Testing Tor Browser Bundle 1.2.0-dev

by phobos | May 23, 2009

This is an open call for testing of the soon to be released Tor Browser Bundle 1.2.0.

The major changes in this version are that you can now run multiple instances of Firefox. This means each Firefox browser is independent of the others. They won't leak urls, scripts, etc between instances.

It also includes Tor's geoip database. This will enable people to set ExitNodes by country code. You still have to manually edit the torrc file. We'd love it if someone wrote a way to do this into Vidalia (such as right click on a country in the network map and choose "exit here").

  • Switch to launching Firefox directly from Vidalia to allow multiple instances of Firefox
  • Update Firefox to 3.0.10
  • Update to Qt 4.5.1
  • Update Firefox prefs.js to stop scanning for plugins
  • Update libevent to 1.4.11
  • Include the Tor geoip database

I'll be watching this post and comments for feedback. I only created the English version for testing. Thanks for testing!

Here is the Tor IM Browser Bundle 1.2.0-dev, sig, and sha1 files.


Please note that the comment area below has been archived.

May 23, 2009



disable javascript (i.e., with this: http://controledescripts.mozdev.org)

disable mime type

disable XMLHttpRequests (with Configurable Security Policies: http://www.mozilla.org/projects/security/components/ConfigPolicy.html)

about:config (or pref.js/user.js) tweak:

browser.sessionstore.privacy_level 2
browser.chrome.site_icons false
browser.chrome.favicons false
browser.chrome.image_icons.max_size 0
plugin.scan.4xPluginFolder false
plugin.scan.Acrobat set high value (i.e., 30)
plugin.scan.Quicktime set high value (i.e., 30)
plugin.scan.SunJRE set high value (i.e., 30)
plugin.scan.WindowsMediaPlayer set high value (i.e., 30)
extensions.blocklist.enabled false
extensions.blocklist.url delete value
network.prefetch-next false
network.hosts.pop_server delete value
browser.bookmarks.max_backups 0
browser.microsummary.updateGenerators false
network.http.pipelining true
network.http.proxy.pipelining true
network.http.max-persistent-connections-per-proxy 16
network.http.pipelining.maxrequests 8
network.http.keep-alive.timeout 600
browser.identity.ssl_domain_display 2

Thanks for the suggestion. I've sent it on to our torbutton wizard to see if these help, hurt, or won't change the risks to users of TBB.

Torbutton mitigates all known javascript attacks. Sure, there could be new ones we don't know about, but the benefit vs. risk of javascript being enabled seems to be an acceptable balance for now.

Thanks for the hints about Adobe and Quicktime plugin scanners. TBB already disables SunJRE, WindowsMediaPlayer, and 4xPluginFolder.

I'll think about the rest too.

Hi Anonymous,

You've got a lot a lot of prefs there.. Some of them seem useful, but others I'm not quite sure if they matter or even improve the situation. For example:

extensions.blocklist.enabled false
extensions.blocklist.url delete value

seem like bad ideas. My firefox fetches the blocklist over https. Is there a reason why you think this is bad?

Also, what about the various http options? Are they just performance I take it? Do they work ok with privoxy?

Do you think you could repost the list with a brief description of why each option is a good idea?

May 23, 2009


it is working fine phobos but the plugin problems. i cant c the you tube videos, it says flash player not installed .so i installed flash player still it is not working.i also disable tor plugins in tor button but still no chance. i have done this thing in previous versions & it worked fine .i thinkit is not scanning 4 plugins or not allowing 2 install it..P lease fix it

April 17, 2010

In reply to phobos


If you have installed Firefox on you computer, install Flash player to this one, replace with tor's firefox

I DON'T care about anonymity, and I want to have Flash enabled so I can watch videos outside of my country. I can not get a straight answer anywhere.

July 02, 2010

In reply to phobos


Privacy and anonymity, yes, but what about censorship pass through?

