Tor Browser 4.5.1 is released
A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.
Tor Browser 4.5.1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.
The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.
With this release, 4.0 users will now be updated automatically to the 4.5 series.
Note to MacOS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32 bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.
Here is the list of changes since 4.5:
- All Platforms
- Update Firefox to 31.7.0esr
- Update meek to 0.18
- Update Tor Launcher to 0.2.7.5
- Translation updates only
- Update Torbutton to 1.9.2.3
- Bug 15837: Show descriptions if unchecking custom mode
- Bug 15927: Force update of the NoScript UI when changing security level
- Bug 15915: Hide circuit display if it is disabled.
- Translation updates
- Bug 15945: Disable NoScript's ClearClick protection for now
- Bug 15933: Isolate by base (top-level) domain name instead of FQDN
- Bug 15857: Fix file descriptor leak in updater that caused update failures
- Bug 15899: Fix errors with downloading and displaying PDFs
- Windows
- Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- Build System
- Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
- Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Maybe disconnect.me gives
Maybe disconnect.me gives good search results, but it do not have proxy service as startpage.com does. The latter provides an alternative link for each search result. If the destination server requires a captcha for Tor users, one can follow the link to proxy request and avoid the captcha. This is frequent situation.
I noticed this too. I use
I noticed this too.
I use the ixquick/startpage proxy to avoid captcha and access sites that block tor exit relays hundreds of times per day. I find it very useful.
US$.02
I use it all the time. Many
I use it all the time. Many sites block Tor completely with no captcha.
Being in Europe I can trust StartPage more than Disconnect.me.
There is a bug in Tor browser home page. When I change my search engine in the drop-down to StartPage. I can search in the search box on the "congratulations" page and uses disconnect.me. If I open a new tab and search in the box on the blank tab, it uses my choice StartPage.
Sounds like a great thing to
Sounds like a great thing to open a ticket about (https://bugs.torproject.org/)
There seems to be a problem
There seems to be a problem with 4.5.1 and Chatzilla, socket problem
Could you be a bit more
Could you be a bit more specific? Filing a bug at https://bugs.torproject.org might be a good idea as well.
"We also have temporarily
"We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well."
If the problem is false positives, is there any harm in a user enabling ClearClick protection? I'd rather be safe than sorry, so false positives are fine with me as long as Tor + NoScript catch 100% of true positives.
But I'm not a technical person, so I'd greatly appeciate a simplified explanation if enabling ClearClick protection is not advised.
Thank you for your hard work!
for a few seconds, I had an
for a few seconds, I had an idea that instead of temporarily disabling, add temporary note to clearclick option. but users wouldn't know to look in clearclick option when they experienced the unpredicted new (temporary) behavior caused by clearclick complication.
bah.
I don't know if the problem
I don't know if the problem lies with TorBrowser or Chatzilla, but since the update, I get a "error creating socket" message when launching Chatzilla.
You can try editing
You can try editing torrc-defaults and adding a new SocksPort as such:
SocksPort 8150 NoIsolateSOCKSAuth
Then edit the proxy settings in Chatzilla to use Socks port 8150. The 'NoIsolateSOCKSAuth' means no username and password is required in Chatzilla's proxy settings.
torrc-defaults is located at 'tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults'
I have OPs problem; "error
I have OPs problem; "error creating socket".
I've added SocksPort 8150 NoIsolateSOCKSAuth below SocksPort 9150.
What do i put in Chatzilla >> Preferences >> Global Settings >> Proxy Type: ?
Neither of http://chatzilla.hacksrus.com/faq/#proxy settins works, where can I chose the new port?
Thx so far!
I downloaded the new Tor
I downloaded the new Tor browser bundle 4.5.1. It put a new shortcut icon on my desktop when it hadn't before on previous updates. It's just a globe (slightly larger than the older icon) instead of the previous globe inside a folder icon. Before I would have to click open the older folder icon, then click the globe to start running Tor. Can I delete the older shortcut icon which was a globe inside a folder icon?
Updated yesterday to
Updated yesterday to 4.5.1
Now I cannot use youtube videos.
Tried global allow noscript, still would not work. I managed to get one youtube video to play that was embedded on another site by clicking in the blank area and receiving a message from noscript and temporarily allowing what it asked.
Am I doing something wrong, or is youtube now completely blocked by torbrowser >4.5.1?
You have to set security to
You have to set security to low; youtube doesn't seem to like the video & audio click to play feature.
I'm using Tails and don't
I'm using Tails and don't understand something:
https://blog.torproject.org/blog/tails-14-out
"In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits."
"Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website."
Tails1.4 is using TBB4.5.1.
https://blog.torproject.org/blog/tor-browser-451-released
"Isolate by base (top-level) domain name instead of FQDN"
While browsing, i have 2 circuits or more in same time for same domain.
