Tor Browser 3.6.6 is released

The sixth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog for 3.6.6:

  • All Platforms
    • Update Tor to tor-0.2.4.24
    • Update Firefox to 24.8.1esr
    • Update NoScript to 2.6.8.42
    • Update HTTPS Everywhere to 4.0.1
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
  • Linux
    • Bug 9150: Make RPATH unavailable on Tor binary.

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

September 25, 2014

Expert bundle is not uploaded yet. What are the differences between the expert bundle tor binary and browser tor binary? The latter is smaller in size. Can/should I replace the current one from the browser bundle?

Anonymous

September 25, 2014

I'm asking this question here because I can't find anywhere else to ask, and I'm just tearing my hair out. I'm new to the deep web, I have the Tor browser bundle, and I disabled all the settings just like http://tutorneunixbasq6.onion/guide/tbb.html recommended. Whenever I try to set up an e-mail account, anywhere, the Captcha will not validate me. I know how to type; I've tried dozens of times; I've tried every e-mail service (I'd like to use MailTor). I've tried "Temporarily allow this page" in case that was the problem. I have no idea what's wrong, and without e-mail, I can't join any forum to ask for help with e-mail! Can someone please help me? Thanks.

Properly implementing end-to-end encryption on the parts of BOTH parties emailing each other should be the first concern-- regardless of provider.

Quality of SSL/TLS implementation is a legitimate concern but nonetheless a secondary one here.

You should be careful when changing settings from the default torbrowser settings. While the NoScript issue is frequently debated and there are valid points on both sides, the changes in about:config suggested on that page are probably a bad idea given it makes browser fingerprinting easier.

I doubt it, considering that they cannot see your settings. Adding add-ons, now THAT is an issue because of the bass-ackwards way that Firefox and its derivatives allow sites to poll Firefox for what plugins and add-ons you are running.

Anonymous

September 28, 2014

In reply to by Anonymous (not verified)

Just what do you mean by "safe"?

End-to-end encryption (such as via PGP/GPG or S/MIME) is the only way to attain any reasonable level of privacy in email. (Beware about subject lines, headers, etc., though)

Hi, I am also trying to get help. I'm new to this and would like to know what I could/should delete/avoid on my device; it is currently slow, long scripts, etc. I would only use this software and methods if I could get some guidance, pls. Donations waiting, please help :(

Anonymous

September 25, 2014

Thanks for the fast action.
Why not update tor to Tor-0.2.5.x?

Well, although it is almost stable there is no 0.2.5.x release declared stable yet. Thus, we shipped the current 0.2.4.24. The alpha bundles already contain the 0.2.5.x series and the next stable Tor Browser will contain it as well. Stay tuned.

along with their "we're committed to your privacy" page ironically loading google analytics, mozilla's privacy-hostile actions are much more revealing than their marketing.

the sheer length of time this continues to go unpatched compared to, say, their prioritization of visual UI improvements is astonishing.

Reminds me of how sites like Ars Technica have all this content favorable toward-- if not actually championing-- Snowden, Assange, Tor, Tails, and even HTTPS (yes, explicitly), yet... still serve pages on unencrypted HTTP!

Such irony and even hypocrisy.

The whole Ars Technica site is available for paid subscribers? Or only certain pages, such as for login and account management?

Also, can a paid subscriber be anonymous?

I can only agree with above anons.

Just in case anyone doesn't know what we're talking about, here are the links:

https://bugzilla.mozilla.org/show_bug.cgi?id=864150
unsolved since 2013-04-21 (more than a year!)

https://bugzilla.mozilla.org/show_bug.cgi?id=823941
unsolved since 2012-12-21 (more than one and a half years!!)

https://bugzilla.mozilla.org/show_bug.cgi?id=777620
unsolved since 2012-07-25 (more than two years!!! what the fuck!?!?)

Trying to stay polite, I'd say that the Mozilla team seriously has the wrong priorities here... (I mean..!?!? what the..!?!?!?!?!?!? arghhhhhhhh!?!?!?!?!?!?!?!?!?!?!?!?!?!?)

remember when "mozilla is under attack for protecting your privacy" all over the news? and it then turned out to be a paid publicity by mozilla before they added numerous anti-privacy features into firefox like third party cookies enabled by default, just to name an example. Mozilla is by far the worst between major internet players, because they claim to be having your privacy's back all while they do the opposite, at least google doesn't hide the fact they're spying on everyone and invading our privacy, all the while people actually trust mozilla because they told them so... sickening..

