Firefox 4 Tor Browser Bundle for Windows

Windows users, your time has finally arrived! A new Tor Browser Bundle with Firefox 4 is available here (sig). The build infrastructure has moved to a Windows 7 machine, but this bundle has been tested on both WinXP and Win7. If you encounter any strange issues, please let me know here or on our bug tracker.

Tor Browser Bundle (2.2.24-1) alpha; suite=windows

  • Create new bundle for Firefox 4
  • Update Tor to 0.2.2.24-alpha
  • Update Torbutton to 1.3.2-alpha
  • Update OpenSSL to 1.0.0d
  • Update Libevent to 2.0.10-stable
  • Update HTTPS-Everywhere to 0.9.9.development.4
  • Add NoScript 2.0.9.9
  • Add BetterPrivacy 1.49
  • The Opa Heinz release
Anonymous

April 24, 2011

Permalink

Hi Erinn,

I am unsure if these should be called bugs, and if so I will report them:

1) Why is Polipo included? This Firefox (v4) fork by the Tor Project has the SOCKS patch, no? I am currently using this Firefox with only Socks address:port set (all other protocols are set to 0:0), bypassing Polipo, and the browser still passes the https://check.torproject.org/ test. Surfing does seem faster without Polipo; I plan on testing the speed difference with Firebug and Hammerhead soon ...

2) You have NoScript set to globally allow all scripts.

3) Firefox is still picking up a system wide plugin "Foxit Reader Plugin for Mozilla 2.1.1.0012", but other system wide plugins are not found by Firefox; re TBB bug #2255 here: https://trac.torproject.org/projects/tor/ticket/2255

4) When I first tried to post this message I got the warning from this blog: "Cookies should be enabled in your browser for CAPTCHA validation". I assume this is a bug in TorButton, one of which I referred to below; otherwise it may be a bug with Firefox. I am unsure where to file the bug, in TorButton or TBB bug tracker.

5) A few issues that are bugs I shall report soon ...

That said, I do have a few bug reports to file for TorButton alpha with Firefox 4. I will try to so soon. The same bugs have been present in all alpha versions of TorButton I have tested with Firefox 4 over the past months. I was hoping they would be fixed with this release, by alas, no.

Thanks, HG2G

> 1) Why is Polipo included? This Firefox (v4) fork by the Tor Project has the SOCKS
> patch, no? I am currently using this Firefox with only Socks address:port set (all
> other protocols are set to 0:0), bypassing Polipo, and the browser still passes the
> https://check.torproject.org/ test. Surfing does seem faster without Polipo; I plan on
> testing the speed difference with Firebug and Hammerhead soon ...

Hmmmm. I just went to the check.torproject.org site with Tor not running, and got told "Congratulations. Your browser is configured to use Tor.", listing my actual IP address.

Platform is Firefox 4.01 under WinXP SP3.

I'd call this a showstopper bug.

Anonymous

April 25, 2011

Permalink

I have installed firefox 4.0 and the torbutton wont install due to a non-compatibility. What am i doing wrong

Same here. Just updated from FFox 3.5.1 up to 4.0.1 and vidalia bundle went dead :-( I can start the control panel, all fine, network map, everything is there but no change in IP. Any suggestions? pce!

Anonymous

April 25, 2011

Permalink

Thank you so much for your work!

But once again Firefox's ability to search the Windows registry path for system-wide plugins and extensions should be disabled!

And it would be great to have the package in other languages!

Anonymous

April 25, 2011

Permalink

can we play videos from youtube and other sites from this bundle or is it still block
scripts and plugins without the ability to disable this feature

Anonymous

April 26, 2011

Permalink

Thank you for including NoScript & BetterPrivacy as standard in this release.

Anonymous

April 26, 2011

Permalink

Did you mean to have NoScript set to allow all scripts by default? That kind of negates the point of using NoScript. Some people may not notice that, and assume they are being protected by NoScript but really are not.

Anonymous

April 26, 2011

Permalink

991 connection problems please raise your ulimit -n
Ubuntu 10.10. Linux

I know its a bit late but I had the same problem and I managed to fix it. I use linux. There is a Soft limit and a Hard limit. To see them you type ulimit -Sa for the the soft, and ulimit -Ha to see the hard. The soft is the minimum setting of that file in this case the -n. You type ulimit -Sn to see the -n soft and -Hn to see the -n hard.
To change the settings you must first change the Hard file which is the maximum allowed. If not it won't let you change the soft settings because setting in the hard file is smaller than in the setting in the soft file which you are trying to change.
To do this you have to change the settings here.
/etc/security/limits.conf
You go to the terminal and type in sudo gedit /etc/security/limits.conf

You will see a bunch of number signs. At the bottom of the commands right before the #end file
you type in this. * hard nofile 51200 with out the # sign.
and * soft nofile 51200 right below it.

This will set the hard and the soft to 51200 or any number you want as long as its in increments or 1024.

