Tor Browser 4.5.2 is released

by mikeperry | June 16, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.2 provides a fix for the Logjam attack (https://weakdh.org/) and updates a number of Tor Browser components: Tor to version 0.2.6.9, Torbutton to version 1.9.2.6, NoScript to version 2.6.9.26 and HTTPS-Everywhere to version 5.0.5. Moreover, it fixes a possible crash on Linux and avoids breaking the Add-ons page if Torbutton is disabled.

Here is the complete changelog since 4.5.1:

  • All Platforms
    • Update Tor to 0.2.6.9
    • Update OpenSSL to 1.0.1n
    • Update HTTPS-Everywhere to 5.0.5
    • Update NoScript to 2.6.9.26
    • Update Torbutton to 1.9.2.6
      • Bug 15984: Disabling Torbutton breaks the Add-ons Manager
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 16130: Defend against logjam attack
    • Bug 15984: Disabling Torbutton breaks the Add-ons Manager
  • Linux
    • Bug 16026: Fix crash in GStreamer
    • Bug 16083: Update comment in start-tor-browser

Comments

Please note that the comment area below has been archived.

June 16, 2015

Permalink

> Update OpenSSL to 1.0.1n

I take it then that Tor/Firefox are not effected by the HMAC ABI breakage that required the v1.0.1o release of OpenSSL the day after v1.0.1n?

That is our current understanding, yes. Thus, even pointing to a system tor or copying a self-compiled tor into the respective Tor Browser directory should not break things for users.

The regular Tor Browser update in two weeks will ship with OpenSSL 1.0.1o then.

June 16, 2015

In reply to gk

Permalink

By the way:

"The regular Tor Browser update in two weeks"

Will this update be 4.5.x or 5.x.x ??

June 16, 2015

In reply to gk

Permalink

To: mikeperry, gk, arma, erinn, et. al.

Firstly thanks for bringing out the latest update.

Secondly, according to gk, the next update of Tor Browser will include OpenSSL 1.0.1o.

Please, please, co-ordinate with Tails' developers so that Tails will have a Tor Browser that includes OpenSSL 1.0.1o and the latest updates from you guys. Your ability to work with Tails as a team and in-sync would be appreciated. For your info, according to Tails' website, the next update of Tails is scheduled for June 30.

June 16, 2015

Permalink

My Windows PC has the OpenSSL 1.0.2 branch in the system directory. Do you perceive possible conflicts with TorBrowsers OpenSSL 1.0.1 when using TorBrowser?

Are there security/anonymity benefits of using OpenSSL 1.0.1 over 1.0.2?

June 16, 2015

Permalink

What's the difference between "new identity" and "new circuit for this site"?

"New Tor Circuit for this Site" just gives you a new Tor circuit for the particular website leaving all your browser state (cookies, etc.) untouched. "New Identity" gives you basically a clean, new browser session.

June 16, 2015

Permalink

Not sure if a bug - windows resizing is not working properly. When I open tbb and go to ipcheck.info my monitor screen sizes varies from 999 x 490 pixels and other variations of this instead of the default size intended for TBB.

works without problem on my system: when I open ipcheck.info, I get 1000x600 pixels, which seems to be the intended value.

which operating system do you use?? maybe your window manager will mess up things...

June 16, 2015

Permalink

The link "https://weakdh.org/" is not working. I always get that "Problem loading page" thing...

The time: 14:30:00 UTC

June 16, 2015

Permalink

ERROR: Not all signatures were verified

Is the signature's process during update not yet ready ?

June 17, 2015

In reply to gk

Permalink

The error message during the update is scary:
Jun 17 20:55:54.000 [notice] New control connection opened from 127.0.0.1.
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
Jun 17 20:56:15.000 [notice] Owning controller connection has closed -- exiting now.

Did we install hacked software?

June 16, 2015

Permalink

What is the fix for Logjam, disabling DHE ciphers or requiring minimum bitness, and If bits, how many?

