Tor Browser 4.0.8 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release contains a fix for the update loop issue present in 4.0.7. It is otherwise identical to that release.

Both 4.0.7 and 4.0.8 contain an update to the included Tor software, to fix two crash bugs in the version of the Tor software included prior to 4.0.7. One crash bug affects only people using the bundled tor binary to run hidden services, and the other crash bug allows a malicious website or Tor exit node to crash the underlying tor client by inducing it to load a resource from a hidden service with a malformed descriptor. These bugs do not allow remote code execution, but because they can be used by arbitrary actors to perform a denial of service, we are issuing a security update to address them.

There will be no corresponding 4.5-alpha release for this fix, to allow us to focus on stabilizing that series for release in ~2 weeks.

Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.6 (covering 4.0.7 and 4.0.8):

  • All Platforms
    • Bug 15637: Fix update loop due to improper versioning
    • Update Tor to 0.2.5.12
    • Update NoScript to 2.6.9.21

While not specifically an ad blocker, disabling javascript can significantly reduce the number of popups. Have you changed how you're using noscript? Also, are you sure that the website(s) in question haven't changed behavior?

Anonymous

April 13, 2015

Appeal to Tor developers:

Please elect a scripting language/programming language to replace java/javascript and continue to build on that..

we cannot trust java
as a user we have very little control of java apart from disabling it with noscript in the browser

what would be nice (not making this Tor developers responsibility here), is a sort of app-firewall/apparmor for java or a COMPLETELY security safe java-like to replace the existing java which is being rammed down our throats; java is being used because developers (java) are lazy and want to code once, well guess what python, perl etc also runs on many platforms...

It's simply a contradiction here, Tor users are "advised" to use noscript to disable javascript yet developers continue to expand on its use especially with the Tor apps.

no-java Anon

however java, javascript, jvm are interrelated in the context of a browser session, a Tor user expects use with maximum security possible.
perhaps my previous comment should state "javascript" then...apologies

no-java Anon

No; Java (which uses the Java Virtual Machine) and Javascript (which doesn't use the JVM) are not in most cases interrelated. Yes, you can use javascript for some (extremely limited) control of java applets, but from a security standpoint they are two very different technologies. Please, research the issue before posting; there's plenty of information on the web about Java and Javascript and the difference between the two.

but javascript seems to be associated with popups, adsite on a page, loading adsite for every godam webpage these days I know noscript deals with lots of things.
nothing personal, but I have no interest in either i just want the page from the domain I'm browsing.

thank you for clarification

no-java Anon

From Torbrowser's perspective, ads and popups are near to the end of the list of concerns from javascript. They're not at the end but they make tracking easier. Of course you don't need either of them to track with javascript, and there are more dangerous things than tracking that javascript can accomplish.

I appreciate that Tor developers have core pieces to look after
security is important but, from our perspective, popups and ads are *king nuisance have spoilt the internet experience
i dont care about ads helping to finance something, get a million billion dollar corporation to pay for it, same logic as food packaging don't make it the consumers problem get the manufacturers to comply thats the source of the problem.
remove porn, ads, popups, marketing depts pull push bs and we would have a better world.

non-java Anon

Anonymous

April 14, 2015

In reply to by Anonymous (not verified)

dart is or was google's replacement for javascript however
http://www.infoworld.com/article/2902074/javascript/google-dart-will-no…

http://tobyho.com/2010/03/11/how-much-of-the-web-actually/
is actually quite interesting how ebay site is still relatively functional without javascript enabled proof of what is possible depending on the code and whats required.

Tor
as security sensitive Tor, onion and hidden services are why consider using javascript at all?
are the inclusions deliberate? are some aspects of insecurity included for some purpose?
a lean Atlas page displaying just the facts isnt as sexy as it is current but then who cares how pretty it looks I'm using the Tor bundle with security in mind?!

no-java Anon

It really isn't because there's no intention to expand it to include all of javascript's functionality and if it was expanded there's no reason to believe it would be safer.

Anonymous

April 14, 2015

In reply to by Anonymous (not verified)

First of all, Java =/= Javascript; in fact, they're not remotely related from a technical standpoint. Javascript was originally named livescript but was renamed to Javascript for marketing reasons after the first Java plugin was made for Netscape (some type of 'wave' of "Java-" technologies.) Second, Tor project developers are hardly ramming javascript down anyone's throat. Sure, the web is more and more dependent on javascript every day, but it's not like someone can simply write a replacement for javascript and expect all the web developers to move over, especially when a scripting language is only supported by one browser. Microsoft tried that with vbscript back when IE held far more of the market share and they failed. That's not even mentioning the fact that coders would have to recode everything and despite what you think, that's a substantial job especially given they'd have to learn a whole new language to code with. In addition, any new language, like any new piece of software, is going to be buggy; such a solution is going to add to the number of security vulnerabilities in the initial period. That's where a good number of the Javascript security threats are: bugs. A new scripting language is simply adding to that problem; sure, Javascript was not designed with all of the threats that Torproject thinks about but those threats aren't the only or even primary reason to disable Javascript. Yes, disabling Javascript is the easy answer (Torbrowser contains patches to make Java itself incredibly hard to enable,) but that's because for most users that's all they need to know. However, if you're going to give actual suggestions or make appeals it might be a good idea to know what you're actually talking about. It may be cool to jump on the Javascript hating bandwagon, but if you don't know why you're there you really aren't in any place to give advice.

further web searches
netscape called it javascript for marketing purposes but has no relation to java (and jvm); intention was to confuse with the jargon and its still called javascript to this day.
alternate names -jscript even suggests 'Java', or its original 'ecma'
without javascript enabled on a webpage we get just the main content, I have no interest at all in scorecardsearch, adtech, every other useless adsite popups and related (thank god for noscript)
I think most people would agree we can do without the crap bolted on or called by javascript on just about every website these days = "rammed down our throats". my earlier comment doesn't say nor did I suggest it was just Tor browser teams, it's webadmins everywhere, surfing the web is not as pleasant an experience as it was decades ago.
thank you Tor developers for the great work.

no-java Anon

Anonymous

April 27, 2015

In reply to by Anonymous (not verified)

First of all, popup ads aren't nearly as bad as they used to be. After several years of most browsers having some limited form of blocking, their prevalence has definitely decreased as they aren't worthwhile from a revenue perspective. Second, javascript does far more than just ads. In fact, that's why in most browsers you can't simply disable it like the old days. Firefox (and therefore Torbrowser) uses javascript internally to do a whole bunch of things; it wouldn't work without javascript. Of course, that's separate from javascript from external sources.

are you suggesting we just enable javascript and wait for an ad related bit to do something and then work out if it was malicious or just a nuisance?!

non-java Anon

new software, buggy -thats not supposed to be an excuse for not using it, oh I just forgot developers want to develop and not go back and doing any fixing.
i answered 'ramming' in another post
i and many other will continue to block and disable ecmascript till it dies a death and never returns.
thank you for your explanations

no-java Anon

Software being buggy is a very good reason not to use it when dealing with security; Javascript bugs are after all the number one reason to disable javascript. A bug in a webbrowser can easily be exploited to do a whole number of nasty things, like infecting your system with a trojan.

coders will have to recode...
technology comes and goes all the time, entire websites are rewritten all the time how is that different from any other week, month?!

no-java Anon

Yes, and every line of code can be buggy and that bug could be exploitable. Of course, that's true with old code as well, but the old code has had time for people to find the bugs. By the way, entire websites aren't rewritten all of the time. Most major (big) websites are significantly compartmentalized and they change one piece at a time; they don't throw out the whole thing and start over unless they have to.
But that's missing another major point: Any replacement for Javascript that handles most of the use cases for Javascript is going to have the same problems as javascript. It's not like we don't already have several different implementations of javascript already.

Anonymous

April 13, 2015

Tor Service Help

I have windows 7

I updated to 4.0.8 when the update message appeared. Now when I try to open the browser it hangs up while loading (the green screen line stops moving half way along).

Downloaded 4.0.8 directly from the web, same results.

Any suggestions?

Thank you for your support.

Anonymous

April 13, 2015

Hey Guys Isn't This Tor Version Compact With IDM (Internet Download Manager)

it Help Download acceleration

Why should you trust a piece of closed-source software that might be leaking everything you do on your computer for "Download Acceleration," a task that has many other open-source solutions?

Anonymous

April 14, 2015

Since installing the latest version of tor last night AVG antivirus keeps blocking tor from running

AVG has never done this before, If i turn AVG off then tor will start and run

Any ideas?

Anonymous

April 14, 2015

Hello, I just tried to download and launch this newer version and I keep getting a (firefox.exe) error which prevents the browser from launching. I tried a number of different approaches and they all have failed. Some insight or tips would be appreciated.

Anonymous

April 15, 2015

sqlite is buggy, exploitable.

Should be patched.

Anonymous

April 16, 2015

Since this release opening the tor browser bundle is very slow for me. It used to take max 5 seconds with the previous release, now sometimes I have to wait 10 minutes. Why is this happening?

Anonymous

April 17, 2015

I just downloaded

tor-browser-linux64-4.0.8_en-US.tar.xz
tor-browser-linux64-4.0.8_en-US.tar.xz.asc

and the key used to sign the tar file is

gpg: Signature made Thu 09 Apr 2015 10:44:53 AM PDT using RSA key ID D40814E0
gpg: Can't check signature: No public key

I can NOT find this key on the key signing page.

Anonymous

April 17, 2015

Oops - the RSA key ID is the last 8 characters.

The primary fingerprint appears to match but there is no fingerprint for the RSA signing key of D40814E0. Where can I find the fingerprint?
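
The situation in the two comments above (gpg reports a short key ID that is not the primary fingerprint) is what a signature made by a signing subkey looks like. The following is an added example, not part of the thread and not Tor Project code: it maps the ID printed by `gpg --verify` to the primary key that owns it by reading gpg's colon-format listing. The helper name `find_signing_key` is hypothetical, and every key ID and fingerprint in the sample listing is a constructed placeholder except the short ID D40814E0 quoted in the comment.

```shell
#!/bin/sh
# Added example. SAMPLE_LISTING is constructed; only the short ID D40814E0
# comes from the gpg output quoted in the comment. In practice the listing
# would come from:
#   gpg --with-colons --fingerprint --fingerprint --list-keys <primary key>
SAMPLE_LISTING='pub:-:4096:1:1111111111111111:1418688000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1418688000::0000000000000000000000000000000000000000::Constructed Signing Key <signing@example.invalid>:
sub:-:4096:1:2222222222222222:1418688000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
sub:-:4096:1:33333333D40814E0:1418688000::::::s:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC33333333D40814E0:'

# find_signing_key ID  (hypothetical helper; reads a colon listing on stdin)
# Prints "<primary fpr> <matching key fpr> <pub|sub> <capabilities>" for the
# key whose fingerprint ends in ID; exits 1 if no key in the listing matches.
find_signing_key() {
    awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        # Remember the record type and capability flags (field 12).
        $1 == "pub" || $1 == "sub" { kind = $1; caps = $12; next }
        # The fpr record that follows carries the fingerprint in field 10.
        $1 == "fpr" && kind != "" {
            if (kind == "pub") primary = $10
            n = length(want)
            # Short and long key IDs are the trailing hex of the fingerprint.
            if (n > 0 && substr($10, length($10) - n + 1) == want) {
                print primary, $10, kind, caps
                found = 1
            }
            kind = ""
        }
        END { exit (found ? 0 : 1) }
    '
}

# Stand-alone run: resolve the short ID that gpg printed.
printf '%s\n' "$SAMPLE_LISTING" | find_signing_key D40814E0
```

A `sub` result with an `s` capability means the ID belongs to a signing subkey, so the fingerprint to compare against the published one is the first field, the primary key's.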

Anonymous

April 17, 2015

about:config

experiments.enabled;true
network.http.sendSecureXSiteReferrer;true
beacon.enabled;true

?????????

Anonymous

April 19, 2015

FF31.6.0 Tor4.0.8 on Win7 SP1. Getting "another version of Firefox is already running" when trying to launch the browser for a second time. Only fix is to delete old browser and reinstall from install.exe.

Didn't have this issue when using Tor4.0.6.

(sorry for double posting, forgot to include tidbit about previous version)