Tor Browser 4.0.6 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.6 is based on Firefox ESR 31.6.0, which features important security updates to Firefox.

Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.5:

  • All Platforms
    • Update Firefox to 31.6.0esr
    • Update meek to 0.16
    • Update OpenSSL to 1.0.1m
khled.8@hotmai.com

April 01, 2015

Permalink

AVG picked up malware on updating C:\Users\....\Documents\Tor Browser\Browser\TorBrowser\Tor\tor.exe? is this of concern?

khled.8@hotmai.com

April 01, 2015

Permalink

Windows 8.1 warned about "harmful file" when I tried to run the 4.0.6 update.
Should I ignore and install?

khled.8@hotmai.com

April 01, 2015

Permalink

It seems that no matter how many people address the cloudfare issue, it still seems to be a non-issue??

All the way up to version 3.6.3 Tor never had any issues.

So, over a 8 plus month span to correct this?

it would also help if there were some obfuscation measures taken to actually not let other websites know that a Tor user is making a connection.

Thanks!

It isn't an issue with Tor, it's an issue with cloudflare; if they see you exiting a Tor exit node, they will captcha you. All a server (including cloudflare) needs to do is look up the ip address that the connection is coming from and see if it is a Tor exit. Yes, this would be harder if the list of Tor exit nodes wasn't published, but it wouldn't be much harder and then Tor users will get even less goodwill; forget captchas, you'll just be blocked. With that said, nothing is stopping you from using a CGI proxy or similar from within Tor Browser. Of course, you could also try to convince the admin of whichever site you're having trouble with to stop using Cloudflare.

Which issue?

About captchas: see answer in the thread.

WTF?!? Are you doing a new release a week now?

Hey, just trying to keep up with Mozilla and their surprise releases. :)

Works fine here so far, thanks.

@Users: With Tor: the new captchas from cloudflare are unsolvable. U have same problem? Any idea? Thanks

It is a terrible answer, but it might help you short-term: the captchas sure are a lot easier to solve if you run their javascript.

That's why! Thanks for the help.

i understand your concern. at least my ip is still hidden, it's the most important thing.

if i'm wrong about the ip, pls clarify, thanks!

Well, it looks like Vidalia lovers are shafted again. Can't run Vidalia with this version (even though the "Vidalia-like" features aren't incorporated in this version." Running Vidalia generates a message saying "Tor requires authentication cookie". Do you want to browse for "control_auth_cookie"? It appears it doesn't exist.

I know Vidalia is being deprecated, but many of us use it for much more than "new identity". I'm sure there will be many complaints forthcoming, or many people will simply choose to run 4.0.5 since that version is still compatible.

Vidalia was deprecated years ago. If you need the features from 4.5 run 4.5; you're probably less likely to run into a security vulnerability that way.

"Vidalia was deprecated years ago."

And yet, Tails still uses Vidalia!

"If you need the features from 4.5 run 4.5; you're probably less likely to run into a security vulnerability that way."

Poster you were replying-to said "4.0.5", not 4.5.

Either way, how could you possibly say that using any deprecated version of Tor Browser would make one, "less likely to run into a security vulnerability"?! (The truth is just the opposite.)

Especially just after pointing-out that "Vidalia was deprecated years ago."?!

Today obfs3 bridges connection stopped to work, tried several bridge addresses including today's set. The loading line stays grey. Non-bridges connection works. What could be wrong?

old new problem: starting tor browser but no browser appears. but task mozilla tor is running. have to close this and restart tor browser.

This is really an issue for me as I have to try to open the Tor Browser several times before it opens. Keep hoping it will be fixed sometime.

If it doesn't have a ticket number on trac.torproject.org, it probably won't make much progress towards being fixed.

only at the beginning i had the problems. now it works without problems.

Unfortunately I will probably just keep my head in the sand for now. Like the other anonymous user commented, it seems to run in spurts and right now it is opening more than not.

On Mac trying to verify 4.06 (yes I've downloaded the new key):

gpg: Signature made Tue 31 Mar 15:27:31 2015 using RSA key ID D40814E0

gpg: BAD signature from "Tor Browser Developers (signing key) "

Any ideas.

No verify, no use.

gpg: Signature made Tue 31 Mar 2015 10:27:31 AM EDT using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) "

I just fetched the TorBrowser-4.0.6-osx32_en-US.dmg and checked it.

My guess is that you have only a partial download, or something like that.

$ sha256sum TorBrowser-4.0.6-osx32_en-US.dmg
283bb75db6266266cb9d891c652feada2d515c8f4e275bc0858c83233474a00a TorBrowser-4.0.6-osx32_en-US.dmg

Mozilla just updated ff with security fixes

That's the ESR that's in this release.

Unless you meant something more, in which case, details?

They updated the regular release to 37.0.1 with security updates but nothing in the ESR page https://www.mozilla.org/en-US/firefox/37.0.1/releasenotes/

spell check not working

Window size can be increased slightly by using the max/min icon a few times and then dragging the window down. Very annoying on a large screen only being able to view half size. Why all other versions of TOR not screen fixed like this one? Does it mean all earlier versions were insecure?

Are you talking about the alpha 4.5a5 compared to 4.0.6? If so, this might be another bug in our current "fix" for #14429. And, yes, maximizing the window without something like a fix for #14429 might make you easier recognizable due to your unusual screen/window size.

I am using 4.5a5. Is there a fix for window problem in 4.06?

Tor Browser 4.0.6 is the stable version, and it doesn't have the experimental window resizing feature in it.

Tor Browser 4.5a5 is the experimental branch, and it has experimental features like that one in it.

How do I force this browser to just give me US IP's? I've done it for previous versions by updating the "torrc" file but now it's not working. Any help? Thanks!

The in browser updater crashes ubuntu 14.10 every time i use it.

Crashes Ubuntu? Sounds like an Ubuntu bug? More details would be useful.

All these new Tor realeases got so many captchas ,so annoying! Please solve that problem _
But anyway _ am on Debian linux - Parrot OS and it has anon surf on it so no sweat though! :)

waahh :-(( ----I use tor-browser vers 4.08 and it doesn't tell me about updates to 4.5 / 4.6 now - I am quite desperate ...!!! ( next life I'll be reborn as a digital machine from the very beginning, I swear ) HELP! ( no I won't start internet &/ evolution, sorry folks :)