Tor Browser 3.6.1 is released

The first pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features a fix for a regression with using a proxy for normal Tor usage. It does not yet allow the configuration of proxies for pluggable transports. We hope to fix that issue in the following point release.

This is not a security release — feel free to keep using TBB 3.6 if it's working for you.

Here is the complete changelog:

  • All Platforms
    • Update HTTPS-Everywhere to 3.5.1
    • Update NoScript to 2.6.8.22
    • Bug 11658: Fix proxy configuration for non-Pluggable Transports users
    • Backport Pending Tor Patches:
      • Bug 8402: Allow Tor proxy configuration while PTs are present
    • Note: The Pluggable Transports themselves have not been updated to support proxy configuration yet.

k239

May 07, 2014


Hi, is it possible to configure Tor Browser to switch between different proxies? I use Iceweasel with FoxyProxy to use Tor/I2P/no proxy for different sites. Even if something leaks, I also use a VPN, so I don't really care about it. Thanks

Proxy bypass is not the only worry you might have. See
https://www.torproject.org/projects/torbrowser/design/
for many other privacy issues that Tor Browser aims to resolve.

The short answer is "no, it makes it too easy for some other attacks, like linking between profiles, to happen." Maybe you don't care about these today, but in our experience people always seem to wish they'd had a bit more privacy in retrospect.

k239

May 07, 2014


"This is not a security release."

So that would mean that users who feel content continuing to use 3.6 may do so safely, right?

If so, may I suggest that you state that explicitly in order to remove any possible doubt or ambiguity on the part of readers.

k239

May 08, 2014


Hi,
I have a question:

In Tails, "Maintain Offline Storage: Allow" is the default (Menu Bar: Page Info -> Permissions).
Is it the default in Tor Browser, too?

Why not NoScript to 2.6.8.23?

If PT adds an extra layer of encryption, making it harder to decipher, why not make all nodes PT?

I have just installed Tor 3.6.1 and I would like to choose my IP address state, but I can't find the Vidalia panel. What can I do?

This is what I got in the Terminal

/home/vidalia-standalone-0.2.21-gnu-linux-x86_64-1-en-US/start-vidalia: line 3: ./App/vidalia: No such file or directory

/home/vidalia-standalone-0.2.21-gnu-linux-x86_64-1-en-US/App/vidalia: cannot execute binary file

Tor Browser Bundle Mac version questions & remarks,
tested version TorBrowser-3.6-osx32

I was looking at the Tor Browser application for the Mac, trying to analyze it a bit out of security curiosity, and I have some questions about it regarding security.
Not about the connections, not about the built-in ESR Firefox, but actually about the Tor bundle application itself.

Local storage
For what I see, the Tor Browser Bundle is not storing information in the local user Library except for some preferences, like org.mozilla.torbrowser.plist, and only when the application itself is installed on the Mac. That's nice, but the consequence is that the information that is usually stored in the local Library folder, like the cache directory and the Application Support directory for the stored user profile, is in this case completely stored within the application bundle itself. About that I have some security questions.

Privilege escalation?
When the Tor application is installed in the Applications folder, as suggested by the installer, you are actually also moving local storage functionality to a directory level with higher admin privileges. Is that a safe approach from a security perspective?
More specifically, is it possible that the application would create possibilities for privilege escalation in case of virus or malware attacks? Just wondering if that possible issue has been discussed by the developers.

Read and write permissions?
The alternative could be to not run this bundle application from the standard Applications folder, but from another local user directory or even from a USB stick.
In that case the application itself maybe has fewer user rights within the system, but it is at the same time less protected itself, because of the read and write permissions that a standard user account has on the TorBrowser.app. And maybe it is therefore more vulnerable to malware that would try to attack the browser itself by changing the browser settings or library?
I was just wondering about that, but I am not a security expert, nor a developer.

Print as pdf storage location
Something else: did you notice or know that when printing a page as a PDF file you have different options for storing that PDF? When you choose one of the standard options from the menu option "Save PDF to Web Receipts Folder", the Tor Browser is actually storing the PDF file within the TorBrowser.app.
Is that on purpose?
I can imagine that it is a smart solution when you run the application from a USB stick, keeping all the files together, but I did not see an explanation or manual for that, so that people are aware of where their possibly lost PDF files are hiding. Hint, hint: your app is growing, which is the way I found out.

Growing app size?
More app size growing? Why is the application size growing, even if you do not store PDF prints in the application bundle? The original application size after installation was something like 81.1 MB. After using and testing the application for some time it is already over 120 MB. Closing will reduce the application size a bit, something like 2 MB, but it is still a lot bigger than after using it the first several times.
What extra information is the bundle storing inside and also keeping after closing the application?

Hopefully someone knows the answers to these questions, and sorry if I overlooked some FAQ answer somewhere; it's a lot of information. I could not get my questions and remarks any shorter, sorry for that too.

Compliments on the application development; 3.6 is working stably on the Mac
and I'll try the 3.6.1 upgrade as well.
Thank you & best regards,

Re: Growing app size: Not sure why that is growing, but we ship the bundle with a minimal profile only, which gets filled with a lot of stuff pretty quickly. You might want to investigate that?

Re: Print as pdf storage location:
Yes, that is on purpose. The bundle is supposed to be self-contained.

Re: Read and write permissions/Privilege escalation:
Yes, we wanted to point the installer to ~/Desktop, but we got feedback from Mac users that this is highly unusual, so we chose /Applications as almost all Mac programs do. That said, see: https://www.torproject.org/projects/torbrowser/design/#attacks point 4.

RE "Re: Growing app size:"
Further investigation and comparison with the newly installed 3.6.1 version made me find out that the cause was mainly the added extra add-ons and some of their growing update subscriptions. For example, add-ons like ABP or Ghostery have (of course) growing lists.
The newly installed 3.6.1 version's size stays around 99 or 100 MB.

Still investigating and thinking about the best place to install the TorBrowser.app under Mac OS X. I'll post some more if I have an interesting opinion or alternative to consider about that (I think I actually have one, but I have to compare and investigate some more). Thanks for answering the questions.

I'm quite new to Tor, and I saw that the installer .exe does not contain any information like file version, description, etc.
Is there a reason for that?

Probably because nobody has added it. Please help?

Is Tor Browser no longer self-contained? It seems to be loading Windows system files, which I don't recall it ever doing before.

At one point the files below wanted access which I denied:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
C:\Program Files\Common Files\Microsoft Shared\Web Folders\msows409.dll

As it seemed more than a little odd to me, after restarting Tor and getting the same thing, I disconnected.

I was using Tor 3.5.4 at the time; I have gone back to using an earlier version of Tor which doesn't use Windows system files.

Any info appreciated.

Sounds like a new bug? Please open a ticket on bugs.torproject.org and provide as much information as you can.

It is still supposed to be self-contained, and you are in fact the first user I am aware of reporting this problem. Might be some components on your system interfering here; hard to say without further investigation...

I'm having an issue with the geoip6 file not being found at

C:\Documents and Settings\\Datos de programa\tor\geoip6

That folder does not even exist.

And also, I've searched all over my hard drive for the geoip6 file and it's nowhere to be found.

Posting from AC100, running a Cubieboard and a node on a Raspberry Pi:
Will there ever be a bundle for armhf?

I have configured everything I know of to make sure all the traffic goes through the Tor network, but how do I test that? Can I see the leaking data?

On May 11th, 2014, Anonymous (me) posted some security questions in a longer question (50 lines). Title: "Tor Browser Bundle Mac version questions & remarks".
Is it still in moderation? Did you choose not to publish it for security reasons, but are you working on these questions or solutions?
That would be nice and interesting to know (for me). Thank you in advance,
best regards, Anonymous.

We have ~1000 spam comments with a few actual comments mixed in. Every so often I go through them and delete most and approve the rest, but it's probably not a smart use of my time.

I recommend if you have an actual question and want an answer, to ask it through one of the recommended contact mechanisms:
https://www.torproject.org/about/contact

How can I store one cookie in Tor Browser?
The site I want to log in to (and all other sites) doesn't store a cookie by itself, so I guess Tor Browser blocks it?!
If somebody asked the same question already, please just comment with a link; I didn't find any helpful information by searching :(

TBB actually does allow cookies -- it just discards them all when you exit.

But the interface for seeing them is broken:
https://trac.torproject.org/projects/tor/ticket/10353

Does any layer of Tor support Perfect Forward Secrecy? What about Hidden Services? Because according to Wikipedia, "In cryptography, forward secrecy (also known as perfect forward secrecy or PFS[1]) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. The key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data is derived from some other keying material, then that material must not be used to derive any more keys. In this way, compromise of a single key permits access only to data protected by that single key."

Does that mean Heartbleed isn't going to be that much of an issue in the future?

Well, maybe.

If you meant "does that mean future issues like heartbleed won't be a problem", then unfortunately no. The heartbleed vulnerability acted at a different level than whether a protocol has the perfect forward secrecy property. PFS is generally about what a *network* adversary can learn. The idea is that if "they" log traffic and later show up and ask you to decrypt it, you can't because you no longer have the key that was used for encrypting it. But if they can bust in and take your key, then things that happen later won't necessarily stay secure.

If you meant "does that mean that once people upgrade, the vulnerability called heartbleed won't be as much of an issue", then yes. There's still the worry that they did some successful attack in the past, but once people are upgraded, and once old identity keys have been thrown out (see https://blog.torproject.org/blog/openssl-bug-cve-2014-0160), we should be in pretty good shape.

Hello, question for the developers or anyone... I have been reading a lot about DNS Leaks and Tor, but I have not found a perfect answer to this yet: Does Tor Browser Bundle leak DNS? If yes, what is a good solution to this?

The short answer is "no, it doesn't."

The longer answer is "no, we hope it doesn't, and we've blocked all the issues we know about, but Firefox sure is complicated, so maybe we missed one. That's why everybody should audit it and report bugs if they find any."

You might like
https://www.torproject.org/projects/torbrowser/design/
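The question a few comments up ("how do I test that, can I see the leaking data?") and this answer both come down to one thing you can observe on the wire: whether the application hands the SOCKS proxy a hostname, or resolves the hostname itself and hands the proxy an IP. The following is an added example, not Tor Project code. It runs a tiny loopback SOCKS5 listener that records the address type of each CONNECT request, then drives two clients through it: one that resolves locally first (the DNS-leak pattern, which Firefox exhibits when network.proxy.socks_remote_dns is false) and one that passes the hostname to the proxy as Tor Browser does. The resolver is a stand-in object that records what it was asked, and the hostname and the 203.0.113.7 address are constructed, so nothing leaves the machine.

```python
import socket
import struct
import threading

ATYP_IPV4, ATYP_DOMAIN = 1, 3   # SOCKS5 address types (RFC 1928); 4 = IPv6, unused here

def recv_exact(conn, n):
    """Read exactly n bytes; SOCKS5 fields are fixed-size or length-prefixed."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

class RecordingSocksServer:
    """Loopback SOCKS5 listener: records each CONNECT's address type and destination,
    then answers 'general failure' so the client returns immediately."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)      # so the accept loop notices close()
        self.port = self.sock.getsockname()[1]
        self.requests = []             # (atyp, destination, port) per CONNECT
        self.stopped = False
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self.stopped:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:            # listener closed
                return
            with conn:
                conn.settimeout(5)
                try:
                    self._handle(conn)
                except OSError:        # client went away mid-handshake
                    pass

    def _handle(self, conn):
        ver, nmethods = recv_exact(conn, 2)            # VER NMETHODS METHODS...
        recv_exact(conn, nmethods)
        if ver != 5:
            return
        conn.sendall(b"\x05\x00")                      # method 0: no authentication
        _ver, _cmd, _rsv, atyp = recv_exact(conn, 4)   # VER CMD RSV ATYP
        if atyp == ATYP_IPV4:
            dst = socket.inet_ntoa(recv_exact(conn, 4))
        elif atyp == ATYP_DOMAIN:
            dst = recv_exact(conn, recv_exact(conn, 1)[0]).decode("ascii", "replace")
        else:
            return
        port = struct.unpack("!H", recv_exact(conn, 2))[0]
        self.requests.append((atyp, dst, port))
        conn.sendall(b"\x05\x01\x00\x01" + b"\x00" * 6)  # REP=1: general failure

    def close(self):
        self.stopped = True
        self.sock.close()

def make_fake_resolver(log):
    """Constructed stand-in for the OS resolver; a real gethostbyname() here
    would send the name, in the clear, to the ISP's DNS server."""
    def resolve(host):
        log.append(host)
        return "203.0.113.7"           # TEST-NET-3 address, constructed
    return resolve

def socks_connect(proxy_port, host, port, resolve_locally, resolver):
    """One SOCKS5 CONNECT. resolve_locally=True is the leaky pattern (look the
    name up first, hand the proxy an IP); False hands the proxy the hostname,
    as Tor Browser does, so the lookup happens inside Tor at the exit."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(b"\x05\x01\x00")                     # greeting: no-auth only
        recv_exact(s, 2)
        if resolve_locally:
            ip = resolver(host)                        # <-- the DNS leak
            req = b"\x05\x01\x00" + bytes([ATYP_IPV4]) + socket.inet_aton(ip)
        else:
            name = host.encode("ascii")
            req = b"\x05\x01\x00" + bytes([ATYP_DOMAIN, len(name)]) + name
        s.sendall(req + struct.pack("!H", port))
        return recv_exact(s, 10)                       # VER REP RSV ATYP ADDR(4) PORT(2)

def run_leak_check(host="example.com"):
    """Drive both client styles through the recorder and report what it saw."""
    server, dns_log = RecordingSocksServer(), []
    resolver = make_fake_resolver(dns_log)
    try:
        socks_connect(server.port, host, 443, True, resolver)
        socks_connect(server.port, host, 443, False, resolver)
    finally:
        server.close()
    (leaky_atyp, leaky_dst, _), (safe_atyp, safe_dst, _) = server.requests
    return {"leaky_atyp": leaky_atyp, "leaky_dst": leaky_dst,
            "safe_atyp": safe_atyp, "safe_dst": safe_dst,
            "local_dns_queries": list(dns_log)}
```

Against a real Tor client the same observation is made by watching the local SOCKS port (the request bytes are identical) or by watching the machine's DNS traffic: a well-configured Tor Browser produces ATYP 3 requests and no outbound DNS at all for the sites it visits, which is exactly what the answer above means by "we've blocked all the issues we know about".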

When I checked the current release via the video tutorial, I got this message after I tried to check Erinn's signature via cmd.exe:

"C:\Users\My name\Desktop>gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x63FEE659
gpg: requesting key 63FEE659 from hkp server pgp.mit.edu
gpg: key 63FEE659: "Erinn Clark " 10 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new signatures: 10

What is the significance of TEN signatures and is this a problem for security?

It's fine. That gpg line you quote doesn't actually check the signature -- it fetches the key from the keyserver. You already had a cached copy of the key, but you fetched a new copy, and the new copy had more signatures (think of them as endorsements) than the copy you already had.

That said, I hope you're following that line up with another gpg line with --verify in it?
https://www.torproject.org/docs/verifying-signatures

Arma

Thanks for the info.

Yes, I verify the signature and get the advice "Good signature".

But what about verifying the signing key itself?

Seems very few people actually do this.

Without verifying the signing key, is verifying a signature any better than simply verifying a SHA256 checksum obtained from an HTTPS authenticated site? (Providing one verifies the fingerprint of the cert.)

I thought that I was doing enough by completing successfully all the instructions in the video 'tutorial' released a short while ago and then 'cross-checking' that by also following the written instructions "How to verify signatures for packages" - but if there is something else that needs to be verified, please put the instructions up and most of us will gratefully follow them.
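The two comments above (arma's note that --recv-keys only fetches the key and the follow-up asking how to verify the signing key itself) point at the check that the written instructions assume but rarely spell out. The block below is an added example, not the Tor Project's verification procedure: it runs gpg --verify with --status-fd and accepts the signature only if the full fingerprint on the VALIDSIG status line equals a value you pinned beforehand. Matching on "Good signature from Erinn Clark" is not enough, since anyone can create a key with that user id and, once it is in your keyring, gpg will print the same line. PINNED_FINGERPRINT is a placeholder that must be replaced with the fingerprint obtained out of band (for instance from https://www.torproject.org/docs/verifying-signatures over HTTPS, ideally cross-checked through a second channel); the status lines are constructed to match the shape documented in GnuPG's doc/DETAILS, not captured output, and the key id and user id in them are fictitious.

```python
import re
import subprocess

# Placeholder (assumption): NOT a real Tor Project key fingerprint. Replace it
# with the value obtained out of band before relying on verify_download().
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

def normalize_fpr(fpr):
    """Strip the spaces people copy from key listings and upper-case the hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()

def parse_validsig(status_text):
    """Return the full 40-hex fingerprint from a VALIDSIG status line, or None.

    GOODSIG carries only a 16-hex key id plus the user id string, both of
    which the signer chooses, so the pin must use the fingerprint VALIDSIG
    reports. BADSIG / ERRSIG lines carry no VALIDSIG and yield None."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return normalize_fpr(fields[2])
    return None

def signature_is_pinned(status_text, expected_fpr=PINNED_FINGERPRINT):
    """True only if gpg reported a valid signature AND it came from the pinned key."""
    fpr = parse_validsig(status_text)
    return fpr is not None and len(fpr) == 40 and fpr == normalize_fpr(expected_fpr)

def verify_download(sig_path, file_path, expected_fpr=PINNED_FINGERPRINT):
    """Run gpg on a detached signature and apply the pin. --status-fd 1 puts the
    machine-readable lines on stdout; --batch keeps gpg from prompting."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return signature_is_pinned(proc.stdout, expected_fpr)

# Constructed sample status output (shape from GnuPG doc/DETAILS; key id and
# user id are fictitious). Case 1: the pinned key made the signature.
STATUS_PINNED_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Demo Signer <demo@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-05-07 "
    "1399420800 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Case 2: a different key carrying the same user id string. gpg still prints
# "Good signature from ..." for it, so matching on that text would pass it.
STATUS_IMPOSTOR_KEY = STATUS_PINNED_KEY.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
)
# Case 3: the downloaded file was altered; there is no VALIDSIG line at all.
STATUS_BAD_SIG = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Demo Signer <demo@example.invalid>\n"
)

if __name__ == "__main__":
    print("pinned key:  ", signature_is_pinned(STATUS_PINNED_KEY))
    print("impostor key:", signature_is_pinned(STATUS_IMPOSTOR_KEY))
    print("bad sig:     ", signature_is_pinned(STATUS_BAD_SIG))
```

With the pin in place the outcome no longer depends on what happens to be in your keyring or how many endorsements the keyserver copy carries: either the pinned key produced a valid signature over the file, or verify_download() returns False.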

Mozilla recently announced it will be including a closed source module from Adobe in order to provide EME DRM-in-HTML support.

Will the torproject be removing it to ensure browser integrity and security? A statement on the future of the TBB would be welcomed. I personally feel that any closed source module should be omitted.

https://www.eff.org/deeplinks/2014/05/mozilla-and-drm

See https://lists.torproject.org/pipermail/tor-talk/2014-May/032947.html and responses there. Apparently Firefox won't actually be including it, but rather they'll be including easy support for having it. So it should be easy to leave it out of Tor Browser, just like we leave Flash out of Tor Browser.

k239

May 15, 2014

In reply to arma

Thanks for the link.

I noticed one of the comments said it would still need to be installed like any other plugin, which is good news. Early reports I read were a bit ambiguous and I got the impression it would be built into the browser whether you wanted it or not.

For everyday browsing it may not be a bad thing, but for people on Tor, this DRM could most likely be used to fingerprint a user's browser.

I am new to the Tor Browser and have been reading all about it, Tails and VPNs. I also read that when using Tor you should not download files. If I did this, did I compromise my anonymity? And is using Tor from my IP address now pointless?

There is no rule never to download files over Tor. Rather, there are certain critical precautions and caveats regarding doing so.

The main danger lies with OPENING files. As a rule, this should only be done while, at the very least, disconnected from the Internet. And unless one can be certain of the safety of a given file, it should only be opened within a live system (such as Tails) or a system that is never network-connected.

See
https://www.torproject.org/download/download-easy.html.en#warning

Also, for the sake of minimizing congestion and bandwidth usage over the network, restraint is urged regarding downloading (or streaming, via HTML5) large files via Tor.

Please be mindful and considerate of the other Tor users.

I have recently, with TB 3.6-beta-2, started to get
[warn] Proxy Client: unable to connect to 209.141.36.236:45496

and

[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]

I do reach the internet, but what about privacy?

On Linux, both Fedora 19 and Mint 13 and both 32 and 64 bit, the firefox browser sometimes hangs and never starts. strace -p shows that the firefox hang is due to FUTEX_WAIT_PRIVATE. The tor daemon always starts and works correctly which I verified with torsocks. This has been going on with at least the past 3 releases as well. I finally figured out how to debug it.

pdfjs.disabled; false

Again? Is this a bad joke?

Are there any special precautions to take if you don't trust your ISP?

By default, your ISP controls both DNS and packets, so theoretically, they could set up fake Tor nodes, hijack your DNS request and maybe uncover a thing or two about your browsing habits. A proxy sort of moves the problem to some other company you have to trust.

Does Tor protect against this?
Can I read about how somewhere?