Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users who are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still ongoing.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note, though, that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.
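
As an added illustration (not code from Tor Browser or its updater), the two planned defenses named above can be sketched in Node.js: a site-specific public-key pin and a package signature check, each of which rejects the update even if some CA issues a certificate for the site to another key holder. All keys, package bytes and function names are constructed for this example.

```javascript
// Added illustration, not Tor Browser's updater code. All keys and package
// bytes are constructed in demo(); function names are hypothetical.
const crypto = require('crypto');

// Pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
function spkiPin(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('base64');
}

// Site-specific pinning: applied on top of normal chain validation, so a
// certificate carrying any other key is refused even if a trusted CA signed it.
function pinMatches(peerPublicKey, pins) {
  return pins.has(spkiPin(peerPublicKey));
}

// Package signature: detached Ed25519 signature checked against a key that
// ships inside the browser, independent of the download channel.
function signatureValid(pkg, signature, signingKey) {
  return crypto.verify(null, pkg, signingKey, signature);
}

// Fail closed: both checks must pass before an update is applied.
function checkUpdate(download, trust) {
  if (!pinMatches(download.peerKey, trust.pins)) {
    return 'reject: unpinned server key';
  }
  if (!signatureValid(download.pkg, download.signature, trust.signingKey)) {
    return 'reject: bad package signature';
  }
  return 'install';
}

function demo() {
  const ec = { namedCurve: 'prime256v1' };
  const site = crypto.generateKeyPairSync('ec', ec);     // real server key
  const other = crypto.generateKeyPairSync('ec', ec);    // key in a mis-issued cert
  const signer = crypto.generateKeyPairSync('ed25519');  // release signing key
  const trust = {
    pins: new Set([spkiPin(site.publicKey)]),
    signingKey: signer.publicKey,
  };
  const pkg = Buffer.from('constructed update package v4.0');
  const signature = crypto.sign(null, pkg, signer.privateKey);
  const altered = Buffer.concat([pkg, Buffer.from(' (altered in transit)')]);
  return {
    genuine: checkUpdate({ peerKey: site.publicKey, pkg, signature }, trust),
    misissued: checkUpdate({ peerKey: other.publicKey, pkg, signature }, trust),
    altered: checkUpdate({ peerKey: site.publicKey, pkg: altered, signature }, trust),
  };
}

console.log(demo());
```
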

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

October 17, 2014

Permalink

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: 1a2a
Additional Information 4: 1a2aa8e38ac8adbb6fe1e594fa623c2e

Every time I'm on Facebook this will happen and I have to close Tor and restart it again; this is happening every time the news feed pops out alerting me about my friends' activity... I have no idea what I should do, I had no problem with other Tor versions and this is surprising...

Anonymous

October 17, 2014

Permalink

Hi, this new version sucks, keeps crashing on me...
Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: 1a2a
Additional Information 4: 1a2aa8e38ac8adbb6fe1e594fa623c2e

Anonymous

October 17, 2014

Permalink

Awful update!
New FF is lame and broken Chrome, based on Chromium.
U'd better make good Tor Bundle w/o f*cking chrome-based FF and teach ppl how to configure any Chromium-based browsers (Chrome, FF, Opera).
U sold urself to the wrong browser.

Firefox isn't based on Chromium, the new UI was just designed to look like Chrome; there are significant differences in the internals. There is the unfortunate choice of "chrome" as a pseudo protocol to access browser internals, but that actually predates the Google Chrome browser. As for using any Chromium-based browser with tor, I remember reading that Chromium doesn't handle certificates in a way that works well with tor and can break anonymity. If you really need to use a Chromium-based browser with tor, you probably should use an isolating proxy.

Also, while Opera uses the Blink layout engine which is part of Chromium, it isn't based on Chromium as a whole like Google Chrome is. Google Chrome is pretty much just repackaged Chromium with a few additional nonfree components. Like Flash.

Anonymous

October 17, 2014

Permalink

Hi, this version can't delete the "CNNIC" certificate, how to delete it? Thanks very much!

Anonymous

October 17, 2014

Permalink

Certificates about China Internet, e.g. China Internet Network Information Center EV Certificates Root, CNNIC ROOT and Entrust.net Secure Server Certification Authority, can't be forbidden or deleted in TBB 4.0, WHY?????? It's said that those certificates are dangerous while accessing some websites.

I thought it sent them to the EFF (a non-profit committed to privacy), and it can do it over tor (hopefully it gives the ASN on the exit node you use, if not just make sure to uncheck the part about telling them what ISP you're using).

Anonymous

October 17, 2014

Permalink

Why do you not establish a hidden service (or multiple of them) to update TBB? That doesn't rely on any CA.

Anonymous

October 17, 2014

Permalink

Hi, I don't know if anyone is using Vidalia, Tor Bandwidth Usage is always 0 when it is listening to TBB 4.0 with meek-azure. I want to know why and how to view your rate TBB produced and delete the nodes.

Anonymous

October 17, 2014

Permalink

I would like to thank the developers of TOR for the hard work and the steady improvement of security. But I also have to say that the foundation of TB (means: Firefox) is getting worse by every update (of FF). The continual integration of features like WebGL, social media APIs, codecs and removal of the ability to turn off JavaScript by menu should give food for thought. Plus, the new Australis UI is really dreadful. Dumbing down everything IS NOT EQUALS improving usability. Just because everything is round, not everything is more beautiful. And c'mon... Burger menu... If I want a burger Menu, I choose Chrome or go to McDonald's ;-).
But like said. This is not critique to the TOR developers. But maybe they should think about the future of FF. Just my 2 cents.

There doesn't seem to be much in the way of other options, though NoScript can at least kill WebGL and audio/video and plugins are blocked.

Classic Theme Restorer works well enough, something other than Firefox might be nice but what?

It is not the problem of the ability to disable. But the decision to remove the option from the FF menu is very questionable. Why? If people turn off JavaScript, web pages are not working properly anymore? So what! Why remove a well known feature from the menu and keep the functionality to turn on/off JavaScript in the back end anyway?
And there are plans to get rid of addons. This is definitely not the reason why I switched to FF years ago.

I think FF devs rightfully think that the ppl who disable FF from the menu are the same ppl who will know how to disable it, with the same level of ease, from about:config.

on one level this appears to make sense, but in my opinion does not hold up at all once you start looking through all the other even-more-obscure options they've left UI-visible.

it's quite telling that mozilla's pages telling you about their commitment to your privacy drop google analytics on you..

While Firefox devs may make a number of bad decisions the problem with suggesting TB switch to a different browser is there needs to be a better alternative out there that more than just power users can use.

That is indeed true.
To say "make a fork of FF" seems to be easier said than done.
Creating an own fork: Enough resources to maintain TOR and the fork?
Using an existing FF fork like Palemoon: I don't know.
Chrome: The same problem like FF.
Opera: Open enough?
Konqueror: Usable and platform independent enough?
Safari: LOL.
IE: No comment...
Yeah, and we are back to square one. Really a quandary...

Palemoon might be the closest though they branched it to MPL only as far as I can tell (tor project would probably want dual licensing) and there's no macintoy version.

Realistically only Gecko based browsers are likely to have the API hooks needed without lots of extra work.

Anonymous

October 17, 2014

Permalink

linux64, gets stuck at loading -- 85% bootstrap, trying to establish first hop connection but nothing happens.
3.6.6 works fine.

Any idea what is the issue?

Anonymous

October 17, 2014

Permalink

After installing 4.0, Tor keeps telling me that something went wrong when I start it up. What's the chance anyone has ideas to fix this, please? Used Tor for a while now and never had a problem.

Anonymous

October 17, 2014

Permalink

Won't work. Downloaded, installed, won't open. Very frustrating indeed.

Anonymous

October 17, 2014

Permalink

Hello.
I used not to be able to play mp4 files in the tor browser (because the browser couldn't support natively mp4 codecs) but with the new 4.0 version it can. Before it used to just give me the option to download the file, now it plays. Is it intentional, and how can I choose to download the file? Instead of playing the video, how can I download it? Thanks.

Interestingly, I used to be able to play mp3s in 3.6.6 and earlier, but now I can't.
The browser crashes every time and notes an issue with "xul.dll"

It took a lot of headache for me to get mp4 videos to work after awhile, but I'm not even sure how that happened. The modified preferences don't seem to have anything to do with video or mpeg.

is this related to the following? re:concerns about vulnerabilities

https://trac.torproject.org/projects/tor/ticket/12212

thanks

In theory Tor Browser shouldn't play any videos other than WebM and OGG. That's because Firefox only has native support for those codecs/formats. If you play them, that's because Tor Browser is getting plugins from the system (which might be leaking sensitive information) or that Firefox has new native support for those formats (mp4 and such).
I don't know if the new version of firefox has such support.

I have finally discovered what caused Tor Browser Bundle to now be able to play mp4 files. It's because the new firefox has the ability to use gstreamer plugins (if installed in your system) to play the h264 codecs. Which makes me ask: is it safe?? Or can gstreamer plugins leak any sensitive information (like DNS requests)??
I have found a workaround to this: you just go to "about:config" and search for "media.gstreamer.enabled" and set it to false. At least it prevents gstreamer from being loaded into the browser. HOWEVER IT MIGHT CAUSE FINGERPRINTING PROBLEMS, BECAUSE YOUR BROWSER WILL ACTUALLY LOAD ANY VIDEO INSIDE A WEBPAGE WHICH IS DIFFERENT BEHAVIOR FROM VANILLA TOR BROWSER BUNDLE! USE AT YOUR OWN RISK! I will open a bug concerning this.

Anonymous

October 17, 2014

Permalink

about:downloads is not on the NoScript whitelist causing any downloads not to update in that tab until manually reloaded (unless you have JS enabled).

Anonymous

October 17, 2014

Permalink

Why is it a good idea to include Firefox Sync? I'm sure it can be used in a secure way but it just doesn't feel right.

Firefox Sync CANNOT be used in a secure and private way because it is designed in a way to collect information. Please stop considering Mozilla Firefox to be "secure" and "cares about your privacy" because it's not, there are basic security features that are still missing from it, out of mere neglect, carelessness, and hypocrisy (e.g. sandboxing)

Anonymous

October 17, 2014

Permalink

After this fix, I'm unable to move the "Refresh" button to its normal spot, next to the back button. This is where it is in every other browser I use, so it's where I click without thinking. What is the security enhancement provided by locking the refresh button to the right of the address bar and taking away the ability to move it where I want?

Please don't suggest installing addons without mentioning that they may open users up to security flaws or deanonymization attacks.

Anonymous

October 17, 2014

Permalink

Me here, using pluggable transport. The TorBrowser 4.0 is running very well, but three certificates such as China Internet Network Information Center EV Certificates Root / CNNIC ROOT / Entrust.net Secure Server Certification Authority can't be forbidden.

Anonymous

October 17, 2014

Permalink

Thank you for this great update. I love this interface and have been happy while using it with Firefox.

I just had one question, can I use Disconnect and privacy badger (from EFF) with tor browser?

Please do not discourage users from layering on additional security & privacy settings without any rhyme or reason. The primary reason it makes one "easier to track" is because everyone is discouraged from using things like the EFF's privacy badger. If people were free to decide their level of security for themselves, there would be the "it's that one person who uses Tor Browser Bundle with PB and Disconnect" risk, as there would be more people who had this setup. Furthermore Privacy Badger will change over time, so the first time you go to a site it may block different things than subsequent visits. Accounting for this in tracking software is non-trivial to say the least.

So I say, go ahead and install them if you want. You should realize that since you will not be requesting certain things (as that's the entire purpose of PB), and so a site could identify that it was the same person visiting the site multiple times, however if you're logging in with a pseudonym then this is of no concern as there's no more risk than without PB.

Simple and accurate answer: It depends on your security goals.

If you're just trying to hide your location and remain pseudonymous, then it's fine.

If you're attempting to avoid being identified as the same user with multiple visits to the same site, then it's possible that it's a bad idea. While I may be confident that the gains of PB will outweigh the negative side effects, that's for each person to decide.

Anonymous

October 18, 2014

Permalink

When using Tor Browser 4.0, it asks me to contact system administrator. It said it is blocked because of the system settings.
Kindly guide.
PS:I can use earlier version of tor though.

The exact lines are:
This operations has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
I have installed it on the system in new directory.
Please answer..

Anonymous

October 18, 2014

Permalink

First things first:
Huge thanks, hugs and love etc. for all the work you have done for us so far! For me personally, the TBB has been running flawlessly ever since I've started using it.
While I feel a bit dickish for adding to what I feel is more than enough clueless individuals complaining without trying to figure things out themselves, the following two things must be mentioned:

1. This Australis abomination needs to GTFO. Please make it stop if you can find the time to do it. Might have been mentioned before, will try to figure it out myself. But I wouldn't wanna mess up anything relevant to TBB's security features. It just hurts the eyes extremely bad, as I find overly round edges distasteful to say the least ;(
But enough crying and taking things for granted which clearly aren't.

2. This one might actually be relevant: on a non-Windows machine, I've been seeing error messages related to NoScript overlay. Occurs when using TorButton to acquire New Identity. Will look into it more, maybe file bug report properly if it's a thing...

Yes that's the "thing" I was referring to.

Found it in mere minutes after posting and consequently hung my head in shame for 8 nanoseconds (rough estimate, but close enough).

Ultimately, however, I had a good chuckle: partly due to the fact that I could have easily found the answer before wasting valuable time and resources, but mostly because the bug number appeared even more odd considering my short bout of having "the stupids and lazies" spoke quite the contrary.

But what does 1337 even mean here on the internet in times when once "established" and "respectable" printed newspapers, you could even say most media in general, consider the term "selfie" to be an actual word. In my opinion this neologism has taken the ongoing abuse of language way too far.

Oh well. Silly ranting about unimportant matters doesn't change shit, but what can you say in times like these, which are clearly governmentally insane, when fellow humans are confusing electronics-store openings with religious ceremonies.
I guess it all somehow fits the picture in the weirdest possible way. Something's off...feels wrong.

So in addition to the huge respect I already have for your tireless work and dedication, which is already saving many people's lives and freedom,
I thank you for your patience and for taking the time to reply to my post.

But also know that the Tor Project's work has helped me personally a great deal in terms of keeping my sanity and not giving up hope for some positive change. Love ya'll.