I'm 49 y/o and work in Qatar. Here only one ISP exist and they block contents as they like, regardless of worldwide recognized human rights (right to free information access, in particular). In Saudi Arabia is even worse. One friend told me they even block christian videos.

Anyone can tell how to watch youtube video (from here) about, for example, new testicle dysfunction treatments?

From your home country and your home ISP it's easy for you.

"Do not use Tor..." ???

If you're so smart, tell me what to use, then.

May 23, 2009


"Switch to launching Firefox directly from Vidalia to allow multiple instances of Firefox"
This sounds like a great improvement.

1 Does this mean that one can run 2 different versions of Firefox simultaneus for example the default 3.0.10 and
or only 2 of the same version 3.0.10

2 Can one have different settings in them for example in one have javascript and cookies on and the other have javascript and cookies off

3 Is this automatically configured safely, meaning that things like the phone home for updates, live bookmarks, RSSfeeds, javascript, cookies and so on, are turned off.

It should mean that TBB firefox and other non-TBB firefox instances are unique and separate from one another. So, I think "yes" to 1 and 2 above. And 3, it's as safe as the other TBB configurations.

May 27, 2009


have you noticed that the download does not work for the windows bundle? I have been trying for weeks to get it and get a 'file or server unavailable' message

May 27, 2009


Noticed two bugs:

(1) 'FirefoxPortable.ini" in the FirefoxPortable folder still contains the executable name "firefox.exe", looks like you forgot to change it to "tbb-firefox.exe". (I know not to start Firefox this way for normal use. Only point of executing firefoxportable.exe directly is for testing, and that's what I was doing when I found this.)

(2) Verified at least with http://www.torproject.org/torbrowser/dist/tor-browser-1.2.0_en-US.exe ... for some reason, after the first execution of "Start Tor Browser.exe", an "invalidprefs.js" file appears in the FirefoxPortable\Data\profile directory ... containing user_pref lines DIFFERENT than, or MISSING from, FirefoxPortable\Data\profile\prefs.js ... INCLUDING the new anti-plugin scanning options you added with this release. Thus, the new anti-plugin scanning config options you added (and possibly other stuff) are having no effect. (My environment: XP SP2)


May 27, 2009

In reply to by Anonymous (not verified)


1) nice catch, but it doesn't seem to affect functionality. I'll work on fixing it.

2) Yes, ff does create an invalidprefs.js file, but as far as I can tell, it's been doing this for a while. The plugin scanning options still work, even though it appears they show up in invalidprefs.js. Firefox has a few ways to display the plugins, so looking at about:plugins shows none, but going to Tools, Addons, Plugins, looks like there are some active. They aren't. In fact, if you try to test the plugins, they'll all fail.

I'm still reading through the firefox 3.0.10 source to figure out how to best disable the plugin scanning, and to see when/why invalidprefs.js is created.

May 28, 2009

In reply to phobos


1) Changing the executable name ("firefox.exe") in FirefoxPortable.ini to "tbb-firefox.exe" solved the problem here. Without this change, FirefoxPortable.exe, if directly executed (without the rest of TBB already running) says "Mozilla Firefox Portable Edition cannot be started. You may wish to re-install to fix this issue. (ERROR: firefox.exe could not be found)". And no, I didn't mean to say this bug interfered with the normal operation of TBB, only that it prevents firefoxportable.exe from being directly executed if someone wants to start the TBB bundle's copy of Firefox Portable all by itself for various testing purposes.

