Tor Browser 3.6.6 is released

The sixth pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog for 3.6.6:

  • All Platforms
    • Update Tor to tor-0.2.4.24
    • Update Firefox to 24.8.1esr
    • Update NoScript to 2.6.8.42
    • Update HTTPS Everywhere to 4.0.1
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
  • Linux
    • Bug 9150: Make RPATH unavailable on Tor binary.

The list of frequently encountered known issues is also available in our bug tracker.

Whether it is "ok" to enable JavaScript (the button "Temporarily allow all this page") really depends on you and your privacy needs.

Do you feel comfortable with YouTube knowing about your screen size, screen resolution, system font size, TorBrowser's window size, and (if your TorBrowser is maximized to cover most of your screen) details about your desktop theme (i.e. how thick your window borders are, taskbar size, etc.), among other info?

If yes, then you can go on and enable JS.

But keep in mind that the above-mentioned info can be used to fingerprint (and track) you, even if you delete cookies. And remember that YouTube (being a Google product) will share this info with the NSA, and (probably) with any other institutions that pay enough / apply enough pressure...

After all, you'll have to make lots of little decisions between privacy and usability.
Not using YouTube at all means less usability, but certainly more privacy.

Keep in mind that YouTube is by far not the only video-sharing service, and there are several other options that don't require JS.
...vote with your feet!

Thank you for that reply. Very informative. I'm devoting some time to try and educate myself and information like you have provided is very helpful.

This may be another privacy/usability dichotomy, but is there any way to distinguish which sites you can "trust"? For the average person, I'd imagine I'm not alone in not knowing the above info re. YouTube.

By default, NoScript is set to allow scripts globally in Tor Browser. This isn't the same as actually disabling NoScript entirely but many people don't seem to realize this.

You definitely should not need to disable NoScript entirely for HTML5 videos on YouTube (or any other site, for that matter) to play.

"By default, NoScript is set to allow scripts globally in Tor Browser."

...which is not recommended!

Personally, I recommend creating two separate installations of TorBrowser (i.e. extracting/installing twice to two different locations), and then using one browser with JavaScript enabled, and one browser with JavaScript disabled.

You'll have to set the environment variables "TOR_SOCKS_PORT" and "TOR_CONTROL_PORT" along with the corresponding configuration items in "torrc", and it might take a little bit of trying until you find your way around.
However, once it is done, this setup allows simultaneous use of two TorBrowsers (with different settings). Personally I use the one without JS whenever possible, while still being able to quickly "enable" JS (by switching to the other browser) whenever some site refuses to work without it.

The reasoning behind this setup is that I want to avoid being fingerprinted through the combination of sites for which I've allowed JavaScript, which might be possible if one makes extensive use of the "Temporarily allow all this page" button.
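The two-copy setup described in this comment, as an added example that is not part of the original comment or of the Tor Project's own scripts: a small POSIX shell helper that rewrites the second copy's torrc to distinct SocksPort/ControlPort values and launches it with the matching TOR_SOCKS_PORT/TOR_CONTROL_PORT environment, so the two browsers never share a Tor instance or a NoScript whitelist. It assumes the 3.6 Linux layout (start-tor-browser and Data/Tor/torrc inside the extracted directory) and that the first copy keeps the default ports 9150/9151.

```shell
#!/bin/sh
# Added example (not from the original comment): run a second, separately
# extracted Tor Browser 3.6 copy on its own Tor ports, so the JS-enabled and
# JS-disabled profiles never share a Tor instance or a NoScript whitelist.
# Assumptions: 3.6 Linux layout (start-tor-browser and Data/Tor/torrc in the
# extracted directory); the first copy keeps the defaults 9150/9151.

DEFAULT_SOCKS=9150
DEFAULT_CONTROL=9151

# Two distinct unprivileged ports that do not collide with the first copy.
ports_ok() {
    for p in "$1" "$2"; do
        [ "$p" -gt 1023 ] && [ "$p" -lt 65536 ] || return 1
        [ "$p" -ne "$DEFAULT_SOCKS" ] && [ "$p" -ne "$DEFAULT_CONTROL" ] || return 1
    done
    [ "$1" -ne "$2" ]
}

# torrc lines that bind this copy's tor to the chosen loopback ports.
render_torrc() {
    printf 'SocksPort 127.0.0.1:%s\nControlPort 127.0.0.1:%s\nCookieAuthentication 1\n' "$1" "$2"
}

# Replace any existing SocksPort/ControlPort lines in a torrc, keeping the rest
# (DataDirectory, GeoIP paths and so on) untouched.
set_ports_in_torrc() {
    torrc="$1"; socks="$2"; control="$3"
    tmp="$torrc.tmp"
    {
        [ -f "$torrc" ] && grep -v -E '^(SocksPort|ControlPort) ' "$torrc" || true
        render_torrc "$socks" "$control"
    } > "$tmp" && mv "$tmp" "$torrc"
}

# Point the second copy at its own ports on both sides: tor listens there
# (torrc) and Tor Launcher connects there (TOR_SOCKS_PORT/TOR_CONTROL_PORT).
launch_second_browser() {
    dir="$1"; socks="$2"; control="$3"
    ports_ok "$socks" "$control" || { echo "bad or clashing ports" >&2; return 1; }
    set_ports_in_torrc "$dir/Data/Tor/torrc" "$socks" "$control"
    TOR_SOCKS_PORT="$socks" TOR_CONTROL_PORT="$control" "$dir/start-tor-browser"
}
```

Call it as `launch_second_browser /path/to/second/tor-browser_en-US 9250 9251` while the first copy is already running on its defaults.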

Anonymous

September 26, 2014

I have been having this problem since 3.6.4 and it still persists with 3.6.6. I already posted a comment on the release notes page for 3.6.4: if I try to download the browser bundle, any browser will crash. I have EMET enabled on that system for all browsers on it (ff, ie, chrome). I tried with another system without EMET enabled; that worked. Now for the new release all browsers again kept crashing, then I disabled EMET specifically for one of the browsers and downloaded with this one: OK, fine. So it is one of the EMET protection functions (I don't know which of them yet) which for some strange reason stumbles upon something in the binary. Some combination of bytes that EMET interprets as malicious and hence stops the process. It ain't really a bug of TOR I think, just a strange and possibly rare interaction. But I felt it might be useful for you to know.
Best regards

Anonymous

September 26, 2014

Now that I have this updated TBB it won't work. It worked before the update and now when I try to open Tor it says "couldn't load XPCOM." Can anyone help?

Perhaps you have a setting on your antivirus software that causes it to flag any software that it hasn't seen many other users run? That's usually what's wrong with new releases.

Oh, and you should also be wondering about the wisdom and safety of all of the users letting the antivirus company paw through their systems in order to be able to draw conclusions like "many of our users haven't run that binary before". But I guess that's a different discussion.

Ditto all of arma's comment.

Let me add that the process of placing trust in any given download from the Tor Project is essentially a two-part one that should be completely independent of any third-party antivirus program or the like.

First, you need to decide whether or not to trust Tor Browser (or any other offering from the Tor Project), assuming, of course, that you will be getting the authentic download. Then, if you decide to trust a given piece of software from the Tor Project, you need to authenticate your download of said software in order to have some reasonable degree of certainty that you are actually getting the intended, legitimate file(s) and not a trojan.

How did this "AVG" company trick you into being confident in the decisions its program makes?

I totally agree with the "not a great confidence builder" conclusion, but I agree on the "why am I listening to this program" side, which maybe isn't the same as you. :)

I can only reiterate that users should at least *try* to use a GNU/Linux distro (e.g. Ubuntu).

These projects try really hard to make GNU/Linux easy for everyone, and objections about it being too difficult come mostly from people who haven't even tried it.

Why I'm saying this: GNU/Linux distros come with out-of-the-box security and don't need dedicated antivirus software (as should be the case for any sane operating system).

Well, frequently they provide antivirus/anti-malware packages, which is somewhat different, but it raises the point that GNU/Linux distros require some (albeit limited) technical knowledge to set up securely.

With that said, Windows has gotten better over the years. I feel safe on my one Windows box without any third-party antivirus program. Many complaints about the insecurity of vanilla Windows have to do with either older versions (going back to XP, if not earlier) or poor user behavior (running executables downloaded from the web, etc.). That's not to say I'm suggesting Windows as a secure environment, but the sorts of threats that antivirus programs are designed to defend against aren't really weak points for a user who goes out of his/her way to use safe habits.

Of course, computer users don't always have a choice on whether or not to install an antivirus program; work or school networks frequently require them.

I have to use too many programs that only run on Windows, and I can't run out and buy a second computer. So Windows it is, for better or worse.

Just FYI: One need not have more than one computer in order to use more than one operating system (OS). Dual-booting, virtual machines (VMs), live environments (CD or USB) and installations to USB drives, are all options that allow one to run multiple OSs on the same hardware.

Anonymous

September 26, 2014

Another....... funny thing:

On sites with HTTPS I don't see Technical Details about the crypto used.

??

Have you tried manually clicking on the "Security" tab?

In previous releases, this would display automatically after clicking on "More information". This changed for some reason with this release.

Anonymous

September 27, 2014

Why is device.sensors.enabled set to true?

Anonymous

September 27, 2014

When I update from the previous version, my saved site passwords are gone. The key3.db file is there and is the same as in the previous version.

Anonymous

September 27, 2014

I updated the TBB to 3.6.6. It wasn't authentic when I checked the signatures. I got rid of that bundle and went to the official Tor Project page to get the 3.6.6 and now that one won't verify either. What is going on? Anyone else have these, and if so, what do I have to do now to properly handle this?

Are you sure you are actually downloading from torproject.org?

First, check the URL carefully.

If the problem persists, try downloading from a different system (you could try a live environment first, booted by CD/DVD or USB). If this gets you a download that outputs "Good Signature" then your system was most likely compromised (somewhere at the software level).

If, however, the file you download while booted into a live environment doesn't verify either, then you need to suspect a problem with your Internet connection and/or compromised hardware as the culprit. Troubleshoot accordingly, by trying a different Internet connection and different hardware, respectively.

Also, you wrote,

"I got rid of that bundle and went to the official Tor Project page to get the 3.6.6",

which makes me wonder: Where had you downloaded that first "bundle" from?

If it was from anywhere other than torproject.org (or, perhaps, an official, trusted mirror, if any exist)... then you probably should no longer trust the entire system that accessed whatever suspicious site it was from which you downloaded something that purported to be the Tor Browser.

You need to "flatten and rebuild", as the saying is.

After making sure your critical data is backed up, you should completely wipe* the disk containing the OS installation that was used to access the dodgy site (and Lord knows how many other such sites...) and then start from scratch, with a fresh, clean install of your (authenticated) OS of choice.

*One pass of zeroes should be quite sufficient to delete any data (and nasties) beyond recovery. Though, if you intend to encrypt the drive (which, of course, you probably should), you might want to do one pass of pseudo-random data (such as /dev/urandom) instead (it will take much longer but will supposedly make cracking the encryption considerably more difficult).

Also, are you certain that the signature and TBB file you have match? If you haven't already, examine closely to make sure they do. (Same platform, language and architecture, i.e., 32- or 64-bit.)

I had this problem too on Windows 7 32-bit with the bundle downloaded from the main page https://www.torproject.org/download/download-easy.html.en, but when I downloaded the bundle + sig from the distribution directory https://www.torproject.org/dist/torbrowser/3.6.6/ it verified.
To arma: Could the bundle from the main page be compromised?

I just fetched the signature and the windows 3.6.6 from the download-easy page, and the signature matched just fine.

I assume it's user error on your part in some way, but I can't guess what way. :(
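The verification step this thread is about, as an added example that is not from the original comments or from the Tor Project's own tooling: a POSIX shell helper that first checks the .asc really belongs to the bundle beside it (the platform/language/architecture mismatch mentioned above) and then accepts the download only if gpg reports a VALIDSIG from the expected primary key, since a "Good signature" from some unrelated key proves nothing. TRUSTED_FPR is a placeholder to fill with the Tor Browser signing key's fingerprint as obtained from torproject.org itself; the bundle file name in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example, not from the original comments or the Tor Project: verify a
# Tor Browser bundle against its detached .asc signature and insist that the
# signing key is the one you already trust, not merely some key gpg knows.
# TRUSTED_FPR is a placeholder; fill in the Tor Browser signing key's
# fingerprint as obtained from torproject.org itself, not from a mirror.
TRUSTED_FPR="REPLACE_WITH_TOR_BROWSER_SIGNING_KEY_FINGERPRINT"

# A signature file must be the bundle's own name plus ".asc"; a stray .asc for
# another platform, language or 32/64-bit build fails here before gpg runs.
sig_matches_bundle() {
    [ "$(basename "$2")" = "$(basename "$1").asc" ]
}

# From gpg --status-fd output, print the primary-key fingerprint named on the
# VALIDSIG line (its last field), or nothing if no valid signature was found.
validsig_primary_fpr() {
    awk '/^\[GNUPG:] VALIDSIG / { print $NF; exit }'
}

# Usage (illustrative names): verify_bundle tor-browser-linux64-3.6.6_en-US.tar.xz \
#                                           tor-browser-linux64-3.6.6_en-US.tar.xz.asc
verify_bundle() {
    bundle="$1"; sig="$2"
    sig_matches_bundle "$bundle" "$sig" || { echo "signature file does not belong to this bundle" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    # Status lines go to stdout (fd 1); the human-readable chatter is discarded.
    fpr=$(gpg --batch --status-fd 1 --verify "$sig" "$bundle" 2>/dev/null | validsig_primary_fpr)
    [ -n "$fpr" ] || { echo "no valid signature on $bundle" >&2; return 1; }
    [ "$fpr" = "$TRUSTED_FPR" ] || { echo "valid signature, but from unexpected key $fpr" >&2; return 1; }
    echo "Good signature from the expected key on $bundle"
}
```

The key comparison is what turns gpg's "Good signature" (which only means the math checks out for whatever key signed it) into a statement about who signed it.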

Anonymous

September 27, 2014

is there another Tor blog that is more active?

I submitted a question hours ago and it's not even posted yet? A lot can happen in 6 hours...

There is no other blog. In fact, there is barely this one, if you consider comments. Sometimes I pay attention to it and approve the small number of actual comments amongst the large number of spam comments. Sometimes I write code instead.

You might enjoy the thread on the www-team list about migrating to a new blog that is easier to maintain.

"the small number of actual comments amongst the large number of spam comments."

I don't question that the number of actual comments is small in proportion to the spam. But in their own right, the number of comments that appear here hardly seems "small".

Anonymous

September 27, 2014

First copy text, then New Identity. Now you can't paste the text. Is this a feature or a bug? And if it's a feature, why? Thanks.

With New Identity, Tor Browser restarts. On closing, Tor Browser deletes copied data. It is not a bug, it is a security feature. You can use Vidalia to get a new identity without restarting the complete browser.

"You can use Vidalia to get a new identity without restarting the complete browser."

Note that according to the official Tails documentation, the only way of being sure of obtaining a completely new identity is to shut down and restart Tails.

Could this also be said for Tor Browser?

Restarting TorBrowser is the proper way to get a new identity.

However, restarting Tails would be analogous to re-installing TorBrowser; the latter should not be necessary.

Is clicking on "New Identity" in TorButton considered "restarting TorBrowser" in this context?

Or did you mean to manually close all open windows of TorBrowser and then start it up again?