Tor Browser 3.6-beta-2 is released

The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

All Platforms
- Update OpenSSL to 1.0.1g
- Bug 9010: Add Turkish language support.
- Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
- Update fte transport to 0.2.12
- Update NoScript to 2.6.8.19
- Update Torbutton to 1.6.8.1
  - Bug 11242: Fix improper "update needed" message after in-place upgrade.
  - Bug 10398: Ease translation of about:tor page elements
- Update Tor Launcher to 0.2.5.3
  - Bug 9665: Localize Tor's unreachable bridges bootstrap error
- Backport Pending Tor Patches:
  - Bug 9665: Report a bootstrap error if all bridges are unreachable
  - Bug 11200: Prevent spurious error message prior to enabling network.
Linux:
- Bug 11190: Switch linux PT build process to python2
- Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
Windows:
- Bug 11286: Fix fte transport launch error

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Not yet,

Not yet, alas.

https://tor.stackexchange.com/questions/318/how-do-i-keep-my-tor-browse…

The bug #9387 changes

The bug #9387 changes ("Disable JS JIT, type inference, asmjs, and ion. ") seem to involve turning off everything which is intended to make JavaScript fast.
Has there been any systematic attempt to evaluate what effect this may have on performance?
Has there, for that matter, been any systematic attempt to evaluate what additional security benefit this brings, e.g. what proportion of past Firefox vulnerabilities would users have been protected against if each of these features were disabled?

While your suggestion of

While your suggestion of going thru past issues may sound systematic and smart, the low hanging fruit for bad guys is using already disclosed -- but unfixed -- vulnerabilities. So the past is somewhat irrelevant.

Regarding speed....well that's one of the benefits of having a beta to evaluate.

I entered about:config and

I entered about:config and typed "www" or ".com" or ".org" and then there are 50 built in urls that can potentially leak information. Why are they in there?

I Remove most of them in

I Remove most of them in about:config by either deleting or changing the URL. I suggest all google links are removed as those bastards are monitoring everything on the net.

what does the "experimental

what does the "experimental Javascript hardening options" do exactly?

SENDS HARD-CODED ID TO THE

SENDS HARD-CODED ID TO THE NSA.

Thank you Mr Troll for

Thank you Mr Troll for wasting our time.

(Or alternatively, please file a ticket if you find an issue.)

Not bad not bad. I see a lot

Not bad not bad. I see a lot of bitching and moaning ^ but also a lot of valid points which I wont point out to you again.

People moaning about speed - Learn how Tor works
People moaning about losing addons and bookmarks after updating - What do you expect?

Keep up the good work Tor. Much love.

I'm connecting thru VPN,

I'm connecting thru VPN, when I first launch the TBB should I click "connect" or "configure"?

Tor is not working at all on

Tor is not working at all on Win 8.1 for me now . . . it worked fine before

This blog probably won't

This blog probably won't help you move forward with your problem. Try the help desk or the stackexchange forum.

https://www.torproject.org/about/contact
https://tor.stackexchange.com/

Upcoming Events

March 28, 2019

Tor Meetup (Valencia)

March 23, 2019 - March 24, 2019

LibrePlanet (Boston)

March 24, 2019 - March 27, 2019

KNOW 2019 (Vegas)

April 01, 2019 - April 05, 2019

Internet Freedom Festival (Valencia)

June 11, 2019 - June 14, 2019

RightsCon (Tunis)

See All Upcoming Events

Recent Updates

Making Diversity The Default in The Open Source World

Tor is a community, an organization, a network, and a place to build and maintain technology that protects your information when navigating the internet.

International Women's Day

Today, March 8th, women all around the world are expressing themselves in one way or another on commemorating their all year long struggle for equality and justice.

How Has Tor Helped You? Send Us Your Story.

Last September, we asked to hear stories about how Tor has helped protect people online.

New Releases: Tor 0.4.0.2-alpha, 0.3.5.8, 0.3.4.11, and 0.3.3.12

There are new source code releases available for download. If you build Tor from source, you can download the source code for 0.4.0.2-alpha and 0.3.5.8 from the download page. You can find 0.3.4.11 and 0.3.3.12 at dist.torproject.org. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the same timeframe.

These releases all fix TROVE-2019-001, a possible security bug involving the KIST cell scheduler code in versions 0.3.2.1-alpha and later. We are not certain that it is possible to exploit this bug in the wild, but out of an abundance of caution, we recommend that all affected users upgrade once packages are available. The potential impact is a remote denial-of-service attack against clients or relays.

Also note: 0.3.3.12 is the last anticipated release in the 0.3.3.x series; that series will become unsupported next week. The remaining supported stable series will 0.2.9.x (long-term support until 2020), 0.3.4.x (supported until June), and 0.3.5.x (long-term support until 2022).

Below are the changes in Tor 0.3.5.8 and in 0.4.0.2-alpha. You can also read the changelog for 0.3.4.11 and the changelog for 0.3.3.12.

Changes in version 0.3.5.8 - 2019-02-21

Tor 0.3.5.8 backports serveral fixes from later releases, including fixes for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases.

It also includes a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and later. All Tor instances running an affected release should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.
Major bugfixes (networking, backport from 0.4.0.2-alpha):
- Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.