Tor Browser 4.0.4 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Note: The individual bundles of the stable series are signed by one of the subkeys of the Tor Browser Developers signing key from now on, too. You can find its fingerprint on the Signing Keys page. It is:

pub 4096R/0x4E2C6E8793298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7
DE68 4E2C 6E87 9329 8290

Tor Browser 4.0.4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Additionally, it contains updates to NoScript, HTTPS-Everywhere, and OpenSSL (none of the OpenSSL advisories since OpenSSL 1.0.1i have affected Tor, but we decided to update to the latest 1.0.1 release anyway).

Here is the changelog since 4.0.3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update HTTPS-Everywhere to 4.0.3
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
Tags
tor browser bundle
tor browser
tbb
tbb-4.0

There is no verification (like checking a GPG signature) in the current stable series available: We just pin the cert that governs the download of the metadata and then check whether the SHA512 sum of the downloaded MAR file matches.

Yes, you can manually verify that. Check the MAR file of your OS/locale combination in the sha256sums file you can find in https://dist.torproject.org/torbrowser/4.0.4/ according to the advanced part of our verification documentation: https://www.torproject.org/docs/verifying-signatures.html.en. Then install that MAR file manually following the Mozilla documentation: https://wiki.mozilla.org/Software_Update:Manually_Installing_a_MAR_file

No one can find 2 different files with same SHA512 sum, so why it isn't secure enough, cert? If that should I enable update automatically in Tor browser add-ons manager?

For Windows, download and extract the Tor Browser exe file, use WinMerge to compare this folder with your older browser folder, all files should be identical with the older browser having extra files due to being used.

Anonymous

Anonymous (not verified) said:

February 25, 2015

Permalink

How do I force the browser to use US IP addresses only? I did it in the previous version, but now it's not working. Any help would be great! Thank you.

Anonymous

Anonymous (not verified) said:

February 25, 2015

Permalink

With all due respect, the new "Forbid making permissions permanent in NoScript" has broken the "Allow Javascript on this site!" functionality. There are some websites that people like myself would like to allow scripts for permanently because they are trusted websites.

Is there anyway to turn off this regression (in my mind)?

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

I have downloaded tor-browser-linux64-4.0.4_en-US.tar.xz. I have also read the page on who signs what packages. There seem to be a couple of anomalies. The primary key fingerprint suggests that there is no problem. The subkey fingerprint doesn't appear to match anything on the page about who signs what. Additionally the date on which the signature was made shows as 25 Feb, not a date in January as appears in the blog. Have I misunderstood something? Is the date of creation of the signature the date on which the package was signed (in which case 25 Feb sounds right) or is it meant to be the date on which the Fingerprint was created, in which something doesn't match.

More generally, I'd appreciate knowing whether it is possible (i.e., I'm not asking whether it is the case here) that a primary key fingerprint could be non-fraudlent at the same time as a subkey fingerprint was wrong? I guess I don't understand how primary key and sub-key relate to one another.

The output from gpg for the verification check is ...

Veryifying the file tor-browser-linux64-4.0.4_en-US.tar.xz
... using signature file tor-browser-linux64-4.0.4_en-US.tar.xz.asc
gpg: Signature made Wed 25 Feb 2015 18:55:16 AEDT
gpg: using RSA key 7017ADCEF65C2036
gpg: Good signature from "Tor Browser Developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

I don't really mean to be pedantic, but being a newcomer to TOR I want to make sure that everything is as it should be.

I followed your instructions on verifying the signatures (https://www.torproject.org/docs/verifying-signatures.html.en
but got a few variations to what you say.

You say:
gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
I got
gpg: Signature made 02/25/15 07:55:56 GMT Standard Time using RSA key ID F65C203
I understand that the date and time will be the time I make my enquiry (will they?), and I assume there is no problem here (is there?) BUT the RSA key ID is different from what you say.

Also, you say:
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
I got
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036

I take it that this is OK as well and there is no problem getting a 'subkey fingerprint' as well but I would just like to make sure.

Thanks for your clarification.

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

Yeah I'm also having that problem with exitnodes... When I edit the torrc file.
ExitNodes {AU}

It just causes tor to crash on the tor startup... Had to delete then re-install ._.