Then you have to go to this file
/etc/pam.d/common-session
In the terminal type sudo gedit /etc/pam.d/common-session
at the bottom of this file type this
session required pam_limits.so

save the file and restart the computer.
now look at your hard file
and your soft file
the hard should have changed to 51200 as well as the soft.

This is what it looks like

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#
#
#Where:
# can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, must be
# the literal username root.
#
# can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
# can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
#
#
#
#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
* hard nofile 51200 <---sets the hard
* soft nofile 51200 <---sets the soft
# End of file

the other file looks like this

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ck_connector.so nox11
# end of pam-auth-update config

session required pam_limits.so <-------------------------add this line here

I got most of this from this link and I played with it
till I got it to work.
http://techblog.ovidiudan.com/2008/09/too-many-open-files-change-ulimit…

hope it works for all you out there running a race.

Anonymous

April 26, 2011

Permalink

Thanks for working on these new versions.

It must be frustrating that as soon as you put something together, something beyond your control happens. I'm referring to the add-in you kindly included, BetterPrivacy, with version 1.49. They released
their version 1.50 dated April 13 with the comment

"This is a privacy-related update with critical severity!"

You might want to mention that Tor's other capabilities compensate for BetterPrivacy's problem of "critical severity".

Anonymous

April 27, 2011

Permalink

Hi Erinn,
I have been reporting a few bugs in TBB 2.2.24-1 alpha, and I have a few more to report plus some enhancements I think may be worthwhile. However, I am confused as to which "component" I should choose when reporting bugs, etc., for TBB. At the Tor flyspray there are the following two "components":
Tor Browser
Tor bundles/installation
It seems to me using "Tor Browser" would be the proper choice, but it also appears all(?) reports for TBB are filed as "Tor bundles/installation". What choice is correct for issues with TBB? For the time being I will choose "Tor bundles/installation" because (a) you are assigned to that component and (b) that component seems to be the choice de jour for TBB.
Lastly, why are there components "TorBrowserButton" and "Torbutton"? Is that not redundant? Should it not be only one choice: "Torbutton"?
Thanks, HG2G

Anonymous

April 27, 2011

Permalink

Have you guys ever seen any successful tor users from northern China lately? I've not been able to connect to any tor servers since half an year ago, either directly or via bridges. Could anybody look into this problem please? Thanks!

Anonymous

April 28, 2011

Permalink

There is no new Torbutton update compatible to Firefox 4.01. Can someone ask the author to develop an new version to make sure a more secure web surfing . thanks

Anonymous

April 30, 2011

Permalink

Tried to download Firefox 4 Browser Bundle for Windows 2.2.24-1 alpha on Microsoft Vista Home Basic SP2 using IE 9. Message from IE 9 saying unable to download, tried twice on cable broadband.

Switched to USB memory stick, FAT32 using QTWeb v.3.7.2. Downloaded fast and installed easily. Thanks for the Firefox 4 upgrade.

Anonymous

May 02, 2011

Permalink

Hello Tor Devloper,

I m facing a problem and m using Vidalia 0.2.12, Tor 0.2.1.30 and Qt 4.6.2

Probem is whenever i use Tor with U torrent it shows over Excited and tor stop working will u please tell me the reason or resolution

Anonymous

May 02, 2011

Permalink

I concur that the "allow scripts globally" default is a serious oversight. Disclaimer: I do distribute NoScript, BetterPrivacy and some other security and privacy extensions as part of my employer's standard browser package, and I do have many of those add-ins configured by default to be relatively unrestrictive, but that is because of a potential backlash from many foolish users who have no knowledge of and less interest in security and privacy. I shouldn't think that would be an issue for most Tor users...I also recommend that Tor users seriously consider using the following NoScript settings:
-Whitelist: remove all entries (Mozilla/chrome mandatory items cannot be removed)
-Embeddings: select all options except "no placeholder" and "collapse blocked objects"
-Appearance: deselect "allow"; select "temporarily allow"
-Appearance: deselect": "allow all this page"; "make page permissions permanent"; "allow scripts globally" (optional, but to me it is a dangerous mis-click in waiting)
-Appearance: select "revoke temporary permissions"
-Advanced|untrusted: select "forbid 'web bugs'"
-Advanced|XSS: remove all exceptions
-Advanced|external filters: remove all objects from "do not filter" list
Are those settings too inconvenient for Grandma to use when retrieving her sewing circle daily list digest? Yeh, probably. But that isn't why I'm using Tor - what about you? I actually roll this way with my normal browser settings during non-Tor (read: not all that concerned about Big Brother seeing what I'm doing) sessions, just for minimizing malware risk. It is somewhat inconvenient in that mode, but there is rarely a page I need that I can't load adequately, and I have adjusted to it pretty easily...

Anonymous

May 02, 2011

Permalink

i have a windows 7 machine running the older version of Tor with firefox 3.5. is this safer than running the newer version of Tor with firefox 4 browser bundle Thanks! G

Anonymous

May 11, 2011

Permalink

I have just installed TOR 2.2.25-1 in my Windows 7 system with Firefox 4.01.
The TorButton appears on the toolbar - but seems not to work. When I point my cursor at it, I see the message "Disable TOR". After I click the button, I get the same message - which seems to indicate that the button either FAILS to disable TOR, OR it disables it, but fails to tell me so.

