Tor Browser 4.0.5 is released

by gk | March 23, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.5 is based on Firefox ESR 31.5.3, which features important security updates to Firefox. Additionally, it contains updates to Tor and NoScript.

Note to Tor Browser alpha users: There won't be a corresponding alpha release based on Firefox ESR 31.5.3 this time as we are currently in the midst of preparing releases based on ESR 31.6.0. Alpha users that can't wait another week are strongly recommended to use the Tor Browser 4.0.5 meanwhile.

Here is the changelog since 4.0.4:

  • All Platforms
    • Update Firefox to 31.5.3esr
    • Update Tor 0.2.5.11
    • Update NoScript to 2.6.9.19

Comments

Please note that the comment area below has been archived.

March 23, 2015

Permalink

Same problem was with 4.0.4
AVG flagged 4.0.5 as an unknown threat, and killed the exe file

March 24, 2015

Permalink

thanks so much !
i love Alpha version more than stable .coz i am able to see tor circuite.it's very useful

How/where are you able to see the circuit in the browser? One of the TBB devs showed me this feature on their computer months ago but thought it still wasn't released yet because I don't have it in 4.5a4 on Linux (Tor Button 1.8.1.3). I want this feature!!

It is in the alpha series available. Make sure you are not on a local website (like about:tor) and click on the green onion. Then you should see the circuit for the website you have open. If that does not work, please give steps to reproduce your issue.

March 24, 2015

In reply to gk

Permalink

Tor circuit is not available at all! it just available while using some Transports(obf3,obf4,fte..) at least for as i said

March 25, 2015

In reply to gk

Permalink

The steps to reproduce are here: https://trac.torproject.org/projects/tor/ticket/12745

I don't know if this issue affects the automatic upgrader, but it certainly still affects Tor Browser Launcher (which remains the only way to install Tor Browser on Debian/Ubuntu that doesn't involve a terminal, which average humans shouldn't need to be asked to do) as well as the manual-upgrade method (which many reasonable people still use because the built-in upgrader apparently doesn't very GPG sigs yet).

I get the feeling that the importance of TBL is not appreciated by the core TBB devs; if so, you should really come to a cryptoparty sometime and see what happens when novice linux users attempt to install TBB without TBL.

March 25, 2015

In reply to gk

Permalink

As I said in another reply which is still in the moderation queue, I am still affected by trac ticket #12745 (which I filed 8 months ago). But after just following the steps I posted on that ticket to get the latest Tor Button (moving me from 1.8.1.3 to 1.9.0.0), and also after trying again with a completely fresh 4.5a4, I still don't have the circuit display. I've never seen it on my computer. I'm running debian wheezy.

My apologies!

It turns out I wasn't seeing the circuit display because I set the TOR_CONTROL_PORT, TOR_CONTROL_PASSWD, TOR_SKIP_LAUNCH, TOR_SOCKS_HOST, and TOR_SOCKS_PORT environment variables to use my system tor. I am seeing the circuit display now if I let TBB launch its own tor.

Ticket #12745 (upgrading by untarring the new release over the old one, as Tor Browser Launcher does, results in using an old version of the Tor Button extension) still remains a reproducible issue, though.

March 24, 2015

Permalink

After installing (Windows 7) an starting Tor Browser 4.0.5 I often get "tor.exe is damaged". The only stable version on my Windows 7 enterprise is Tor Browser 3.5.6.

March 24, 2015

Permalink

Thank you again for all your hard work.
Unfortunately with the 4.0.5 update my Gmail inbox has rendered a mess. Messages in the inbox view are now taking up 3 times as much space and a normal message usually does on the screen.

Not sure if this is a TBB problem or a GMail one but thought I'd mention it in case anyone else has the same issue.

March 24, 2015

Permalink

Shouldn't https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions stop recommending 4.5a4 since it has critical bugs?

(I wonder what happens to TBB's new upgrader when all recommended versions are older than the current one. I'm pretty sure torbrowser-launcher (an old version of which accidentally upgraded to the alpha due to it having "a" instead of "alpha" in its version string) isn't going to be happy; i'm working on submitting a patch to it to allow it to switch between stable and testing releases).

Good question. We are basically about to start building a new alpha based on 31.6.0 and decided that a warning on the blog is enough for now. Not ideal but we have nothing better for this one week gap. Regarding the auto-updater: It is not bound to the RecommendedTBBVersions. If you don't have a recommended version (e.g. a nightly) then your green onion starts flashing but there is no (other) (update) hint.

March 24, 2015

Permalink

Hi. Can't post here:
forums.hardwarezone.com.sg

Did the forum banned tor?

March 25, 2015

In reply to gk

Permalink

are you using any special settings?
try with and without obfs3, can't log in...

