Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users that are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still on-going.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek's performance to match other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32-bit OSX bundles very soon. If you are still using 32-bit OSX 10.6, you will soon need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Become a Tor advocate! Go out and tell people why Tor is important, how it's protecting our eroding freedoms, and how it's not about scary people wearing masks or people talking about dark webs.

That's a great suggestion! And rest assured that in fact I am already doing as much as my schedule allows me to, even making compromises in terms of getting no rest when I absolutely should. With my closest friends and family, I have found it OK to do that.

But even with them - being what I consider intelligent, open minded and capable individuals - it has been so ridiculously difficult to get the point across.
You probably know people with whom you can communicate in ways where there is no need for even using words to do so. And in my world even under said circumstances I have been met with resistance and lazy excuses. They say things like "I like what I am used to." "My day has been long enough already, I have no patience for this right now". Well, at least they are starting to see it, but very very slowly. And I will never ever give up. Because I care for them.

Another issue causing the above mentioned problem of having too little time is a result of the fact that I work in a profession which is very demanding on one's spirit, where it is an absolute must that you prioritize and take good care of yourself lest it tears your soul apart and breaks you. It doesn't pay too well either, but money is a sick joke anyway so I don't mind all that much. I am very happy to be able to do what I do, because it is spiritually fulfilling.

But as you can probably relate: Being passionate about things is a bit difficult because you can only do so much in one day. Oftentimes I reflect on days passed and gone, wishing I had done more. I will keep doing whatever I can.

Humanity can't resist being reasoned with forever, or can it? ;)

Anonymous

October 18, 2014


After downloading and extracting the tarball, I was "treated" to the following:

- my bookmarks: gone;
- my browser configuration: gone;
- Pentadactyl's configuration: gone.

Antics like the ones you pulled with this release give the whole OSS movement a bad name.

At the very least, you should have changed the name of the directory that the tarball extracts to. If you really wanted to do something professional, instead, you should have included a first-run script to move the user's old stuff to the new, horribly redundant, directory hierarchy.

Be ashamed.

From this very blog entry:
This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work.
Maybe you'll learn to read release notes next time.

The blog post suggests that you don't try to install over a preexisting install. In fact, that was never a supported feature in the first place. Don't go complaining about what an installer does when you just skim through the installer and don't pay attention to its warnings.

see - other OSes use the "extract it and run" approach. WHY do you need an installer in the first place? Its primary purpose is to add stuff in places not accessible by users for auditing etc.

No, the primary purpose of the installer is because too many users were clicking 'run' rather than 'save' back when Tor Browser was a zip, and then when they closed the browser, they couldn't find it on their system anymore (since it never got there in the first place) and ended up confused.

We thought a simple zip was the much better solution too, until we actually watched users try to use it.

It might still be a good idea to have a simple .zip lying around for more advanced users (but can a Windows or Mac user even be called advanced?) on the View All Downloads page.

May also be easier for those who need to run tor from removable media.

I'm sure your old files are still there; the new browser uses a new directory structure, so that's why you cannot see your old profile in the new browser.

Anonymous

October 18, 2014


Can't install Tor 4.0. AVG pops up with message that the install file is malware. The file is too big for AVG to work with so it crashes my computer. Windows 7 64 operating system. Tor 3.6.6 works OK.

Anonymous

October 18, 2014


How do I download the .asc for verification? Every time I click the link, the .asc file is opened in a tab in the browser, rather than prompting me to download.

You could right click on the link and then "save link as". Or copy the link location and use a command line tool like wget to fetch the signature file you need. The possibilities are plentiful. Don't give up trying so soon :)

It probably depends on your browser. In my Firefox, I right-click and choose 'save link as'.

(But to be fair, actually I right click and choose "Copy Link Location" and then paste the URL into wget. But again, it depends how you like downloading things.)
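The release notes above recommend verifying GPG signatures, and the replies suggest fetching the .asc with wget. The script below is an added example, not Tor Project code: it fetches the detached signature and checks not only that gpg accepts it but that the signing key has the expected fingerprint, since `gpg --verify` exits 0 for any key in the keyring. It assumes wget and gpg are installed, the signing key is already imported, and EXPECTED_FPR is replaced with the real fingerprint obtained out of band (the value below is a placeholder).

```shell
#!/bin/sh
# Added example (not Tor Project code): fetch the detached .asc next to a
# Tor Browser download and verify it against an expected key fingerprint.
# Assumptions: wget and gpg are installed and the signing key is imported.
# EXPECTED_FPR is a placeholder, not a real fingerprint; replace it with the
# fingerprint of the Tor Browser signing key, obtained out of band.

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# fetch_sig URL: save URL.asc into the current directory beside the tarball.
fetch_sig() {
  wget -q "$1.asc" -O "$(basename "$1").asc"
}

# signed_by STATUS_TEXT FPR: succeed only if a VALIDSIG status line names FPR,
# either as the signing (sub)key fingerprint (first field) or as the primary
# key fingerprint (last field). The exit code of "gpg --verify" alone does not
# prove WHO signed the file, only that some key in the keyring did.
signed_by() {
  printf '%s\n' "$1" | grep -qE "^\[GNUPG:\] VALIDSIG ($2 |.* $2\$)"
}

# verify_tarball FILE: check FILE.asc against FILE using gpg's machine-readable
# --status-fd output, then require the expected fingerprint.
verify_tarball() {
  status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
  signed_by "$status" "$EXPECTED_FPR"
}

# Usage (URL and file name are whatever you downloaded from the dist directory):
#   fetch_sig "https://www.torproject.org/dist/torbrowser/4.0/<tarball>" \
#     && verify_tarball "<tarball>" && echo "signature OK"
```

A fingerprint that is only a prefix of the real one is rejected, because the pattern requires the full fingerprint to be followed by a space or end of line.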

Anonymous

October 18, 2014


I've downloaded the new version, but when I click on "Start Tor Browser" nothing happens. Nothing at all. This means I cannot access Tor anymore, because I deleted the older version.

Anonymous

October 18, 2014


Hi,

I would like to run Tor on my Debian Wheezy to help the project.
Maybe this is a stupid question, but is there a way to split the internet connection and have a browser working through TOR and other stuff through my regular internet connection? Because I want to stream videos, for example, and the speed is not that good for streaming through TOR, or use social media and not get warnings because my account looks like it is accessed from various IP addresses from all over the world.

Looking forward to some recommendations and/or documentation.

Thanks

You can do three things:

A) apt-get install tor and then edit /etc/tor/torrc to become a relay or a bridge. That way you'll be contributing bandwidth to the Tor network. For much more detailed instructions, see
https://www.torproject.org/docs/tor-relay-debian

B) Run the Tor Browser, and use it when you want safety for your web connections.

C) Use some other browser or other application when you don't want safety for your Internet activity.

You can do all three of these at the same time. Just running Tor Browser doesn't magically push all your traffic through it.

Hope that helps!
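A minimal /etc/tor/torrc for step A on a Debian host, as an added example that is not from the Tor Project's relay guide linked above. Nickname and ContactInfo are placeholders; the bridge variant is shown commented out at the end.

```conf
## Added example torrc for a host that contributes bandwidth (step A above).
## Placeholders: replace Nickname and ContactInfo before starting the daemon.

## Listen for relay connections; open this port in your firewall.
ORPort 9001

## Placeholder nickname (letters and digits only) and contact address so the
## directory authorities can reach you about problems with the relay.
Nickname ExampleRelayName
ContactInfo relay-admin@example.invalid

## Non-exit relay: no client traffic leaves the Tor network from this host,
## so this IP address is never seen as the source of other people's browsing.
ExitPolicy reject *:*

## Cap the relay so your own streaming and social media (step C, outside Tor)
## still have bandwidth; the relay will not saturate the uplink.
RelayBandwidthRate 1 MBytes
RelayBandwidthBurst 2 MBytes

## This daemon only relays. Tor Browser (step B) ships its own tor client, so
## disable the local SOCKS listener to avoid confusion about which tor a given
## application is using.
SocksPort 0

## Bridge instead of public relay: uncomment these two lines and keep the rest.
## The relay is then handed out to censored users instead of being listed in
## the public directory.
#BridgeRelay 1
#PublishServerDescriptor bridge
```

After editing, restart the daemon with `service tor restart` on Wheezy and watch /var/log/tor/log for the "Self-testing indicates your ORPort is reachable" line before assuming the relay is contributing.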

Thank God someone is funding Tor; without the US gov you wouldn't have it. And btw the US gov does NOT want Tor broken, this is one tool they wouldn't give up because they use it too, and they use it the most.

I was with you until that last part. They use it the most? We have millions of daily users at this point -- it seems unlikely that any single group is a substantial fraction of that number. And that's important to its security, since the diversity of users is part of what makes it ok to be a Tor user.

Anonymous

October 18, 2014


Upgrading from v4.0.3 alpha and trying to get the autoupdate triggered. Sometimes it starts. But the last time it started my circuit broke and when I restarted TBB, I could not retrigger it. Has anyone determined the Secret Link that will restart it?

Go to "Help -> About Tor Browser" and then check for updates.

Also, I think the Tor Browser team disabled some of the "automatically notice and start fetching updates" features in 4.0-alpha-3, since they wanted to reduce the number of surprises for the alpha testers. So it's possible it will become smoother than what you're experiencing with mainstream 4.0 over time.

Anonymous

October 18, 2014


Tor Browser 4.0 will not start on Win 8.1 if Trusteer Rapport is installed on the PC.
I had to uninstall Trusteer Rapport to run Tor.

Anonymous

October 18, 2014


The post about the conflict with Trusteer Rapport appears right! I am pleased to report that I am now able to use Tor 4.0 on Windows Vista SP2 after disabling Trusteer Rapport.

To disable it, make sure Firefox is closed, then go to: Start menu > All Programs > Trusteer Endpoint Protection > Stop Trusteer Endpoint Protection.

Anonymous

October 18, 2014


Under NoScript Options-->Advanced tab-->HTTPS tab-->Permissions tab

Why isn't the default under "Forbid active web content unless it comes from a secure (HTTPS) connection" left on "When using a proxy (recommended for use with tor)", and instead left on "Never"? The more secure default would seem to be "Always" (forbid active web content), followed by the tor-specific setting. Could you please clarify why active web content is never forbidden in the default NoScript configuration?

Thanks, I've been following 9387 for a while now.

I'm still curious if you have any specific thoughts in response to my question. My impression as someone outside the dev team is that some of these decisions have not been made and/or translated into shipping releases in some cases.

"Websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity."

Could you explain that or link-reference?

Thanks

Anonymous

October 18, 2014


I get the waiting for moderation thing! But 4.0 is broken! Reset to the old version, then diagnose the new, but get the old version back online! This is frustrating!

I feel sorry for those who work on TOR. They work hard on trying to help keep us safe on the Internet but then get showered with complaints. Making bug fix suggestions is fine, but please, people, bear in mind this software is free unless you contribute. So please keep the complaints non-personal unless you want the developers to say "oh screw this, I am out of it" and we lose a valuable resource. I am certain the NSA and others would love to scoop it up, paying new developers highly so they can find out what we are all up to. TOR 4 needs a rebuild for sure, but I will go back to 3.6.6 until the developers can fix things.

Me

Anonymous

October 19, 2014


Guys & Girls - TOR we have a big problem. (java script Exploit problem)

This means one thing: stop using Firefox 31.2.0 fucking now.

Or disable java script fully, and get the flash plugin out of the system folder so that TOR-Browser does not try to enumerate it and then disable it; just don't let it find it.

(put it for normal operation in local plugin folder of your clearnet browser)

Because getting 404 (see below) from tor-4.0 download page this means somebody might have recognized the problem and tries to stop it from spreading.

What's whacky and no information about this error:

1.) Firefox 31.2.0-ESR has a "security problem" when certain java script tries to call the flash plugin it has something to do with a video class declared.

Keep in mind the plugin is disabled.

It crashes the browser. I could replicate it with the non-tor version of Firefox 31.2.0 ESR on the source, and you can use it for a heap spraying attack; I analyzed that code and it did not, it was just accidentally triggering the hole.

2.) https://tor.eff.org/dist/torbrowser/4.0/torbrowser-install-4.0_en-US.exe

I tried to download tor-4.0 again and got a "404 Not Found", through tor and through clearnet.

Given that Tor Browser doesn't ship with adobe flash anyways, and in order to get it to work with flash you need to do some technical manipulation, adobe flash exploits really aren't something to be concerned about.
Also, writing javascript as "java script" suggests, although it does not prove, that you don't understand exactly what javascript is. It's like using "java" and "javascript" interchangeably.
On a similar note, there's a difference between the versions of Tor Browser and Tor. Tor Browser is the one at 4.0, Tor is in the 0.2.5.x versions. You're not the only one to make that mistake, and it might be a minor one but it makes you come off as not knowing what you're talking about.

Anonymous

October 19, 2014


“One document provided by Snowden included an internal exchange among NSA hackers in which one of them said the agency’s Remote Operations Center was capable of targeting anyone who visited an al-Qaeda Web site using Tor.”

If it is true, it isn't restricted to al-Qaeda Web sites. Is it just the worst case? It is very devious, the CIA invented al-Qaeda, so these websites are honeypots. So the CIA will protect al-Qaeda, rather than terminate it. Devious!

De-cloaking Tor users doesn’t necessarily require a federal budget either. According to a couple of researchers slated to speak at Black Hat in a few weeks[ix]:

“In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months. The total investment cost? Just under $3,000.”

Is this still to be considered?

http://www.counterpunch.org/2014/07/18/the-nsa-wants-you-to-trust-tor-s…

What they meant by "targeting" was that they'd put their intercept boxes on the Internet near the target website, and then look for web requests going to it and inject attacks that would break into the web browser of users who visit the website. This sort of attack doesn't care whether the user is routing their traffic over Tor, since it's about attacking the endpoint. For more details see
https://blog.torproject.org/blog/yes-we-know-about-guardian-article
and
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-networ…

As for the Black Hat thing, see
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traf…

“One document provided by Snowden included an internal exchange among NSA hackers in which one of them said the agency’s Remote Operations Center was capable of targeting anyone who visited an al-Qaeda Web site using ___Tor____.”
Am I reading right? And why push unready browser with suspicious settings?

You're not quite reading it right. Or rather, they intentionally wrote it poorly so you would end up not reading it right. :(

It means they can target anybody visiting the website, including people using Tor.

Now, mind you they could also specifically only try to attack people using Tor. That would be straightforward to do -- you watch the website for connections coming in, and then you check each IP address to see if it's a Tor exit relay, and if it is, you inject something into the response that tries to break into the user's web browser.

This passage exists in Washington Post also. Nevertheless, new buggy browser will be much help, is it not? And up-to-date tor exit lists are available in wild net.
Funny, did anybody see such official up-to-date lists with nsa addresses?

Roger, these are all fair comments, but I think the issue the OP was pointing out was that if TBB users can be exploited using Firefox 0days in this way when reading things that are interesting to intelligence agencies, that probably means attackers can also inject from elsewhere to infect anyone using TBB, and we may never know if 5 or 50% or all of TBB users can be or will be exploited by intelligence agencies or some other adversary.

I agree that this doesn't really mean that Tor is broken, but if people using your tools can still get owned because of upstream problems, they're still going to get owned and will still be concerned even if their concerns are misplaced.

I would encourage the OP to consider using TAILS from a connection not linkable to them while taking multiple other steps to ensure operational security if they're concerned about these types of attacks.