Tor Browser 4.0.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.

Here is the changelog since 4.0.2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update NoScript to 2.6.9.10
    • Update meek to 0.15
    • Update Tor Launcher to 0.2.7.0.2
      • Translation updates only
Anonymous

January 14, 2015

Permalink

I have windows 8.1 and its telling me my PC can't run this app, any solution or just a bug?

What type of processor do you have? If it's ARM, you're not going to be able to run any modern browser other than IE. Windows on ARM doesn't provide the APIs they need for fast processing of Javascript including the internal Javascript the Browser is based on.

Anonymous

January 14, 2015

Permalink

I keep getting:
An error occurred during a connection to www.torproject.org. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. (Error code: ssl_error_inappropriate_fallback_alert)

I'm using TBB 4.0.2.

This has been happening occasionally for the past several weeks, IIRC ever since POODLE. Clearing history, switching to new exit node, etc doesn't fix it. Waiting a couple days usually does fix it.

Is anybody else getting this, or is it just me?

Yes, I currently get ssl_error_inappropriate_fallback_alert only for www.torproject.org. I still get it today (January 16), and it always fails (changing exit node doesn't help). I don't get it for blog.torproject.org. IIRC I got it once for duckduckgo.com a few weeks ago, but never again. DDG works fine now.

I'm using Tor 0.2.4.24 configured as a transparent proxy on a separate gateway machine (so a browser exploit can't reveal my IP address), and TBB 4.0.2 (instead of regular FF, so I'll look like other TBB users) set to transparent proxy mode (i.e. doesn't use TBB's built-in Tor).

I don't know if my split configuration is the problem, but it works fine (and has for years) everywhere else, including with TLS; only www.torproject.org is currently failing.

OS is Debian 7 stable, with Linux 3.2, both for the gateway (running Tor) and for the client machine (running the browser).

More info: enabling 4.0.2's built-in Tor (so now I'm using Tor over Tor; extremely slow) solves the problem.

But my split configuration should not be causing the problem I'm seeing. And the problem only occurs for www.torproject.org, not for blog.torproject.org or gitweb.torproject.org or any other site.

Tor 0.2.4.24 (on my transparent proxy) isn't the latest, but that shouldn't have any effect on a browser's use of TLS.

Updating my transparent proxy to 0.2.5.10 didn't help.

Set your TBB to transparent proxy mode, put it behind a transparent (i.e. intercepting) 0.2.5.10 proxy, and I think you'll see the problem I'm seeing.

Anonymous

January 14, 2015

Permalink

Hi.
Thanks for all the work.
I just updated, and now the icon in my task bar for Tor Browser is the stock Firefox icon. Any chance of switching it back in future releases?

I know it seems simple, but since I (and many people) use Tor Browser and Firefox concurrently, having different icons is a quick and easy way we can check to make sure we're using the right browser.

I'd hate for someone (especially beginners) to compromise our anonymity over something so rudimentary.

As a note to beginners who may read this, it's likely preferable to only have one browser window open, to avoid getting confused.

I wish I could use tor browser 100% of the time. For several reasons, that's not currently practical.

Thanks again,
me

Trying to think back, it is quite possible that I had firefox (clearnet) open while installing the new tor browser. It actually looks like it's now back to the tor browser icon.

It a certain linux distro, and it appears that after a reboot it's back to normal now. I don't know a lot about programming, but I guess since it appears to be back to normal it was some time of quirk. I had posted my comment under the assumption that it was a widespread "issue." Sorry if I posted hastily.

It does present a question, though.
Icons are harmless, but is it actually possible to have a vulnerability during installation if the firefox process is running? If not an active attack, then "just" the computer having bugs.

Next time I'll probably just shut down firefox to be safe, but it proves how tricky secure computing can really be.

Thanks again!

Anonymous

January 14, 2015

Permalink

Hopefully this comment get's posted. I have tried making a comment before but it didn't get posted(it was not an abusive or offensive or racist comment, it was a question about something to do with non exit Tor relays).
My question is, how do I tell if my non exit Tor relay is an entry relay, or a middle relay? I would prefer to be a middle relay(the relay which passes the data onto the exit relay).

Anonymous

January 14, 2015

Permalink

How can we force Tor 4.0.3 to always present the "Download an External File Type?" dialog when we right click a link and "Save Link As"?

Some file types seem to bypass this dialog and take you straight to naming the file.