2) By "the plugin scanning options still work", did you mean to say that the user_pref() options being stripped from prefs.js still have an effect on Firefox because they remain in "invalidprefs.js"? If so, I beg to differ. :)

Here's what happens, according to filemon, the very first time "start tor browser.exe" is executed (after a fresh unpacking of the 7Z executable):

(a) VIDALIA queries FirefoxPortable\App\DefaultData\Profile\prefs.js (result: SUCCESS/FOUND)
(b) VIDALIA queries FirefoxPortable\Data\profile\prefs.js (result: NOT FOUND)
(c) VIDALIA opens FirefoxPortable\App\DefaultData\Profile\prefs.js
(d) VIDALIA creates FirefoxPortable\Data\profile\prefs.js
(e) VIDALIA copies all 5545 bytes of FirefoxPortable\App\DefaultData\Profile\prefs.js to FirefoxPortable\Data\profile\prefs.js
(f) VIDALIA closes FirefoxPortable\App\DefaultData\Profile\prefs.js
(g) VIDALIA closes FirefoxPortable\Data\profile\prefs.js

So it's clear the intent so far is making a verbatim copy of prefs.js from the App locale to the Data locale. With that in mind, later on in the "start tor browser.exe" startup process, Firefox gets executed and this is observed by filemon:

(h) TBB-FIREFOX queries FirefoxPortable\Data\profile\prefs.js
(i) TBB-FIREFOX opens FirefoxPortable\Data\profile\prefs.js
(j) TBB-FIREFOX reads all 5545 bytes of FirefoxPortable\Data\profile\prefs.js
(k) TBB-FIREFOX closes FirefoxPortable\Data\profile\prefs.js
(l) TBB-FIREFOX opens FirefoxPortable\Data\profile\prefs.js
(m) TBB-FIREFOX creates FirefoxPortable\Data\profile\invalidprefs.js
(n) TBB-FIREFOX reads all 5545 bytes of FirefoxPortable\Data\profile\prefs.js
(o) TBB-FIREFOX writes 5545 bytes to FirefoxPortable\Data\profile\invalidprefs.js
(p) TBB-FIREFOX closes FirefoxPortable\Data\profile\prefs.js
(q) TBB-FIREFOX closes FirefoxPortable\Data\profile\invalidprefs.js

And based upon continuous filemon observation, that is the ONLY time "invalidprefs.js" is EVER accesssed for the entire life of the TBB installation. (I.e. it's never touched again for the remainder of the first execution of "start tor browser.exe", and it's not touched even once during any later executions thereof.)

And because only "invalidprefs.js" contains your anti-plugin-scanning options (i.e. because Firefox is stripping them out of the new "prefs.js" it creates after creating "invalidprefs.js" itself), those options are literally thrown away, permanently, the instant TBB starts for the first time.

In fact, more than just your anti-plugin-scanning options are being thrown away. Here is what IS NOT in FirefoxPortable\Data\profile\prefs.js (but IS in invalidprefs.js and in FirefoxPortable\App\DefaultData\profile\prefs.js) after the very first execution of Firefox in TBB:

user_pref("urlclassifier.tableversion.goog-black-enchash", "1.55536");
user_pref("urlclassifier.tableversion.goog-black-url", "1.23256");
user_pref("urlclassifier.tableversion.goog-white-domain", "1.481");
user_pref("urlclassifier.tableversion.goog-white-url", "1.371");
user_pref("plugin.scan.SunJRE", 99.0);
user_pref("plugin.scan.WindowsMediaPlayer", 99.0);
user_pref("plugin.scan.4xPluginFolder", false);
user_pref("security.enable_java", false);
user_pref("signon.rememberSignons", false);
user_pref("general.useragent.locale", "en-US");

[Additionally, user_pref("general.productSub.override", "20080404") gets changed to "user_pref("general.productSub.override", "2009021910")]

Now that's quite bad. You may be right that torbutton thwarts *activation* of those plug-ins regardless of the plugin.scan.* options, but you're still losing the extra protection acquired by having them (having them = Firefox fails to realize they even exist and thus never *tries* to activate them), and even worse, you're losing several other critical options like the disabling of Java and remember-signons. Ouch! And of course, this can be confirmed just by starting TBB and looking in "Tools > Options > Content > Enable Java", where you will see it CHECKED. And in Tools > Add-Ons > Plugins, where you will see that Firefox is detecting Java, WMP, and NN4x plugins. (I'm not sure what security implications are involved in the loss of the urlclassifier and general.useragent options, and in general.productSub.override being changed, but yeah, they're toasted/altered too.)