Please, that's NOT a solution to the question asked!

New Identity is about as useful as tits on a bull for most users! Well, those that care about using a FAST Tor route that is.

I find it very annoying that you all REFUSE to add back that feature from Vidalia: NEW NYM!

It's like you want to make TBB so effing slow that people won't use it.

The question asked was ways to delete cookies, and a new identity is the easiest way to do so. The Cookie UI interface is broken in the firefox upstream. If torbrowser does make a patch it will probably be broken whenever Mozilla fixes the issue. Besides, single cookie deletion is NOT a good practice for anonymous browsing. Clearing everything makes it much harder to connect identities.

Concerning the routing feature, changing so that you went through faster relays was never the point of that feature in Vidalia, it was so that you could either seem like a different user or avoid broken relays. Torbrowser's New Identity feature works just as well and some of tor's improvements themselves have helped against broken relays.

Concerning Torbrowser being slow: you've got to accept that a slowdown is required for anonymity. With that said, tor is much faster these days than it was ten years ago. I remember trying it in its early days; it was painful. If you want tor to be faster, think about running a relay and donating some fast bandwidth.

"Single cookie deletion is NOT a good practice for anonymous browsing"

Utter nonsense.

"Torbrowser's New Identity feature works just as well (as vidalia's)"

More utter nonsense. With Vidalia you can generate a new ID without closing your browser and losing all your session credentials. With the new incarnation of TBB you lose everything each time you generate a new ID. Luckily Vidalia still works with TBB.

And whose idea was it to rename TBB from "tbb-firefox.exe" to just "firefox.exe"? Yet another ignorant maneuver.

Anyway, until the cookie problem is fixed the new TBB is simply unusable.

"New Identity is about as useful as tits on a bull for most users!"

Alas that metaphor has lost considerable meaning, in this age of gender ambiguity, "transgender" quackery and the like.

Anonymous

September 26, 2014

TorBrowser 3.6.6 for OS X will not display technical details of TLS connections. To reproduce, click on the padlock in the URL field of an HTTPS site. Choose "More information" and click on the "Security" tab. The "Technical Details" field, which would normally display the cipher suite in use, is blank.

I've noticed a similar, though clearly far less problematic, change with the GNU/Linux version of this release of TBB (3.6.6):

After clicking on the padlock icon, clicking on "More Information" now takes one to the "General" tab. Previously, it was the "Security" tab.

This also happens with Tor Browser 3.6.6 under W7. The Technical Details field is either blank or doesn't display the cipher suite.
Maybe this is related to Bug 12998: Prevent intermediate certs from being written to disk. Does Firefox not find the certs, because they are not written to disk?

What are 'intermediate certs' exactly? Certs of Tor or certs of websites?

Anonymous

September 26, 2014

When disabling "Always use private browsing mode", I cannot permanently store an exception for an HTTPS certificate... This worked flawlessly and would be very useful to work again, since you can store trusted certificates and avoid suspicious "Man in the middle attack" certificates - which I encountered a couple of times.

Sure, in 3.6.4 it worked fine.

Now:

1. set privacy to custom settings - disable "Always use private browsing mode"
2. browser requires you to restart
3. go to a site that has a custom certificate
4. if "Permanently store this exception" is checked, then "Confirm security exception" button does nothing
5. if "Permanently store this exception" is NOT checked, you can "Confirm security exception" though you have to check each time if the certificate is not spoofed

Being able to "permanently" (not really permanently but across sessions, until one manually deletes) store exceptions for self-signed certs and the like (after one verifies a fingerprint that one has authenticated to at least some degree) would indeed be most welcome.

Anonymous

September 26, 2014

Congrats on keeping the time between a Firefox release & a new TBB release to a minimum!

Anonymous

September 26, 2014

1st, I know what I do ;)

This version does not save passwords anymore? The saved-password list in the preferences is empty and the key3.db seems not to be read. It's the same with alpha releases. Why? How to fix it?

Why is tor in the vidalia bundle not updated to this tor version?

Anonymous

September 26, 2014

I'm a total newbie to TOR and all things to do with computers outwith using the internet for email, social media, etc., but trying hard to get to grips with privacy etc.

When I try to activate the HTML 5 player on youtube to watch videos I have to disable noscript or else it won't work. Is this ok to do? Or, is there any way around the problem? If you can help, please reply like you are talking to a 5 year old :)