Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users that are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still on-going.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note though that we still need to improve meek's performance to match other transports, though. so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Udate fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Udate fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

but ... nobody can. just clicking on website page can not lead to steps like
- download and install virtualizer (like VirtualBox)
- create/download vm image with the user's version of Windows
- put tbb into this image and make snapshot (or use immutable image)
- start vm-windows-tbb in seamless windows mode, with shared folders etc.
- etc.
AND all this while showing just 'downloading xx%' to the user for not frighting him/her.
"you must be aware of the incredible stupidity of that class"

Anonymous

October 19, 2014

Permalink

I too have the same problem with Tor 4.0 on Win 7.
Tor crashes with Gmail for login. Login is successful, but Tor crashes completely in about 10 seconds. The google asks while logging in that it will install some image to identify to computer every time I login.. If I say no,, next ten seconds it crashes.. 2nd time I tried from VMware machine installing TOR 4.. n clicked yes some kinds image from google.. it allowed with out crash .. SH**T Google wants to recognize us..

Tor pp.. please find the solution for this..

Tor 4.0 on Win Vista crashes shortly after opening Gmail ( some 10 seconds after) as other users with different OS have reported.

Previous version of TOR still works fine on my Vista.

Any reason ?

Any solution ?

Thanks !

Anonymous

October 19, 2014

Permalink

Tails and the Torbrowser suffer of a common bug.
It is possible using javascripts to connect to other computers in the LAN, including (for the Torbrowser) with 127.0.0.1 that might host a local website. A connection to 192.168.0.1 or 192.168.1.1 might find out the version of an installed home router and send it via Tor to a hidden service or anyway to a remote website. Exploiting the common bugged home routers it's possible to access, without password requests, to a page that contains the public IP address of the modem and sent the page's content out.
It's generally possible to access a resource located on the LAN using img src="..." without javascript, but likely to no usefulness in this case.
The surprise comes with Tails however. Because it was a surprise as it was noted that it had suffered from the same vulnerability. It won't protect against this vulnerability.
Believe me or not. Here in Germany we have already successfully exploited that bug several months ago in a targeted attack... getting the IP from NETGEAR routers bypassing the password request. I tested the javascript exploit myself, it connected via javascript with [geshifilter-code]http://192.168.0.1/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+…] to get the IP from the testing modem i had been given (a NETGEAR router) skipping the HTTP Basic authorization request and later sent the Ip via AJAX to a server i won't say.
The exploit works with and without Tor (with or without the Torbrowser and Tails -- no difference). In many cases it could be used to steal the configuration file of the modem that contains the ADSL credentials, so that it's a dangerous attack also for the normal everyday's clear Net users.
One more thing, it's very likely for all NETGEAR modems to be backdoored; or using our own language "misconfigured".

Tor Browser removes all the entries from "no proxy for", so it shouldn't let you make any non-Torified connections, including to 127.0.0.1 or to 192.168.1.1, even if you allow JavaScript. If you can make it do one anyway, please open a ticket at
https://bugs.torproject.org/

I don't know about Tails, but I hope they use Tor Browser's settings here too. If they don't, please open a ticket for Tails:
https://tails.boum.org/doc/first_steps/bug_reporting/index

(To be clear, does your attack involve breaking into the browser and then inducing it to bypass the 'no proxy for' settings? Or just giving it some normal javascript to run or img links to load?)

The Tor user got a private message with a link. The link had to be safe in appearance pointing to a Tor hidden service. However the HTML of the page deployed the javascript that worked deanonymizing the Tor user. At all meetings javascript was always referred as the most prominent vehicle of exploits against the Torbrowser, as it's the easiest and only way to execute an arbitrary program client-side.
I suggest never to reveal details about the used hardware and to keep javascript disabled while surfing in Internet in general.

I'm still using the Tor Browser 3.6.6 (debian amd64) and i can confirm you that i am able to connect with hosts in the LAN. I don't know about the version for Windows and this fucked Chrome Tor 4.0.
I checked Tails and the same is possible with cUrl as root and with Firefox as normal user. For the record looking at "no proxy for" it says: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Misconfigurations?

