Tor Browser 3.6.3 is released

The third pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.7.0esr
    • Update obfsproxy to 0.2.12
    • Update FTE to 0.2.17
    • Update NoScript to 2.6.8.33
    • Update HTTPS Everywhere to 3.5.3
    • Bug 12673: Update FTE bridges
    • Update Torbutton to 1.6.11.0
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
  • Linux:
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Consider checking to see if anyone has proposed this previously at trac.torproject.org and submitting a ticket if they haven't.

While I could see how this might be useful, having a bunch of users with potentially different user agents makes them much easier to track. Part of the beauty of TBB's current UA setup is that everyone sharing the same user agent makes each person harder for adversaries to fingerprint based on their user agent.

No, this is probably a bad idea. Your best bet is to stick with the same user agent all the other Tor Browser people have. If you switch yours, and nobody else does, that's basically a way to track you over time.

(If you have in mind to prevent browser fingerprinting, you're going to have to do a heck of a lot more than just changing your user agent.)

PETER

July 27, 2014

Is there any news on when TBB releases can be made available via standard debian update channels?

There have been so many awesome improvements to TBB's release cycle, but bringing "conventional" update channels up to speed would be awesome, too.

If there's a way volunteers could help make this happen, please let us know.

You might like (or hate)
https://trac.torproject.org/projects/tor/ticket/3994

Micah also wrote 'Tor browser launcher' as a deb:
https://packages.debian.org/source/sid/torbrowser-launcher
but it's still kind of klunky compared to what you should want.

The fundamental issue is that Debian has a policy against overlapping code in different debs, and Tor Browser and Iceweasel overlap (but aren't the same).

So all the approaches you'll find are hacks around that issue.

Micah's project is cool and useful, but I still wish all debian users--by default--could sudo apt-get install tbb from main, or even have tbb replace iceweasel! This is what people have been saying about upstreaming tbb's patches into firefox for a while, but in a community where it seems more likely to happen. :-)

And I may be seriously overestimating the laziness of sysadmins, but I could even picture sudo apt-get install tor-relay-exit and sudo apt-get install tor-relay-non-exit with sane defaults helping to lower the barrier to entry for folks who should be running tor relays but currently don't. I can say from experience that the ease of sudo apt-get install tor-arm is one of the reasons I use arm as a relay monitor instead of synthesizing a bunch of other log/config information on my own.

And no offense intended, but working out a way to upstream TBB debs might even make TBB downloads a tiny, teensy bit more resistant to certain forms of traffic analysis (which we know NSA and probably others are already doing) while reducing your hosting bills. But again, personal biases are probably leading me to overestimate the popularity of the x86/amd64 builds of tbb.

Figuring out a way to comply with the (ultimately sensible) debian policy on overlapping code is something I'm planning to set aside some time to think through more in the near future. Reading that ticket makes me wonder if an automated (and since you guys are awesome, reproducible and verifiable) build might be worth trying to cobble together as a slightly different strategy.

Thanks for posting a link to the ticket!

PETER

July 27, 2014

hi
I have problems getting the 3.6.3 version to connect! It connected one single time, and after that it couldn't complete the connection process properly! Restarting the computer also doesn't help, even after 5-6 times! I am using the older version (3.6.2) right now.
Could you please tell me how it is possible for this to happen?
Thanks a lot

I can't believe it! my 3.6.2 version was working fine! I installed 3.6.3 version. it didn't work. i returned to the older version. it worked fine last night. today, how many times i did try, it didn't connect at all, neither 3.6.2 nor 3.6.3 :|

PETER

July 27, 2014

As others here have noted, I also have this problem with 3.6.3, so I went back to 3.6.2.

I downloaded 3.6.3 yesterday and it worked (for one or more times.) Today, after turning on the machine, the browser window doesn't show (but TaskManager shows that tor.exe and firefox.exe are running).

BTW, I'm using Windows.

-- Thanks

Happened to me too. Going back to 3.6.2 is not a good idea because there are several security fixes for Firefox for 3.6.3.

I fixed the issue by deleting the *.lock files under the Data folder for both browser and tor.

PETER

July 27, 2014

I see that you say:
“Bug 9268: Fix some window resizing corner cases with DPI and taskbar size”
I have the same problem as the other contributor who reported some time ago that s/he couldn’t get a screen size reading of 100s x 100s when using both Panopticlick and ip-check.info. Like him/her I get exactly the same screen size measurement, e.g. 1342 x 768, when using both of them.
This version of Tor does not help in this respect. Have you any suggestions as to how I can get a screen size of 100s x 100s, since it appears that most of your users are able to?

I am using Windows 7.

Thank you.

Not without seeing a debug log. Could you open a ticket at trac.torproject.org (you don't need to create a new account; you can use the cypherpunks one) and attach the output of the browser console (Ctrl + Shift + J) after you set the Torbutton log level to "0" (via the "extensions.torbutton.loglevel" preference you can manipulate after loading about:config in your Tor Browser)? Thanks and if you have further questions don't hesitate to ask.

PETER

July 28, 2014

IT DOESN'T WORK! IT SAYS CONNECTION TIMED OUT WHENEVER IT'S TRYING TO REQUEST RELAY INFORMATION ...HEELPP,,,
PS. I updated my tor today

PETER

July 28, 2014

I am on a "Windows 7 Ultimate" laptop.
I have been using Tor without any problems for the past few years.
Yesterday, I downloaded 3.6.3 TBB but to my surprise and dismay, it does not connect,
not even once. I downloaded a second copy and the same thing: TBB 3.6.3 does not
connect.
I deleted TBB 3.6.3 and started 3.6.2 from my saved programs on a flash stick. It worked
and still works without a problem. I am writing this comment using TBB 3.6.2.
Please address the issue and hopefully solve the problem as you have always done in the past.
May God Bless You All who help us reach the free world from a censored internet.

PETER

July 28, 2014

My use of Tor is mostly limited to creating an obfuscated pipe for Bitcoin-Qt. I rarely use Tor to merely browse the Internet. Accordingly, I have been using Vidalia to create a connection, then running Bitcoin-Qt over that.

If I see things correctly, there no longer is a Vidalia. How now do I set up an obfuscated connection for Bitcoin-Qt?

You can get the same proxying behavior by running the new Tor Browser Bundle, waiting for it to connect, and then configuring Bitcoin-Qt to use localhost:9150 as its SOCKS proxy. As long as TBB is running, Bitcoin-Qt should be able to use that proxy connection.

Thanks - that worked.

Seems counterintuitive to need to run a browser session in order to obfuscate protocols other than http, but c'est la guerre.

PETER

July 28, 2014

At first, I thought I did sth wrong, but as I'm reading comments, I see some people have my problem too. It seems installing the new version of Tor ruined even the last version, which was working nicely! What did I do?! Why did I update it? Damn me! Now my dear Tor is gone!

my antivirus is 'avast-free version' and i've had it for more than 7 years and i think most of these years i've been a Tor user too but never had an experience of any kind of interruption between Tor and Avast! anyway, I disabled it and nothing got better and Tor is still unable to make its connection properly.
could this mean maybe my ISP has changed its filtering (censoring) settings and Tor servers are filtered now? and if so, is there any chance for me to overcome these censorship by using 'configure' option in Tor connecting window? if yes, is it possible for a 'not geek user' to do that or not?
thanks

According to information I've received from some of my compatriots, it seems Tor servers have been blocked in Iran by some ISPs and nothing is wrong with the new version of Tor. Just some a**holes have decided to tighten the boundaries of the last resorts of freedom around here! So sad ...
p.s. so sorry about untrue (but right) comments about Tor's malfunction. I didn't mean to comment untrue feedback. i just didn't know the origin of the problem. thanks a lot for being so helpful and patient dear Tor guys :)
p.s.2 is there any chance to change some settings to overcome this situation (while Tor servers are blocked by local ISPs) that a 'not geek user' could do it personally? if so, is there any guide for that in Tor site or on the internet that is confirmed and endorsed by Tor?
thanks again
a big fan

PETER

July 28, 2014

Did Andrea Shepard leave the Tor Project? It kind of looks like she spends most of her time tweeting instead of writing code. Even though she's listed as a core tor dev, her last commit was like 6+ weeks ago... https://gitweb.torproject.org/tor.git/search?s=Andrea+Shepard;st=author And at risk of getting inappropriately personal, I can't help but wonder what this person was being paid 10k+ for over the past few months. From an outsider's perspective, it looks like you could've funded a slew of contributions via BitHub for that kind of money....

If her role--or roles similar to it--for working on tor's core code base are going to be available again, could you please let us know?

PETER

July 29, 2014

I've checked the announcement and this whole comments page carefully. How annoying, can't seem to find the VERSION NUMBER for the Tor core itself (so, tor.exe on Windows) anywhere!

Tor's version number - should be something like 0.2.??? or 0.3.??? is essential information (to me at least), much more than any other bundled software, including a browser's one.
Pray, answer here anyone! and, (Mike:) consider updating the above as well as any future announcement to include Tor's version.

Roger, I'll spare you from a copy & pasting from the link you provided, but the part concerning the TBB 3.6.3 (changelog lines 27-42) makes NO mention of Tor.

Does this mean that Tor (on Windows, tor.exe) was NOT updated from the previous TBB ? Namely, would that be
Tor 0.2.4.22 ?

Really this info should be explicit even if it has not changed, and we shouldn't have to do guess work !
Unless you don't agree "Tor" is an essential component of the
"Tor browser bundle" or whatever it's now being called :=)

Regards !

Thank you ! As I use only Tor, and none custom browser stuff, may I ask whether the patches in question are security related and should I get the "patched"
tor.exe_0.2.4.22_patched_for_TB-3.6.3 ?

If so, is there a direct download for a standalone _patched_ Win32 executable ?

Please don't forget many of your users don't have broadband - more than you'd think, and downloading a bundle when I may want a single exe may be a pain, not to mention having to unpack it in order to get the part(s) I want, without making an install. Yes this user can do it, but less technical ppl will be lost.

Adding to my above comment/question :
more troubling, now... the "expert" lot from the Torproject's downloads has been updated to serve :

Barring a numbering error, it's a newer update, or is it the same thing as the "patched for TBB tor 0.2.4.22"?

It's getting somewhat messy out there !

Argh! For some reason your weblog software has removed the URL of the current "expert bundle", which - this was the important point - now claims to be "0.2.4.23";

Hence my question , is .23 identical, but renamed, to the "patched .22" that Arma alluded to above ?

T.Y, gk. It's all clear now. Running 0.2.4.23 on Windows XP without problems.

Cheers

--
Noino

P.S : Posting comments from the web (blog.torproject.org/comment/...)
can't seem to be able to sign my posts other than 'anonymous'
Not a problem per se, just curious: is identifying self now reserved to the Torproject personnel, or am I missing an option?

PETER

July 29, 2014

"Ever since I started using the latest version of TBB which is 3.6.3, I have the following error message appearing in the log very frequently:
[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed]"

Did you check that the private address in question is 127.0.0.1 (localhost)? Does the error appear once, soon after starting TBB?

If yes to both, here is a very slightly educated guess: your OS may be trying to add TBB to a list of "recently used items". Or possibly, some watchdog utility is trying to figure out what TBB is.

Arma suggested a third possibility:

"Sounds like some destination (e.g. website) you're trying to access sent you to an address like 127.0.0.1. When Tor Browser asks Tor to go there, Tor decides you're better off failing to reach it and gives you this log message instead. I get that message quite often when I connect pidgin to my Tor, since some component in Pidgin (maybe one of AIM's servers?) is trying to connect to a service whose name resolves to localhost."

I see this warning even when not using pidgin. At Stack Exchange, several people have reported that they often see it when using TBB.
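The check behind that warning, as an added sketch that is not Tor's own code and not part of the comments above: it builds and parses a SOCKS5 CONNECT request (RFC 1928) of the kind an application sends to a local SOCKS port, and flags literal destinations in loopback, private or link-local ranges. The function names are hypothetical, and treating hostnames as "forward" (no local resolution) is an assumption of the sketch.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host, port):
    """Build a SOCKS5 CONNECT request: VER=5, CMD=1 (CONNECT), RSV=0."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        # Not an IP literal: send the name itself so the proxy resolves it.
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length out of range")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Return (host, port) from a SOCKS5 request, rejecting malformed input."""
    if len(req) < 7 or req[0] != 0x05 or req[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        raw, rest = body[1:1 + n], body[1 + n:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        raw, rest = body[:n], body[n:]
    else:
        raise ValueError("unknown address type")
    if len(raw) != n or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    return host, struct.unpack("!H", rest)[0]


def is_internal(host):
    """True for literal loopback, private, link-local or unspecified addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname cannot be judged without resolving it
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def verdict(req):
    """'reject' mirrors the log warning quoted above; 'forward' otherwise."""
    host, _port = parse_connect(req)
    return "reject" if is_internal(host) else "forward"
```

Running `verdict` over the destinations an application actually requests shows which component is asking for a local address, which is the question the replies above are trying to answer.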

PETER

July 29, 2014

"I still wish all debian users--by default--could sudo apt-get install tbb from main, or even have tbb replace iceweasel! This is what people have been saying about upstreaming tbb's patches into firefox for a while, but in a community where it seems more likely to happen."

Current Debian stable (Wheezy) appears to have some potentially exploitable geolocation sharing tools, user activity tracking tools, and more, tightly incorporated into the Gnome3 desktop and maybe others too. TBB on the other hand is installed by the user in his/her own directories and is functionally sort of "chrooted". I wonder whether this might not offer some advantages over incorporating TBB more tightly into a default Debian system?

Current Debian stable (Wheezy) appears to have some potentially exploitable geolocation sharing tools, user activity tracking tools, and more, tightly incorporated into the Gnome3 desktop and maybe others too.

Please, for the benefit of those who use the current Debian stable, list all the potentially exploitable geolocation sharing tools, user activity tracking tools..etc, etc.

PETER

July 29, 2014

"I can't help but wonder what this person was being paid 10k+ for over the past few months. From an outsider's perspective, it looks like you could've funded a slew of contributions via BitHub for that kind of money...."

Not to accuse, but only just to observe:

A commonly employed JTRIG tactic is to attempt to sow internal dissension inside a targeted organization by trying to plant the seeds of mutual suspicion, jealousy, and distrust. Carping about money is a favorite ploy.

We should all be alert to such possibilities, without developing excessive paranoia, because we know that Tor is a target of NSA/GCHQ, and we know what kind of dirty tricks they often employ against their targets.

Seconded. But in this case, the gaps between nick (other core tor dev) and andrea's logged contributions--especially given Tor's transparency--does make one wonder: https://gitweb.torproject.org/tor.git/shortlog

It's certainly possible that she's working on a fork offline or went on vacation or just has unusual dev habits (maybe she passes things through other people now?), but for someone listed as a "core tor developer" being a few days shy of two months with no commits to the core code base for tor seems like a significant stretch of time.

It looks like her last commit was June 3rd, and the volume of tweets she's pushed out since then could lead a reasonable person to think maybe she's pivoted to Tor Project related communications (along the lines of jake).

The public tor-reports listserv doesn't list any recent updates from her (though Jake also tends to be quite late in submitting his): https://lists.torproject.org/pipermail/tor-reports/

Nick's update for part of June, however, does mention Andrea: https://lists.torproject.org/pipermail/tor-reports/2014-June/000572.html

PETER

July 29, 2014

Hi, thanks for your great efforts.
What's the replacement for this type of TorBrowser?:
tor-pluggable-transports-browser-2.4.17-beta-2
That was pretty useful; and I could use it even now but with some minor problems like the old Firefox version (3.6.3 doesn't work in my country).