Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users who are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still ongoing.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note, though, that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.
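The paragraph above recommends GPG signature verification over the new updater and notes that 4.0 cannot be unpacked over 3.6.6. The following is an added example, not part of the original post or of Tor Project tooling, that does both for a manual install; `EXPECTED_FPR` is a placeholder and the function and file names are hypothetical.

```shell
#!/bin/sh
# Placeholder, not a real key: use the primary-key fingerprint of the release
# signing key, obtained through a channel you already trust.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin; print the primary-key fingerprint only
# when a GOODSIG line (good signature, key not expired or revoked) and a
# VALIDSIG line are both present. Field 12 of VALIDSIG is the primary key's
# fingerprint even when a signing subkey made the signature.
primary_fpr_from_status() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG" { good = 1 }
         $2 == "VALIDSIG" && NF >= 12 { fpr = $12 }
         END { if (good && fpr != "") print fpr; else exit 1 }'
}

# verify_and_extract ARCHIVE SIGNATURE DEST
# Returns 2 if DEST already exists, 3 if the signature check fails.
verify_and_extract() {
    archive=$1; sig=$2; dest=$3
    if [ -e "$dest" ]; then
        echo "refusing to unpack over existing $dest; move it aside first" >&2
        return 2
    fi
    fpr=$(gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null \
          | primary_fpr_from_status) || fpr=""
    if [ "$fpr" != "$EXPECTED_FPR" ]; then
        echo "signature missing, invalid, or not from the expected key" >&2
        return 3
    fi
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Usage (file names are placeholders):
#   verify_and_extract tor-browser.tar.xz tor-browser.tar.xz.asc "$HOME/tbb-4.0"
```

Comparing the fingerprint, rather than trusting gpg's exit status alone, matters because `gpg --verify` succeeds for a good signature from any key in the keyring.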

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

I can't get Tor to work. Just got the update and nada. Doesn't even boot up the browser. The programme is stopped within a few seconds of trying to open up the browser. Any ideas on how I can solve this problem?
I have downloaded the package so many times today and same result since the initial download.
I have uninstalled virus protection etc and tried to install Tor again. No luck at all. I have to give up for now because I'm out of ideas on how to get it working. Can't even find an older version of Tor to download.

Same here. I haven't had issues running earlier versions of Tor before on my PC (running Windows 7 64bit with all the latest patches) but after I install Tor 4.0 and tell it to launch or when I click on Start Tor Browser nothing happens (browser doesn't launch).

Exactly the same problem for me. 3.6.6 has been running great on several of my Win 7 64-bit machines and also runs from a USB stick elsewhere, but no luck at all with the new updated 4.0 install. WHY?

yes tor is filtered via google ..., and your big brother... once was good now is made absolute junk! Tor 4.0 is absolute crap....!

Do not run....! This is an obvious flag about safety...! Until they offer a real explanation not just a patch or go into your computer and change settings...I would advise no one concerned of safety initiate Tor...!

Make sure you aren't simply unzipping the archive over an existing folder. I did that and it bombed out (Linux) within a couple of seconds. I had to delete the old folder and then unzip fresh. It worked after that.

Hope that helps.

(Ubuntu 14.04.1 running tor-browser-linux64-4.0_en-US) The new Tor Browser Bundle 4.0 indeed needs to be installed fresh. The 4.0 directory structure has been reorganized, and merging the updated files with the old folders causes it to break.

Yup same here, I initially installed over 3.6 but upon reading the release notes I removed and installed a clean version but it won't boot at all. Win7 64 bit.

I'm using Win 8.1 32 bit, and I'm having the same problem. Even when I delete 3.6 and restart my computer after installation, the browser with 4.0 won't start at all.

Instead of clicking on the "Start Tor Browser" icon, open a terminal (Command Prompt) and type "./path/to/tor-browser_en-US/start-tor-browser" and post the output. That'll give you more information about what Tor and Firefox are trying to do.

Quote from a user further down the page:

"The post about the conflict with Trusteer Rapport appears right! I am pleased to report that I am now able to use Tor 4.0 on windows vista sp2 after disabling Trusteer Rapport.
To disable, make sure firefox is closed, go to : start menu>all programs>trusteer endpoint protection>stop trusteer endpoint protection."

I've been having this exact issue and it was fixed straight away!

Same fault with two downloads of TOR 4 (one to Win 7 64-bit; one to Win 7 32-bit).

Both machines had previously downloaded several upgrades of TOR up to and including 3.6.6 and all had worked without problems. What has changed in the TOR process?

Installed fine for me except for a problem with unpacking in a Truecrypt volume. The unpacking refuses to create a symlink for the starter. The Browser folder unpacks just fine however and the starter is located in it.
Thanks for your work! I just donated.

Anonymous

October 15, 2014


awesome! thanks a lot for your endless effort.
Can you please answer my question? isn't it negative to my anonymity if google and amazon know that I'm using tor, know my real ip, my first hop, and my second hop? doesn't it make it much easier to deanonymize me by the -you-know-who agency by merely requesting this data from google and amazon with a single letter to the latter? all what's left is finding out my exit node (third hop) which is pretty easy since they know all my previous hops?

Not sure I follow here but if they already know your real IP the game is over. I don't know either why you think they already know your first and your second hop. That should not be the case. And knowing that you use Tor is not singling you out with respect to Google and Amazon given that there are a lot of Tor users using these services.

as i understand meek connects to google/amazon/microsoft and so using meek-google and meek-amazon and meek-azure doesn't it make it obvious to google and amazon and microsoft that I'm using tor? and if so, they know my real ip, and since they're my first hop they know my second hop (isn't the connection to the second hop routed thru their services?) and if I'm logged in to one of their services (from a different browser but same ip) for example to gmail, amazon, or hotmail they know my real identity and much more. isn't that deanonymizing?

Amazon/Azure/Google only know your first hop, not your second hop. Amazon/Azure/Google are not your first Tor hop; they are something you pass through on the way to your first Tor hop. Check this comment on a previous blog post and the graphic in the meek overview.

There's a proposal to, in the future, use four hops for circuits that use a bridge, so there are three client-chosen hops after the first bridge hop.

You are right that the situation is worse when you are using meek and you are also browsing Amazon/Azure/Google. Then Amazon/Azure/Google sees both your entry and your exit traffic, and they can try to do timing correlation in order to deanonymize you. (But keep in mind that the same problem exists when you are using an ordinary bridge that is running on e.g. Amazon EC2.)

Anonymous

October 16, 2014


tor is growing strongly. we just to need how strong adversaries hunt specific users

Anonymous

October 16, 2014


Thanks Tor.

Meek-azure/amazon works in mainland China, but the azure bridge is so slow that it takes about 6 minutes to connect to the Tor network.

Thank you for trying it. Here are tickets we're working on that will make meek faster.

  • #12428 Make it possible to have multiple requests and responses in flight
  • #12778 Put meek HTTP headers on a diet
  • #12857 Use streaming downloads

Anonymous

October 16, 2014


How to change the tabs style to the classic? I would like the classic style of tabs. How to change it in new Tor Browser 4.0?

Has anyone audited that addon for security vulnerabilities or fingerprinting? Because "probably safe" doesn't really help users who depend on tor and doesn't come off as well informed about the issue.

Anonymous

October 16, 2014


How to disable Australis (hate this thing)?
Is it safe to install the theme classic theme restorer?

One thing Classic Theme Restorer did for me was it changed the window height by one pixel. Tiny thing, but still identifying information... I got around it by adding the setting "extensions.torbutton.window.innerHeight" (integer) and setting it to 901. There could be other problems too, of course.

It should be, classic theme restorer is unlikely to add anything new that could be exploitable though if you don't disable javascript it might add a new exploit path.

It may if you've got javascript enabled make you easier to fingerprint compared to those who suffer through ChromeFox.

Just wanted to add that getting back the add-ons bar is not merely a cosmetic concern.

For example, add-on bar visibility is needed for TBB users to be able to use the CipherFox extension which provides, by default, UI-visible information about the ciphers/CAs in use on a tab.

Try "The Addon Bar (Restored)" v 3.2. It's a Firefox add-on.

As for putting tabs back on the bottom where they belong :-) try this:

(1) Select Help->Troubleshooting Information
(2) For Profile Folder: push the [Show Folder] button
(3) Navigate into the chrome folder. If it is not already there, create a subdirectory called chrome and navigate into it.
(4) Edit or create the userChrome.css. Make sure these lines are in the file and save it.

@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */

#TabsToolbar{-moz-box-ordinal-group:10000!important}

(5) Close all Firefox windows and dialogs and restart Firefox.

The above is from: http://forums.mozillazine.org/viewtopic.php?f=38&t=2825513