Obviously not!

If iptables were configure properly, you could use it to prevent the root user to access the clearnet.
At least not to allow system programs and a user logged as root to mistakenly access the internet.
The root user can reconfigure iptables, but this requires a step more that isnt required at the moment. An exploit could force a program running as root to connect with an arbitrary host without being able to execute code remotely to disable iptables.

Better safe than sorry. Not for Tails. Tails is configured like shit. The link you posted proves what im saying.

Tails is designed to be dummy-proof system used without logging in as root, many of the unique features of Tails are expicitly tampered by using the root user, e.g. accessing hard drives. The idea is that even if some malware manages to take control of the amnesia user, it still cannot identify him (unless he used the persistent volume and kept there identifying info) and cannot harm the machine.

So the optional and unrecommended root user is there for highly competent users, those that would know and understand the iptables configuration and how to change it to their satisfaction.

Anonymous

October 19, 2014

Permalink

GTK:

Can you PLEASE make an announcement about the now broken (err...'better') UI for this TB release?!

As you can see, LOTS of users are confused and not happy about the change. Can you please update your blog post to make comments about this? Maybe link to the Mozilla web page explaining the change?
https://support.mozilla.org/en-US/questions/997275

I'm pretty surprised Tor didn't think this would upset users. I realize it's not Tor's fault, but you should at least make your users aware of what happened and what their options are (e.g. show Menu Bar, or the various add-ons like "Classic Theme Restorer" (note someone mentioned it changes window size by 1 pixel) or "The Addon Bar (Restored)").

i would suggest that upon updating, auto-loading a static page with the changelog (like noscript does except static/local) would be a good opportunity for communicating these types of changes to users

Anonymous

October 19, 2014

Permalink

To all readers:

The Tor Projects concern with NoScirpt's sub-script feature seems to be their assumption that ALL users use white-lists. Well, just don't use a white-list ;-)

Simply use temporary allow ONLY.

I for one will NOT allow Google Analytics to run, ever.

Not entirely; their concern lies more with the fact that allowing some javascript but not others to run is detectable. The selection you make for which scripts to run or not run is more information for fingerprinting, as there are ways to tell if some javascript but not all is blocked. Temporarily allow doesn't fix the issue because you're likely to Temporarily allow the same list of sites in future sessions, making it easier to link those sessions. To make matters worse, if you use similar settings on your clearnet browsing, it could be used to give a tentative identification!

I doubt more so than allowing GA to run, and other things like that.

Also, I doubt most people visit the same site with Tor as they do without Tor...

Tor isn't just used by power users. Tor Browser is targeted towards the general population who may not necessarily have the greatest understanding what threatens online anonymity. Personally, I make sure to use different browsing habits through Tor than I do without Tor, but that doesn't mean that I don't inevitably have some sites that I end up visiting both with Tor and without Tor. Of course I make sure to use them differently and they're all high traffic sites.
What you have to realize is that the average person doesn't have the education in Privacy/Data Correlation/etc to make use of Tor without shooting themselves in the foot. This doesn't mean that they don't have a need for anonymity; they may live in regions or countries that are repressive, and I mean worse than the NSA. The goal of Tor Browser is to make many of the common mistakes hard to accomplish compared to the earlier usage of Vidalia, etc. If you listen to some of the stories about teaching people how to use Tor, they really do treat it like they would any other web browsing experience. These are still people who have a need for Tor; in fact they probably have a greater need for Tor than the average person debating on Tor's blog. They just don't have that voice here.

Add this to your torrc:

MapAddress www.google-analytics.com 127.0.0.1
MapAddress ssl.google-analytics.com 127.0.0.1

Requests are redirected to localhost. Problem solved. Google Anal-Ytics is blocked.

But there are other surveillance servers out there. Log your requests on pageload and add them to torrc.