AVG exactly found a threat named "IDP Generic Whitelisted". If let it repaire it deletes the tor.exe. Or you should add to AVG exceptions. I`v controlled the fingerprint and it was OK, but i don`t want punch a hole on my firewall with the exception. Please help me find a solution.

June 16, 2015

Permalink

Tor browser is often unable to connect to the Tor network or pages
do not load.It works well only in Linux.I am in Russia.Can somebody
help?

June 16, 2015

Permalink

I've tried to download the italian version but it's 0 byte large.
Can you check and solve this problem?
Thanks.

June 16, 2015

Permalink

Tor had finally been working well for commenting on political sites. I could get a new circuit quickly, which is necessary for sites that have blocked many of Tor exit IPs. It is necessary to try many IPs before a post can get through the site's block list.

Now it is frigged up again, since getting a "new circuit for this site" reloads the page. The process takes much longer. Why did you change what had worked well?

If you people have no conception of what it is like to try and use Tor for online commenting, what in heaven's name are you using Tor for? Pirating movies?

June 16, 2015

Permalink

Maximizing the browser window still does not work (4.5.2 WIN). The maximize window button does odd things: resulting window too high for screen, or window reduced to a bar. I'd like to start maximized. What can I do?

I have the same issue. Unable to expand the TOR browser window. (Version 4.5.2 Windows 8.1) I could not find any options to correct this problem. Please help.

June 16, 2015

Permalink

Domain isolation still broken. Can't download anything from any file host tried. When will this be a toggle?

June 17, 2015

In reply to gk

Permalink

And on 4.5, only worked sometimes or with a new circuit created manually.

June 17, 2015

In reply to gk

Permalink

Link gets deleted because *obviously* it is evil. If repeat, look at end of ticket 15933, and just find any link to that site anywhere. Last worked on 4.5

"If a command is found but is not executable, the return status is 126." For some reason you need to do a chmod +x on the file first. How and where (file system) did you extract the .tar.xz in the first place? What are the permissions of the script after extraction in your case?

June 16, 2015

Permalink

Downloaded this update multiple times, crashes immediately on launch, says to send the tor log, but the log is completely empty. This is 64-bit Mac OS X version.

June 16, 2015

Permalink

error ssleay32.dll tor missing file / bad install...avg error.

did a "restore" through avg after some fiddling and it "solved" it; but I'm not convinced currently. Gonna hit 4.5.1 for now.

4.5.1 is bringing up the error now too...

What do you mean with "dont not work"? It does not load, or...? And did it work with a former version? If so, which one?

June 23, 2015

In reply to gk

Permalink

The website webmail.hostinger.com dont load.
the page show a blank page in a infinity loading.

June 17, 2015

In reply to by Anonymous (not verified)

Permalink

Tor Browser doesn't have issues with Google recaptcha, Google recaptcha has issues with Tor Browser, or more specifically an issue with clients without javascript enabled.

Update. I managed to find torbrowser-install-4.0.8_en-US.exe. If someone has PGP signature for this file (contents of .asc), please post it here for sure that the file is not trojaned.

