Tor Browser 4.0 is released

Update (Oct 22 13:15 UTC): Windows users that are affected by Tor Browser crashes might try to avoid this problem by opening "about:config" and setting the preference "media.directshow.enabled" to "false". This is a workaround reported to help while the investigation is still on-going.

Update (Oct 25 02:32 UTC): If you are unhappy with the new Firefox 31 UI, please check out Classic Theme Restorer.

Update (Oct 16 20:35 UTC): The meek transport still needs performance tuning before it matches other more conventional transports. Ticket numbers are now listed in the post.

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release.

The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses. Note, though, that meek's performance still needs improvement before it matches other transports, so adjust your expectations accordingly. See tickets #12428, #12778, and #12857 for details.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater currently depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert): an update fetched over HTTPS alone is only as trustworthy as any certificate the browser will accept for that host. For that reason the updater is off by default and must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces the script enable/disable state for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts individually. This will hopefully make it possible for more people to use the "High Security" setting in our upcoming Security Slider, which will have JavaScript disabled globally via NoScript by default. While we do not recommend per-element whitelisting, because a user's individual allow list is itself a fingerprinting vector, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to Mac OS X users: We intend to deprecate 32-bit OS X bundles very soon. If you are still using 32-bit OS X 10.6, you will soon need to either update your OS to a later version or begin using the Tails live operating system.

Here is the changelog since 4.0-alpha-3:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update Torbutton to 1.7.0.1
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1
      • Translation updates only
    • Update fteproxy to 0.2.19
    • Update NoScript to 2.6.9.1
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 13416: Defend against new SSLv3 attack (poodle).

Here is the list of all changes in the 4.0 series since 3.6.6:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to 0.2.5.8-rc (from 0.2.4.24)
    • Update NoScript to 2.6.9.1
    • Update Torbutton to 1.7.0.1 (from 1.6.12.3)
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31's Australis UI.
      • Bug 13138: ESR31-about:tor shows "Tor is not working"
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to 0.2.7.0.1 (from 0.2.5.6)
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention @riseup.net as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB's logo
      • Bug 11193: Change "Tor Browser Bundle" to "Tor Browser"
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox "slow to start" warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Anonymous

October 20, 2014

Permalink

W T F Torbrowser
Where is 'Page Info' -> Media?

Firefox gets more and more like a Tamagotchi.
Is this intentional?

'Nice' to know that some feedback posts here are 'not really read'.

Like this point
(among other points in the long post on October 16th)


1) Torbrowser 4.0 browser feedback

- The Media tab is still missing in Page Info, while this tab is available in Firefox ESR versions and Torbrowser 3.6.5 and before.

- Security tab, Technical details is still empty.

By the way, again, this problem has already existed since version 3.6.5

Anonymous

October 20, 2014

Permalink

The new 4.0 Tor Browser Bundle didn't work at first; I found out that Rapport needed to be disabled for it to work correctly. Windows 8.1 64-bit with Rapport disabled works now.

Anonymous

October 20, 2014

Permalink

Is it not possible to control which nodes (or country) are used for exit anymore? I used to edit the torrc file with the ExitNodes option, but it is not working anymore.

Anonymous

October 20, 2014

Permalink

Well, that was a weird one. I installed the new version, and AVG instantly flagged firefox.exe as a threat. I figured it was a false positive, so I just deleted the installer and downloaded it again with no problems. Most of my addons transferred through; some settings have returned to default, some not. Strange stuff!

It's quite amusing. WHY do you believe AVG's "strange stuff" and not believe in a TBB downloaded over an HTTPS connection from the torproject.org web site???
Surely it would be better for torproject.org to have a link to a 'securenet' onion site to download stuff from, but anyway...

Using a hidden service to fetch the 45+ megabytes means double the load on the network. It's already not clear whether the Tor network can handle millions of people updating their browser over Tor.

What you really want here is "encrypted services":
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xx…
which reduces the load on the network on the service side. But nobody has finished fleshing out the design or building it. That could be you!

