Tor Browser 3.5.4 is Released

The 3.5.4-stable release of the Tor Browser is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release updates only OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process, which does use OpenSSL.

Here is the changelog:

  • All Platforms
    • Update OpenSSL to 1.0.1g
khled.8@hotmai.com

April 10, 2014


Screen-size

GK

I have installed 3.5.4 but, as I have reported regarding earlier Tor versions, both ip-check (with and without JS) and Panopticlick (with JS) can get my screen size - and they still get EXACTLY the same one.

If it is a bug, I would like to report it but I do not have the necessary permissions to do so.

Help !!!!! (Please)

What do you mean by "necessary permissions"? You can use the cypherpunks account if you like. See the Welcome section at https://trac.torproject.org/projects/tor. That said, bug 9268 is probably what you want. Could you test the latest .xpi attached there and report back whether it fixed your issue?

EDIT: And, no, neither maximizing nor resizing the browser window is currently working properly with respect to hiding your screen size. So, if you do one of those things or both, you probably won't see the expected multiple of 200x100...

GK

Re 'necessary permissions' - In a previous post (re 3.5.3) you said: " feel free to open a ticket in our bugtracker at https://trac.torproject.org/projects/tor".

I went there, went to "Choose New Ticket to create a new bug report or feature request", chose 'New Ticket' and got the message: "Error: Forbidden
TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

I'll do what you say.

Thanks

GK

I tried to do what you said. I probably did everything wrong but, as I suspect is the case with many people who use Tor, I didn’t/don’t really understand what is being said.

Anyway, what I did is:

I downloaded Bug Report 9268 and read it.
I downloaded the xpis: torbutton-1.6.7.0.xpi and torbutton-1.6.8.0pre1.xpi
I read the instruction: “You need to patch torbutton.js file inside of torbutton@torproject.org.xpi” under Comment 13, but do/did not know how to do it. As there are no instructions I had to guess, as follows:

I added the above xpis in turn – starting with 1.6.7.0 - to the ‘extensions’ folder found at:
C\user\My Name\desktop\Tor browser\data\Browser\Profile default\Extensions.

Via ip-check.info (Yes, I know that at least one contributor does not think much of this checking site, but –with JS enabled or disabled - it manages to detect the same screen size (not rounded) as Panopticlick does with JS enabled) I scrolled down to screen-size. It showed a rounded size. Success!!! I thought.

I closed the browser and turned off the computer. I then turned it on again, to check if I would get a rounded screen-size again. No, it was back to the original screen size. I turned the computer on and off again three times but each time I could not reproduce the rounded screen-size.

I then removed xpi 1.6.7.0 and put 1.6.8.0pre1 in its place and then checked the screen-size with ip-check. I got the rounded size. I turned the computer on/off three times and still got the rounded size. Was this success??? To make sure that the rounded size was being ‘detected’ and not just being brought back from some sort of cache, I cleaned the computer with Glary Utilities 4 and then with CCleaner 410 and then re-opened the browser and checked the screen-size with ip-check. I was back to the non-rounded screen-size. I also checked with Panopticlick and got the same non-rounded screen-size.

I don’t know what to do.

Maybe my problem started with my not understanding the instruction: “You need to patch torbutton.js file inside of torbutton@torproject.org.xpi” but I don’t know how to do that. If you (or someone) will enlighten me, I will do it and report back.

Should I now file a bug report?

Thanks for the assistance

khled.8@hotmai.com

April 10, 2014


I'm running a Debian 64-bit wheezy KDE.
When I run start-tor-browser, "Tor unexpectedly exited." appears. It has happened since this version; with older versions it doesn't happen! I tried in many user sessions and tried "killall tor", restarted, and nothing. I tried deleting and downloading again. Also checked the user owner.
Also, I can execute older Tor!

What can I do???

Best answer is to try the helpdesk or irc. A comment in a blog post is not a good place to track down your issue.

Is Tor still using 1K RSA?
And are bad relays mentioned here http://torstatus.blutmagie.de/ excluded by default in TBB?

A) For relay identity keys yes, but not for circuit encryption keys or for link encryption.
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/220-ecc-…

B) blutmagie just tells you what's in the Tor networkstatus consensus, so yes.

The erratasec person sure does like blurring details and getting attention. His math was wrong, because he computed the chance of picking a single 0.2.3 relay, not picking solely 0.2.3 relays for your whole circuit.

I think it's unlikely that NSA breaking 1024-bit RSA is the low-hanging fruit here. Especially given all the code security issues in libraries and browsers we've been seeing lately.

All of that said, the Tor 0.2.4.21 release (published February 28 2014) should put these issues to rest:
https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.21:/ReleaseNotes#l…
https://trac.torproject.org/projects/tor/ticket/9777

That awkward moment when TorProject.org doesn't comply with EFF's HTTPS deployment recommendations https://www.eff.org/https-everywhere/deploying-https

Hm? Details please?

For example, torproject.org uses AES_128_CBC_SHA; EFF recommends using GCM instead of CBC, and SHA256 instead of SHA. Read the link...

Fantastically fast response to heartbleed! Thanks guys. Just one thing:

Have you updated the EC2 AMI (to include OpenSSL 1.0.1g) for bridges-in-the-cloud? Or do we have to 'sudo apt-get install openssl' for each bridge?

I have Linux Tor Browser 3.5.4 installed, but it's reporting "Browser out of date". The only version on the download page is 3.5.4.

The Tor Cloud bridges are self-updating, though the older ones based on Ubuntu Lucid will not get the latest OpenSSL update. That said, Tor Cloud operators should manually generate new keys, if possible.

Well my Tor cloud bridges have not updated themselves. (They are running Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-52-virtual i686).) sudo apt-get fails: "disk full" (even though it isn't). In fact even sudo apt-get update fails trying to update Tor: "Err http://deb.torproject.org experimental-precise/main i386 Packages 404 Not Found [IP: 38.229.72.14 80]"

Wonder if it's possible to replace one AMI with a new one, without incurring any charges ....

To clarify the previous comment; Tor Cloud bridges running Ubuntu Lucid will not be able to update to the latest OpenSSL, but they are not running the vulnerable version either. The version in Lucid is 0.9.8, heartbleed was introduced in 1.0.1.
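The announcement says the browser does not link OpenSSL but the Tor client sub-process does, and the comment above points out that Lucid's 0.9.8 is outside the affected range while newer distributions backport the fix without changing the upstream version letter. The following Python is an added example, not Tor Project code: it pulls the OpenSSL version out of a banner (the output of `openssl version`, or the notice Tor logs at startup), flags the upstream Heartbleed range 1.0.1 through 1.0.1f, and, for Debian/Ubuntu, compares the installed package version against the first fixed package version. All function names are mine; the Tor log line is constructed; the fixed package versions for wheezy and precise are taken from the DSA-2896 and USN-2165-1 advisories and should be confirmed against the advisory for your own release; the version ordering is a simplified form of Debian's rules.

```python
import re

# Heartbleed (CVE-2014-0160) is present in upstream OpenSSL 1.0.1 through
# 1.0.1f. 1.0.1g is the fixed upstream release; 0.9.8 and 1.0.0 never
# contained the TLS heartbeat code, so they are out of scope.

# Matches "OpenSSL 1.0.1e 11 Feb 2013" as well as the version embedded in
# Tor's startup notice; the optional trailing letter is OpenSSL's patch level.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)

# Constructed sample, approximating the notice Tor logs when it starts.
SAMPLE_TOR_NOTICE = (
    "Apr 10 12:00:00.000 [notice] Tor v0.2.4.21 running on Linux "
    "with Libevent 2.0.19-stable and OpenSSL 1.0.1e."
)


def parse_openssl_banner(text):
    """Return (major, minor, patch, letter) from text containing an
    OpenSSL version, or None if no version is present."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter.lower())


def upstream_affected(text):
    """True when the upstream version number is in the Heartbleed range.

    This judges only the upstream number. Distribution packages usually
    backport the fix without bumping the letter, so True means
    "check the package changelog", not "vulnerable".
    """
    parsed = parse_openssl_banner(text)
    if parsed is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, letter = parsed
    # Plain "1.0.1" (empty letter) and "a".."f" are affected; "g" onward fixed.
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"


# First package versions carrying the backported fix. Taken from the
# Debian DSA-2896 and Ubuntu USN-2165-1 advisories; confirm against the
# advisory for your own release before relying on them.
FIXED_PACKAGE_VERSION = {
    "wheezy": "1.0.1e-2+deb7u5",     # Debian 7
    "precise": "1.0.1-4ubuntu5.12",  # Ubuntu 12.04 LTS
}


def _version_key(version):
    """Simplified Debian version ordering: split into digit and non-digit
    runs and compare digit runs numerically. Adequate for stock
    security-update strings of one release; for the full rules (epochs,
    '~') use apt_pkg.version_compare from python-apt."""
    return [int(tok) if tok.isdigit() else tok
            for tok in re.findall(r"\d+|\D+", version)]


def package_fixed(release, installed_version):
    """True when the installed Debian/Ubuntu openssl package version is at
    or above the first fixed version for that release."""
    fixed = FIXED_PACKAGE_VERSION[release]
    return _version_key(installed_version) >= _version_key(fixed)


def assess(text, release=None, installed_version=None):
    """Combine both checks into a single verdict string."""
    if not upstream_affected(text):
        return "not affected (upstream version outside 1.0.1-1.0.1f)"
    if release is not None and installed_version is not None:
        if package_fixed(release, installed_version):
            return "fixed by distribution backport (%s %s)" % (release, installed_version)
        return "vulnerable: package %s is below %s" % (
            installed_version, FIXED_PACKAGE_VERSION[release])
    return "upstream version affected; verify the package changelog"


if __name__ == "__main__":
    print(assess(SAMPLE_TOR_NOTICE))
    print(assess(SAMPLE_TOR_NOTICE, "wheezy", "1.0.1e-2+deb7u5"))
    print(assess("OpenSSL 1.0.1g 7 Apr 2014"))
    print(assess("OpenSSL 0.9.8k 25 Mar 2009"))
```

The point of the two-stage check is the one raised in the comment: a banner reading 1.0.1e on Debian wheezy or Ubuntu precise is not by itself evidence of exposure, because those releases kept the upstream letter and shipped the fix in the package revision, whereas a static or bundled OpenSSL (as in the Tor client inside the bundle) has no package revision to consult and must be judged by the upstream number alone.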

NO WAY TO CHANGE DEFAULT PORTS IN VERSION 3.5.X

OTHER THAN 9150 / 9151? TRIED EDITING TORRC-DEFAULT FILE,

NO GO. ERROR: CANNOT CONNECT TO CONTROL PORT

NEED NEW INSTRUCTIONS ON PROCEDURE TO CHANGE PORTS

Yeah, I bet there's a way, but I don't know what it is either. I recommend either reading the Tor Launcher code, or participating in irc and becoming helpful and then hoping somebody will look it up for you. It's easy to do with Tor, but I bet the Tor Launcher folks didn't think to make it easy.

Screen size

I am rather concerned that I was invited by GK to lodge a bug report re the inability of the Tor browser to round my screen size to 100, but when I try to do so I am refused access as I don't have the necessary permissions.

Another contributor said that he/she has the same problem, so it does not appear to be a problem with just my machine - running Win 7.

So that I know if I and the other contributor are unique, could I trouble people to report, stating their operating system, whether Tor 3.5.4 does or does not round their screen size to 100.

In the meantime I would be grateful if GK could tell me how I can lodge a bug report.

Thanks

You can find a trac.torproject.org login on the front page (trac.torproject.org) if you don't want to make an account of your own.

(If you make an account of your own though, you can give it an email address, and it will mail you when the ticket updates. That might be nice if we need you to respond to questions / suggested patches / etc.)

Have executable "naked" Tor versions 0.4.21 (stable) and 0.2.5.3 (alpha) been compiled for MS-Windows & uploaded to the distribution platforms ?

Maybe just me, couldn't find them on the site :-(
Can you please make a conspicuous link to both ?

You might like the "expert bundle" in the Windows section of
https://www.torproject.org/download/download
?

Torproject is now officially a sad joke. Go to about:config and type "www" or ".com" or ".org" and look at the staggering number of potential built-in leaks.

And you can't even see what nodes you're connected to anymore, that means you can't even tell if all 3 nodes you're using are all in the same country owned by the NSA.

It was fun while it lasted, but looks like it is time to start a new anonymous browsing project.

Sounds great. You'll probably want to use Tor in your anonymous browsing project, and you'll probably find the Tor Browser design document useful too.

...and once you're on that track, maybe you'll find it more fun to write patches for Tor Browser?

My Tor doesn't work after the last update. I keep getting this error message: Can't load xpcom.

Your antivirus is preventing your Tor from talking to itself.

I recommend googling for the problem and its solution.

for whatever reason I didn't think about this until now, but should "httpseverywhere_ver. 3.5" be temporarily disabled or should the update to 1.0.1g take care of everything?

httpseverywhere and openssl are different things.

I know. I was wondering if I should temporarily disable httpseverywhere due to the bug in openssl. I wasn't sure if SSL connections continued to remain vulnerable (other sites not renewing certificates, etc.) I didn't want to force SSL through httpseverywhere, but if the 1.0.1g update patched the bug, then I shouldn't worry about it anymore? Sorry, if I'm not being clear.

httpseverywhere makes you opt to use https on a few sites that support it but don't switch you to it by default. It doesn't make you stop using https on the other sites.

If you're in a position where some websites might not have upgraded and you're sending them sensitive info, the best plan might be to stop using the Internet for a while. Disabling httpseverywhere won't really change the threat much for you.

RSA 1024 bit has been hacked. TOR uses RSA 1024. Isn't this a security problem? Why not use AES 256 and plug the hole?

I suggest you learn more about the various keys Tor uses, including link encryption and circuit encryption, where we've moved to curve25519.

Also, AES 256 is not a replacement for RSA 1024 -- one is symmetric crypto, the other is asymmetric crypto.

So you are right to be concerned, but there's a lot to learn, and a pile of blog comments here is probably not the best place.

In normal firefox (V28.0), can websites read each others' cookies? If so, is there a way to prevent them from doing so?

Gosh, I hope not. Why do you ask?

Also, asking about normal Firefox on a Tor blog post is not really a great place to get support.

Hello.
I'm using Ubuntu 14.04 LTS.
How can I run Tor in Ubuntu 14.04?

I used to run Tor in Ubuntu 12.04 very well.
(e.g., extract -> just run 'tor')

But Ubuntu 14.04 can't.

Anybody help me.

-Thank you.

I have the same problem...

I suggest you open a question on https://tor.stackexchange.com/ and see if somebody there who runs that version of Ubuntu can help.

Did you try:

# aptitude install tor

?

This isn't going to get the person a tor browser bundle, and without the tor browser part, they're unlikely to use Tor safely.

What do you think about tails?

Just try to use it as a LiveCD with Virtual Machine.

When I update Tor 3.5.4 and re-start the browser, it tells me that I need to update. Looks like the update isn't working. I tried 3 times with no success.

Sorry to comment here on this, but has anyone else noticed that TOR connections are infinitely faster since the HeartBleed bug was fixed in the latest TOR packages?

I'm getting my web pages nearly 10 times faster (yes, I checked to make sure that page caching was off in my TOR Bundle) now and I'm wondering what caused the exceedingly great change in the speed of TOR.

Which Tor bundles were you using earlier?

The Tor network in general has gotten a lot faster in the past years, as more capacity has come online.