So this is a serious problem. As far as why "invalidprefs.js" is being created and why the aforementioned options are being stripped from the new "prefs.js" Firefox creates at the same time, check this out:

https://bugzilla.mozilla.org/attachment.cgi?id=245907&action=edit (relevant source code)

This seems to be a newish function designed to backup your prefs.js (to "invalidprefs.js") if your prefs.js contains unparseable lines -- and then discard all non-parseable lines from your prefs.js. That in mind, I looked through your FirefoxPortable\App\DefaultData\profile\prefs.js file, and did in deed find two unparseable lines:

user_pref("plugin.scan.SunJRE", 99.0);
user_pref("plugin.scan.WindowsMediaPlayer", 99.0);

Those should have quotes around the values, like this:

user_pref("plugin.scan.SunJRE", "99.0");
user_pref("plugin.scan.WindowsMediaPlayer", "99.0");

So here's what I tried. I completely deleted my TBB folder from my HDD. Then I re-extracted TBB fresh from the 7Z executable. But before running "start tor browser.exe" for the first time, I manually notepad-edited FirefoxPortable\App\DefaultData\profile\prefs.js and added the necessary quotes as shown above. THEN I ran "start tor browser.exe" for the first time. The results? No "invalidprefs.js" file was generated, AND absolutely NO options went missing from the FirefoxPortable\Data\profile\prefs.js file (not the plugin.scan.* options, not the security.enable_java option, not the signon.rememberSignons optin -- NONE were lost)!

So that's the fix. :)

Which I suppose means there are actually two bugs here:

* You simply need to fix your FirefoxPortable\App\DefaultData\profile\prefs.js file (add those quotes) and everything will be fine.

* Someone needs to tell Mozilla that Firefox has a bug which deletes some uncorrupted lines from prefs.js when removing corrupted ones.

Anyway. Thanks for listening and thanks for all your hard work on this great bundle.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Incidentally, I second some of the first commenter's suggested additions to your master FirefoxPortable\App\DefaultData\profile\prefs.js file. Specifically these:

user_pref("network.prefetch-next", false); - Definitely a good one. Disables Firefox downloading web pages the user didn't explicitly request. On the onion network, any unnecessary traffic can only be detrmimental, after all.

user_pref("plugin.scan.Acrobat", "99.0");
user_pref("plugin.scan.Quicktime", "99.0"); - Yup, these definitely should've been included when the 4x/WMP/SunJRE options were themselves added. Just don't forget the quotes. ;)

user_pref("browser.microsummary.updateGenerators", false); - Stops spontaneous microsummary-type phone-home-to-update-your-bookmarks traffic. The danger here is these phone-outs could happen when tor is enabled and again when tor is disabled (linking anonymous to non-anonymous identities through cookies set/read in each case). (See http://kb.mozillazine.org/Browser.microsummary.updateGenerators for more information.)

user_pref("network.hosts.pop_server", ""); - Good idea in general to blank this (the default hostname is 'mail'). I would also blank these other two: network.hosts.smtp_server and network.hosts.nntp_server.

user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.blocklist.url", ""); - These two are also a good idea. The blocklist feature downloads a list of extensions considered malicious by Mozilla from addons.mozilla.org. So we encounter the same danger as with browser.microsummary.updateGenerators -- linking anonymous and non-anonymous identities could happen through this.

user_pref("browser.sessionstore.privacy_level", 2); - Another good idea, because I believe Firefox gives you the choice whether to save your tabs (i.e. current browsing state) to disk when closing it normally but does *not* offer you that choice if FF crashes (i.e. it immediately writes said info to disk so your next session will open with your previous tabs). Disabling the session restore feature entirely seems to be the only way to make sure unrequested writes-to-disk of browsing state information won't happen upon a FF crash.