This might be unrelated to your problem.
httpseverywhere trouble in tbb 4.0.5 is described in https://support.mozilla.org/en-US/questions/970533 "The connection has timed out" -- solved by disabling site rule.
The site is ((should i declare site, or this a secret?)) is noscript friendly. I load page from https bookmark and far as i know, site always loads as https. Perhaps the page loads some urls that cause cause the trouble.
I had not visited the site for many (6?) months, so the trouble may not be new in recent tbb or httpseverywhere.

March 24, 2015

Permalink

Trusting the tor project blindly (foolish) I updated to the new bundle but ... all my whitelist options and bookmarks were gone! So I guess I'll have to start all over again. Can't this issue be solved any other way? Also I notice that when I open a new tab to start a new search on the start page field, the field is not empty but keeps the intended search of the previous tab. All in all minor issues considering the great job the Tor broser and Tor Project does, thank you!!

yeah, i've gotten in the habit of always backing up my noscript prefs and bookmarks before installing a new version.

it has the added bonus of serving as a regular back-up, in case anything happens (for example accidentally deleting a bookmark).

i don't whitelist any noscript domains, as that could have some impact on anonymity.

You can backup your bookmarks. Bookmarks - Show all bookmarks - then click on Backup button. Anyone know about whitelist though?

as of only months ago, and for many years preceding. noscript's domains and afaik all settings have been in firefox' prefs.js

March 24, 2015

Permalink

Thanks for the quickly updated release.

One question, will a future update include updated OpenSSL libraries (updates released on the 19th of March) to resolve any issues that affect Tor? Thank you.

March 24, 2015

Permalink

do any other linux users have the issue where the initial connection dialog (ie connect or censored) once you press connect and the connection initialization window causes alt-tab to stop working. Only for the duration of the existence of that window? am using Fedora 21.

March 24, 2015

Permalink

Downloaded 4.05 bundle today on Macbook Pro using OS X Yosemite. Prior version of Tor worked fine but now browser opens only to start page. When a search is attempted, I receive a gray box Saying "unable to find the proxy server" and "Firefox is configured to use a proxy server that can't be found."

I opened Preferences, Advanced, Network, Settings. I tried each of the Proxy options to no avail. (The manual configuration boxes are empty, so no surprise there.)

Also, what happened to my Bridges? I don't even find anywhere to add bridges anymore.

Any advice?

March 24, 2015

Permalink

gpg: Signature made Mon 23 Mar 2015 07:42:41 AM EDT using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

Subkey fingerprint is nowhere to be found at
https://www.torproject.org/docs/signing-keys.html.en

March 24, 2015

Permalink

I used the auto-updater to update from Tor Browser 4.0.4 to 4.0.5 with Linux 32bit on Debian Wheezy. After auto-updating I click the 'restart' button. Tor restarts and then the configuration window comes up asking me if I want to connect directly to Tor or use a bridge.

4.0.4 was configured to use the meek-google bridge. I don't click on any configure buttons and Tor 4.0.5 gets to 100% connection status and connects to meek-google bridge automatically, but Tor web browser doesn't launch and the configure window just sits there blocking Tor web browser from launching.

So I close the configure window, which disconnects Tor. Then relaunch Tor, but this time the configure window doesn't come up and the Tor web browser launches when the connection status gets to 100%. A window pops up saying "Tor has been successfully updated."

Sorry to post this here. I know I'm supposed to use a bug report.

March 25, 2015

Permalink

I have noticed this with a lot of SSL/TLS websites, they accept either SSL 3.0 or the RC4 cipher. Why do some SSL/TLS websites accept SSL 3.0 or RC4 when SSL 3.0 is unsecure and when RC4 is also unsecure?
I'm glad torproject.org does not accept SSL 3.0 and RC4.

March 25, 2015

Permalink

Anyone else experiencing massive problems with CloudFlare ever since the 4.0.5 update? It has always been very very annoying, but now there's an infinite CAPTCHA loop which cannot be overcome anymore at all :/

My longer comment got blown out when i looked away...
So short reply is:
use google cache. google blocks tor, but google cache does not.

1. find on web or create a google cache bookmarklet
or my choice:
2. create a "Quicksearch" keyword search bookmark for google cache
create title that indicates is Quicksearch type bookmark. i add % symbol and place Quicksearches in a separate folder.
this is url of my google cache bookmark:
https://webcache.googleusercontent.com/search?q=cache:%s
create a keyword that you will remember as is not a real word.

usage: move cursor to beginning of url in adderssbar. enter your keyword and a space character. press Enter key (or click goto button)

btw, quicksearch is not keyword search. the latter can be privacy hazard. To avoid hazard, i disable the pref keyword.enabled

March 25, 2015

Permalink

First: Thank you for TB!! Great and good work!

Unfortunately, browsing the web with your latest TOR-Browser I can't solve any captchas anymore! Neither UL.to nor share-online.biz ... you name it....

