New Tor Browser Bundles

The Tor Browser Bundles have been updated with a bunch of new software: Tor 0.2.2.37, Vidalia 0.2.19, and we have switched to using Firefox's long-term stable release (10.0.5esr).

https://www.torproject.org/download

Tor Browser Bundle (2.2.37-1)

  • Update Tor to 0.2.2.37
  • Switch Firefox to 10.0.5esr, since we will be tracking the extended stable releases for TBB stable versions
  • Update Vidalia to 0.2.19
  • Update Torbutton to 1.4.6
  • Update NoScript to 2.4.4
k239

June 13, 2012

Thank you for the switch to FF10.

But this is what startpage is telling me when I try to search:

> We have recently received a large number of searches coming from your computer or others on your local network in a very short time frame. In order to protect our service against automated "screen scraping" software programs, your access to Startpage's search has been paused for approximately one hour.

> If you were using Startpage normally, we apologize for the inconvenience and will be able to lift this pause if you phone us at (212) 447-1100 (USA). Alternately, if you were operating a "screen scraping" program, you may phone us to work out an arrangement. You can also contact us at: autoquery @ startpage.com

I never had anything like that with DuckDuckGo. Is it possible to switch the default? Using a search engine with issues like that would mean people will have to choose something from the list. And that is going to be a known and recognisable brand like Bing or Google.

k239

June 13, 2012

I checked http://ip-check.info with TBB and it shows the Tor exit IP address and then shows me my location as my city which is right...something is wrong

k239

June 13, 2012

With this release, https://panopticlick.eff.org reports

Within our dataset of several million visitors, only one in 6k browsers have the same fingerprint as yours.

Strange, this has changed from 4xx to 6xxx!

k239

June 13, 2012

Has the privacy bug in tor browsers been fixed yet?

Look at Ragnar's comment here:
https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton

The TOR browsers have been set up to do an unsettling thing on startup: Not only do they automatically (and unavoidably) go to a web site at startup (the torproject page saying that "Tor's working"), it does so with NoScript set to "allow all scripts globally".

How can this not be seen as a major problem for anyone who's serious about privacy? For TOR to be taken seriously, this forced "site visit" with scripting deliberately turned ON has to be eliminated.

So I repeat my question: Have the very latest Tor browser bundles 1) removed the mandatory URL visit and 2) set NoScript by default to "Deny all scripts globally"?

Please advise.

We use the url visit to pull down a list of currently recommended versions, and locally compare the current version with that list to see if we should tell the user to upgrade.

Tell us a way to use javascript to deanonymize the user? Currently we leave it on for usability (there are already enough people saying Tor is hard to use).

You're welcome to reconfigure noscript to disable scripts for you. It'll sure make the web less fun.

"For TOR to be taken seriously, this forced "site visit" with scripting deliberately turned ON has to be eliminated."

I agree. I hope it is fixed and soon.

How?

The Tor developers could make it so the browser loads a local page upon first run, providing the option of loading the tor check page or not. A local value could be saved. If Yes, it checks once, if No, it never checks. Or, a happy medium: check X amount of times in X amount of hours/days/weeks.

Another issue is usability. As a user, I want control over my TBB when it begins, runs, and ends. This control is taken from me and everyone else using TBB by this forced action on start-up. What's next? The slippery slope begins with such small steps.

"(there are already enough people saying Tor is hard to use)"

You can disable this automatic checking and inform the user they may visit the link for checks by clicking the Home icon. That wouldn't be difficult. If they cannot click an icon in their web browser maybe they shouldn't be using the TBB? Maybe they shouldn't be using a computer, either. Possible privacy/security vulns should not exist in the realm of possibility because some people are stupid.

Boo hoo! John Doe can't use Google, the included help files, or other documentation because they're just too lazy and want to mash buttons with their caveman forehead. It might be cute to feed animals at the zoo, but on the net there is plenty of information for the low brows to ingest themselves.

Maybe someone can post a reply and tell us how we can prevent TBB hitting the tor check page on start-up, before we have the chance to properly configure NoScript?

