Tor Browser 4.5-alpha-1 is released

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only. This also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you have transitioned to this 64 bit release, the updater should function correctly.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS
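
The per-site isolation listed under Bug 3455 depends on Tor keeping streams that present different SOCKS credentials on separate circuits (the `IsolateSOCKSAuth` SocksPort flag). The following is an added example, not Torbutton's or Tor's code: it assumes the SOCKS username is the URL bar hostname and the password a constant, and the request list is constructed.

```javascript
// Isolation key: the hostname shown in the URL bar (assumption), never the
// host of the embedded resource that is actually being fetched.
function isolationCredentials(urlBarUrl) {
  const host = new URL(urlBarUrl).hostname.toLowerCase();
  return { username: host, password: "0" }; // constant password is assumed
}

// RFC 1929 username/password sub-negotiation request:
// VER(0x01) | ULEN | UNAME | PLEN | PASSWD, each field 1..255 bytes.
function socksAuthRequest({ username, password }) {
  const u = Buffer.from(username, "utf8");
  const p = Buffer.from(password, "utf8");
  for (const field of [u, p]) {
    if (field.length < 1 || field.length > 255) {
      throw new RangeError("RFC 1929 fields must be 1..255 bytes");
    }
  }
  return Buffer.concat([Buffer.from([0x01, u.length]), u, Buffer.from([p.length]), p]);
}

// Simplified model of IsolateSOCKSAuth: one circuit per distinct credential
// pair, so streams with different credentials never share a circuit.
function assignCircuits(requests) {
  const circuits = new Map(); // "user:pass" -> circuit id
  return requests.map(({ urlBar, resource }) => {
    const cred = isolationCredentials(urlBar);
    const key = `${cred.username}:${cred.password}`;
    if (!circuits.has(key)) circuits.set(key, circuits.size + 1);
    return { urlBar, resource, circuit: circuits.get(key) };
  });
}

// Constructed sample: two tabs, each embedding the same third-party script
// (cdn.example and the resource paths are made up for illustration).
const SAMPLE = [
  { urlBar: "https://check.torproject.org/", resource: "https://check.torproject.org/style.css" },
  { urlBar: "https://check.torproject.org/", resource: "https://cdn.example/widget.js" },
  { urlBar: "https://atlas.torproject.org/", resource: "https://atlas.torproject.org/app.js" },
  { urlBar: "https://atlas.torproject.org/", resource: "https://cdn.example/widget.js" },
];

for (const r of assignCircuits(SAMPLE)) {
  console.log(`circuit ${r.circuit}  ${new URL(r.urlBar).hostname}  <-  ${r.resource}`);
}
```

The third-party script is fetched over a different circuit in each tab, because the credentials follow the URL bar and not the resource's own host.
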
Anonymous

November 19, 2014

Hello and thank you so much for all the work on TBB and other associated projects.

I'm using Win 7 32 bit (don't laugh)

I always test my TBB using the ip-check.info site from JonDo to make sure all my settings haven't changed every time I open it to browse the web.

My 4.0.1 stable release only has 5 sections which are orange and therefore medium safe for tracking purposes:

Cookies
HTTP session
Referer
Do-not-track
Browser Window

I've just downloaded and successfully verified the new 4.5-alpha-1 TBB and everything on the ip-check.info site is the same except for one new area which went from green 'protected' (good) to angry red (danger):

Authentication

"This allows 3rd party tracking using HTTP authentication headers"

Is this a problem or should I not worry too much about it?

I'm so used to having all my sections green and orange, it would be a shame to lose that calming effect.

Loving the new TOR Circuit data btw, thank you whoever did that. :)

Anonymous

November 19, 2014

@ "...and different websites should use different circuits, even when viewed at the same time..."

Unfortunately, they do not! 6 tabs w/ diff sites open, but only 2 diff circuits for 6 of them. This would be a great feature, if it actually works.

Anonymous

November 19, 2014

Can anyone explain about MAC addresses:

I have heard Iran's cyber police do not need IP addresses. They figure out and nab offenders by system MAC addresses (or modem MAC addresses). Is it true? If yes, I'm curious to know how??

Anonymous

November 19, 2014

Sigh, it still doesn't work; a double proxy is required. China, Hubei, Unicom network.
Oops, cannot work by meek-amazon/azure here, in China...

Anonymous

November 19, 2014

New identity "Tor circuit for this site" function error ?

When you visit the page " https://check.torproject.org/ "
and follow the link "Atlas" to the page
https://atlas.torproject.org/#details/(a-Fingerprint-number-follows)
you will see the ip address as well as the country of the exit node.

Comparing the country and ip address of the 3rd 'station' before the 'internet' in the new Torbutton pane under "Identity" gives totally different results when compared to the results given on the Atlas page! (tested several times).

Which one gives the right country location of the exitnode?
And if the Torbutton is not giving the exitnode location in the 3rd 'station' during browsing, why not?
It seems to me that the exitnode country location information is what users want to see.

How do we know for sure that the new Torbutton pane is giving the right data?

The exit node you are seeing in the Torbutton pane is an exit node from ONE of Tor's (multiple) circuits but not necessarily the exit node you are exiting from; if you want to know your REAL exit node it would be best to use an IP checking service and just ignore whatever the Torbutton browser panel is saying.

it would be best to use an IP checking service

No I don't think so.
Some popular IP checking services do give a lot of times very different (or no) geo location/country results compared to the atlas results.
This experience is based on comparisons using Torbrowser 3.5 /3.6 versions and do not have anything to do with the new Torbutton function in Torbrowser 4.5.
I tended to believe the Atlas results.

Btw, a visible country flag (or country code top-level domain extension like Us, Ca, Aq) of the exitnode next to the Torbutton and NoScript button would be even more awesome.

Thanks for answering anyway

A lot of IP checking services do give the (local) time but are unable to check the (system) time unless javascript is enabled.

The behavior you are seeing makes perfect sense. The circuit is made dependent on the domain in the URL bar. Thus, first the domain is check.torproject.org and the fingerprint you find in the link to atlas is for the exit relay used for this domain. Now you go to atlas.torproject.org which is a different domain. Atlas shows the exit relay you used to visit check.torproject.org but if you look at the circuit UI while being on atlas.torproject.org you see the circuit used for reaching atlas.torproject.org which is very likely a different one.

Anonymous

November 19, 2014

I'm getting this error on Mac OS "A copy of Firefox is already open. Only one copy of Firefox can be open at a time." even though FireFox is closed. I restarted my computer and still got the same error.

Some thoughts on this Mac (only?) problem

Sounds familiar, I think it could be the result of wrong file permissions on files and folders.
Although the security-concept of "Read only" permissions on files is an attracting idea, it is not working on all the files in your Torbrowser application.

What you could do, just check the permissions on this folder (and some of their enclosed items) within your Torbrowser.app (ctrl-click on the app and choose "Show package contents").

- "TorBrowser" (directory within the Torbrowser.app)
Path: TorBrowser.app/TorBrowser/

When the user permissions on this folder and enclosed items are all set to "Read only" (select the folder and open the info pane with keys "cmd" "i") you will get the same FF warning while trying to start your Torbrowser.
At least one user in the permissions list (the .. local user/owner user, not "wheel" or "everyone") should have "Read & Write" permissions (when changing permissions, in this case also use the "Apply to enclosed items" option to that "Torbrowser" folder).

I don't know if this permission issue is directly related to your problem and if it's solving it. For me it did the trick.
But when it does, could it be that you did put your Torbrowser in a folder somewhere, set the permissions on read only for that folder while using the option "Apply to enclosed items"?
Then all the items within the enclosed application will get the "Read only" status as well and that won't work because Torbrowser has 'swallowed' a whole read & write directory with a lot of browser files you usually find in your local library, mozilla browser directory like (path) ~/Library/Application\ Support/Firefox.
These files change (at least some) while using your browser and therefore the permissions do need to have the status read and write.
Another possibility, from my experience is when you duplicate an already installed Torbrowser.app it sometimes will be (± 1 mb) smaller (files missing in the Torbrowser folder) and also not working.

In the end I think a reinstall of your Torbrowser app would be a better option than changing the read and write permissions within your app (but I could not resist to share some thoughts about this issue).

.. One last thing, Warning!
If you are experimenting with file permissions on your Mac ..
Be really really really careful with that, especially with the "Apply to enclosed items" option, extra especially with important (system)folders. Doing this on system directories or maybe on a whole hard disk can get you in deep trouble which will cost you a lot of work to get things working again, if so (disk utility won't help you with that, make sure you have at least a recent trustworthy back up of everything to replace the unfortunate results of too much experiment enthusiasm).

Good luck

Anonymous

November 19, 2014

"circuit status reporting UI (visible on the green Tor onion button menu)". Doesn't work with tor bridges tried obfs3, obfs4, scramblesuite. No circuit status UI comes up!!!!

Anonymous

November 19, 2014

The tor circuit status UI is not working in Bridge mode. The following have been tested: obfs3, obfs4, scramblesuit

Anonymous

November 20, 2014

Is it feasible to add support for more flexible proxy configuration with PAC scripts to Torbutton? Currently Torbutton only knows manual proxy setting (network.proxy.type 1) or direct connection (network.proxy.type 0) for transparent torification, but not network.proxy.type 2 for automatic proxy configuration with a PAC script (network.proxy.autoconfig_url with file:///... URL pointing to a local script).

With this feature and an appropriate PAC script it would be possible to connect to the open web and onion sites via Tor SOCKS and to other "darknets" via other proxies, e.g. connect to .i2p domains via the HTTP proxy port of the local I2P relay.
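
What a PAC script for the setup requested in this comment could look like, as an added example (not Torbutton code, and not a configuration Tor Browser ships). The ports are assumptions: 9150 for Tor Browser's SOCKS listener and 4444 for the local I2P HTTP proxy; the sample hosts are constructed.

```javascript
// Assumed local listeners (not from the comment): Tor Browser's SOCKS port
// 9150 and the I2P router's HTTP proxy port 4444.
var TOR = "SOCKS5 127.0.0.1:9150";
var I2P = "PROXY 127.0.0.1:4444";

// True only for names strictly under the suffix: "stats.i2p" matches ".i2p",
// "notreallyi2p" and "i2p.example.com" do not.
function underSuffix(host, suffix) {
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// PAC entry point. Routing uses string matching on the host only; PAC helpers
// such as dnsResolve() or isInNet() would look the name up locally.
function FindProxyForURL(url, host) {
  // Normalise case and a trailing root dot ("Stats.I2P." -> "stats.i2p").
  var h = String(host).toLowerCase().replace(/\.$/, "");
  if (underSuffix(h, ".i2p")) return I2P;
  // .onion and every other host go through Tor. "DIRECT" is never returned,
  // so an unmatched or odd hostname cannot bypass the proxies.
  return TOR;
}

// Constructed sample hosts, routed for a quick stand-alone check.
function routeAll(hosts) {
  return hosts.map(function (h) {
    return h + " -> " + FindProxyForURL("http://" + h + "/", h);
  });
}

console.log(routeAll(["stats.i2p", "example.onion", "www.example.com"]).join("\n"));
```
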

Anonymous

November 20, 2014

None of the meeks, obfs3, obfs4 or scramblesuit works in Iran.
Indeed, Tor works only directly and by using custom bridges.

Hmm, that's interesting. Lacking a vantage point in there to test things for myself, it's sort of hard to look into this further, though I'm surprised that they allow connections to the DirAuths and public relays, but explicitly block the default bridges and a bunch of cloud providers.

I assume if you obtain obfs3, obfs4 and ScrambleSuit bridges from BridgeDB that they work?

Anonymous

November 20, 2014

Good news: The obfs4 bridge can work normally in China.
Bad news: Where is the circuit status reporting UI? I can't find it anywhere! (TBB 4.5.1a zh-cn Windows version)
And I still can't edit certs in TBB. Please fix it as soon as possible.

Anonymous

November 20, 2014

"All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time."

From a general point of view, without being privy to the Tor protocol details, it occurs to me that recent changes like only one entry guard and the aforementioned single circuit per website reduces complexity for an observer. Indeed I would have wished for this as an observer: With less elements involved and a clear separation of streams per site there is less doubt about who does what and correlation appears much easier to me.

Is there an objective analysis backing these design decisions? Because for me they are counterintuitive.

Exactly! Mixing circuits is like a built-in fuzzer! Now I understand it may be necessary for the implementation of the circuit status reporting.... but what exactly will that do? Hopefully it will be worth the tradeoff. And even more importantly, hopefully Tor soon implements some channel masking measures to thwart traffic correlation attacks.

Anonymous

November 20, 2014

I downloaded the mac version and when I tried to open it it gave me error "firefox is still running, close firefox..." even though firefox was not running.

I got that on Windows 7 today. I had to hard kill obs4 exe, it kept running after Tor and the Tor Browser (FF) were shutdown.

Anonymous

November 20, 2014

Does the per-site circuit isolation also isolate cookies, in-memory cache objects, etc.?

Cookies: Obvious concern.

Cache: Evercookie-style tracking via last-modified, etag, etc. using appropriate HTTP headers (If-Modified-Since/If-None-Match). Perfect for linking sessions loaded with "Like/Tweet/+1" buttons, and other assorted evil web bugs.

Local storage: (Does Tor Browser even allow this at all? It shouldn't.)

Separate questions:

* Do Security Slider's higher settings disable remotely-loaded webfonts? (CUT YOUR ATTACK SURFACE, always disable these when you disable script! Font rendering code is complicated, and often ignored from a security perspective; it has been subject of exploits before. Obviously, disabling HTML5 fonts while permitting script would be stupid, and allow some fingerprinting.)

* Do Security Slider's higher settings disable HTML5 audio/video, or at least make them require user action to play? (Same issue, codecs are complicated beasts...)

Thanks!

No, the per-site circuit isolation has no influence on the cookie/cache etc. isolation. We are already binding e.g. the cache to the URL bar domain. Have a look at https://www.torproject.org/projects/torbrowser/design/#identifier-linka… for where we are now in this regard.

For the security slider related questions see:
https://bugs.torproject.org/9387#comment:43 Disabling MathML and SVG is still missing; all the other things should be implemented accordingly.

Anonymous

November 20, 2014

How can I remove the annoying search bar from a blank page?

Anonymous

November 20, 2014

A bug? If the open tab is shut using the X the whole browser closes. This did not happen on the 3 series TOR. If you clicked on the tab to close it a new tab opened.

Anonymous

November 21, 2014

How should I get obfs3 bridges for Tails?
Why does Tor Browser on Tails not support obfs3??!!!

Which one do you recommend?

Using my own Windows and Tor Browser 4.5-alpha-1? (Of course with changing MAC address.)

or

Tails operating system??

I am not able to config bridges on Tails! It connects directly.

-"how should i get obfs3 bridges for Tails?"
Copy and paste them from bridges.torproject.org to a .txt file and move them to a USB/flash stick, and when you boot Tails and are asked for bridges, copy and paste the ones on the USB/flash stick.

-" why Tor Browser on tails does not support obfs3 ??!!!"
It does support obfs3, it even supports scramblesuit

-"using my own windows and Tor Browser 4.5-alpha-1?(of course with changing mac address) or Tails operating system??"
Tails on a DVD (much better than on USB) is definitely recommended over any other operating system, even Linux. I would have explained the reasons, but there's simply not enough space here for it.

-"i am not able to config bridges on Tails ! it connects directly "
that's because you have to choose "more options" after you boot it, then a new window will appear, at the bottom of this long window there's a box that begins with "my connection is censored..." click it and then click login. after you connect to a wifi connection it will ask you about bridges.

Thanks so much! It now works fine.
But when I verify tails.iso this message appears: Bas signal

Does it mean I should redownload the ISO image???

Anonymous

November 21, 2014

"...Tor Browser 4.5 series...restoring one of the features most missed by users following the removal of the now-defunct Vidalia interface from Tor Browser — the ability to quickly visualize the Tor circuit that the current page is using."
(blog.torproject.org/blog/tor-weekly-news-—-november-19th-2014)

A Vidalia main feature is 'Close Circuit' -for privacy highlights like US-US-US(-:.
I get this,too?

Anonymous

November 22, 2014

Thanks for listing obfs4 in the Tor Metrics> Users> Graph: Bridge users by transport.

Anonymous

November 23, 2014

Weird connection issue.

I noticed that after several 'new identity' reloads that if I then checked the 'tor circuit for this site' charts, the first hop was always 173.255.249.222 which seems to be a location in the USA. Looking up 'who is' it is not traceable. As I am not in the USA I find this peculiar as I thought the whole route was changed if the browser was reloaded. Incidentally I reloaded it about 20 times to check and used http://ipcim.com/hu/ to check.

Anonymous

November 23, 2014

If I visit a malware website with JS disabled **using Tor**, would I get infected with malware?