So downloads became impossible since yesterday :-(
Does anybody else experience the same?

March 25, 2015

Permalink

I still cannot edit the certificates in Tor browser,please fix it as soon as possible!

One more thing: why not consider to delete CNNIC Root in default?

http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-ce…

"On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC "

CNNIC belongs to Chinese government,and China is a totalitarian country.CNNIC Root and other Chinese certificate cannot be trusted by anyone!

i believe disabling 'edit certificates' in tb are made for purpose. it makes more difficult for you to have your own decision whom you trust and strictly bind you to decisions made by browser designers. and they are controlled by ceo. and ceo follows recomendations from fascist governments.
btw why chinese ca is less trusted then us ca while us is a police state? will you feel more comfortable if google certificate was issued by some nsa affiliate and such https site is placed at your internet provider? for now who controls ca controls internet security.
funny, google.nsa talk about 'unauthorized digital' certificates. in real any certificate is legal for browser/windows if it is signed by trusted ca. so you are forced trust all those secretly updated root cas in your browser/windows bundle.

March 25, 2015

Permalink

Cloudflare captcha's aren't checked properly it seems.
Stuck in endless loop.
Clean install 4.0.5.

March 25, 2015

Permalink

Please sort out the GPG signatures. My download of TBB 4.0.5 have this accompanied signature that gives me this result:

Signed on 2015-03-23 13:40 with unknown certificate 0xBA1EE421BBB45263180E1FC72E1AC68ED40814E0.

This appears not to be a valid subkey of any known signing keys (and there are too many of them already) of tor project. For me it looks like attack.

March 27, 2015

In reply to gk

Permalink

It came down to a bug in Kleopatra that is shipped with Gpg4Win 2.2.3. GPA works fine and verifies the signature properly and also shows the right subkeys.

March 25, 2015

Permalink

from today i cant acces marketglory.com by tor browser.Cloud flare repeats infinetly.Is this site blocked for tor users?

March 25, 2015

Permalink

cloudflare captcha worked fine before update 4.0.5 now i enter the text and it just refreshes the screen with a new captcha. why did you break cloudflare captcha?

March 25, 2015

Permalink

is anyone else not able to open after updating? Getting #11999 error forcing try again, but when you click try again, it flashes back to error screen.

March 25, 2015

Permalink

Starting with 4.0.4, Tor Browser is having problems downloading some images from posts on Tumblr. This may be related to Tumblr moving some of this content out into a content development network on edgecast.net.

From any browser on a static IP, the photos will download. From any node on the Tor Network, the photos will give errors that the server refuses to download with AccessDenied.

Here is a photo of a famous singer that is in a Tumblr post and it gives a server AccessDenied from every Tor Node I could test, but works from every static IP I tested:

https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/15166cf2c8442ce5…

Is the Tor Network being specifically blocked? Is there any workaround for this?

Yes I use Tumler and have the same problem in 4.04. A few photos show but most don't. It may be they are using more JS scripts than before as of course that is disabled in TOR, or at least it is by anyone with any sense!! Similar problems on flickr if JS is not enabled.

March 26, 2015

Permalink

I d/l'd the Tor Brower Bundle Update to update from 4.0.4 to 4.0.5 but it won't update. I keep getting an error box which says:

"The update could not be installed. Please make sure there are no other copies of Firefox running on your computer, and then restart Firefox to try again."

But I don't have any other copies of Firefox running. I've tried numerous times but keep getting the same error. Any help would be appreciated.

Thanks.

BTW, I have Windows 7

March 30, 2015

In reply to gk

Permalink

Your reply prompted me to move 4.0.4 back to where I d/l'd the 4.0.5 bundle and it installed fine.

Thanks!

March 26, 2015

Permalink

The the built-in updater broke my tbb install after restarting tbb.
it failed to start properly.
Debian 8 x64.

March 27, 2015

Permalink

Hello there, I'm having a problem but I don't know if my IP censored it or not. I didn't have problems last night until 12-12:30AM (North America Eastern time). The tor browser just wasn't responding (loading pictures on tumblr and other sites) so I changed the identity but when I did that I was signed out. I tried to connect again but the loading bar always stops at "Loading Network Status" and never goes past that stage. Is this IP censorship or is there something going on with the Tor network?

March 29, 2015

Permalink

Just checking that you all over at tor are keeping the deployment of "Stingray" in your sights.

http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-t…

Now, the ability to track and locate my whereabouts isn't important to me.

But "stingray is a false cell phone tower that can force phones in a geographical area to connect to it. Once these devices connect, the stingray can be used to either hone in on the target’s location or, with some models, actually eavesdrop on conversations, text messages, and web browser activity."

Please tell me you're ahead of the curve - and likely to stay there...

