Tor Browser 4.5.1 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.

The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
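The difference between isolating on the full domain name and isolating on the base domain can be shown in a short sketch. This JavaScript is an added example, not Tor Browser's code; the function names and the six-entry public-suffix subset are assumptions made for illustration, and the sample URLs are constructed.

```javascript
// Added illustration, not Tor Browser source code.
// Constructed subset of the Public Suffix List; real code needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "org.uk"]);

// Return the base domain: the longest matching public suffix plus one label.
function baseDomain(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  // IP literals have no base domain, so they are isolated as-is.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":")) return h;
  const labels = h.split(".");
  for (let i = 0; i < labels.length; i++) {
    // Candidates go from longest to shortest, so the first hit is the longest suffix.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix: keep it whole.
      return i === 0 ? h : labels.slice(i - 1).join(".");
    }
  }
  // Suffix not in the subset: assume a one-label suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : h;
}

// Isolation key for the site shown in the URL bar.
// mode "fqdn" = behaviour described for 4.5, "base" = behaviour described for 4.5.1.
function isolationKey(urlBarUrl, mode) {
  const host = new URL(urlBarUrl).hostname;
  return mode === "fqdn" ? host : baseDomain(host);
}

// Group URL-bar addresses by key; each group shares circuits and identifiers.
function partition(urls, mode) {
  const groups = new Map();
  for (const u of urls) {
    const key = isolationKey(u, mode);
    groups.set(key, [...(groups.get(key) || []), u]);
  }
  return groups;
}

// Constructed sample: a file host spread over several subdomains, plus others.
const SAMPLE_URLS = [
  "https://www.example.com/file/123",
  "https://dl3.example.com/get/123",
  "https://login.example.co.uk/",
  "https://static.example.co.uk/app.js",
  "https://example.org/",
];

for (const mode of ["fqdn", "base"]) {
  const groups = partition(SAMPLE_URLS, mode);
  console.log(mode, groups.size, [...groups.keys()].join(" "));
}
```

Under "fqdn" the five sample addresses land in five separate groups; under "base" the two example.com hosts share one group and the two example.co.uk hosts share another.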

We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.

With this release, 4.0 users will now be updated automatically to the 4.5 series.

Note to MacOS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32 bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.

Here is the list of changes since 4.5:

  • All Platforms
    • Update Firefox to 31.7.0esr
    • Update meek to 0.18
    • Update Tor Launcher to 0.2.7.5
      • Translation updates only
    • Update Torbutton to 1.9.2.3
      • Bug 15837: Show descriptions if unchecking custom mode
      • Bug 15927: Force update of the NoScript UI when changing security level
      • Bug 15915: Hide circuit display if it is disabled.
      • Translation updates
    • Bug 15945: Disable NoScript's ClearClick protection for now
    • Bug 15933: Isolate by base (top-level) domain name instead of FQDN
    • Bug 15857: Fix file descriptor leak in updater that caused update failures
    • Bug 15899: Fix errors with downloading and displaying PDFs
  • Windows
    • Bug 15872: Fix meek pluggable transport startup issue with Windows 7
  • Build System
    • Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Anonymous

May 16, 2015

In reply to by Anonymous (not verified)

I wanna thank anyone and everyone involved in help provided to keep what we say and do private. From regular Joes like me to others who must be incognito. I once again thank everyone for what you do.

Anonymous

May 12, 2015

This happened also on previous updates.

When tor is updated, timestamp on log output wrap
to UTC time (I assume)

May 13 06:28:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
May 13 07:37:27.000 [notice] Owning controller connection has closed -- exiting now.
1431491849254 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849255 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849255 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849256 addons.update-checker WARN HTTP Request failed for an unknown reason
May 13 04:37:30.136 [notice] Tor v0.2.6.7 (git-ac600bec40c14864) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1m and Zlib 1.2.3.3.
May 13 04:37:30.136 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning

Are you concerned about the errors? They are essentially false positives

You mean that

ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
May 13 07:37:27.000 [notice] Owning controller connection has closed -- exiting now.

OK.

When tor is updated, timestamp on log output wrap to UTC time (I assume)

Of course log output timestamp returns to correct when tor is manually restarted.

May 13 04:37:31.000 [notice] Bootstrapped 100%: Done
May 13 04:37:32.000 [notice] New control connection opened from 127.0.0.1.
May 13 04:37:32.000 [notice] New control connection opened from 127.0.0.1.
May 13 04:44:27.000 [notice] Owning controller connection has closed -- exiting now.
removed:~$
removed:~$ tor --verbose
May 13 07:44:40.550 [notice] Tor v0.2.6.7 (git-ac600bec40c14864) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1m and Zlib 1.2.3.3.
May 13 07:44:40.550 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
May 13 07:44:40.550 [notice] Read configuration file "/home/removed/.tor-browser/Browser/TorBrowser/Data/Tor/torrc-defaults".

Seems that tor does not preserve timezone information when it restarts itself?

There is no TZ variable in the environment (when tor is started from command line).

Also seems that tor browser (that version and previous version) also crashes sometimes.

(firefox:5265): GStreamer-CRITICAL **: gst_plugin_feature_get_name: assertion `GST_IS_PLUGIN_FEATURE (feature)' failed
/home/removed/bin/tor: line 368: 5265 Segmentation fault TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class "Tor Browser" -profile TorBrowser/Data/Browser/profile.default "${@}" > /dev/null
removed:~$ Jun 01 12:46:43.000 [notice] Owning controller connection has closed -- exiting now.
removed:~$

This is not the only case.

Anonymous

May 12, 2015

Jondonym's anonymity test on http://ip-check.info/index.php?lang=en shows a red field marked "bad": window.name is traceable. Your unique ID: ###### (the same number as the "local storage" ID which is marked orange (medium risk)).

With the "Smart Referer" Firefox extension installed and configured as follows:
Mode > send nothing as referer
Strict (treat subdomains as different domains) > unchecked

the test shows a green field marked "good": window.name has been anonymized.

So Tor Browser really needs an additional extension to prevent tracking???

You don't need an additional extension. If you move the security slider under Onion -> "Privacy and Security Settings" to high, JavaScript gets disabled, and window.name disappears.

Anonymous

May 13, 2015

32bit Debian Wheezy user here. I successfully auto-updated from TBB 4.0.8 to 4.5.1 . Auto-update worked perfectly for me! Thank you.

Anonymous

May 13, 2015

13.05.2015 11:19:56.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
13.05.2015 11:19:56.779 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
13.05.2015 11:20:05.776 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 10; recommendation warn; host 5C69846F6B71D1C55475987FEAD2F96D62A4CD92 at 89.163.227.28:9001)
13.05.2015 11:20:07.320 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 11; recommendation warn; host 3018E8B182E44AA4AEFA19972BA71B34E4A183C2 at 188.230.91.135:9001)
13.05.2015 11:20:07.775 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 12; recommendation warn; host E2BD5F4F366DB494EA1FAD785CFA53F9439BB110 at 162.248.94.205:5277)

Anonymous

May 13, 2015

"The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic." Why is that?

Anonymous

May 13, 2015

My default search engine was changed to disconnect.me in this update, instead of the ol' Startpage. Can anyone offer a comparison of the privacy they guarantee to help me choose?

Thanks Tor Team for this update, by the way!

I hadn't seen that additional search engine.
I tried a search. The site creates a unique url that omits search terms. The unique part looks like about 20 hex characters plus dash characters.
I reloaded the url and the page showed the same results and search terms. But assuming this url is a "permalink", a bookmark would need manually added information, because the url doesn't give a clue.

Anonymous

May 13, 2015

According to Tails' blog posted a few hours earlier than mikeperry's post, it's stated "We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits."

If Tails' developers are correct, why do Tor developers not disable it in the Tor Browser Bundle 4.5.1?

Would mikeperry, erinn or arma wish to clarify?

This is **exactly** what I wanted to ask in the Tails blog post, but they don't allow asking questions in their blog here (which is pretty lame, IMO!). Also, Tails doesn't have their own blog at their site, or easy way to contact them :(

I would really like to get a response on this, as well.

Looking at the tails changelog I see this:

"Unfortunately its per-tab circuit view did not make it into Tails yet since it requires exposing more Tor state to the user running the Tor Browser than we are currently comfortable with. (Closes: #9031, #9369)"

But it looks like this issue is about #9333?
https://labs.riseup.net/code/issues/9333

I don't see why allowing it via Vidalia is better, or more conformable? And what exit node would Vidalia show, considering each website may use a different exit node with current TorButton?

And I don't see why it's a security risk to have the per-tab circuit view.

Comments from experts would be very welcome.

I really think if Tails has a blog here they should allow comments for each post. Or if not, they should include info on how best to contact them regarding blog post xyz.

Tails has a different threat model, in that they need to account for other applications' traffic going out over a system-wide Tor instance, vs just Tor Browser's traffic (the bulk of the Tor Browser users).

I'm not particularly convinced that allowing Vidalia (long since unmaintained) full control port access is any better than allowing Tor Browser (which is maintained but presents a much larger attack surface) control port access, but I am not a Tor Browser developer, and can be quite paranoid at times.

See: https://trac.torproject.org/projects/tor/ticket/8369

Anonymous

May 13, 2015

ip-check.info couldn't detect or display computer time here, is it being protected by TBB or just a trick?

Anonymous

May 13, 2015

Is Tor still safe while running via a local proxy? (For example: Freegate)

Anonymous

May 13, 2015

In reply to by Anonymous (not verified)

FreeGate is not an open source project and is developed by US government, be careful.

FreeGate is indeed not open source, and is probably bad news for a variety of reasons. But I know some of the FreeGate developers, and as far as I know they are not "the US government".

Sticking to facts on critiques of closed-source systems will help people learn to reason about them better. :)

You might also enjoy
https://svn.torproject.org/svn/projects/articles/circumvention-features…

Anonymous

May 13, 2015

Could I please direct gk's attention to my last two posts under 4.5 regarding a possible problem with DNS lookup?

Since the above changes to 4.5.1 do not mention any change to dns look up, presumably the problem will still affect 4.5.1.

Thank you

There is no bug with respect to DNS lookups that we know of. Not sure what your setup is like but Vidalia is not included anymore in Tor Browser for a while now as it is unmaintained. We strongly recommend using Tor Browser instead of some home-grown setups.

GK thank you for your response:

a - I use Tor Browser, plus Vidalia since, disappointingly, the new TOR versions do not give as much information as Vidalia did/does.

b- Just because Vidalia is no longer maintained does not mean that it no longer works.

c- I still feel that there is a problem re DNS (but due to the indecipherable captchas on Trac Tor I cannot report it) or else why would I see the warning: "Potentially Dangerous Connection! - One of your applications established a connection through Tor to "XXX:XXX" using a protocol that may leak information about your destination. Please ensure you configure your applications to use only SOCKS4a or SOCKS5 with remote hostname resolution." ??

Thank you

Anonymous

May 13, 2015

I wanted to congratulate the team again for closing the window between Firefox releases and TBB releases. I believe this has a real, positive impact on user security and comfort with TBB, and I appreciate the work it's taken to orchestrate everything to make this possible.

Anonymous

May 13, 2015

"Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name."

Updated from 4.0.x. This doesn't work. Worse, I used to fix it with a new circuit using Vidalia. Now that doesn't work either.

Can it be disabled?

Anonymous

May 13, 2015

"Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name."

Isn't that like .com and .org?

More like .torproject.org .torproject.co.uk which is why we used "base domain" and included "(top-level)" implying that there are no subdomains involved anymore.

Anonymous

May 13, 2015

1. What is the latest stable Tor version?

2. Is the website tor standalone for windows up to date?

3. Why would the tor included in windows browser downloads be a newer version ever then the stand alone offered?

4. Why does the windows stand alone use Libevent 2.0.21-stable when .22 is available?

5. For security best practices, why are there so many different webpages, with inconsistent changelogs, varying from OS to OS, using confusing to the masses unix style presentation?

6. Why discontinue vidalia without a replacement? Isn't bringing tor to the attention of the masses a good thing? Where is the windows ease and understanding?

you guys do some VERY good things, but then you do some VERY dumb things. Every month you should approach your project as if a complete outsider! How does it appear/function communicate/empower someone with no knowledge whatsoever. etc. Clear concise transparency, with expected routine standardized practices would do you so well!

Instead we have different keys signing, different amounts of info released depending on who does it, a mailing list from 1994 AOL, etc. I know this sounds like a rant, but THANK GOD for the tor blog. at least there is some kind of modern interaction with the people.

tor blog (here) is OK, except I must enable images to see text. To repair this, I could import a stylesheet in usercontent.css, but it seems easier to make blog.torproject.org readable with images disabled.
Really, this is a minor complaint, but also very easily fixed.

and thanks for tor, tbb, and the necessary backing projects.

As for 5. here you can find the reason:
https://tor.stackexchange.com/questions/1075/what-happened-to-vidalia
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…
The short answer is: Tor Browser Button (TBB) replaced Vidalia (and its features), because Vidalia has no active developer who is working on it and its source is some years old.

And as you can see at the first link there is also another way where you can get information about Tor - Tor stackexchange.

Anonymous

May 13, 2015

I get failure from drain FD, with latest tor, any ideas? It seems to work ok, but sometimes I get massive numbers of them, suppressing 7200 in last etc.. ....

I get this error too.
Jun 13 11:29:24.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jun 13 11:29:24.000 [warn] Failure from drain_fd
Jun 13 11:29:24.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jun 13 11:29:28.000 [notice] Performing bandwidth self-test...done.
Jun 13 17:29:23.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 2 circuits open. I've sent 3.30 MB and received 9.70 MB.
Jun 13 17:29:23.000 [notice] Average packaged cell fullness: 98.818%. TLS write overhead: 21%
Jun 13 17:29:23.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 4/4 NTor.
Jun 13 17:29:23.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 23 v4 connections; and received 0 v1 connections, 12 v2 connections, 30 v3 connections, and 499 v4 connections.
Jun 13 18:08:58.000 [warn] Failure from drain_fd [3 similar message(s) suppressed in last 7200 seconds]
Jun 13 20:10:36.000 [warn] Failure from drain_fd [10 similar message(s) suppressed in last 7200 seconds]
Jun 13 22:15:03.000 [warn] Failure from drain_fd [12 similar message(s) suppressed in last 7200 seconds]

Anonymous

May 13, 2015

The problems with Google recaptcha system still continue.
It is important to remember that Google has changed the old text verification system to an image verification system. Now the images of recaptcha system are not displayed via the TOR browser and apparently this is a unique Tor browser problem.
Even completely disabling HTTPS Everywhere and Noscript extensions to leave it as close to the Firefox the problem still occurs.
Please take a close look at this because Google recaptcha is used in many many sites.

I am having the same problem with Google's new multi-image reCAPTCHA puzzles that have replaced the old "twisted and distorted letters," making it impossible for me to access a number of websites using Tor Browser. The images necessary to solve the puzzle are not displayed. I can confirm that the problem is NOT solved by disabling plugins (HTTPS-Everywhere, NoScript) and/or enabling third-party cookies (but even if these steps did solve the problem, it wouldn't be a good thing).