Circuits are changing periodically like? all TBBs before.
TBB 4.5.1 -in Tails- seems
TBB 4.5.1 -in Tails- seems to have a lot of circuit changing with Javascript ON; with not allowed in NoScript, too?
Why 2 circuits on blog.torproject.org, too? Cookies?.
"New identity" a little bit delayed? ~1/2 second
No automatic update for
No automatic update for 4.5.1 on Win 32.
You have to download the whole 34 mb package then delete old ver and install the new.
In your
In your https://dist.torproject.org/torbrowser/4.5.1/ site, there is no sha256sums.txt listed. There is, however, a file named
sha256-unsigned-build.txt. In it, the checksum listed for torbrowser-install-4.5.1_en-US.exe does not match the checksum you get
you run sha256sum.exe on the torbrowser-install-4.5.1_en-US.exe download.
W.T.F.?!?
Is it safe to use a VPN then
Is it safe to use a VPN then run TOR?
I would like to know the
I would like to know the official answer to this too. If you watch some of the videos from "The Grugq", he says NO it isn't. He said Tor over VPN = go to jail, use Tor to a VPN. I am not sure how to do that and doubt you could use the Tor Browser Bundle in this way. It seems very complicated and a lot of users do not understand all this. All VPNs keep logs, no matter what they claim and we now know VPN traffic is recorded by GCHQ in the UK and NSA is the USA.
It probably depends what you are doing, but if any of the experts can give us an answer it would be good. We are all here to learn and we all had to start somewhere!
The file
The file sha256sums-unsigned-build.incrementals.txt from https://dist.torproject.org/torbrowser/4.5.1/ contains SHA256 a0627fa49687142a8d2b21efd32b60fc334948528845a48721de8a6e988d6c60 but when downloading the file the SHA256 is bf4f0141752aac07a0a6a76ad9e237e5be24d238c35ac4694df62b0493707702 for file tor-browser-win32-4.5-4.5.1_en-US.incremental.mar
What is wrong?
Hey, me too. Great question.
Hey, me too. Great question. I'll point the TB folks to this one.
[Edit: Ah, I wonder it has to do with this:
https://blog.torproject.org/blog/tor-browser-45-released#Security -- the windows packages are now signed the Windows way too, which modifies them from the original build.]
[Edit later: Here is your answer: https://trac.torproject.org/projects/tor/ticket/15864 ]
Thanks to TBB developers for
Thanks to TBB developers for the long-awaited security slider! Still testing it.
What is the latest advice on whether or not to choose the "disable all scripts (recommended)" option in NoScript?
Don't use that one. If you
Don't use that one. If you really want to disable all scripts set the security slider to "High".
Since TBB 4.5.1 update, Tor
Since TBB 4.5.1 update, Tor remains disabled (on TorButton) and can't find a way to enable it, main TBB page says it is configured to use tor, but can't connect to onion sites.
I'm using Privoxy chained with TBB, on previous versions didn't had any issues with that.
I am having the same issue.
I am having the same issue. Has anyone solved this ?
How do you enable and
How do you enable and disable the circuit display on Torbutton?
By flipping
By flipping "extensions.torbutton.display_circuit" in about:config.
Hey, after I installed the
Hey, after I installed the update, I got a runtime error trying to open tor.
It says:
Microsoft Visual C++ Runtime Library
Runtime Error
Program: C:/ Users/Admin/Desktop/TorBrowser/Browser/TorBrowser/Tor/tor.exe
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
Any ideas? I'm not so good with technical jargon. All I know is that the browser worked before the update, but now it doesn't.
I am having the exact same
I am having the exact same issue. Even tried reinstalling Visual C++ runtime library, tried the experimental version, even tried reverting to 4.5, not working. Empty log too.
Any ideas are appreciated... I was running fine through many updates until this happened.
I'm having the same issue
I'm having the same issue here, I'm on WIn7 64x
Try deleting the directory
Try deleting the directory where the Tor browser is located then reinstall.
Something changed. Not sure
Something changed. Not sure what, and I had to redo my Debian config, using TBB as my default-for-everything browser. I note with immense approbation that the *start-tor-browser* script now passes along all user-supplied command-line arguments to *firefox*, including --allow-remote. This allows me to decommit my own cobbled-together script, which I'm calling progress.
In grateful return and in humble support of herd immunity from surveillance, I've decided not to maximize my browser window, anymore.
Is it safe to allow saving
Is it safe to allow saving of web history in TBB or no?
That depends on your threat
That depends on your threat model. If someone gets access to your computer and goes through your browsing history, then no.
