New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Anonymous

March 14, 2013

I downloaded and installed the latest update - Tor Browser Bundle (2.3.25-5), and after re-starting, the "Are you using Tor?" page still says "There is a security update available for the Tor Browser Bundle.". I re-downloaded and installed again and still get that message. I checked the dates on the various updated files and they all have 3/12/13. Seems this has happened before, but can't recall what fixed it.

Anonymous

March 15, 2013

After installing the new version I still get

" There is a security update available for the Tor Browser Bundle."

Anonymous

March 15, 2013

Add me to the list of still getting the message there is an update. Just to be sure, I checked the versions of all the programs update to and they all check.

Anonymous

March 15, 2013

Tools / Options / Advanced / General / Browsing

[x] check my spelling as i type

Who checks my (secret) spelling as I type, and why?

It is good for your security to have your spelling mistakes pointed out to you. One way to identify who has written something is to look for certain, recurring misspellings.

It is not a human that does this, but the browser software, of course.

Anonymous

March 15, 2013

Before this and the previous stable release, the Tor Browser had its own icon and was grouped itself - please bring this back. Aside from being a bit of a PITA, it allows for the possibility of mistakenly bringing up the regular browser. It goes without saying, that wouldn't be good.

Using Ubuntu 12.10 x64

Anonymous

March 15, 2013

What's the point of allowing users to enable plugins? They may as well stop using Tor Browser if they don't need anonymity. Disabling all of NoScript's hardening measures only expands attack surface for browser exploits. With each new version Tor Browser gets increasingly more dangerous for users who don't adjust their settings manually and go with the default config, it will inevitably lead to a massive security disaster someday.

Well I guess the logic goes like this: you wish to watch a kinky video on YouTube, and you just can't help against the site (i.e. Google) knowing that you are watching that video, but you are still interested in not announcing it to your employer whose network you are using. Even with vulnerable plugins, but Tor still keeps all sorts of middlemen unaware of what you are doing.

And you can disable them as you wish.

Click on the "TorBrowser" menu button and select "Add-ons". Then click "Extensions". Find the extension labelled "PDF Viewer" and click "Disable".

Anonymous

March 15, 2013

Where does one download the Tor Browser Bundle (2.4.11-alpha-1)? You can download the 2.3.x version from the Downloads page, but not the 2.4.x version.

Also, when will 2.4.11-alpha be available in the torproject RPM repo for RHEL/CentOS 6?

Yes, where can I download Tor Browser Bundle (2.4.11-alpha-1)?
And I'm new to TBB; I feel it (ESR Firefox) is a lot slower than normal Firefox.

Thank you.

Anonymous

March 16, 2013

Any hope for flashproxy-pyobfsproxy new version?

Anonymous

March 16, 2013

I am a little nervous about trying any TBB since last time I did my computer got infected with a virus after I unpacked the file. I had a heck of a time cleaning out the virus! Is the TBB safe and clean?

That might have been a false positive. One recent version of TBB triggered I think two different anti-virus programs (claiming the same kind of virus). The anti-virus companies looked into it and concluded their virus definition file was wrong and fixed it a few days later (iirc).

Of course, make sure you are downloading TBB from "torproject.org" over an HTTPS encrypted connection (https://).

SSL/HTTPS has been shown time and again to be quite vulnerable and should not be considered a substitute for properly verifying a download by using the digital signature.

"my computer got infected with a virus after I unpacked the file."

/If/ the TBB download really was to blame, then it must have been rogue. Did you verify the signature?
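
The signature check the replies above refer to, as an added example that is not part of the original thread and is not Tor Project code: `gpg --verify` accepts a good signature from any key in the keyring, so this pins the expected signer by parsing gpg's machine-readable status output. `EXPECTED_FPR` is a constructed placeholder, the function names are hypothetical, and the signer's key is assumed to be imported already.

```shell
#!/bin/sh
# Added example: pin the signer when verifying a downloaded bundle.
# Placeholder (constructed, not a real key): replace with the signer's full
# primary-key fingerprint, obtained through a channel you trust.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status EXPECTED_FPR  (hypothetical helper)
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR as signing key or primary key, and no line reports a
# bad, errored, expired or revoked signature. Empty input fails closed.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Appending "" forces a string comparison of the fingerprints.
        $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_download FILE SIG  (hypothetical helper)
# Runs gpg on a detached signature and applies the pinned-fingerprint check.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real gpg run).
# Signed by a subkey whose primary key is the pinned fingerprint:
SAMPLE_GOOD='[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-03-12 1363046400 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
# Cryptographically valid, but made by some other key in the keyring:
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else <other@example.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2013-03-12 1363046400 0 4 0 1 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Demo on the constructed samples; real use: verify_download FILE FILE.asc
printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR" &&
    echo "pinned key: accepted"
printf '%s\n' "$SAMPLE_OTHER_KEY" | check_status "$EXPECTED_FPR" ||
    echo "other key: rejected"
```

The second sample is the case that matters: gpg itself would report a good signature there, and only the fingerprint comparison rejects it.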

Anonymous

March 16, 2013

I had the same problem with recurring update prompts, but it went away the next day I started the browser.
The problem that remains is with https sites that do not have valid certificates. There seems no way to store exemption permanently as that box is grayed out. And there seems to be no way to change private browsing mode for the same reason: grayed out.
It's a PITA to have to confirm exemption every time logging on to a site.

I have a suggestion for making things simpler for people who log on to https sites that they know well, but that do not have valid certificates - a setting in tools that once set, skips the security certificate query.
That way, no personal data need be stored, i.e. no "exceptions".

Imagine this scenario: Secret police search your pockets and find a USB key. They find TBB on it. They check to see what certificates it has saved. Now they know some of the places you browse.

Anonymous

March 16, 2013

No problems here with the latest alpha update. Running Windows 8 Pro 32-bit. No virus reported. Using Avira Free, heuristics set to 'high'.

Anonymous

March 17, 2013

After install I have to adjust so many settings manually to improve security that I need a to do list !!!

Well don't.

Any change in the setting you make will decrease your anonymity, so keep the changes to a minimum.

Really, the only change worth doing is disabling JavaScript using NoScript. This will also decrease your anonymity, but will increase security against exploits.

Firefox
- Disabling Java
- Activate I do not want to be tracked
- Use custom settings for History and then disabling Accept cookies from sites
- Override automatic cache management: Limit cache 0MB of space

Firefox about:config
browser.cache.disk.enable; false
browser.cache.memory.enable; false
extensions.torbutton.banned_ports; 8118,8123,9050,9051,9150,9151
network.security.ports.banned; 8118,8123,9050,9051,9150,9151

Noscript
Disable Script Globally Allowed
Activate Forbid Java
Activate Forbid Adobe Flash
Activate Forbid Microsoft Silverlight
Activate Forbid Other plugins
Activate Forbid @font-face
Activate Forbid Audio/Video
Activate ABE

Installing plugin RefControl

Take a look at http://ip-check.info/?lang=en

Anonymous

March 17, 2013

Enable plugins doesn't work. Once I uncheck it, it rechecks on its own.

Anonymous

March 17, 2013

My Slitaz Live CD still uses gtk+ 2.16.5 and there's no way for me to upgrade gtk+ as this would mean to rebuild practically the entire distribution from scratch. Unlike TBB 2.3.25-2 this latest version of TBB no longer works for me because once again (it has happened before) someone has built the package using a later version of gtk+ ...

libxul.so: undefined symbol: gtk_widget_set_can_focus

... and I'm wondering why? Shouldn't TBB function in the greatest possible number of environments? Unless there are security issues with older gtk+ versions I see no reason why you are using a version that leaves some of your users behind. Firefox 17.0.4esr works perfectly on my computer. If Mozilla can do it, why can't the Tor-Project?

I think the Tor-Project should be using a well specified, standardized build-box to produce its browser bundles so that the outcome no longer depends on who happens to run the build procedure. It would also be a good idea to publish minimum requirements together with the change log for each new TBB.

I saw a ticket on Tor Project's bug tracker that they are working towards making their build machines match those of Mozilla better.

Anonymous

March 17, 2013

I noticed that NoScipt is not enabled by default in this version. I don't get that. Scripts are flagged in the usage guidelines as being potentially dangerous, but the system inside Tor Browser designed to keep them at bay is disabled unless you enable it?

What about people who believe what it says on the Tor download page about the Browser Bundle being "ready to go"? Correct me if I'm wrong on something here, but really - where's the logic in that?

Disabling JavaScript using NoScript is not required to make Tor Browser safe. Tor Browser includes its own patches and special configuration that blocks the dangerous parts of JavaScript, while still allowing the safe JavaScript to work.

Disabling JavaScript altogether breaks many more sites than it needs to. This is bad for the less computer literate users.

You're wrong. TBB is safe and *meant* to be used with NoScript to globally allow all scripts. This issue comes up, well, at least once every week.

I think TBB should launch a window explaining all the FAQ's people post here without doing a simple search on the topic before they post . . . [rolls eyes]

"I noticed that NoSc[r]ipt is not enabled by default in this version."

NoScript /is/ enabled but set to enable scripts globally. This is addressed in the FAQ:
https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

(NoScript still provides at least /some/ protection with this setting.)

This is how it's been in TBB for as long as I can recall. What was the last version of TBB you tried?

Anonymous

March 17, 2013

Wow. I just clicked on a youtube video and it played.

Is this a bug or a feature?

Did I lose anonymity?

Could be life-threatening for me.

I'm using

tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz

Hope this is the right place to post this...

OK, it looks to be related to recent change:

"...
Firefox patch changes:

Remove "This plugin is disabled" barrier
This improves the user experience for HTML5 Youtube videos:
They "silently" attempt to load flash first, which was not so silent
with this barrier in place. (closes: #8312)
Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)

..."

Recently work has been done towards supporting HTML5 video (which unlike flash video is safe to use inside Tor Browser). At least some videos on YouTube work using HTML5 too, without flash.

See the changelog posted in the top of this thread for more information.

Many YouTube videos now support html5, an alternative to Flash for watching video. As far as I know, these should play in TBB.

Anonymous

March 17, 2013

Maybe you can tell us the reason why you can't or don't want to support PowerPC Macs …

Do you think that these machines will stop their work soon, or what?