New Tor Browser Bundles with Firefox 17.0.6esr

by erinn | May 14, 2013

There is a new Firefox 17.0.6esr out and all of the Tor Browser Bundles (stable and alpha branches) have been updated. The new stable TBBs have a lot of new and updated Firefox patches, so those of you who were experiencing crashes should no longer be seeing that behavior. Please let us know if you do by opening a ticket with details.

The stable Tor Browser Bundles are available at their normal location.

The alpha Tor Browser Bundles are available here.

Tor Browser Bundle (2.3.25-8)

  • Update Firefox to 17.0.6esr
  • Update HTTPS Everywhere to 3.2
  • Update Torbutton to 1.5.2
  • Update libpng to 1.5.15
  • Update NoScript to 2.6.6.1
  • Firefox patch changes:
    • Apply font limits to @font-face local() fonts and disable fallback
      rendering for @font-face. (closes: #8455)
    • Use Optimistic Data SOCKS handshake (improves page load performance).
      (closes: #3875)
    • Honor the Windows theme for inverse text colors (without leaking those
      colors to content). (closes: #7920)
    • Increase pipeline randomization and try harder to batch pipelined
      requests together. (closes: #8470)
    • Fix an image cache isolation domain key misusage. May fix several image
      cache related crash bugs with New Identity, exit, and certain websites.
      (closes: #8628)
  • Torbutton changes:
    • Allow session restore if the user allows disk actvity (closes: #8457)
    • Remove the Display Settings panel and associated locales (closes: #8301)
    • Fix "Transparent Torification" option. (closes: #6566)
    • Fix a hang on New Identity. (closes: #8642)
  • Build changes:
    • Fetch our source deps from an https mirror (closes: #8286)
    • Create watch scripts for syncing mirror sources and monitoring mirror
      integrity (closes: #8338)

    Tor Browser Bundle (2.4.12-alpha-2)

    • Update Firefox to 17.0.6esr
    • Update NoScript to 2.6.6.1
Tags
tor browser bundle
firefox updates
tbb
Anon

Anonymous (not verified) said:

May 14, 2013

Permalink

This release has again been built with a rather 'modern' version of GTK ... too modern for me! Shame, really. I haven't been able to use any of the TBBs since 2.3.25-2 came out. Are there any plans to do something about this?

> Why don't you open a ticket?

I will. But first I have to figure out how to do this :-) It's probably best to suggest that future browser bundles will be built with the same GTK version that Mozilla use for their ESR releases.

I just noticed that it is impossible to open a ticket without registering first. Since I don't want to do that ... can someone who has already registered please open a ticket regarding the GTK version? Thanks!

Anon

Anonymous (not verified) said:

May 14, 2013

Permalink

Thank you! downloading :D

Fixed in Firefox ESR 17.0.6

MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Anon

Anonymous (not verified) said:

May 14, 2013

Permalink

Thanks to all of you for your hard work and dedication. You make the world a better place

Anon

Anonymous (not verified) said:

May 14, 2013

Permalink

What about the slow UI performance of Tor Browser Bundles on Linux 32-bit systems? People will be using older versions of TBB (those built on Firefox 10) until they are fixed.

Please open a ticket with details.

There are multiple tickets that have been filed regarding this issue many months ago, to no avail.

See: https://trac.torproject.org/projects/tor/ticket/8352 and https://trac.torproject.org/projects/tor/ticket/8401

Isn't it dangerous to use a deprecated version of TBB?

Hi. What are the pros and cons of HTTPS and HTTP .onion sites?

Onion sites are already encrypted from your Tor process to their Tor process, and some have said that the additional HTTPS encryption is unnecessary. However, I think it can help in some cases. If their services are on a network behind a Tor gateway, I'd be concerned that they could have an eavesdropper. Also, if you already know their certificate, that's another layer of verification in addition to their .onion.

no chinese language now?

When updating to this new bundle (I am a Mac user) do I need to delete and replace my previous version of TorBrowser_en.US in the Applications folder? When launching from that location even after updating, I am still being notified of an available update from the home page and the 'About' screen is showing Firefox ESR 17.0.5 ("up to date" when I run update check).

