New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"
Anonymous

March 18, 2013

Permalink

Can anybody tell me why I keep getting a warning ("external application needed...") everytime I try to download a file by right-clicking on the link and selecting "Save link as" ? I'm using the latest official version of TBB.

I'm not talking about opening the file in the browser, only downloading. It's scary because it happens most of the times, but not always, even with the same file. It simply makes no sense.

Opening the file in the browser is safe. Downloading means you have to open the file with another application (external application), which may not be safe.

For example, say you download a .mp3 audio file. This should be safe by itself, but when you later start playing this file in your media player, your media player might think it is a good idea to download additional metadata for this .mp3 file (look for artist/album info, cover image, song lyrics, etc). Your media player is an external application, and will not be using Tor. And anyone observing your connection can see you has this file.

Make sure to either configure your external applications so they do not use Internet, or use the Tails live system or similar there someone have done the configuration for you.

Not really. Actually opening a file in the browser might be dangerous, if it is done by another application (i.e., the browser doesn't play video files by itself, even if it displays the output).

Instead, downloading should actually be safe, as long as the user right-click and selects "save files as". There's really no reason why TOR should display the "launch application" warning in this case, especially if one is using TBB, which should already be safely configured.

I found many other users complaining about the same problem.

Anonymous

March 18, 2013

Permalink

I think torproject disabled NoScript and enabled "Flash" beacuse the TBI OWNED TBB or maybe i am wrong ? and how many relays / nodes / servers are HONEYPOTS ?

NoScript is not disabled, but safe JavaScript is allowed.

Flash *is* disabled. If it isn't for you, it is a bug, report it.

Tor is designed to keep its anonymity properties even if there is a few "honeypots".

Anonymous

March 18, 2013

Permalink

TOR Internet connection was working fine in version 2.3.25-2 with the Internet connection selection set to “Manual proxy configuration” and Socks: 127.0.0.1 set to port 9050.

After installing either of releases -4 and -5 the TOR browser will not allow connection to the Internet, and gives the message: The proxy server is refusing connections.

After running Test Settings from the TOR Button, the test is successful.

Attempting to connect to the Internet gives the message:
What changed from -2 to -4 and 2 to -5 to cause the connection to stop working with settings that worked in version -2?

I had the same problem, and the reason was that I had edited my torrc file.
Solution:
Check the torrc file you are using.
Make sure that your file has these values:

  1. ControlPort 9151<br />
  2. SocksPort 9150<br />

If not, edit them after you have stopped Tor in the Vidalia Control Panel.
Then try again.

Hope this advice was useful to You.

I got the same problem, and this does NOT fix it (my torrc was downloaded with the package, and contains the correct ports.
Anyone has a suggestion? Someone can indicate which programs are supposed to be running, and where they are supposed to be listening?
Thanks

Anonymous

March 19, 2013

Permalink

Control port is strict and the same not automatic on the last two Linux TBB versions so it prevents the starting of two TBB simultaneously with default settings, is it because of the bug?

Anonymous

March 19, 2013

Permalink

Windows 7 64
Tor Browser Bundle (2.3.25-4) has been working for 2 weeks but today tor connects and starts firefox port but it closes immediately. I disabled antiv and set exclusions same behavior. Close all non essential programs same behavior. I downloaded alpha same behavior. I tested an old version of the tor-browser firefox port 3.6 and it runs

Thoughts

Anonymous

March 20, 2013

Permalink

i have often app.exe crash. how can i report it? Is there any log that i can e-mail you?

Anonymous

March 20, 2013

Permalink

You should add Cryptocat to the list of default addons in TBB. It's really a match made in heaven: CC encrypts and anonymizes the chat conversation, TBB obfuscates the IPs of the participants.

Anonymous

March 25, 2013

Permalink

Just downloaded the new tbb, my configure controlport automatically is already unchecked and the port is automatically 9151. Is this ok? I am trying to torify my bitcoin app? Are there any beginners guide to this new version of tbb?

Thanks

Anonymous

March 29, 2013

Permalink

why the tbb's version firefox is slow than normal firefox a lot?
(even both use same profile)
anyone have this (slow) problem?
thank you.

If you mean the time it takes pages to load, then the answer is probably simply the bouncing between nodes that is the very function of Tor itself.

no, I mean is tbb slow that (tor + normal firefox).
on my system, the tbb version firefox startup time need +10sec,
and normal firefox startup need +5sec,

Me too.
When I open a local html file (written by myself) in TBB it scrolls soooo slowly.
Opening the same file in normal firefox (with more addons) it scrolls fast and nice.
What gives?

Anonymous

March 31, 2013

Permalink

Hi, is it safe to attach files or pictures to an email you are sending from a webmail client? Or can the attaching of files to an email (through tor) lead to revealing of your IP to the webmail server (such as gmail?)

When you attach a file to an email, the little windows explorer opens up and you look through your computer to find the file. Gmail then spends a couple of seconds uploading the file to the actual email. Can this uploading of a file to an email reveal identity? Or does this uploading (attaching files to an email) also happen through the tor network and is 100% safe?

The upload should happen through Tor, but that still doesn't make it 100% safe. (Not least because Tor far from being "100% safe".) You should check your files carefully for potentially deanonymizing meta-data. A lot of cameras these days automatically tag images with GPS data, for instance. With that said, barring any metadata-associated privacy leaks, sending pictures via Gmail over Tor is likely no riskier than sending plaintext emails via Gmail over Tor.

Anonymous

March 31, 2013

Permalink

Ever since upgrading to FF 17 ESR bundle (now on 17.0.4) my fonts seem to be readable. Never had this problem with the older bundles. This is all according to ip-check.info. Any information on this?

Anonymous

April 02, 2013

Permalink

Firefox ESR 17.0.5 is out, ONLY Security fix

Changelogs:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Fixed in Firefox ESR 17.0.5
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)