New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite them with the new bundle. Extract the new bundle into its own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

When you notice that some creepy man is trying to follow you, and you have all the means to escape him with ease, would you love to first tell him that you do not want to be tracked, or would you prefer to just disappear in a puff?

Anon

February 22, 2013


Hey I'm having this exact same problem, help please.

On February 22nd, 2013 Anonymous said:
I have been using TOR for a while now with no issues. However, today after I ran the previous version it notified me to download the latest version because of a security issues. So I downloaded and installed
Version 2.3.25-4 for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.
I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches and after about 12 seconds Vidalia control panel just closes.
I tried reinstalling it and the same thing keeps happening. Any ideas?

Anon

February 23, 2013


I have been using TOR for a while now with no issues. However, today after I ran the previous version it notified me to download the latest version because of a security issues. So I downloaded and installed
Version 2.3.25-4 for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches and after about 12 seconds Vidalia control panel just closes.

I tried reinstalling it and the same thing keeps happening. Any ideas?

Having the exact same problem. I installed over the old version like I always do.

I got the same virus notice from bitdefender that was mentioned previously. I guess I can't use tor until they update us. Shitty.

Yeah. I don't know how you Windows people survive, with all the false positives from your virus scanners (and worse, all the false negatives!)

https://www.torproject.org/docs/faq#VirusFalsePositives

No problem here with Avast 7

Only serious firms hold to the "Do not track" rules. But many firms make tracking equal, default or not.

Where to download the alpha version ? I can't find it on the download link that is provided above.

Look for the ALPHA section on
https://www.torproject.org/projects/torbrowser.html.en

Sorry it's so hidden. That said, we could use some more testing on the stable version. :)

bitdefender flags the new tor..

it says virus....

Is it a false positive? Too afraid to run it :S

/Tor Bundle/tor-browser_en-US/Data/profile/preferences/extension-overrides.js

  # NoScript Preferences:
  pref("capability.policy.maonoscript.javascript.enabled", "allAccess");

Shouldn't that be "noaccess" or something?

  // Now handled by plugins.click_to_play
  pref("noscript.forbidFlash", false);
  pref("noscript.forbidSilverlight", false);
  pref("noscript.forbidJava", false);
  pref("noscript.forbidPlugins", false);

Shouldn't those options be "true" instead of "false"?

I suspect that this is what is causing some warnings to keep appearing
/Tor Bundle/tor-browser_en-US/Data/profile/compatibility.ini

LastVersion=17.0.3_20130220040246/20130220040246

You can also find some more preferences in:
/Tor Bundle/tor-browser_en-US/Data/profile/prefs.js

For the antivirus warnings it may be coming from here:
/Tor Bundle/tor-browser_en-US/Data/profile/safebrowsing/

Which is populated by a lot of test files.
I suspect they are the same as EICAR
https://en.wikipedia.org/wiki/EICAR_test_file
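To read pref() lines like the ones quoted in the comment above, here is an added example (mine, not code from the page, from Tor or from NoScript): a small Python checker that parses Firefox pref lines and summarises the CAPS JavaScript policy they produce. The sample input is constructed; the `capability.policy.default.*` and `capability.policy.policynames` lines, and the assumption that NoScript pairs its `maonoscript` allow policy with a deny-by-default policy, are my assumptions and are not quoted on the page. The check makes the point visible: whether "allAccess" on a named policy is a problem depends on the default policy it sits beside.

```python
import re

# Constructed sample modelled on the pref() lines quoted in the comment above.
# The "policynames" and "default" lines are an ASSUMPTION about how NoScript
# pairs its allow-list policy with a deny-by-default policy; they are not on the page.
SAMPLE_PREFS = '''
# NoScript Preferences:
pref("capability.policy.policynames", "maonoscript");
pref("capability.policy.default.javascript.enabled", "noAccess");
pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
pref("capability.policy.maonoscript.sites", "about:blank addons.mozilla.org");
// Now handled by plugins.click_to_play
pref("noscript.forbidFlash", false);
pref("noscript.forbidSilverlight", false);
pref("noscript.forbidJava", false);
pref("noscript.forbidPlugins", false);
pref("plugins.click_to_play", true);
'''

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

PLUGIN_FORBIDS = ("noscript.forbidFlash", "noscript.forbidSilverlight",
                  "noscript.forbidJava", "noscript.forbidPlugins")


def parse_prefs(text):
    """Return {name: value} for every pref line; '#' and '//' comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # blank line or comment
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw) if raw.lstrip("-").isdigit() else raw
        prefs[name] = value
    return prefs


def script_policy(prefs):
    """Summarise the CAPS policy: the default for all sites, plus each named override.

    A missing default is treated as allAccess (assumption: absent CAPS prefs do not deny)."""
    default = prefs.get("capability.policy.default.javascript.enabled", "allAccess")
    overrides = {}
    for name in prefs.get("capability.policy.policynames", "").split():
        overrides[name] = {
            "javascript": prefs.get(f"capability.policy.{name}.javascript.enabled", default),
            "sites": prefs.get(f"capability.policy.{name}.sites", "").split(),
        }
    return {"default": default, "overrides": overrides}


def plugins_gated(prefs):
    """True only when NoScript's plugin blocks are off AND Firefox click-to-play is on."""
    noscript_off = all(prefs.get(k) is False for k in PLUGIN_FORBIDS)
    return noscript_off and prefs.get("plugins.click_to_play") is True
```

Run `script_policy(parse_prefs(SAMPLE_PREFS))` to see that the named policy only widens access for the listed sites while the default stays noAccess; drop the default line from the sample and the same "allAccess" entry becomes global.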

My system spec: Linux Ubuntu 12.04 (updated to date) 64bit
Connecting from Iran

Preface
In Iran the security of the communication is a matter of life and prison.

Issue 1:
Since I've updated my obfsproxy bundle to
tor-flashproxy-pyobfsproxy-browser-gnu-linux-x86_64-2.4.7-alpha-1-dev-en-US.tar.gz
in the first run, it works normal.
In the 2nd run and afterwards, when vidalia starts, it says that there is a new update available.
When I go to the OBFS download page, the version is still the same that I'm already using.

When I exit Tor, and delete the extracted folder, and I re-extract the above zipped file, the cycle begins: the 1st run is ok and the next runs ask me to update.

Issue 2:
The firefox version for new download is still Firefox ESR 10.0.12

Issue 3:
When I'm running the OBFS version, the default update message leads to the standard Tor Bundle page, where it's logical that by clicking on the link the user is directed to the OBFS download page.

Issue 4:
The default Tor page needs to be smarter, and there should be a safe and reasonable method for the page to understand which OS (Linux, Win, Mac, ...) and which architecture (32 bit, 64 bit) the user is using. Then the page can redirect the user to the relevant download page and not to the current default Windows download page.

As for your issue 4, you might be interested to learn that the download page *is* smart, but the Tor Browser Bundle is even smarter. The download page checks your OS, but TBB lies to it and pretends to be Windows, and so the download page presents you with the Windows version.

Suggestions appreciated, but on the whole I'd rather have TBB be smarter than our webpage. :)

Are the OBFSPROXY versions included in this new release?

The OBFSPROXY page with releases should include more details upon new release, date of release, version, more...

it doesn't work now. great. thank for the update. now i can't use TOR. EPIC FAIL.

Re: Erinn's signature

There's a discrepancy regarding the signature creation date. On this page ...

https://www.torproject.org/docs/verifying-signatures.html.en

... it says the date should be:
Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659

But the gpg verification actually displays this date:
Fri 22 Feb 2013 07:09:54 AM CET using RSA key ID 63FEE659

31 Aug 2011 was the date when we ran that command to produce the example.

The only way your gpg verification would display 31 Aug 2011 is if you ran your command on 31 Aug 2011 too.

Huge problem with the latest Tor Browser Bundle and DownThemAll, it keeps on clearing the DTA downloads list when I exit, when I sometimes want to keep on downloading things the next time I open the browser.

Don't use DTA with TBB, it won't work. DTA is not safe, that is, it hasn't been proved safe by Tor people (or others Tor people trust); much better is wget through Privoxy or curl for single files.

Using atypical Firefox add-ons, relative to the whole Tor community using TBB, can make you stand-out from the crowd, especially considering those who use DTA tend to download files most people abhor (from what I gather reading tor-talk and elsewhere).

To update my previous post, I have figured out the DTA problem. There is absolutely no reason why you should automatically enable private browsing, if DTA automatically tells the browser to save nothing or has the 'best settings' in Options - Privacy.

It just causes many more problems than it solves.

"There is absolutely no reason why you should automatically enable private browsing . . ."

Please provide your reasoning for such a bold claim; please include references to your source material.

The site http://ip-check.info reports that with the new version of Tor Browser Bundle (2.3.25-4): "Are you using Tor, but your browser profile is different from that recommended."

Sounds like a bug with that site's expectations, not with TBB.

Apparently obfs-bundles are not part of "all of the bundles" as they didn't get update :/

As a long-time user of the TBB I have found the latest version (2.3.25-4) for Windows to be very concerning, and I am considering regressing to the previous version (2.3.25-2).[Didn't see/get (2.3.25-3) for some reason?]

Now I understand the rationale for wanting sites to look good, however I see the changed @font-face attributes as a security threat as such external fonts can/are being used for tracking purposes.

What is more inexplicable is that the contents of my cache were exposed in this new version and I had to go into about:config to turn it off!

I went to ip-check.info to see if I was anonymous; these are the values I received:
cache (E-Tags): BAD
signature: MEDIUM
fonts: BAD (strange characters seen)

I have since disabled the cache and @font-face settings in about:config however, I think that you may have over-simplified the torbutton add-on.

Now that I have complained, I thank you for your efforts; nice job with plugin containment. I hope you see this as genuine concern and not just the usual fear of change.

P.S. Any ideas as to why my header signature is seen as atypical?

Hm. I think you might have better luck opening a ticket on trac. Mike probably will never see this comment.

changing settings may make you stand out even more, no?

aha, this person is 1 out of 1000 that have fonts disabled

Boston, we have a problem...

Err, make that:

WALPOLE, we have a problem...

nice
thanks !

I live in Iran. So far, I haven't had any problems with the obfsflashproxy Bundle Alpha-1.
When I saw the new Bundle 2.3.25-4 I downloaded it and deleted all other Tor (obfs, etc.).
I used it (2.3.25-4) for a couple of days and now suddenly it won't reboot and hangs at 10% bootstrapped!!!!
I deleted everything (both 2.3.25-4 and obfsflashproxy) and cleaned the registry and only send 2.3.25-4 to the computer, but unfortunately it only bootstrapped 10% and stopped.
I am sending this message through obfsflashproxy.
PLEASE PLEASE inform us what is wrong and give us simple ( REPEAT : SIMPLE ) instructions as how to fix the problem.
AS ALWAYS
THANKS A MILLION.

If you're in Iran, and the normal Tor Browser Bundle doesn't bootstrap, and the obfsflashproxy bundle does bootstrap, I suggest you stick with the one that works.

(I know Iran has been experimenting with all sorts of ways to make your network less fun to use, so I am not surprised.)

Hopefully its just me, but when I downloaded the new Bundle and checked the certificates I saw that 3 by TurkTrust were still listed...this is a problem, yes?

using the windows bundle for win-xp
keep getting the
"There is a security update available for the Tor Browser Bundle."
update message when i start up tor browser.
also the tor button in the browser (onion icon with a cross through it) indicates that Tor is Disabled.

please can you fix this?

I want to know when you guys are going to fix this thing. Now I can even access the tor sites. It keeps saying:
"Check the proxy settings to make sure that they are correct."
"Contact your network administrator to make sure the proxy server is
working."

And also it keeps saying there is an update.

what is going on here?

On 32-bit Win XP, I deleted the existing subdirectories in the Tor Browser directory and unpacked 2.3.25-4. At first it looked okay but then I noticed that TB's "Cookie Protections" showed the usual cookies the first time but then showed no cookies at all, when I have a site open that I know sets cookies. Also all the dialogs for cookies in the Privacy menu are not there any more. It feels like other menu items are missing too but I can't say exactly what. About half the time it wants to come up in Safe Mode but there's no indication why. In general the UI is very laggy compared to 10.X.

So I tried 2.3.25-4 on Linux x64 and I see the same thing.

Something is seriously not right. I'm dropping back to 2.3.52-2 for a while longer...

Yep, cookie management is not working. New TBB is much slower. Had several crashes already. Oh, since when default font is "serif"??

since you have removed the Torbutton option:
am I right in thinking that I need to set "extensions.torbutton.no_updates" in "about:config" to "true" to stop Torbutton from searching for and installing updates?

I believe Mike (thinks he) made it so Torbutton never updates itself ever again. The idea is that updates would come in new TBB's.

If this is different from what he actually did, please open a ticket on trac.

running Win7 and just downloaded Firefox ESR 17.0.3 (Tor browser). The program keeps crashing after several minutes (crash message below). Also, icons of visited sites stored in bookmarks are retained, even after browser is closed and re-opened. Have AVG Internet Security 2012 and keep getting pop-up warnings that it cannot read encrypted e-mail traffic. Have never seen either of those things before.

Crash message:
Problem Event Name: APPCRASH
Application Name: tbb-firefox.exe
Application Version: 17.0.3.4799
Application Timestamp: 51247233
Fault Module Name: xul.dll
Fault Module Version: 17.0.3.4799
Fault Module Timestamp: 51247176
Exception Code: c0000005
Exception Offset: 00199a1c
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789