New Tor Browser Bundles

The Tor Browser Bundles have all been updated to the latest OpenSSL 1.0.1c. All users are strongly encouraged to update.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-12)

  • Update OpenSSL to 1.0.1c
  • Update Libevent to 2.0.19-stable
  • Update zlib to 1.2.7
  • Update NoScript to 2.4.1
Anonymous

May 12, 2012


When I start TBB 2.2.35-12, the start page still says I have to upgrade.

Also, the displayed fonts for webpages have changed but the settings in the browser are the same as the earlier version I was using (TBB 2.2.35-8). Anyone know how this can be corrected?

"When I start TBB 2.2.35-12, the start page still says I have to upgrade."
Same here on Vista x64. If I then get check.torproject.org from torproject.org, the browser displays without the upgrade notice. A bug?

First, TBB 2.2.35-13 is out, so it is right that you should upgrade.

As for the bug, Torbutton in TBB loads https://check.torproject.org/RecommendedTBBVersions and checks if its version is in the list. It then sends you to the "you need to update" page if needed. So Torbutton in TBB is the one checking if you're up to date, not some magic run on the check.torproject.org side.

"So Torbutton in TBB is the one checking if you're up to date, not some magic run on the check.torproject.org side."

Gee, that "magic" sounds crabby... I was mystified by the removal of the "check Tor" link on the home page, to which we peasants were referred to previously. As I said in my prev. comment, when I ran check.torproject from there it returned a clean browser screen. That's what led me astray - I wasted time looking for the link to check.torproject.org rather than going to the download page.

I generally run my bridge from the vidalia bridge bundle, so lose track of the TBB updates. I run the bridge from the TBB only when I need the browser, and it seemed to me that ver .13 came along right quick after .12.

BTW, the ver. no. doesn't seem to be included somewhere in the documentation of each version. Maybe it shows up in the program list in Windows control panel - I wouldn't know as I don't install either of these packages to the default locations & so they don't show up in the list.

Anyway, this blog thread has eased my overactive securityitis. Live & learn.

Anonymous

May 13, 2012


"Update OpenSSL to 1.0.1c"

If OpenSSL was updated, why does my Tor Browser Bundle
(2.2.35-12) for Linux 32-bit show:

libssl.so.1.0.0

in ~/tor-browser_en-US/Lib directory?

md5sum:

d774c0f5ea0762271a814fecdf921c97 libssl.so.1.0.0

That looks scary I agree, but I think it may be ok. It's common to not bump library so filenames, so it's easy for other applications to symlink to them and to check if they (and thus the major version they represent) are present.

In the 64-bit case, build-trees/build-alpha/x86_64/openssl-1.0.1c/libssl.so looks like a symlink to libssl.so.1.0.0, so that's a good sign. I encourage more people to investigate of course.
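
One way to settle the question above is to read the release banner compiled into the library instead of trusting its file name. This is an added example, not part of the original comments or of Tor's build tooling; it assumes the build embeds a banner of the form `OpenSSL 1.0.1c`, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# List the OpenSSL release banners embedded in a shared library,
# regardless of what the file (or its soname) is called.
embedded_openssl_versions() {
    lib=$1
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 2; }
    # -a: scan the binary as text; -o: print only the matching banner.
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' "$lib" \
        | sort -u
}

# Succeed only if the library carries exactly the expected release.
# Return codes: 0 match, 1 mismatch, 2 unreadable file, 3 no banner found.
check_openssl_version() {
    lib=$1
    want=$2
    found=$(embedded_openssl_versions "$lib") || return 2
    [ -n "$found" ] || { echo "no OpenSSL banner in $lib" >&2; return 3; }
    if [ "$found" = "OpenSSL $want" ]; then
        echo "OK: $lib contains OpenSSL $want"
    else
        echo "MISMATCH: $lib contains: $found" >&2
        return 1
    fi
}

# Demo on a constructed stand-in file (not a real library): the name says
# 1.0.0, the embedded banner says 1.0.1c.
demo_dir=$(mktemp -d)
printf '\177ELF\001\002pad\001SSLv3 part of OpenSSL 1.0.1c 10 May 2012\001pad' \
    > "$demo_dir/libssl.so.1.0.0"
check_openssl_version "$demo_dir/libssl.so.1.0.0" 1.0.1c
rm -rf "$demo_dir"

# Against the bundle discussed above, the call would be:
#   check_openssl_version ~/tor-browser_en-US/Lib/libssl.so.1.0.0 1.0.1c
```

A mismatch or a missing banner is the signal to investigate further; a match only shows which release string was compiled in, not that the file is authentic, which is what the package signature is for.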

Anonymous

May 13, 2012


Installed and re-installed 2.2.35.12, yet the Tor homepage says: "There is a security update available for the Tor Browser Bundle." Also, the minimize, maximize buttons are totally blacked out and the security details pop-out (via the URL button) doesn't render properly.

The minimize, maximize buttons can be restored by disabling the Firefox "App Button" by right-clicking on one of the bars at the top of the browser. Doesn't solve the problem entirely, but good enough.

I did an update from 2.2.35-8 to 2.2.35.12

There is something wrong with the graphic representation in Firefox. Close/Minimize buttons are missing.

Firefox is grey even if I choose a different colour for my windows.

Win 7 / 32bit

Keep an eye on https://trac.torproject.org/projects/tor/ticket/4795 for progress. We could sure use some help if you know any Windows developers!

new version keeps crashing pc??? any help?

Is https://trac.torproject.org/projects/tor/ticket/4956 relevant?

That is, do you use any Kaspersky products?

I can't use the new tbb
it keeps crashing my pc
plz help!!??

Still black buttons on torbrowser..why don't u fix this bug?

Because we don't have enough developers who care about Windows. Please help!

https://trac.torproject.org/projects/tor/ticket/4795

I'm sorry arma, but that's such a poor answer I almost spit out my coffee. While it may be true, it's not acceptable. Especially considering (I'd assume from how many people use Windows, worldwide) that ~>80% of your users use Windows.

Just because it's hard doesn't mean Tor devs should stick with low-hanging Windows fruit. If you don't have people that want to work with Windows, then stop shipping Windows software...(and doesn't that sound asinine?)

This bug NEEDS to be fixed, and soon. Like I wrote on the bug tracker, some (most) Tor devs see the trees, but not the forest. This is a major issue, it's not only about minimize, maximize, and close; it's about SSL cert info, bookmark features, and etc.

I offered to donate more than $500 to get this fixed, and soon. Why not make some sort of bounty system for Windows bugs you all don't want to "waste" your time fixing? Kind of like what I2P2 does, wrt goals and bugs. That way you can have Windows users donate just to some Windows specific bugs some Tor devs apparently think are below them, or at least think the bugs don't matter because they don't use Windows.

Ok, I misspoke a little bit. It's not that no Tor developers care about Windows. We certainly want our software to be usable, even on Windows. It's that developing well for Windows is really hard and no Tor developers are any good at it. And it shows.

Somewhere out there are good Windows developers, but we sure haven't been good at finding them.

Right click the title bar and make sure menu bar is checked.

Not the title bar; pull down torbrowser > hover over options, to check the menu bar. I don't use the menu bar myself, but to minimize or close I just guess where in the black to click. I appreciate the work the devs do and am more about functionality than chrome.

Just running this release of TBB for the first time right now, when I noticed the following.

Add-ons Manager says,

"HTTPS-Everywhere will be updated after you restart TorBrowser."
(Installed version of HTTPS-Everywhere is reported as 2.0.2)

Checking under "Tools for all add-ons", I find that "Update Add-ons Automatically" is indeed checked.

Is this supposed to be?

I recall past comments, from phobos* in particular, about the need for add-ons to be reviewed by the dev team in order to be sure they won't leak identifying info in any way.

(*Anyone else remember the good old days when phobos would actually answer questions people had posted to this blog about Tor Browser Bundle?)

Mike Perry, the Torbutton guy, is a developer on Https Everywhere too. So in this particular case it should be ok.

Mike is similarly keeping an eye on the other extensions that TBB includes. You're right to wonder if some update will introduce a problem, but at the same time, sometimes updates are really important. On the whole, now that Torbutton is good at forcing updates to do their update via Tor, I think it's better to let updates happen than to never let them happen.

In the distant future, when Thandy (the secure updater we've been working on forever, which is all ready to go except we don't have enough packaging people to get it deployed) is in action, maybe we will reconsider.

Thank you, arma, for this response.

Much appreciated.

Is there a reason why HTTPS Finder is not included along with HTTPS-Everywhere, to complement it?

(And, for that matter, why there seems to be no mention of HTTPS Finder on the EFF pages for HTTPS Everywhere?)

HTTPS Finder causes a lot of websites to break, and the HTTPS Everywhere rulesets that it produces are (currently) too buggy to be included in HTTPS Everywhere in most cases.

If HTTPS Finder could be improved so that it produced rules more like the ones that human authors produce, it could be good to encourage wider use of it. But at the moment, it tends to create more hassle for us than it's worth.

Thank you for that explanation.

When you say, "us", it clearly implies that you are one of the Tor devs.

Is there a reason you didn't identify yourself as such?

As in the previous release, "network.websocket.enabled" is set to "true".

Would a Tor dev please clarify whether or not this is cause for concern-- a number of posts asked this very question in the thread for the previous security release.

Thank you.

Thank you for the assurance.

Tor still doesn't work for Mac 10.5

We have reports from 10.5.8 users that it does work for them now.

What doesn't work for you?

The Icon just bounces on the dashboard and then disappears. I had the TBB installed before but decided to just update it and delete the old one. Bad choice on my part.

Are you aware of the risks of using a deprecated TBB?

On M$_WinXP Pro, the new version ( & the one previous ), hung the computer completely. Cold restarts the only recourse ..

Reboots yielded the same result.

No indication that this is the ISP ( Virgin ), refusing the connection, but I think not, because latest TOR on Linux elsewhere on a Virgin ISP connection, seems fine. Same goes for all the previous versions ..

Wonderful work. Long may it continue

Please provide a snail-mail address, for a permanent subscription - better for us all, than a mere one-off donation !

The Lurker

New browser bundle 2.2.35-12 won't install on Vista

Details? Most people seem to have it working fine.

Has the torproject moved to another site?

What do you mean another site? No, it's still on torproject.org.

I have a question regarding the 10 minute interval for circuit reuse. From the wiki:

How often does Tor change its paths?

Tor will reuse the same circuit for new TCP streams for 10 minutes, as long as the circuit is working fine. (If the circuit fails, Tor will switch to a new circuit immediately.)

Can Tor be configured to generate a new circuit more often, say every minute?

Thank you,
Chris

Yes. See the MaxCircuitDirtiness option in the man page.

TorBrowser doesn't seem to retain cookie exceptions (white- or blacklisting) after restarting the Tor Browser Bundle. Even if I turn on(!) all the history settings, it keeps all my history...but still my cookie whitelist is emptied the next time I start the Tor Browser Bundle.

Using the latest version.

Is this a bug or expected behavior?

Has the Vidalia Bundle been updated as well?

Helix tells me "yes".

The system tray onion icon for the Tor Browser Bundle does not display on the most modern Ubuntu systems, under Unity, you might want to fix that.

Effectively this error means you'll have to make sure the Vidalia interface is checked, as it is by default, to auto-display, (and make sure not to ever close its window, or controls good bye,) as the systray icon always fails to display.

Boot out of Beanbag debian and Arch and give it a dealfixing shot, no offense of course.

See https://trac.torproject.org/projects/tor/ticket/3255 and https://trac.torproject.org/projects/tor/ticket/3058

The issue appears to be that Unity has a whitelist of applications that are allowed to show icons, and Vidalia uses Qt, and there's a bug in Unity that basically ignores all icons from Qt apps:
https://bugs.launchpad.net/ubuntu/+bug/773307

Perhaps bug your Ubuntu developers to address that bug?

Anonymous

May 18, 2012

In reply to arma

Original parent poster here: Good, and informative answer. Thanks.

The Vidalia bundle for MacOS Intel 0.2.2.35-0.2.17 utterly lacks Polipo, failing to bootstrap the proxy during start. Someone screwed up in the building of Vidalia.

Downloaded from: https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.2.35…

Signature checks out.

It is supposed to lack Polipo. We dropped Polipo a while ago.

What part fails to bootstrap?

Sorry, I hadn't followed that, I update very sporadically, and specifically use Vidalia instead of the browser bundle.

Vidalia still has a config setting to start a proxy service, with that failing, tor starts up fine but throws an error since /Applications/Vidalia.app/Contents/MacOS/polipo doesn't exist, and neither does /Applications/Vidalia.app/Contents/Resources/polipo.conf.

Vidalia.conf in ~/Library/Vidalia, was updated, but it appears the references to Polipo were left in place. So, I'm not sure the upgrade went quite correctly. I'll do a little more digging.

Also, you may want to have someone update your documentation at https://www.torproject.org/docs/tor-doc-osx.html.en It still claims that Vidalia bundles polipo, and still says you should point your application at the SOCKS proxy at port 8118. Which, since there is no proxy bundled with vidalia anymore, isn't open.

Either way, Vidalia appears to be broken.