torbrowser-install-4.0.8_en-US.exe.asc

  1. <br />
  2. -----BEGIN PGP SIGNATURE-----</p>
  3. <p>iQIcBAABCgAGBQJVJrogAAoJEC4axo7UCBTgqHMQAL0P6KZCUOtL57/JaPUTQM/A<br />
  4. FfZUBLHNTnh7Q7s77BaMSNUVQyZ/jBmbt+UwNZoGyLlOFhr+yBOcTmJVUlixZklF<br />
  5. nh8wEnY2/nNHrrd5l8Tzrp8XNYqfLgrCcohSNy9f768h831ffvE0uIkRDxLhm4e1<br />
  6. tABBPMPtYW9GO+hF7Un8CeILARPfYsPDErRJeBv3X6cfuYkC60MqpXyg/zXl897x<br />
  7. ItA9E6n0IP3n6UbAL4PceRAt1gh/PLY3BW7m3icVSlyWN6BkuyYWeqS7z8Lz4kWC<br />
  8. aJHA7aXqQAbuM4NgPEBgHcHmt3RyeUyGTLsFuPRuEA8cnAFpNvIS86oGrxqZJ6gc<br />
  9. IRQMEFO7OxGn5Vuy4NRYKz7WpFnX4FtCzmRR8rRrhE/h59+9yishUtS+NPXy2kQO<br />
  10. x0nnOSxGz1flPl276VBdNbSdXQFmslntpFV+dI5cpe+j+2AQruzWA6fR7NYZNnJs<br />
  11. dd3zyafspKQLAQxXsRyeR25iWjMafUYC49ouF52PsmajICSX02MfEFl1KQF6xAgA<br />
  12. i2ER3X++5N+ep8WImv8IcRde6Rfq0K03GiNzMVstpuw3tsQSQl0MYVhTwSNV8Q8t<br />
  13. Jit4AYDvRQ/QiZx03s2JTng4TUIL8e0u3SiybOXZUmeiFQQl9jJJicVzk4UDo9gS<br />
  14. WwZA7LxoopPxyr1g0OLo<br />
  15. =qd41<br />
  16. -----END PGP SIGNATURE-----<br />

June 17, 2015

Permalink

Tor Browser versions 4.5.2 & 4.5.1 for OS X are working usually fine.

But Tor Browser is actually crashing already for a long time on some webpages.
Tried to reproduce this again with the 4.5.2 version on this news page form dr.Web antivirus company, where this problem almost always is happening.

https://news.drweb.com/show/review/?lng=en&i=9461

Trying to directly print this page as a file, not using the preview option, results in a complete browser crash almost every time.
The crashes are not happening when I completely disable the page css, but you need to install an extra browser extension for that to accomplish printing without css lay out.
This crash was without any extra browser extension so it could not be addressed to that.

A very little piece of the crash report.

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000…….
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

The Dr. web site is only one of the sites thats causing a complete crash on printing as a file.
Now is this a Tor Browser problem or a very smart or bad webdesigned (css) way to prevent visitors printing a page?

I did not mention this before because it's only happening on some webpages.

June 17, 2015

In reply to gk

Permalink

Hi GK,

I did not test it yet on OS X 10.10 Yosemite but the crashes on the page mentioned are happening in two older different OS X versions.

Got another crash one, different OS X system

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000…….

Anyway, I figured out that it probably has something to do with the NoScript settings after I did bring the Torbutton slider to the security setting 'Very Much Higher'.
Now, because you do not have the spec for that (yet ;), where can I upload that particular "Very Much Higher" Noscript config?
Pasting the exported specific NoScript settings as plain text would take too much space here.
Also images can say more then a thousand words but there's not an upload function for that (?).

The crash procedure is quite simple.
Visit the particular page of Dr.Web
https://news.drweb.com/show/review/?lng=en&i=9461
Do not allowing javascripts, give a printing command (cmd P), window appears, take in the left corner below the pdf button and choose under the arrow the hidden menu the option "Safe as pdf" , choose a location for storing the file, enter, wait a moment, swoosh there vanishes your browser.

I did also change the page lay out settings a bit, I don't like the url on the right side because a lot of times it's leaving the page and therefore not to use afterwards, so I put it on the left side. Did remove the printing date as well.

I really do think it has something to do with these manual extra secure NoScript settings, I'll try to reproduce this later on OS X Yosemite 10.10 as well.

Hi again GK,

Tested the print crash problem on another machine with OS X 10.10.3 Yosemite and Tor Browser 4.5.2 (3100.1.1) X86-64 (Native).
It gave another crash again on the particular dr. Web sitepage.

Part of the crash report again :

Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000……(some more numbers and letters)..