But really, another fine answer is pinning the cert that you expect on the other end of the https connection, and also actually signing the update. As the blog post here says, those are the next steps for the Tor Browser team.

Just don't forget there are users who use only Tor for all web access! So maybe add a link marked "slow but secure"?
Or do you mean hidden services are too heavy for the Tor network? Or for the hidden web site? I'm not sure I'm following you...
BTW, as it's you who compiles the TBB package, you can add your own CA and not invite any third party between you and your users.
(you can even name it 'nsa top secure root ca' etc.)

Thinking about it some more, I actually think signing the update is a more secure approach than running it on a hidden service. The hidden service approach is basically like https but without the awful "turkish telekom can pretend to be any website it wants to be" problems. But for updates, the property we want is "that file I got, and it doesn't matter how I got it, is the one I want".

So if you sign the files, you can do that offline, and then it doesn't even matter if somebody breaks into the webserver or computer hosting the hidden service.

Anyway, how can you _prove_ that the TBB root CA certificates are what they are claimed to be? Users _ought_ to believe the package creators.

And signing roughly just means: the file hash is verified by (any) entity having a private key, as confirmed by (any) root CA from your list.
Maybe better to guarantee that an update is signed with the same key as the base package? (aka pinning)

Signing is orthogonal to hidden services, which will add protection against 'who gets what' tracking. IF they are not broken, of course.

Concerning distribution: maybe a 'users help yourselves' concept as in edonkey/imule/torrent would drastically lower server load? As a package creator you have the opportunity to (optionally?) add a hidden service to every client and let them share downloaded parts of TBB.

Anonymous

October 20, 2014

Permalink

I'm so pleased my TBB 4 issues are shared. It won't configure the "always ask to save files" download setting. It just says Mozilla apologises for the inconvenience and closes.

BTW: This is why I always keep a copy of an earlier TBB on file. I reinstalled 3.6.6 and here I am.

Please fix TBB 4.0

Change the 3.6.6 useragent into the 4.0 version

If you use TBB 3.6.6 again, maybe you should consider changing at least your useragent to the newer TBB 4.0 one in the about:config settings.

In this case your browser is telling websites that it is an up-to-date Mozilla browser, which may protect you a bit from scripts that target older browsers by detecting their version strings.

Old TBB 3.6.6 useragent; just search for 'user', you'll find it.
general.useragent.override;
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

New TBB 4.0 useragent
general.useragent.override;
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Consider changing the numbers 24.0
into 31.0

Remember it's just a tiny 'reverse social engineering trick', also known as 'a bit of security by some obscurity'.
No guarantees, but every tiny bit of security can help.

@ developers
In TBB 4.0 this useragent is still set to rv 17? It may not matter but seems odd.

extensions.torbutton.useragent_override;Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0

You can put anything you like there, even Windows95. Or random text to make their databases explode. But better not use the "windows" string; it will attract specific exploits.

Anonymous

October 20, 2014

Permalink

I always download and save, using TBB, the most recent TBB for my XP. Then I close the Tor browser and delete all Tor-relevant files. Then I run CCleaner and reboot.

After this self-imposed procedure I open and install the latest iteration of the TBB, but always keeping a copy of the previous one to hand. In the PC's backup external HDD, if you must know. Most of us do!

And TBB 4 won't install properly. I also now note that many others have reported similar issues. In my case it failed to accept a new download destination, My Pictures. I re-installed TBB 3.6.6, reconfigured the same and hastened my issues over to your blog.

What else do I need to do? TIA

Anonymous

October 20, 2014

Permalink

My English is very poor, so I can only tell you the fact that TBB 4.0 is working very well now.

Anonymous

October 20, 2014

Permalink

Can somebody confirm that TBB 4 is known to work on Debian Wheezy stable? I get

/usr/lib/i386-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by /root/tor-browser_en-US/Browser/libxul.so)
Couldn't load XPCOM.

