Tor Browser 3.6-beta-2 is released

The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.
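A way to check the OpenSSL version string a Tor client or other binary reports against the releases this update addresses, as an added example (not Tor Project code). The affected range used here (upstream 1.0.1 through 1.0.1f, plus the first 1.0.2 betas) comes from the upstream OpenSSL advisory rather than from this post, and the sample strings are constructed.

```python
import re

# Assumption (from the upstream advisory, not this post): CVE-2014-0160 affects
# upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1.
# 1.0.1g, the version named in this release, carries the fix.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")

def parse_openssl_version(text):
    """Return ((major, minor, fix), letter, beta_tag) from a version string."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    numeric = tuple(int(m.group(i)) for i in (1, 2, 3))
    return numeric, m.group(4), m.group(5)

def heartbleed_status(text):
    """Classify an upstream version string against CVE-2014-0160."""
    numeric, letter, beta = parse_openssl_version(text)
    if numeric == (1, 0, 1):
        # Plain 1.0.1 and letters a-f predate the fix; g and later include it.
        return "affected" if letter < "g" else "fixed"
    if numeric == (1, 0, 2) and beta in ("beta", "beta1"):
        return "affected"
    if numeric < (1, 0, 1):
        # 0.9.8 and 1.0.0 never shipped the heartbeat extension.
        return "not affected"
    return "fixed"

# Constructed sample strings in the format printed by `openssl version`.
SAMPLES = [
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

def audit(samples=SAMPLES):
    """Map each reported version string to its status."""
    return {s: heartbleed_status(s) for s in samples}

if __name__ == "__main__":
    for version, status in audit().items():
        print("%-34s %s" % (version, status))
```

Distribution packages may backport the fix without changing the version letter, and builds compiled without heartbeat support are not exposed, so treat "affected" as a prompt to confirm the vendor patch level.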

This beta also features a Turkish language bundle, experimental JavaScript hardening options, fixes for pluggable transport issues, and a fix for an improper update notification shown after extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

  • All Platforms
    • Update OpenSSL to 1.0.1g
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update fte transport to 0.2.12
    • Update NoScript to 2.6.8.19
    • Update Torbutton to 1.6.8.1
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
    • Update Tor Launcher to 0.2.5.3
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
  • Linux:
    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 11286: Fix fte transport launch error

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Anonymous

April 11, 2014

The NSA has exploited Heartbleed bug for years, Bloomberg reports.

Do you still believe in TOR!?

I'm assuming that particular article is nonsense until somebody shows up with some actual details. I guess it's hot to point at NSA conspiracies these days. But doing it in this case undermines the *actual* NSA conspiracies that we should indeed be upset about.

And yes, pretty much no matter how this particular story goes, you'll still be happier that you used Tor than that you didn't, over the past years. The Internet is a rough place without something like Tor.

What a coincidence, these "reliable sources" just reveal this astonishing information after the Heartbleed bug was well known.
Plus, the Snowden papers refer to TOR and the NSA trying to break it; they also refer to how the NSA has its hands on a lot of SSL certificates, but they don't say a word about the Heartbleed bug so far.
Bloomberg is just exploiting the situation to make some buzz, in my opinion.

Anonymous

April 11, 2014

Downloaded, installed and running on Win 8.1 Pro. 32bit. No problems so far. Thanks for the update!

TBB hangs on 'loading relay information'. I have to close TBB and restart it 3 or more times before TBB will connect. I am using PT-obfs 3. Maybe all the obfs 3 bridge relays are busy?

Anonymous

April 11, 2014

Thanks for the rapid update to 3.6-beta releases!
There used to be an annoying gap between normal releases and PT bundles.

Anonymous

April 12, 2014

Newbie question maybe, but I now have Norton Hotspot Privacy VPN. Since I use Tor Browser are there still benefits to using the Norton VPN?

Without knowing the product in question, I would say, in general, commercial VPN sw and services are USELESS for maintaining your anonymity.

They work for circumventing DNS/IP range blocking and that's about it.

VPNs can also be useful for protecting against eavesdroppers on public/untrusted networks, such as public WiFi.

(But remember that the VPN sees all your traffic. And if you think they won't hand over all they know about you under any pressure...)

I would use just Tor Browser. Norton have worked with the NSA and there is a chance their VPN service could log all your activity.

but I now have Norton Hotspot Privacy VPN.

Ditch Norton products. Symantec/Norton is a close partner of NSA. Have you heard of Edward Snowden, NSA's whistleblower?

You are wasting your money.

Yup. Didn't know Norton connexion though. Thanks for pointing it out. What about Hidemyass for anonymous browsing? And Hushmail for email? They were mentioned in Cole Stryker's book, "Hacking the Future".

Hidemyass is famous for turning over some kid who was maybe part of Anonymous. And when he confronted them, the conversation went something like "well, what did you expect, you did something a government didn't like" "but you're named hide my ass!"

Hushmail on the other hand is famous for turning over the mailboxes of its users to various law enforcement groups, despite claims that they technically can't do it. See e.g. https://blog.torproject.org/blog/trip-report-october-fbi-conference

The lesson here is that all of these centralized for-profit companies that claim privacy are in fact still centralized. It's privacy by promise, not privacy by design:

https://svn.torproject.org/svn/projects/articles/circumvention-features…

Anonymous

April 12, 2014

Dates of certificate issuing:

blog.torproject.org (05:CA:*): 2014-04-09
*.torproject.org (09:48:*): 2013-10-22

Are you planning to get a new cert for the latter?

Today is the first time I noticed these torproject certs.

*.torproject.org —
SHA1:
84:24:56:56:8E:D7:90:43:47:AA:89:AB:77:7D:A4:94:3B:A1:A7:D5
Serial Number:
09:48:B1:A9:3B:25:1D:0D:B1:05:10:59:E2:C2:68:0A
Issued: 10/22/2013 Exp.: 05/03/2016

blog.torproject.org blog.torproject.org — SHA1:
DE:20:3D:46:FD:C3:68:EB:BA:40:56:39:F5:FA:FD:F5:4E:3A:1F:83
Serial Number:
05:CA:2A:A9:A5:D6:ED:44:C7:2D:88:1A:18:B0:E7:DC
Issued: 04/08/2014 Exp.: 06/14/2017

If the one for *.torproject.org was issued back in October, why is it first being used now?

Below are the certs I had been seeing prior to today. What happened to them?

*.torproject.org
SHA1:
1F:9D:30:6E:8B:FC:CF:CB:03:98:1A:71:A2:7A:9F:5D:1E:08:76:CE

blog.torproject.org blog.torproject.org
SHA1:
0E:09:14:64:17:CD:7E:7A:4A:CA:98:C1:8E:92:C2:59:66:85:8D:BA

Anonymous

April 13, 2014

Is something going on with the Tor network? Connecting with the normal bundle is difficult and using obfs3 in the beta is slow.

The speed of obfs3 depends a lot on the speed of the bridge you're using.

obfs2 and obfs3 shouldn't be any slower than normal Tor, if the underlying bridges / relays are the same speed.

Maybe you should spin up your own obfs3 bridge, e.g. on Amazon cloud or some VPS somewhere, and route through it?

Anonymous

April 13, 2014

Any comment about the connections to IP 213.163.64.74 immediately after startup?

That looks like one of the 5000+ Tor relays.

I assume you started your Tor, it picked some guards, and now when you start your Tor again it makes some circuits for you, so they will be ready when you try to use them, and one of those circuits was to that guard.

https://www.torproject.org/docs/faq#EntryGuards

So in short, "totally normal, and I encourage you to learn how Tor works".

Anonymous

April 13, 2014

I love how OpenSSL put the whole world in grave danger out of sheer incompetence and no one dared say anything to them.

Anonymous

April 13, 2014

I have the old version of TOR running. Can I drop in a 0.9 version of OpenSSL?

Anonymous

April 14, 2014

How do you update? This so-called update erases all existing settings and addons.

Anonymous

April 14, 2014

Was Tor Browser for Mac OS X also vulnerable? I read that Mac OS X still used OpenSSL 0.98.

Anonymous

April 15, 2014

Could not connect to news media and blog.torproject.org over
exit node bandito 1AAB39E97C7E4CFCA585265D17A03F8D3390D841

Other exit node right after that no problem.

Anonymous

April 15, 2014

Offtopic: Tor 0.2.4.20 does not start on Windows 2000. Where can I get an older version of Tor?

Seriously, Windows 2000? Isn't that, like, unsupported for a long time now?

I think Tor should work there, but I think Firefox (and thus Tor Browser) won't.

If the Tor binary doesn't work, you should file tickets about what goes wrong, and help us fix it. Going to an older version is likely a poor idea -- check out the changelog of things we've fixed recently.

Anonymous

April 16, 2014

It looks like the 'torrc' ini file is deprecated.

Where do settings such as limiting exit nodes by country, specifying bridges etc. go now?

Thanks

Anonymous

April 16, 2014

Awesome! Congrats :) Is this version going to keep my local settings when I update it to the next one (first time I'm using a beta)? Thanks!