Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users who are affected by Tor Browser crashes can try to work around the problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This workaround has been reported to help while the investigation is still ongoing.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, because of the POODLE attack on SSL 3.0, we have also disabled SSLv3 in this release.
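
POODLE only works against a connection that negotiates SSL 3.0 with a CBC cipher suite, which is why disabling SSLv3 closes it. The following probe, added here as an example and not part of the original post or of Tor Browser's code, sends a raw SSL 3.0 ClientHello offering only CBC suites and classifies the server's first record, so you can check whether a site you operate (or a TLS-intercepting proxy in front of Tor Browser) still accepts SSLv3. The target hostname in the `__main__` block is an assumption; the tests use constructed byte strings.

```python
"""Probe whether a TLS server still negotiates SSL 3.0 (POODLE exposure).

Added example, not Tor Project code. Sends a raw SSL 3.0 ClientHello that
offers only CBC cipher suites (the ones POODLE targets) and classifies the
server's first record. Target hostnames/ports are assumptions.
"""
import os
import socket
import struct

SSLV3 = b"\x03\x00"  # SSL 3.0 version bytes, used for both record and client_version

# CBC suites from the TLS cipher-suite registry; POODLE needs a CBC suite.
CBC_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
]

ALERT_NAMES = {0x28: "handshake_failure", 0x46: "protocol_version"}


def build_client_hello(client_random=None):
    """Return a complete SSL 3.0 ClientHello record (SSLv3 has no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (
        SSLV3                                      # client_version = 3.0
        + client_random                            # 32-byte random
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSL 3.0 ClientHello.

    'accepted'  -> ServerHello with server_version 3.0: SSLv3 is enabled.
    'refused:*' -> an alert (handshake_failure / protocol_version).
    'closed'    -> connection closed (or timed out) without any record.
    'unknown'   -> anything else, e.g. a non-TLS service on the port.
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:          # alert record, description at byte 6
        return "refused:" + ALERT_NAMES.get(data[6], "alert_%d" % data[6])
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        if data[9:11] == SSLV3:                           # server_version follows the 4-byte handshake header
            return "accepted"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Connect to host:port and report how it answers an SSL 3.0 ClientHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.torproject.org"  # assumed target
    print(target, probe(target))
```

A `refused:protocol_version` answer is unambiguous. A `refused:handshake_failure` can also mean the server would speak SSL 3.0 but supports none of the offered CBC suites, and some servers simply close the connection, so treat `closed` as "probably disabled" rather than proof.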

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also adds three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note, though, that meek's performance still needs to be improved to match that of the other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater currently depends on the specific CA that issued the www.torproject.org HTTPS certificate (DigiCert), which is why it is off by default and must be activated manually through the Help ("?") menu's "About Tor Browser" entry. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.
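
The difference between "trusting whichever CA issued the certificate" and site-specific pinning is what the pin actually compares. The code below is an added example, not Tor Browser or Tor Project code: it extracts the DER SubjectPublicKeyInfo from a certificate with a minimal DER walker and computes the base64(SHA-256(SPKI)) pin that HPKP (RFC 7469) and browser built-in pinning use, then checks it against an allow-list. With such a pin in place, a certificate for www.torproject.org issued by any other trusted CA is rejected even though it chains to a trusted root. The sample certificate and pin values are constructed for the example and are not Tor Project pins.

```python
"""What HTTPS public-key pinning compares: SHA-256 of the DER SubjectPublicKeyInfo.

Added example, not Tor Project code. The sample certificate below is a
structurally valid but meaningless skeleton built for the tests.
"""
import base64
import hashlib
import ssl


def der(tag, content):
    """Encode one DER TLV (used here only to build the sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def read_tlv(buf, pos):
    """Parse the TLV at pos; return (tag, tlv_start, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    cursor = pos + 2
    if first & 0x80:                       # long-form length: 0x80 | number of length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[cursor:cursor + count], "big")
        cursor += count
    else:
        length = first
    return tag, pos, cursor, cursor + length


def children(buf, start, end):
    """Yield the TLVs directly inside a constructed value."""
    pos = start
    while pos < end:
        tlv = read_tlv(buf, pos)
        yield tlv
        pos = tlv[3]


def extract_spki(cert_der):
    """Return the full DER TLV of subjectPublicKeyInfo from an X.509 certificate."""
    tag, _, cert_vs, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_vs, tbs_ve = read_tlv(cert_der, cert_vs)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    fields = list(children(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_tag, spki_start, _, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_start:spki_end]


def spki_pin(cert_der):
    """The 'pin-sha256' form: base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der, allowed_pins):
    """The pinning check: the certificate's SPKI pin must be in the allow-list."""
    return spki_pin(cert_der) in set(allowed_pins)


def fetch_cert_der(host, port=443):
    """Fetch a server's leaf certificate as DER (network call; not exercised by tests)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed sample certificate: rsaEncryption OID, empty name/validity fields.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
                  + der(0x03, b"\x00" + b"\x01" * 16))
SAMPLE_CERT = der(0x30,
                  der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
                      + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + SAMPLE_SPKI)
                  + der(0x30, b"") + der(0x03, b"\x00"))
```

Note that the pin covers only the public key, so a site can rotate certificates (or even CAs) without changing the pin as long as it keeps the key, and should pin a backup key as well.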

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting, because of the fingerprinting risk, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to Mac OS X users: We intend to deprecate 32-bit OS X bundles very soon. If you are still using 32-bit OS X 10.6, you will soon need to either update your OS to a later version or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

October 16, 2014

I installed it on 2 different computers running Windows 7. When I open the TOR folder there is a shortcut to "Start TOR Browser" and an application of the same name. Neither works.

Same here. I haven't had issues running Tor before on my PC (running Windows 7 with all the latest patches) but when I install it or when I click on Start Tor Browser nothing happens (browser doesn't launch).

Anonymous

October 16, 2014

Is there a Tor Mobile App for like the Iphone? I heard you have to set up your computer as a server for your Iphone to then access Tor.

Is there any way for Tor to auto-delete if it has been compromised? Maybe someone is tracking your Tor movements and if Tor detects some kind of suspicious tracking going on, it can automatically shut itself off? That would be great for pure defensive protection!

There's basically no way for tor to know it's been compromised and even if there were Eve could experiment on the same version as the one you're running to find a way to compromise it without triggering the auto-delete.

Anonymous

October 16, 2014

Why can't you go onto the Yelp site with Tor? It keeps saying blocked. How much does that suck!

Because for every actual comment here there are ten times that many spam comments about shoes and Chinese herbs and so on. Trust me, you do not want to see the waves of spam comments.

Maybe someday we will have a blog that is open to anybody, and doesn't use any of those horrible centralized recaptcha things, and also doesn't have any spam on it. We're not there yet though, and we're focusing on developing Tor instead.

Anonymous

October 16, 2014

Thanks for your wonderful and great work!

Sure, there is no update to this 4.0 version yet; anyway, I wanted to check where to manually activate the certificate for this: »Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option.«

I could not find this option by following your description...

If you open the main menu (the rightmost icon on the toolbar) and choose "?" and then "About Tor Browser" you'll find a button you need to press first to download an update (if there is an update available at all).

Anonymous

October 16, 2014

Please answer, do you no longer maintain expert bundle? The current version is 0.2.4.23 which is older than 0.2.4.24, which is older than 0.2.5.8-rc.

Another question is, do I even have to download expert bundle to use tor stand-alone? Could I just grab the tor.exe from Tor Browser? I'm asking because they have different file sizes and there might be major differences, I even guess it might be better to do so.

There is nobody who makes them currently. I don't think there's a plan for fixing that. Maybe you should step up and help?

In the mean time, yes, I think you can just grab the Tor Browser and pull the tor.exe from it.

No. Replacing tor.exe from TBB does not work. The only way to make it work is to grab the complete directory Tor Browser\Browser\TorBrowser\Tor and run tor.exe from there.

It works on SOCKS 127.0.0.1:9050. Since there is no UI, the only way to close tor.exe is to kill the process.
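
To use that stand-alone tor.exe from your own program, the following added example (not Tor Project code, and not something the commenter posted) implements just enough of SOCKS5 (RFC 1928) to open a stream through the SOCKS port the comment above reports, 127.0.0.1:9050. The CONNECT request uses address type 0x03 (domain name) so that tor resolves the hostname inside the circuit; resolving it with the local resolver first would leak the destination via DNS. The hostnames in the usage block are assumptions; the tests run on constructed byte strings only.

```python
"""Minimal SOCKS5 client for a stand-alone tor (RFC 1928 subset).

Added example, not Tor Project code. 127.0.0.1:9050 is the SOCKS port
reported above for tor.exe from the Tor Browser directory.
"""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)

REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    """Version 5, one authentication method offered: 0x00 (none)."""
    return b"\x05\x01\x00"


def build_connect(host, port):
    """CONNECT request with ATYP 0x03 so the hostname reaches tor unresolved."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_reply(data):
    """Parse a SOCKS5 reply; return (ok, message, bytes_consumed)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 0x01:                 # IPv4 bound address
        addr_len = 4
    elif atyp == 0x04:               # IPv6 bound address
        addr_len = 16
    elif atyp == 0x03:               # domain name, length-prefixed
        if len(data) < 5:
            raise ValueError("truncated reply")
        addr_len = 1 + data[4]
    else:
        raise ValueError("unknown address type %d" % atyp)
    consumed = 4 + addr_len + 2      # header + BND.ADDR + BND.PORT
    if len(data) < consumed:
        raise ValueError("truncated reply")
    return rep == 0x00, REPLY_CODES.get(rep, "unknown reply %d" % rep), consumed


def tor_connect(host, port, socks=TOR_SOCKS, timeout=60.0):
    """Return a socket whose far end is host:port, reached through tor."""
    sock = socket.create_connection(socks, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        if sock.recv(2) != b"\x05\x00":
            raise OSError("tor did not accept no-auth SOCKS5")
        sock.sendall(build_connect(host, port))
        ok, message, _ = parse_reply(sock.recv(262))   # largest possible reply
        if not ok:
            raise OSError("SOCKS CONNECT failed: " + message)
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # check.torproject.org tells you whether the request arrived via Tor.
    with tor_connect("check.torproject.org", 80) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
        print(s.recv(4096).decode("utf-8", "replace").split("\r\n")[0])
```

Because there is no UI, the only signal that something is wrong is the reply code; a `general SOCKS server failure` typically means tor has no working circuit yet, so check the tor log before blaming the destination.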

Anonymous

October 16, 2014

Crashes 100% after logging into my favorite site, page appears to load about 80% normally:

Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0

Clean TBB 4 install. Guess I'm staying with 3.6.6 for now.

Anonymous

October 16, 2014

WOOHOO!

Anonymous

October 18, 2014

In reply to Anonymous (not verified)

seconded!

Anonymous

October 16, 2014

Can you further explain the reasons for changing NoScript's functionality?

I can be fingerprinted based on my particular NoScript policies? Is that the idea?

How does the suggested replacement reduce this risk?

They will fingerprint you the moment you activate scripts for the website. For example, if you go to https://panopticlick.eff.org/ and, having forbidden scripts globally, choose to allow the scripts and press "test me", they will have a unique fingerprint for your browser; the same goes for any website. They should not have changed the "cascade" setting in NoScript: now every script will be allowed, so not just the website you visit will be able to fingerprint you, but all the other websites, like those for comments or Facebook and Twitter, will have a unique fingerprint of your browser. You should choose on a case-by-case basis which scripts you allow for all websites, and just revoke temporary permissions before you go to a new website; don't make a whitelist. Regardless, go and check the website https://panopticlick.eff.org/ to see how unique your browser fingerprint is; hopefully it's not.

I understand that activating JavaScript opens up my browser to fingerprinting.

Unchecking the "cascade" options allows my setup to work the way I wish: only allowing the current site and blocking the rest until I temporarily allow each of them.

One interesting thing I noticed when visiting panopticlick at your suggestion is maximizing the browser is what fingerprints my browser more so than anything else. Keeping the browser the default size is best.

Perhaps resizing the browser should be disabled? : )

Anonymous

October 16, 2014

If I try to change the download folder in the Firefox options, Firefox crashes (WinXP SP3). Anyone else with this problem?

I've tried to change the path manually via "about:config", but it seems that some commands are missing. Here is my workaround for that problem...

1. Type "about:config" (without the "") in the address field of Firefox and confirm with the button that you will be careful not to break the browser (or so; I can't remember the exact words, but you'll know what I mean when you see it).

2. Type "browser.download" into the search field and look whether you have an entry called "browser.download.dir"... if so, go to the next point... if not, create a new one: right-click in an empty part of the window and choose "New", then "String". Give it the name "browser.download.dir" and, in the next part, your download location. It should look like this:

browser.download.dir - changed by user (or so, but it should not be "default") - string - C:\test

3. Double-click on "browser.download.folderList" and change its value to "2"!

4. Go into the Firefox options and choose the option to save downloads into the desired folder rather than asking every time where the download should be saved...

Now you can close Firefox and restart Tor... your desired download location will now be used for downloads... but... it will crash again if you try to change the path via the button in the Firefox options.

Anonymous

October 16, 2014

Unfortunately, I had to leave the Tor Browser Bundle. The new Firefox UI removed all usability. There is a classic theme restorer, but the Tor Project does not recommend the installation of additional extensions to the Tor Browser Bundle. Even if the Tor Project were to approve the installation of the classic theme restorer, it won't completely restore the usability level lost to the Australis interface.

Firefox has been lagging behind for years, but Australis was a step too far for me. Maybe one day sanity will return to the Firefox UI. In the meantime, the latest release of Qupzilla supports nested bookmarks (finally!). And strangest of all, Qupzilla has a sane, rational and well thought out UI. It's almost an exact duplicate of the Firefox 24 UI.

So instead of using a relatively small extension to bring Firefox mostly back to how it should be you're suggesting we use a completely different browser that almost no one uses and which hasn't even had even the most cursory auditing done to it?

Okay, so what's your alternative to Tor Browser for anonymity?

Sure, Firefox has made the not-so-great decision to try to compete with Chrome for the average user by replicating Chrome. It's a decision that kind of makes sense given Chrome's market share.
See https://en.wikipedia.org/wiki/Usage_share_of_web_browsers .

However, I'd caution against using UI as the primary factor for deciding a browser, especially for someone who has concerns that made them use Tor Browser in the first place.

Actually it's probably the wrong decision as those who want a Chrome like interface are already using Chrome, it's those who want a usable interface that they should be targeting.

Chrome's interface is usable, it's just different. Whenever you get a new user interface you get old users complaining about it, and frequently someone comes up with some addon/software to restore the old interface for the next five to ten years. It isn't really about having a usable interface; it's about people getting frustrated because they don't know how to use the new interface well. Of course, that hasn't stopped me from using the Classic Theme Restorer addon, just like I use a piece of software on my Win 7 box to restore the classic start menu.

Look, Firefox has to appeal to the general public. A web browser that appeals to only a subset of technically minded power users isn't going to get the resources (money/manpower) thrown at it to support the ever evolving web. Sure, there are web browsers around that are for that specific subset, but there are large parts of the web that they are unusable on. Even more importantly, they don't necessarily support the security features the major browsers do. For instance, forget about Lynx having certificate pinning. If it means I have less of a chance for my online banking to get hit with a MitM attack, I'll deal with a harder to use UI.

Most people don't want to clutter their screen space with unnecessary controls that they never use. For most users the simplification of the UI makes it more usable. That means they're more likely to use it. Personally, you and I and 100 other people on this blog might not like it, but the people who do like it usually don't write comments about it. Most of the people commenting on the Tor Blog tend to be power users; I don't think we can even assume they're an average cross section of tor users. We don't really have an idea what percentage of TB users dislike the UI changes as opposed to liking it, let alone vanilla Firefox.

Anonymous

October 16, 2014

Worked fine, updated, now -

Problem Event Name: APPCRASH
Application Name: firefox.exe

How do i fix it?

Looks like the Tor Browser team is now waiting for Mozilla to fix this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1088848

Options:
a) Easy Fix: Use Visual Studio
b) Wait some years until Mozilla Developers close this bug as WONTFIX
c) Release a new TBB 4.0.1 with "media.directshow.enabled" workaround

If (a) is selected you may also fix this unreported bug on CPUs with no CMOV instruction:
https://blog.torproject.org/blog/tor-browser-353-released#comment-54924

Perhaps you can learn from the QupZilla devs. From the history of the QupZilla browser:
The Windows version of QupZilla was compiled using MingW, but due to a huge problem with Flash, it is now compiled with Microsoft Visual C++ Compiler 2008
https://github.com/QupZilla/qupzilla

I believe 'c' is the current plan.

Visual studio is not at all the easy fix, because they would be throwing away all the reproducible build features, and I assume it will be approximately forever until visual studio can do that. So that tradeoff sure doesn't sound worth it to me.

Anonymous

October 16, 2014

I just downloaded the Tor Browser from this site and when I ran it my Norton Security from Comcast told me that this file has a bad reputation and could be dangerous. I'm just wondering if anyone else had the same problem. Thanks

Anonymous

October 16, 2014

Hey,
Certificates related to China's Internet, e.g. the China Internet Network Information Center EV Certificates Root, CNNIC ROOT and the Entrust.net Secure Server Certification Authority, can't be forbidden or deleted in TBB 4.0. WHY?????? It's said that those certificates are dangerous when accessing some websites.
Thanks for comments.