Tor Browser 4.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.2 is based on Firefox ESR 31.3.0, which features important security updates to Firefox. Additionally, it fixes a regression in third party cache isolation (tracking protection) that appeared in 4.0, and prevents JavaScript engine locale leaks. Moreover, we believe we have fixed all of the Windows crashes that were due to mingw-w64 compiler bugs. DirectShow is still disabled by default, though, to give the respective mingw-w64 patch another round of testing.

Here is the changelog since 4.0.1:

  • All Platforms
    • Update Firefox to 31.3.0esr
    • Update NoScript to 2.6.9.5
    • Update HTTPS Everywhere to 4.0.2
    • Update Torbutton to 1.7.0.2
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 13746: Properly link Torbutton UI to thirdparty pref.
    • Bug 13742: Fix domain isolation for content cache and disk-enabled
      browsing mode
    • Bug 5926: Prevent JS engine locale leaks (by setting the C library
      locale)
    • Bug 13504: Remove unreliable/unreachable non-public bridges
    • Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)
  • Windows
    • Bug 13443: Fix DirectShow-related crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13594: Fix update failure for Windows XP users
Anonymous

December 03, 2014

As a release version this rightly triggered an autoupdate alert for me. The autoupdater is however seriously broken. This time, in addition to the warning (correctly or incorrectly, cannot tell) that my user profile is missing, I am inundated with additional messages that indicate TBB cannot start because it is executing multiple firefox.exe instances, and I'm fatally looped on each try.

Not sure what is going on, honestly, as I have never seen this behavior. It might be best to start over with a fresh new bundle and check whether the update to the next Tor Browser version behaves the same, which might indicate that there is indeed a bug that is not detected yet.

The new update did block everything on my PC. I could not open Tor anymore. Something is wrong with this update. I had to delete it. After I took it off my PC everything worked fine again.

The Autoupdate functionality is seriously borked. Even though it is supposed to be an option, I have just been downloading the TBB bundle and doing the old 'manual upgrade' route because of the horror stories I have read on the internet.
An auto-updating secure browser sounds good in theory but in practice, considering the number of locations where people might put it? It just does not work.

Anonymous

December 03, 2014

Which one should we use? Tor Browser 4.5-alpha or Tor Browser 4.0.2? I mean, which one is safer?

Anonymous

December 03, 2014

Great update to the browser. Wondering however why the TBB Bundle was live for hours before this blog entry appeared.

I don't know actually. Looking at my chat log there is just one hour delay between updating the website and getting the updater related pieces sorted out + getting this blog post live.

Anonymous

December 03, 2014

Here's to hoping for the best. Thanks for making the world a bit more private. Tired of living in fucking big brother without getting paid for it, at least :)

Now, now, is that any way to talk of our noble and benign corporate masters?

Not only do they provide sub-par service for bloated prices, not only do they snoop and spy on your every click and keystroke, but then they turn around and sell all that data to the highest bidder.

How could anyone not be grateful?

Anonymous

December 03, 2014

I downloaded TBB 4.0.2 from: https://www.torproject.org/download/download-easy.html.en. Next, I clicked on torbrowser-install-4.0.2_en-US.exe with Tor Browser 4.0.1 open on Win 8.1 desktop. I got a message that TBB 4.0.2 install would perform "update". Next got a message inside progress box: "Connecting to Update Server". I canceled the progress box, deleted 4.0.1 TBB and ran 4.0.2 install again and installation seems to have worked correctly. I did not note exact wording of "Update feature" so my comments are from my recollection. I could not find any Tor Browser documentation that ver 4.0.2 would perform an "update" rather than a full install and under what conditions and why would TBB install connect to "Update Server" if .exe file contains complete install. Please document this function so others will not be surprised.

The update is happening within Tor Browser. You don't have to download a brand new version. To trigger an update manually, click on the "hamburger" button (menu button), then the question mark at the bottom and then "About Tor Browser".

Anonymous

December 03, 2014

Updated but not synced with available Firefox ESR 31.3.0 functions

- "Page Info" (function): "Security" info tab, "Media" info tab ("Feeds" info tab) still missing.

All the former and present Firefox ESR versions have these info tabs present (when relevant on webpages).

But Tor just deleted it several browser versions ago.
Does security really matter or not (anymore)?
Why don't we get a satisfying answer to this, or is this crucial info functionality being put back the way it is in Firefox ESR?

What is the (info & Security) deal here?

Thank you for answering, but

This ticket, as already stated earlier by people, is not complete!

"Media" tab is another important tab that is missing (yes, also important in security / privacy check matters), and the "Feeds" tab as well.
These tabs have also been broken (deleted) since Torbrowser version 3.6.6, quite a while now.

So, 4 issues on 3 tabs: "Media", "Feeds", "Security".

Would it be possible to add this to this ticket or make a new one for Media and Feeds as well?

Thank you in advance GK

What about "View Cookies" on that "Security" tab always showing an empty list? Is there supposed to be another place to check what cookies are set, or is this part of ticket #13254, or another bug altogether?

