Tor Browser 4.0.4 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Note: The individual bundles of the stable series are signed by one of the subkeys of the Tor Browser Developers signing key from now on, too. You can find its fingerprint on the Signing Keys page. It is:

pub 4096R/0x4E2C6E8793298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7
DE68 4E2C 6E87 9329 8290

Tor Browser 4.0.4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Additionally, it contains updates to NoScript, HTTPS-Everywhere, and OpenSSL (none of the OpenSSL advisories since OpenSSL 1.0.1i have affected Tor, but we decided to update to the latest 1.0.1 release anyway).

Here is the changelog since 4.0.3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update HTTPS-Everywhere to 4.0.3
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
Anonymous

February 25, 2015

Permalink

AVG just flagged 4.0.4 as an unknown threat, and killed the exe file. I have had no issues with TOR until the newest update. Is anyone else having that issue?

same problem ... disabled AVG ... installed 4.0.4 ... scanned TOR directory with MS Security Essentials ... found no issue ... reactivated AVG ... scanned TOR directory with AVG ...no issues. TOR works fine so far.

only when I attempted to connect to the tor network. :P
I also noticed when you try and set ExitNodes {AU} It no longer works. (causes tor to crash and can't open) Had to re-install tor >_> Anyone who is having that problem let me know :P

Have you found a solution for this? I used to change the ExitNodes in torrc with the previous versions, but can't find a way to access the geo blocked content with the 4.0.4 version.

Anonymous

February 25, 2015

Permalink

Thanks for another great release! The team has been doing an excellent job of closing the gap between TBB updates and Firefox updates.

Anonymous

February 25, 2015

Permalink

Hi,

I can't find the public key corresponding to the .asc files given for the english linux64 TOR browser packages here: https://www.torproject.org/projects/torbrowser.html.en#downloads

I get the following:
$ gpg tor-browser-linux64-4.0.4_en-US.tar.xz.asc
gpg: Signature made Wed 25 Feb 2015 07:55:16 GMT using RSA key ID F65C2036
gpg: Can't check signature: public key not found

And F65C2036 also does not seem to be listed here:
https://www.torproject.org/docs/signing-keys.html.en

Key retrieval also fails:
$ gpg --keyserver keys.gnupg.net --recv F65C2036
gpg: requesting key F65C2036 from hkp server keys.gnupg.net
gpgkeys: key F65C2036 can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

All my previous TOR downloads used to be signed with key RSA key ID 63FEE659 by Erinn Clark.

Anonymous

February 25, 2015

In reply to by Anonymous (not verified)

Permalink

For the benefit of Tor users, could Tor developers confirm whether pool.sks-keyservers.net is reliable, meaning, it doesn't host fake and modified keys uploaded by the NSA, GCHQ or other government surveillance agencies.

AFAIK any modification of a key results in a change of its fingerprint and a key server can't change anything about it, thus presence of modified keys on the key server is irrelevant (until GPG itself is definitely broken).

look at the very bottom of https://www.torproject.org/docs/signing-keys.html.en, sub #2:

  1. pub 4096R/0x4E2C6E8793298290 2014-12-15<br />
  2. Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290<br />
  3. uid Tor Browser Developers (signing key) <<a href="mailto:torbrowser@torproject.org" rel="nofollow">torbrowser@torproject.org</a>><br />
  4. sub 4096R/0x2E1AC68ED40814E0 2014-12-15<br />
  5. sub 4096R/0x7017ADCE<strong>F65C2036</strong> 2014-12-15<br />
  6. sub 4096R/0x2D000988589839A3 2014-12-15

Thanks to all who replied. I managed to get the key in the end using:
gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

In case other people get this error:
gpg: requesting key 93298290 from hkp server pool.sks-keyservers.net
gpgkeys: key 4E2C6E8793298290 can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Check first that you do not have any special proxy setup like me. ;)
I could never import the key from a terminal and then tried via the KGpg GUI and it worked. It turns out I forgot to unset the http_proxy/https_proxy variables in bash after a recent setup change.

Quote: All my previous TOR downloads used to be signed with key RSA key ID 63FEE659 by Erinn Clark.

