New Tor Browser Bundles with Firefox 17.0.9esr

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

Tor Browser Bundle (2.4.17-beta-2)

  • Update Firefox to 17.0.9esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
  • Update LibPNG to 1.6.3
  • Update HTTPS Everywhere to 4.0development.12
  • Update NoScript to 2.6.7.1
  • Remove extraneous libevent libraries (closes: #9727)
  • Enable GCC hardening for Tor
  • Firefox patch changes:
    • Disable filtered results in Startpage omnibox (closes: #8839)
  • Add missing geoip file to Linux bundle
  • (entry missing from regular changelog)

Anonymous

September 20, 2013

And, again, no source tarball seen on Tor website for either version.

When I boot my computer, it tells me that there is a newer version of Tor available, and so I went to the Tor website, and saw the 2.4.17-beta-2, but I believe I installed one that had an "rc" in it, and I have installed the beta also, I think. However, when I boot up, it still shows a warning that a newer version is available. I don't understand what I am doing wrong. Also, I tried re-installing it, and it still warns. Also, I have 17.0.8esr and now I am reading about 17.0.9esr and don't see it anywhere. I even click on "update" in my browser and it says I am up to date. I am getting confused here. What is the current version, and can I download it all in one place and install?

That is the link I went to when downloading the newer version. However, it doesn't seem to update the browser; it is still on 17.0.8esr, so I don't know what to make of this. I'm still getting notification to update, have gone to the right place and downloaded the right file, but it still leaves me wanting. Perhaps someone can do a test run through, and provide steps to follow?

Anonymous

September 20, 2013

Tails v0.20.1 was released two days ago. It includes Tor 0.2.4.17-rc.

1. Is Tor 0.2.4.17-rc equivalent to 2.4.17-beta-2?

2. Why did Tails not include 2.3.25-13, which is the stable release?

3. Can Tails and Tor developers work as a team, seeing that new releases of Tails are made on this blog?

1) 2.4.17-beta-2 is a Tor Browser Bundle version.

0.2.4.17-rc is a Tor version.

The two versions do look quite similar, and that's not a coincidence. It's meant to be helpful.

2) Tails moved to Tor 0.2.4.17-rc because of the advice in
https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients

3) We do collaborate. That's how I know the answer to question #2. :)

Anonymous

September 20, 2013

When's the new version of the pluggable transports TBB coming out?

In the meantime, how do we upgrade the Firefox in the PT 2.4.16-beta bundle?

I believe David has a new version built now, and is sorting out how to get it onto the website. (I used to do it for him each time, but I'm trying to stop being the bottleneck there.)

Anonymous

September 20, 2013

1. Why is Tor still using SSL 3.0? and not TLS only?
2. Why aren't Tor and Tails' Iceweasel identical? Doesn't Tor heavily depend on "security thru obscurity"?
3. Why is Tor still using weak cipher suites for SSL connections instead of the stronger ones?
Thanks for your great work btw.

Anonymous

September 21, 2013

I would like to add some dictionaries to 2.4.17-beta-2. Would I compromise my anonymity if I would do so?

Anonymous

September 21, 2013

ATTENTION! ALERT!

I downloaded tor-browser-2.3.25-13_en-US.exe just now. Upon clicking the executable, Symantec informed me there is a security risk. The risk has a name: it is called WS.Reputation.1

Tor developers, please verify the files uploaded to the servers have not been infected.

Thank you.

Wow. It looks like the security risk it's telling you about is "Not enough of Symantec's users have tried running this program yet".

I guess there's value in having that groupthink check, but... shouldn't Symantec be explaining what it's doing to its users? This does not sound like it is reporting any infection.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-051308…

http://community.norton.com/t5/Norton-Internet-Security-Norton/Clarific…

http://www.mindworkshop.info/windows/the-norton-symantec-ws-reputation-…

If I were you I would try to opt out of telling Symantec about everything you do with your computer.

Anonymous

September 21, 2013

I am running the TBB that uses Firefox 17.0.8.

This new version of TBB uses Firefox 17.0.9.

When I started up the TBB version with 17.0.8 it took me to the tor home page, but did not notify me that an update was available.

Why did I receive no update warning to update to 17.0.9?

The reason I am asking is that I always depend on the home page to notify me of updates. When the javascript exploit was used, I was sure I was using 17.0.7 because I had always updated when the home page gave me a notification. Now I am not so sure. Was a warning on the home page given to upgrade from 17.0.6 to 17.0.7?

The way TBB 2.x checks for updates is that it periodically goes to https://check.torproject.org/RecommendedTBBVersions, on its own, in the background. If that page tells it that it's out of date, it changes your homepage setting so the next time you start TBB it will go to a variant of check.torproject.org that tells you to upgrade.

So it sometimes takes a cycle or two before it will tell you. That also means that people who leave their TBB open forever take a long time to learn that they should upgrade. :(

Let's all look forward to TBB 3.x which has a better interface here.
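
The update check described in the reply above, as a simplified Python model added here (not Tor Browser's own code). It assumes the RecommendedTBBVersions body is a JSON array of `version-platform` strings; the sample list, the platform suffixes and the `OLD` placeholder version are constructed.

```python
import json

# Constructed sample of the list body; the JSON-array-of-strings format and the
# "-Linux"/"-Windows"/"-MacOS" suffixes are assumptions, not taken from the page.
SAMPLE_BODY = json.dumps([
    "2.3.25-13-Linux", "2.3.25-13-Windows", "2.3.25-13-MacOS",
    "2.4.17-beta-2-Linux", "2.4.17-beta-2-Windows", "2.4.17-beta-2-MacOS",
])
OLD = "2.3.25-OLD-Linux"  # constructed placeholder for an outdated bundle


def parse_recommended(body):
    """Return the set of recommended version strings, or None if unusable."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, list) or not all(isinstance(v, str) for v in data):
        return None
    return set(data)


def check(installed, body):
    """Classify a bundle; a malformed list is 'unknown', never 'current'."""
    recommended = parse_recommended(body)
    if recommended is None:
        return "unknown"
    return "current" if installed in recommended else "outdated"


class Bundle:
    """The background check only changes what the *next* start shows."""

    def __init__(self, installed):
        self.installed = installed
        self.homepage = "congratulations"

    def background_check(self, body):
        if check(self.installed, body) == "outdated":
            self.homepage = "please-upgrade"

    def start(self):
        return self.homepage


if __name__ == "__main__":
    b = Bundle(OLD)
    print("first start: ", b.start())   # outdated, but no check has run yet
    b.background_check(SAMPLE_BODY)
    print("second start:", b.start())   # notice appears one cycle later
```
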

Anonymous

September 21, 2013

Roger/Erinn, thanks for your work.
If you can show the following request to the Tails team, that would be appreciated:

Dear Tails team,
please consider enabling by default the option "Enable mouse clicks with touchpad", that is accessible via the menu System --> Preferences --> Mouse --> "Touchpad" tab. (Another option there, "Enable horizontal scrolling", enabled is also a good idea.)

This option is needed by all Tails laptop users without the external mouse. Currently we have to suffer or keep enabling that option by hand after every boot.
If you need to see the similar config files where it's enabled by default, please peek at the Liberte Linux: http://dee.su/liberte . It's Gentoo-based, but the mouse controls seem the same.

This would be especially appreciated by the new Tails/Linux users. (You've heard the people complaining that the "Tails touchpad doesn't work"... There was even, if I remember, Runa's Tor blog post here describing that happening at some conference, when she was giving out the Tails USB sticks.)

Thank you.

Understood. Just mentioned because someone else here discussed Tails.

Starting Tails just to run Whisperback is a bit too involved (same with creating the Tor bug tickets). This blazing-quick blog posting, however, is much easier.

Never mind.

Anonymous

September 21, 2013

As a follow up to my previous question, I have always updated immediately when the update notification on the home page appeared when I started Tor.

Whenever I start Tor and it takes me to the home page with the "Congratulations you are using Tor" message in green letters, is that an assurance that I am using the latest most current version?

Great work you guys are doing, BTW.

Anonymous

September 21, 2013

Are any parts of Tor affected by the news below?
What about Tails?
-Thanks.

RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm
http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

"...RSA said that all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C were affected.
In addition, all versions of RSA Data Protection Manager (DPM) server and clients...
...RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG."

Anonymous

September 21, 2013

When will migration to Firefox 24esr be expected? I mean time difference between Mozilla's release and TBB included one.

Anonymous

September 21, 2013

"please peek at the Liberte Linux"

IIRC,

  • Liberte Linux has one release. One. A long time ago.
  • Does Liberte Linux auto-update to bring packages up to date? If not, it should not be used and you shouldn't recommend others to use it.

TAILS releases new versions in a timely manner.

Sure, but no one "recommended others" to use Liberte Linux.

If you read that above post in the context, it was addressed only to the Tails developers - and only to note an example of the mouse/touchpad setting enabled by default.

Anonymous

September 22, 2013

2.4.17-beta-2 uses HTTPS-Everywhere 3.3.1 instead of the newest version 3.4.1. What is the reason for this?

Anonymous

September 22, 2013

Hi torproject!
Why do the geoip files in the stable & beta bundles differ?
Stable > old shit from May 1 2012 (!)
Beta > fresh database from Aug 7 2013
WTF?! Why don't you replace it with a new one in stable?