New Tor Browser Bundles with Firefox 17.0.9esr

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

Tor Browser Bundle (2.4.17-beta-2)

  • Update Firefox to 17.0.9esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
  • Update LibPNG to 1.6.3
  • Update HTTPS Everywhere to 4.0development.12
  • Update NoScript to 2.6.7.1
  • Remove extraneous libevent libraries (closes: #9727)
  • Enable GCC hardening for Tor
  • Firefox patch changes:
    - Disable filtered results in Startpage omnibox (closes: #8839)
  • Add missing geoip file to Linux bundle (entry missing from regular changelog)

Anonymous

September 20, 2013

And, again, no source tarball seen on Tor website for either version.

When I boot my computer, it tells me that there is a newer version of Tor available, and so I went to the Tor website, and saw the 2.4.17-beta-2, but I believe I installed one that had an "rc" in it, and I have installed the beta also, I think. However, when I boot up, it still shows a warning that a newer version is available. I don't understand what I am doing wrong. Also, I tried re-installing it, and it still warns. Also, I have 17.0.8esr and now I am reading about 17.0.9esr and don't see it anywhere. I even click on "update" in my browser and it says I am up to date. I am getting confused here. What is the current version, and can I download it all in one place and install?

That is the link I went to when downloading the newer version. However, it doesn't seem to update the browser, it is still on 17.0.8esr, so I don't know what to make of this. I'm still getting notification to update, have gone to right place and downloaded right file, but still leaves me wanting? Perhaps someone can do a test run through, and provide steps to follow?

Anonymous

September 20, 2013

Tails v0.20.1 was released two days ago. It includes Tor 0.2.4.17-rc.

1. Is Tor 0.2.4.17-rc equivalent to 2.4.17-beta-2?

2. Why did Tails not include 2.3.25-13, which is the stable release?

3. Can Tails and Tor developers work as a team, seeing that new releases of Tails are made on this blog?

1) 2.4.17-beta-2 is a Tor Browser Bundle version.

0.2.4.17-rc is a Tor version.

The two versions do look quite similar, and that's not a coincidence. It's meant to be helpful.

2) Tails moved to Tor 0.2.4.17-rc because of the advice in
https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients

3) We do collaborate. That's how I know the answer to question #2. :)

Anonymous

September 20, 2013

When's the new version of the pluggable transports TBB coming out?

In the meantime, how do we upgrade the Firefox in the PT 2.4.16-beta bundle?

I believe David has a new version built now, and is sorting out how to get it onto the website. (I used to do it for him each time, but I'm trying to stop being the bottleneck there.)

How long do we need to wait?

In the meantime, can we update the bundled Firefox directly to 17.09 ESR without breaking the bundle?

You can build them yourself, using the vanilla TBB:
https://trac.torproject.org/projects/tor/ticket/8416

(If you try to stick Mozilla's Firefox 17.0.9-esr into the TBB, things will go bad pretty quick. Tor Browser is a modified Firefox.)

Here are the corresponding pluggable transports bundles.

https://blog.torproject.org/blog/pluggable-transports-bundles-2417-beta…

Which is better to use, the stable or the beta?

I think the beta is probably faster, but it might have more unexpected bugs. So it depends how comfortable you are with that tradeoff.

1. Why is Tor still using SSL 3.0? and not TLS only?
2. Why aren't Tor and Tails' Iceweasel identical? Doesn't Tor heavily depend on "security thru obscurity"?
3. Why is Tor still using weak cipher suites for SSL connections instead of the stronger ones?
Thanks for your great work btw.

Would be nice to have the pluggable transport bundle updated as well!

Here are the corresponding pluggable transports bundles.

https://blog.torproject.org/blog/pluggable-transports-bundles-2417-beta…

Will there be an update for the 3.0 alpha version within the next few days?

What I really meant: Will there soon be an update for the 3.0 alpha version which uses Firefox 17.0.9 (or 24.0)?

That's the answer.

I would like to add some dictionaries to 2.4.17-beta-2. Would I compromise my anonymity if I did so?

ATTENTION! ALERT!

I downloaded tor-browser-2.3.25-13_en-US.exe just now. Upon clicking the executable, Symantec informed me there is a security risk. The risk has a name: it is called WS.Reputation.1

Tor developers, please verify the files uploaded to the servers have not been infected.

Thank you.

Whee. Can you tell us exactly what version of Symantec, etc?

Sounds like another case of https://www.torproject.org/docs/faq#VirusFalsePositives

Can you tell us exactly what version of Symantec, etc?

I have uploaded a screen capture. You can view it by clicking on the following link: http://i42.tinypic.com/2virxic.jpg

Wow. It looks like the security risk it's telling you about is "Not enough of Symantec's users have tried running this program yet".

I guess there's value in having that groupthink check, but... shouldn't Symantec be explaining what it's doing to its users? This does not sound like it is reporting any infection.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308…

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarific…

http://www.mindworkshop.info/windows/the-norton-symantec-ws-reputation-…

If I were you I would try to opt out of telling Symantec about everything you do with your computer.

I am running the TBB that uses Firefox 17.0.8.

This new version of TBB uses Firefox 17.0.9.

When I started up the TBB version with 17.0.8 it took me to the tor home page, but did not notify me that an update was available.

Why did I receive no update warning to update to 17.0.9?

The reason I am asking is that I always depend on the home page to notify me of updates. When the javascript exploit was used, I was sure I was using 17.0.7 because I had always updated when the home page gave me a notification. Now I am not so sure. Was a warning on the home page given to upgrade from 17.0.6 to 17.0.7?

The way TBB 2.x checks for updates is that it periodically goes to https://check.torproject.org/RecommendedTBBVersions, on its own, in the background. If that page tells it that it's out of date, it changes your homepage setting so the next time you start TBB it will go to a variant of check.torproject.org that tells you to upgrade.

So it sometimes takes a cycle or two before it will tell you. That also means that people who leave their TBB open forever take a long time to learn that they should upgrade. :(

Let's all look forward to TBB 3.x which has a better interface here.
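The update flow described in the reply above, replayed as a small model. This is an added example, not Tor Browser code: it shows why the upgrade notice lags by at least one start and why the check.torproject.org page is not an assurance of being current. The JSON-array format of the version list, the `-Linux` suffix, the `2.3.25-12-Linux` version string and all class and function names are assumptions made for illustration.

```python
import json

# Constructed sample; the real format of RecommendedTBBVersions is assumed
# here to be a JSON array of version strings.
SAMPLE_RECOMMENDED = '["2.3.25-13-Linux", "2.4.17-beta-2-Linux"]'

NORMAL_PAGE = "check.torproject.org"
UPGRADE_PAGE = "check.torproject.org (upgrade notice variant)"


class BundleModel:
    """Toy model of the TBB 2.x update flow described in the reply above."""

    def __init__(self, installed):
        self.installed = installed
        self.homepage = NORMAL_PAGE  # persisted setting, read only at startup

    def background_check(self, recommended_json):
        """Periodic fetch: only flips the stored homepage, shows nothing."""
        recommended = json.loads(recommended_json)
        if self.installed not in recommended:
            self.homepage = UPGRADE_PAGE
        return self.installed in recommended

    def start(self):
        """Browser start: the user sees whatever homepage was stored earlier."""
        return self.homepage


def pages_seen(installed, events, recommended_json=SAMPLE_RECOMMENDED):
    """Replay 'start' / 'check' events; return the page shown at each start."""
    bundle = BundleModel(installed)
    seen = []
    for event in events:
        if event == "start":
            seen.append(bundle.start())
        elif event == "check":
            bundle.background_check(recommended_json)
        else:
            raise ValueError(f"unknown event: {event}")
    return seen


if __name__ == "__main__":
    # Outdated bundle (constructed version): notice appears one start later.
    print(pages_seen("2.3.25-12-Linux", ["start", "check", "start"]))
    # Left open "forever": checks run, but no new start ever shows the notice.
    print(pages_seen("2.3.25-12-Linux", ["start", "check", "check", "check"]))
```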

Roger/Erinn, thanks for your work.
If you can show the following request to the Tails team, that would be appreciated:

Dear Tails team,
please consider enabling by default the option "Enable mouse clicks with touchpad", that is accessible via the menu System --> Preferences --> Mouse --> "Touchpad" tab. (Another option there, "Enable horizontal scrolling", enabled is also a good idea.)

This option is needed by all Tails laptop users without the external mouse. Currently we have to suffer or keep enabling that option by hand after every boot.
If you need to see the similar config files where it's enabled by default, please peek at the Liberte Linux: http://dee.su/liberte . It's Gentoo-based, but the mouse controls seem the same.

This would be especially appreciated by the new Tails/Linux users. (You've heard the people complaining that the "Tails touchpad doesn't work"... There was even, if I remember, Runa's Tor blog post here describing that happening at some conference, when she was giving out the Tails USB sticks.)

Thank you.

This is totally the wrong place to try to reach Tails people.

https://tails.boum.org/support/index.en.html

Understood. Just mentioned because someone else here discussed Tails.

Starting Tails just to run Whisperback is a bit too involved (same with creating the Tor bug tickets). This blazing-quick blog posting, however, is much easier.

Never mind.

As a follow up to my previous question, I have always updated immediately when the update notification on the home page appeared when I started Tor.

Whenever I start Tor and it takes me to the home page with the "Congratulations you are using Tor" message in green letters, is that an assurance that I am using the latest most current version?

Great work you guys are doing, BTW.

It is not an assurance, unfortunately. There is nothing magic about "going to check.torproject.org" -- the page doesn't change what it says based on your version.

See
https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1709es…
for details.

Are any parts of Tor affected by the news below?
What about Tails?
-Thanks.

RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

"...RSA said that all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C were affected.
In addition, all versions of RSA Data Protection Manager (DPM) server and clients...
...RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.”

Ah, there is a random number generation algorithm out there that people are freaked out about now. No, Tor doesn't use it.

I regularly check Mozilla's FFesr downloads page ...

https://www.mozilla.org/en-US/firefox/organizations/all.html

... and I never saw a version 17.0.9esr there. For several weeks the latest release on that page was 17.0.8esr until it was upgraded to 24.0esr a couple of days ago. When was 17.0.9esr released and where did Mozilla publish it?

http://www.mozilla.org/en-US/firefox/17.0.9/releasenotes/

I agree that Mozilla didn't do a publicity splash for it. Good thing we're working closely with them so we hear about these things. (I agree that's not the best way for them to tell their users about updates.)

Yes, I want to use 24.0 esr with TBB.

When will migration to Firefox 24esr be expected? I mean time difference between Mozilla's release and TBB included one.

Mike is still trying to fix major privacy bugs in FF24. So, "real soon now because we have to", but probably right around the time FF17 goes unmaintained.

"please peek at the Liberte Linux"

IIRC,

  • Liberte Linux has one release. One. A long time ago.
  • Does Liberte Linux auto-update to bring packages up to date? If not, it should not be used and you shouldn't recommend others to use it.

TAILS releases new versions in a timely manner.

Sure, but no one "recommended others" to use Liberte Linux.

If you read that above post in the context, it was addressed only to the Tails developers - and only to note an example of the mouse/touchpad setting enabled by default.

2.4.17-beta-2 uses HTTPS-Everywhere 3.3.1 instead of the newest version 3.4.1. What is the reason for this?

A fine question. Erinn?

Sorry, my mistake. It's 3.0 alpha-3 which still uses HTTPS-Everywhere 3.3.1.

Hi torproject!
Why do the geoip files in the stable & beta bundles differ?
Stable > old shit from May 1 2012 (!)
Beta > fresh database from Aug 7 2013
WTF?! Why don't you replace it with a new one in stable?

Because the geoip file comes in the Tor distribution, and the stable Tor distribution (0.2.3.25) actually is from long ago. Once Tor 0.2.4 goes stable, it should get the new one.