Tor Browser 3.6.2 is released

The second pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features a fix to allow the configuration of a local HTTP or SOCKS proxy with all included Pluggable Transports.

In addition, this release also features important security updates to Firefox, as well as an update to OpenSSL 1.0.1h to address the latest round of OpenSSL security issues.

This release also updates the Tor client software to version 0.2.4.22, which blacklists directory authority keys that were created prior to fixing the Heartbleed attack.

  • All Platforms
    • Update Firefox to 24.6.0esr
    • Update OpenSSL to 1.0.1h
    • Update NoScript to 2.6.8.28
    • Update Tor to 0.2.4.22
    • Update Tor Launcher to 0.2.5.5
      • Bug 10425: Provide geoip6 file location to Tor process
      • Bug 11754: Remove untranslated locales that were dropped from Transifex
      • Bug 11772: Set Proxy Type menu correctly after restart
      • Bug 11699: Change &#160 to a non-breaking space in UI elements
    • Update Torbutton to 1.6.10.0
      • Bug 11510: about:tor should not report success if tor proxy is unreachable
      • Bug 11783: Avoid b.webProgress error when double-clicking on New Identity
      • Bug 11722: Add hidden pref to force remote Tor check
      • Bug 11763: Fix pref dialog double-click race that caused settings to be reset
    • Bug 11629: Support proxies with Pluggable Transports
      • Updates FTEProxy to 0.2.15
      • Updates obfsproxy to 0.2.9
    • Backported Tor Patches:
      • Bug 11654: Fix malformed log message in bug11156 patch.
    • Bug 10425: Add in Tor's geoip6 files to the bundle distribution
    • Bugs 11834 and 11835: Include Pluggable Transport documentation
    • Bug 9701: Prevent ClipBoardCache from writing to disk.
    • Bug 12146: Make the CONNECT Host header the same as the Request-URI.
    • Bug 12212: Disable deprecated webaudio API
    • Bug 11253: Turn on TLS 1.1 and 1.2.
    • Bug 11817: Don't send startup time information to Mozilla.

The list of frequently encountered known issues is also available in our bug tracker.

k239

June 10, 2014

Which version of Firefox will start with DRM-use made possible? And yes, I know you will delete all DRM-related parts in the Firefox source code. Many thanks for that. I have read the discussion with Mozilla about the matter. I would like to know if I have to worry about it or not. How are things?

k239

June 12, 2014

I tried to install the 3.6.2 upgrade multiple times but keep getting the same error message when I go to launch the browser: "Couldn't load XPCOM"

Is there anything that can be done?

You should remove the Webroot SecureAnywhere software. It is positioned as a product for normal users, but only geeks can configure it if some new browser release "suddenly" happens.

Starting with TBB 3.6.2, every time I launch Tor Browser, ZoneAlarm pops up an alert:

  SERVER PROGRAM
  Application Layer Gateway Service wants to accept connections from the internet.
  Application: alg.exe
  Source IP: x.x.x.x:Port 3542
  (Allow / Deny)

I select Deny and TBB works fine.
Why does this ZA alert appear only with version 3.6.2?
Is TBB trying to connect to an FTP server on start-up?

It looks like your Zone Alarm (one Windows security tool) is complaining about your Application Layer Gateway Service (a second Windows security tool)?

"alg.exe" is not TBB.

Yes, I know alg.exe is not TBB (it's an MS Windows service).
The ZoneAlarm firewall always shows this alert when a browser (or FTP client) accesses an FTP server.
That's why I was asking if TBB 3.6.2 tries to access an "ftp://" site on start-up (perhaps to check for updates).
ZA didn't show this alert with previous versions of TBB.

No, it does not try to do that as far as I can tell.

Tor relays listen on a variety of ports. This is a feature, since some users are behind firewalls that only allow certain ports out.

Here's a relay that listens on port 21:
https://atlas.torproject.org/#details/1C90D3AEADFF3BCD079810632C8B85637…

So if your Tor client connects there, any spy software you have on your computer that assumes port 21 traffic is ftp will complain.
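The reply above, illustrated with an added example (not part of the original comment and not Tor Project code): a port-number guess labels a connection to a relay's ORPort 21 as "ftp", while a lookup against the relay list identifies it correctly. The consensus lines, connection records, process names and addresses are constructed samples, and `parse_orports` and `classify` are hypothetical helper names.

```python
import ipaddress

# Constructed sample of consensus "r" lines:
# r nickname identity digest date time IP ORPort DirPort
# Addresses are documentation ranges, not real relays.
SAMPLE_CONSENSUS = """\
r exampleRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-06-10 12:00:00 192.0.2.10 21 0
s Fast Running Valid
r exampleRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-06-10 12:00:00 198.51.100.7 443 80
s Fast Guard Running Valid
"""

# Constructed outbound-connection records: (process, dest_ip, dest_port)
SAMPLE_CONNECTIONS = [
    ("tor.exe", "192.0.2.10", 21),
    ("ftpclient.exe", "203.0.113.5", 21),
    ("tor.exe", "198.51.100.7", 443),
]

# What a port-only classifier assumes about well-known ports.
PORT_GUESS = {21: "ftp", 80: "http", 443: "https"}


def parse_orports(consensus_text):
    """Return the set of (ip, ORPort) pairs found in consensus 'r' lines."""
    endpoints = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) != 9 or fields[0] != "r":
            continue  # not a router status line
        try:
            ip = ipaddress.ip_address(fields[6])
            port = int(fields[7])
        except ValueError:
            continue  # malformed address or port: skip the line
        if 0 < port < 65536:
            endpoints.add((str(ip), port))
    return endpoints


def classify(connections, relay_endpoints):
    """Label each connection; a relay-list match overrides the port guess."""
    results = []
    for proc, ip, port in connections:
        if (ip, port) in relay_endpoints:
            label = "tor-relay"
        else:
            label = PORT_GUESS.get(port, "unknown") + " (port guess only)"
        results.append((proc, ip, port, label))
    return results
```
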

So good this latest upgrade ain't also susceptible to refusing to open on my XP 'less the manual feature be used. Well done!
And yes, afore anyone axes, I did download twice but it doodn't make one blind bit of difference. Y'all caught the "error" without needing to be whinged at. Yer still at the top of y'alls game - thanx fer that...

The only issue I've run into is that Tor crashes every time I try to load LinkedIn.com. Four times in a row — other sites are fine. It happens in the moments just after it fully loads. The CPU runs up over 100% and stays there, and the browser becomes unresponsive.

Try disabling httpseverywhere and see if that changes anything? If so, please file a ticket.

(I just loaded linkedin in my TBB and it loaded fine.)

I have the same issue with TBB 3.6.2 (and some 3.x previous versions too).
I tested TBB 2.3.25-15 (last based on Firefox 17 ESR), and it doesn't have this problem.
Also tested TBB 3.6.2 disabling "HTTPS Everywhere", and disabling javascript, but TBB freezes and becomes unresponsive with 100% CPU usage after staying some seconds at linkedin.com.
I've found someone else has already reported this issue 5 months ago:
#10631 closed defect (duplicate)
LinkedIn page freezes Tor Browser
https://trac.torproject.org/projects/tor/ticket/10631

Also checked "Firefox 24.6.0 ESR + Tor", and it does not freeze with linkedin

Me too. I've revived the ticket and we'll see if we can do something about it. Thanks!

How does TBB 3.6.2 get its "Provided set of bridges"? Are they different for each user? I chose the same option in TBB 3.6, and both versions' torrc shows same set of bridges. Are these "provided bridges" publicly known?

Also, FTE transport only works with "Provided set" and bridgeDB won't give out FTE bridges.

Those bridges are included in Tor Browser. They're the same for every user, so that the package signatures can still be checked. Presumably they're blocked after a while in a few places in the world, e.g. China, but continue to work fine in the rest of the world.

As for bridgedb giving out fte bridges...maybe you should run some fte bridges so we have some to give out? :)

Thanks for reply. Only fte bridges work here :(
Is it possible to make a scramblingsuit bridge work in Tor Browser? Tor Browser didn't accept them. I just pasted the lines the usual way. Maybe bridge nodes of this type are offline.

Yes, I'd wish to run fte bridges, but I'm on a speed 120kbps internet connection, sad

No, Scramblesuit needs a newer tor (>= 0.2.5.2-alpha IIRC) while TBB ships 0.2.4.22.

Since installing the latest version I cannot get images to load on either flickr or tumblr even with Jscript enabled. Anyone else got this? Using Win XP.

Could you give me some steps to reproduce your issue? I am not using these services, thus I am not sure how they are supposed to look like... Do I need to be logged in to hit your problem?

TB 3.6.2 little bug: If you have a new window opened, the TorButton will disable "New Identity" in the old TorBrowser window, even if you close the new window. The idea is to create a new window again and close the old window if you want to re-enable "New Identity".

Interesting. Do you have steps to reproduce? Which operating system are you using? I just opened a new private window (Ctrl + N) but the New Identity option did not get disabled in the old one.

In my case (Linux 64-bit) there is no old one after I click new identity. It closes all the windows and opens a fresh one.

Is this a problem with Tor?:

"Authentication weaknesses in GCM"
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/F…
Niels Ferguson (Microsoft)
- potential weakness: authentication & encryption as ONE function
- AEAD authentication tag length

http://fse2012.inria.fr/SLIDES/36.pdf
Markku-Juhani Saarinen

I just downloaded Tor version 3.6.2 after having removed the previous version.
I found Control Vidalia Panel missing on those.
Is this due to a change in design or some kind of mistake?
I have downloaded several times with the same result.

Please advise.

On OS X I get "The app can't be opened because it is from an unknown developer". I know what the warning means (that the binary isn't signed to apple's liking), but I don't remember getting the warning on previous versions, so I hesitate to run TorBrowser. Is it supposed to be signed?

No, we don't sign it yet but are working on a proper solution.

I understand Tor Bundle should be downloaded only from the Tor website.
I wonder if it is better to do this within and inside Tor Browser, or can this be done outside of Tor Browser using other browsers?
[Even though very first download has to be through the use of other browser—no other choice. ]

Would like to know your opinion.

Integer-Overflow in LZ4 and LZO
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-t…

Relevant for Tor?
Sorry, I am no programmer

Hello,

unfortunately, comments are now closed for your "Hardening android" blog post.
Could you create a followup blog post so we can continue the discussion and feedback?

I think they still work (though we approve comments by hand, alas, since there's so much spam).

\Tor\PluggableTransports\flashproxy-client.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-appspot.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-email.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-http.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\flashproxy-reg-url.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\fteproxy.exe: Win.Trojan.Agent-748059 FOUND
\Tor\PluggableTransports\obfsproxy.exe: Win.Trojan.Agent-748059 FOUND

Using clamwin antivirus. What's wrong?

Well, one possibility is that you have a virus on your computer that's infecting files you download.

But the much more likely possibility is that "clamwin antivirus" is just wrong.
https://www.torproject.org/docs/faq#VirusFalsePositives

There is no option to add a hidden service in the Tor 3.6-2...Can someone tell me how to go about it?

You'll have to edit your torrc file by hand.

https://www.torproject.org/docs/tor-hidden-service.html

And while I agree this isn't as easy as having something in Tor Launcher that does it for you, I think configuring Tor to use a hidden service is the easy part, compared to setting up and locking down the service itself. Be careful / good luck!

hello dear TOR guys :)

I had a question to ask. I didn't know where to ask it. If it's not the correct place, please forgive me & guide me to the right place. Thank you.

Question:
I do connect to internet and run TOR. It connects to the web and its browser opens.
During browsing, my internet (from ISP side) goes off & gets dc. Windows does redialing and makes me connected again. After this, I checked and noticed that TOR browser still works and does service. But the question I wanted to ask from you TOR guys is this: Is my connection still as safe as before disconnecting? Have you performed any survey or analysis for checking this situation?

thanks in advance
A big fan from Iran :)

It should be fine -- this is one of the situations that Tor is designed to handle well.

Are you sure about this? You know in some countries, security is more important than anything!
Sorry to ask this buddy; are you from the TOR team?
Thanks again for being so helpful and responsive.

I'm more sure about it than I am of many other things. Or said another way, I worry about plenty of things in Tor (and Internet security in general), but this isn't one of them.

But don't take my word for it! Learn more about Tor and privacy, so you can help teach your friends about it too.
https://www.torproject.org/docs/documentation#UpToSpeed

thank you buddy for all you do for TOR and for us :)

Hello, please read the content (in German) in the link above and give us a comment. Many thanks in advance.

http://www.tagesschau.de/inland/nsa-xkeyscore-100.html

...thanks for your answer. Now, the discussion is out: I'm an extremist. Please remember this :D
Otherwise, thanks for your mission.
Will use TOR whenever I want, means: only.

Is there a hidden service version of the downloads?

I can't seem to connect to the Tor network, it won't go past the loading authority certificate part...