Tor Browser 3.5.2 is released

The 3.5.2 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

  • Rebase Tor Browser to Firefox 24.3.0ESR
  • Bug 10419: Block content window connections to localhost
  • Update Torbutton to 1.6.6.0
    • Bug 10800: Prevent findbox exception and popup in New Identity
    • Bug 10640: Fix about:tor's update pointer position for RTL languages.
    • Bug 10095: Fix some cases where resolution is not a multiple of 200x100
    • Bug 10374: Clear site permissions on New Identity
    • Bug 9738: Fix for auto-maximizing on browser start
    • Bug 10682: Workaround to really disable updates for Torbutton
    • Bug 10419: Don't allow connections to localhost if Torbutton is toggled
    • Bug 10140: Move Japanese to extra locales (not part of TBB dist)
    • Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
  • Update Tor Launcher to 0.2.4.4
    • Bug 10682: Workaround to really disable updates for Tor Launcher
  • Update NoScript to 2.6.8.13

Hi there,

I investigated a problem with the German (DE) Language Pack of 3.5.2:

Warning in the addon-manager: Language Pack is not compatible with 24.3.0esrpre

Workaround tested: Disable compatibility-checks.

Regards

Wolfgang (wolfgang@heukeroth.de)

k239

February 10, 2014

Hi,

thanks for TBB! Just please make sure next time the x86_64 builds for GNU/Linux are correctly "localised". I bet the previous "Anonymous" received his bundle poorly configured for his/her language, as I received mine.

Same here. Most of it English.

Please help me figure out which signature was used to sign this package.
I am having a little problem. I tried Erinn's and Mike Perry's but both failed. I checked to make sure that the info had not changed with the details at https://www.torproject.org/docs/signing-keys.html.en and
https://www.torproject.org/docs/verifying-signatures.html.en

I didn't face this conundrum in previous packages. By the way, Erinn has several sigs and I tried all 3 blocks - still no go.

TIA
If I goofed, forgive me but this has never happened before. I even downloaded the asc and archived package to be sure nothing flipped.

Please ignore my post about the signature problems. I also snagged Erinn's 2003 signature. I downloaded the package again but from another machine without using the Tor network. Sorry about the drama.

Glad you got it working.

Downloaded, installed, still saying outdated browser.

Same here, any solution/reason for this?
In my case I "installed" on top of 3.5.1

Thanks for the great project!

If it's complaining about being out of date, and you installed on top of 3.5.1, I suggest making a fresh 3.5.2 install. That's certainly the safer way to do it.

Isn't there too much trust in NoScript? Seeing how it's present in nearly every privacy configuration (TBB, Tails, etc.):

1. It became the primary, worthy target.

2. The integrity of the NoScript developer was ranked low after him reportedly giving a false statement regarding the embedded block-resistant advertisement code on his website. Who knows what else may be embedded? See the AdBlock developer blog for details.

Does anyone capable actually check the NoScript source each time?

Would Tor Project (with any allied sponsor groups) be interested in producing their own script-control mechanism? A part of TBB, and not hosted at Mozilla?

^
This.

That's a great point, and certainly the various third-party things we pull in provide both risks as well as benefits. (I think Firefox itself is the best example of this balance.)

In the case of HTTPS Everywhere, we've actually ended up co-maintaining that because it's so important.

But actually, the reason we're co-maintaining HTTPS Everywhere is because somebody on the Tor side stepped up and personally decided to do it. We're all overloaded with too many components to maintain and keep track of. So would we be interested in replacing NoScript with something else? Maybe in theory, but in practice that seems like a poor plan, since it will just leave us with yet another thing, and when something goes wrong with the thing and it needs fixing and nobody has time, then you all will quite reasonably be upset about that too.

I think we have to grow the community of people who can write good reliable security components. The solution can't be for Tor to make its own version of each thing. (And even if we did, that wouldn't accomplish what you want, because we'd have to grow the set of people that make up Tor, and just calling somebody a Tor person doesn't make them immune to, say, programming errors.)

"The integrity of the NoScript developer was ranked low after him reportedly giving a false statement regarding the embedded block-resistant advertisement code on his website."

Has this claim been addressed by anyone at Tor Project?

Same here, with Dutch (NL) language pack. It is incompatible because Mozilla's Firefox ESR language packs require a minimum install version 24.3.0 but TBB's Firefox version is 24.3.0esrpre, which is considered lower than 24.3.0.

Quick fix:

Unzip the languagepack-??@firefox.mozilla.org.xpi file
Edit the file "install.rdf". Replace the line

24.3.0

with

24.3.0esrpre

Re-zip the unpacked files and rename the zip to xpi.
Copy the new xpi over the old languagepack file.

Restart TBB - it should now speak your language!
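Why 24.3.0esrpre ranks below 24.3.0, as an added example that is not part of the comment above and is not Mozilla's or Tor's code: a simplified Python re-implementation of the Mozilla toolkit version-comparison rules, in which a part carrying a string suffix sorts below the same part without one. The function names are hypothetical.

```python
import re
from itertools import zip_longest

def parse_part(part):
    """Split one dot-separated part into (number-a, string-b, number-c, string-d)."""
    if part == "*":                      # wildcard part sorts above any number
        return (float("inf"), "", 0, None)
    head = re.match(r"(-?\d+)?(.*)$", part, re.S)
    num_a, rest = int(head.group(1) or 0), head.group(2)
    if not rest:                         # plain number: no string-b at all
        return (num_a, None, 0, None)
    if rest[0] == "+":                   # "1.0+" is read as "1.1pre"
        return (num_a + 1, "pre", 0, None)
    tail = re.match(r"([^\d+-]*)([+-]?\d+)?(.*)$", rest, re.S)
    return (num_a, tail.group(1), int(tail.group(2) or 0), tail.group(3) or None)

def _cmp(a, b):
    return (a > b) - (a < b)

def _cmp_str(a, b):
    """A missing string ranks ABOVE any present string, so '0' > '0esrpre'."""
    if a is None or b is None:
        return (a is None) - (b is None)
    return _cmp(a, b)

def compare_versions(v1, v2):
    """Return -1, 0 or 1; missing trailing parts count as '0'."""
    for p1, p2 in zip_longest(v1.split("."), v2.split("."), fillvalue="0"):
        a, b = parse_part(p1), parse_part(p2)
        result = (_cmp(a[0], b[0]) or _cmp_str(a[1], b[1])
                  or _cmp(a[2], b[2]) or _cmp_str(a[3], b[3]))
        if result:
            return result
    return 0

def meets_min_version(app_version, min_version):
    """True when the application version satisfies an add-on's minimum version."""
    return compare_versions(app_version, min_version) >= 0

if __name__ == "__main__":
    # Language pack as shipped, then after the install.rdf edit described above.
    print(meets_min_version("24.3.0esrpre", "24.3.0"))
    print(meets_min_version("24.3.0esrpre", "24.3.0esrpre"))
```
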

Yep! All non-English languages are broken in 3.5.2.

https://bugs.torproject.org/10895

Should be fixed in 3.5.2.1, coming out pretty soon I hope.

(The above workaround looks fine to me too.)

Already changed in the German version...

The date created shows Saturday Jan 1, 2000 12am. Is this correct?

Tails users: Caution

People should proceed with caution when using Tails 0.22.1 as it contains security holes that are only fixed in Tor Browser Bundle 3.5.2.

Yeah? Please be specific about which ones you're worried about?

I think Tails 0.22.1 has the same Firefox ESR that TBB 3.5.2 has.

But it looks like the various bugs fixed in Torbutton 1.6.6.0 (changelog above) aren't in Tails 0.22.1, since that version of Tails has an earlier Torbutton:
https://tails.boum.org/news/version_0.22.1/index.en.html#index1h1

Yeah? Please be specific about which ones you're worried about?

You only need to compare the changelogs of TBB 3.5.2 and Tails 0.22.1 to see that the latter has unpatched security holes.

Hi,
Any plan to release a new pluggable transport TBB? The latest 3.6-beta-1 pt bundle says: "HOWEVER, this browser is out of date". A bit confusing!

Thanks!

David, George, and others are still working on it, in (alas) their spare time.

See David's tor-qa mail recently for something he needs help with:
https://lists.torproject.org/pipermail/tor-qa/2014-February/000324.html

See also Kevin Dyer's release candidate of TBB + fteproxy:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006170.html

In theory, once TBB 3.6 comes out, it will have (some of) the PT stuff in (but disabled) by default. That way we won't need to have separate downloads.

I downloaded the new 3.5.2 version, extracted it and installed it.
And now I cannot open it, and I get the message 'could not load XPCOM'.
Is that a bug and what can I do about it? Thanks.

Please provide the following information:

1. What is your operating system? Microsoft Windows XP/Vista/7/8/8.1 or....? Mac OS? Linux?

2. Did you thoroughly delete the old TBB before extracting the contents of the latest version?

I'm having the same issue except my browser won't even open.

Yes, this is a bug: https://trac.torproject.org/projects/tor/ticket/10789. There are some things mentioned there, that might help.

I just updated, and yet I still have the flashing yellow "need to update" on the onion.

Same here, button still flashing update.
Also very hard to get the right download.
Downloading the Tor package and after untarring, it's the source code.
Not the package. So it compiles OK and Tor runs but that was not what I
was trying to get.
I don't feel safe with Tor. I used to but not so much now.
At least I don't use Micro$oft.

Yeah, if you downloaded the source tarball, you definitely didn't download the Tor Browser Bundle package.

Go to https://www.torproject.org/download/download-easy and look for the huge purple button(s).

Maybe I'm missing something, but is there a typo in the Torbutton version?

The last two TBB versions (3.5 and 3.5.1) on the changelog mention "update Torbutton to 1.6.5.2" and "update Torbutton to 1.6.5.5" respectively. This newer TBB says "update to Torbutton 1.6.0"... erm, huh?

I haven't downloaded anything yet, but is it supposed to be 1.6.6.0 ... ??

Yes, thanks. Fixed.

Please go back and look at ticket https://trac.torproject.org/projects/tor/ticket/7449 tbb-disk-leak , especially now that people are starting to watch videos using the internal browser video player.

"TorBrowser creates temp files in Linux /tmp & Windows %temp% during the file downloads dialog & when using internal browser video player"

Whenever a person downloads a file, there is a short period of time when it is stored in their %TEMP% directory for windows and /tmp for linux.

The same applies while a person watches a video such as mp4 with the native browser video player.

Yep, looks like it's still a bug. Please help!

Keeps saying couldn't load XPCOM when I installed the update. Worked perfectly before, now I can't use Tor at all.

Please report additional details about installed AV, Firewall, or something like that software.
https://trac.torproject.org/projects/tor/ticket/10789

I downloaded tor browser 3.5.2, extracted, installed and now nothing will start it and all I get is "couldn't load XPCOM" whatever that means.
Have no idea what to do next.

I have the same problem. Where can I find help?

If you have Webroot antivirus, go to application-protection and allow Tor Browser.

I have Webroot and cannot find application-protection listed anywhere in the menus, including advanced. Where is it? Thanks.

I found a temporary fix. Before I start TOR, I turn off Webroot. When TOR opens, I turn Webroot back on. It works so far, but I don't know if I am endangering my protection.

Thanks, but:

Deutsch (DE) Language Pack is incompatible with TorBrowser 24.3.0esrpre.

Deutsch (DE) Language Pack 24.3.0 (disabled)

Is it possible to fix it?