Tor Browser 3.5.1 is released

The 3.5.1 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

Please see the FAQ listing for any issues you may have before contacting support or filing tickets.

This release features an update to OpenSSL to fix a denial of service condition, and to fix the NoScript whitelist to remove addons.mozilla.org.

This release also features Tor 0.2.4.20, as well as a support for screen readers for the blind on Windows.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

  • All Platforms
    • Bug 10447: Remove SocksListenAddress to allow multiple socks ports.
    • Bug 10464: Remove addons.mozilla.org from NoScript whitelist
    • Bug 10537: Build an Arabic version of TBB 3.5
    • Update Torbutton to 1.6.5.5
      • Bug 9486: Clear NoScript Temporary Permissions on New Identity
      • Include Arabic translations
    • Update Tor Launcher to 0.2.4.3
      • Include Arabic translations
    • Update Tor to 0.2.4.20
    • Update OpenSSL to 1.0.1f
    • Update NoScript to 2.6.8.12
    • Update HTTPS-Everywhere to 3.4.5
  • Windows
    • Bug 9259: Enable Accessibility (screen reader) support
  • Mac
    • misc: Update bundle version field in Info.plist (for MacUpdates service)
Anonymous

January 28, 2014

Permalink

So, I want to use TOR to sign up to forums and webmail services - but I find so many of them want to use javascript. They use it for Captchas very often.

I've read bad things about javascript and TOR, that it leaks information or can be used for exploits.

Can I let NoScript allow javascript, or where can I find services that don't use it in the fist place ?

Anonymous

January 28, 2014

Permalink

When I give TOR the Use New Identity command, how long is it until it actually gives a new identity ? Is it immediate, or does it use the old one for a short period of time ?

As far as I know it immediately disconnects from the current exit node and builds up a new route to a new exit node.
You can check that by using https://check.torproject.org/ or different websites which show your IP. If your IP address changed you got have a new identity.

"If your IP address changed you got have a new identity."

I believe it is not quite that simple and that the only sure way to completely achieve a new identity is to close and restart TBB.

"new identity" for Tor means that new stream requests get assigned to fresh circuits.

So if for example your browser has an http 1.1 connection open to a website and it uses pipelining to keep the connection open and reuse it for future requests, then from Tor's perspective there won't be any new stream requests (it never sees any new connections), and your browser will end up continuing to use the old connection.

That's one of the huge reasons why you can't get what you (should) want out of Vidalia's "new identity" button -- it simply does not consider any of the application-level privacy issues that TorBrowserButton does.

" ...then from Tor's perspective there won't be any new stream requests..."
"...That's one of the huge reasons why you can't get what you (should) want..."

I am not the OP but a short example:
Surfing convenient with TBB&Vidalia-Tails actually not so convenient)-:.
You have a list with links you are interested and you need no
further anonymity.Only the exit shouldn't see all URLs together.
Click New Identity in Vidalia you get a new exit-more or less enough anonymity.Right?

I refer to TBB)

See, using the same exit node doesn't seem like a new identity to me, even if the info is routed through a new circuit.
With the old one I would just keep clicking new identity until I could see I had a new exit node.
Does it help protect from analysis if you keep changing exit node ?

Well, using the old version I would hit 'new identity' and often it would keep me on the same exit node but with a different route. sometimes it would seem to take a lot of attempts to get a new exit node.
I don't think there is an easy way to watch the node path on the new version ?

Anonymous

January 28, 2014

Permalink

I can't see cookies.
How do I work add-ons?
Cookies Manager+
Cookie Manager Button
Remove Cookies for Site
Thx.

Anonymous

January 28, 2014

Permalink

McAfee is currently reporting the TROJAN that is included with Tor Browser Bundle v3.5.1, so I am unable to run it. This is the version downloaded from torproject for users in the UK.
The trojan included is a "profiler", it steals information and tracks people after giving their details to a site! Thanks for not checking before you uploaded this to the site for Windows users.
AVG and AVAST also report it and MSE stops the installation too.

Please STOP distributing this Trojan - or find out WHO has added it to your download files. The download needs to be removed until examined. Not all antivirus can be wrong and people should NOT allow the Trojan to run. NEVER EVER do that.

As I understand it, Erinn et al are looking into this currently.

But it's very likely a false positive -- there's a recurring theme with antivirus vendors where any new binary we put out is suspicious simply because not enough other users have tried running it yet.

Please let us know if you discover more concrete information than "I ran a program and it told me to be scared." :/

Here is the virustotal analysis, which says it's clean:
https://www.virustotal.com/en/file/68d00d64b8919db0d18593fee0dbcc9ff80d…

We looked into it (including a malware analyst) and found it to be clean. A list of AV vendors was also contacted about it and the responsive ones also found it clean. Can you update your anti-virus software and let me know if you are still encountering problems?

Anonymous

January 28, 2014

Permalink

Tor Browser Bundle for Windows 8.1

The latest version for Windows is v_3.5.1 and is stopped half way through installation with the following error message -

"Profiler.gen.b"(Trojan) C:\Tor v_3.5.1\Tor Browser\Browser\Firefox.exe

I have sent the file off to be examined, so it should be stopped from installing on people's systems. Any explanation for this?
Please don't say it's a false positive because it is not. It is a virus.

Please let us know what your experts-in-the-cloud have to say.

