Tor Browser 3.6 is released

The Tor Browser Team is proud to announce the first stable release of the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

For users upgrading from Tor Browser 3.5.x, the 3.6 series features fully integrated Pluggable Transport support, including an improved Tor Launcher UI for configuring Pluggable Transport bridges. The Pluggable Transport code is also fully disabled for users who do not configure any transports. The 3.6 series also changes the MacOS archive format from zip to DMG, which should improve installation usability for Mac users.

This release also includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series. We also maintain a list of frequently encountered known issues in our bugtracker.

Here is the complete changelog since TBB 3.5.4:

  • All Platforms
    • Update Firefox to 24.5.0esr
    • Include Pluggable Transports by default:
      • Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.13 are now included
    • Bug 11586: Include license files for component software in Docs directory.
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update NoScript to 2.6.8.20
    • Update Tor Launcher to 0.2.5.4
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
      • Bug 10418: Provide UI configuration for Pluggable Transports
      • Bug 10604: Allow Tor status & error messages to be translated
      • Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
      • Bug 10610: Clarify wizard UI text describing obstacles/blocking
      • Bug 11074: Support Tails use case (XULRunner and optional customizations)
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to 1.6.9.0:
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
      • Bug 5018: Don't launch Pluggable Transport helpers if not in use
      • Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
      • Bug 11069: Detect and report Pluggable Transport bootstrap failures
      • Bug 11156: Prevent spurious warning about missing pluggable transports
  • Mac:
    • Bug 4261: Use DMG instead of ZIP for Mac packages
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows
  • Linux:
    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows

Here is the changelog since the 3.6-beta-2:

  • All Platforms
    • Update Firefox to 24.5.0esr
    • Update Tor Launcher to 0.2.5.4
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to 1.6.9.0
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Update NoScript to 2.6.8.20
    • Update fte transport to 0.2.13
    • Backport Pending Tor Patches:
      • Bug 11156: Additional obfsproxy startup error message fixes
    • Bug 11586: Include license files for component software in Docs directory.
  • Windows and Mac:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows builds

HTTPS-Everywhere 3.5.x switched to using SQLite for storing rulesets, and the build process that generates this SQLite database is not yet reproducible/deterministic (see Bug 11630). We had to build and include the 3.4.5 version for TBB 3.6 builds to be reproducible.

We're trying to decide what to do about this, and should have some form of fix or stopgap by the next TBB release.

Anonymous

April 30, 2014

[warn] Controller gave us config lines that didn't validate: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

Every time I try to connect through proxy it gives this... why?

I get this type of error during configuration:

Unable to save Tor settings.

Unacceptable option value: You have configured more than one proxy type.

Anonymous

April 30, 2014

I have obfs2,3 standard, fte, and flashproxy in my custom bridges list.
While obfs3,2, standard work fine, I can't make fte & flashproxy bridges work under the "custom bridges" option. Why is this?

Where did you get the FTE bridges from? AFAIK, BridgeDB doesn't give out FTE bridges yet. Are you sure the FTE bridges work?

Do you get some kind of error when you try to add FTE bridges?

Anonymous

April 30, 2014

AND, yet again, "important security updates to Firefox".

Many of which fix bugs that allow arbitrary code execution, and therefore give away your real IP address, MAC address, and whatever else can be found on the computer.

Just like every other release so far. That Firefox change log is red all over.

You have had years with the TBB. During that time, Firefox, like every other browser, has had a continuous stream of critical vulnerabilities. Those have been exploited to unmask Tor users in very public incidents and presumably in many more non-public incidents.

You have never had a single secure release, ever.

You have never had a single release that couldn't be broken with ONE single exploit.

How long is it going to take you to realize that relying on the browser alone to prevent Web sites from finding the user's identity can never work?

Your whole approach is broken. You are putting your users at risk. The browser WILL be subverted. You are going to have to find a reliable way to hide the computer's identity from the browser. Preferably more than one layer. You can't trust ANYTHING to not have bugs.

No web browsers are free of security bugs. Should TOR stop shipping any web browser?

TAILS and Whonix also use Firefox, protected by read only media and firewalls. Is that what you want? Or should TAILS and Whonix not ship a web browser either?

Same person here.

I didn't say "don't ship Firefox". I said "don't rely on the browser alone" and "hide the computer's identity from the browser".

Whonix is an improvement. It's not perfect, but it's an improvement.

With the TBB, if you break out of the Web browser, you immediately get the user's real IP address, MAC address, etc. One zero-day and the user is owned. Tails is basically the same; it gives you additional protection against local attacks, but nothing much against attacks from the network.

On the other hand, if you break out of the Web browser in Whonix, you may get information about the user's anonymous activities, but it's anonymous information about anonymous activities.

Unless the user has actively (and unwisely and against advice) put identity information inside the Whonix "workstation" VM, you get nothing identifiable until you ALSO break out of the "workstation" VM or compromise the "gateway" VM. You have to be able to break either VirtualBox, Tor, or the kernel on the Whonix "gateway" VM. And even that attack surface can be reduced with hardware isolation.

It takes TWO bugs in TWO different pieces of software to find the user's identity in Whonix, versus ONE bug in TBB or Tails. That is a radical improvement. Qubes with a Tor-based network VM is similar to Whonix.

It's true that really tough opponents may have libraries of zero-days in both browsers and kernels/Tor, but a lot more opponents are going to have just a zero-day in Firefox.

Whonix is at least giving security a real try. I can't say that for the TBB or TAILS. As far as I can tell, they're emphasizing ease of use, and just turning off their brains to avoid thinking about how easy they are to break. That excessive emphasis on ease of use just encourages people who don't understand the risks to expose themselves.

There are other things you could do to lock things down, too, mostly involving confining the browser more, so it's harder to use it to attack VMs or whatever. Tails could do them. I don't think the TBB is architecturally able to do them, because you're going to need kernel support.

Yes, I'd love to have more people looking into Whonix, WiNoN, etc. Seems like one nice way forward would be for Tails to put more things into VMs if you have hardware virtualization support (and not do it if you don't). Another option to explore is how to do this from within Windows, for those who feel they need to stick to it, though of course having your Windows OS underneath everything, with all your spyware/etc already installed, is not a great situation.

The Tor Browser team is all full up trying to keep the serious privacy issues under control in Firefox. We need help from others to try to make these other pieces usable for normal people. Please help!

Meanwhile, it seems like usually no more than several days pass between the time that Firefox ESR releases a new version with one or more critical security fixes and the time that a new TBB based on this is released.

This does NOT, however, appear to be the case for Tails, with its 6-week release cycle.

I realize it is not realistic or even fair to expect Tails to come out with new releases any more often than this (and even every six weeks seems rather impressive). But how secure is using Tails more than a few days after one or more critical vulns in its Firefox/Iceweasel version (or any of the other software Tails runs) have been reported?

Perhaps the Tails folks should include a warning along these lines, urging people to continually follow the security disclosures and make risk-benefit decisions accordingly.

What about working on a TBB based on a text-only browser and encouraging/educating people (those at high risk, at least) to recondition themselves into making-do with text-only?

Wouldn't a text-only browser eliminate MANY of the threats that every full-fledged browser is rife with?

In the meantime, by the time a given Tails release is, say a week or two old, perhaps the option of using TBB within an ordinary just-released or updated live system should be considered as a potentially safer alternative. (Depending, of course, upon specific usage case and threat model.)

Yes, just like there has never been a completely secure operating system. By adding additional layers, you're just increasing the attack surface; you're just increasing the number of possible vulnerabilities to exploit.

You are never going to get 100% safety using Tor; even Whonix (an isolating proxy) can't ensure for certain your IP isn't leaked. Any bugs in the VM could de-anonymize you. But if you're looking to be completely safe, the only way to do that is not to use a computer at all.

Anonymous

April 30, 2014

I've been downloading TBB releases for a while now, and this is the first time I've gotten this message on my Mac:

“TorBrowser.app” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.

Are you guys aware of this issue?

Anonymous

April 30, 2014

Proxy settings don't work for TBB 3.6 on Linux (32 bit - haven't tried on the 64 bit machine.)

If I try to configure the proxy setting at startup I get this error:

Unacceptable option value: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

I'm back to using the last version which works flawlessly.

Can't please all the people all the time, I guess.

There were many users clamoring for DMGs and uncertain what to do with zips, before. Many of the Apple users I've talked to are happy we've finally moved to DMGs, since they're "the standard" and "what everybody expects".

As a Mac user, it's cool and all you did that, but it's hardly an important feature. If there are Mac users out there who don't know how to extract a zip, perhaps they have no business using Tor or even computers at all.

It's simpler using zips than DMG. DMG you have to double click, wait, then drag the application to wherever you want, then eject DMG. ZIP just double click then drag wherever you want, it's easier.

The target audience of Tor isn't restricted to those who are computer wizards. It aims to serve those who aren't as well; everyone uses a computer these days no matter their skill level, and not all of them want governments and/or corporations finding out their activities online.

Anonymous

April 30, 2014

What does "Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion. " do in ELI5?

First read:
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

It turns out that a) some parts of Firefox's JavaScript engine are responsible for a lot of its JavaScript security vulnerabilities, and b) you can disable those parts without actually disabling JavaScript. It makes things slower (because Firefox uses slower but more secure versions to do everything instead), but it doesn't actually disable the functionality.

So we've turned those parts off, and we'll see what users think.
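An added example, not part of the original thread and not Tor Browser's own code: a small audit that parses a Firefox preferences file and reports which of the JIT-related settings from the Bug 9387 entry are not switched off. The four pref names are an assumption based on Firefox 24 ESR-era preferences (the page does not spell them out), and the sample file is constructed.

```javascript
// Prefs assumed to correspond to "JS JIT, type inference, asmjs, and ion"
// (Firefox 24 ESR-era names; an assumption, not taken from the page).
const JIT_PREFS = [
  "javascript.options.baselinejit.content",
  "javascript.options.ion.content",
  "javascript.options.typeinference",
  "javascript.options.asmjs",
];

// Parse pref("name", value); and user_pref("name", value); lines.
// Later lines override earlier ones; comment lines are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*(\/\/|#)/.test(line)) continue;
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else value = raw.replace(/^"|"$/g, "");
    prefs.set(m[1], value);
  }
  return prefs;
}

// Return one finding per JIT pref that is not explicitly set to false.
// "unset" means the file does not set it, so the browser default applies.
function auditJitPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const name of JIT_PREFS) {
    if (!prefs.has(name)) findings.push({ name, status: "unset" });
    else if (prefs.get(name) !== false) findings.push({ name, status: "enabled" });
  }
  return findings;
}

// Constructed sample: one pref commented out, one re-enabled by a later line.
const SAMPLE = `
pref("javascript.options.ion.content", false);
pref("javascript.options.typeinference", false);
pref("javascript.options.asmjs", false);
user_pref("javascript.options.asmjs", true);
// pref("javascript.options.baselinejit.content", false);
user_pref("browser.startup.homepage", "about:tor");
`;

for (const f of auditJitPrefs(SAMPLE)) console.log(`${f.status}: ${f.name}`);
```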

Anonymous

May 04, 2014

In reply to by arma

That's why TBB 3.6 is so sloooooooower compared to TBB 3.5.4?

Tested on not-so-new hardware (Pentium IV @ 2.4 GHz), with these ugly results:

Your SPEED-BATTLE result*:

TBB 3.6
Calculate / Store / Render / OVERALL SCORE
3.01 / 1.88 / 6.92 / 11.81

TBB 3.5.4
Calculate / Store / Render / OVERALL SCORE
30.57 / 309.13 / 6.02 / 345.72

(Similar results for TBB 3.6 on Dual Core 2.00 GHz)

TBB 3.6 is unusable for me! :-(

Well, that test is explicitly measuring JavaScript speed. Therefore, it is no surprise that 3.6 is not as good as 3.5.4 in this regard. That said, whether that matters and is responsible for the slowness you describe is hard to tell. We tested these settings quite a bit and did not recognize a slowdown during day-to-day browsing. What sites do you have issues with?

Anonymous

April 30, 2014

Hi, I can't access panopticlick.eff.org using Tor Browser.

I tried several times, it says Untrusted Connection and there is only one option, "Get me out of here!" and the Technical Details. Nothing else. I can't continue to website. Is this normal?

(Details: panopticlick.eff.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided.)

Anonymous

May 01, 2014

Thanks for the new release. Two questions about your distribution process: 1. do you provide the sources to your changes to Firefox and your launcher, and 2. could you provide a Windows version that can be extracted without user interaction, either as command line parameters to the installer or as an alternative ZIP distribution?

1) https://gitweb.torproject.org/builders/tor-browser-bundle.git
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD…
https://gitweb.torproject.org/tor-launcher.git/tree

For the patches, it looks like we moved from "have a directory with diffs in it" to "have a git repo that you can see the commits on". Here it is:
https://gitweb.torproject.org/tor-browser.git/log/refs/heads/tor-browse…

2) Several people have asked for this. The best way to make it happen is to open a trac ticket and write a patch. (Thanks in advance! :)

Anonymous

May 01, 2014

Unfortunately I received this error after download

"Could not load XPCOM"

Using Windows 7 64 Bit

Regards

I did all the things people suggested with this problem and it still doesn't seem to fix anything whatsoever... I don't get why this is such a huge problem... I disable my webroot like it suggested with everything closed down and try using the new browser and still get the same message... then turn my web root back on and scan and have adware... Lol lovely... would love to hear a solution to this that's guaranteed to work and doesn't involve putting my computer at risk with no antivirus

Anonymous

May 01, 2014

Hi!
I can't to any pages since this new release on my Mac however my Torbutton is green

Anonymous

May 01, 2014

Can't remember the answer to this, but why isn't TBB also distributed via default (i.e. non torproject.org) aptitude repositories for ubuntu/debian?

Anonymous

May 01, 2014

I have no real need for anonymity. I haven't downloaded Tor to hide spurious web browsing or for financial or business protection. My last browser became buggy. I looked over the various browsers on offer & found Tor. I don't do social networking, and although I have nothing to hide I resent the ever present Gestapo feel of information mining today.
I am not technically aware. I can't be certain that Tor is more secure than a plasticine padlock, but the thought that it just might be a thorn in the side of Big Brother is good enough reason for me.
Thanks