1) Your own TOR project people (not to mention every other technically savvy person in the privacy sphere) are the ones who have told us that allowing javascript during TOR usage can deanonymize a TOR user. I.e., this has been common knowledge for YEARS.

The idea that you force a version check in order to help the user rings hollow when you ship the tor browser to newbies with NoScript essentially turned off. (Setting NoScript to allow all scripts is substantially the same as turning it off.) Naive users (and even many veterans) will begin browsing without realizing that NoScript isn't denying scripting, which is a massive betrayal of users' privacy direct from torproject, the ones who profess to be competent and trustworthy and earnest in their desire to champion and protect privacy.

You say: "You're welcome to reconfigure noscript to disable scripts for you. It'll sure make the web less fun." I don't understand. That's the PURPOSE of NoScript. To turn scripting off until it's absolutely needed for a particular page or site. That's the reason you include it, presumably, in the tor browser, right? Because scripting IS an issue and needs to be turned off. Of course the web is "more fun" with scripting promiscuously turned on. We're all here because privacy and security take precedence over "fun", and that means turning scripting OFF until necessary, and even then, only temporarily.

2) You say to change the NoScript preferences myself. I would have liked to, but there is no way to change them BEFORE the tor browser does its suspicious forced connection to the web for the first time. Right? Could you tell us how to set our own NoScript and other browser settings before Tor forcibly connects to your web page? For example, is there a settings file somewhere within the tor browser package that will let me delete your forced URL before I actually run tor browser?

3) The TOR browser forces every user to connect to your web page every time it runs. For those who, for security reasons, operate using a freshly unzipped copy of tor browser for each internet session, this forced page visit is, so far as I can tell, unalterable until after it happens the first time. I.e., until it's too late. Again, is there a way to alter the NoScript settings WITHIN THE PACKAGE so that when I run it freshly unzipped before browsing, the settings are my own from the get go?
Thanks.

>You're welcome to reconfigure noscript to disable scripts for you. It'll sure make the web less fun.

Do you actually browse with scripts enabled by default on the same system that you keep sensitive data on/ perform critical tasks with?

I have privacy concerns as well about automatically directing users to the Tor Check Page every time Tor is started. While I cannot say specifically how it could be exploited, it creates a vulnerability someone could make use of if determined enough. The suggestion by one commentator of asking the user at the beginning of each Tor session whether he wants to visit the Tor Check Page is a good one, in my opinion.

As for NoScript, the bottom line is for something as complicated as computers, the user has to have a certain amount of technical knowledge to browse the web with privacy. There really is no way of getting around it, although it probably would be helpful to notify the user Javascript by default is turned on at the beginning of the Tor session.

This has been poorly handled, so far as I can see. At some point, the decision was made to _enable javascript universally without telling the end users_! This is in direct contradiction to the previously stated wisdom (on the Tor website) that Javascript can leak your IP address.
By making this change unannounced (so far as I can tell) the devs have, frankly, caused a good number of users (including myself) to be suddenly scared shitless when they've noticed that NoScript is allowing _all scripts_!
We need an official response regarding this change, along with an explanation as to the u-turn on the risks of Javascript.
NB: just to clarify - I'll actually be quite pleased if Javascript can now be used safely. But this should _not_ have been a stealth change.

When did we make the change? Javascript has always been enabled in the Tor Browser Bundle.

Are you confusing Java with Javascript? I bet you're not, but I bet a lot of people are.

Or perhaps you are surprised by the appearance of Noscript, since the javascript settings in TBB hadn't been clear before then?

It is the case that enabling Javascript exposes a larger surface area for bugs (and some of the privacy-related Firefox bugs lately have involved Javascript). But lots of things in Firefox have a large surface area.

Can you point to the places where we said that all Tor users should turn off Javascript? I remember, many many years ago, there were discussions where we were trying to figure out how dangerous it could be. Then Mike came along and expanded Torbutton to tackle Javascript risks (among many other issues).

