Tor Browser 4.0-alpha-3 is released

The third alpha release of the 4.0 series is available from the extended downloads page and also from our distribution directory.

The individual bundles of this release are signed by Georg Koppen. You can find his key fingerprint on the Signing Keys page. It is:

pub 4096R/4B7C3223 2013-07-30
Fingerprint = 35CD74C24A9B15A19E1A81A194373AA94B7C3223

IMPORTANT UPDATER ISSUES:

  • We discovered Bug 13245 will cause non-English Tor Browsers to update to the English version. This bug has been fixed in this release, but 4.0a2 users will still be updated to the English version if they use the in-browser updater.
  • Meek Transport users will need to restart their browser a second time after upgrade if they use the in-browser updater. We are still trying to get to the bottom of this issue.

This release also features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Tor to 0.2.5.8-rc
    • Update Firefox to 24.8.1esr
    • Update meek to 0.11
    • Update NoScript to 2.6.8.42
    • Update Torbutton to 1.6.12.3
      • Bug 13091: Use "Tor Browser" everywhere
      • Bug 10804: Workaround fix for some cases of startup hang
    • Bug 13091: Use "Tor Browser" everywhere
    • Bug 13049: Browser update failure (self.update is undefined)
    • Bug 13047: Updater should not send Kernel and GTK version
    • Bug 12998: Prevent intermediate certs from being written to disk
    • Bug 13245: Prevent non-english TBBs from upgrading to english version.
  • Linux:
    • Bug 9150: Make RPATH unavailable on Tor binary.
    • Bug 13031: Add full RELRO protection.

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

September 26, 2014

Permalink

my torrc file i edit it
to use many ports and i manually put every port in my firefox browsers (many profiles)
each profile working with diferent port
but when i restrict an exit node to be from us or ca
all port give ips from us
how to edit that to make every port give ip from different country
i want to make port 9150 give {us} ip
and port 9152 give {ca} ip
and so on
but when i write ExitNodes {??} it over write the last ExitNodes {??}

SocksPort 9150
ExitNodes {us}
SocksPort 9152
ExitNodes {ca}
SocksPort 9153
SocksPort 9154
SocksPort 9155
SocksPort 9156
SocksPort 9157
SocksPort 9158
SocksPort 9159
SocksPort 9160
SocksPort 9161
SocksPort 9165
SocksPort 9170
SocksPort 9175
SocksPort 9180
SocksPort 9185
SocksPort 9190
SocksPort 9195
ControlPort 9151
CookieAuthentication 1
KeepalivePeriod 18000
StrictNodes 1

This is impossible, currently. The only thing you could do is run multiple tor daemons in parallel, each with a different torrc.

Anonymous

September 26, 2014

Permalink

Why is IceaWeasel in TAILS still 24.8.0 after the update in TAILS 1.1.2 where it should be 24.8.1?
inb4 "ask the TAILS people" : I don't have an email to communicate with them and I can;t sit around all day on #tails waiting for a TAILS dev to show up.

Anonymous

September 26, 2014

Permalink

Nice alpha. Approve Obfs4 for usage and add it to the next alpha and it will be even better.

Thanks for the interest in obfs4.

Well, the good news on this front is that, the deployment preparations for obfs4 is slowly progressing, and is at the point of "needs bridges", because there isn't much point in deploying a transport if there isn't enough bridges offering the protocol (and indeed the test snapshots only have one bridge by default).

I wrote a post to tor-relays@ the other day soliciting volunteers to run bridges:
https://lists.torproject.org/pipermail/tor-relays/2014-September/005372…

And since people apparently were still using my old snapshot bundles, I also rebased my branch based on Tor Browser-4.0-alpha-3, and uploaded newer snapshots:
https://lists.torproject.org/pipermail/tor-dev/2014-September/007535.ht…

Anonymous

September 26, 2014

Permalink

i have updated to Tor Browser 4.0-alpha-3 version ,and temporarily not find any flaws.Thanks!!

Anonymous

September 26, 2014

Permalink

Hi,
sorry for 1/2 off-topic but TAILS has no forum and its urgent(?).
They have a little bit strange announcement someone may can
explain?:

https://tails.boum.org/news/version_1.1.2/index.en.html
Known issues
The version of tor shipped in Tails 1.1.2 really is 0.2.4.24, not 0.2.4.21 as reported in the logs and by tor --version. The reason is that the package was built with outdated files generated by autogen.sh, but this only affects the reported version, not the code.

AND old announcement -tails 1.1.1- has tor update entry in
https://git-tails.immerda.ch/tails/plain/debian/changelog
tails (1.1.1) unstable; urgency=medium
* Security fixes
- Upgrade Tor to 0.2.4.23-2~d70.wheezy+1 (fixes CVE-2014-5117).

For tails 1.1.2 NO tor UPDATE entry.
Please anybody can explain this?