I'm wondering about it too.

Has Erinn Clark crossed over to the Dark Side to work for the NSA? I was told that NSA pays about US$70,000 to US$100,000 per MONTH for top talents.

Well, I am no GPG expert, but it seems that Erinn Clark signed the new key 0x4E2C6E8793298290 with her old one 63FEE659:

$ gpg --list-sigs 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key)
sig 63FEE659 2015-01-13 Erinn Clark
sig 4B7C3223 2014-12-15 [User ID not found]
sig 3 93298290 2014-12-15 Tor Browser Developers (signing key)
sub 4096R/F65C2036 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key)
sub 4096R/D40814E0 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key)
sub 4096R/589839A3 2014-12-15
sig 93298290 2014-12-15 Tor Browser Developers (signing key)

Also, for those worried about the validity of pool.sks-keyservers.net, hkp://keys.gnupg.net also works to get the key.
But from what I know about public keyservers, that's just because they all exchange keys together. And anyone can submit keys there anyway.

I guess the best would be to meet the developers and do some keysigning...

Anyway, the new TOR browser 4.0.4 works as expected for me.

Yes! Same problem here. This is just not how it's supposed to go. I also expected this to be signed by Erinn Clark with one of the following key IDs:

91FCD12F
63FEE659

I see a post here that tries to explain this:
https://blog.torproject.org/blog/tor-browser-404-released

I would like for this message/blog post to be signed by Erinn Clark's key but what I do find instead is mostly ok.

Go to the pgp.mit.edu server and enter the ID specified on that page (0x4E2C6E8793298290) You will see a key associated with Tor Browser Developers (signing key) and you will see that it is signed by 63FEE659 a.k.a. erinn@debian.org.

So I trust this new file and will use it.

Anonymous

February 25, 2015

Permalink

good job

Anonymous

February 25, 2015

Permalink

While I was using Tor Browser 4.0.4, I visited an HTTP website.
Within a few seconds of me visiting the HTTP website, I saw words and images on the website being removed and changed. While I was on the HTTP website, I got a message saying, "Hello Tor user, Tor stinks and is not anonymous anymore".
When I left the HTTP website, everything went back to normal, and I haven't visited a website that doesn't use HTTPS/SSL since.
Was someone conducting a Man In The Middle Attack on me while I was visiting that HTTP website?

Anonymous

February 25, 2015

Permalink

My Mac version has modified date of 1999 and create date of 2000 -- it's also about 24k smaller. ??? What's this about ???

Anonymous

February 25, 2015

Permalink

Getting AVG unknown threat for versions 4.0.4 and 4.5a4

Previous versions were ok

AVG version is 2015.0.5645

Virus database version is 4299/9181

Running win 7 ultimate 64bit

Anonymous

February 25, 2015

Permalink

Forgot to add: AVG identifies the threat on install

Anonymous

February 25, 2015

Permalink

Auto-updates in TBB is only update the Tor Browser not the Tor Browser Bundle, is it OK?

Anonymous

February 25, 2015

Permalink

How to verify the Tor Browser after updating from Tor Browser itself, as I am very worried about anything without verification.

That is tricky. Your best bet is to not use the built-in updater until the 4.5 alpha series is the new stable one. There the update files are signed by one of the Tor Browser developers and the Tor Browser is refusing any unsigned/wrongly signed updates.

We believe it is secure enough to allow updates via the in-browser updater. If you think your update files should be signed please try the current alpha series where this feature already landed.

Got really insecure when that auto-updater first
came up and told that 4.0.4 was out.

that's kinda risky since people can't check the
original keys and compare them before installation.

however, could you guys please name the releases
more specific just as in the blog? to be able to see
when it's an alpha/stable version in to see in the update
manager and not just the number of version, like this time (4.0.4).

the less information aviable, the more people will get insecure.
will there be any keys aviable in the next versions of update-manager?

The alpha has an "a" in its version scheme, like "4.5a4". So, you can differentiate between both series pretty easily. That said, yes, the current alpha is supposed to be the next stable in 6 weeks and will have the singed MAR files feature implemented.