New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Open these into their own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

"Have AVG Internet Security 2012 and keep getting pop-up warnings that it cannot read encrypted e-mail traffic." My guess is your Tor client is connecting to a Tor relay on some port that your AVG thinks could only possibly be used for encrypted email traffic. And since your AVG wants to spy on you, it kindly lets you know that it's having problems spying on you.

Downloaded the Tor update again and re-installed, this time entering my bookmarks manually instead of copying old ones from an exported html file. This fixed the AVG problem, but the program is still crashing, and it is retaining history and the icons of visited sites, even though the 'never keep history' option is enabled. I don't use a relay but might try this to see if that fixes anything.

Same problem here with ALL the latest releases, currently using ver. 17.0.5 from tor-browser-2.3.25-6_en-US.exe :

REGULAR CRASHES, always with xul.dll as the Fault Module Name.

Using Windows 7 as well, issues only began with update to a newer release of the tor browser bundle earlier this year. No other problems with my system or programs whatsoever, ram tests and hdd tests both without any errors. Tried reinstall, newer versions, all to no avail.

Tor may crash at any time, no matter if it has been running for hours or for just a few minutes, anywhere, no matter what site I'm on, but always during activity, often right after a right click, never when idling.

Very disapppointing that tor has become completely unstable all of a sudden over the course of several releases, although more people seem to have the same problem. I'm having some privacy issues as well, e.g. download locations are saved, although it's changed in the settings, tor made typing suggestions from previous visits although it had been closed in the meantime, and so on. Please fix!

Anonymous

February 26, 2013

Permalink

Usally Im using to get a verfication page. "You are now connected to TOR" or something similar in green text.

But with this boundle (2.3.25-4) I am just getting a blank page. And Im getting it immediately. It doesnt even semm to try to connect. But if I try to visit this or other pages, it connects. I'm not sure if TOR works or not.

If I Start the old boundle, it works as before. So the page is online.

Is this a bug, or is something changed that I have missed?

Anonymous

February 27, 2013

Permalink

Is there any way to have TBB on XP show the browser either maximised on startup, or remember the window state between sessions (position, size, whether maximised etc.)?

In previous versions I achieved this by setting extensions.torbbutton.resize_new_windows in about:config to "false", but this method does not work with this latest version.

Anonymous

February 27, 2013

Permalink

I am confused about how cookies are handled in this version of TBB.

Unlike in previous versions, I see no way to view any stored cookies in this version.

But it must be accepting cookies, since I am able to post here and at other sites with a Captcha.

Surely, there must be a way to see cookies and delete them individually, selectively?

Try this:
Preferences ➡ Privacy ➡ History heading: Torbrowser will 'Remember history' ➡ 'remove individual cookies' link

Remember to set it back to the default when done.

Next time, try the support site [1]; there's a section specifically on cookies [2]. If the information isn't there, ask the community [3], and maybe even contribute with whatever wasn't there [4]. Lastly, tell Mozilla that Firefox's cookie settings are buried in some obscure place so that they can fix it [5].

Also, before you ask, STFW.

footnotes
[1] https://support.mozilla.org/
[2] https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-website…
[3] https://support.mozilla.org/en-US/kb/get-community-support
[4] https://support.mozilla.org/en-US/kb/superheroes-wanted
[5] https://input.mozilla.org/en-US/feedback/

Anonymous

February 28, 2013

Permalink

i have also APPCRASH with windows 7 when i have open 8-9 tabs and then push the exit button on vidalia.

Anonymous

February 28, 2013

Permalink

You ignore, that a PowerPC-User like I am, has no chance to work with Tor, Vidalia, Tails etc.

Bye, bye Tor.
Hello JonDo!

Anonymous

March 01, 2013

Permalink

May I ask:

Why the hell do bugs like the update bug so many people are complaining about get past Tor testers? That is, why didn't a single of your core Tor people test this and realize it's all eff'ed up?

This is an honest question, I've been using Tor for many years, and every now and then, you guys/gals really drop the ball, you end up looking silly, and then have to cancel updates, re-issue updates, and re-re-re-issue updates. ARRG!

Imagine how this makes you look to people who don't understand that these things happen to the best of projects, i.e., your largest user base (those generally ignorant of advanced computer use).

Please answer. Do you need to improve your pre-release testing?! (hind: yes, you do!)

Anonymous

March 01, 2013

Permalink

1) Windows Bundle: The browser crashes in an uncontrolled manner whenever an image is dragged from a windows app such as a password manager to an online web form textbox.

To reproduce the problem open
http://forums.informaction.com/ucp.php?mode=login
Open your password manger and drag anything to the 'username' box on the web form. Observe that both Vidalia and Firefox close down in an uncontrolled manner without reporting.

Disabling the Tor Button 1.5 extension prevents the problem from happening.

