Tor Browser 4.0.5 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.5 is based on Firefox ESR 31.5.3, which features important security updates to Firefox. Additionally, it contains updates to Tor and NoScript.

Note to Tor Browser alpha users: There won't be a corresponding alpha release based on Firefox ESR 31.5.3 this time, as we are currently in the midst of preparing releases based on ESR 31.6.0. Alpha users who can't wait another week are strongly recommended to use Tor Browser 4.0.5 in the meantime.

Here is the changelog since 4.0.4:

  • All Platforms
    • Update Firefox to 31.5.3esr
    • Update Tor to 0.2.5.11
    • Update NoScript to 2.6.9.19

where is the onion program which allows you to view the connections made by tor? when windows downloads tor it's only the browser?

Anonymous

March 23, 2015


Same problem was with 4.0.4
AVG flagged 4.0.5 as an unknown threat, and killed the exe file

Anonymous

March 24, 2015


thanks so much !
i love Alpha version more than stable, coz i am able to see tor circuit. it's very useful

How/where are you able to see the circuit in the browser? One of the TBB devs showed me this feature on their computer months ago but thought it still wasn't released yet because I don't have it in 4.5a4 on Linux (Tor Button 1.8.1.3). I want this feature!!

It is in the alpha series available. Make sure you are not on a local website (like about:tor) and click on the green onion. Then you should see the circuit for the website you have open. If that does not work, please give steps to reproduce your issue.

The steps to reproduce are here: https://trac.torproject.org/projects/tor/ticket/12745

I don't know if this issue affects the automatic upgrader, but it certainly still affects Tor Browser Launcher (which remains the only way to install Tor Browser on Debian/Ubuntu that doesn't involve a terminal, which average humans shouldn't need to be asked to do) as well as the manual-upgrade method (which many reasonable people still use because the built-in upgrader apparently doesn't verify GPG sigs yet).

I get the feeling that the importance of TBL is not appreciated by the core TBB devs; if so, you should really come to a cryptoparty sometime and see what happens when novice linux users attempt to install TBB without TBL.

As I said in another reply which is still in the moderation queue, I am still affected by trac ticket #12745 (which I filed 8 months ago). But after just following the steps I posted on that ticket to get the latest Tor Button (moving me from 1.8.1.3 to 1.9.0.0), and also after trying again with a completely fresh 4.5a4, I still don't have the circuit display. I've never seen it on my computer. I'm running debian wheezy.

My apologies!

It turns out I wasn't seeing the circuit display because I set the TOR_CONTROL_PORT, TOR_CONTROL_PASSWD, TOR_SKIP_LAUNCH, TOR_SOCKS_HOST, and TOR_SOCKS_PORT environment variables to use my system tor. I am seeing the circuit display now if I let TBB launch its own tor.

Ticket #12745 (upgrading by untarring the new release over the old one, as Tor Browser Launcher does, results in using an old version of the Tor Button extension) still remains a reproducible issue, though.

I had the same problem, the solution was that my system tor needed to be updated to 2.6 for this feature to work

After installing (Windows 7) and starting Tor Browser 4.0.5 I often get "tor.exe is damaged". The only stable version on my Windows 7 enterprise is Tor Browser 3.5.6.

Thank you again for all your hard work.
Unfortunately with the 4.0.5 update my Gmail inbox has rendered a mess. Messages in the inbox view are now taking up 3 times as much space as a normal message usually does on the screen.

Not sure if this is a TBB problem or a GMail one but thought I'd mention it in case anyone else has the same issue.

Shouldn't https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions stop recommending 4.5a4 since it has critical bugs?

(I wonder what happens to TBB's new upgrader when all recommended versions are older than the current one. I'm pretty sure torbrowser-launcher (an old version of which accidentally upgraded to the alpha due to it having "a" instead of "alpha" in its version string) isn't going to be happy; i'm working on submitting a patch to it to allow it to switch between stable and testing releases).

Good question. We are basically about to start building a new alpha based on 31.6.0 and decided that a warning on the blog is enough for now. Not ideal but we have nothing better for this one week gap. Regarding the auto-updater: It is not bound to the RecommendedTBBVersions. If you don't have a recommended version (e.g. a nightly) then your green onion starts flashing but there is no (other) (update) hint.

Hi. Can't post here:
forums.hardwarezone.com.sg

Did the forum ban tor?

Works for me.

are you using any special settings?
try with and without obfs3, can't log in...

This might be unrelated to your problem.
httpseverywhere trouble in tbb 4.0.5 is described in https://support.mozilla.org/en-US/questions/970533 "The connection has timed out" -- solved by disabling site rule.
The site ((should i declare site, or is this a secret?)) is noscript friendly. I load page from https bookmark and far as i know, site always loads as https. Perhaps the page loads some urls that cause the trouble.
I had not visited the site for many (6?) months, so the trouble may not be new in recent tbb or httpseverywhere.

Trusting the tor project blindly (foolish) I updated to the new bundle but ... all my whitelist options and bookmarks were gone! So I guess I'll have to start all over again. Can't this issue be solved any other way? Also I notice that when I open a new tab to start a new search on the start page field, the field is not empty but keeps the intended search of the previous tab. All in all minor issues considering the great job the Tor browser and Tor Project does, thank you!!

Did that happen while using the built-in updater? If so, could you give us steps to reproduce this behavior?

As for the search bar behaviour, the Searchload Options add-on might be a good solution; works for me.
https://addons.mozilla.org/en-us/firefox/addon/searchload-options/

yeah, i've gotten in the habit of always backing up my noscript prefs and bookmarks before installing a new version.

it has the added bonus of serving as a regular back-up, in case anything happens (for example accidentally deleting a bookmark).

i don't whitelist any noscript domains, as that could have some impact on anonymity.

You can backup your bookmarks. Bookmarks - Show all bookmarks - then click on Backup button. Anyone know about whitelist though?

as of only months ago, and for many years preceding. noscript's domains and afaik all settings have been in firefox' prefs.js

Thanks for the quickly updated release.

One question, will a future update include updated OpenSSL libraries (updates released on the 19th of March) to resolve any issues that affect Tor? Thank you.

It will eventually but the bugs found are not urgent in the context of Tor. Thus, it might happen that the update is taking a bit.

Sounds good. Thanks again.

do any other linux users have the issue where the initial connection dialog (ie connect or censored) once you press connect and the connection initialization window causes alt-tab to stop working. Only for the duration of the existence of that window? am using Fedora 21.

Works for me on an Ubuntu 12.04.

Are you going to provide a feature to force new identity for all upcoming connections?

No.

Downloaded 4.05 bundle today on Macbook Pro using OS X Yosemite. Prior version of Tor worked fine but now browser opens only to start page. When a search is attempted, I receive a gray box Saying "unable to find the proxy server" and "Firefox is configured to use a proxy server that can't be found."

I opened Preferences, Advanced, Network, Settings. I tried each of the Proxy options to no avail. (The manual configuration boxes are empty, so no surprise there.)

Also, what happened to my Bridges? I don't even find anywhere to add bridges anymore.

Any advice?

gpg: Signature made Mon 23 Mar 2015 07:42:41 AM EDT using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

Subkey fingerprint is nowhere to be found at
https://www.torproject.org/docs/signing-keys.html.en

It is. I just found it there.

EDIT: sub 4096R/0x2E1AC68ED40814E0 2014-12-15. I see what you mean. There is actually https://bugs.torproject.org/15253 which I'll fix in the coming days.

I used the auto-updater to update from Tor Browser 4.0.4 to 4.0.5 with Linux 32bit on Debian Wheezy. After auto-updating I click the 'restart' button. Tor restarts and then the configuration window comes up asking me if I want to connect directly to Tor or use a bridge.

4.0.4 was configured to use the meek-google bridge. I don't click on any configure buttons and Tor 4.0.5 gets to 100% connection status and connects to meek-google bridge automatically, but Tor web browser doesn't launch and the configure window just sits there blocking Tor web browser from launching.

So I close the configure window, which disconnects Tor. Then relaunch Tor, but this time the configure window doesn't come up and the Tor web browser launches when the connection status gets to 100%. A window pops up saying "Tor has been successfully updated."

Sorry to post this here. I know I'm supposed to use a bug report.

I added your comment to ticket #13247.

I have noticed this with a lot of SSL/TLS websites, they accept either SSL 3.0 or the RC4 cipher. Why do some SSL/TLS websites accept SSL 3.0 or RC4 when SSL 3.0 is unsecure and when RC4 is also unsecure?
I'm glad torproject.org does not accept SSL 3.0 and RC4.

Anyone else experiencing massive problems with CloudFlare ever since the 4.0.5 update? It has always been very very annoying, but now there's an infinite CAPTCHA loop which cannot be overcome anymore at all :/

My longer comment got blown out when i looked away...
So short reply is:
use google cache. google blocks tor, but google cache does not.

1. find on web or create a google cache bookmarklet
or my choice:
2. create a "Quicksearch" keyword search bookmark for google cache
create title that indicates is Quicksearch type bookmark. i add % symbol and place Quicksearches in a separate folder.
this is url of my google cache bookmark:
https://webcache.googleusercontent.com/search?q=cache:%s
create a keyword that you will remember as is not a real word.

usage: move cursor to beginning of url in addressbar. enter your keyword and a space character. press Enter key (or click goto button)

btw, quicksearch is not keyword search. the latter can be privacy hazard. To avoid hazard, i disable the pref keyword.enabled

Can confirm. You can solve a captcha x times and it always goes back to a new captcha.

First: Thank you for TB!! Great and good work!

Unfortunately, browsing the web with your latest TOR-Browser I can't solve any captchas anymore! Neither UL.to nor share-online.biz ... you name it....

So downloads became impossible since yesterday :-(
Does anybody else experience the same?

Yeah I have same problem with captchas. I can't see the pictures needed to solve captchas when using Tor Browser.

I still cannot edit the certificates in Tor browser, please fix it as soon as possible!

One more thing: why not consider deleting CNNIC Root by default?

http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-ce…

"On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC "

CNNIC belongs to Chinese government, and China is a totalitarian country. CNNIC Root and other Chinese certificates cannot be trusted by anyone!

i believe disabling 'edit certificates' in tb is made on purpose. it makes it more difficult for you to have your own decision whom you trust and strictly binds you to decisions made by browser designers. and they are controlled by ceo. and ceo follows recommendations from fascist governments.
btw why is chinese ca less trusted than us ca while us is a police state? will you feel more comfortable if google certificate was issued by some nsa affiliate and such https site is placed at your internet provider? for now who controls ca controls internet security.
funny, google.nsa talk about 'unauthorized digital' certificates. in reality any certificate is legal for browser/windows if it is signed by trusted ca. so you are forced to trust all those secretly updated root cas in your browser/windows bundle.

Cloudflare captchas aren't checked properly it seems.
Stuck in endless loop.
Clean install 4.0.5.

Please sort out the GPG signatures. My download of TBB 4.0.5 has this accompanying signature that gives me this result:

Signed on 2015-03-23 13:40 with unknown certificate 0xBA1EE421BBB45263180E1FC72E1AC68ED40814E0.

This appears not to be a valid subkey of any known signing keys (and there are too many of them already) of tor project. To me it looks like an attack.

That one is valid and mentioned as sub 4096R/0x2E1AC68ED40814E0 2014-12-15 on the signing key page.
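
The subkey question raised in the two signature threads above can be settled mechanically: gpg's machine-readable VALIDSIG status line carries the fingerprint of the key that made the signature and, as its last field, the fingerprint of the primary key that key is bound to. The following shell sketch is an added example, not code from the Tor Project or the commenters; the function names and the constructed sample status lines are assumptions, and both fingerprints are the ones quoted in the thread.

```shell
#!/bin/sh
# Primary-key fingerprint as printed in the gpg output quoted above,
# spaces removed. Pin the primary key, not the signing subkey.
TBB_PRIMARY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Constructed status output (not captured from a real gpg run), built from
# the two fingerprints quoted in the comments above.
SAMPLE_STATUS='[GNUPG:] GOODSIG 2E1AC68ED40814E0 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG BA1EE421BBB45263180E1FC72E1AC68ED40814E0 2015-03-23 1427110961 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# check_validsig PINNED_FPR   (reads gpg --status-fd output on stdin)
# Succeeds only if there is exactly one VALIDSIG line, no bad/expired/revoked
# status, and the primary fingerprint (last field) equals the pinned value.
check_validsig() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            n++
            signer = $3     # key that made the signature (may be a subkey)
            primary = $NF   # primary key that the signing key belongs to
        }
        END {
            if (bad || n != 1 || toupper(primary) != toupper(pinned)) exit 1
            print signer    # report which (sub)key signed
        }'
}

# verify_download SIGFILE DATAFILE: run gpg against the default keyring.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_validsig "$TBB_PRIMARY_FPR"
}

# Demo on the constructed sample: prints the signing subkey fingerprint.
printf '%s\n' "$SAMPLE_STATUS" | check_validsig "$TBB_PRIMARY_FPR"
```

The check fails closed on gpg versions that omit the trailing primary fingerprint, and the pinned value should come from a source independent of the download being verified.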