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

I log-in my google plus page normally by using Tor Browser. However,I cannot use hangouts in google plus ,it says "please sign in to chat with your friends",and I tried so many times to sign in, but still failed yet. Why?

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Yup fine

but...

Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036

Is this the correct subkey fingerprint? Why not just also list the subkeys here and make it simple?

Verifying the top-level key automatically verifies the subkeys because the sub-key IDs are in the top-level key. It's way easier to verify 1 key regardless of OS is way simpler than people trying to find the correct one.

The problem is, that on the blog was mentioned one particular subkey that wasn't actually used. The release is signed with other (AFAIK) valid, but nowhere published subkey - that's confusing for users - for example using Kleopatra graphical interface for verification gives a result like the subkey was entirely invalid (because the main key doesn't contain it). The used subkey should be at least uploaded to a key server.

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

WARNING !!!!!!!!!!!!
Possible backdor in Windows 10. After installing Tor, I recognise severeal unauthorised comunications of windows application via unknow servers. One came from Windows email client, and another one was comming from some windows update application. Anti-Virus software recognised also one trojan and one virus app which were installed when I was not in front of PC.
Before Tor installing everything was perfectly fine. I don't download any files after tor instalation and I use tor only in couple of standard sites.
I'm not expert but I suspect that Tor activity is strictly monitored and agencies have backdors is MS systems...
Sorry for my English...

Anonymous

Anonymous (not verified) said:

February 27, 2015

Permalink

Go to https://tails.boum.org/ and download and use Tails. Tails is based on Debian, a Linux distribution. You won't have to worry about backdoors in MS systems 'cause Tails does not use Microsoft.

Anonymous

Anonymous (not verified) said:

February 27, 2015

Permalink

WARNING !!!!!!!!!!!!
Possible bullshit alert!

because censoring the tor project blog would be the most ridiculously hypocritical thing i could think of. Also, shockingly, a lot of vulnerabilities are found by end users, if this turned out to be right you wouldn't be so judgmental

Anonymous

Anonymous (not verified) said:

March 02, 2015

Permalink

Try to not use Windows directly connected to the Internet. It is a private closed source commercial OS controlled by company close to infamous agencies. In extremal situation it is better to install VirtualBox and use Tails.

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

I have problem:

Error: platform version 31.5.0 is not compatible with
minVersion >=31.4.0
maxVersion<=31.4.0

What does it mean and how can i fix it?

Interesting. Could you give us some details hoe you get to this error? Like th operating system you are using which previous Tor Browser version etc. in order to get that reproduced?

Well, for some reason you can't use the built-in updater to get an up-to-date Tor Browser. It seems you have to get a new one via https://www.torproject.org/download/download-easy.html.en

Anonymous

Anonymous (not verified) said:

February 26, 2015

Permalink

hi is chat step safe with tor?i tried chat step with tor but i cannot join or create a room bcz the buttons are unresponsive.

also i get a untrustworthy site message .

Anonymous

Anonymous (not verified) said:

February 28, 2015

Permalink

I had a few problems on the alpha releases, not the last one though.
there was several sites that i couldn't visit, videos was blocked on
every site. and videos on youtube for example was slow as hell,
stoped and started every 3 second, damn annoying.

however are now able to visit these sites again, are also able to
watch videos on other sites. if there is anything to point finger at
it is the loading of videos, doesn't matter if you wait or not since
the videos doesn't seem to load at all, they are stuck at the same
time lap as when you paused the video, so when you start running
it again it continue to stop, load, stop, load. this is not the case
everytime. if you find a good connection that allows videos to play
like the should, it's ok for a while, but after some time the connection
is interrupting it again.

so my only problem now seem to be videos. but that seem to be
the only case, everything else seem to work proparly and good.
so thank you guys for a great job!

keep it up!

Anonymous

Anonymous (not verified) said:

February 28, 2015

Permalink

Instead of this mess about verifying keys (how many people around the world can meet physically the Tor staff members ?)

WHY don't you simply give us a MD5 hash from each original file (not possibly modified by bad guys) ????

So it would be easy to know if we have DL the original file or not...