You might like https://www.torproject.org/torbutton/en/design/ and https://www.torproject.org/projects/torbrowser/design/

And finally, I totally agree with you that we ought to be doing a better job of explaining how to be safe on the web with Tor. I wish we had enough time to both make it good and also explain it well (and as a bonus, package it well too). In the mean time I'll point you to the above two URLs.

I must confess to being unable to find any information on the Tor website regarding the security risks of Javascript. I know this weakens my argument. However, if I am mistaken, then I'm not alone: Anonymous poster from June 14th above also is quite strongly of the impression that Javascript was until recently "persona non grata" for security-conscious users:
"Your own TOR project people (not to mention every other technically savvy person in the privacy sphere) are the ones who have told us that allowing javascript during TOR usage can deanonymize a TOR user. I.e., this has been common knowledge for YEARS."
I'm confident that warnings against using Javascript came from your very own website, at least in my case - I'm no network guru, and this is not a conclusion I'd have reached by myself.
"perhaps you are surprised by the appearance of Noscript"
No, I was aware of it before its inclusion in TBB, and am confident it used to be set by default to disable all scripts. I can even recall one time when I tentatively set it to accept scripts on a particular site temporarily. I don't use Firefox or any of its variants in any other context, so I'm not confusing browsers.
"I wish we had enough time to both make it good and also explain it well"
I of course fully understand you're not exactly suffering from a surplus of labour :) It's not my intention to judge, only to raise my concerns at an (IMO) unexpected and possibly-unwise change.

This is a follow-up to a comment already in moderation, posted several minutes ago. From https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ:
"[A]ctive content, such as Java, Javascript, […] are binary applications. […] [W]e recommend disabling these technologies in your browser to improve the situation."
I understand that there's now a disclaimer at the top of that page. However, it only claims that the content of the page may "be old, incorrect, or obsolete." There's also no indication as to when that disclaimer appeared.

I'm so sorry, this is yet another follow up, now to two comments posted as replies to arma's comment.
The following page discussing Torbutton also addresses Javascript. In fact, it specifies it as the _first_ in the list of "Adversary Capabilities - Attacks":
https://www.torproject.org/torbutton/en/design/

I am first day user. Is it normal that Tor is so slow?

You have to define slow. It's slower than your normal browsing experience, that's expected. Your traffic runs through 3 different Tor relays. The relays you get are an important factor to your performance.

Consider that all relays are run by volunteers, so that bandwidth might be not as high as it would be for a server. The hardware might be a factor, too.

Also consider that Tor is pretty popular and has many users. The average performance shouldn't be too bad. Please keep using it.

It is indeed normal for Tor to be slow. Think about it. This is addressed in the FAQ.

I have the current tbb. I've used tbb before on an xp machine and had no problems. I recently got a 7 machine and now no .onion sites work. Clearweb works just fine. What am I doing wrong?

Your time, time zone, or date are wrong (probably).

"Switch Firefox to 10.0.5esr, since we will be tracking the extended stable releases for TBB stable versions"

This could be good, bad, or a mixture of both. I ask the maintainers of TBB to read this:

... Why Ubuntu is not using the Firefox ESR ...
http://www.chriscoulson.me.uk/blog/?p=111

Sections include:

Arguments against the ESR
- Over time, Firefox ESR will become less secure than Firefox
- The risk of introducing bugs is greater with Firefox ESR

Thanks for this post.

I eagerly await response from the Tor devs.

I think the main reason is because covering all the bases to make sure the bundle is operational and safe for everyone, with very little manpower to go over things, is very difficult, so using ESR gives them a greater chance to work on proactive problems instead of constantly keeping up with a new release every 5 minutes, along with putting it with vidalia and Tor...

I think they might agree that a perfectly implemented current release of firefox, vs ESR, might be the absolute best scenario, but that isn't the actual scenario... the real scenario is comparing ESR, where they have to deal with minimal changes and can focus on new issues, to frequent current releases which might be at risk of being improperly implemented plus sucking up more of their precious time and energy.

