Tor Browser 4.0.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.

Here is the changelog since 4.0.2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update NoScript to
    • Update meek to 0.15
    • Update Tor Launcher to
      • Translation updates only

There's a new release of noscript every two days or something -- the guy makes his money by putting out frequent new releases and having all his users load his page, with ads in it, on each update.


January 17, 2015


First of all i would like to say thanks to the torproject team
for all work and effort you guys put into keeping people safe.

not sure if this is a bug, but tor 4.0.3 has been out for 4 days now
but i haven't got any notice about that in the tor browser.
i think that several days is a bit slow update to notifi people
that there is a new version aviable.

would really appreciate if this could be fixed so that we get the
updates right away. thanks in advence.


January 17, 2015


considering that this is a project with opensource help, then all questions about whether anyone has the ability to compromise your browser bundle or the ones about identity - we don't know who is who, anywhere.

That said, and unfortunately, it's probably a good assumption that the NSA/whoever, are also áiding' with the coding, helping them to input backdoors for themselves?

It's what i think, how the final bundle is assessed is never disclosed, so hopefully the Tor Dev Team are more towards the non-compromised view than allowing some.

Sorry it's very early, i'm tired - thanks for all your hard work guys! Keep it up.

Well, we do know all of the people who actually commit code to Tor components.

If you think "open source" means "we merge patches from strangers on the Internet without looking at them", then you're doing it wrong. :)

(Tor Browser is a tough case here though, because Firefox is enormous and has their own process for deciding who can merge patches.)


January 18, 2015


The iphone App "Onion Browser" uses Tor- but is its oversight run by the Tor project?
Was it updated with Tor's most recent update? If it does not belong to Tor do you have a recommendation how one would connect to the internet most securely from a mobile device? Many thanks.


January 18, 2015


What about alpha version? Does it get no love?! (Or is it not needed to update?)

The old version of TOR worked great. This one doesn´t work at all or loads a page in 10+ minutes. Haven´t had any issues with TOR in years.

The NoScript context menu isn't workng properly in the new (linux) release. It shows no options apart from general allow/ban globally even after changing the settings in the appearance tab of the options menu. Tried resetting after changing said options and tried to fix it in about:config to no avail. Any suggestions for a temporary fix until this bug is worked out? (I lack the time to register to file a ticket on the bug tracker)

We are not responsible for the NoScript code. You might want to contact Giorgio Maone about that issue. That said if it worked in the past having the NoScript version that introduced the bug would be a helpful information.

For me checking 'Permanent "Allow" commands in private windows' under Options helped.

Otherwise some options are not supposed to be available in private browsing mode.

I had similar problems on Windows, all that was showing up was Temporally allow all this page even though I had the options ticked to show Allow, I reset all the permissions in NoScript then I updated NoScript to version, re-imported my previously saved whitelist and it now works.

Why does Tor send data through 3 relays?
Why not 6 relays? Wouldn't that be more secure?
Although if that were the case using Tor would be a lot slower.

The relevant concern from "A Peel of Onion" by Paul Syverson:

" general, with two-hop circuits a compromised entry or exit would immediately know for each connection through it the single other point to attack to reveal the entire route. If the adversary has resources that can be readily mobilized for attacking at some of the nodes in the network when needed, two-hop circuits would make his job much easier than three-hop circuits, for which he would need to simply be lucky in knowing where to strike and when, or would need to keep his resources persistently mobilized everywhere."

I would argue that in a world where Internet connection data is retained, sometimes by legal mandate, that legal authorities monitoring middle relays are in a position to trivially query that data from both the entry and exit relays. The only thing to stop them would be if one of those relays were operating within an uncooperative regime.


what does it mean by permanent "Allow" commands in the command in private window???

You are allowing that particular site not only in the Private Browsing Mode but the permission will still be there if you are leaving it.


Since 'Private browsing mode' is the Tor browser default, does this not mean that you are always allowing scripts?

This sounds ridiculous and so I may have got it all wrong, but could you please clarify this point for us all?

Thank you

Having private browsing mode enabled is orthogonal to having scripts enabled. Both things are independent from each other.

What about RC4, why not disable it by default?

RC4 is broken in real time by the #NSA - stop using it.
Jacob Appelbaum

And yes i know some servers use RC4 as fallback, but is it worth it? I just don't think so.

I am using a Mac 10.6.8 32-bit system and I am glad that I can still use Tor Browser 4.0.3. But as far as I know the end will come soon. Is an exact date already fixed?

No, as soon as the 4.5 series will be the next stable one.