I too am getting this as a Windows user

I unzipped the TBB zip file, and then dragged the TorBrowser.app into my Applications. Was prompted to overwrite, which I did, and then I launched from Applications as usual - I'm now running Firefox 17.0.6 and the update notification is gone.

Basically, if you have a TBB in Applications, then yes overwrite it with the new one. I suppose you can also execute the new one outside of Applications, but keeping a new release outside Applications and an old release inside Applications sounds like a recipe for confusion!

yes, you might want to export any bookmarks you have first though: menu Bookmarks -->Show All Bookmarks. then click the star icon drop down on top of the "library" window that opens. Select Backup. Save the .json.

Then drag your Tor Browser Bundle to the trash. Replace with new one you d/led. Then restore the .JSON file the same way.

My IP doesn't seem to change much (if at all), when I click on "Use a New Identity" and then go to the torcheck page.

I'm using the latest TorBrowserBundle in Windows 7 64bit.

The TorButton has never worked for me in the past (left and right clicks did nothing), and I always deleted the entire Tor Browser folder before installing the new one. But now with the latest version, the TorButton is functional - but here's the catch: I'm unable to move it from the Navigation Toolbar! :(

Hi
I have Tried to contact with the new version several times, but it did not work ..!!

Hi
tor does not work anymore in iran from weeks ago..
even all bridges or ....
even changing every tweaks and tricks are no use..
If u have a way u should release a special version for Iran... plz..
tks

how about Iran?

tor has stopped working in Iran from months ago..

all bridges and other tor software no more working..

we tried all tricks and tweaks no use..
if u have any way plz release a special version for Iran so that al can use it easily.. plz.....
we need it ..even psiphon 3 and freegate doesnot work..
by psiphon we can connect to youtube but after two minutes it disconnects..
all socks and vpn and port 443 are no more able to open youtube.. even by adding https to youtube the site can be open but can't play videos..

please help Iranian
tks
mah_deh@yahoo.com

Previous stable TBB version was 2.3.25-6

Why did you skip 7?

Forgive me if I sound like an idiot, but to update to the latest Tor Browser do you just delete the folder titled "Tor Browser" and download this file, then follow the same procedures as before (extracting, etc.)?

Yes, thats what I do

I suggest renaming the outdated "Tor Browser" folder to "Old Tor Browser" or something like that before extracting the new Tor Browser. This way, if there are any unforeseen problems with the new Tor Browser, you can go back to the outdated version without losing bookmarks and extensions.

Hi,
I downloaded the new version but doesn't connect , while the other version works normally

i have a new problem with tor bundle browser, after clicking start tor browser the vidalia control panel starts and within a second it connected with tor network but tor's modified firefox browser did not open. if i mannually starts tbb-firefox it shows unable to connet network,proxy settings changed.even installing new one the behaviour not changed. Can you please answer the reasons?

i have same problem

Are the default values of the Tor Firefox Browser different than what they are for the non-Tor Firefox Browser? For example, according to the MozillaZine website, the default value of "network. http. keep-alive. timeout" is 300 seconds, but the Tor Firefox Browser indicates in "about:config" the default value is 20.

Hey man
HELP IRANIAN USER
THERE IS NO WAY HERE LEFT CONNECTING TOR
even obfs can't connect
even with new bridge
plz show new trick
WHat are u waiting for?

I have been using TOR for a while now with no issues.So I downloaded and installed new one
for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches.
i installed previous one but same problem persists.
I tried reinstalling it and the same thing keeps happening. Any ideas?

How long did you wait?

It takes considerably longer for TBB to start than it does for a regular browser.

Chinese how to download it ?

Thanks!

The only bad thing that happened to me with this release is that the RequestPolicy extension -- https://www.requestpolicy.com -- now makes the browser crash. I don't know if that happens in Firefox 17.0.6esr (neither did I contact the extension's developer yet). Could anyone confirm that?

Thanks again for continued updates! Is it possible to post the MD5 for quick verification rather than using gnu sigs?

SHA256SUMS:
https://people.torproject.org/~erinn/qa/stable/2.3.25-8/sha256sums-2.3…

But without verifying the signature of the TXT file with the hashes, its only as trusted as as the SSL connection.

