Tor Browser 4.5-alpha-1 is released

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only, which also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you transition to this 64 bit release, the updater should function correctly after that.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS

"It depends on the malware. Disabling javascript is not a cure-all. Many attacks on browsers rely on javascript, but also many don't rely on it."
I just want to know if it can still download and run a virus/rat/rootkit/etc... can it?

Anonymous

November 25, 2014

Permalink

"Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs "
I can;t find this UI anywhere! (Yes, I clicked the tor button and still nothing)

Anonymous

November 25, 2014

Permalink

I wanted to open the following ticket, but then I saw the "Register" button. So I'm just going to write it here:
Mention TAILS and OrBot in about:tor

Anonymous

November 25, 2014

Permalink

The "Reset To Browser" in safe boot modus is still breaking the Torbrowser by throwing away the "profile.default" folder and replacing it with another having exotic names like this "3uizc0hnh.default-49752159205" (changed it a bit, don't know if its some kind of a code? It also looks like a nice, more unique, fingerprint).

After reset, Torbrowser will not connect to the Tor network anymore and looks like a normal Firefox without internet (still, you can use it as a local html page viewer then, very private and safe ;)

I don't know why you should use the reset function anyway. A fresh clean installation of Torbrowser seems anyhow a better idea to me, it's very easy (be sure that you backup first the necessary bookmarks, if you have, or other changes, if you have, for an easy import in the fresh Torbrowser).

Anonymous

November 25, 2014

Permalink

I really like the new feature that allows us to see where the used relays are located.

That made me see a security threat - sometimes all three relays are based in the same country or the entry and exit. I think there should be additional code added to make sure this never happens, imagine the chaos when exit and entry node is from the USA and controlled by NSA. Overall the Tor Browser 4.5-alpha-1 is great.

Anonymous

November 28, 2014

Permalink

Torbutton - Entry Guards & Exitnodes

Would it be an idea to introduce a "New Entry Guard" option beside the "New Identity" option in the Torbutton menu, so people can change easily their (unwanted country) entry guard?

Now you have to reinstall a fresh Torbrowser copy or throw some files away from the app internals to accomplish getting rid of an entry guard you feel not comfortable with.

Regarding the eavesdropping lab experiments news
Would, could it be possible to avoid the possibility that the entry guard and the exit node are the same country?
It happens quite often, even 3 times the same country in the Tor Circuit list.
Avoiding this maybe would make it harder to accomplish eavesdropping by connecting data analysis from entry guards and exitnodes?

See
https://trac.torproject.org/13843
for more discussion on this topic.

The short answer is that you're right that it could help against certain attacks, but it also likely hurts against certain attacks. So it probably isn't wise to expose this sort of thing to users, who will all use whatever their intuition is and end up splintering the anonymity set. The better answer would be to write up the known upsides and known downsides so people can make more informed decisions. See (and help with!) the ticket.

Anonymous

November 29, 2014

Permalink

Just set up TOR 45-alpha-1. I have a problem with the tabs and wonder if anyone knows a fix? With the older 3 series if you shut down one tab a new one opened automatically so the program stayed open. With this new version if I close the only tab that is open the whole program shuts which is a real annoyance. Anything in the settings that I can change to avoid this?

Win XP pro3

Anonymous

December 01, 2014

Permalink

I would like to run Torbrowser in read-only media, is this possible? I just extract the Torbrowser folder to read-only media and tried to run it, but the program broke when he tried to modify read-only files on it. Torbrowser works in live mode?

That's what I also wrote in this (long) post

On November 25th, 2014 Anonymous said:

Some thoughts on this Mac (only?) problem ...

It won't work.
Besides, on usb fat formatted disks you can't even set filepermissions (or am I wrong?). Setting file permissions will work on Mac hfs formatted usb sticks or disks. But you can't set all the internal app files to read only (see post).

Anonymous

December 02, 2014

Permalink

Startpage behaviour

People already mentioned Cloudfront is showing unacceptable behavior towards Torbrowser users.
We know Google (if you are using it) let's you fill in Capchas for simple services as well (quite dualistic behavior when they are part of the meek options in Torbrowser).

Now for a while Startpage has started asking you on a regular basis (a lot of times) to do the same thing, very annoying because you have to refresh the whole connection (there goes another open webpage besides your search) and it seems you sometimes even first have to start a renewed search attempt with another search term too ! (to avoid another captcha message)

Time for a constructive talk with Startpage company about this?
Or switch to another standard more 'legitimate' search engine for the best experience for Torbrowser users?

Their message in this very degrading service experience

Startpage

As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.

Thank you,
The StartPage Team
Please enter the text below to continue using StartPage.

Text in image is case-sensitive.
Having trouble reading the CAPTCHA?Please click here to view a new CAPTCHA.
You may do this as many times as you need.
Time remaining for this CAPTCHA : 02:00

..............

Submit

(I know the Manage Search options, btw)