(Your last line doesn't make any sense to me. The antivirus industry is a guessing game, and they're in a tough position because they have to detect every single scary thing without ever flagging normal things. Are you saying that you're certain that it's not a false positive, because the message from your antivirus thing sounds confident?)

3.5.1 doe NOT work on Windows 8.1 x64 Enterprise edition.

It just hangs after the connect screen.

I use it no problems on Win7

Anonymous

January 28, 2014

Permalink

I Had this whole bundle already pretty much from debian. I build it myself

Anonymous

January 28, 2014

Permalink

you are being attacked in the press again today. It would seem some people need to be reminded this project had nothing todo with TOR mail. One article tried to make it seem as though this project hosted it and gave up info on people it was at motherboarda. I was going to post a reply but needed an NSAbook account and I dont have one, oops I mean facebook

Anonymous

January 28, 2014

Permalink

PLEASE
rebuild the vidalia method to switch a NEW IDENTITY, it doesn't have to close the browser and reopen with all pages lost....

To use the method you're looking for, you need to install the Vidalia standalone compiled by erinn available from:

https://people.torproject.org/~erinn/vidalia-standalone-bundles/

But remember that "switching identities" this way only changes your exit point. If other tracking methods have been applied to your session, such as cookies, browser fingerprinting, or logins, switching "identities" won't help secure you that much. Restarting and clearing all session data is the closest way to actually get a "new identity" (which is why that is the new default).

Anonymous

January 29, 2014

Permalink

The worst thing for TBB 3.5 is Tor panel and many other functions from Tor panel!!!

Anonymous

January 29, 2014

Permalink

What is "this website attempted to access information on an image canvs" warning? what does it mean?
And since it's already established the NSA uses ad networks and cookies to track and identify Tor users, why don't you add an Adblock addon to TorBrowserBundle? AdBlock Plus is open source.

Right you are! I just noticed
https://gitweb.torproject.org/torbrowser.git/blob/master:/src/current-p…
and came back here to correct myself, and here you are already pointing it out. Great.

We should really try to get the TBB people to improve the phrasing on this warning -- I have no idea what it implies, or what it means I should do to correct it, or what I'm giving up or risking by not doing anything.

Anonymous

January 29, 2014

Permalink

Why so few Obfsproxy bridges? Do the operators know how to run Obfs3 on their relays? Can you help them?

Maybe because obsproxy won't run on RHEL/CentOS v5.x or v6.x systems?

I'd be happy to run obsproxy bridges if the developers went back to code that can be built by any C compiler.

Anonymous

January 29, 2014

Permalink

I have cookie problems with 3.5.1:

Tor Button 〉Cookie Protections
- does not list any cookies
- can not delete cookies
- cookies can not be deleted in Firefox menus either

Worked in 2.3.25 Linux x64

Anonymous

January 30, 2014

Permalink

I have just installed 3.5.1 and am also running McAfee. No trojan/profiler has been reported.

However I am going to uninstall it and put back 3.5 until this situation is clarified.

As a matter of urgency, could you pls investigate the above poster’s allegations so that I and all other users can be informed?

Apart from that, thanks for all your work in protecting us from spying eyes.

Anonymous

January 30, 2014

Permalink

Great job as usual.

Can we untar this release over 3.5.0 to upgrade or does it need to a fresh one ?

arma

January 30, 2014

In reply to by Anonymous (not verified)

Permalink

It's a hack that David (dcf) made, using TBB 3.5.

In the not-too-distant future, TBB 3.6 will have the pluggable transports stuff built-in. That's why people haven't been scrambling to make David's temporary hack more tolerable.

I downloaded and installed the ( dcf ) hack, put the hard-coded obfsproxy bridges that came with PT-TBB 2.4.18-rc-1-pt1_en-US and the hack runs fine. If PT is included in TBB 3.6 and millions ( if not all ) of Tor clients use the PT feature, how will 15 ( maybe more by now ) hard-coded obfsproxy bridges handle all the Tor traffic? Not everyone is going to request additional obfsproxy bridges not already hard-coded in TBB 3.6.

To clarify, the pluggable transport stuff will be there if you turn it on (unlike now, where you have to go find a totally different bundle if you want it).

https://trac.torproject.org/projects/tor/ticket/9444
https://trac.torproject.org/projects/tor/ticket/10418
https://lists.torproject.org/pipermail/tor-reports/2014-February/000438…

We're not going to make everybody use pluggable transports by default. (At least not yet -- and one of the reasons against is the one you describe.)

Anonymous

January 31, 2014

Permalink

Tor Browser Bundle for Windows (Version 3.5.1):

Extracting 'torbrowser-install-3.5.1_en-US.exe' with 7zip (http://www.7-zip.org) on Windows OS creates the following directories: (same as TBB 3.5 = same bug = does not work)

torbrowser-install-3.5.1_en-US
|- $_OUTDIR
|- $PLUGINSDIR

In the root directory is 'Start Tor Browser.exe'. Clicking it shows the error message 'Unable to start Tor Browser'.

What to do? Thanks.

It turns out that if you unzip the exe using 7zip, it won't put the files in the right locations for TBB to work. So you do in fact have to run the auto-extractor in order to get things set up right.

If somebody wanted to write a patch to make the self-extractor do the right thing when you use 7zip to unzip it, that would be neat. I'm not sure how complex that would turn out to be.

Anonymous

February 01, 2014

Permalink

Why are all of these non-Tor friendly search bars included in TBB 3.5.1?

Google
Amazon
Bing
Ebay
Twitter
Wikipedia
Yahoo