March 29, 2015

Permalink

PLEASE HELP

The past few TBB issues have the spelling-checker disabled and I can find no way to reverse this.

My regular Mozilla browser, with the same settings, isn't similarly afflicted. And I can't accept I'm the only person with this complaint. It's a serious security issue. Imagine being able to identify others simply through their consistently repeated spelling errors?

I have posted here on this topic before but there was a distinct lack of any response.

Do your good deed for 2015 - it's not to late...

TIA

April 01, 2015

In reply to gk

Permalink

@ GK

As I wrote above, my FF settings and TBB settings Tools/Options/Advanced/General settings are identical.

As are both Options/Content settings except for, ooops, "Allow pages to choose their own fonts" - disabled on FF but enabled on TBB.

Now my font colour stays black instead of blue, as I'd prefer and TBB 4.0.6 - just downloaded - now has an active spell check. Why would this setting - or rather - should this setting influence spell check?

I started this post with FF, copied it, downloaded and installed TBB 4.0.6 over 4.0.5 - that's a first - and then re-posted this using 4.0.6.

Usually, I delete the old browser - CCleaner then cleans the Registry - and then install the new 'un for my own security reasons. Never mind. I'll do it properly when I sign off here.

So I'm up and running again. But I'm still mystified.

Thank you for your interest. Any further insights would be welcome...

April 01, 2015

In reply to gk

Permalink

@ GK

Me again.

I've now installed 4.0.6 matching, as far as possible, my Mozilla browser which functions perfectly on regular sites - spell checker included.

The TBB spell checker works on this site but not on regular sites and not on tor sites. That previous "ooops" nonsense is just that. Sorry!

The only major difference I can find between the two browsers is that FF Options/Content/Advanced/Fonts has a Latin fonts designation while TBB ditto has a Western fonts designation. ??

Please let me have your opinion on this matter. Thank you for your patience...

Still no response to this security issue? LOL I'm also curious and I've thus also been waiting for some sort of clarity on this spell check matter from Tor.

March 30, 2015

Permalink

In response to the above:

"Such data “from all wireless devices in the immediate area of the F.B.I. device [cell site simulater] that subscribe to a particular provider may be incidentally recorded, including those of innocent, nontarget devices.”"

Wow, now I know why people in the U.S. are so paranoid, their government wants to know EVERYTHING about them, to use it against them should the opportunity arise. "it's in the name of Homeland Security!" they say, but then what constitutes protecting "homeland security"? If someone were to whistleblow, say like something about 9/11, the government could label this as a "threat" to homeland security and take these measures so long as it protects their interests. I don't know why there aren't public protests against this kind of stuff.

March 31, 2015

Permalink

This is what I am getting when trying to download tor on torproject website for tor browser 4.0. 6?? am typing in https://www.torproject.org
Not Found

The requested URL /torbrowser/4.0.6/torbrowser-install-4.0.6_en-US.exe was not found on this server.
Apache Server at dist.torproject.org Port 443

March 31, 2015

Permalink

I deleted my old tor 4.0.5 seeing that on this tor website that 4.0.6 is out and got that apache message and 404 error..now stuck without tor! this is the message I got again, plus I cannot dwnload tor at all...so what is going on?
Not Found

The requested URL /torbrowser/4.0.6/torbrowser-install-4.0.6_en-US.exe was not found on this server.
Apache Server at dist.torproject.org Port 443

March 31, 2015

Permalink

Thank you for fixing the problem. I was able to download the new version 4.0.6! love tor great work!

April 14, 2015

Permalink

using 4.5a5 (based on Mozilla Firefox 31.6.0, one site always gets Access Denied" no matter how many times I get "New Identity".

http://www.foxnews.com/ yields an:
---------------------------------
Access Denied
You don't have permission to access "http://www.foxnews.com/404error/" on this server.

Reference #18.16bd7a5c.1429010305.6ee5f69
----------------------------------

odd that. There have been many favorable, or at least neutral, articles on FN re Tor.

Last year ther was no problem. I don't recall exactly when it became impossible.

May 15, 2015

Permalink

For the last couple of days, i cannot get past google captcha screen. I enter the parameters but it asks for another captcha over and over...so annoying...Why did you try to fix something that already works?

June 09, 2015

Permalink

Cloudflare Captcha appears for me e.g. on 4chan, and it;s the hardest type to solve. I got quite good at solving them and occasionally I get one which I am sure was correctly entered, but I am **ALWAYS** without fail given another Captcha. I did screw with TOR's about:config to set lots of options to false, and I note the latest versions of Tor have some change to NoScript ClearClick (which was giving an issue with Tor + Captcha) but this hasn;t helped me.

About 1/3 of the internet is unusable to me.
It's ok when i can use a startpage proxy at the end of Tor to get there, but with just Tor, it gves me ENDLESS Captchas.
Any ideas??

Anyone Else?