I'm not a dev though, just a user.

What you write certainly _sounds_ reasonable but I (and many other TBB users) simply don't have the expertise to properly evaluate and judge such arguments. (i.e., to judge which of the two options, overall, presents the lesser evil.)

This doesn't run on OSX Mountain Lion developer preview. The code signing information is invalid.

tor is the best thing happened to me !
so what is with this bs? probably im too stupid/lazy to figure this out.
pc-s running a quite stripped down w7, everything is fcking portable, been quite stable for a while, dont remember the timeline exactly, but like a week ago or so tor browser bundle pissed me off - earlier i could somehow set my start/homepage to something different from that freakin "YOU ARE USING TOR", and although this is a very important security issue, like i have read from the blog recently - the screen shit- like i said i somehow managed to show my start/homepage something different from that crap, i managed somehow to start TBB in a almost maximized screen resolution, but all the good/bad things must come to an end and there i am figuring out what the fck happened, who has the power to alter my portable installation?
oh, and the other question also - why is this tor bs startin up so slow? this is the fckin slowest shit on my pc, and i mean there only the browser startin time. tldr i guess ;)

oh crap, i just remembered that i had to enable COOKIES to post my previous sht

nothing to hide, nothing to worry about

hi just upgraded to the new tor 37.1

looks like all major websites are blocking Tor:
Google, startpage, Amazon, sears,

I tried to click "use new identity" but nothing changed, even cleaning cookies.

Just curious, why would you use Tor for a site like Sears(.com)?

Unless you're only interested in browsing it anonymously-- since any purchase would necessarily reveal your actual i.d.

Actually, I guess there could be cases where one could reveal their i.d. but not their actual location.

Anyone tried this latest TBB on any of the OSX Mountain Lion developer previews ? if yes, can you give feedback here please

I'm sorry if this is completely irrelevant to what you were talking about, but you seem to know a lot about "Tor" and "Vidalia".
My question is: How do you download adobe flash player for the Tor browser? I've tried doing it, and well it says that it downloads and everything, but a new tab randomly opens in GOOGLE CHROME, saying "Thank you for downloading Adobe Flash Player...". So I guess it downloads for Google Chrome, and not for Tor. And so then I try to use adobe flash player on Tor to see a video for example, and it still doesn't let me, because it wasn't downloaded for Tor. It was downloaded for google chrome or something. Do you think you can help me with this?

You can't use Flash Player in Tor without running the risk of exposing your IP address

just an average joe answering here :) from my experience, i have flash installed, but tor is not officially recognizing it, so if you also have flash installed, just ignore the browsers warning messages. just keep trying :) of course here i could already imagine all the webmasters and whoever already lol'd, but i saw some youtube vids after messing around with noscript and something else. after all i came to a conclusion that watching vids is not a life&death situation, so it could be cut off easily.
and that life&death shit (i mean like the journalism from hell etc&whatever) i lately discovered (again) the wonderful world of gifs.

Thanks for the hard work!

I've got the same problem with 'error at line 1' message shown. Can't even save torrc file.

arma can you please go to this post:
https://blog.torproject.org/blog/new-tor-browser-bundles-windows#commen…
- look at your comment from June03:

Arma:
"https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:… is the patch that does what you suggest. It's already applied. I just asked several users to test, and it works for them.

What Windows are you using? Which TBB version is it? Can you go to about:config in your normal (system) Firefox profile and search for 'torbrowser' and let us know if there's anything there (and if so, speculate about why it's there)?"

I responded to your comment but you haven't responded back can you please do so? I still have this bug with new version

I find that TBB often crashes when I close the browser (about 50% of the time), pointing to an error in qtcore4.dll. This had happened with previous versions too. Is there any way to fix this? I'm using XP SP 3. Great software otherwise - thanks for your hard work!