Is there a fix for this?

Anonymous

May 13, 2011

Permalink

Hi
Just wondering if there will be a new tor release with tor button for firefox 4?

Anonymous

November 08, 2011

Permalink

Hi I just wanted to say that I found ther error that I previously tried to post, probably on another subject but on torproject.org
I think that you go through the questions before they are actually put in the blog so I guess you can just move it to the right place as it should be.
In the message that I had first posted I asked about
why I got 3 orange in http://ip-check.info 2 of them I could understand but the third one was my actualy main concern.
Namely "Signature" it showed that I was easily identified since the header wasnt a TOR Signature, I have now finaly found what caused it, and it seems that using FF 3.6x isnt good enough, perhaps due to the favico.ico checked twice or some other easily spotted weirdness

I started by getting the Aurora package and it got green..
Then I did some investigation and realised that somewhere between FF3 and FF7 it got green. Now I am actually proxying a FF7 Aurora with a Proxy plogin to my TOR Chain
and even that I use IE or Opera and what not all the traffic is "Proxied" through FF7 and case is closed "IF" I use the profile catalog from Aurora.

My current setup is:
FF - Proxomitron
Proxomitron to Squid that is Roundrobbined through 3 Different Chains:
Every chain concists of
Privoxy-Polipo-Tor

DNS is going through TOR and DNS 53 is blocked at Firewall Barrier towards Internet.

Now I have some ideas to use the different TOR Nodes to direct to different parts of the world, and redirect the traffic to the right TOR node via rulesets in Privoxy mainly to see if the speed is somewhat getting better.
Its difficult to measure it though but the theory is that the endpoint should be near the location where the actual webpage is located.

I would ALSO want to recommend a plugin that seems to be forgotten or very few people knows about it. Its called
HTTPS Finder, and it "Automates" the ruleset creation for HTTPS Everywhere, I am actually supriced its almost never mentioned, it has made my HTTPS Everywhere rulesets grow very fast, and those are now in the thousands.

Also I would want to point out the SSL problems that exists even using Certpatrol, but are very well documented on the Certpatrol homepage.

Whatmore, keep up the goodwork, and I would like to read more on the subjects regarding the Encryption breakthrougs made by the french, claiming that TOR is nolonger safe.
I havent studied the encryption used by TOR but TOR is very old so yeah not supriced if its broken by the public.
Since the US governement has let it be alive for this long one can only assume that its a really nice Honeypot for NSA for who knows 10 years allready, so some extremely good encryption algorithms combined with TOR networking basic idea would definately not be something considered lightly to look at for the future if the TOR projects completeness of security is going to be considered as somewhere near safe for the anonymity for an enduser from an encryption analyst point of view, and that doesnt conclude the problems with SSL but the whole infrastructures challenge response algorithms. Hmm now that said I think I said allready toomuch to be able to backup my theories but I would though assume that there are some deep thoughts to consider for the future of TORS "real" anonymity goals and not just the "illussion" that yeah its safe, lets continue using it. So even so, anything that isnt encrypted is still probably safer "IF" the mainstream uses it, otherwise its just a Honeypot... Thanks

Anonymous

December 28, 2011

Permalink

I am unable to install hammerhead plugin to fore fox. I have tried for FF 3.6,8.0 and 9.0. This is really annoying me as I am desperately need it. Can some please give some thoughts on it, like which version is compatible with this.

Anonymous

March 02, 2012

Permalink

I haven't seen any answers to the questions about Youtube......So how does one view videos from there or any other site that may contain videos,eg. Machines Like Us, etc...
Thanks.

Anonymous

April 23, 2012

Permalink

hi, i actually am having trouble understanding this forum and its stressing me out. i have a question. i have looked through all of the other questions and answers and i cant tell if they fit my question. and actually i cant even tell what answers are answering which questions. so i clearly am confused, and i dont wish to confuse any one else but i just had to put that out there to say that i may not really understand if i am being answered directly when i recheck this blog.

i as you may have noticed am no computer genius, however i have been getting a little better lately, but if some body is going to answer me i will really need blow by blow instructions and also if there is some thing that could look a few alternate ways that might confuse me it would be much apreciated if that was described as well.

ive been using tor for a while, i used to just down load every time it was out of date, i would click on it when i wanted to use it and it would bring up a separate fire fox to my other one. this time when i down loaded it i did some thing different, its now the toor toggle in the top left hand corner of my firefox search page.

after i downloaded it this time it worked at first but then stopped letting me search. i have done a few new things like installig thunderbird/enigmail and a few other addons. the thunder bird was installed before i reistalled tor so it has worked with my pgp settings earlier on.

i use duckduckgo but i have checked it whith goole as well and its not working for either.
oh im using a mac

i dont know if ive given you enough information to help me but if you can that would be great.

thanks