New Tor Browser Bundles

by erinn | November 24, 2011

The Tor Browser Bundles have been updated to Firefox 8.0.1 along with a new Libevent and some extension updates.

https://www.torproject.org/download

Tor Browser Bundle (2.2.34-3)

  • Update Firefox to 8.0.1
  • Update Libevent to 2.0.16-stable
  • Update NoScript to 2.2
  • Update HTTPS Everywhere to 1.2.1
  • Begin building Tor with --enable-gcc-warnings

Comments

Please note that the comment area below has been archived.

November 24, 2011

I wish I could use Tor for my Android phone, but I can't (location: IRAN)... because when I want to activate it, I should wait for 5 and 6 mins and nothing will happen. I mean the IRAN government blocks Tor in Iran, especially mobile phones. I used a bridge but I could connect

Any suggestions? PLEASE.
Now the only way is Tor

So don't use your Android phone. I'm from Iran and I have no problem with Tor; I use Tor on my PC. Yeah, they try to block Tor, but fortunately these cool guys at TorProject have the upper hand :D

November 24, 2011

Thank you, I appreciate the work you put into it. I have a question: Is it considered risky to update add-ons like HTTPS Everywhere and NoScript before a TBB update gets released with the new updated versions included? Is there some sort of security audit you put these through before including them in the release, and can this sort of add-on leak identifying info and IP address through bypassing Tor like some plug-ins can?

November 25, 2011

Version 2.2.34-3 of Tor Browser Bundle does not start.

After numerous manipulations and dances around Tor, it was reported that there is a problem with the polipo file.
As it turned out, the polipo file is missing from the .\App\ folder.

Please check: can the missing polipo file prevent Tor from running?

System:
Win 7 HP 32-bit 1SP
Phenom II 4X 970
SA-MA770T-UD3P
Kingston DDR3-1333 2x2GB
Western Digital 250GB 16MB SATA-II
Delta GPS-500AB A 500W

November 25, 2011

Hi, the TBB for Linux functions well but I receive this error in the Terminal when I launch the app:

"Qt: Session management error: Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed"

Vidalia, Tor, and Aurora function without any visible errors. I googled this error and found a few tickets on your Tor bug site. Any clue as to what's causing the error, what the error means, and how it relates to the TBB performance, if at all?

November 25, 2011

In later versions of your "Firefox Add-ons", please use the following:

Calomel SSL Validation
CipherFox
Extended Statusbar
FlashBlock
ReloadEvery
Safe
WorldIP

Thank you
email : MojtabaFaal@Live.com

November 26, 2011

I do not know if this is the right thread to write about this. For security reasons I do most of my web searches using Tor. My main concern about Tor is that I am never sure if all traffic from my computer is going through it. If this is not happening there is no warning. For example, the TBB comes with automatic updates of add-ons enabled! I believe this is done in the background and does not go through Tor. I do not know. I am an average computer user. I discovered only yesterday that this can be disabled by the user in the Torbutton preferences. But how many users are aware of this?

When I installed a small application called Little Snitch (for osx 10.6.8) which warns when one of my applications wants to connect with a particular IP address, I was shocked that this was done outside Tor thereby revealing my real IP to that address. Also, during the Tor session Little Snitch reveals that Apple is requesting all kinds of information from my computer (software updates, storeagent, time check etc) at regular intervals. I select a paragraph of text from a website through Tor and when I try to copy it to the TextEdit application I get a warning that the latter wants to connect to that particular website. Now I know why there is this warning in the Tor Notices: "This is experimental software. Do not rely on it for strong anonymity". Does this mean that those who need strong anonymity (to avoid a knock on the door at 2 am!) should not use it?

My other concern is regarding JavaScript and webbugs. NoScript comes with webbugs enabled! One has to manually disable it in NoScript preferences. Again, how many users are aware of this? Unlike the Tor Blog, on the website where I post my opinions, JavaScript and cookies must be enabled before I can write anything! I suppose they already have my real IP address logged! Is this why NoScript considers JavaScript to be dangerous when enabled globally?

A few days ago I had another shock with Tor. I have a Gmail account which was not opened through Tor. I sent a short email to another account I have at yopmail.com which I always visit through Tor. I included in the body of the email a tiny tracking photo obtained from spypig.org. To check my mail at yopmail.com both cookies and javascript must be enabled! I read the message and I noticed that an image was enclosed. I click on the 'download' button. I could not see the image because it was of the same colour of the background. I went back to my Gmail account and lo and behold I had a message saying that my email has been read! I expected this. The shock was that the email did not show the recipient IP address as either the Tor exit node or yopmail.com but MY IP address with all the 'who is' information included. Must one turn off all images when one visits sensitive websites?

I wish Tor would ship with a 'read me first' document written by a very experienced and knowledgeable Tor user to warn about the obvious dangers and how to dodge them. I am happy that TBB is updated frequently thereby helping me learn more about it because I always check the configurations of Aurora carefully before I start using it. One thing is certain: Tor does give its users a false sense of security!! But we must all thank the Tor Team for the time and effort they put in their endeavor to remove the word 'false' from the previous sentence. Thank you.

All Firefox traffic is routed through Tor, so unless some trusted CA has its keys stolen, updating add-ons should be safe. Web bugs cannot deanonymize you, so not forbidding them by default in NoScript is not a big concern. A much bigger one is that NoScript is configured in TBB to allow scripts globally by default, but on the other hand you benefit from "security by obscurity" if you're actually aware that you should disable scripts -- potential attackers able to exploit 0-day browser security holes may wish to focus on the majority of users going with the default settings and skip trying to bypass NoScript protection. If any website can read your real IP address then your TBB is not configured properly or your computer is compromised, it should never happen, even with JavaScript and cookies enabled. The message about "experimental software" in Tor notices is indeed misleading, I'm not sure why it's there.

I don't know if NoScript allows the placement of a button on the Browser's bar so the user can toggle Javascript on/off. If it doesn't, there are some Firefox extensions that do, such as QuickJava. I also recommend the Firefox extension Eraser which allows the user to clear the cache, cookies, etc from the Browser's bar. I do this regularly while surfing. A lot easier than going into the Browser's menu items.

One final thing: there are reports Google is considering ending financial support for Firefox. Since Google supplies 80% of the funding for Firefox, this could be the end of Firefox.

You do realize you aren't using Tor at all, right?

Tor Browser's default configuration should be safe enough; everything is routed through Tor. But only everything in Tor Browser, not other applications.
Changing the configuration from the default is usually bad.

And use Wireshark or the like for monitoring the network.

I think the most important thing is to say: Tor doesn't magically anonymize all the traffic your computer generates, just because you have installed it. You have to tell applications that they must connect through Tor. Even then, you must be wary that many applications will leak information.

Your operating system (Apple OS X in your case) connects to the internet to do various things. Since it isn't configured to do this through Tor, it won't. Note that it is very, very hard to make sure all (meaning all) traffic goes through Tor. There exists a special project to achieve this, using a CD-bootable Linux operating system. See http://tails.boum.org/

A very common application that people want to have anonymized is their web browser. The Tor developers have created a handy package for this: the Tor Browser Bundle. All websites opened in this browser are almost guaranteed to be anonymized by Tor. Since you asked: updates for plugins are fetched through Tor.

For the "'read me first' document written by a very experienced and knowledgeable Tor user": read the official documentation. Also read the list of common pitfalls here: https://www.torproject.org/download/download-easy.html.en#warning

There is a fat button 'Documentation' at the top of this page. Click it, and spend at least an hour there.

I am not sure about update checks, but I know all images, javascript, css, etc should load through Tor if you have Tor enabled and configured correctly. Always check that you're using Tor by visiting https://check.torproject.org/

The thing with JavaScript being enabled by default, I think, is for practical reasons; otherwise there would be a number of users who might think Tor is very limited and can only load certain websites. Lots of sites break when JavaScript is disabled, and users might not understand to enable it for the specific site.

As for the information MacOS sends Apple, I hear Windows does the same thing. Certain information is harmless, (such as asking Apple for the local time), but a list of installed software is very serious.

Wow, I mean I am so surprised how well you understand these programs and how they really work.... Please, can you help me connect my Tor Browser Bundle? I am using Windows 7, 64-bit operating system, and my internet is given by the university, which is an HTTP proxy of 10.0.0.20 and port 80. The problem is I can't get past the Relay Directory.
So please help me here. The other thing is that on the campus everybody has a specific IP and shares a common default gateway.

my email
abdul_microbiologist@yahoo.com

November 27, 2011

Since Firefox is being updated so quickly, isn't including the latest Firefox browser compromising the security and privacy of Tor users? If the users of Tor are more fragmented among different versions of Firefox, it makes it easier to identify an individual as opposed to Tor users collectively using just one or two versions of Firefox. My suggestion is that, unless there is a significant improvement in the security/privacy of Firefox, the Tor Project not force Tor users to change Firefox versions when adopting a new Tor Browser Bundle.

TorButton sets "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" as the user agent instead of the actual version. Also, some of the Firefox updates contain security fixes.

However, new bugs could be introduced in later versions, but there isn't much you can do unless Mozilla decides to maintain a long term support version (other than the 3.x series which requires polipo), or the TorProject backports the security patches.

Actually these are pretty good questions.

I myself don't use or update TOR that much. I mainly just use it so I can keep up on how it works just in case I go to some other country where I'll want more anonymous browsing.

For Windows users I'd recommend installing within Sandboxie. This way if you don't update then any security holes that don't get patched won't (shouldn't) get to your main system. This way if TOR decides to stick to one Firefox version for awhile like the above poster said, then it won't matter too much from a browser security standpoint.
It might make it much easier on you guys to lock down the security.

I mean with NoScript and TorButton working in conjunction, it should really help.

I’ve always used the Vidalia Bundle with Privoxy, but decided to try Polipo. It seemed to work, but then I ran across this in your General FAQs (I think the most updated one):

https://www.torproject.org/docs/faq#TBBPolipo

I need an HTTP proxy. Where did Polipo go?

In the past, Tor bundles included an HTTP proxy like Privoxy or Polipo, solely to work around
a bug in Firefox that was finally fixed in Firefox 6. Now you don't need a separate HTTP proxy
to use Tor, and in fact leaving it out makes you safer because Torbutton has better control over
Firefox's interaction with websites…..

If that fails, feel free to install privoxy or polipo. You can use our old polipo config file if
you like. However, please realize that this approach is not recommended for novice users.
--

Is this still true for 8.0.1 or 8.0 Final, you really do NOT need Polipo with the Vidalia Bundle?

------------------------------------

“………My other concern is regarding Javascript and webbugs. Noscript comes with webbugs enabled! One has to manually disable it in Noscript preferences. Again, how many users are aware of this?”......

Actually this is a good question and I found this after I read your post; https://trac.torproject.org/projects/tor/ticket/3975
------------------------------------

“……I have a question: Is it considered risky to update add-on's like HTTPS Everywhere and NoScript before a TBB update gets released with the new updated versions included? Is there some sort of security audit you put these though before including them in the release and can this sort of add-on leak identifying info and IP address through bypassing Tor like some plug-ins can?”......

I’d like to know about this also.

---------------

I'm also getting an error, granted I'm using Sandboxie and fully installed the Tor Browser Bundle, but the 2nd time I ran it after I imported my bookmarks.json I was getting a Sandboxie error. But it still seems to be working right. Maybe it's that QT one others are getting?

On a side note, I've always used this site to check my anonymity; http://www.stilllistener.com/checkpoint1/
With Privoxy before, I've always gotten a grade letter at the bottom. Now when I tried Polipo and then this Tor Browser Bundle, I am not getting that anymore. I haven't used TOR for a little over a month, so I don't know if he got rid of that feature or the new things I'm trying just don't let it grade you. 95% of the time I always seemed to get an A-; a few times I got a C.

Thanks for the wonderful work on this though.

November 27, 2011

Yo you know with like Brazil banning exit nodes and trying to block tor exits... tor needs hidden exit nodes that aren't just broadcast

Also can we have a config option for 4 hops please, or some way to config arbitrary hops if we want slow connection and maybe a way to say 3-4 hops so it's random like (or x-y hops).

November 29, 2011

I tried to replicate the spypig issue on Windows with 2.2.34. I've sent an email using Tor from a web-based email to another email. My real IP address was never revealed.

However, while trying to paste the image into an email, I opened it in a browser window and next I received a notification from spypig (without reading the mail) containing the exit node IP. Could it be that you opened the image from your real IP and that is why you have received the "who is" notification?

Anyway, I have not tried to replicate the issue with the 2.2.34-3 version.

November 29, 2011

I can't be the first person to wonder this, but how come this blog isn't available as a hidden service? I think this great content deserves to be accessible from inside of the onion without using an exit node.

November 30, 2011

Thank you for the advice re my concern. The following was what I did step by step. My system is OSX 10.6.8. Please forgive my long post. I am an average computer user.

1. I have a normal gmail account which was NOT opened through Tor.

2. I have an account at yopmail.com where one does not have to register for an
email address.

3. I compose a test email using my gmail account.

4. I visit spypig.com. From there I drag a tracking small image to the body of the
test email I have composed.

6. I send the email to my yopmail.com account which I visit through Tor. There I am
advised I have to enable both javascript and cookies to read my email.

7. I enable javascript and cookies. I see a button saying: 'download image'.

8. As soon as I click on the button a notification email is sent to my gmail account advising
me that my mail has been read! It contains the recipient IP address. The shock
is that it is my REAL IP address giving the full name and address of my ISP.
I expect it to be the IP address of the exit node I am using when I am reading
the email I sent to my yopmail.com account.

Of course to avoid the 'read notification' I simply do not download the image! But
what if it is an email from someone else? What if the image (it could be as small
as a webbug) is automatically downloaded as soon as I open the email and I do
not have to click on anything else?

I post comments on articles in a newspaper hosted in an autocratic country. I
use the yopmail.com account as my ID address. If the newspaper wants to know where
I am and who I am, it simply has to send me a nice email with a tracking image and I am
toast! I am starting to get paranoid about the pictures there because most articles
are accompanied by a picture and one has to click on it in order to read the article.

Also, the fact that Apple (or Microsoft for PCs) is contacting computers all the time
for all kinds of maintenance jobs means that Tor users are not anonymous. I do
not think I am experienced enough to use Wireshark. I read about Tor all the time
at the torproject.org but I admit I skip the bits I do not understand. The Torbutton FAQ
is Greek to me!

I have started to read about Tails but it looks more complicated than Tor! My hunch
is that when one is using Tor at sensitive websites one has to be very very careful. I
think that the various anonymity test websites are useless because one does not
know what is happening in the background. Can Tor warn when 'something' has
bypassed it?

Thank you.

You must have accessed the "tracking" image before you got it on yopmail.com; for example, you looked it up on your GMail account in the "sent mail". Or you disabled Tor.

In your part 4 you did not state if you were visiting spypig thru Tor or not.

"4. I visit spypig.com. From there I drag a tracking small image to the body of the test email I have composed. "

It is obvious you are a n00b of the most dangerous order -- the n00b who doesn't want to read documentation.

Go read a book and then come back here to try and absorb some information.

December 04, 2011

In some countries the use of Tor is illegal and if caught the consequences can be painful indeed. The ISPs of these countries try to block all Tor exit nodes and also all bridges if they can detect them. My question is: Why is the word 'tor' allowed in the names of a good percentage of exit nodes? Does not this make it easier for these ISPs to detect and block them?

December 04, 2011

TBB was running fine on Mac OS X 10.6.8, then suddenly the speed slowed down, and as I tried to get a new identity the whole system crashed and I got a black screen of death; I had to force a shutdown by holding the power button. No log files about it in the console.
Can anyone help? Thanks.

December 04, 2011

While going through the limitations that Tor might have, we came to a discussion about the case where an adversary has control of both entry and exit nodes in a country (the case is Syria here) and might have the equipment to analyze the traffic between entry nodes and exit nodes to identify who connects to what.

what is the probability (for a user inside country X) to be routed to connect to an entry and an exit node both inside country X and for how long this route can remain?

of course we know about the configurations that can be set in torrc to exclude nodes from Syria
example
ExcludeNodes {sy}
StrictNodes 1

But the question remains: we need to know the probabilities of the worst-case scenario for those regular guys who don't know how Tor works or don't know how to set these settings.
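
Added example (not part of the comment above and not Tor's own code): a simplified model of the probability asked about, that a circuit's entry and exit relays both sit in one country, with and without `ExcludeNodes`. It assumes plain bandwidth-weighted selection plus the rule that one circuit never uses two relays from the same /16; the relay list, addresses and weights are constructed, and `Relay`, `p_entry_and_exit_in` and `naive_product` are hypothetical names.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Relay:
    name: str
    country: str    # two-letter code, as in torrc's {cc} syntax
    addr: str       # IPv4 address
    weight: int     # bandwidth weight used for selection
    is_guard: bool
    is_exit: bool


# Constructed sample data, NOT a real consensus.
RELAYS = [
    Relay("r1", "sy", "10.1.0.1", 10, True, False),
    Relay("r2", "sy", "10.2.0.1", 20, True, True),
    Relay("r3", "sy", "10.2.0.2", 10, False, True),
    Relay("r4", "de", "10.3.0.1", 60, True, True),
    Relay("r5", "us", "10.4.0.1", 100, True, False),
    Relay("r6", "nl", "10.5.0.1", 110, False, True),
]


def conflicts(a, b):
    """One circuit never uses the same relay twice or two relays in one /16."""
    return a.name == b.name or a.addr.split(".")[:2] == b.addr.split(".")[:2]


def p_entry_and_exit_in(relays, cc, excluded=frozenset()):
    """P(entry and exit both in country cc); exit is picked first, then entry.

    `excluded` models ExcludeNodes {cc} with StrictNodes 1: those relays
    are never used in any position.
    """
    usable = [r for r in relays if r.country not in excluded]
    exits = [r for r in usable if r.is_exit]
    total_exit = sum(r.weight for r in exits)
    p = Fraction(0)
    for e in exits:
        if e.country != cc:
            continue
        guards = [g for g in usable if g.is_guard and not conflicts(g, e)]
        total_guard = sum(g.weight for g in guards)
        if total_guard == 0:
            continue  # no legal entry relay for this exit
        in_cc = sum(g.weight for g in guards if g.country == cc)
        p += Fraction(e.weight, total_exit) * Fraction(in_cc, total_guard)
    return p


def naive_product(relays, cc):
    """Exit share times guard share, ignoring the per-circuit constraints."""
    exits = [r for r in relays if r.is_exit]
    guards = [r for r in relays if r.is_guard]
    exit_share = Fraction(sum(r.weight for r in exits if r.country == cc),
                          sum(r.weight for r in exits))
    guard_share = Fraction(sum(r.weight for r in guards if r.country == cc),
                           sum(r.weight for r in guards))
    return exit_share * guard_share


if __name__ == "__main__":
    print("default path selection:", float(p_entry_and_exit_in(RELAYS, "sy")))
    print("naive share product:   ", float(naive_product(RELAYS, "sy")))
    print("ExcludeNodes {sy}:     ",
          float(p_entry_and_exit_in(RELAYS, "sy", excluded={"sy"})))
```

With real data the weights would come from the network consensus; the model leaves out relay families and position-dependent weighting, both of which also shape the result.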