user_pref("browser.chrome.site_icons", false);
user_pref("browser.chrome.favicons", false);
user_pref("browser.chrome.image_icons.max_size", 0); - Not sure why he suggested these, unless the favicon.ico files Firefox caches in its bookmarks file are ever updated at any time OTHER than when the user intentionally clicks one of those bookmarks. If they *are* updated at any other times, then the same anonymous/non-anonymous identity association problem previously mentioned would occur. Original commenter: do you know something I don't? TBB: In either case, if you do decide to implement these, be sure to also take http://kb.mozillazine.org/Browser.chrome.load_toolbar_icons into account (whose value can override these three).

I'm also confused by what the original commenter meant by "disable mime type" (huh?), and what the danger of having XMLHttpRequests enabled could be. Does Firefox not send XMLHttpRequests through the user-selected SOCKS/HTTP/FTP/Gopher proxies? Or maybe he was just concerned about XMLHttpRequests being used as "web bugs" for tracking)? Anyway, seems to me XMLHttpRequests is a fairly vital feature in the Web 2.0 world. Maybe the original poster can explain his reasoning behind suggesting it be turned off?

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

And now a couple suggestions of my own (derived from comparing my personal prefs.js settings with TBB's):

user_pref("browser.download.manager.retention", 1); - Your current setting is 0. Changing this to "1" would make the DL manager list clear upon browser exit instead of immediately when each file stops downloading (which is what "0" causes). Reason I suggest "1" is, immediate clearing stops you from seeing "successful/done" vs. "failed" style messages for downloads that have stopped. So as long as changing to "1" causes no data to be written to disk (not confirmed by me), "1" would be the most user-friendly IMO.

user_pref("browser.send_pings", false); - A privacy risk (in the sense of web bugs) if enabled. Also a security risk if enabled (hovering your mouse over a link doesn't show you the URL your browser will hit as the "ping" itself). See http://kb.mozillazine.org/Browser.send_pings for more info.

user_pref("dom.event.contextmenu.enabled", false); - Stop various right-click hijacking/denial/alteration.

user_pref("plugin.expose_full_path", true); - VERY handy (makes exact full paths of each plugin filename firefox is detecting visible in about:plugins)

user_pref("extensions.getAddons.showPane", false); - Prevents the "Get Add-ons" pane from appearing in the Tools > Add-Ons dialogue. If this is enabled, Firefox phones out to Mozilla as soon as you bring this pane into view. Which poses yet another anonymous/non-anonymous identity association risk (via cookies) if accessed when tor is on and again when tor is off, or vice versa.

user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.add.103", ""); - In the current version of TBB, you have "xpinstall.whitelist.required" set to its default ("true"), which is what makes Tools > Options > Security > "Warn me when sites try to install add-ons" appear checked. However, the [Exceptions] button right next to that option contains "addons.mozilla.org" and "update.mozilla.org". Hence, no warning from those sites. Even though \FirefoxPortable\Data\profile\permissions.sqlite is where the list of those [Exceptions] is stored, "permissions.sqlite" is only generated when Firefox first runs, and its initial content ("addons.mozilla.org" and "update.mozilla.org") comes from the default values of these xpinstall.whitelist.add.* options. So, setting these xpinstall.whitelist.add.* options to blank strings prevents "addons.mozilla.org" and "update.mozilla.org" from becoming default entries in [Exceptions]. (FYI: once "permissions.sqlite" is generated for the first time, all future user changes to the Exceptions list are stored there; the xpinstall.whitelist.add.* options are apparently never altered again in prefs.js, even if the user adds "addons.mozilla.org" and "update.mozilla.org" themselves back to his/her Exceptions list.)

