New Tor Browser Bundles

The Tor Browser Bundles have been updated to Firefox 9.0.1. Originally they were updated to Firefox 9 and both changelogs are listed below.

Tor Browser Bundle (2.2.35-3)

  • Update Firefox to 9.0.1

Tor Browser Bundle (2.2.35-2)

  • Update Firefox to 9.0
  • Update Torbutton to
  • Update Noscript to 2.2.4
  • New Firefox patches
    • Provide client values only to CSS Media Queries and disable several Mozilla extensions that seem fingerprintable

i think this depends on choosing the most common headers (fingerprinting) versus early adoption of progressive concept.
but afaik, DNT has no enforcement, and abusers do not obey when disobeying incurs neither carrot nor stick. So Do Not Track is effectively only pr fluff.

fingerprinting is a poor argument: Tor users already stick out because exit node IPs are public and no one else is still on Firefox 5.0. Look at the adoption curve, the most common user agent will always the latest stable followed by the long term release (currently 3.6 soon to be version 10).

DNT is not just fluff. Honest players (and those that are so big that they are kept honest by their competitors, NGOs and govs) will respect it sooner or later. Sooner if more people use it. Only a reason to enable it by default.

1. NGOs often operate more openbooks, but NGOs aren't significant on the net.

2. By shame-able government, you mean Dick Cheney's government? Ayatollah Khomeini's? Hugo Chavez's? Mugabe's?

3. To profit-making decision-makers, DNT was never more than a one-time laugh. They knew better than to even TRY using DNT for false marketing.
Exhibit 1: f@cebook
As long as many fools feed f@cebook with data, f@cebook will be a juggernaut.

Either government or business (DNT misuse or non-use) would quickly smother NGOs faithful use. So quickly, that both government and business would smother NGOs imperceptibly faster.

Tor could enable DNT only if FF enables by default, but as you write, Tor users already stick out... (from other firefox visitors)
And DNT is just cruft that will disappear 'quietly' from mozilla code within a few years.
So, Tor should always disable DNT, to prevent DNT becoming a tell tale between different tbb versions when DNT disappears.


December 23, 2011


Why Google search is not SSL enabled ? There is a search addon for it. And why there is no duckduckgo search bar?

you could edit the searchplugin xml.
or to
to avoid your edit being overwritten,be sure to
1. delete the Update lines (delete autosuggest lines also, if you dislike Suggest)
2. rename the searchname(s)
3. rename the xml file
I do all 3, but maybe only #1 is necessary.
#3 prevents you forgetfully replacing your edited xml. Firefox installer from overwrites the complete searchplugins folder (in install folder, but leaves alone searchplugins folder in your profile)

Googlebar Lite has option for
you could hack Googlebar for Seamonkey.
Internet Explorer search engines are in registry SearchScopes.
for Opera and K-meleon, you can easily edit search engines in prefs UI, or in editor when browser shut down.


December 23, 2011


Hi, my Persian blog Tor of yours? In terms of security and you confirm it? is definitely AES-256-bit SSL-enabled, with no errors under restrictive NoScript and RequestPolicy environment.
However, as of December 28th, the page is inaccessible, displaying that it is temporarily unavailable.

Bug in Firefox from 2.2.35-3 bundle.

Part of the top of firefox is not showing. The close, minimize and restore buttons area is only showing black with not buttons showing on my Windows 7 Home Premium 64bit.

I have this problem too. Win7 64 bit

Same here on 2 diffrent PCs.

Same with mine (Win 7) but I 'fixed' it by adding an Add-on skin.

Same problem 2.2.35-5... feb 8th now, 2 months... can we get this fixed?

Using TOR browser bundle 2.2.35-3 in Windows Vista, I find that if I use Aurora with the 'Menu' bar unticked (ie hidden) then I only get a black box in top right of browser page where the maximise/minimise/cancel buttons normally are.

Ticking the 'Menu' bar gives access to the buttons.

This doesn't happen in the Linux version (I'm using Puppy).