With the cumulative total of time and effort put into managing Firefox, it seems that a small lightweight browser with basic capabilities (at first) would eventually allow more effort to be directed toward the main goal... anonymity and security. Look at Orweb: from my understanding there is only one developer with maybe a few volunteer bug hunters at the forefront. The TBB team with all of its new experience could design an ugly but usable browser with security and anonymity in mind. Having to patch, rewrite, and audit code every single tedious time a new version of ESR arrives must fucking suck. It likely isn't fun and probably feels like a chore. It's sad that the talented devs working on the TBB use precious time to work on such a monotonous task. For all we know, one or some could have solved a portion of the critical issues Tor faces within that time. The Tor button was a perfect example of this. Micromanagement leads to exhaustion and eventual loss of interest. As it is the TBB must be maintained, but please consider slowly and very carefully building a barebones browser in parallel. Coded to be modular so that members from this expanding community could add the features they desire (initially features like Flash, Java, PDF, etc). Only audits would then occur on your end, or the team itself could write un-convoluted airtight code. I believe experience at the cutting edge of security and anti-surveillance has granted some of the team this ability.

Cheers!

I'm using TAILS 1.2.1, which comes with Tor Browser 4.0.2, right now. "Page Info" shows me three 'tabs': "General", "Permissions" and "Security". I vaguely remember a "Media" tab, now I see it mentioned, but neither that nor "Feeds" appears. I can confirm that the "Technical Details" heading at bottom of "Security" has nothing below.

What bothers me though is cookies. Tor Browser always claims none are stored and "View Cookies" always shows an empty list. I can't believe that there are always no cookies set, and I would really like to check them. It seems to have been the case certainly for TAILS 1.2, and maybe earlier.

Is there supposed to be another way to check cookies? Or, is cookie blindness part of ticket #13254?

Anonymous

December 03, 2014

Does this fix the no-Javascript browser kill which has been scourging the wilds of .onion-land?

(Works on Linux; Javascript not required.)

What?! Please post more details, so some experts can analyze this. Even if this bug was fixed, if there is something crashing the previous TBB on multiple onion sites it would be good to know what it is!

Anonymous

December 03, 2014

Important request at torproject.org

Since Torbrowser is also part of Tails, Tails is part of torproject.org and there is no place to comment on Tails:

please, could someone from the Torproject ask or tell the Tails developers to make their downloads available over HTTPS instead of HTTP?

I just can't believe that such an important (and big, thus long) download is offered over a plain insecure HTTP connection.
(A download of 20/30/.. minutes makes at least 1 or 2 changes of exit nodes, so you cannot 'manage' your download by looking for a 'trustworthy' exit node to download with, because they change during the download anyway to another one you don't know or that may be less trustworthy in your opinion.)

Wasn't there some recent news about adding malware to downloads on some exit nodes?
Isn't there a general global policy or idea about security within (https) torproject.org that all the people from the different projects could, should follow?

Would it be possible to offer all downloads (and all information) from torproject.org via HTTPS?

Thank you very much in advance

The insecure Tails link: http://dl.amnesia.boum.org/tails/stable/tails-i386-1.2.1/tails-i386-1.2…

As the Tails website itself points out, HTTPS "still leaves open the possibility of a man-in-the-middle attack even when your browser is trusting an HTTPS connection."[0]

Don't trust the CA cartel. If you value security, you MUST verify[1] your Tails download with PGP! Do you check PGP signatures on your downloads from https://dist.torproject.org/? If not, you are opening yourself to attack by anybody who can break into the server and/or coerce a CA to issue a fake certificate. Repeat, do NOT rely on HTTPS only to protect your downloads; this is horrible security posture.

Also, this information is totally incorrect: "a download of 20/30/.. minutes makes at least 1 or 2 changes of exitnodes." Read the Tor docs and src again. An unbroken connection does NOT hop between exit nodes (handoff of the circuit between middle nodes is long proposed, but would not affect exit nodes and is not implemented anyway). It is for this reason that connections to certain ports use nodes marked with the "Stable" flag.

Also, it is not correct that "Tails is part of torproject.org" as the poster asserts.

(As an aside, it may be a good idea to provide Tails downloads via HTTPS for reasons of defense in depth, and toward the greater good of encrypting the entire Web. However, this may also provide a false sense of security... as shown by the post to which this replies.)

I post this, to deter/debunk bad security advice and incorrect information. But it is off-topic; please do not continue here. The Tails release post itself says, "For support and feedback, visit the Support section on the Tails website."[2] If they wanted comments on Torblog, they would enable comments here (duh).

[0] https://tails.boum.org/doc/about/warning/index.en.html#man-in-the-middle

[1] https://tails.boum.org/download/index.en.html#index3h1

[2] https://blog.torproject.org/blog/tails-121-out

I agree, Tails should have an onion available so that all this MITM stuff isn't a threat. Tails should also not open up to the Tails website with JavaScript enabled (as it is by default), as a compromise of the Tails server with malicious JS targeted at Tails OS could compromise a lot of users rather easily.

