Tor Browser 3.5.2 is released

The 3.5.2 release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series.

Here is the list of changes since 3.5.1. The 3.x ChangeLog is also available.

  • Rebase Tor Browser to Firefox 24.3.0ESR
  • Bug 10419: Block content window connections to localhost
  • Update Torbutton to 1.6.6.0
    • Bug 10800: Prevent findbox exception and popup in New Identity
    • Bug 10640: Fix about:tor's update pointer position for RTL languages.
    • Bug 10095: Fix some cases where resolution is not a multiple of 200x100
    • Bug 10374: Clear site permissions on New Identity
    • Bug 9738: Fix for auto-maximizing on browser start
    • Bug 10682: Workaround to really disable updates for Torbutton
    • Bug 10419: Don't allow connections to localhost if Torbutton is toggled
    • Bug 10140: Move Japanese to extra locales (not part of TBB dist)
    • Bug 10687: Add Basque (eu) to extra locales (not part of TBB dist)
  • Update Tor Launcher to 0.2.4.4
    • Bug 10682: Workaround to really disable updates for Tor Launcher
  • Update NoScript to 2.6.8.13

not op: I meant to ask a few updates ago, roughly speaking, about how long does it take to rotate through a different exit relay? Is it a certain amount of time or amount of data in/out?

also, this isn't restricted to TBB, but I can't find an answer anywhere on the web. I used to be able to highlight text from somewhere on a page, then drag it to the address/url bar in FF. This text would be inserted among what was already present. Now, whatever I drag just replaces the existing text.

before: [www.abcdefg.com] could be [www.abcdefg.com/123]

now it would just be [123], replacing everything.

I thought maybe it was a setting I accidentally changed in FF a number of releases ago, but I noticed it's happening in TBB too. Sorry if it's not clear, but thanks for any help.

Tor's circuit rotation has nothing to do with amount of data in/out. It has to do with how much time has passed, and also whether any stream attempts have failed from that circuit.

You might like Damian's explanation of circuit rotation at
https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-fr…

As for pasting into Firefox's address bar, that sounds to me as much like a window manager question as it does a Firefox question.

Hi,
Sorry to barge in ('Not OP' #2 here) but I must ask: I thought the most known method of TOR breaching is flooding the system with controlled nodes, which over time will have interactions with the end user; combining that with the "fingertips" many/most/all users leave on the net, anonymity is shattered.

So doesn't frequent changing of nodes in the same browsing session increase this risk even more?

I don't think the most known system of Tor breaching is running a bunch of attacking relays. If I had to pick the most known system, it would be "give the user a webpage that exploits their browser and thus bypasses Tor". Or if you were thinking about attacking Tor directly, I would worry more about network-level attackers that observe large parts of the Internet and thus get to see traffic to/from many Tor relays.

In any case, against the attack you describe, we try to get the right balance in both ways: change your exit relay often to prevent the exit relay from building a profile of your activities, but keep the entry relay the same over time.

https://www.torproject.org/docs/faq#EntryGuards
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…

Anonymous

February 12, 2014

I use the new version of TBB on an iMac (OS X 10.9.1) and it works. I can browse the net. I click on the Torbutton "Test Settings". It reports no problem.

I use the same TBB on a MacBook Air. It installs all right but cannot reach the internet. I checked all the settings of the laptop (firewall, Network, WiFi etc.). I cannot detect any problem. When I click on Torbutton "Test Settings" it reports "Internal Error".

Would be grateful if anyone could assist. Thank you.

Anonymous

February 12, 2014

Re safe-browsing and Google. Could the contributors who have pointed this out please advise if any of the settings in about:config need to be changed and if so, which ones, how and to what?

Thanks

Anonymous

February 12, 2014

When I first downloaded the update, there were no issues. But now every time I open Tor, it keeps saying it needs to be updated. So of course, I reinstalled, and it's still saying the same thing. Is this an issue or can I ignore it? Even though that blinking onion is irritating lol

Anonymous

February 12, 2014

Vidalia isn't corresponding with Tor. It keeps saying that Tor isn't connected. Help is greatly appreciated.

Copied from link below

"When Vidalia doesn't connect automatically to a running Tor instance, you'll have to configure it. Click on Settings and find a line with the word tor. On the right side is a button Browse. Click on it and enter the correct path to your Tor executable. This is usually the subdirectory Tor of your TBB installation. Now save your settings."

From https://tor.stackexchange.com/questions/1499/arm-may-not-be-usable-for-…

Anonymous

February 12, 2014

========================
TOR & GOOGLE ID in FIREFOX.
========================
Notification to the development team!!!

In the previous release of the packages, Google safebrowsing and everything from Google was fully deleted!

browser.safebrowsing is in the new 3.5.2 version enabled!!!

Remember that any Firefox version installed has a unique ID which is sent to Google as soon as you start Firefox, which may identify the user at any time; therefore browser.safebrowsing from Google and all other Google-related points in "about:config" must be deleted to protect TOR users.

Anonymous

February 13, 2014

In view of concerns about Google, despite the fact that safebrowsing seems to be disabled in about:config, would it be possible to re-release the TOR browser with all links to Google disabled?

Anonymous

February 13, 2014

All NoScript and other plugins seem to have stopped working in the new version (en). The Tor icon that lets you use New Identity has disappeared.

Anonymous

February 13, 2014

Hello there

I don't know if this is the right place to ask for help, move this post if necessary.

I've just downloaded and installed TBB 3.5.2 and was unable to make a connection.
Previous version TBB 3.5.0 works fine.

I just copied and pasted TBB 3.5.0's bridge setting into the new TBB's torrc file; when executing the program, the status bar just freezes at 0%...

I tried to add a log option into torrc, and by checking the log files, I found the following lines:

Feb 14 00:42:44.000 [warn] We were supposed to connect to bridge '173.246.104.81:45698' using pluggable transport 'obfs3', but we can't find a pluggable transport proxy supporting 'obfs3'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.

also the following lines are observed:

Feb 14 00:42:44.000 [debug] channel_change_state(): Changing state of channel 00EA2860 (global ID 0) from "opening" to "channel error"
Feb 14 00:42:44.000 [info] circuit_handle_first_hop(): connect to firsthop failed. Closing.
Feb 14 00:42:44.000 [info] circuit_build_failed(): Our circuit died before the first hop with no connection

Feb 14 00:42:49.000 [debug] onion_extend_cpath(): Path is complete: 1 steps long
Feb 14 00:42:49.000 [debug] circuit_handle_first_hop(): Looking for firsthop '173.246.104.81:45698'
Feb 14 00:42:49.000 [info] circuit_handle_first_hop(): Next router is [scrubbed]: Not connected. Connecting.
Feb 14 00:42:49.000 [debug] channel_tls_connect(): In channel_tls_connect() for channel 00EA2860 (global id 33)
Feb 14 00:42:49.000 [warn] We were supposed to connect to bridge '173.246.104.81:45698' using pluggable transport 'obfs3', but we can't find a pluggable transport proxy supporting 'obfs3'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
Feb 14 00:42:49.000 [debug] channel_change_state(): Changing state of channel 00EA2860 (global ID 33) from "opening" to "channel error"
Feb 14 00:42:49.000 [info] circuit_handle_first_hop(): connect to firsthop failed. Closing.
Feb 14 00:42:49.000 [info] circuit_build_failed(): Our circuit died before the first hop with no connection
Feb 14 00:42:49.000 [info] connection_ap_fail_onehop(): Closing one-hop stream to '$0000000000000000000000000000000000000000/173.246.104.81' because the OR conn just failed.
Feb 14 00:42:49.000 [debug] circuit_increment_failure_count(): n_circuit_failures now 34.

Sorry to bother you guys with exceptionally long log lines, but the log file just grows to a good size of >300KB!

I use WinXP SP3 with all necessary patches, and Kaspersky AV software. TBB 3.5.0 was still working fine while I was writing this post.

Could somebody please point out what I did wrong?
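
The [warn] line in the log above names its own cause: a bridge that uses a pluggable transport with no matching ClientTransportPlugin line. The following check is an added example, not part of the comment or of Tor's own code; the sample torrc is constructed, its proxy path is a placeholder, and the function names are hypothetical.

```python
import re

# Bridge address token: IPv4:port or [IPv6]:port.
ADDR_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9A-Fa-f:]+\]):\d+$")
# The [warn] message quoted in the comment above.
WARN_RE = re.compile(
    r"connect to bridge '([^']+)' using pluggable transport '([^']+)', "
    r"but we can't find a pluggable transport proxy"
)

# Constructed torrc: the bridge address and transport come from the log above,
# the proxy path is a placeholder. Only obfs2 is registered, so obfs3 has no proxy.
SAMPLE_TORRC = """\
UseBridges 1
Bridge obfs3 173.246.104.81:45698
ClientTransportPlugin obfs2 exec /path/to/transport-proxy
"""

# One warning line copied from the log above.
SAMPLE_LOG = (
    "Feb 14 00:42:44.000 [warn] We were supposed to connect to bridge "
    "'173.246.104.81:45698' using pluggable transport 'obfs3', but we can't "
    "find a pluggable transport proxy supporting 'obfs3'."
)


def parse_torrc(text):
    """Return (bridges, registered): bridges is a list of (transport, address)
    with transport None for a plain bridge; registered is the set of transport
    names that have a ClientTransportPlugin line."""
    bridges, registered = [], set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 2:
            continue
        key = parts[0].lower()                 # option names are case-insensitive
        if key == "bridge":
            if ADDR_RE.match(parts[1]):        # "Bridge IP:ORPort [fingerprint]"
                bridges.append((None, parts[1]))
            elif len(parts) >= 3:              # "Bridge transport IP:ORPort ..."
                bridges.append((parts[1], parts[2]))
        elif key == "clienttransportplugin":
            registered.update(parts[1].split(","))  # "obfs2,obfs3 exec ..."
    return bridges, registered


def unregistered_bridges(torrc_text):
    """Bridges whose transport has no matching ClientTransportPlugin line."""
    bridges, registered = parse_torrc(torrc_text)
    return [(t, addr) for t, addr in bridges if t and t not in registered]


def transports_in_warnings(log_text):
    """(transport, bridge) pairs tor reported as having no proxy."""
    return sorted({(m.group(2), m.group(1)) for m in WARN_RE.finditer(log_text)})


if __name__ == "__main__":
    print("torrc:", unregistered_bridges(SAMPLE_TORRC))
    print("log:  ", transports_in_warnings(SAMPLE_LOG))
```

A non-empty result from the torrc check explains the warning without needing debug-level logs; the line can also be present while the proxy binary it points to is missing or has exited, which this check does not cover.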

Anonymous

February 13, 2014

I can't manage cookies in cookie protections and cookie management. Is it normal? TBB 3.5.2 on Windows

I don't see any cookies, not only in Cookie Protections, but even in the default Firefox cookie management dialog. There are no cookies even when I stay logged in (so there must be cookies). The only way to erase cookies is to use New Identity. I have had this problem since TBB 3.5.1. Do all Tor users have the same problem?

Anonymous

February 13, 2014

===========================
How to eradicate Google from Firefox
===========================

This tutorial will help you eradicate Google from Firefox, so that your browser does not send information about you to the Monster of Mountain View.

Step 1. Remove Google from the list of search engines.
Click the dropdown icon next to the search box in the upper right hand corner of Firefox.
Click “Manage Search Engines” (at the bottom of the list).
A dialogue box will appear. Select Google and click Remove. Then click OK.

Step 2. Turn off “safe browsing”.
Firefox has a feature called “safe browsing” which reports information about your browsing to Google. This “feature” can be turned off by going to Tools > Options, clicking the Security tab, and unchecking “Block reported attack sites” and “Block reported web forgeries.” (You can take charge of your own browsing security by installing these essential privacy add-ons for Firefox, outlined in this separate tutorial).

Step 3. Disable location-aware browsing. Another Firefox “feature” that works in conjunction with Google, this useless piece of functionality allows websites to collect detailed information about where you’re browsing from.
In the URL bar, type about:config
Click “I’ll be careful, I promise” when you get the “This might void your warranty” warning
In the Filter box, type geo.enabled
Double click on the geo.enabled preference
Location-Aware Browsing is now disabled.
Leave the about:config tab open for next steps.

Step 4. Adjust and/or disable location bar search
When you type an invalid URL into Firefox’s address bar and hit enter (or mistakenly use the location bar in place of the search box), Firefox’s default behavior is to send this information to Google as a search query, whereupon Google shows you results for the invalid URL. We can modify and also disable this behavior.
Clear the Filter Box by clicking the little X just inside the right edge of the box.

Type keyword

You’ll see two listings. The first will show a Google URL. Double click this listing.
A box will appear allowing you to edit the URL. You can paste in substitutes like:
http://bing.com/results.aspx?q= (for Bing)

Click OK to save changes.
Optionally, you can double click the second listing (keyword.enabled) to completely turn off location bar search in Firefox. Replacing the Google URL first is still a good idea!

Step 5. Change your home page.
The default homepage for Mozilla Firefox has a Google search bar in it. You can change this by dragging the icon next to any URL onto your Home button. If you don’t have a favorite website to change to, consider making Bing your homepage. It features a gorgeous picture every day.

Additional Note: In about:config you should delete anything with the name Google on it!!

From:
http://www.leavegooglebehind.com/how-tos/how-to-eradicate-google-from-f…

(No copyright, You may copy and distribute this text anywhere!)

Anonymous

February 13, 2014

===========================
How to eradicate Google from Firefox
===========================

browser.safebrowsing.enabled (search in about:config)

Firefox ships with the Google Safe Browsing extension built-in and enabled by default. Designed to prevent phishing, it compares the websites you visit to a Google-run blacklist. This means that Google is constantly able to track you. If you have installed our recommended Firefox extensions then you will gain no additional protection from Google Safe Browsing, while telling Google a great deal about your browsing history. We therefore strongly recommend that you turn it off by setting the value to false.

browser.safebrowsing.malware.enabled (search in about:config)

Safe Browsing (now renamed Phishing Protection) is basically a version of Google Safe Browsing licenced to Mozilla (but which still reports to Google). We therefore recommend that you set it to false, for the same reasons as above.

Stop disinformation !
"browser.safebrowsing.enabled" is "false"! Safebrowsing disabled for TBB by default.

And report your OS, and hash for installer file.
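
The comments above disagree about what these preferences are set to. A way to read the values out of a profile's preference file rather than argue about them, as an added example that is not part of any comment or of Tor Browser; the sample file content is constructed, the function names are hypothetical, and the input is assumed to be the text of a file made of pref(...)/user_pref(...) lines such as a profile's prefs.js.

```python
import re

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

# Preferences named in the comments above and the value those comments ask for.
WANTED = {
    "browser.safebrowsing.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
    "geo.enabled": False,
}

# Constructed sample, not taken from a real Tor Browser profile.
SAMPLE_PREFS = """\
// constructed sample
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.search.defaultenginename", "Google");
"""


def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(text, wanted=WANTED):
    """Compare the file against the wanted values, one verdict per preference."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in wanted.items():
        if name not in prefs:
            report[name] = "not set (default applies)"
        elif prefs[name] == want:
            report[name] = "ok"
        else:
            report[name] = "differs: %r" % (prefs[name],)
    return report


def google_refs(text):
    """Names of preferences whose name or string value mentions Google."""
    return sorted(
        name for name, value in parse_prefs(text).items()
        if "google" in name.lower()
        or (isinstance(value, str) and "google" in value.lower())
    )


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PREFS).items():
        print(name, "->", verdict)
    print("mentions Google:", google_refs(SAMPLE_PREFS))
```

A "not set" verdict means the file does not override the browser's built-in default, so the effective value still has to be read in about:config.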

Anonymous

February 13, 2014

Anybody ever tested if this browser ID changes with updates or is it related to system specification (partly or 100%)?
We don't need a browser ID at all!
Is it not time that the TOR users form a group to get all of this shit out of the browser that is used for TOR? (100 see more than 1 ....) If I Wireshark a standard Firefox, just starting it generates tons of traffic.

Anonymous

February 13, 2014

From the website https://www.torproject.org

"Tor prevents people from learning your location or browsing habits."

How can Tor protect people if it still has Google inside?

Anonymous

February 13, 2014

************************************************************************

GOOGLE is Anywhere and Everywhere!

Google's dominance in all areas hurts many of us, Anywhere and Everywhere!

Google has a real dangerous monopoly and Google is much more dangerous than Microsoft ever was.

Google has grown dramatically and the monopoly over all the internet searches and advertising is a problem now for all.

************************************************************************

Anonymous

February 13, 2014

The Update Add-ons Automatically option is checked so NoScript updated.

I agree that it's important -- alas, many things are important.

See https://trac.torproject.org/projects/tor/ticket/10902 for part of your bug. Patches happily accepted.

As for a Windows zip that has everything you need... I think the TBB people would be happy to receive a patch for the gitian build system that makes one of those also. Or heck, maybe even just a script you can run afterwards to convert the installer version to a zip version. The ideal case would be to fix the installer so when you unzip the exe, you get a functional thing. This is the sort of thing that is perfect for a volunteer to help with. Otherwise the TBB will (as they should) keep putting out things that are more on fire. Please help!

As for "what are you hiding"... First, you can check for yourself that we're not hiding anything. And second, that sort of statement makes reasonable developers prioritize other issues than yours.

Anonymous

February 14, 2014

Yes folks, how true the statement is: Google is anywhere and everywhere and Google has owned the Internet. And as long as people will not switch from the search engine Google to Yahoo, Bing or any other, Google will be anywhere and everywhere. Google has grown too big! Absolute power corrupts absolutely.

Anonymous

February 14, 2014

I love the Vidalia viewing of the Tor network rate, traffic, deleting the circuit etc. If I were in Windows there is Toranger instead; what is the tool in Linux?

Anonymous

February 14, 2014

Am I a victim of a man-in-the-middle attack?

Why is NoScript in TBB 3.5.1 and TBB 3.5.2 configured in the manner of enabling all JavaScript? Crazy! All granularity options to administer JavaScript on a site have disappeared. Strange! What about NoScript ABE (Application Boundaries Enforcer)? NoScript ABE is like a firewall inside the browser. It's disabled. Rational?

Some onion sites sporadically show advertising compromising content, e.g. kid porn. No JavaScript, (perhaps) no advertising content. In Germany a user who merely has or had a file with compromising content, even in the form of deleted TEMPORARY files from the past, may be imprisoned. The scenario is very simple: A uses TOR. Sometimes he encounters advertising compromising content. B denounces A for whatever reason. A house search includes the confiscation of the IT hardware. Computer forensic specialists do the rest. After a trial A will be imprisoned. In Germany, this is the main road to criminalizing the use of TOR.

OK, a user should know what he does. But how does he do what he knows? He administers the access to a site using NoScript to enable scripting slightly, if he wants this. Using the browser in a well-configured sandbox protects the system as well as possible. Therefore the main problem is not malicious code. It's compromising content. For that reason, NoScript has to be configured to disable all scripting by default. Enabling all scripting by default subtly but heavily compromises a user! NoScript in TBB 3.5.1 and in TBB 3.5.2 has to be reconfigured completely and in depth to prevent compromising the system's user more than the system itself. That's why TBB 3.5.1 and TBB 3.5.2 are highly unrecommended for a normal user.

The signatures are useless because they are not certified. A simple MD5 checksum would rather do the same job.

Anonymous

February 14, 2014

Suggestion: Add the open source ad blocker AdBlock Plus (https://adblockplus.org) to TBB.
Main reasons and benefits:
1-It is already added to TAILS' IceWeasel
2-Saves TONS of bandwidth for the Tor network
3-Removes a vulnerable platform, which is the ad networks, cookies, scripts, objects, etc... which the NSA is using to track Tor users, therefore increasing Tor users' privacy and security.

These would appear to be valid, if not strong arguments for the inclusion of an Ad blocker in TBB. At the same time, there are also valid, if not strong arguments against such inclusion, which have been stated by the Tor Project.

But one thing seems certain to me: Tails and TBB should do the same thing, whatever that will be. Having Tails ship w/ AdBlock Plus, while TBB ships w/out any Ad blocker, can only harm the Tor user base by further splitting it into such easily identifiable sub-categories. The fact that this discrepancy between TBB and Tails has existed for as long as it has (since I can remember) should be disturbing to anyone concerned about Tor and the issues it addresses.

BTW, are you sure you would choose AdBlock Plus over the fork AdBlock Edge?

+1. Good points, I agree.
I would prefer AdBlock Edge to be included in TBB.
Also, it would be better if all ties to Google would be severed and all URLs in TBB code referencing Google-related sites would be removed.

Google does not like anonymity because it generates less profits.
Google is not my friend. Google Is EVIL...

But doesn't each new version of NoScript, like that of any add-on, first need to be examined and tested to ensure no conflicts w/ Tor or other potential anonymity leaks?

Anonymous

February 15, 2014

Been trying to get TBB 3.5.2 to work in the past few days without luck...TBB 3.5.0 works fine though.

Every time the program starts up, it gets stuck at 'connecting to directory server' forever. What should I do to locate the problem?

I say again, TBB 3.5.0 works fine on this computer, which rules out any misconfiguration in hardware or network connection.

Any input will be greatly appreciated.

Tor was updated since 3.5.0, to 0.2.4.20
Maybe try to replace Tor for TBB 3.5.2 with Tor from TBB 3.5.0?
What OS? Maybe some smart AV/firewall decided you don't need internet with the changed Tor?

Anonymous

February 15, 2014

I extract the file through Tor, and then install; Tor works and says it is up to date until I close it, then it reverts to its previous version (3.5.1). Anyone else having this issue?

Anonymous

February 15, 2014

After this update, when I try to launch the program nothing happens! I have Xubuntu 13.10 on my machine! Does anyone have a solution?
Thanks!