Anyone else noticed this?

how the hell did you find that one out! nice job dude.....:))

I am getting a blank black square where the close/minimize buttons should be on aurora.

minimize, close & restore icons are not visible

Thank you very much for the updated TorButton Am using it with Mac OS 10.6 with Firefox 9.0.1. Works very well for enabling Tor.

But there is an odd complication.

When this add-on is enabled, I can't copy images to the Desktop! That is, when I grab and drag an image to the Desktop, no image file is created there (or anywhere, as far as I can tell). Doesn't matter if Tor is enabled or not. Copying images to the desktop just doesn't work. Works just fine, as usual, when I disable the TorButton add-on.

Does anyone else see this?

Correct, this version fixed a privacy leak where if you drag images/urls from firefox to the desktop, some people noticed their systems bypassing tor and directly getting the image/url.

That's fine, but when Tor isn't enabled (such that you've decided that you DO want to bypass Tor), it should let you drag images to the desktop. It doesn't. As I said, enabling Tor via Torbutton isn't what makes this problematical, it's simply having the Torbutton plug-in installed on the browser. While Tobutton is really very nice as a quick entry to Tor, this problem is a strong disincentive to me for keeping Torbutton installed.

I guess I have to install it every time I want to use it, or use a different browser for copying images from the desktop. I guess I could keep two versions of FF around. One with TorBrowser installed, and one not, but that really seems like an inelegant solution.

I can drag urls from tbb into text editor.
I keep a text file ready. I save the text file before using a batch file that runs wget.
these are minimum wget options

--user-agent="Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"

i use the port 8118 so wget goes through polipo.
wasteful drawback is that if the file download is an image in web page, wget is downloading it a second time.

but I just now tried right click "save image as..", and it downloads and opens in image viewer. the only strangeness is that the download manager shows nothing downloaded.

(windows xp)

When trying to save image files (JPG, JPEG, GIF, PNG) I continue to *intermittently* get "Warning: External application required...".

Sometimes I've gotten this warning even when merely trying to *open* such images in a new tab or window within TBB.

HI Erinn,

I've had intermittent problems with a "Load external content" pop-up using the previous browser bundle but since installing the 2.2.35-3 browser bundle a coupla days ago I cotinually get this unwanted pop-up every time I click on "Save this link" which I've been using for the past mumblety mumble years.

Now I gotta use "Save image in new tab" which involves a lot of manual opening and closing of tabs and I fear I may inadvertently miss an important message while working this labour intensive system as my deadline approaches.

Is there a way around this pop-up please?


The prompt should allow you to 'always' allow the content launching, which in reality just brings up the native firefox save/load options.

I "hear" you but The warning given on this pop-up - viz: "NOTE: External applications are NOT safe by default and can unmask you!" is therefore simply a device to keep your brother-in-law out of mischief and has no actual bearing on the matter? And when my organisation is "unmasked" y'all gonna explain to the judge you wern't "serious" or what?

To my mind your reponse in answer to my very serious query is dismissive and inadequate and I expect you to see it in that context please. Either a warning is meaningful or it should be dismounted.

I look forward to your full and adequate reply please...

Is the pop-up redundant or not? *Should* is not a response!

So then why the warning in the first place?

Isn't using "the native Firefox save/load" options safe?

An annoying black rectangle appears instead of the browser's window buttons.

Are there any issues with using a separate, "non-Torified"/non-proxied browser (for non-sensitive browsing) simultaneously with TBB?

For example, let's say I'm browsing with TBB and I decide to look-up a neutral word or term. Since I don't need the cloak of Tor for this, I'd prefer to use a sep. browser that will use my direct Internet connection, as doing so will be much faster (and will also spare the Tor network some unnecessary extra load). Is there any risk to doing this? (Other than the obvious one of getting mixed-up and using the non-Torified browser for something I intended to use TBB for)

What about using the other browser to log-into an email, bank or merchant account tied to one's real identity?

I could see a possible risk with doing anything like this simultaneously with running Tor but I don't know enough to really have any idea just how great such a risk would be, or even if it would truly exist in the first place.