2) The Windows Bundle is being shipped for new installs with NoScript set to 'Allow Scripts Globally (dangerous)'. It should be shipped with NoScript set to 'Forbid Scripts Globally (advised)'. A user unfamiliar with NoScript would be at risk with the present install arrangement.

Anonymous

March 01, 2013

Permalink

hi i downloaded the latest bundle, it connects to network, onion goes green, then after the pause at this stage after which firefox usually opens and you see a confirmation page it crashes, the whole thing shuts down and disappears ?

Is this a problem with the network ? my windows 7 os ? or this new bundle ?

Anonymous

March 01, 2013

Permalink

Tor Browser Bundle (2.3.25-4) keeps throwing a error about DNS not responding. I reverted to tor-browser-2.3.25-2_en-US and viola Tor works.

Using Win 7 64 bit on i7 box w/16GB Ram

Anonymous

March 02, 2013

Permalink

Is there a way to add more than one bridge at a time using the vidalia control panel ?
as I now have a long list of bridges that are becoming a pain to add one at a time every time that there is an update

Anonymous

March 02, 2013

Permalink

On my Windows 7 64-bit Tor browser crashes after
several minutes when I visit a website.
But not every website causes Tor browser to crash.
For instance Tor browser works fine when I visit
"torproject.org".

Crash message:
Problem Event Name: APPCRASH
Application Name: tbb-firefox.exe
Application Version: 17.0.3.4799
Application Timestamp: 51247233
Fault Module Name: xul.dll
Fault Module Version: 17.0.3.4799
Fault Module Timestamp: 51247176
Exception Code: c0000005
Exception Offset: 0018c70c
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1043
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Anonymous

March 03, 2013

Permalink

This new version crash more frequently than the previous one, that very rarely crashed.

Anonymous

March 03, 2013

Permalink

I can't open the OSX bundles on Mountain Lion. An alert shows up saying ""TorBrowser_en-US.app" is damaged and can't be opened. You should move it to the Trash.".

This is a codesigning issue that has persisted for many releases. PLEASE FIX IT. Here are the files that are incorrectly signed:

$ codesign -vv TorBrowser_en-US.app
TorBrowser_en-US.app: a sealed resource is missing or invalid
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Data/Tor/geoip
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/Tor/LICENSE
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/Vidalia/LICENSE
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/changelog
resource missing: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/Vidalia/LICENSE-OPENSSL

It is very likely that whatever make script you use CHANGED or ADDED these files AFTER codesigning has taken place. I have successfully transplanted these files from the PREVIOUS build, which then fixes the codesigning issues.

PLEASE fix this!

Anonymous

March 03, 2013

Permalink

It crashes because Firefox checks if there's already an instance running, which it shouldn't because it's suppose to be encapsulated.

Anonymous

March 04, 2013

Permalink

Intermittently unable to connect to MANY sites.

Get generic "unable to establish connection to the server at {domain}" message from Firefox.

Most recently:
03/04/13 0:11 UTC
check.torproject.org shows IP:
176.99.7.69

Only other site I was able to reach (of the ones I tried) was startpage.com

Has happened several times before while running TBB as well as Tails. Clicking "New Identity" in TorButton would also solve the problem but this time I just waited it out. As soon as I was again able to access http://cmyip.com/ , it showed 87.236.194.158, which was corroborated by check.torproject.org.

Anonymous

March 05, 2013

Permalink

when i go to https://www.torproject.org/download
i see this
Invalid Server Certificate
You attempted to reach www.torproject.org, but the server presented an invalid certificate.
You cannot proceed because the website operator has requested heightened security for this domain.
Back to safety

Anonymous

March 05, 2013

Permalink

Have used previous versions of Tor without problems but latest version opens for a few seconds and then crashes. Have removed previous versions and done two clean installs. Same problem both times. If it helps I managed to copy the messages from the advanced tab. Any suggestions would be gratefully received.

