Tor Browser 3.5.4 is Released

The 3.5.4-stable release of the Tor Browser is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release updates only OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL and is not vulnerable to this CVE. This release is still considered an important security update, however, because it is theoretically possible to extract sensitive information from the Tor client sub-process, which does link against OpenSSL.

Here is the changelog:

  • All Platforms
    • Update OpenSSL to 1.0.1g
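The release note above concerns the OpenSSL copy used by the tor sub-process, and the comments below ask whether Tor Cloud bridges on older Ubuntu releases are affected. Here is an added Python helper (not part of Tor Browser or Tor Cloud) that classifies `openssl version` output against the affected upstream range 1.0.1 to 1.0.1f; the bridge names and outputs are constructed.

```python
import re

# Heartbleed (CVE-2014-0160) sits in the TLS heartbeat code that first shipped
# in OpenSSL 1.0.1 and was fixed in 1.0.1g; 0.9.8 and 1.0.0 never had it.
FIRST_VULNERABLE = (1, 0, 1, "")
FIRST_FIXED = (1, 0, 1, "g")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' (or just '1.0.1e') into a comparable
    tuple (major, minor, fix, patch_letters); None if no version is present.
    Patch letters compare lexically, so '' < 'f' < 'g' as intended."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)

def is_heartbleed_vulnerable(version_text):
    """True for upstream versions 1.0.1 .. 1.0.1f, False otherwise, None if
    unparseable. Caveat: Debian and Ubuntu backport security fixes without
    changing the upstream version string, so a distro build that reports
    1.0.1e may already be patched; check the package changelog before acting."""
    v = parse_openssl_version(version_text)
    if v is None:
        return None
    return FIRST_VULNERABLE <= v < FIRST_FIXED

def audit_bridges(reports):
    """Map bridge name -> 'vulnerable' / 'ok' / 'unknown', given the text each
    bridge printed for `openssl version`."""
    labels = {True: "vulnerable", False: "ok", None: "unknown"}
    return {name: labels[is_heartbleed_vulnerable(out)]
            for name, out in reports.items()}

# Constructed sample output; not captured from real Tor Cloud bridges.
SAMPLE_REPORTS = {
    "bridge-lucid": "OpenSSL 0.9.8k 25 Mar 2009",
    "bridge-precise": "OpenSSL 1.0.1 14 Mar 2012",
    "bridge-updated": "OpenSSL 1.0.1g 7 Apr 2014",
    "bridge-broken": "bash: openssl: command not found",
}

if __name__ == "__main__":
    for name, status in audit_bridges(SAMPLE_REPORTS).items():
        print(f"{name}: {status}")
```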

Anonymous, April 10, 2014

Screen-size

GK

I have installed 3.5.4 but, as I have reported regarding earlier Tor versions, both ip-check (with and without JS) and Panopticlick (with JS) can get my screen size - and they still get EXACTLY the same one.

If it is a bug, I would like to report it but I do not have the necessary permissions to do so.

Help !!!!! (Please)

What do you mean with "necessary permissions"? You can use the cypherpunks account if you like. See: https://trac.torproject.org/projects/tor the Welcome section. That said, bug 9268 is probably what you want. Could you test the latest .xpi attached there and report back whether it fixed your issue?

EDIT: And, no, neither maximizing nor resizing the browser window is currently working properly with respect to hiding your screen size. So, if you do one of those things or both, you probably won't see the expected multiple of 200x100...

GK

Re 'necessary permissions' - In a previous post (re 3.5.3) you said: " feel free to open a ticket in our bugtracker at https://trac.torproject.org/projects/tor".

I went there, went to "Choose New Ticket to create a new bug report or feature request", chose 'New Ticket' and got the message: "Error: Forbidden
TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

I'll do what you say.

Thanks

GK

I tried to do what you said. I probably did everything wrong but, as I suspect is the case with many people who use Tor, I didn’t/don’t really understand what is being said.

Anyway, what I did is:

I downloaded Bug Report 9268 and read it.
I downloaded the xpis: torbutton-1.6.7.0.xpi and torbutton-1.6.8.0pre1.xpi
I read the instruction: “You need to patch torbutton.js file inside of torbutton@torproject.org.xpi” under Comment 13, but do/did not know how to do it. As there are no instructions I had to guess, as follows:

I added the above xpis in turn – starting with 1.6.7.0 - to the ‘extensions’ folder found at:
C\user\My Name\desktop\Tor browser\data\Browser\Profile default\Extensions.

Via ip-check.info (Yes, I know that at least one contributor does not think much of this checking site, but –with JS enabled or disabled - it manages to detect the same screen size (not rounded) as Panopticlick does with JS enabled) I scrolled down to screen-size. It showed a rounded size. Success!!! I thought.

I closed the browser and turned off the computer. I then turned it on again, to check if I would get a rounded screen-size again. No, it was back to the original screen size. I turned the computer on and off again three times but each time I could not reproduce the rounded screen-size.

I then removed xpi 1.6.7.0 and put 1.6.8.0pre1 in its place and then checked the screen-size with ip-check. I got the rounded size. I turned the computer on/off three times and still got the rounded size. Was this success??? To make sure that the rounded size was being ‘detected’ and not just being brought back from some sort of cache, I cleaned the computer with Glary Utilities 4 and then with CCleaner 410 and then re-opened the browser and checked the screen-size with ip-check. I was back to the non-rounded screen-size. I also checked with Panopticlick and got the same non-rounded screen-size.

I don’t know what to do.

Maybe my problem started with my not understanding the instruction: “You need to patch torbutton.js file inside of torbutton@torproject.org.xpi” but I don’t know how to do that. If you (or someone) will enlighten me, I will do it and report back.

Should I now file a bug report?

Thanks for the assistance

Anonymous, April 10, 2014

I'm running Debian 64-bit Wheezy with KDE.
When I run start-tor-browser, "Tor unexpectedly exited." appears. It has happened since this version; with older ones it doesn't happen! I tried in many user sessions and tried "killall tor", restarted, and nothing. I tried deleting and downloading again. Also checked the user owner.
Also, I can execute the older Tor!

What can I do???

A) For relay identity keys yes, but not for circuit encryption keys or for link encryption.
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/220-ecc-…

B) blutmagie just tells you what's in the Tor networkstatus consensus, so yes.

The erratasec person sure does like blurring details and getting attention. His math was wrong, because he computed the chance of picking a single 0.2.3 relay, not picking solely 0.2.3 relays for your whole circuit.

I think it's unlikely that NSA breaking 1024-bit RSA is the low-hanging fruit here. Especially given all the code security issues in libraries and browsers we've been seeing lately.

All of that said, the Tor 0.2.4.21 release (published February 28 2014) should put these issues to rest:
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://trac.torproject.org/projects/tor/ticket/9777

Anonymous, April 11, 2014

Fantastically fast response to heartbleed! Thanks guys. Just one thing:

Have you updated the EC2 AMI (to include OpenSSL 1.0.1g) for bridges-in-the-cloud? Or do we have to 'sudo apt-get install openssl' for each bridge?

Anonymous, April 12, 2014

I have Linux Tor Browser 3.5.4 installed, but it's reporting "Browser out of date". The only version on the download page is 3.5.4.

Anonymous, April 12, 2014

The Tor Cloud bridges are self-updating, though the older ones based on Ubuntu Lucid will not get the latest OpenSSL update. That said, Tor Cloud operators should manually generate new keys, if possible.

Well my Tor cloud bridges have not updated themselves. (They are running Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-virtual i686).) sudo apt-get fails: "disk full" (even though it isn't). In fact even sudo apt-get update fails trying to update Tor: "Err http://deb.torproject.org experimental-precise/main i386 Packages 404 Not Found [IP: 38.229.72.14 80]"

Wonder if it's possible to replace one AMI with a new one, without incurring any charges ....

Anonymous, April 12, 2014

To clarify the previous comment: Tor Cloud bridges running Ubuntu Lucid will not be able to update to the latest OpenSSL, but they are not running the vulnerable version either. The version in Lucid is 0.9.8; Heartbleed was introduced in 1.0.1.

Anonymous, April 13, 2014

NO WAY TO CHANGE DEFAULT PORTS IN VERSION 3.5.X

OTHER THAN 9150 / 9151? TRIED EDITING TORRC-DEFAULT FILE,

NO GO. ERROR: CANNOT CONNECT TO CONTROL PORT

NEED NEW INSTRUCTIONS ON PROCEDURE TO CHANGE PORTS

Yeah, I bet there's a way, but I don't know what it is either. I recommend either reading the Tor Launcher code, or participating in irc and becoming helpful and then hoping somebody will look it up for you. It's easy to do with Tor, but I bet the Tor Launcher folks didn't think to make it easy.

Anonymous, April 14, 2014

Screen size

I am rather concerned that I was invited by GK to lodge a bug report re the inability of the Tor browser to round my screen size to 100, but when I try to do so I am refused access as I don't have the necessary permissions.

Another contributor said that he/she has the same problem, so it does not appear to be a problem with just my machine - running Win 7.

So that I know if I and the other contributor are unique, could I trouble people to report, stating their operating system, whether Tor 3.5.4 does or does not round their screen size to 100.

In the meantime I would be grateful if GK could tell me how I can lodge a bug report.

Thanks

You can find a trac.torproject.org login on the front page (trac.torproject.org) if you don't want to make an account of your own.

(If you make an account of your own though, you can give it an email address, and it will mail you when the ticket updates. That might be nice if we need you to respond to questions / suggested patches / etc.)

Anonymous, April 15, 2014

Have executable "naked" Tor versions 0.4.21 (stable) and 0.2.5.3 (alpha) been compiled for MS-Windows & uploaded to the distribution platforms ?

Maybe just me, couldn't find them on the site :-(
Can you please make a conspicuous link to both ?

Anonymous, April 15, 2014

Torproject is now officially a sad joke. Goto about:config and type "www" or ".com" or ".org" and look at the staggering number of potential built-in leaks.

And you can't even see what nodes you're connected to anymore, that means you can't even tell if all 3 nodes you're using are all in the same country owned by the NSA.

It was fun while it lasted, but looks like it is time to start a new anonymous browsing project.

Sounds great. You'll probably want to use Tor in your anonymous browsing project, and you'll probably find the Tor Browser design document useful too.

...and once you're on that track, maybe you'll find it more fun to write patches for Tor Browser?

Anonymous, April 16, 2014

My Tor doesn't work after the last update. I keep getting this error message: Can't load xpcom.

Anonymous, April 16, 2014

for whatever reason I didn't think about this until now, but should "httpseverywhere_ver. 3.5" be temporarily disabled or should the update to 1.0.1g take care of everything?

I know. I was wondering if I should temporarily disable httpseverywhere due to the bug in openssl. I wasn't sure if SSL connections continued to remain vulnerable (other sites not renewing certificates, etc.) I didn't want to force SSL through httpseverywhere, but if the 1.0.1g update patched the bug, then I shouldn't worry about it anymore? Sorry, if I'm not being clear.

httpseverywhere makes you opt to use https on a few sites that support it but don't switch you to it by default. It doesn't make you stop using https on the other sites.

If you're in a position where some websites might not have upgraded and you're sending them sensitive info, the best plan might be to stop using the Internet for a while. Disabling httpseverywhere won't really change the threat much for you.

Anonymous, April 17, 2014

RSA 1024 bit has been hacked. TOR uses RSA 1024. Isn't this a security problem? Why not use AES 256 and plug the hole?

I suggest you learn more about the various keys Tor uses, including link encryption and circuit encryption, where we've moved to curve25519.

Also, AES 256 is not a replacement for RSA 1024 -- one is symmetric crypto, the other is asymmetric crypto.

So you are right to be concerned, but there's a lot to learn, and a pile of blog comments here is probably not the best place.

Anonymous, April 18, 2014

In normal firefox (V28.0), can websites read each others' cookies? If so, is there a way to prevent them from doing so?

Anonymous, April 20, 2014

Hello.
I'm using Ubuntu 14.04 LTS.
How can I run Tor in Ubuntu 14.04?

I used to run Tor in Ubuntu 12.04 very well.
(e.g. extract -> just run 'tor')

But Ubuntu 14.04 can't.

Anybody help me.

Thank you.

Anonymous, April 21, 2014

When I update Tor 3.5.4 and re-start the browser, it tells me that I need to update. Looks like the update isn't working. I tried 3 times with no success.

Anonymous, April 24, 2014

Sorry to comment here on this, but has anyone else noticed that TOR connections are infinitely faster since the HeartBleed bug was fixed in the latest TOR packages?

I'm getting my web pages nearly 10 times faster (yes, I checked to make sure that page caching was off in my TOR Bundle) now and I'm wondering what caused the exceedingly great change in the speed of TOR.