Tor Browser 3.6.3 is released

The third pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.7.0esr
    • Update obfsproxy to 0.2.12
    • Update FTE to 0.2.17
    • Update NoScript to 2.6.8.33
    • Update HTTPS Everywhere to 3.5.3
    • Bug 12673: Update FTE bridges
    • Update Torbutton to 1.6.11.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
  • Linux:
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

July 25, 2014

Permalink

good

Anonymous

July 25, 2014

Permalink

The beta and alpha versions have security features when can we see them? Because unfortunately tor 3.6.3 is only updated not new features

Anonymous

July 25, 2014

Permalink

I hope obfsproxy4 (or whatever it's called) will be ready before Russia cracks down on Tor by the end of this year :(

unfortunately we are waiting for long time. also they should disable obfs2 and 3 once releasing 4. tor is strong but has weak points

It's obfs4proxy, though in hindsight I should have picked a better name.

Unless their crackdown is reasonably sophisticated obfs3 should work (and ScrambleSuit/obfs4 will work, assuming unblocked bridges), so there's plenty of options in that area already. Furthermore, unless something unforeseen happens, I expect obfs4 should approach being usable from test bundles sometime next month.

obfs4 progress can be tracked at:
https://trac.torproject.org/projects/tor/ticket/12130

The new ESR is 31 - 24.7 will be the last update to the 24.x ESR. And I guess TBB will shift to 31ESR no later than when support for 24.7ESR runs out, but I can't remember the date.

Anonymous

July 25, 2014

Permalink

I'm desperately trying to lay my hands on the previous release (3.5.4 I believe). 3.6.3 simply does not connect. Where can I get the previous release from?

I have the same issue. The updates on two different computers downloaded through tor will not connect. I downloaded the update without tor and it connects fine. I don't know if that should worry me. Sorry, don't see where to submit bugs, I'll keep looking.

Hello, I wasn't able to connect too, but after running TBB in the terminal, I found out this message: "Our clock is 2 hours, 42 minutes behind the time published in the consensus network status document (2014-08-08 08:00:00 UTC). Tor needs an accurate clock to work correctly. Please check your time and date settings!" Then I adjusted the clock and it worked fine. I'm not an advanced user (migrated to linux recently), but maybe this info will help you.

(I think it would be better if these informations were presented to the user in the GUI too)

Anonymous

July 26, 2014

Permalink

Last version Tor Browser 3.6.2 always crack my SUSE Linux for playing youtube in html5 mode

Anonymous

August 01, 2014

In reply to by arma

Permalink

i am not the person you wrote to.
On my openSUSE 13.1 TBB don't work anymore. Tails work on this Computer and the last Version worked too. If I click on connect then the TBB sometimes start sending and receiving data but stops at some point. Sometimes it even don't start to send or receiving anything. I have deactivatet the Firewall.

Anonymous

July 26, 2014

Permalink

Can I check the Block reported attack sites and Block reported web forgeries options in Firefox/TBB: Menu Option - Security?

Anonymous

July 26, 2014

Permalink

given that Russia is now trying to bribe people to find tor users and grass them up, what features are gonna be incorporated to prevent this (or make it extremely difficult) and when will that be?

Anonymous

July 26, 2014

Permalink

When starting new version in Win XP pro3 the window is only about 70 percent wide. Any way I can get it to start 'maximised' ?

Anonymous

July 26, 2014

Permalink

Just wanted to say great work on "catching up" to Mozilla's ESR release cycle!

Anonymous

July 26, 2014

Permalink

Hello,

I've got a problem with cookie management in recent versions of TorBrowser. Can anyone help me please??

The problem can be reproduced with these steps:

1.: Download and start-up a fresh instance of TorBrowserBundle.

2.: Go to "Edit" → "Preferences" → "Privacy", and uncheck "Accept cookies from sites".

3.: Go to "Edit" → "Preferences" → "Privacy" → "Exceptions" and add an exception for a website where you can log in.

4.: Open a new tab and navigate to that website that you've added in step 3, and log in.

5.: While you're still logged in, go to "Edit" → "Preferences" → "Privacy" → "Exceptions", and click "Remove All Sites". This will remove the exception that you've added in step 3.

6.: While you're still logged in, go to "Edit" → "Preferences" → "Privacy" → "Show Cookies", and click "Remove All Cookies". Notice the number of cookies that are actually displayed.

7.: Refresh the tab from step 4. You are logged out now.

8.: Go to "Edit" → "Preferences" → "Privacy" → "Exceptions" and add an exception for the same website as in step 3.

9.: Refresh the tab from step 4. Notice whether you're logged in or logged out.

EXPECTED BEHAVIOUR:

In step 6: At least one cookie is displayed.

In step 9: You are logged out.

ACTUAL BEHAVIOUR:

In step 6: Zero cookies are displayed.

