Tor Browser 3.6.6 is released

The sixth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog for 3.6.6:

  • All Platforms
    • Update Tor to tor-0.2.4.24
    • Update Firefox to 24.8.1esr
    • Update NoScript to 2.6.8.42
    • Update HTTPS Everywhere to 4.0.1
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
  • Linux
    • Bug 9150: Make RPATH unavailable on Tor binary.

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

September 25, 2014


The Expert Bundle is not uploaded yet. What are the differences between the Expert Bundle tor binary and the browser bundle's tor binary? The latter is smaller in size. Can/should I replace the current one from the browser bundle?

Anonymous

September 25, 2014


I'm asking this question here because I can't find anywhere else to ask, and I'm just tearing my hair out. I'm new to the deep web, I have the Tor browser bundle, and I disabled all the settings just like http://tutorneunixbasq6.onion/guide/tbb.html recommended. Whenever I try to set up an e-mail account, anywhere, the Captcha will not validate me. I know how to type; I've tried dozens of times; I've tried every e-mail service (I'd like to use MailTor). I've tried "Temporarily allow this page" in case that was the problem. I have no idea what's wrong, and without e-mail, I can't join any forum to ask for help with e-mail! Can someone please help me? Thanks.

Properly implementing end-to-end encryption on the part of BOTH parties emailing each other should be the first concern, regardless of provider.

Quality of SSL/TLS implementation is a legitimate concern but nonetheless a secondary one here.

You should be careful when changing settings from the default Tor Browser settings. While the NoScript issue is frequently debated and there are valid points on both sides, the changes in about:config suggested on that page are probably a bad idea, given that they make browser fingerprinting easier.

I doubt it, considering that they cannot see your settings. Adding add-ons, now THAT is an issue, because of the bass-ackwards way that Firefox and its derivatives allow sites to poll Firefox for what plugins and add-ons you are running.

Also I recommend mail.yandex.com which is a safe choice in my opinion.

Anonymous

September 28, 2014

In reply to by Anonymous (not verified)


Just what do you mean by "safe"?

End-to-end encryption (such as via PGP/GPG or S/MIME) is the only way to attain any reasonable level of privacy in email. (Beware of subject lines, headers, etc., though.)

Hi, I am also trying to get help. I'm new to this and would like to know what I could/should delete/avoid on my device; it is currently slow (long scripts etc.). I would only use this software and these methods if I could get some guidance, please. Donations waiting, please help :(

Thanks for the fast action.
Why not update tor to Tor-0.2.5.x?

Well, although it is almost stable there is no 0.2.5.x release declared stable yet. Thus, we shipped the current 0.2.4.24. The alpha bundles already contain the 0.2.5.x series and the next stable Tor Browser will contain it as well. Stay tuned.

Can I delete cookies yet?

Sure. One easy way to do it is clicking on "New Identity" which gives you a fresh browser session. Deleting cookies via the browser UI is still not possible, though, due to an underlying Mozilla bug. See: https://bugs.torproject.org/10353

Obviously not a complaint for the TBB team, but this flaw has existed upstream in Firefox now for a weirdly, suspiciously long time...

Along with their "we're committed to your privacy" page ironically loading Google Analytics, Mozilla's privacy-hostile actions are much more revealing than their marketing.

The sheer length of time this continues to go unpatched, compared to, say, their prioritization of visual UI improvements, is astonishing.

Reminds me of how sites like Ars Technica have all this content favorable toward-- if not actually championing-- Snowden, Assange, Tor, Tails, and even HTTPS (yes, explicitly), yet... still serve pages on unencrypted HTTP!

Such irony and even hypocrisy.

FWIW Ars Technica replied to the same point raised on their site, saying that they make httpS available but only as an upgrade for paid subscribers.

The whole Ars Technica site is available for paid subscribers? Or only certain pages, such as for login and account management?

Also, can a paid subscriber be anonymous?

I can only agree with above anons.

Just in case anyone doesn't know what we're talking about, here are the links:

https://bugzilla.mozilla.org/show_bug.cgi?id=864150
unsolved since 2013-04-21 (more than a year!)

https://bugzilla.mozilla.org/show_bug.cgi?id=823941
unsolved since 2012-12-21 (more than one and a half years!!)

https://bugzilla.mozilla.org/show_bug.cgi?id=777620
unsolved since 2012-07-25 (more than two years!!! what the fuck!?!?)

Trying to stay polite, I'd say that the Mozilla team seriously has the wrong priorities here... (I mean..!?!? what the..!?!?!?!?!?!? arghhhhhhhh!?!?!?!?!?!?!?!?!?!?!?!?!?!?)

Remember when "Mozilla is under attack for protecting your privacy" was all over the news? And it then turned out to be paid publicity by Mozilla before they added numerous anti-privacy features into Firefox, like third-party cookies enabled by default, just to name an example. Mozilla is by far the worst among the major internet players, because they claim to have your privacy's back all while they do the opposite; at least Google doesn't hide the fact that they're spying on everyone and invading our privacy, all the while people actually trust Mozilla because they told them so... Sickening.

Please, that's NOT a solution to the question asked!

New Identity is about as useful as tits on a bull for most users! Well, those that care about using a FAST Tor route, that is.

I find it very annoying that you all REFUSE to add back that feature from Vidalia: NEW NYM!