Could someone please answer this very intersting question. Thx!

I know you do not recommend adding plugins but, what about lastpass.

Just installed Tor Browser Bundle (2.2.35-3) and Portable Firefox's main window buttons have disappeared! See following screenshot for more:

Regarding the missing buttons in Portable Firefox (Aurora) 9.0.1 (see my previous comment), just wanted to add that I'm using Windows 7 Professional SP1. Also tried adding themes, resetting toolbars, running in safe mode, pressing F11 repeatedly etc., but nothing worked.

Thank you

You guys should really create a forum with anonymous posting allowed. Where you can post without having to register and posts have to go through approval the same way as here on the blog.

How hard can it be just get one of the open source forums and install on the torproject server. Enable SSL encryption.

It would be nice to have a bit of organized discussions about privacy, security, new tor releases....

Posts on this blog are confusing and it's very hard to see who's a tor programmer since almost everybody posts as "anonymous". Not that there's anything wrong with that but it would be more credible to get responses from a registered tor dev on a forum.

We're working on it, see The problem is generally twofold:

1. finding forum software that isn't filled with exploits
2. finding forum mods willing to pay attention to the forums to filter out spam and stop stupid conversations about conspiracy theories and alien invasions. Or at least moving the latter to topics out of the normal forums.

what "exploits" are you talking about? Most people posting will generally be using Tor any way, so their privacy or security can't really be exploited. ALL boards have anonymous posting option usually with CAPTCHA module. Just install the board already. It should be easy to run over SSL, I'm assuming you have a dedicated IP for along with SSL certificate. Most boards allow you to easily set up SSL.

phpBB is a good choice and it's open source.

Please install a forum already. all this posting back and forth comments on blog posts is confusing !!

I basically could ditto everything you wrote.

Just one thing, though:

"it's very hard to see who's a tor programmer since almost everybody posts as "anonymous"."

I believe that when the devs post, they always use their name. For all other posters, the default posting name of "Anonymous" does not even seem possible to change. So unless someone went to the trouble of actual hijacking the site, impersonating a dev doesn't even seem possible.

Something is wrong with the browser skin, it has reverted to being opaque.

I believe you can fix this by clicking 'Remove' for your skin at 'Appearance' tab under Add-ons, and click the 'Undo' button when the removal is a success.
Restart the browser.
Works for me at Windows 7 32-bit.

The fact that my post about the missing Forbid "web-bugs" option in this version of Noscript for this new version of TBB makes me wonder........

Since comments are blocked in the "Thank you to our donors" post I'll comment here.

Maybe the Tor Project should focus on what it can do without more money to improve the performance of Tor, like encouraging Non-Exit Relays to be Exit Relays for at least Web and Secure Web pages. Please don't rely on the "There will be abuses" excuse because for Web pages there are few.

I can only hope that a dev will very soon make a post here acknowledging the issue with the Aurora maximize/minimise buttons, etc. that so many posts here report.

I have problems with graphics, like when I click the SSL encryption button next to URL it is transparent and barely visible.... Is this just a graphical problem or is there something more?? And is it a problem with the tor browser bundle or with firefox (aurora) 9.0.1?

black square where minimize\cloze!!11 i posted that with screenshot about 3 weeks ago but message deleted

I'm new to all this, but I am running the Tor Browser Bundle, and it works fine. The problem is that in today's world, a flash player is almost an essential item, especially if the information is on YouTube or something similar.
I read that installing software can disable your protection, and I'm sure that includes Adobe Flash player, but how badly or predictable is the damage done by installing this software? Is your anonymity totally disabled?

I don't know anything about this stuff, I can't imagine how someone can track you by running a YouTube video. I would think that Adobe is concerned about abuse using it's software, but maybe not.

Recently TOR Doesn't Work in Iran
I try Tor bridge but this isn't successful too

Doesnt work at all. Browser crashes. I guess People dont know who I am online because I cant be online with this torrent. NOTHING happens PLEASE FIX.