Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users that are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still on-going.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note, though, that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

October 16, 2014


Could some Tor experts/developers tell me whether Tor Browser 4.0 (Linux-64bit) leaked personal details when the following errors were encountered, in particular my Tor browser ID 1413456385345:

Oct 16 18:37:17.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362
Oct 16 18:46:25.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456412233 addons.xpi WARN Download of https://www.eff.org/files/https-everywhere-4.0.2.xpi failed: 2147500037
Oct 16 18:46:52.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362

No, I don't think so. This happens after all your browser state got cleared. This issue is tracked in .......

Thanks for your reply.

Referring to my previous post, are the numbers 1413456385345 and 1413456412233 unique to my Tor browser? Will they deanonymize me?

I have also seen the

"addons.update-checker WARN HTTP Request failed for an unknown reason"

error message and can confirm it's thrown at times when my browser state is not being cleared.

Do you know why this would be happening, especially given all the recent attention to the updating mechanism?

Kudos on a great release!

Anonymous

October 26, 2014

In reply to by Anonymous (not verified)


This is from my terminal

Oct 26 17:45:55.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Oct 26 17:45:56.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Oct 26 17:45:56.000 [notice] Bootstrapped 100%: Done
Oct 26 17:45:58.000 [notice] New control connection opened from 127.0.0.1.
Oct 26 17:51:57.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1414363917043 addons.update-checker WARN HTTP Request failed for an unknown reason
1414363917045 addons.update-checker WARN HTTP Request failed for an unknown reason

what just happened?
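
The 13-digit prefixes asked about in the two log excerpts above (1413456385345, 1414363917043 and so on) parse as millisecond Unix timestamps, the format Firefox's logging module writes, and they line up to the second with the neighbouring tor lines. The Python below is an added example, not part of the original post or comments and not Tor Project code; it merges both line formats into one UTC timeline, and its function names, the 15-minute rounding used to infer the tor log's clock offset, and the borrowing of the year from the Firefox lines are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Lines copied from the two log excerpts posted in the comments above.
SAMPLE_OCT16 = """\
Oct 16 18:46:25.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456412233 addons.xpi WARN Download of https://www.eff.org/files/https-everywhere-4.0.2.xpi failed: 2147500037
Oct 16 18:46:52.000 [notice] New control connection opened from 127.0.0.1.
"""
SAMPLE_OCT26 = """\
Oct 26 17:51:57.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1414363917043 addons.update-checker WARN HTTP Request failed for an unknown reason
1414363917045 addons.update-checker WARN HTTP Request failed for an unknown reason
"""

# tor daemon line: "Oct 16 18:46:25.000 [warn] message" (local time, no year)
TOR_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.(\d{3}) \[(\w+)\] (.*)$")
# Firefox logger line: "<13-digit ms since epoch> <logger> <LEVEL> <message>"
MOZ_RE = re.compile(r"^(\d{13})\s+(\S+)\s+([A-Z]+)\s+(.*)$")


def moz_time(ms):
    """Convert the numeric prefix (milliseconds since 1970-01-01 UTC) exactly."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base + timedelta(milliseconds=ms % 1000)


def parse(text):
    """Parse both line formats, keeping file order. tor prints local time
    without a year, so the year is borrowed from the Firefox timestamps in the
    same capture (an assumption that fails across a New Year boundary)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = MOZ_RE.match(line)
        if m:
            events.append({"src": m.group(2), "msg": m.group(4),
                           "utc": moz_time(int(m.group(1)))})
            continue
        m = TOR_RE.match(line)
        if m:
            events.append({"src": "tor", "msg": m.group(4),
                           "stamp": m.group(1), "ms": int(m.group(2))})
    years = [e["utc"].year for e in events if "utc" in e]
    for e in events:
        if "stamp" in e:
            if not years:
                raise ValueError("no epoch-stamped line to take the year from")
            local = datetime.strptime(f"{years[0]} {e['stamp']}", "%Y %b %d %H:%M:%S")
            e["local"] = local + timedelta(milliseconds=e["ms"])
    return events


def infer_utc_offset(events):
    """Estimate the tor log's UTC offset: pair each Firefox line with the
    nearest tor line in file order and round the gap to 15 minutes."""
    tor_idx = [i for i, e in enumerate(events) if "local" in e]
    votes = Counter()
    for i, e in enumerate(events):
        if "utc" not in e or not tor_idx:
            continue
        j = min(tor_idx, key=lambda k: abs(k - i))
        gap = events[j]["local"] - e["utc"].replace(tzinfo=None)
        votes[round(gap.total_seconds() / 900) * 15] += 1
    if not votes:
        raise ValueError("need both tor and Firefox lines to infer an offset")
    return timedelta(minutes=votes.most_common(1)[0][0])


def timeline(text):
    """Merge both formats into one UTC-ordered list of (utc, source, message)."""
    events = parse(text)
    offset = infer_utc_offset(events)
    rows = []
    for e in events:
        if "utc" in e:
            utc = e["utc"]
        else:
            utc = (e["local"] - offset).replace(tzinfo=timezone.utc)
        rows.append((utc, e["src"], e["msg"]))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for sample in (SAMPLE_OCT16, SAMPLE_OCT26):
        print("inferred UTC offset of tor log:", infer_utc_offset(parse(sample)))
        for utc, src, msg in timeline(sample):
            print(f"  {utc.isoformat(timespec='milliseconds')}  {src:<22} {msg[:60]}")
```

The prefixes are therefore times, not per-installation identifiers. What a pasted excerpt of this kind does expose is the machine's UTC offset, which falls out of comparing the two clocks.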

Anonymous

October 16, 2014


thanks a lot
why you jumped to version 31 ESR, while it is still in 24.8.x branch?
please blog back an answer

Because there are no security updates provided anymore for ESR 24.

When there are no more security updates for ESR 24, it must mean that ESR 24 has NO security vulnerabilities. It must mean that ESR 24 is THE most stable and secure version, yes?

YOU are right, historically there are _always_ significantly more security holes in "newest exciting etc." software. Seems tor joined race for "new release every week", not ready? - push it and collect users replies.

Well, a) this isn't the newest exciting software. We have joined the FF31 extended support release part-way through its cycle. And b) indeed, we were pushed onto FF31 by having FF24 no longer supported. At least they gave us a schedule so we knew it would happen.

If you know of other better browsers out there for adapting, I'm all ears.

In the mean time, also be sure to read the bottom of
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-har…

Why at least not to give user a _choice_ to select new or previous release? And as you have skilled people who know where to change code to make it more secure for FF24 why should they run for FF31...FFnn?
OK, may be hardenedTM and shinyTM versions of tbb? Isn't it a choice of compiling options? So what about such a little step? And it's fine have just "This package requires no installation. Just extract it and run." for HardenedTBB for windowz.
iSEC Partners ... they can just try to fill a bug report.
btw it's not mozilla writing browser code, it's people.

It is indeed people writing browser code, but it's hundreds of them, not the three or four that we have on Tor Browser. You'll have to take my word for it that trying to maintain an old abandoned Firefox with three or four people is a really bad move.

Or if you don't believe me, I invite you to go do it for us. :)

Anonymous

October 16, 2014


how do I enable the "bookmarks toolbars" I can not get to "view" menu on Ubuntu?

Anonymous

October 16, 2014


What a worthless ugly POS browser. There has got to be something useable out there?

What's wrong with it? If you are moaning about captchas that's not Tor's fault, if you're moaning about youtube videos not playing simply refresh the page and it works fine. Otherwise I don't know your problem.

Anonymous

October 16, 2014


Different behavior between new started browser 4 and "New Identity". (win 7, noscript: done: forbid settings globally)

Start 4.0. Open http://ip-check.info/ for privacy test. A window appears "Authentication request". This is a test, click cancel. Then Site loads and you can click start test. And later the result comes.

Now "New Identity". Open http://ip-check.info/ for privacy test again. NO window appears anymore with "Authentication request". Most of the time it loads and doesn't stop. I retry with same URL. Sometimes you get on the page for the test. But no window "Authentication request".

If you close and start the browser, and open http://ip-check.info/, the window "Authentication request" appears again.

I always thought "New Identity" is the same with closing and starting the browser. As this example shows, there must be a difference. Is this a security/privacy problem? What is the difference between "New Identity" and closing/opening new browser? Best is to close and reopen the whole browser, not "New Identity" IMO.

Thanks for comments.

I always knew that it's not the same, simply by the much shorter time frame that "new identity" button took to "restart" the browser in comparison to manually restarting it (e.g. through disabling an add-on and clicking "restart now").

Anonymous

October 16, 2014


"While we do not recommend per-element whitelisting due to fingerprinting", but if you "revoke temporary permissions" before going to any website and then allow only the scripts that are necessary to view the page, and you do this with every website, can they fingerprint you?

Fingerprinting due to per-element whitelisting is excluded then. Not sure whether this behavior opens up new holes as you would probably be the only one doing this cumbersome ritual. Might be dependent on what you mean with "they".

Exactly what I have been writing: simply don't use a whitelist with NoScript. Allow temp. scripts per page, every time, and then revoke permissions.

I wonder if NoScript has a feature that the temp. permissions can be auto-revoked when the page is no longer loaded?

Anonymous

October 16, 2014


tor browser bundle 4.0 not working at all on windows 8.1 64bit, no gui pops up, tor.exe appears in task manager for a few seconds then disappears

Anonymous

October 16, 2014


Thank you so much for your unrelenting efforts! (So cool about Meek!)

A surprise: I am embarrassed to comment that the upgrade pooted my year's glut of bookmarks. This I did not expect because always before they remained intact, ergo, this time I did _not_ make a back-up. Heh. (Linux 32-bit english, btw.)

So be warned and be not lazy like me.

Thank you again, Tor folks!

I was surprised when mine were erased as well. I don't usually read the release notes for TBB updates before I download the newest version. If the home page tells me to update, I just automatically do it. I don't know why, but I do.
Anyway, If you still have, I think it was 3.6.6, open the browser, and export the bookmarks as an html. Then just open 4.0 and import it.

Anonymous

October 16, 2014


WHY????

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: ----
Additional Information 1: --
Additional Information 2: --
Additional Information 3: --
Additional Information 4: --

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Anonymous

October 16, 2014


apropos "pooted bookmarks" posted above (by me):

Embarrassed again - I found them! It appears that the new TBB's "show all bookmarks" and "restore" option did not go to the right place to find the backups.

Sorry. (I do not know which comment has the greater "doh!" factor!)

Thank you again.

Anonymous

October 16, 2014


Remarks on :

- Torbrowser 4 functionality
.

Final extended feedback-remarks on :

- Dropping Mac support !!
- Bringing back separate tor network connection bundle

.

1) Torbrowser 4.0 browser feedback

- Media tab is still missing in page information while this tab is available in firefox ESR versions and torbrower 3.6.5 and before.

- Security tab, Technical details is still empty.

- Port management function tab is just deleted, missing

- Alternative connections, config bridge questions
a) Some bridges need Python application to connect internet.
Why is python needed, what are the extra security risks when python versions are not the latest.

b) Alternative to not using python connections is using meek-Google, meek-amazon, what about these companies using behavior analytics, device profiling in return?
What about user privacy?

c) Custom bridges, gives opportunity to manage ports but is absolutely non friendly in distributing system when people are looking for certain ports.

see remarks down

.

Quoted :

"Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails (https://tails.boum.org/) live operating system."

.

2) Mac dropping - regarding this remarkable decision

- It seems a developer only decision that is taken by bypassing users in a sort of developer background discussion for which people had to register to take part!
Registering to take part in a discussion about a anonymous browser?
That was not a really user friendly option, it's more a way to threshold user feedback.
.

A reason to give a final feedback on this now and here.
.

- It seems a decision that seems not to be taken on a fact basis.
About specific user usage facts per country for example to actually serve the Torbrowser user group.
Just mentioning a world wide average number does not make sense in any way at all. You cannot compare the countries you are serving in many ways and therefore not use one general statistical number.
.

- It just could be that the target group of the Torbrowser users are not all capable to buy new and fast computers.
Forcing users to buy new, newer or computers with an other os does not have anything to do with working on a realistic solution and will lead as usual to a common user solution for which some developers will not understand nor see nor recognize, working with unsupported versions of software because the user cannot upgrade anymore and does not feel the urge to throw away working hardware.
.

- Did the developers actually seriously try out their own suggested OS X solutions working with tails?
I don't believe so, take a bunch of 2006/2007 Macs and try it yourself.
Then, just invite an average computer user and ask them to do it.
Will they succeed? In how many days?

Impression, Tails is not actually such a lightweight distro and seems not to be meant for 2006 computers to run.

Suggesting that making a bootable OS X tails usb is not so easy, or, but preferred to do is far from every reasonable OS X user reality.
Besides, it will probably not work anyhow what makes this more like a 9th circle area exercise. Not the kind of energy people are looking for.
A exercise that OS X users are not used to, will not seriously consider, maybe also not in the least because it's far too difficult, beside pgp check troubles, and leads them to a complete change of operating system to just make one browser work?
What do you think?

The result will be in advance or again that people stay using old unsupported Torbrowser versions because they have no choice.

A supported 32 version would maybe not 99.99% secure but more secure and far more wanted than a unsupported Torbrowser.
Give people the opportunity to decide and don't push them to more insecure behavior.

.

3) 100% security dream - back to reality - real OS X threats

Dropping support arguments against real threats, what is actually the problem ?

The perception that some things in the Torbrowser are not safe?
It is a good thing to recognize, to look for and work on solving that.
So, although it seems a good idea to work on extra security it seems that the argument department is not really clear nor convincing, seems at least not in a realistic balance.

To put it in another way, there seems to be some misbalance between high advanced possibly possible risks and threats that are used as arguments to drop down support while the easier solutions or threats are still unsolved.
Why not begin with and first finish all the issues that all could be solved within the existing Torbrowser, they still had not in 3.6.6. as reported by user feedback over here and in the Torbrowser security analysis report.

.

Some examples
.

- Why taking the possible ASLR exploits as an Mac dropping support argument while not having solved the most easy basic and essential solutions in the Torbrowser and addons itself as mentioned in the report.
Javascript technique is commonly used in infection routines, could affect lots of people, and should have had more priority than this sudden sophisticated possible exploit argument which is far more rare.
Remarkable Security risk balance.
.

- Some time ago the Torbrowser team had a big report written about security threats for OS X and the Torbrowser.

But not having investigated the basic issue of one very uncommon Torbrowser solution in OS X that maybe could lead to bad permission privilege escalation.
Privilege escalation possibly served by placing the Torbrowser in the general applications folder, which is normal, but not really normal with a direct write permission to that environment because it is continually storing its temporary files inside the bundle instead in a local user library like all other apps usually used to do.

It's clear why everything is in one bundle, it's not clear if placing the Torbrowserbundle in the application directory is actually really safe.
This is a big security related decision that has effects for all OS X versions and is not investigated while the security of the browser and Os X was analyzed by a security research company?

Bit remarkable to only focus on the 64 bit discussion and take Chrome as a example for 64 bit security while they even only had a beta version at that time. Firefox ESR is 64 bit and is even working on 32 bit Mac's without a problem.
Possible Privilege escalation Security risk related for all OS X versions.
.

- More security threat misbalance?
In what way is the Torbrowser protected when running from an usb stick?
It seems that any malware can change the browser files because the usb stick is running in the same local user permission area.
USB infection Security risk related for all OS X versions.
.

- In which way the Torbrowser is getting safer by enlarging the attack surface in the usage of extra processes that need internet connection?

This new Torbrowser 4.0 version even needs a python application to make access to the internet?
That makes two, or three applications connecting to the internet for the usage of one browser.
Users have to monitor the security status of their Python application as an extra, manually updating python in OS X is not a easy thing to do for average users and Apple security updates for python are not that common or taking place that often.

Besides, the big malware outbreak in 2012 with the flashback malware used Java and python functionality. The difference is that in Mac OS X there is no option to monitor the Python application or even a preferences pane like Java has.
Python and internet usage, security risk?
Anyhow related to all OS X versions, but especially for the not the newest versions.
.

- Degrading security by deleting port config options.

Why is the managing ports security option totally removed?
That was actually not a bug but a security feature.

Some people want to manage their computer ports instead of leaving them all open. So, removing a security option because some users did not understand the way it worked?
What is the balance here in the whole security discussion perspective?

To manage ports, there is a one very non practical option left.
This option is to enter custom bridges and look for addresses connected to certain ports? That is a lot of manual work! Especially if one wants to change the addresses once in a while.

Remarkable is that people can ask a list of bridges by email and the suggestion to use a gmail account.
Gmail? Google? Privacy?
.

- More about privacy.
What does the usage of amazon and Google Meek with the privacy of Torbrowser users?
Another new profiling addition to Google analytics, exitnode analytics, system profiling analytics?

Torbrowser seems to have a very dualistic moral and practical relationship with Google on privacy matters and actual cooperation, Google search is still asking for captcha's in return for usage for example.

.

4) Security arguments and Security threats for Mac OS X

Slightly rhetorical question, could the security researchers and developers please tell the Torbrowser Mac users what the actual realistic malware threats are for OS X and the way targeted attacks take place?
Could they please give some figures and examples in which way the threats will be much higher for the older 32 bit Mac systems compared to 64 bit and newest Mac OS X'es?

Please show these big differences with figures about infected Mac's divided in older and newer OS X'es.
One should convince the users by comparing facts and arguments, right?

You will probably not find these figures or have these available because there is probably not such a big difference in infection rates by OS X version.
And when you even would find figures about older infected compromised Mac's even then the compromising reason is usually not the older OS X version itself.

For what I see, read and know, which is maybe not enough, is that far most malware and even targeted attacks are using methods which don't actually need the safer 64 bit browser functionality that hard.
Not a reason to not work on it.

By the way the original Firefox ESR is already a 64 bit browser is there for years and also runs on 32 bit systems by the way, so why cant the Torbrowser be?

.

General, most seen, more common, simple attack surface for Mac
.

a) Social engineering

- A user has to actively install a malware application with the help of giving admin permissions, ignoring warnings and active further cooperation.
Or even like just installing a normal application.
Working all day within a admin account helps malware developers a lot, a lot of people do and it's not smart. A safer browser won't help against this.
.

b) Internet browser

- The usage of javascripts which you can manage with noscript also in Torbrowser
- The misusage of browser plugins like flash and java, which are managed already in the config of Torbrowser
- The usage of feedback information the browser is giving, which are managed in the config settings of Torbrowser.
So a Mac Torbrowser is actually telling that it is a windows system which reduces the attack surface already. Most malware attacks are based on user agent strings. Windows malware does not work on OS X.

Although it seems that there is one hidden setting that can tell the outside world that it is a Mac Torbrowser!?
One will notice when there is a update available and get a specific Mac redirect.
Wouldn't it be safer to remove that option as well before it will be misused?
People are probably smart enough to choose between the Windows, Mac and Linux download button on that same download page.
.

c) Non apple non up to date software

- adobe flashplayer plugin
- java and java plugin
- ms office for Mac, 2004 for example
- adobe reader
- fake video codec's and misusage of non up to date video players like vlc player.
.

d) Non up to date apple software

- Safari browser, take Torbrowser as long as they are supporting it, otherwise 64 bit firefox
- Java Mac versions 6 is 1.6 and earlier

.

All these threats above do not really primarily have to do with the arguments to drop support for certain Mac's or older OS X'es.
.

With one exception,
(e) that people could simply avoid because it is not necessary!
Running Mac OS X 10.5 or 10.4 on a Mac with a intel processor. Just take at least OS X 10.6 on that intel Mac.
.

(f) Learning from out of support site threats !

When not having facts and figures available about OS X versions related to malware and targeted attacks, one could also learn from Mac malware in another way.
When malware seems to have another motive than a criminal motivation and targets specific groups or organizations, the malware is especially, almost always targeting and written for older Mac's with older unpatched program's.
Mac's Torbrowser even missed to support.

It is very easy to conclude from there that there especially is a possible need for Torbrowser support on older Mac's and also direct proof of the fact that older Mac's are still in more than main average figures used by people that especially can use that extra security too.

In plain english, the customer group Torbrowser is talking about and heading for.
The group that will not have support anymore, or even did not have at all because they use even older Mac's.
The group that, according to Torbrowser team, should buy newer, other computers or just go to Windows or Linux?

Maybe they do,
a lot of them probably won't, it's just the way things will not work. Something with everlasting gap between user behavior and developers future possible functions perception.

.

5) Smart behavior before even upgrading

Mainly all above threats are to stop by good and smart behavior within every OS X and using options that are already in the Torbrowser itself.

When using the possibilities that noscript will give a user or with the built in possibilities of changing some about config settings.
You do not need the latest OS X for that,
You do not need to upgrade your OS X for that,
although it is a very good idea to do if you can on that system.

One should be prepared to other attacks and make a safe browser and that is a good goal.
.

In this specific already former dropping Mac discussion I get the impression that it's not the arguments that are counting but possibly more other wishes like having less work, don't like a fat application to distribute.
While a lot of other developers made universal applications for OS X or just served two. But Torbrowser cannot?

Further on, one can understand that it is more trendy to market and to show having a 64 bit browser available. Does not count for the ones who will be abandoned by Torbrowser.
.

This discussion is more than a slightly different argument perspective and accent.
Something that is missing everywhere in the general developer progress arguments and wishes usually ending in fat system requirements.
That is probably why we also have to buy new computers again with more heavy specs to still do the same simple things we do the most, browsing, mailing, writing, watching some photos and video.

.

6) What is actually wrong by offering two versions, 64 bit 32 bit?

Even offering a stripped 32 bit version with higher more strict security settings and less functionality if it could have security implications.
Strong example: Browsing with no javascript activated is always better than no opportunity to browse at all!

When offering a separate version, then you can also measure the need for the 32 bit browser and make a decision, at least based on facts by usage numbers.
Which is still not a guarantee for an acceptable moral decision, but it's a far better start than just dropping without knowledge.
Better than privacy and safety for the upper class, rich and the west. Did not get the impression that is the main goal for offering tor.

Question,
When dropping support, please do so with fair arguments and listen to your users, next time give them a real anonymous opportunity to give feedback on important anonymous browser issues.

Unfortunately a long story, just the other side in this not so open browser discussion that I wanted to point at.
I agree on working at a good security product and I do appreciate the effort of all the people who did work on that a lot, no misunderstanding for that.

.

7) Food for thought

When supporting older systems or browser versions is not an option for the tor developers anymore.
Maybe it would be an idea to give users the option back to distribute a separate app again to separately connect with the Tor network.
Vidalia download option?

In this case, the abandoned users and even users with older Macs could use another still supported Mozilla fork browser in combination with the Tor functionality.

The Torbrowser developers that are dropping support could leave the possibility open for others to create some sort of a torbrowsing fork experience by using another combination with browsers that still are supported by other enthusiastic developers for even older OS X versions and a lot of even older Macs that are in business and used in other parts of the world.

.
If this long feedback on dropping Mac support contribution is placed, I hope so, thank you very much for placing this user feedback.
Hopefully helping anyone with it,
especially the Torbrowser developer team.

All the best,

Anonymous

October 16, 2014

I mark a word in this forum, right-click and choose "search startpage [word]". A new tab opens with the startpage site, but without the marked word and with the alert: "noscript filtered a potential post-site-scripting (XSS) attempts from [Chrome]; technical details have been logged in console."

In the console:

[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/rto/search] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request

This is all new for me, what should I do? Thx.

I have this same problem with vanilla Firefox. It seems to be a combination of NoScript blocking + a search engine that uses POST rather than GET. It is probably a bug in NoScript.

Anonymous

October 16, 2014

The mac download link on the main page gives the following error:

Not Found

The requested URL /dist/torbrowser/3.6.6/TorBrowser-3.6.6-osx32_en-US.dmg was not found on this server.
Apache Server at www.torproject.org Port 443

Apparently the link needs to be updated to point to the dmg files here: https://www.torproject.org/dist/torbrowser/4.0/
The English Mac version I downloaded from the distribution directory link works.

Anonymous

October 16, 2014

"We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version"

>> Okay, but I don't see any 64 bit OS X bundles available. Where can I download them?

Anonymous

October 16, 2014

On October 16th, 2014 Anonymous said:
...
> Is it safe to install the theme classic theme restorer?

I don't know, but ... I did it anyway, first thing, and the devs should be aware that a lot of us probably will.

The fact that a lot of us are installing it should help prevent fingerprinting from being too effective though unless a majority of us use a decent UI we'll still show up a bit when we enable js.