user_pref("browser.safebrowsing.malware.enabled", false); - I noticed you have "browser.safebrowsing.enabled" set "false" (which unchecks Tools > Options > Security > "Tell me if the site I'm visiting is a suspected forgery." But you have "Tell me if the site I'm visiting is a suspected attack site" checked. I'm assuming you don't want any "safe browsing" stuff enabled at all? If so, then adding "browser.safebrowsing.malware.enabled", and set false, will uncheck the "is a suspected attack site" option too.

user_pref("network.protocol-handler.external-default", false);
user_pref("network.protocol-handler.external.mailto", false);
user_pref("network.protocol-handler.external.news", false);
user_pref("network.protocol-handler.external.nntp", false);
user_pref("network.protocol-handler.external.snews", false); - Might be good to have these in addition to your existing "network.protocol-handler.warn-external.*" settings, as extra Firefox hardening. These (via "false") tell Firefox to handle those protocols exclusively internally (no external launching). And since Firefox can't handle these internally, these options effectively /dev/null these protocols (at least according to http://kb.mozillazine.org/Network.protocol-handler.external-default).

user_pref("privacy.sanitize.sanitizeOnShutdown", true); - Forces Ctrl+Shift+Del (Clear Private Data) to happen on FF shutdowns. If you decide to implement this, be sure to note the "privacy.item.*" prefs.js options explained at http://kb.mozillazine.org/About:config_entries (cache/cookies/downloads/formdata/history/offlineApps/passwords/sessions/siteprefs) ... because you'll want to add them (set true) so Firefox knows which ones to clear when the auto-sanitize happens.

user_pref("browser.history_expire_days", 0);
user_pref("browser.history_expire_days.mirror", 0); - These I think used to be in TBB but aren't now. Any reason why? (I see TBB still keeps no history info, but still, this is kind of concerning.)

Guess that's it. Pfew. :)


May 31, 2009

In reply to by Anonymous (not verified)


Wow, I wish all comments were as detailed and researched. I'm going to test out some of your suggested changes. Some of them are taken care of by torbutton already. In general, we're trying to balance a usable firefox when torbutton is disabled with a strongly anonymous firefox when torbutton is enabled. The anonymous vs. non-anonymous profiling could be a larger concern than we first expected.

i'm finding lots of people use TBB on a cd rom, , in Asia for instance, since usb ports are blocked in most internet cafes.

June 28, 2009


hi, I tried re-installing the most updated latest flash player, and made the modification with tor disabled, to uncheck in security --> contents tab, and enabled, javascript in the Firefox options.

However, I'm still having a large problem with flash player not being detected

August 31, 2009


I tried to restore them with the latest *.json, but apparently it is just a blank file created by TOR. My book marks are completely gone. Not the least bit happy about this.

September 01, 2009

In reply to phobos


wow, I just installed the tor browser package....and it destroyed my local install as well. like 4 years worth of bookmarks is gone. backup file and everything.
I did read through first before launching the portable app, was under impression it could be run as a stand alone. maybe needs to be more clear?
Any ideas on file recovery....I can't believe I just lost this.. heh

There is nothing to install, you extract the exe and run it. The 2 firefoxes never learn about each other and don't touch each other's information.


September 15, 2009

In reply to by mack (not verified)


Perhaps torproject.org is blocked from where you are. Here's the text:

I can't view videos on YouTube and other Flash-based sites. Why?

YouTube and similar sites require third party browser plugins such as Flash. Plugins operate independently from Firefox and can perform activity on your computer that ruins your anonymity. This includes but is not limited to: completely disregarding proxy settings, querying your local IP address, and storing their own cookies. It is possible to use a LiveCD or VMWare-based solution such as Tor VM or Incognito that creates a secure, transparent proxy to protect you from proxy bypass, however issues with local IP address discovery and Flash cookies still remain.

