Tor Browser 3.5.4 is Released

The 3.5.4-stable release of the Tor Browser is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release updates only OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

Here is the changelog:

  • All Platforms
    • Update OpenSSL to 1.0.1g
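
The version check behind this update, as an added example (not code from the Tor Project): it classifies an OpenSSL version banner against the upstream releases affected by CVE-2014-0160. The function names and the sample banners are constructed for illustration.

```python
import re

# Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f,
# and the 1.0.2 betas up to 1.0.2-beta1. 1.0.1g (shipped in this release)
# carries the fix; the 0.9.8 and 1.0.0 branches have no heartbeat code.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")

def parse_openssl_version(banner):
    """Return (branch_tuple, patch_letters, beta_tag) from a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % banner)
    major, minor, fix, letters, beta = m.groups()
    return (int(major), int(minor), int(fix)), letters, beta or ""

def heartbleed_status(banner):
    """Classify an upstream version banner: affected / fixed / not affected."""
    branch, letters, beta = parse_openssl_version(banner)
    if branch < (1, 0, 1):
        return "not affected"  # branch predates the heartbeat extension
    if branch == (1, 0, 1):
        # plain "1.0.1" has letters == "", which sorts before "g"
        return "affected" if letters < "g" else "fixed"
    if branch == (1, 0, 2) and beta in ("beta", "beta1"):
        return "affected"
    return "fixed"

def audit(banners):
    """Map each banner to its status; unparseable input is reported as unknown."""
    report = {}
    for banner in banners:
        try:
            report[banner] = heartbleed_status(banner)
        except ValueError:
            report[banner] = "unknown"
    return report

# Constructed sample banners in the format printed by `openssl version`.
SAMPLES = ["OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014",
           "OpenSSL 0.9.8o 01 Jun 2010", "not a version banner"]

if __name__ == "__main__":
    for banner, status in audit(SAMPLES).items():
        print("%-30s %s" % (banner, status))
```

The check reads only the upstream version string, so a distribution package that backports the fix without changing that string will still show as affected; confirm against the vendor's advisory in that case.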

Anonymous

April 08, 2014

"Snowden also urged members of the Council of Europe to encrypt their personal communications. He said that encryption, used properly, could still withstand "brute force attacks" from powerful spy agencies and others. "Properly implemented algorithms backed up by truly random keys of significant length … all require more energy to decrypt than exists in the universe," he said." Source: http://www.theguardian.com/world/2014/apr/08/edwards-snowden-us-governm…

Anonymous

April 08, 2014

Does this mean that we are safe to download things anonymously/without getting caught?

This means that the tor browser bundle is no longer vulnerable to the Heartbleed openssl vuln.

If you are downloading something online with tor that you are worried about being caught for, maybe you should not do it. It gives the rest of the users a bad rep.

If you are downloading something online with tor that you are worried about being caught for, maybe you should not do it.

That highly depends on what your local / national lawmakers deem illegal. Saying that you do not fully agree with your country's president may be just that.

I totally agree. The entire purpose of tor is to access things online that you are worried about being caught for. If you aren't worried, why use tor? Just access it directly.

Tor is designed for online civil disobedience, which in some cases is vitally important to pursuing freedom.

No, you're not thinking big enough.

Consider how to answer the ordinary people who ask you "what do I have to hide?" and why they will wish they'd be using Tor.

In many cases people are bad at judging what they should be worried about. Being safe on the Internet isn't just about breaking (bad) laws and hiding (ethical) unpopular activities.

Does this mean that we are safe to download things anonymously/without getting caught?

Safe from whom? from what? from where?

There is no such thing as 100% safe-to-use product, especially for one that is built for use on the internet.

Having said that, please refrain from using Tor to download stuff of massive sizes as doing so will slow down the whole Tor network considerably. Be considerate.

"please refrain from using Tor to download stuff of massive sizes"

So downloading pr0n is okay as long as the calks and breasts featured aren't too large?

Anonymous

April 08, 2014

A big thanks to Tor developers for their swift response and coming up with new Tor bundles.

Secondly, will Tor developers request Tails developers to come up with a fix for their current version 0.23? Since all network connections in Tails are torified, it means Tails' users are vulnerable to the "Heartbleed" attack, yes? no?

Tails uses debian oldstable, so it is not affected by this attack.

Yes, I know that Tails uses Debian 6.0.9, but it uses the Tor client, yes? no? If the answer is yes, then Tails should upgrade the Tor client, which means issuing a newer version of Tails, maybe 0.23.1.

Does not matter: heartbleed does not depend on tor client, it does depend on openssl. Older versions of openssl (like the one tails is using) are not affected

Anonymous

April 08, 2014

Not specific to this release but thumbnails on about:newtab are broken. Instead, 1933 byte blank white PNGs are generated in \Data\Browser\profile.default\thumbnails.

Interesting... This does not happen for me on my Linux box. Which operating system are you using? Does this always occur? With a clean new, say, 3.5.4? I.e. if you delete that thumbnails directory is it getting created again with the PNGs after entering about:newtab?

I only get an empty thumbnails folder, strange... And if I delete it then it does not come back on my Windows 7 test box. Are there some special steps to reproduce your problem?

Anonymous

April 08, 2014

As always you guys fail to be clear and confuse the hell out of me. Are Vidalia Bundles updated as well? Why do they have to use different versions? Why don't you just add release dates to the download page? And why is the TOR.exe in the Browser Bundle dated 2000-01-01?

By different versions I mean why does the Browser Bundle and the Vidalia bundles have to use completely different version numbering? Together with absolutely no date on the download page provided there is no chance to compare if they contain the same version / if they have both been updated.

Also, thanks for the link about the timestamps but I still don't get why TOR in the browser bundle has a filedate from 2000 while the one that comes with the Vidalia Bundle does not.

Bottom line is, make things easier to understand. If you blog about TOR Bundle updates tell us about Vidalia bundles as well. Add file/updated dates to download page. Two small changes to make things easier.

Thanks

Anonymous

April 09, 2014

A big thank you to everyone at the tor project. Thank you for your continued hard work and dedication to a free and open internet and by extension a free and open planet.

Everyone else, if you can, please consider a donation or run a relay. A little can go a long way.

Anonymous

April 09, 2014

Hi, how about the beta version though? Would the 3.6-beta-1 be getting an update as well?

Anonymous

April 09, 2014

WARNING: WARNING: WARNING:

Google’s Safe Browsing IS AGAIN not deleted from Firefox!!!! You need to do it manually!

This version has AGAIN a unique ID where Google can track you!!

Means, Google is able to track you any time you start using TOR!!!

Can't understand why the developers don't take care of this...

Please show us how to manually delete Google's Safe Browsing from Firefox or Iceweasel.

Note to Tor developers: Could you please ensure that Google's Safe Browsing is deleted from future versions of TBB?

Hi,

1.) it would be good if you'd supply circumstantial evidence as a basis for your statement

2.) I did check this release
"about:config"

and found this:
"browser.safebrowsing.enabled;false"

3.) however I think having these features in a privacy enabled browser is really strange even when deactivated

yes all google safe browsing urls are still existent and could be brought back into operation

Firefox today is really tainted by googlemoney, it needs a good scrub

Anonymous

April 09, 2014

IT IS A SHAME THAT PRIVACY SOFTWARE SUCH AS TOR ALLOWS GOOGLE TO TRACK YOU ANY TIME YOU USE TOR: IT SENDS YOUR UNIQUE FIREFOX VERSION TO THE GOOGLE SERVER IN THE USA:

Anonymous

April 09, 2014

Snowden is a true hero, shame on NSA that is more evil than communism or nazism.
Guess who is the next heartbleed: TrueCrypt, OpenSSH, PGP or Tor?

Anonymous

April 09, 2014

There is something very eerie about this.
It seems a little "bug" (kinda cute little word isn't it?) in the encryption software has basically rendered all supposedly secure and private internet traffic completely insecure. Golly!

Many things point to that this "lil' bug" has probably been implemented and exploited for a long time by the NSA. Gosh!

I remember thinking that the stories behind both the SR and FH busts last year seemed contrived and also overly stressed the fact that Tor wasn't compromised. Oh no! How could it be, it's open source etc.!

Think about it. IF there was (and apparently there was) a virtually untraceable way of monitoring supposedly secure traffic, the NSA wouldn't do anything less than milk it for all it's worth.
The takedown of Freedom Hosting and Silk Road was done in a manner of "we cannot let this go on" but "we still want to wait and milk more info".
I'm starting to think all traffic over Tor for the last two years is compromised.

Anonymous

April 09, 2014

As you know, users' privacy is most violated when they install malicious software that contains backdoors.

When will the TorProject begin codesigning the TBB with an Authenticode Certificate to raise users' confidence that the package is legitimate and hasn't been tampered with?

Today, Windows users are warned that new versions of TBB are likely malicious because there's no way to build reputation unless the downloads are properly signed.

Signing is easy to do (see http://blogs.msdn.com/b/ieinternals/archive/2011/03/22/authenticode-cod…) and you probably could get a major CA like GlobalSign to give you a free certificate.

The downloads are already signed using an HTTPS certificate; the whole of Tor's homepage and download directory from which you get Tor is HTTPS. I believe this would give at least the same security as Windows codesigning would.

On top of that, every release from Tor is also properly signed using PGP, which (although tricky to verify on Windows) does provide better authentication than HTTPS or Windows codesigning does when used right.

But besides that, one more way to verify the authenticity, that Windows users are familiar with, would be good. Maybe you should file a ticket about this (assuming one doesn't already exist), on:

https://trac.torproject.org/