Wheezy uses GCC 4.7 with libstdc++ 6.0.17, but TBB 4 depends on GLIBCXX_3.4.20 which is in libstdc++ 6.0.20 with GCC 4.9, which aren't available in Wheezy. Did I miss something, or does TBB 4 not run on Wheezy?

Didn't you know that we are the beta-testers? We aren't the end users.
Releases of Tor and the TBB are always bugged beyond imagination.
The end users are the FBI, the CIA, the NSA, the American govt.
Of course it doesn't work on Debian Wheezy. Wait, and even the update for us, the less fortunate, will come.
Thank you for your bug report.

Anonymous

October 20, 2014

Permalink

To all TB users, here's how to unbreak this version of TB's UI. Realize though there are issues with fingerprinting (changing window size for example) and the add-ons have not been vetted by Tor Project:

How to make the new Firefox look like the old Firefox
https://support.mozilla.org/en-US/kb/how-to-make-new-firefox-look-like-…

Right-Click Menu Change
http://forums.mozillazine.org/viewtopic.php?f=7&t=2865005

Windows XP is end of life and not receiving security updates, so stop F@#$ing using it for internet access and either pay for a newer version of Windows or download a good Linux distro (preferably one without systemd).

You mean automated updates from ms@nsa? Seems like a win situation. Maybe that comp is on the internal net behind a firewall/IDS, or just as a VM image? What's wrong with a working OS? Not a gamer's comp?
Name your Tor browser 'linux without systemd' or 'newer indian windows', disable JS and you'll end up with "newer os" inet behavior (approx...)
Sorry, I don't know the answer to the original question...

Anonymous

October 20, 2014

Permalink

Hi,

I tried to register to the Tor issue tracker but I get the error:

CAPTCHA failed to handle original request all the time. I've retried over and over again, but my registration keeps getting rejected.

I know that the comments aren't the right place, but I'd like to suggest an enhancement to the tor browser.

To make it easier to distinguish it from vanilla Firefox (in case somebody's running them both at the same time), Tor should have a different default browser background that clearly identifies it as Tor Browser. This will make it harder to mistake them for each other.

It really isn't a good idea to make Tor Browser look different from vanilla Firefox. Just like Tails goes out of its way to look like Windows to reduce suspicion in use cases where there is physical surveillance, Tor Browser should look as much as possible like vanilla Firefox.
If you must run them at the same time, try using a different theme in Firefox to tell the difference. With that said, it's recommended that you do use them at the same time so that you don't mistake one for the other.

Seems like it's time to use themes with govs' heads; they will count you as a supporter and switch to others.
I'm curious why you use Firefox? Do you feel guilty for using TBB?

Because I've got things open in my actual Firefox which reveal my real-life identity. If I were to open these in TBB as well, my activity over Tor could be traced back to me.

Anonymous

October 20, 2014

Permalink

This new version 4.0 is not working for me (windows 7). Luckily I had a copy of 3.6.6 in my download folder, re-installed it, and now I am ok again ....

Anonymous

October 20, 2014

Permalink

I'm still using 3.6.6. I tried v4.0 on 3 separate Windows PCs and it doesn't work. Won't even open: Firefox appears in Task Manager, then promptly disappears again. Never had any problems in the past.

Anonymous

October 20, 2014

Permalink

How can I enable storing passwords? It is grayed out in the security settings. I didn't find anything in about:config or on the net.

Anonymous

October 20, 2014

Permalink

Found a never-seen-before temporary behaviour on TBB 4.0 (quitting TBB and opening it again solves this):
The Menu Bar is greyed out. Visible but unclickable.

Anonymous

October 21, 2014

Permalink

What concerns me about the TBB 4.0 failure is the lack of feedback or any other acknowledgement at all from Tor that serious issues exist.

It's exactly like they're saying &%#*- you. It's like talking to a wall...

Anonymous

October 21, 2014

Permalink

It says "something went wrong, Tor is not working in this browser". WTF, it's the new version 4. Does anybody know how to fix this? I'm on Windows 7.