If you are not concerned about being tracked by these sites (and sites that try to unmask you by pretending to be them), and are unconcerned about your local censors potentially noticing you visit them, you can enable plugins by going into the Torbutton Preferences->Security Settings->Dynamic Content tab and unchecking "Disable plugins during Tor usage" box. If you do this without Tor VM, Incognito or appropriate firewall rules, we strongly suggest you at least use NoScript to block plugins. You do not need to use the NoScript per-domain permissions if you check the Apply these restrictions to trusted sites too option under the NoScript Plugins preference tab. In fact, with this setting you can even have NoScript allow Javascript globally, but still block all plugins until you click on their placeholders in a page. We also recommend Better Privacy in this case to help you clear your Flash cookies.

October 15, 2009


i looked at https://www.torproject.org/torbutton/faq.html.en#noflash

However, for some website like youtube, i dont care about anonymity. So i went going into the Torbutton Preferences->Security Settings->Dynamic Content tab and unchecking "Disable plugins during Tor usage" box. But i still cant watch my fav sites!!

What am i not doing?

November 15, 2009


I am doing the same for flash and all I want to do is view UK Tv from europe
I have unchecked options Security Settings->Dynamic Content tab and unchecking "Disable plugins during Tor usage" box

I do not have a preferences option when I look at add ons but I have an options tab where I have changed it version 1.2.2

November 30, 2009


I have unchecked the disable plugins buttun. Despite having flash loaded on ff, when using Tor i get message flash not installed.
if i toggle tor off, i have flash again.

I am trying to watch bbc iplayer from USA. once i initiate the connection, i woudl switch off tor so wouldnt overload circuit, but I cant get flash to work with tor enabled.
I am not the only one, this is a commonly posted problem on the net, but there are no answers anywhere, except "uncheck disable plugins" which doesnt help

December 08, 2009


Is there no solution? no replies on here since 15 september.
I really appreciate the hard work needed to get this going, and the idea behind it is top rate, but I'd love a little support and an idea of how to get flash working in tor, just long enough to log in to the BBC iplayer, then I;d be off of the circuit.
Anyone found a solution??

December 08, 2009

In reply to by Anonymous (not verified)


I can't view those flash in Firefox, so I use the IE to view it.

If your IE or chrome can browse flash pages. I suggest u to add a script to the IE / Chrome browser.

1. Use notepad to contain following script and save it as "ieproxy.pac” in anywhere you want.

function FindProxyForURL(url, host){
if (
return "PROXY";
return "DIRECT";


If you want to add more sites, you just duplicate "||dnsDomainIs(host,"fbcddn.net")", place it in next line and change the site name from "fbcddn.net" to the domain name you want.

2. Open the IE Internet option, click the "connection" tag and click LAN setting. Please check the "use the auto-configured script" (I don't have the exact wording in English, I am using a Chinese version IE) and add a ieproxy.pac file address (file:\\d:ieproxy.pac) where you saved to to the text box.

3. Save the setting and exit all the IE tag / window

4. Restart the IE again

Good Luck...

December 10, 2009


that looks good, I'd like to try that but can you clarify first-what does that do?
Is that a UK located server?
I'm a little new to this, but have managed to get Tor so close to working, the above solution is the first time i've seen that remarkably straightforward method mentioned, and I'd like to know what it does before I set it up on my pc
many thanks

December 18, 2009


Well I found a solution, very easy actually...

The fact that I didn't use Firefox before is a part of the problem.

Even though I followed the rules and unchecked the boxes in the Tor Add-on menu it still didn't work.
You'll have to start Firefox without Tor first, install the Flash player, restart Firefox and then only then, launch Tor with your Firefox session still open. Enable Tor, the flash player being installed and recognized before, it's all fine and it will work.