It's like you want to make TBB so effing slow that people won't use it.

The question asked was about ways to delete cookies, and a new identity is the easiest way to do so. The cookie UI is broken in Firefox upstream. If Tor Browser does make a patch, it will probably be broken whenever Mozilla fixes the issue. Besides, single-cookie deletion is NOT a good practice for anonymous browsing. Clearing everything makes it much harder to connect identities.

Concerning the routing feature, changing so that you went through faster relays was never the point of that feature in Vidalia; it was so that you could either seem like a different user or avoid broken relays. Tor Browser's New Identity feature works just as well, and some of Tor's own improvements have helped against broken relays.

Concerning Tor Browser being slow: you've got to accept that a slowdown is required for anonymity. With that said, Tor is much faster these days than it was ten years ago. I remember trying it in its early days; it was painful. If you want Tor to be faster, think about running a relay and donating some fast bandwidth.

"Single cookie deletion is NOT a good practice for anonymous browsing"

Utter nonsense.

"Torbrowser's New Identity feature works just as well (as vidalia's)"

More utter nonsense. With Vidalia you can generate a new ID without closing your browser and losing all your session credentials. With the new incarnation of TBB you lose everything each time you generate a new ID. Luckily Vidalia still works with TBB.

And whose idea was it to rename TBB from "tbb-firefox.exe" to just "firefox.exe"? Yet another ignorant maneuver.

Anyway, until the cookie problem is fixed the new TBB is simply unusable.

"New Identity is about as useful as tits on a bull for most users!"

Alas that metaphor has lost considerable meaning, in this age of gender ambiguity, "transgender" quackery and the like.

Is this bug any threat to Linux/Unix servers running Tor relays?

http://www.maximumpc.com/linux_bash_bug_poses_security_threat_gets_comp…

TorBrowser 3.6.6 for OS X will not display technical details of TLS connections. To reproduce, click on the padlock in the URL field of an HTTPS site. Choose "More information" and click on the "Security" tab. The "Technical Details" field, which would normally display the cipher suite in use, is blank.

You may want to consider using the CipherFox add-on for this purpose.

In general it's a bad idea to add add-ons to Tor Browser. If nothing else, they can make browser fingerprinting easier.

"If nothing else they can make browser fingerprinting easier."

That's at best...

How odd. This works on Linux at least. I've filed https://bugs.torproject.org/13254, thanks. Did that work with earlier Tor Browser versions on OS X?

Yes, the technical details of secure connections were displayed as expected in Firefox in TorBrowser 3.6.5 and earlier.

I've noticed a similar, though clearly far less problematic, change with the GNU/Linux version of this release of TBB (3.6.6):

After clicking on the padlock icon, clicking on "More Information" now takes one to the "General" tab. Previously, it was the "Security" tab.

Issue also affects Windows version

This also happens with Tor Browser 3.6.6 under W7. The Technical Details field is either blank or doesn't display the cipher suite.
Maybe this is related to Bug 12998 (Prevent intermediate certs from being written to disk). Does Firefox not find the certs because they are not written to disk?

What are 'intermediate certs' exactly? Certs of Tor or certs of websites?

When disabling "Always use private browsing mode", I cannot permanently store an exception for an HTTPS certificate... This worked flawlessly and would be very useful to have working again, since you can store trusted certificates and avoid suspicious "man in the middle attack" certificates, which I have encountered a couple of times.

When did it work? Do you have steps to reproduce?

Sure, in 3.6.4 it worked fine.

Now:

1. set privacy to custom settings - disable "Always use private browsing mode"
2. browser requires you to restart
3. go to a site that has a custom certificate
4. if "Permanently store this exception" is checked, then "Confirm security exception" button does nothing
5. if "Permanently store this exception" is NOT checked, you can "Confirm security exception" though you have to check each time if the certificate is not spoofed

"disable "Always use private browsing mode""

How advisable is this, though?

Any repercussions?

Any possible workarounds?
Thanks...

Being able to "permanently" (not really permanently but across sessions, until one manually deletes) store exceptions for self-signed certs and the like (after one verifies a fingerprint that one has authenticated to at least some degree) would indeed be most welcome.

Congrats on keeping the time between a Firefox release & a new TBB release to a minimum!

Why doesn't TBB on Linux play nice with sudo setenforce 1?

1st, I know what I do ;)

This version does not save passwords anymore? The saved-password list in the preferences is empty and the key3.db seems not to be read. It's the same with the alpha releases. Why? How to fix it?

Why is tor in the Vidalia bundle not updated to this tor version?

Your password problems are due to the fix for https://bugs.torproject.org/12998. That means disabling this pref and restarting should solve your problem. We might want to consider binding this pref to the private browsing mode, which would allow both the intended use (avoiding disk leaks) and your use case.

Thanks. It works fine.

I'm having trouble installing this version.

You need to be much more specific.

And you should probably try one of the actual support channels.

I'm a total newbie to TOR and all things to do with computers, outwith using the internet for email, social media, etc., but I'm trying hard to get to grips with privacy etc.

When I try to activate the HTML5 player on YouTube to watch videos, I have to disable NoScript or else it won't work. Is this OK to do? Or is there any way around the problem? If you can help, please reply like you are talking to a 5-year-old :)