To verify the file containing the SHA256 sums:

1.) Download the following two files from
https://people.torproject.org/~erinn/qa/stable/2.3.25-8/

- sha256sums-2.3.25-8.txt
- sha256sums-2.3.25-8.txt.asc

2.) Follow the instructions for verifying TBB ( https://www.torproject.org/docs/verifying-signatures.html.en ), replacing the TBB file with the sha256sums file:

gpg --verify sha256sums-2.3.25-8.txt.asc

BTW, why do the Tor Project signature files not end in .gpg as the Debian, Ubuntu and (apparently most others) do?

According to the Tor FAQ, Google search engine is just fine with TorBrowser. The reality is somewhat different. Every 10 mins or so Tor changes nodes to create a new identity and, if you are using Google, it is meant to provide you with a simple CAPTCHA page to go on. However, most of the time it does not and instead produces one of two dreaded "Google Screens of Death" with no CAPTCHA option at all. This has been increasingly the case of late to the point where now most new Google sessions in Tor are effectively being barred. Creating a fresh new identity and deleting all Google's cookies doesn't help much either (and causes other problems in itself).

It seems Google is quietly suppressing Tor/anonymous traffic--which doesn't exactly fit into their revenue model--while maintaining that they are not anti-tor because they (sometimes) provide a simple CAPTCHA. Well, actions speak loudest, and Google is definitely blocking most Tor sessions now.

And before people start recommending Startpage/DDG, they are all well and good but only up to a point. Google has monopolized most of the world's data which these small companies do not have access too. That is our (the world's) data Google is hoarding and we need access to it.

This is an issue you guys really need to take up with Google before they've quietly suppressed most of the anonymous traffic. Yet I see absolutely no discussion of this issue on the blog besides the misleading information mentioned above.

While Startpage "scrapes" from Google, the results often differ from those obtained from Google directly. And it is not uncommon, alas, for the latter to be absolutely necessary.

  1. Yes. Google doesn't play nice with TorBrowser.
  2. Yes. Google makes money from displaying directed ads based on identifying a users search terms and search history, and if Google allows anonymous usage the value of an advertisers dollar decreases.
  3. Yes. Google is hoarding our shared knowledge and thoughts.

Conclusion: Google IS EVIL.

What to do?
Vote with your feet: use Startpage/DuckDuckGo.
In time (I hope) their search results may improve.

I fully agree. However, in the meantime (while access is still needed to a good deal of that Google hoard), the resistance still needs to press Google hard for continued (and much improved) anonymous/Tor access to it, in addition to supporting the alternatives whenever we can.

It would also be a good idea to directly test Tor against Google in a systematic way, and to update the Tor FAQ accordingly (i.e. to establish a successful:unsuccessful Tor sessions ratio to determine how the average success rate is changing over time, and then to use this as ammunition to throw at Google when they inevitably come up with their disingenuous, half-baked counter claim).

DON'T (admit to) BE(ing) EVIL.

I've been trying all day to search on Google and almost every single request (out of dozens) is being blocked with the "Google sorry" screen (no CAPTCHA in sight). The page just says "We're sorry... but your computer or network may be sending automated queries (NOT!!) To protect our users, we can't process your request right now. See Google Help for more information. © 2009 Google - Google Home". Absolutely no CAPTCHA. Same's been true last few days. Looks like Google has definitely clamped down very recently and is locking up all its stolen treasure.

Another important point that people seem to have overlooked is that if people know they can't use Tor with Google then an awful lot of people will not bother using Tor at all. The whole point of Tor is for as many people to adopt it as possible, i.e. this is a significant marketing blow for Tor.

I've noticed Google seems to be very sensitive to pressing the Enter button with tor (it actually asks you to do this with its "instant suggestions"). If you just let it produce searches without pressing enter it often comes up with a captcha, wheras pressing Enter almost always gets the Google Sorry page with no captcha. Pretty weird. It does seem to have got worse recently though. Never used to be this bad.

Have you tried 'https://encrypted.google.com/'? Or does it matter?

How do you torify applications that give you a proxy option to set an IP address and a port now that Polipo has been removed?

I used to put
127.0.0.0 8118

in the applications config

but now I don't know what the heck to put there.

If I open up advanced/network settings, I do not see anything for TBB http config, only a socks port.

So what do I put in the apps proxy config now?
i.e. filezilla, a/v update via proxy

Thanks