Tor does work more or less on Windows 7(with often 100 % CPU usage),crashes and very slow on Windows XP,does not start at all on certain popular Linuxes I have tried.For me Tor 4 is almost useless,I have to use 3.6.6 and sick and tired of the "update needed" exclamation mark.Terrible modern programming...

If you could give us steps of reproducing your issues we might be able to fix them assuming they are caused by Tor Browser.

Still using Windows XP for any networking (e.g., the Internet)?


Tor 4.0.3 works normally on Debian 7.8,Altlinux Starter Kits.
On older distros like Mint 16 or Centos 6.3 there are problems
(errors) when I extract tar.xz.If I extract it in Mint 16 only
terminal and tar -xfJz works.In Centos 6.3 extraction in terminal fails.

As far as Windows XP users concerned I advise to disable Web Client service.
After that you can use Tor 4.0.3 with only very rare crashes.

Windows XP SP3 behind a firewall is as safe as Windows 7 and Linux or safer than Linux(with firewalls too).

First of all, you're probably having trouble with Tor Browser, not tor itself. Second, "certain popular Linuxes" doesn't really help troubleshooters; be specific. In fact, give the error in detail. The Windows XP error might not have anything to do with WinXP but the hardware. Does normal Firefox run on it well?

Dude, There's a tweak to keep XPsp3 updated well into June 2019.…

Note: I reformatted an' reinstalled XP in Jan 2014 to ensure a "clean" system. I've been using this tweak on XP auto updates since June 2014 with zero issues.

So why not keep using it? I do. Don't upgrade if there are no problems. And yes I believe winxp(x64) os is fine for many purposes. Just have some structural security in your local network.

For both Windows and Tor Browser, you're opening yourself up to known security flaws with using unsupported versions. DON'T use an outdated browser! You shouldn't use Windows XP for anything that connects to the internet (unless you're still on corporate support. If you don't know what that means, you're not.) In general, it's a bad idea that can lead to an attacker easily compromising your computer. In terms of maintaining anonymity, it makes it impossible; an attacker can compromise your system and easily gain access to your identity before doing whatever else they want. Yes, there are ways to mitigate some of these attacks, but by and large the mitigations are complicated solutions the average user isn't going to want to try.


This is not a complaint but rather a suggestion. I get fed up keep having to redo all my settings every time there is a new TOR version. Main reason is because of all the crap that Mozilla carries with it such as unwanted search engines, google links in about:config, https settings that I am still puzzled about, changing the Mozilla home page and suchlike. Could the developers not create a really stripped down version for those of us who do not want bells and whistles, but just a basic secure browser?

You don't have to redo all your settings with each new Tor Browser version. Download it once, configure it as you please and just use the internal updater. It won't touch your modifications (if so, then this is a bug that needs to get fixed).

My point is why do you still retain the automatic google links that firefox browser has. This alone is a security issue let alone all the other things such as 'network.http.sendRefererHeader ' and other settings which can be disabled?

TOR may be great but there still remains the need for a basic version stripped of every potential security leak that firefox creates.

Not sure what you meant with security leak but I guess you find at least some answers in our design documentation:

I guess this sounds weird, I felt weird too. When I installed the new 4.0.3, I installed it in a new folder instead of the default folder which will overwrite my 4.0.2. After I installed 4.0.3, I ran it and went to bridge setting, to my surprise, it didn't show obfs3, instead there is a line under "enter custom bridges", this surprised me, I do not understand how did it come? feels like all my connections will go through that "I am not aware of" relay, which means it captures all my connection information. Can someone help to give me some information how could this happen? thanks.


what does it mean by permanent "Allow" commands in the command in private window???


You'll have to provide some more context before anybody can guess what you're talking about.

The test of with "Allow Script Globally" on NoScript says Local storage is enabled and should be disabled.

It recommends to open about:config and set to "false".

Is this recommended or not? Thanks.


January 24, 2015

In reply to by Anonymous (not verified)



Last I checked, site was a plain, unencrypted, unauthenticated http; not httpS SSL/TLS.

That means when you visit the site, you are at the mercy of your exit node, which can tamper with and manipulate the content.

And yet people continue to take this "" seriously?

Am I missing something here?

True. But it is still the best test for Tor-browser-anonymity. When you are unsure, then don't turn off your script settings.

i believe the question was "Is this recommended or not?" but not about personal opinion to believe or not. and no need to check when it was clearly typed http://...

Why does the Tor Browser included with Tails not have all the pluggable transports offered in the non-Tails Tor Browser?

Would love to know the reasoning behind this epic fail

I downloaded Tor on it's own and I use Tor with Google Chrome, is that safe?


No. Use the Tor browser.

and do not forget to do much handwork to disable google, rc4, useragent, js etc.