Tor Browser 4.0.8 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release contains a fix for the update loop issue present in 4.0.7. It is otherwise identical to that release.

Both 4.0.7 and 4.0.8 contain an update to the included Tor software, to fix two crash bugs in the version of the Tor software included prior to 4.0.7. One crash bug affects only people using the bundled tor binary to run hidden services, and the other crash bug allows a malicious website or Tor exit node to crash the underlying tor client by inducing it to load a resource from a hidden service with a malformed descriptor. These bugs do not allow remote code execution, but because they can be used by arbitrary actors to perform a denial of service, we are issuing a security update to address them.

There will be no corresponding 4.5-alpha release for this fix, to allow us to focus on stabilizing that series for release in ~2 weeks.

Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.6 (covering 4.0.7 and 4.0.8):

  • All Platforms
    • Bug 15637: Fix update loop due to improper versioning
    • Update Tor to 0.2.5.12
    • Update NoScript to 2.6.9.21
Anonymous

April 19, 2015

Hijacked Firefox browser... new install! Made a post using Tor and got a security threat that took over Firefox and my DNS! When I cleaned Firefox, it pointed to a joining of Tor with Firefox that my firewall killed all connection! Had to do a backup and a browser reinstall!

Anonymous

April 09, 2015

"We've also made improvements to our display resolution fingerprinting defenses to automatically resize the browser window to a 200x100 pixel multiple after resize or maximization" What happened to this? I can still resize the window however I see fit in 4.0.8

Anonymous

April 09, 2015

gpg --list-sigs 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key)
sig R 8B9E4469 2015-03-15 [User ID not found]
sig CD62C2F3 2015-03-25 [User ID not found]

gpg --recv-keys 8B9E4469 CD62C2F3
gpgkeys: key 8B9E4469 can't be retrieved
gpgkeys: key CD62C2F3 can't be retrieved

normal?

It's fine to have signatures from keys you've never heard of or can't fetch.

It's the keys that you *can* fetch, and consider trust in, that you should be looking at.

Anonymous

April 09, 2015

I feel Alpha version is faster and lighter than stable version! Has someone else experienced it?

Anonymous

April 09, 2015

I absolutely love the new feature of running Tor as a VPN on Android. We totally need this feature on PC too!

Having Tor function similarly to a VPN is a dangerous route, given that a major reason for such a setup is to allow users to use software that does not have or respect proxy settings to be routed through Tor. Software like that (if it's closed source) could easily be designed to NOT use a VPN connection and use methods to connect directly without going through the VPN-like Tor.

Anonymous

April 09, 2015

My Tor asked me if I wanted to update to 4.08. I chose to accept. It then installed. I also saw under the Window menu a "software update" option.

I found it a bit suspicious later because I thought you could only manually update directly from the website. I decided to then reinstall 4.08 by downloading straight from the website. All of a sudden I no longer see a "software update" option under the Window menu... only 'minimize' 'zoom' and 'about..' Should I be concerned that the auto-update I initially experienced was not a legitimate software bundle? Was I hacked?

Anonymous

April 09, 2015

This probably is a dumb question (on this blog with many savvy posters). I installed the latest version (4.0.8) today and, unlike with prior new updates, couldn't figure out how to change the home page to one I prefer. Please help. Thanks.

Anonymous

April 09, 2015

Question on the preferred way to update:

TBB can be updated in-place via Help -> About Tor Browser (works similar to how regular Firefox will update itself in-place.) After this in-place update, About Tor Browser reports the current correct v4.08. However, plugins must then be manually checked/updated.

Is this process the same as / better than / worse than "updating" TBB by downloading and running the "torbrowser_install_xxxx.exe" package? How should TBB updates be correctly performed?

I'd say it's about the same. The only exception might be if you want to verify signatures before installing a 4.0x package. In that case, you'd have to download the bundle in order to verify it. In 4.5x, I think (but am not completely positive) it's going to have signature verification built into the self-updater, so at that point there will be even less of a difference between the two update methods.
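
The signature check mentioned in the reply above, as an added example (not code from the original post or from the Tor Project). It accepts a bundle only if gpg reports a valid signature whose primary key matches the long key ID quoted in the `gpg --list-sigs` comment earlier on this page; the function names are hypothetical, and matching on the 64-bit ID rather than a full fingerprint is an assumption made because the page gives nothing longer.

```shell
#!/usr/bin/env bash
# Long key ID of "Tor Browser Developers (signing key)" as quoted in the
# gpg --list-sigs comment on this page. Assumption: pin the full 40-hex
# fingerprint from a trusted source instead if you have it.
EXPECTED_KEYID="4E2C6E8793298290"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names a primary key (last field) ending in EXPECTED_KEYID and no failure
# status (bad, erroneous, expired or revoked signature/key) is present.
signed_by_expected_key() {
    awk -v want="$EXPECTED_KEYID" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            primary = toupper($NF)
            if (length(primary) == 40 && substr(primary, 25) == want) ok = 1
            else bad = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_bundle FILE SIG: check FILE against detached signature SIG.
# The human-readable "Good signature" text is ignored on purpose; only the
# machine-readable status lines decide the result.
verify_bundle() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by_expected_key
}

# Constructed status line (not real gpg output) to exercise the check offline:
# a zero-filled subkey fingerprint, then a primary fingerprint ending in the ID.
sample="[GNUPG:] VALIDSIG $(printf '%040d' 0) 2015-04-07 1428364800 0 4 0 1 10 00 $(printf '%024d' 0)$EXPECTED_KEYID"
printf '%s\n' "$sample" | signed_by_expected_key && echo "sample: signed by expected key"
```

Checking the primary-key field of `VALIDSIG` matters because a "good signature" from any other key in the keyring would otherwise pass just as well.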

Anonymous

April 10, 2015

Is it okay for me to update HTTPS Everywhere to ver 5.0.2? Because TBB 4.0.8 still uses ver 4.1.3

Anonymous

April 10, 2015

When was version 4.0.7 released?

Why is it that my Tor browser version 4.0.6 was unable to detect/inform me that version 4.0.7 was released?

Note: In the settings for version 4.0.6, I have chosen the option of being informed of any updates via my Tor browser.

Anonymous

April 11, 2015

Is there a way to enable "limited script" for Tor users? This would allow Javascript that makes a web site function properly but disable any code that accesses identifying information. It is likely that Facebook is identifying Tor users which would make it easier to identify everybody else.

Another idea is to give priority to users of little bandwidth over users who are using massive amounts.

And another thought: I suspect that major email providers are blocking clearnet emails from darknet email providers. Even if they are allowed through in some cases, the darknet email providers need to have a delayed send feature. Otherwise the timing of Tor access can be correlated with the timing of an email.

Anonymous

April 11, 2015

If we can't trust java among the reasons are security issues revealing our your identity +++, why are we forced to enable java to use the Atlas?!

Anon

Your comment states the obvious "uses a handful of javascript...", yes, that's what this is about java/javascript

Anon (call me no-java-please)

Anonymous

April 12, 2015

Regarding my previous comment, I did not intend to come across as purely critical. It was my intention to kindly offer suggestions. Tor is free and a great tool. I know that a lot of volunteer work from experts and resources are put into this project. Thank you.

>Tor is free

Tor is NOT free: the devs putting their hearts and minds and time and effort are paid for by donations. PLEASE stop saying Tor is free! It's obviously NOT!

You don't understand the concept of "free software." Tor is licensed under BSD and Tor Browser under GPL. That makes it free software.

Anonymous

April 12, 2015

Getting this on forums.hardwarezone.com.sg, can't log in also.

This Connection is Untrusted

You have asked Tor Browser to connect securely to secureforums.hardwarezone.com.sg, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Anonymous

April 12, 2015

Previous versions blocked the popup ads, now they come streaming through. Any way to stop them?