In step 9: You are logged in.

If this is a bug, then please fix this as soon as possible.
If this isn't a bug, then please explain to the world how reasonable software can behave this way.

Thanks!

I have not verified this behavior in TBB, but I'm pretty sure it's an upstream issue with Firefox, which doesn't display cookies properly in that part of the UI and hasn't for a while. Given Mozilla's recent marketing push around "fighting surveillance," this feature breaking over several Firefox releases--along with the Firefox 31.0 privacy degradations around similar features--make one question whether there's a disconnect between what Firefox wants to be seen as and how it actually functions.

In either case, I would encourage you to file a bug report upstream with Firefox's bugzilla, unless I'm wrong about this not being an upstream issue.

Just wanted to say GOOD ON YOU for filing this bug report!

In the process you've brought additional attention to an important policy question: is Mozilla for real when it comes to making sure Firefox privacy/security features actually work as describe, or is it rolling over in every way possible that's not obvious to the user in order to help preserve the tracking capabilities of Google, its major funder?

Thanks for this because it's good to know that I'm not the only one annoyed by that.

Unfortunately I just realised that this bug is now open since more than 1½ years, and it seemingly didn't make much progress in that time.

So, I'm afraid that Tor project can't count on Mozilla devs when it comes to resolving privacy issues.
@Tor devs
Can you estimate whether it would be feasible to fix this in Tor Browser if upstream continues to ignore/delay this issue?

Because, as things are right now, there's no possibility to do cookie management in Tor Browser. :-(

Anonymous

July 26, 2014

Permalink

Tor Browser 3.6.3 can be opened only one time. When it is closed you cannot open it again.

Well, that's not true for the rest of the people here. Perhaps you should contact the help desk and see if they can help you figure out what you're doing wrong? And ideally you can generate a bug report so we can help future people in your situation.
https://www.torproject.org/about/contact
[Edit: actually, it *does* appear true for more people here. Please help debug!]

Anonymous

July 26, 2014

Permalink

when I search for stuff an pop into a search to check it out by the time ive checked a 3rd seach im cut off with a response im an automated computer an I have to do a captcha to continue on start page on others it just flat out denys me usage now im not looking up anything illegal immoral or bad last seach I used was banned youtube vids for games an stupid look at me vids people doing dumass stuff an posting it an getting banned because its too dangerous it kept kicking me off means no longer are we able to surf anonumously if some1 or something is watching our searches an I did like 3 in 7 mins so I wasn't flipping thru it like no machine unless its 1 from the 1970s whats the deal with this sorry for the lack of punctuation.

Anonymous

July 27, 2014

Permalink

There is at least one area where Firefox ESR desperately needs to catch-up with its more fast-moving sister (regular Firefox): The ability to highlight and copy text from the "Certificate viewer". (And this functionality is especially important for Tor Browser) (And this functionality was long overdue when it came to regular Firefox. Chrome had already had it for some time.)

Without this, the only way to verify the hashes for SSL/TLS certificates is manual visual examination, carefully and tediously matching each digit of a displayed hash.

Anonymous

July 27, 2014

Permalink

Ever since I started using the latest version of TBB which is 3.6.3, I have the following error message appearing in the log very frequently:

[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]

What caused it?

How do I fix it?

Thanks in advance for your help.

Sounds like some destination (e.g. website) you're trying to access sent you to an address like 127.0.0.1. When Tor Browser asks Tor to go there, Tor decides you're better off failing to reach it and gives you this log message instead.

I get that message quite often when I connect pidgin to my Tor, since some component in Pidgin (maybe one of AIM's servers?) is trying to connect to a service those name resolves to localhost.

The message (and behavior) is harmless. If your web browsing is working as you expect, don't worry about it. The log message is there as a hint for people who are unhappy that "Tor isn't working" and want to learn why.

Anonymous

July 27, 2014

Permalink

Does 3.6.3 go any way towards defeating the threat of deanonymisation which was the subject of the talk pulled from the BlackHat conference.

If not, has any progress been made to counter the threat?

Thanks

3.6.3 is an update to other components, like the browser. The Tor version remains the same.

Sit tight, there's another update coming. But that said, the next update won't be urgent, since the underlying issue isn't one where we need to put out a patch to the code. More details soon!

Arma,

Thanks for the quick reply. However, I am a bit confused. The announcement surrounding the cancelled Black Hat conference was that TOR users could be unmasked (easily and) cheaply.

Since the whole basis of TOR is to keep users from being unmasked, why is a solution not urgent?

I know you are busy but I am sure that all users of TOR would be interested in and grateful for a full response.

Thank you.

Anonymous

July 27, 2014

Permalink

Love you guys! You are making the Internet a better more free place. Everbody run Relays and Bridges and save the Internet from the Threat called NSA!