Mar 05 12:03:09.774 [Notice] Tor v0.2.3.25 (git-17c24b3118224d65) running on Windows 7.
Mar 05 12:03:09.774 [Notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 05 12:03:09.774 [Notice] Read configuration file "Y:\Tor Browser\Data\Tor\torrc".
Mar 05 12:03:09.882 [Notice] Initialized libevent version 2.0.21-stable using method win32. Good.
Mar 05 12:03:09.882 [Notice] Opening Socks listener on 127.0.0.1:9150
Mar 05 12:03:09.882 [Notice] Opening Control listener on 127.0.0.1:9151
Mar 05 12:03:10.102 [Notice] Parsing GEOIP file .\Data\Tor\geoip.
Mar 05 12:03:12.067 [Notice] No AES engine found; using AES_* functions.
Mar 05 12:03:12.067 [Notice] This OpenSSL has a good implementation of counter mode; using it.
Mar 05 12:03:12.067 [Notice] OpenSSL OpenSSL 1.0.0k 5 Feb 2013 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Mar 05 12:03:12.067 [Notice] Reloaded microdescriptor cache. Found 2777 descriptors.
Mar 05 12:03:12.067 [Notice] We now have enough directory information to build circuits.
Mar 05 12:03:12.067 [Notice] Bootstrapped 80%: Connecting to the Tor network.
Mar 05 12:03:12.067 [Notice] New control connection opened.
Mar 05 12:03:12.956 [Notice] Heartbeat: Tor's uptime is 0:00 hours, with 7 circuits open. I've sent 0 kB and received 0 kB.
Mar 05 12:03:13.181 [Notice] Bootstrapped 85%: Finishing handshake with first hop.
Mar 05 12:03:13.970 [Notice] Bootstrapped 90%: Establishing a Tor circuit.
Mar 05 12:03:15.500 [Notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 05 12:03:15.500 [Notice] Bootstrapped 100%: Done.

Anonymous

March 05, 2013

Permalink

Download button doesn't work in PDF.js ?

Nothing happens if I click it (JavaScript off or on, doesn't matter)

i dont know how wise it would be to have pdf.js enabled
you might want to research that a bit before even enabling it
also, any deviation from other tbb users can be used to identify you

Anonymous

March 05, 2013

Permalink

I used to be able to load the tor browser bundle, then separately load pidgin set up with tor as a proxy. But in this browser bundle version, pidgin fails to connect "connection refused".

What changed? How to fix?

Anonymous

March 09, 2013

Permalink

will not upgrade untill there is a fix , the new ver will not let me "save passwords for sites" why the hell not? i have very long and complex passes and i have no idea what they are, TTB saves them and it knows, any new version will leave me high and dry. pointless fail upgrade?

Anonymous

March 10, 2013

Permalink

17.0.4 ESR has just been released. Any estimates for roll-out date of TBB w/ 17.0.4?

Anonymous

March 13, 2013

Permalink

Good day. I can't seem to use Google search services. Google thinks im a bot and always shows captcha every time i search. It's captcha after captcha.

How do i work around this? Is there something i need to do or not do so that this will not happen?

Here's what google says:
This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.

This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests. If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible. Learn more

Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very quickly.

I disagree. Google (according to the Tor brothers) is not meaning to be killing tor traffic. So you should (according to the myth) be able to use it with TorBrowser without any undue problem (filling in a CAPTCHA every 10 minutes is not a big problem). HOWEVER, even this myth is not the case anymore, as Google doesn't even provide a CAPTCHA most of the time the tor node changes--instead it more often than not produces one of two "Google Screens of Death" without even the option of a CAPTCHA. This has been getting increasingly worse and means you have to scramble around with new identities, cleansing cookies, etc. Not good.

Intentional or not (and how can it, with all its coding armies, not be intentional) Google is effectively blocking most tor traffic after each automatic tor node change (i.e after every 10 mins or so).

Tor brothers ought to have a quiet word with Google BROTHER before this BROTHER (aka el fascisto Schmidt) quietly marginalizes all non-revenue-generating anonymous traffic for good.

Anonymous users still need to use Google over other search engines, some of the time, for the very simple reason that Google has monopolized all of our (the world's) data which other search engines just don't have access to. That's our data Google has locked up in its servers, and we still need access to it. Startpage and DDG are great (and need our support) but only up to a (very limited) point, which neither they or us can do anything about, and only Herr Schmidt can.

Anonymous

March 18, 2013

Permalink

I downloaded the latest TBB ( 2.3.25-5) yesterday after I saw the blinking yellow icon.

I scanned it with my various anti-virus software (Sophos, etc) and nothing came up.

To be extra safe, I then scanned it on VirusTotal and McAfee-GW-Edition provided this alert:

Heuristic.LooksLike.Win32.Suspicious.J!89

I am now unsure what to do next...

Anonymous

March 19, 2013

Permalink

After downloading the latest TBB, I noticed I can no longer leave comments on blog sites. Why is that?

Anonymous

April 06, 2013

Permalink

I can't get the latest tor bundle working with windows xp sp3 on my laptop. it won't authenticate. ISP is not blocking the connection, it just refuses to connect and run the browser. Using 2.3.25-5.

Anonymous

April 17, 2013

Permalink

What happen to For button allot of security options have been removed seems less secure. Is Google behind this?

Anonymous

May 17, 2013

Permalink

I can't get the latest version to open the firefox browser. I didn't overwrite anything, and the previous version continues to work. Go figure.

Anonymous

July 10, 2013

Permalink

Maybe these problems started when TOR developers started sleeping with Google?
I'm done with this tripe.
What a freaking joke.