Of course for most of the code lovers that are behind Tor, this is ridiculously simple, at the point that they don't really care to inquire or even think we poor things only used IE or some other Microsoft interface to surf before to be saved (just kidding, nothing serious)

I must say that some answers that provoke your deep admiration with all the code implied (see this https://blog.torproject.org/blog/testing-tor-browser-bundle-120dev ), just make me laugh out loud (now that I can acess youtube and others)
But I do acknowledge your deep concern for our freedom. So big and warm thank you [dear nerds]

I'm still not getting it!
I launch FF via the vidalia control panel, so have the Torbutton appear immediately. I set it to "disabled", then i try installing Flash, and Shockwave, both of which say they are installed.
Then I enable Tor via the tor button.
But when i try to access BBC Iplayer, I get a notice saying I need Flash!
SO the Tor is doing its stuff and getting me access to the UK, but the browser bundled with Vidalia seems to prevent me from using flash!(I am deselectign the plugin box)

Is there a sepereate Tor exe file I can use somehow?
That is, can I open a FF browser, set up flash/shockwave there, then "start" Tor somehow WITHOUT going via Vidalia, which automatically opens a new browser?

The Tor Browser Bundle does not use plugins installed on the system. It lacks all plugins and disables them in the Firefox configuration. If you want to try using Flash, and other dynamic remote execution technologies, try Tor VM, https://torproject.org/torvm/.

TorVM is very much alpha code, but it we believe it works well enough for public testing.

And of course, you can reconfigure other applications to use the SOCKS 5 proxy part of Tor once it's running.

January 06, 2010

In reply to phobos


Many thanks for that-I'll have to try it in the next day or so.
Can I configure the tor network to exit in the UK?

That's what I'm aiming for, so i can use the bbc iplayer.
I'd disconnect from Tor once running so as not to lean heavily on other people's good nature.

After many unhappy hours trying many different permutations, I can confirm that TorVM does not let me watch BBC Iplayer in the USA
Thanks for the effort guys-I appreciate it-it just doesn't work.

February 11, 2010


I've got as far as setting up firefox with Uk dedicated exit nodes, and can get bbc iplayer on my pc here in the USA, but it says I must install flash. I do that and unclick disable plugins, I have torbutton 1.2.4, but still iplayer insists I install flash!
I just need to use the tor network long enough to start my iplayer stream, then toggle it off so i can watch a UK program-is that possible?
Why does the preferences button, to enable plug ins use, not work?!

I'm so close to getting it, there must be a solution-and i've already tried the torVM, I also get the promiscuous mode failure as above.

February 21, 2010


I have seen lot of people asking the question "Flash is not playing with TOR Browser", or that they are unable to install Flash Player etc..etc...It seems strange that nobody has provided a solution.

I am the CEO of http://www.learnerstv.com and we have thousands of Free streaming video lecture courses on our website. we do receive lot of queries from Chinese visitors unable to view the video lectures due to governmental restrictions in China. We offer TOR Browser as a solution to the issue.

Here is my solution to the issue. What I am talking about is the portable "Browser Bundle Pack" and Firefox included in it.

Remember that TOR Browser Bundle Pack, includes the portable version of Firefox. You need to enable Flash Plugin for Firefox. Here is how.

If you have the latest Adobe Flash Player installed in your system, search for 2 files:
1. flashplayer.xpt
2. NPSWF32

These will be in Windows ==>System 32 ==>Macromed==>Flash

Copy the above files to the following TOR folder:
Firefox Portable==>App==>Firefox==>plugins

1. Click the "Start Tor Browser". Once you start it a control panel opens
called "Vidalia Control panel". It will open a Firefox Browser too.

2. On the bottom right you will be able to view "Tor Enabled" in green

3. Right click and choose preferences on "Tor Enabled". It will open a
preferences window.

4. Choose "security settings" tab and uncheck "Disable plugins during Tor
Usage (crucial)". This step is to display the Flash Player window.

6. Click "OK" and close the Tor Browser. Closing the browser will close the
Vidalia control panel too.

7. Start the program again by clicking "Start Tor Browser".

8. Visit http://www.learnerstv.com using TOR Firefox browser for thousands of Free streaming video lecture courses.

Hope this helps everyone.