Tor Browser 4.0.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.

Here is the changelog since 4.0.2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update NoScript to 2.6.9.10
    • Update meek to 0.15
    • Update Tor Launcher to 0.2.7.0.2
      • Translation updates only

Anonymous

January 23, 2015

Update on this attack from 2014: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traf…

https://nakedsecurity.sophos.com/2015/01/23/silk-road-2-0-deputy-arrest…

"A 6-month infiltration of Tor

According to Larson's search warrant, the Silk Road 2.0 investigation has been based on a six-month infiltration attack launched against Tor, the anonymizing service that kept Silk Road 2.0 users anonymous.

From January 2014 to July 2014, agents managed to get what Larson described as "reliable" IP addresses for Tor and for services hidden behind its layers, including Silk Road 2.0. That included its main marketplace URL, its vendor URL, and its forum URL.

Agents used this data to track down Silk Road 2.0's servers, which resulted in the site's takedown in November 2014.

The data was also used to identify another 17 black markets hidden on Tor. Larson didn't give details on these other Tor-hidden markets."

Please share

Anonymous

January 25, 2015

Re Mozilla corp. It's about time they were investigated as to how they can afford to give the whole world a free browser without ads paying them. Who pays I wonder? Yet TOR is based on this flawed browser?

And, yes, the fact that Mozilla makes their money* from the likes of Google and Yahoo, should warrant wariness about any claims made concerning "protecting your privacy", etc.

(*enough to pay pretty generous salaries to their top-cats, like most "non-profits")

Anonymous

January 27, 2015

Tor still has security problems, big ones.

I’ve noticed since using Vidalia to see all my connections, that the first connection is always the same one, even if the second and exit IPs change. Even if I log off for days, when I connect again, it always uses the same first IP as before. The only way to change this is to delete the whole installation, and reinstall again, which is a big pain.

If it were not for Vidalia, I would not be able to see this problem, and this problem has been around for about a year now. This never used to happen prior to that time with other versions, and is the same regardless of the PC I use, or which ‘updated’ installation I use.

Has anyone else seen this if they use Vidalia to see which connection is first? No matter how many new IP exits are made, the first connection remains the same, unless I delete the installation, and re-install, then there is a new one, but again, this new one locks again, and never changes, so the problem remains.

This surely must be a major security fault if you always get the same first connection? Are Tor developers even aware of this issue or do they not see it because not many people use Vidalia to see all their connections?

I've also re-installed Vidalia, and it does not influence the first IP, so it is not the problem, the problem is with Tor. Is there a log file that I can delete each session to erase any logs of the first IP?

Anonymous

January 27, 2015

Problem loading page on 99,9% of the time.

Should be renamed to Crap Network.

sth. strange...
I downloaded, verified (OK) and extracted 4.0.3.
The last-modified date of the newly created folder is 01/01/2000, same with the "start-tor-browser" file, whereas the "browser" folder has got the actual date...

Does it mean the download is corrupted, although verification was OK???

Hi, is chat step safe with Tor? I tried chat step with Tor but I cannot join or create a room because the buttons are unresponsive.

Also I get an untrustworthy site message.

Regarding all the problems with Firefox I wanted to suggest you to move to Pale Moon as a base (www.palemoon.org).

Pale Moon is a more conservative, stripped down, security concerned Firefox fork finely tuned for performance and without the much hated Australis UI. The developers already made a lot of tweaks you are doing to Firefox to make browsing more secure (and even some you don't - for example http://forum.palemoon.org/viewtopic.php?f=24&t=6262), so you could forget about re-doing them yourself and concentrate more on other aspects. They base their browser on older and thoroughly tested versions of Firefox, but still integrate last FF security fixes themselves.

There is a Windows and a Linux version available - both have 32 and 64bit optimized variants but dropped Windows XP support. There is also an ARM processor variant which will continue to support Windows XP and works also on all later versions of Windows, so you could just use this one to cover it all! And there is an Android version too!

Is there anything I'm missing in terms of this not being a suitable browser for Tor?

I would also like to ask you if it is OK to use HTTP nowhere add-on with Tor Browser and the reason you don't include it by default? Same question goes for http://convergence.io.

I have heard that allowing Frames (about:config: browser.frames.enabled true) is a threat to anonymity.

Is this true?

I am sure that we would all welcome your thoughts.

Thanks for all your work.

If you are using Tor Browser then this is false I think.

I need to use Twitter and it is necessary to enable Javascript. Will this compromise my Tor 4.0.3 Anonymity?

Many Tor Browser users have JavaScript enabled and are doing fine.

There are no known ways currently to use JavaScript to deanonymize you. It does increase the surface area (exposing more security vulnerabilities in the browser), but things like image rendering are bad news there too, and we don't hear about people trying to turn those off.

https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

OK, I also use a 256 encryption VPN and then open Tor. Does this increase protection and can a VPN of this type be hacked?

I'm pretty sure Tor Browser users are uniquely identifiable!
I found this bugtracker https://trac.torproject.org/projects/tor/ticket/11949 where developers say it's by design, but to me it seems a pretty bad leak...

The fingerprinting test http://fingerprint.pet-portal.eu knows it's me every time, even if I click on New Identity! And after restarting the browser or even reinstalling it's still me! So as the OP says it looks like my PC is uniquely identifiable even through Tor Browser.

Developers say Tor users are supposed to look the same, but this test shows exactly the opposite! If I run the test on another machine the test generates a different identifier, which of course again persists even when reinstalling Tor Browser. So PC1 has always one identifier and PC2 always the second!

I invite anybody who doesn't believe this to take the test and compare the identifier. Mine is c7ddf2f2639f4af5df92105cadef88d9, is yours the same? Please post your results if possible.

I don't know how the hash is getting generated. They collect the IP address, they say. So, if it goes into the hash as well it is not surprising that you get a different one after you clicked "New Identity" or tested on a different computer.

And no, making Tor Browser users ideally uniform leaks nothing besides the fact that they are using a Tor exit relay which is public information anyway.

The hash is being generated according to the fingerprint the browser leaks. Clicking on the "Details" tab gives you an overview of what info they got from you (tests I ran on other similar pages got even some more info).

Apparently I got misunderstood. Actually I wanted to expose the fact that I DON'T get a different hash, even if I click on New Identity (so the hash doesn't take the IP into consideration at all). And even after restarting the browser or reinstalling Tor Browser it's still me, meaning I get the same hash - let's say hash1. That would be OK if I got the same hash using the same browser on another PC, but no, there I get a different hash - let's say hash2, which is again always the same no matter what I do. This way the testing page always knows which PC I'm on. I didn't change any other settings or install any plug-in/add-on in either of the browsers, so I suspect it's something hardware related.

Maybe I don't understand something, but I still think Tor Browser users should always get the same hash, no matter what PC they are on.
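
Added example (not from the original thread or from the test site): a sketch of how a fingerprint id can stay the same across New Identity yet differ between two machines, assuming the test hashes only browser-reported attributes and not the IP, as the comment above describes. All attribute names and values are constructed; diffing the "Details" output of two machines this way shows which attribute tells them apart.

```python
import hashlib
import json

NETWORK_KEYS = {"ip"}  # assumption: the exit IP is not part of the hashed data


def fingerprint_id(attrs):
    """Hash browser-reported attributes in canonical order, ignoring network values."""
    kept = {k: v for k, v in attrs.items() if k not in NETWORK_KEYS}
    blob = json.dumps(kept, sort_keys=True, separators=(",", ":"))
    # SHA-256 truncated to 32 hex chars; the real test's hash function is unknown.
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:32]


def differing_attributes(a, b):
    """Return {name: (value_a, value_b)} for every hashed attribute that differs."""
    keys = (set(a) | set(b)) - NETWORK_KEYS
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


def linkable_groups(visits):
    """Group visit labels by fingerprint id; visits in one group are linkable."""
    groups = {}
    for label, attrs in visits.items():
        groups.setdefault(fingerprint_id(attrs), []).append(label)
    return sorted(groups.values())


# Constructed sample data: names and values are illustrative, not measured.
BASE = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "timezone_offset": 0,
    "plugins": [],
    "window_size": "1000x600",
}
VISITS = {
    "pc1_first": dict(BASE, ip="192.0.2.10"),
    "pc1_new_identity": dict(BASE, ip="198.51.100.7"),  # new circuit, same browser
    "pc2": dict(BASE, ip="203.0.113.5", window_size="1000x500"),
}

if __name__ == "__main__":
    for group in linkable_groups(VISITS):
        print("same id:", group)
    print("PC1 vs PC2:", differing_attributes(VISITS["pc1_first"], VISITS["pc2"]))
```
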

Why was this file added to Tor: "terminateprocess-buffer.exe*32"? I noticed in Task Manager that when deleted it closes Tor Browser; it takes forever now to go on websites.

Hello,

I would like to set up Tor Browser 4.0.3 to pick an IP address in France. It was easy to do with Vidalia, but I don't know how to proceed with the new Tor. Could someone help?

Best

I thought Tor got taken and was not safe anymore, is it safe?

"Taken"? No, it sounds like you've been reading bad media articles.

You might enjoy watching our 31c3 video ("state of the onion") from this past December.