VM Regions Near …….:
    VM_ALLOCATE            …(some more numbers and letters)... [ 2824K] rw-/rwx SM=PRV  
-->
    VM_ALLOCATE            …(some more numbers and letters).. [ 1024K] rw-/rwx SM=PRV  

Extra note is that this problem exist on other websites as well (not a majority) but I just could remember this site doing this.
It seems OS X version independent, I tested it now several times with different Mac’s and different OS X versions, from the oldest supported X (by Torproject) to the newest OS.

Maybe you can reproduce this problem by setting NoScript almost as strict one can do, or otherwise just let me know where to paste an example of the used NoScript settings for this Crash matter.

If this is related to a NoScript setting could you try to isolate that one? I tried to follow your steps with the security slider set to "High" on an old OS X system (10.6.8) but I did not get to crash my Tor Browser. Opening a bug on https://bugs.torproject.org might be a good way as well to track this issue further down.

June 17, 2015

Permalink

Unable to expand the TOP browser window. (Version 4.5.2 Windows 8.1) I could not find any options to correct this problem. Please help.

June 17, 2015

Permalink

AVG 2015 detects "tor.exe" for the "tor 4.5.2" as a threat and don't give any other option than deleting :(

June 17, 2015

Permalink

Unable to expand the TOR browser window after update to version 4.5.2 (Windows 8.1, Windows 10, FullHD 1920x1080) I could not find any options to correct this problem. The problem occurs immediately after you make any change in your browser settings. The same problem also occur in version 5.0a2. Please help.

Be very sure you know exactly what your asking; Tor Browser is moving towards set browser window sizes for a reason! You're opening yourself up to browser fingerprinting.

June 17, 2015

Permalink

Why do you not all work on the Tor Project Browser? That way, we can keep releasing new version so much faster. You are all lazy punks, posting comments and wasting time. Go sign up and volunteer to work on this project, or else...

Or else Astoria will reign supreme!!!!!!!!!!!!!!!!!! HWAHAHAHAHA!

June 17, 2015

Permalink

Whenever I search a term using the right click->"Search for *", it goes to the disconnect search page and NoScript gives error "NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome]. Technical details have been logged ..." How would I go by searching like this without disabling NoScript/temporarily allowing scripts?

By the way, there's a extra word typo and it says "Search Search for * instead, not sure if Tor devs should fix it or report it Mozilla.

The "Search Search" is coming from the fact the we are using "Search" instead of "Disconnect" as our search engine name as users might get the feeling they are disconnecting from the Tor network with the search bar otherwise. Seems we can't win here. :/

I need to investigate the XSS warnings. Maybe Disconnect or we can do something about them. I've created https://bugs.torproject.org/16425 for it.

June 23, 2015

In reply to gk

Permalink

Why not abbreviate to DC or Disc.? Would be better than leaving it as Search Search

June 17, 2015

Permalink

SERIOUS: I was using TBB for like an hour and then i visited ipcheck.info and it said that I was not using TOR and it could uniquely identify me!

Your IP:

213.61.149.100 (Proxy)
Cache (E-Tags) -> produced a number
HTTP session - > unlimited
Referrer: shown

and various other factors of identification! Why has this happened??

June 17, 2015

Permalink

Potential bug: I set NoScript to disallow all scripts globally, however if I set the tor button security setting to "Medium-High" it overrides the NoScript setting and allows scripts. This is pretty confusing.

This is a actually a feature to avoid people shooting themselves in the foot by having different configuration settings. We provide four different security levels which govern JavaScript settings as well in a less-fingerprintable way.

June 27, 2015

In reply to gk

Permalink

Ok, this is alright if it's by design. The confusing part was, that it won't allow me to setup a more restrictive setting for NoScript. Now, that I know this, it's okay. Thank you for your effort!

June 18, 2015

Permalink

I also have AVG detecting an unknown threat in the update. What do I do now? I'm using Windows 8.1.

