Tor Browser 4.5-alpha-1 is released

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.
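
The per-site circuit isolation described above is driven by SOCKS username/password pairs (Bug 3455 in the changelog below). The following is an added example, not Torbutton or Tor Browser code, that builds the RFC 1929 authentication message a client would send and models a proxy that keeps one circuit per credential pair, as tor's IsolateSOCKSAuth flag does. The function and class names, the last-two-labels domain shortcut, the password values and the example.* URLs are assumptions made for illustration.

```javascript
// Added example (not Tor Browser code). All function and class names are hypothetical.
// Simplified stand-in for an eTLD+1 lookup: keep the last two host labels.
// Assumption: a real browser would consult the Public Suffix List instead.
function firstPartyKey(urlBarUrl) {
  const host = new URL(urlBarUrl).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

// Credentials depend only on the URL-bar site, never on the resource URL,
// so third-party content shares the circuit of the page that embeds it.
function socksCredentials(urlBarUrl, nonce = '0') {
  return { username: firstPartyKey(urlBarUrl), password: String(nonce) };
}

// RFC 1929 sub-negotiation message: VER=0x01, ULEN, UNAME, PLEN, PASSWD.
function rfc1929Request({ username, password }) {
  const u = Buffer.from(username, 'utf8');
  const p = Buffer.from(password, 'utf8');
  for (const field of [u, p]) {
    if (field.length < 1 || field.length > 255) {
      throw new RangeError('SOCKS5 auth fields must be 1..255 bytes');
    }
  }
  return Buffer.concat([Buffer.from([0x01, u.length]), u, Buffer.from([p.length]), p]);
}

// Toy model of the proxy side: one circuit per distinct (user, pass) pair,
// the behaviour tor's IsolateSOCKSAuth stream-isolation flag provides.
class TorModel {
  constructor() { this.circuits = new Map(); }
  circuitFor(authMessage) {
    const key = authMessage.toString('hex');
    if (!this.circuits.has(key)) this.circuits.set(key, this.circuits.size + 1);
    return this.circuits.get(key);
  }
}

// Constructed sample: two sites open at once, both pulling from one CDN.
function demo() {
  const tor = new TorModel();
  const load = (tab, _resource, nonce) =>
    tor.circuitFor(rfc1929Request(socksCredentials(tab, nonce)));
  return {
    newsPage: load('https://www.news.example/story', 'https://www.news.example/story'),
    newsCdn: load('https://www.news.example/story', 'https://cdn.example.net/lib.js'),
    shopCdn: load('https://shop.example.org/cart', 'https://cdn.example.net/lib.js'),
    newsOtherPassword: load('https://www.news.example/story', 'https://www.news.example/', '1'),
  };
}
```

In the model, the CDN script loaded by the news page shares that page's circuit, while the same script loaded by the shop page lands on a different one.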

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for supporting 32-bit Macs, the Mac edition of this release is 64-bit only, which also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you transition to this 64-bit release, the updater should function correctly.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS

Anonymous

November 17, 2014

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time.

I'm curious. How does/will this work when using a system-wide tor instance for the Tor Browser instead of TorLauncher?

Anonymous

November 17, 2014

Is it safer to use Tor browser 4.5-alpha-1 than to use Tor browser 4.0.1?
Also when I go to the Download Tor page, I right click on my mouse and I click on "properties", and this is what it tells me,
Protocol: HyperText Transfer Protocol with Privacy
Type: Chrome HTML Document
Connection: Not Encrypted
Zone: Internet | Protected Mode: On
Address: Unknown
(URL)
Size: Not Available
So my point is, is there an encryption problem with the Tor browser download page?

Where are you clicking? I don't get a "Properties" menu entry. And I'd suggest using 4.0.1 as the alpha contains new stuff which is not so well tested yet that might break in interesting ways...

Anonymous

November 18, 2014

Hi,
Info about Torbutton config is hard to find; however, can I set extensions.torbutton.debug to 'false' in Tails or is it a problem? Setting extensions.torbutton.loglevel to 4 or 5 would be really nice, too?
Searching for details about Torbutton config is like searching for Windows source code (-:

Anonymous

November 18, 2014

Great news.
If one uses Torsocks (or TorBirdy for example) while running this version of TBB, which circuit will be used? Will the last one be the "default one" or will the first one stay as the "default one" until it rotates 10 minutes later?

Come to think of it, I will try this myself :P But would like to hear from you what is the "best option". Maybe Tor could use a "main circuit" for the proxy setup and just create new ones for the tabs and windows the user opens...

Anonymous

November 18, 2014

    $ curl -O https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha-1/sha256sums.txt
    $ curl -O https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha-1/sha256sums.txt.asc
    $ gpg --verify sha256sums.txt.asc
    gpg: Signature made Fri Nov 14 14:53:44 2014 PST using RSA key ID D2F1E186
    gpg: BAD signature from "Mike Perry (Regular use key) <mikeperry@fscked.org>" [unknown]
    $ openssl sha -sha256 -r sha256sums.txt*
    37f6fe5f4de2d891e94b0b4c9d6c5b5190c5f80f00ecf32a83604f6140084667 *sha256sums.txt
    3c3343ecdbba31256872e7545aa66971986c7ecf03d759a48da9099ee5209eaf *sha256sums.txt.asc
    $ du -b sha256sums.txt*
    13128 sha256sums.txt
    801 sha256sums.txt.asc
    $

Anonymous

November 18, 2014

Great work!

However, I would really suggest adding a text window that pops up when the slider is moved to give a short explanation of what each setting does, such as "disables JavaScript and cookies" or whatever.

Without that info I know I was left thinking "well, how do I know what level I want if I don't have a clue about what each level does?"

I will open a ticket for this feature request, unless it's already planned?

On second thought, there seems to be lots of space next to the four slider setting terms (low, med-low, med-high, and high), maybe add a short description of each setting next to the setting on the slider?

Also, wouldn't these be better, in that they're a more accurate description of security?:
Weak (default)
Medium-Weak
Medium-Strong
Strong

Yes, there are some tooltips/help buttons planned explaining things. Whether "weak"/"strong" are better here I don't know. I think using "low"/"high" if one describes a certain level might be good (enough).

Anonymous

November 18, 2014

On Windows 7 this release seems MUCH faster to surf the 'net than previous releases. Page load times are very noticeably reduced! :) (using the highest security setting)

Was this intended? Or am I just the only one using Tor right now so that's why it's so fast?! :)

Stop telling lies! Another fool that doesn't read the research paper. Look at this: "Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4%"
"the real-world experiments" is equal to "the actual wilds of the Tor network"? Are you kidding?
https://blog.torproject.org/blog/traffic-correlation-using-netflows
Hi
I am here to clarify all misconceptions myself. Firstly, they have blown it a bit out of proportion by saying that "81% of Tor traffic", which is not true. It was only 81.4% of our experiments, and we have spoken about this upfront in our paper. Secondly, it's only a case of experimental validation and the challenges involved in it that is the highlight of the paper. In my thesis I have also tried to address how to solve this particular attack, which might work for other attacks as well...
Regards
Sambuddho

no it's true. just ask your net admin - he can show you that there are several order of traffic amount difference in established connections for tor users compared to others short lived connections without reference to an entry guard address. and who say silly words about 100% accuracy in court decisions?

Anonymous

November 18, 2014

My system crashed and shut down when I ran the obfs4 transport!!!
Also, my antivirus (Bitdefender) acted.

Hmm, that's odd. The code doesn't do anything all that special, and I know that it works on Windows (tested on Win 8.1 64 bit/Win 7 32 bit). It certainly shouldn't be able to bring your whole system down since it's an extremely straightforward piece of software.

Anything special about your setup? What version of Windows is it? On what architecture?

As far as the antivirus goes, it's probably a false positive. Complain to your AV vendor.

Win 7 Ultimate, 32 bit.
Of course, as I said, only when I run obfs4.
There are no problems when I connect directly or via bridges.
Can ISPs figure out when we connect to Tor? If yes, how can we prevent it? By using a VPN or Open DNS (changing DNS)?

I wonder, does anyone know anything about the security of Cyberghost VPN, Sumrand VPN, etc.? Are they really encrypted?

Also, about the Open DNS software: is it useful?

An encrypted and safe VPN can be helpful!
But not in all countries.
For example: if you use an encrypted and strong VPN in Iran, it is only safe for the first use!
Once the ISP is informed of a user connecting to the VPN, it creates a fake local server (or host name) with the same name, so the user is connected to the fake server after the second connection...

Indeed, in a country like Iran, the most secure VPN is only safe for the first time! Not at all.

Anonymous

November 18, 2014

- NoScript
NoScript Default : "Scripts Globally Allowed (dangerous)"

When you put this off (as you should) it will be set back to "Scripts Globally Allowed (dangerous)" every time you open a new tab or window.

Do we now have to disallow this every time we open a new tab or window, instead of maybe allow once in a while?

- Page info ... Security (Media, Feeds) ... still missing

It is 64 bit indeed ..

You can take advantage of the new security slider: click on the green onion -> Preferences... -> Privacy and Security Settings and change the value to "High". This disables JavaScript and a bunch of other things (see: https://trac.torproject.org/projects/tor/ticket/9387#comment:43 for the details) and is saved across New Identity/Restart. That said it might make sense to save custom settings this way as well. Should be available in the next release.

Thank you, I did find out the influence of the new slider function on NoScript after my posting.
Nice / good function that deserves the attention.

But please also consider changing at least one NoScript pre-setting under "Medium High".
One cannot consider "Scripts Globally Allowed (dangerous)" being activated as 'Security' (my opinion, you can discuss about it), and especially not associate it with High security settings (Medium High).

Deactivated under both 'High-labeled' settings would also be more balanced (2 times activated under Low, 2 times deactivated under High).

Compliments for the new Torbutton function showing the connection path with countries (saves a lot of time searching for trusted exit node countries; I do not understand the need for entry nodes in the Tor Browser user's own country, and maybe even direct neighbor countries as well)!
Hopefully that internet route function can be activated with a blank starting page as well, so people can judge a connection before they visit a website (now you have to visit an 'excuse' page first).

I did try to import the new Torbutton in the 4.0.1 browser, did succeed a bit but did not get the wanted extra internet connection path window working.
Would it be an idea to make this Torbutton version available for non-alpha users right away as well?
I hope so.

Thank you for answering my questions
Best regards

Anonymous

November 18, 2014

My TOR browser keeps crashing, it shows a message saying, You are unable to connect to the TOR network. It is happening to me almost every time I try to use my TOR browser, can someone please tell me why my Tor browser 4.0.1 is crashing so often?

Anonymous

November 18, 2014

I'd like to have an option for not closing the browser window upon changing identity.
There is already a preference "extensions.torbutton.close_newnym" for this in about:config, but it doesn't work because a "return" statement is missing after the preference test in chrome/content/torbutton.js:

    function torbutton_close_on_toggle(mode, newnym) {
        [...]
        if (newnym) {
            if (!close_newnym) {
                torbutton_log(3, "Not closing tabs");
                // no "return" here, so execution continues past the preference test
            }
        } else if ((mode && !close_nontor) || (!mode && !close_tor)) {
            torbutton_log(3, "Not closing tabs");
            return;
        }
        [...]
    }

Anonymous

November 18, 2014

Tried to create a bug report, but that needs an account, so I'm posting it here.

NoScript is always reset to allow all on startup. To reproduce:
- Download linux64 4.5-alpha-1 tor bundle and open
- Run addons update to get NoScript 2.6.9.4
- Turn off scripts globally allowed
- Close and reopen browser
* Scripts will again be globally allowed

I get why it's initially enabled, but I'm really hoping this is a bug. Thanks.

See my reply above. Yes, this may indeed be a bug. We should save custom settings as well or better: we should not fall back to the currently selected security slider mode.

Here's the anon account access (as guest):

user: cypherpunks
pass: writecode

(To Tor folks: it's probably a good idea to make this guest pass more widely known?...)