Anonymous

Anonymous (not verified) said:

February 28, 2015

Permalink

When collecting information on Tor Browser usage, how do you determine if a standalone Tor Browser is used or a Tor Browser included with Tails is used?

Anonymous

Anonymous (not verified) said:

February 28, 2015

Permalink

The key for Tor Browser Developers (signing key) could use some more signatures from Tor project people. That way, those of us who have met in person and confirmed keys can have slightly enhanced assurance levels, intead of entirely chaining through their signatures on Erinn's key.

Anonymous

Anonymous (not verified) said:

March 01, 2015

Permalink

Off Topic re Facebook's onion access 'portal'. Why is it that if you set up a profile through this portal and enter NO identifying information especially geo-location Facebook will ask you for the 'city in which you live'; one of these options WILL be your city and the other two two will be in close proximity (to where the first 'hop' on your ISP routing resides). Are Facebook using JavaScript or some other technique to uncover IP addresses. Have a creepy feeling that this Facebook onion portal is not as 'anonymous' as we are led to believe.

Anonymous

Anonymous (not verified) said:

March 01, 2015

Permalink

Incidentally, the Facebook onion 'portal' is complete and utter crap; it does nothing but constantly re-load the page; ah well, back to non-Tor access to Facebook... ;)

Anonymous

Anonymous (not verified) said:

March 01, 2015

Permalink

My 'anonymous' onion Facebook is now asking where I work; one of the option is a specific place just a few hundred metres away. How does Facebook manage this tracking stuff? Anyone know?

Anonymous

Anonymous (not verified) said:

March 01, 2015

Permalink

So it verified that this new version of TOR has been hacked and hijacked by big brother. I'm switching over to Freenet and I2p.
Last best version of Tor was 4.0.3.

Similar to what happened with Truecrypt 7.1a
Sad.

Anonymous

Anonymous (not verified) said:

March 01, 2015

Permalink

Why would I be seeing [ .../dev/?_escaped_fragment_=... ] on some http and onion sites? Could it be something I changed in NoScript? I'm not a developer and from my extremely limited understanding it has something to do with crawling.

Anonymous

Anonymous (not verified) said:

March 01, 2015

Permalink

I've been having an issue with 4.0.3, and now it's continued with the new release as well; It's not an issue with the build, but trouble I'm experiencing on my end.
Everything runs as expected the 1st time during installation; However when I close TBB and attempt to re-start it later, I'm unable to connect and receive an (win64) error message that includes:

Problem Event Name: APPCRASH

Fault Module Name: d2d1.dll

This started after I was having memory (leak?) issues and I tried to see if it could be resolved in about:memory, but I ended up screwing something up which started the issue with 'd2d1.dll'. I'm not sure why it would affect that specific .dll in the system folder, but I'm an idiot so I donno.

If d2d1.dll is corrupted, could I replace it and expect everything to work fine again?
And if so, could you recommend a reputable resource, as I never made a back-up disc or set a restore point.

Any help would be greatly appreciated...

I'm so sorry for not responding sooner, gk. I swear I checked every few minutes for days but didn't see my comment posted and grew increasingly frustrated since I had to repeatedly re-install Tor Browser. I gave up hope and have been begrudgingly re-installing TBB every other day :) .
I was searching the tubes through ddg and was surprised to find someone had the same problem. After clicking the link I wound up right back where I started a month ago. lol. I just saw your comment so I'm going to take your advice and report back.

Thanks again. Fingers Crossed!

Thank You Jeebus!!!

gk, You are the Best! It worked perfectly!

"gfx.direct2d.disabled" and "Layers.acceleration.disabled" were both set to "false." They were in bold in about:config, so I don't know how or when the change occurred, but yeah these were after clean installs. after installing, everything worked as expected when prompted to 'run tor browser', but after closing and re-starting Tor Browser, tor.exe wouldn't connect.

I'm curious as to what could have caused the modification to these specific application settings, since it's nearly identical to my firefox configuration?

anyway,

I just wanted to thank you again, gk. I feel guilty about bugging you guys with something every release, but you and arma always help out with any issues I have.

Thank You!!!

Anonymous

Anonymous (not verified) said:

March 02, 2015

Permalink

I have an impossible to update for "unknown reason". Where can I check for a log file to understand what went wrong? Thanks.