Anonymous

October 19, 2014

Permalink

Hi. I have a problem with TOR 4, after a few minutes of use, Firefox 31.2.0.0 I think, crashes and a window pops up. The gist of the messages are:

problem with TOR v.4, Firefox 31.2.0 dies after a couple minutes or so. error messages ---
firefox.exe
appver: 31.2.0.0
modname: xul.dll
modver: 31.2.0.0
offset:0105d1e4
code: 0x80000003
flags:0x000000000
record:0x0 *all zeroes*
address: 0x000000000225d1e4

rest of report available upon request (modules by number, doesn't point anything else out to me, I'm not clear how to save it to a file, as I can't highlight and copy the text, maybe there is a better way or it auto saves to a file unknown to me).

Anonymous

October 19, 2014

Permalink

Upon downloading and running v 4.0, I immediately received a Firefox keylogger warning for the onion browser. I blocked it, but this is worrisome.

Anonymous

October 19, 2014

Permalink

tor 4.0 will not run if Trusteer Rapport is installed i had to uninstall it to get tor working

Anonymous

October 19, 2014

Permalink

Strange white strip bar at the bottom of the browser window. Please take a look bit.ly/1CHgmyb. Appears on every page cropping out the pages from bottom. It gets disappeared if the TBB window is maximized for a moment, but that solves it temporarily as a new fresh start of TBB brings this issue back.

Me too! I thought that was only my OS.

TB has a small bar of whatever is in the background, but when TB is moved or window resized it goes away.

Do you want to open a bug report now that I can confirm the issue on Win 7 64bit?

Anonymous

October 19, 2014

Permalink

installed 3.6 and got prompted to update and opened a page with a place to do so. DL new version and installed. Now i crash when i open app. Win 7 64

Anonymous

October 19, 2014

Permalink

Listen up guys!

NSA gets early access to zero-day data from Microsoft, others
http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-d…

*Microsoft and other companies give the government so much information....talk about privacy laws.

FBI pressures Internet providers to install surveillance software
http://www.cnet.com/news/fbi-pressures-internet-providers-to-install-su…

*And the feds all of a sudden want to fun Tor? Look up articles, cause it says feds just donated money to the Tor Project

The NSA is giving your phone rechttp://www.washingtonpost.com/blogs/the-switch/wp/2013/08/05/the-nsa-is… to the DEA. And the DEA is covering it up.

*Fight crim is good but really? All records?

We should indeed be worried about the tendency of large corporations to give up their user data to governments (and heck, to others too).

As for your "all of a sudden", it seems you haven't been paying attention. Various parts of the government have been funding privacy research and development for a long time now.

See also
https://blog.torproject.org/blog/transparency-openness-and-our-2013-fin…
https://www.torproject.org/about/sponsors

But I'll also point out that the feds you talk about (FBI, NSA, DEA) haven't funded Tor.

Anonymous

October 19, 2014

Permalink

first of all, thank you, thank you and thank you again for your efforts to make web secure and reachable for us, in these dark parts of the world, shadowed by tyrannical gov's.
I have 2 questions:
1- why I can't use some of websites? this problem came after last two versions of TOR and still exists. so many sites, from normal Persian news sites to subtitle sites, don't let me use them with TOR. some of them absolutely don't, some of the killing me with captcha tests! why?
http://digarban.com/ http://subscene.com/
2- I installed a weather forecast add-on and set my city up on that. after that, I removed that add-on, closed TOR and shut down my PC. next time that I run TOR, when I installed the same add-on, the add-on knew about my city! how could is this possible?! shouldn't the cache and cookies (and also IP) be removed and renewed every time we run TOR?
thank you again for your efforts to make world a better one :)
a fan

Anonymous

October 19, 2014

Permalink

Just downloaded the new release and replaced my old Tor folder with the new.

Now when I try to start Tor I get this:

sh start-tor-browser
start-tor-browser: 221: start-tor-browser: Syntax error: "(" unexpected

Help?

I start mine with ./start-tor-browser

It looks like the start-tor-browser script is bash, not sh (which for me is dash).

What instructions told you to run it with sh?

Same here.
no: sh start-tor-browser
no: sh ./start-tor-browser

works for me: ./start-tor-browser

hth

I am also getting this in ubuntu 14.04

$ sh start-tor-browser
start-tor-browser: 221: start-tor-browser: Syntax error: "(" unexpected