Recently I uninstalled Avast Antivirus, Comodo Firewall and Windows Defender (all free versions). I then installed Microsoft Security Essentials and switched on the Windows XP Firewall. After doing this, I no longer get the error when closing down the browser in TBB.

after the latest release, like someone here already mentioned - startpage.com refuses to cooperate and suggests to get a new identity. it seems quite reasonable from them to ask it, because lately my attention was caught by that ip number which is displayed on the home or "start" page which informs about your tor status etc. it's like almost (or even more than) half the browser bundle starts will give you an ip of 31.172.30.X. this is too weird i think.

hi i also has that kind of ip tons of time with previous release of TBB.

i have this bug too.
it happens 90% of the times .
I tried using the Tor of the torproject repositories and also TBB.
the problem persists

31.172.30.2 is chaoscomputerclub, a DE (Germany) exit node. It could be because it is a "fast" router. Or maybe they are hackers or something.

I just downloaded the new browser bundle for linux 32bit, using ubuntu 12.04. Vidalia starts just fine and connects to the tor network, but firefox doesn't start. The connection is just fine, so it seems a bit weird (and very annoying since I can't start it manually). Does anyone else have this problem?

Vidalia connects, 'but firefox doesn't start'

yes, i do rarely get this, like just now for this session, but not with linux - i'm using OSX.6.8 SnowLeopard (64-bit), with Vidalia 0.2.17, Tor 0.2.2.35(git), Torbutton 1.4.6, and Qt4.8.1 ... Vidalia runs thru her startup and tells me i'm connected to the network, but Tor's nowhere around - tonite the TBB wouldn't open tho MsgLog said the network was 'running', but i didn't get the 'connected' confirmation ... thru Vidalia i did a StopTor, then had Vidalia Exit, and restarted the TBB from the Applications folder (usually i have Vidalia start everything from the Dock but she was having problems, and TBB had fallen off the Dock twice) ... after restarting, everything worked as expected, even with the 'connected' confirm in MsgLog/Basic - tho TorBrowser does NOT open to the check page (i go there manually each time) - maybe i should share my version with some of the folks who don't want to see the check page? ;)

2) i think an Option switch or checkbox might be a good way for those who don't want to go to 'check' page - i prefer TO go, and i return to that page after changing ID to confirm that it has been changed (and occasionally check out what country i'm in - when adverts are in German, that answers THAT question)

3) i've dwnldd 37-1 but haven't installed yet after reading about the strange hassles folks are having with it

4) right up there in Vidalia's MessageLog, the very first line we see EVERY time reminds that this is 'experimental software' ... hard for me to believe, but some folks posting here write disparagingly of the software AND the devs, apparently forgetting that users are participating in an experiment that costs them nothing (save the occasional bouts of frustration, and i've surely had them, too! :) ... if we don't have the patience, if we don't want to help get the TBB to its full (and awesome) Potential, maybe we should just return to a naked FireFox and cease the badmouthing?

5) i was shocked to see that NoScript's 'Allow scripts globally' (wch i'd been using ~1yr before learning about Tor) was CHECKED by Tor, and i immediately UNchecked that box the first time i saw it ... after becoming more familiar and comfortable with the TBB, i decided to try it checked to see the difference ... that didn't last long, and i'm now excluding scripts, and will continue to do so - yes, there's stuff i don't get to see, but i glommed onto Tor for security/privacy/anonymity, not 'fun' ... Tor's taught me a lot about max safe browsing, and i've been using my own computers since the early '90s ... we each set our own priorities

6) re: torrc - it says right at the top that any changes made WON'T be Saved, so shouldn't be a surprise!

you TorProject folks are wonderful, thankyou SO very much for your efforts, yr global altruism, and for putting up with even the impatient ones among us! ;-)

right up there in Vidalia's MessageLog, the very first line we see EVERY time reminds that this is 'experimental software'

And yet... how many people, realistically, ever open the message log and see that warning?

Shouldn't it be placed in more conspicuous places, such as on the download page itself? I have searched said page
( find no mention of the software itself being "experimental"

I enclosed the first paragraph above with the html tags:

but it appears they were totally ignored.

Yet, the html tags got swallowed-up!

Go figure.