But then again tails devs have been warned for years now that non-persistent guard nodes is a very dangerous security issue, one that they refuse to address, at least for its persistence users.

1) this anonymous hacker totally agrees with you that Tails' default download locations should be HTTPS.

2) I thought there was a ticket about this in the tails issue tracker, but I couldn't find it. I did find this, though: https://labs.riseup.net/code/issues/7161 :/ I do recall that the reason for not having HTTPS mirrors is that they want to use round-robin DNS to balance between mirrors and obviously that wouldn't work with TLS (distributing the private key to mirror operators would sort of defeat the purpose). Wrong decision, imho.

3) the tor project does maintain an HTTPS mirror of the tails website, including the latest ISO and signature, here: https://archive.torproject.org/amnesia.boum.org/tails/stable/

4) in their defense, tails does at least provide file hashes and GPG signatures over HTTPS, though this is difficult or impossible to use safely on a fresh windows system (downloading GPG4win over HTTP -> sad panda)

5) you're mistaken about exit nodes changing during a download. streams cannot migrate to a new circuit in tor's current design. So, any single HTTP(S) download will use the same exit for the duration.

6) choosing a "trustworthy" exit node is easier said than done. internet is a hostile place.

For what it's worth:

Since Tails isn't distributing the large ISO files themselves (maybe because that would be too expensive), HTTPS won't provide much if any security. The mirrors can be malicious either way. SHA256 or GPG must be used. That neither SHA256 nor GPG is available on Windows by default is a recognized problem. The Tails developers are planning to implement or review a Firefox addon which can be used to check SHA256 sums (there is a ticket about it). This should work for users regardless of operating system, but isn't realized yet.

Only Tails!
Tails is really good. Tor works on Tails better and faster.
Generally I think Tor works on Linux smoothly.

Anonymous

December 03, 2014

Great.
I had problems with 4.0.1 and it kept crashing all the time which was annoying.
I hope 4.0.2 does not crash like the previous one.

Anonymous

December 03, 2014

I believe all the way up to version 3.6 no problems had existed for connectivity to websites. Every release after that has been trouble.
Something must've been taken out of the code or weakened?

Can we please address this Cloudflare issue??? Every other site flags Tor now? It is obvious that when you advertise the browser as Tor... it isn't a common browser name and it is known for obfuscating.

Why don't you spoof the name of the browser as well, so it doesn't stick out when a website notices that it isn't a common browser, so it blends in with the others?

Everyone knows what Tor is supposed to be about. Instead of advertising it to all of the global adversaries, can you look into more unique ways to hide the fingerprints? That is something that should've been taken care of long ago... Thanks

The TBB actually advertises itself to websites as a standard release of Firefox running on Windows 7 (regardless of the OS you're using). Cloudflare recently started detecting Tor exit nodes based on their IP addresses, something that's always been possible and that the TBB can't do anything to avoid. The only thing that's changed here is Cloudflare's policies.

Anonymous

December 03, 2014

On Windows 7 64 bit, updating Tor Browser 4.0.1 to 4.0.2 using the torbrowser-install-4.0.2_en-US.exe installer, it seems that Torbutton is not updated to 1.7.0.2: both the "Add-ons Manager" and the "About Torbutton" still report version 1.7.0.1.
Also doing a "Check for updates" from the "Add-ons Manager" does not update Torbutton.
I had to use "Install Add-on From File" from the "Add-ons Manager" and select \Browser\TorBrowser\Data\Browser\profile.default\extensions\torbutton@torproject.org.xpi in order to properly update Torbutton to 1.7.0.2 version.

You don't need to update to a new version with a whole new bundle. The update happens now within your browser (see my above answer on where to click). That said, downloading a fresh 4.0.2 en-US Windows Tor Browser gives me a Torbutton 1.7.0.2.

However, in the Tor Browser 4.0 release announcement, mikeperry wrote: "Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures."
Hence my uncertainty about using the in-browser updater!

Anonymous

December 03, 2014

The TBB 4.0.2 release I downloaded appears to be signed by Erinn Clark as previously, except I thought she no longer worked for the Tor Project.

Is this correct?

Anonymous

December 03, 2014

Download doesn't complete properly in OS X Yosemite (10.10.1). Firefox .part file loads to about 600KB and then no more downloading takes place.

Anonymous

December 04, 2014

Is there any way to use meek-google in Tails OS?

Anonymous

December 04, 2014

When running the Tor Installer for 4.0.2 on Windows 8.1, as either an update to the existing folder OR as a fresh install, all attempts to execute Tor Browser get the infamous "Couldn't load XPCOM".

Running Tor Installer for 4.0.0 is the only way I could get back.

Any thoughts on how to get 4.0.2 installed? Is there some shared component being saved to the file system outside of the target install folder?

This was a familiar error message. Which antivirus software was it that caused this now again? Anyway, disabling the antivirus software was enough to make Tor Browser work again, if it is the same problem.