"?

You will receive a faster response if you re-post your question on https://tor.stackexchange.com/

"New Tor Circuit for this Site" just gives you a new Tor circuit for the particular website leaving all your browser state (cookies, etc.) untouched. "New Identity" gives you basically a clean, new browser session.

Thanks guys!

Not sure if a bug - windows resizing is not working properly. When I open tbb and go to ipcheck.info my monitor screen sizes varies from 999 x 490 pixels and other variations of this instead of the default size intended for TBB.

works without problem on my system: when I open ipcheck.info, I get 1000x600 pixels, which seems to be the intended value.

which operating system do you use?? maybe your window manager will mess up things...

I get--> Browser window 1004 x 632 pixels (inner size)

on Windows.

The link "https://weakdh.org/" is not working. I always get that "Problem loading page" thing...

The time: 14:30:00 UTC

Anon

Anonymous (not verified) said:

June 16, 2015

Permalink

now it works! I guess I was simply too impatient ::-)

ERROR: Not all signatures were verified

Is the signature's process during update not yet ready ?

What is broken in particular?

The error message during the update is scary:
Jun 17 20:55:54.000 [notice] New control connection opened from 127.0.0.1.
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
Jun 17 20:56:15.000 [notice] Owning controller connection has closed -- exiting now.

Did we install hacked software?

No, see: https://bugs.torproject.org/15532 for the background of this issue.

Some files from https://dist.torproject.org/torbrowser/4.5.2/ has 0 byte size

for example: tor-win32-0.2.6.9.zip, torbrowser-install-4.5.2_it.exe, TorBrowser-4.5.2-osx64_es-ES.dmg.asc and others.

This should be fixed now, thanks for reporting.

What is the fix for Logjam, disabling DHE ciphers or requiring minimum bitness, and If bits, how many?

Disabling DHE ciphers is one option but Mozilla did not do this. Rather, the fix we backported bumped the minimum key size. It is now 1024 bits.

Ok, thanks :)

SHA256 checksum doesn't verify

https://dist.torproject.org/torbrowser/4.5.2/sha256sums-unsigned-build…

2de1e369dea4b2c6a1192bad8b65e9cfb70ea2830ddb2ab0305be95cddbcda84 torbrowser-install-4.5.2_en-US.exe

As the name of the file implies this is the checksum of the *unsigned* .exe. Have you stripped the authenticode signature first, before comparing the SHA 256 sums? See: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…

SHA256 checksum doesn't verify

My personal experience is if you are using Microsoft Windows OS, you could try installing gpg4win and use it to verify torbrowser-install-4.5.2_en-US.exe.asc against torbrowser-install-4.5.2_en-US.exe

gpg4win is available for free from: http://www.gpg4win.org/download.html

AVG attacks Torbrowser durning installation. (4.5.2 WIN)

Hadn't happened here, with AVG on my Windows.

Same. Tried installing it differently as well.

same. AVG detect Unknown Virus during installation / upgrade of 4.5.2
Win 7

AVG exactly found a threat named "IDP Generic Whitelisted". If let it repaire it deletes the tor.exe. Or you should add to AVG exceptions. I`v controlled the fingerprint and it was OK, but i don`t want punch a hole on my firewall with the exception. Please help me find a solution.

Tor browser is often unable to connect to the Tor network or pages
do not load.It works well only in Linux.I am in Russia.Can somebody
help?

I've tried to download the italian version but it's 0 byte large.
Can you check and solve this problem?
Thanks.

This should be fixed now, thanks for reporting this issue.

Tor had finally been working well for commenting on political sites. I could get a new circuit quickly, which is necessary for sites that have blocked many of Tor exit IPs. It is necessary to try many IPs before a post can get through the site's block list.

Now it is frigged up again, since getting a "new circuit for this site" reloads the page. The process takes much longer. Why did you change what had worked well?

If you people have no conception of what it is like to try and use Tor for online commenting, what in heaven's name are you using Tor for? Pirating movies?

Maximizing the browser window still does not work (4.5.2 WIN). The maximize window button does odd things: resulting window too high for screen, or window reduced to a bar. I'd like to start maximized. What can I do?

Are you sure you want to maximize? Are you aware of the fingerprinting implications?

I have the same issue. Unable to expand the TOR browser window. (Version 4.5.2 Windows 8.1) I could not find any options to correct this problem. Please help.

Domain isolation still broken. Can't download anything from any file host tried. When will this be a toggle?

Could you give me steps to reproduce your problem?

And on 4.5, only worked sometimes or with a new circuit created manually.

Link gets deleted because *obviously* it is evil. If repeat, look at end of ticket 15933, and just find any link to that site anywhere. Last worked on 4.5

tor-browser-linux32-4.5.2_en-US does not work for me:

$ ./start-tor-browser
$ echo $?
126