Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users who are affected by Tor Browser crashes might avoid the problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still ongoing.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, in response to the POODLE attack, we have disabled SSLv3 in this release.
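The post points users at about:config preferences twice (the "media.directshow.enabled" crash workaround above, and a later comment about "extensions.torlauncher.start_tor"), and notes that SSLv3 is now disabled. The following added example (not Tor Project code) parses a Firefox-style prefs.js/user.js file and audits those settings; the pref name "security.tls.version.min" (where 1 means TLS 1.0 is the floor, so SSLv3 is off) is assumed here and is not mentioned in the post, and the sample file is constructed for illustration.

```python
import re
from typing import Dict, List, Union

Pref = Union[bool, int, str]

# Matches Firefox pref lines such as:  user_pref("media.directshow.enabled", false);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse prefs.js/user.js lines into {name: value}; skips comments and unknown literals."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        # anything else is left out rather than guessed at
    return prefs


# Expected explicit values for the prefs the post and its comments discuss.
EXPECTED: Dict[str, Pref] = {
    "media.directshow.enabled": False,        # Oct 22 crash workaround
    "extensions.torlauncher.start_tor": True,  # false would run the browser without Tor
}


def audit(prefs: Dict[str, Pref]) -> List[str]:
    """Return one finding per pref that is missing or not set to the expected value."""
    findings = []
    for name, want in EXPECTED.items():
        got = prefs.get(name)
        if got != want:
            findings.append(f"{name}: expected {want!r}, found {got!r}")
    # Assumed pref name: a minimum TLS version below 1 leaves SSLv3 negotiable.
    tls_min = prefs.get("security.tls.version.min")
    if not isinstance(tls_min, int) or tls_min < 1:
        findings.append(f"security.tls.version.min: SSLv3 still permitted (found {tls_min!r})")
    return findings


# Constructed sample user.js for a quick self-check.
SAMPLE = (
    '// constructed sample\n'
    'user_pref("media.directshow.enabled", false);\n'
    'user_pref("security.tls.version.min", 1);\n'
    'user_pref("extensions.torlauncher.start_tor", true);\n'
)
```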

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32-bit OSX bundles very soon. If you are still using 32-bit OSX 10.6, you will soon need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

khled.8@hotmai.com

October 16, 2014


Very exciting! Thanks.

Regarding the following point:

"While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy."

Can't we retain this feature by changing the settings in NoScript? I have re-enabled the cascading scripts by going into NoScript's Settings>Advanced>Trusted and un-checking "Cascade top documents permissions".

Does this not achieve the same thing without the need for installing a new add-on?

To explain, I favor this cascading, as it means I can allow the page to work while blocking the (often extensive) tracking scripts that would otherwise load with it.

khled.8@hotmai.com

October 16, 2014


I agree completely! Such as Google Analytics can be blocked with NoScript while allowing site specific script to run.

GTK: Could you please give you input on this good question? Thanks so much

Your suggested use case was exactly what this change was supposed to make impossible; by allowing some scripts and not others you make yourself easily fingerprintable. Sites can detect when some of the javascript is running but not all of it, and your particular selection may actually be unique to you.

So what to do about GA and other things I would never let run?

This isn't a good solution. All or nothing is not really ever a good thing to offer, there should always be some fine-grained control.

I for one will be using sub-scripts.

I realize Tor thinks it's helping users, but with nearly every new "feature" TB becomes less usable. Like the bullshit about removing the NEWNYM feature and forcing users to trash an entire session just to get a new IP, even if they don't care about linking sessions... (I don't like how Tor forces me into some decisions)

Over the next few weeks I'm going to write a script to do those things Tor Project has refused to allow us to do. Usability has to be important...

We're pushed into a lot of the design decisions based on changes in Firefox. Tor Browser development is largely about triaging to make sure we get rid of all the really bad new things in each Firefox. And Tor Browser has very few developers compared to all the things that need to be done. Please help!

this made me laugh out loud.. "all the really bad new things in each Firefox" ..but it's so true.

roger, if it were up to me, you'd be running mozilla and it would only ship the tor browser bundle, for everyone, by default....and mozilla would actually be financially independent to make decisions to benefit users and devs instead of perpetuating the schizophrenia of claiming to be pro-privacy while constantly, if subtly, giving users up to Google and other advertisers on issue after issue.

arm -i
bang keyboard then press enter
press "N"

There, new IP without trashing browser session or preventing javascript from knowing it's really the same session with a different exit node.

Oh yea, see what I wrote in this sub-topic:
I.e. all the NoScript allowed scripts are only temporary, for that time-frame at the web site (or page). Not using white-list.

Me again:

When allowing site specific scripts to run as the OP suggests, I only use "temporarily allow" so there is no whitelist...

In https://www.torproject.org/about/contact.html.en you never mentioned which key should be used for encryption :)

khled.8@hotmai.com

October 17, 2014


I'm wondering too which key to use.

Right -- doing a group encryption key is no fun in terms of usability.

You could mail us individually. But we might not answer, since we're flooded with people mailing us individually already.

Finding us on irc might be the best answer, but that's not so good in terms of usability for you.

Basically we need a more thorough support team, and currently we don't have the resources or people to do that well. Please help!

How to run Tor Browser without Tor?

First off, I have to wonder: why?

If you really want to do it for some reason, you might try to check the Whonix documentation to see some of their changes, but be sure you're doing what you think you're doing.

Why would you want to do that?

I do the same for two reasons:

1. To use a more secure browser without anonymity ;-)

2. To use JAP when Tor IP exits are blocked.

Firefox with NoScript and HTTPS everywhere in an identical setup provide equivalent security to TBB.

Uh, sorry, this isn't true.

See
https://www.torproject.org/projects/torbrowser/design/
and
https://www.torproject.org/docs/torbutton/en/design/
and
https://gitweb.torproject.org/torbrowser.git/tree/master:/src/current-p…

Depending I guess on what you meant by "identical setup" -- perhaps you meant identical including all the patches and config changes? :)

They may have an isolating proxy.

In about:config set extensions.torlauncher.start_tor to false

Tor browser crashes every time I use NoScript "Temporary allow..."

Do you have steps to reproduce your problem?

I tried many times and could not. I used Huffingtonpost as the test site (lots of scripts).

After temp. allowing all scripts it loaded fine.

I get crashes like this in win8.1:
gmail
- Login
- temporarily enable scripts
- page starts loading, but tor stops working before it finishes.

Using win8.1 I get the same crash when logging into gmail. It happens right after I've logged in. I can use gmail for a little bit but then it crashes. No more than 10 seconds. I don't enable scripts and it does it.

Also using windows 8.1 here and have the same issue. I've noticed that Gmail works up until the point where gchat would load. Then it crashes. I haven't had a chance to try it using the HTML only fallback version.

Interestingly enough, on the same connection, when I booted to Linux Mint, I didn't have any issues with Gmail. It appears to be a problem only in the Windows version.

The problem is very reproducible, load gmail from the latest tor browser 31.2.0, tor browser 4.0 on windows 8.1 (and judging from other comments on windows 7 as well). As soon as google chat loads, the browser crashes. This happened on two separate machines, but did not happen when I booted into Linux Mint.

I have the same problem with Tor 4.0 on Win 7. I temporarily allow scripts on Gmail for login. Login is successful, but Tor crashes completely in about 10 seconds. Reverted to Tor 3.6.6, and it works fine as usual.

I also had this issue with Win 7. It seems to crash just as the chat/hangouts applet is loading.

Same problem here on Win7 x86

I have same problem. but when I login in basic HTML format, it works properly

AVG detection on Browser itself !

Yeah, if you read some of the comments on that page it's hilarious.

AVG has been detecting Tor browser for some time. That doesn't mean there's a virus, and saying Tor Browser is a type of Adware called Unknown... AVG is just setting up a wide net and dumping everything that their scanner comes up with as possibly questionable in unknown.

libssp-0.dll is missing from my computer.
I have Windows 7, and only unzipped Tor, did not install. I always use it without installing.
Tried to copy libssp-0 into c:\windows\system32 but still the same error...

Right -- you can't just unzip it, you have to install it. The installer rearranges the files to be in the right places.

Some people want it to be different. You should submit a patch so the zip file can be used too.

There is no reason for not running the installer.
It just extracts files, no registry entries are created.
If you run the installer, the right location of libssp-0.dll will be:

  1. Tor Browser\Browser\libssp-0.dll
  2. Tor Browser\Browser\TorBrowser\Tor\libssp-0.dll

There is no reason to USE installer! An archiver can extract files and set directories. Why force installer usage? Dumb following commercial practice? "no registry entries are created" -- now, but what about tomorrow?

I managed to make it work.
My shit windows is 64 bit, and the dll directory is c:\windows\s68wow ... something.

looks like off to shaky start on Ubuntu 14.

- menus are not there
- bookmarks button is not there.

You can enable the menu bar by right-clicking on the toolbar and you find the bookmarks button behind the Open Menu button on the right side of the toolbar.

I know how to do that, but be assured that many, many people do not.

They can download and use Tor Browser but can't do a simple task such as decorating.. pls..

No, this is a bug. See my post about Win 7 and my ticket, here: https://trac.torproject.org/projects/tor/ticket/13438

New version 4 will not even run on ubuntu 14.04 x64 for me. Tried multiple times, no luck at all. Had to return to previous version 3.6.6

I could not get it to run either if i download and run tor browser bundle but when used/install with torbrowser-launcher it works fine.

also the download and home button are missing

yes mine too