Anonymous

September 27, 2014

Permalink

This Version can't use in China .
The flash bridges are never worked.
The meek-google can't work. Because of the Google are blocked in China from may.
The meek-amazon can used in Sep. 5th . but it is unstable. Now it can't work.
All of the six FTE bridges are unable to connected. I have tested more than 20 FTE bridges that can use in Sep. 5th. They're all die now.
All of the seven obfs3 bridges are unable to connected also. They need to be updated only. Then it works.
All of the three ScrambleSuit bridges are unable to connected also. They need to be updated only. Then it works.

we're glad to see the bridges be updated in next release.

Unfortunately this is somewhat difficult. Currently the default bridges are run by long time members of the Tor Project (and community), and are not just randomly picked out of BridgeDB as they get substantial amounts of traffic.

It is probably somewhat unrealistic to continually rotate the default bridges (and would place a considerable burden on the administrators), when it is trivial for the GFW people (or any other censor for that matter) to pull the list of default bridges out of the bundle's configuration each time a release happens.

Improving bridge distribution is an interesting (and substantial) research question, which probably is the correct way of addressing this problem, but is something that is extremely non-trivial.

In the mean time, you could try meek via Azure (requires manual configuration, see https://lists.torproject.org/pipermail/tor-dev/2014-September/007525.ht…).

Anonymous

September 27, 2014

Permalink

How do you enable the in-browser updating to go from 4.0-alpha-2 to alpha 3? When I go to Help -> About -> Check for Updates it says TorBrowser is up to date.

Anonymous

September 27, 2014

Permalink

Is Tails in any way vulnerable with the saga of the Bash-a-mole in full rage? I hope this is a redundant question but I rather ask than assume because I have zero knowledge about Debian or its implementations within TAILS.

TIA

Anonymous

September 28, 2014

Permalink

Will 4.0-alpha2 update itself to 4.0-alpha3? Or do we download something?

The update does not happen automatically yet. You should get a notice of a new update is available. Or you can just go to Help -> About Tor Browser -> Check for Updates to check/download manually.

Anonymous

September 28, 2014

Permalink

My system openSuse 13.1 + KDE 4.11.5 running TBB 3.66 always auto logout without any warning when TBB is playing html5 videos at Youtube, It is hard to tell who makes the bug.

if "auto logout" means that you're logged out of youtube, then it is most probably youtube's fault.

some sites, and I'd assume youtube belongs to them, will logout you whenever your IP address is changed (every 10 minutes).

Anonymous

September 29, 2014

Permalink

Ive never tried anything but the TBB.. What exactly is this Tor B alpha? what does it have or not have that the TBB doesnt?

What makes this Alpha so different?

It's in development stage, for folks who want to test it. If you prefer security over new features/bugfixes, stick to the regular one for now.

The Tor Browser Bundle had been renamed to just Tor Browser a while back. This specific version is an Alpha release of the next major version of Tor Browser, meaning it has new feature but has yet to be properly tested. If you want to know more you should research software versioning, but to make a long story short, if you are depending on Tor Browser to keep you safe you should probably stick with 3.6.6 if it works for you.

Anonymous

September 30, 2014

Permalink

Was wondering if Tor employees will work with Free Net and The Invisible Internet Project to better improve Tor networks? I heard that Tor is under attack in all directions.

Anonymous

October 01, 2014

Permalink

I am an idiot but, I haven't used Tor in a while and when I opened the browser, the Tor browser mainpage is telling me I need to DL "Tor Bundle Update". Is this a legitimate, genuine and maliciously benign update from Tor or should I ignore the prompt all together.

DUUUHH.....I LIKE PIE!!! :)

Anonymous

October 06, 2014

Permalink

Hello Torproject,

can you make 'EntryNodes' and 'NumDirectoryGuards'
independent for clients?
Otherwise you can't set 'EntryNodes' and 'NumDirectoryGuards' manually like
declared in consensus.

Thanks a lot.

Anonymous

October 12, 2014

Permalink

Why this piece of garbage does not support random User agent? why not to implement addons like Secret Agent or Random Agent Spoofer?

I dont like the browser bundle, because it is an old version of firefox, but I read that the browser bundle has a unique identity,

well my point is, implement random user agent usage!

The goal of Tor Browser is to make all Tor Browser users look like each other. Not to make you blend in with the rest of the web users in the world. You are after all using Tor, and the Tor exit relay IP addresses are known and public -- and that is not easy to solve, and maybe not even something we *should* solve:
https://www.torproject.org/docs/faq#HideExits

Having a randomly changing user agent can actually make things worse in a lot of ways, since it sure isn't going to help you blend in with the rest of the web users (what other users change their user agent for every http fetch?), and if you change it less often than that, it can become an identifier for you over time.

See also https://www.torproject.org/projects/torbrowser/design/#fingerprinting-l…

Anonymous

October 17, 2014

Permalink

New version major bug for wind XP pro3. As soon as I go into the options-general tab and try to change the default location for 'save files to' a mozilla error pops up and program closes. Reverting to 3.6.6

Anonymous

October 21, 2014

Permalink

This version 4 is just awful. Keeps closing the whole program when the x is hit rather than opening a new tab as in previous versions.
Horrible menu layout compared to the last and I keep hitting the no script button instead of the back button. Crashes if trying to change the default downloads folder. Annoying search engine box even in a blank page. Security, who knows!!