June 21, 2015

Permalink

tor very great
tor browser vulnerable to hacking,man-in-the-middle-attacks,viruses,spyware,etc
tor browser secure
thanks tor project to securing tor browser

"In present you can use Vidalia for a similar feature.If you want."

Right.
And the user can set HIS prefered entry,directory guards from the relay list in Vidalia. It would be really WORSE + a problem if TAILS denies custom entry.
The possibility to make custom entry persistent on DVD/USB woud be nice,too.

June 22, 2015

Permalink

Somehow, with the new 4.5.2 on Win7 64, Tor suddenly will NOT start at all.
I also tried the 5.0a2, which did the same. Older versions of Tor still work on my system.

Do you get error messages? What does "NOT start at all" mean? You don't see any Tor Browser configuration dialog? Or just the browser is not showing up? Do you have an Antivirus program running? If so, which one?

June 23, 2015

Permalink

Bridges do NOT work in this version of TBB for Linux. Whether obfs3 or obfs4, default bridges or manually entered, Tor will not be able to connect. You can only connect if you don't use bridges. Fix this, please.

June 24, 2015

Permalink

Hi Mr. Perry
I'm a Windows 7 user and have been using Tor Browser for the past 5-6 years on both Windows XP & 7 successfully . In fact Tor has been working flawlessly for me up to the last 10 days . I have not been able to connect to Tor since then . I continuously get the message " no route to host ***.***.***.***:*** ".
The problem,in my opinion,started with version 4.5 and on later .
I have been getting bridges that resulted in the same result : no route to host .
In the meantime , I have been able to connect to FREEGATE software easily which IT SAYS "CONNECTED TO 7 SERVERS".
A few hours ago I got three more obfs3 bridges and I'm now connected to Tor and posting this message (comment ) .
By the way , I'm in Iran .
It seems that the censors have found a way to block Tor in Iran .
Please investigate my comments and try to find out a solution to the problem for the Iranians.
I don't know whether it's relevant or not :
I opened regular Firefox and after a minute or so I opened Tor Browser connect page and after 4 to 5 minutes I got connected . I did the same with other browsers and even when Freegate software was running and I could not get connected to Tor.
I'm anxiously awaiting for your new and improved Tor Browser .

June 28, 2015

Permalink

I still have Chatzilla problem on Linux, when connecting: "error creating socket".
I added SocksPort 8150 NoIsolateSOCKSAuth below SocksPort 9150 in torrc-defaults

What do i put in Chatzilla >> Preferences >> Global Settings >> Proxy Type: ?

Neither of http://chatzilla.hacksrus.com/faq/#proxy settins works

July 02, 2015

Permalink

Cloudflare has changed his ugly behaviour blocking normal surfing with tor and is
working with most(?) exit relays?
That would be nice.

July 03, 2015

Permalink

Have you changed the way the scrolling through pages with the arrow down key works? Ever since this update it seems using the arrow up and down keys to move up and down a webpage results in different behaviour. Whereas before it would scroll down evenly and smoothly, now it makes sudden jumps and seems to act more like a tab key! I dont think it is performing tab function though. It will work well when scrolling through text for example, but then will suddenly change.

It seems like the arrow keys might be causing the cursor to jump to sections of text as if you are in a word processing program rather than on a webpage! It is very annoying whatever it is and I think it should be changed back. It also caused trouble when trying to select a body of text using the shift key + the up or down arrow, suddenly deselecting a section of text that had already been selected and jumping to another section. Is this a bug or was this deliberate to try and achieve something?

July 22, 2015

Permalink

I am trying to download the Tor browser and verify that the download is secure. Tor instructions read:
-----------------------------------------------------------------------
To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:

For Mac OS X users:
gpg --verify ~/Desktop/TorBrowser-4.5.3-osx64_en-US.dmg{.asc*,}
---------------------------------------------------------------------------
The download does not include the .asc file and I cannot find it to download. Anyone know where it is?