Anonymous

January 15, 2015

Permalink

4.0.3 has a bug.
The Tor browser crashes every time I use it.
Please create a 4.0.4 as soon as possible to fix this bug.
Also has anyone noticed that when you download Tor your connection to the Download Tor page really isn't encrypted?
Right click somewhere on the Download Tor page, and click on properties, and you will see that the connection is Not Encrypted.
Because the Download Tor page isn't encrypted, that means that an attacker can modify your download and eavesdrop on the page.

I also get random crashes since 4.0 or so. I'm on XP for what's it worth. Did you ditch XP-support for good?
I know it's virtually impossible to reproduce random crashes, but it would be great if something could be done about this. Is it a Firefox-issue?
So far the best solution for me is still Privoxy and the Expert Bundle. Works like a charm.

Anonymous

January 15, 2015

Permalink

Hello i from china
Tor here blocked
connections to public tor relays blocked
how do i circumnavigate this?

Anonymous

January 15, 2015

Permalink

With TOR 4.0.2 I had the same guard node for a few days (which is how I assume it should be).

I have just downloaded 4.0.3.

Checking with Vidalia, it gave me one guard node for half an hour – call it Guard A (not the same one as under 4.0.2). Then it changed to another one (Guard B). I have just started TOR again and it has gone back to the previous guard A. But, under 'connections' on Vidalia Guard B is showing as well.

This does not seem right.

Any comments please?

What has Vidalia to do with Tor 4.0.3? There is no Vidalia we ship anymore. It is long outdated and not maintained anymore. And changing guard nodes might happen, e.g. if the one you wanted to use is not available at the moment.

GK

I use Vidalia to see which three nodes make up my connection.

If you know of another way to see my entry, middle and exit nodes I would be very grateful - as, I am sure, many other users would be.

Thanks

Anonymous

January 15, 2015

Permalink

Excelent

Anonymous

January 15, 2015

Permalink

I know how to transfer my bookmarks to a new version.
What is the best way to transfer additional about:config settings and installed Add-ons with their partially extensive configurations?

Perhaps the internal updater is your answer. Didn't check if it keeps extensions and settings but I know it keeps the bookmarks.

Manually, you have to copy your extension files (xpi) or folders into the new profile, you could also create a user.js file in the profile.default folder to enforce your settings at each browser launch. So you would copy the user.js file and the extensions into a new profile after each update.

usually there is a folder with the broswer icon in it. Don't remove it from the folder, needs those files to work. I'm guessing you moved it to your desktop manually, out of the folder?

Try and see what happens.

the folder names may have changed.

if you go into tor browser folder, and see the shortcut to start tor browser, make a shortcut to that, and put the new shortcut on your desktop.

Anonymous

January 16, 2015

Permalink

cant open the tor download, on windows 8.1." It says NSIS error installer integrity check has failed. contact installers author for a new copy" I have tried redownloading multple times. Any idea what this means?

Anonymous

January 16, 2015

Permalink

PLEASE help.I haven't a clue what's going on.

Try downloading TBB with a mozilla browser(.zip - version) on Windows 7.
File is downloading but saving is BLOCKED, the download tab in the browser
says.
When i RENAME the file for saving, e.g. .txt insted .exe, it WORKS. ???
I am absolutely clueless.

Defender only as AV and Ad-blocker count is 0.
Some idea?

Anonymous

January 17, 2015

Permalink

I've gotta ask.

I've been using tor almost ever since it began for communication purposes. I'm still around so yes, it is efficacious - good to see spell-check functional again lol - but now it's time to step up our activities.

Can I use it on the regular internet for making commentary? All non-tor sites - 'cepting this 'un, of course - require a functioning javascript for interaction.

Can our repressive regime, after compelling the isp/media owner to surrender data relating to this activity trace my genuine ip address or does the false ip securely block any and all further enquiries? I'm very much aware that tor net requires javascript to be disabled.

I'd hate to experiment and then find m'self back in goal. lol

Thanks in advance...

There is the possibility of traffic correlation in extreme (?) cases. There is always the risk of zero-day exploits.

I would recommend using multiple layers of security such as: firewall, anti-exploit, anti-logger applications, VPN(s), virtual machines such as Whonix or Qubes + Whonix, a local DNS proxy with wildcard support (like Acrylic DNS) and an ip blocker such as PeerBlock to gain control over (unwanted) connections.

But if you go the extremely secure Qubes + Whonix route, much of this stuff would be unnecessary.

Anonymous

January 17, 2015

Permalink

Anyone else ever notice how shortly after a new release of TBB occurs when just as suddenly there's a new release of NoScript available?
Really makes you think...