I noticed some changes in
I noticed some changes in the start-tor-browser script (new options supported) and a brand new file: start-tor-browser.desktop, but neither of these are mentioned in the changelog, or on the blog.
In the future, please provide some documentation when you make changes to such important files!
If other users are interested, you can find some info in the following tickets:
https://trac.torproject.org/projects/tor/ticket/13375
https://trac.torproject.org/projects/tor/ticket/15747
(and probably some other tickets?)
I also noticed the startup script doesn't log messages to the terminal window anymore, which was the default behaviour (and useful); can you please document a way to get that back working?
>I also noticed the startup
>I also noticed the startup script doesn't log messages to the terminal window anymore
Type this in the terminal window :
./start-tor-browser.desktop --verbose
or
./start-tor-browser.desktop --help
i have several problems
i have several problems since the update. websites does not load, the new search field does not show any result.
connection seems to timeout, "new identity" solve this
but before i did not have such problem
on my linux vm, these problems are not happening
Comodo Firewall: firefox.exe
Comodo Firewall: firefox.exe could not be recognized and it is about to modify the protected registry key HKUS\Software\Microsoft\CurrentVersion\Internet Settings\ProxyEnable. You must be sure firefox.exe is a safe application before allowing this request.
Starting from version 4.5.1,
Starting from version 4.5.1, I can't chain Tor with Privoxy, I have configured Privoxy config file to forward socks5t and in TorbButton's network preferences have configured properly the socks proxy to use (127.0.0.1:9150).
In the browsers network options whenever I configure the HTTP proxy for (127.0.0.1:8118 -Privoxy's listen port), Tor gets disabled on the browser (TorButton marked with a red cross), and can't make any connections (http, https or onion).
On previous version I used (4.0.8), I was able to configure the HTTP/HTTPS proxy for Privoxy, but not on this version.
Can anyone give advice as how can I accomplish this? Thanks in advance.
Maybe your Privoxy problem
Maybe your Privoxy problem has something to do with The Tor Browser (TBB) isolating Tor circuits based on the Top Level Domain Name your trying to visit. Tor's Socks port 9150 accomplishes this isolation using a unique proxy username/passwords for each Top Level Domain Name (I believe).
Try creating a new Socks port that doesn't require a username/password. Seeing as your proxy chaining Tor through Privoxy, chances are you're not going to be able to take advantage of Tor's new Top Level Domain Name circuit isolation feature anyway.
Instructions on how to create a new Tor Socks Port that doesn't require a username/password:
1. Go to 'tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults'
2. Open 'torrc-defaults' file
3. Add the below text to 'torrc-defaults' file
SocksPort 8150 NoIsolateSOCKSAuth
4. Then edit the privoxy settings to point to 8150 instead of 9150.
The 'NoIsolateSOCKSAuth' means no username and password is required to connect to Tor Socks Port 8150.
Bump
Bump
This version of the Tor
This version of the Tor Browser for GNU/Linux does not allow the connection to proceed when you use obfs3 bridges. It displays an error as if the bridges did not work even if you use perfectly valid bridges.
Why do I sometimes get 2
Why do I sometimes get 2 different guard (first IP of tor circuit). Example I get a guard from US and from 5 open tabs then suddenly 1 of them will change to a Russian guard. But when I restart the browser or start a new circuit on that tab it will return to US. It's really weird this didn't happen in previous version.
Hi. TB 4.5.1 user here. I
Hi. TB 4.5.1 user here.
I used to switch “javascript.enabled” to “false” before. With the new security slider I've noticed that even the highest security setting leaves this preference in its default “true”. Granted, javascript is blocked (through noscript?) but PDF.js is fully capable of loading as far as I can see. Should it be accepted that the browser loads complex files in js if the user has opted for the highest security setting?
As always, great work.
Yes, JavaScript gets blocked
Yes, JavaScript gets blocked via NoScript. The whole browser UI is written using JavaScript and XUL you can't disable that as you won't have a browser then. With respect to PDF.js, yes, we could think about disabling PDF.js in the highest setting although it is by far not as risky as using Adobe's product.
Sorry for the noob question
Sorry for the noob question in advance..
Have tbb 4.51 updated from 4.08 under debian wheezy
I have tried to login to a googlemail (web) account from tor
ok, ok, not a great idea in general, but this google account is a throwaway one with no traces to me
In the login screen gmail came up with some complications, simply said, gmail didn'T 'believe' me to be the real allowed user
I killed that browser, hadn't even logged in.
Later I logged in from another PC at a friend (no TOR) and in the inbox there was a mail from google ala "linux station tried to login into your account"
I think, I triggered an event, as I usually work somewhere in middler europe and the login came from a tor exit node in asia or elsewhere.
So why can googlemail be aware of the fact that I'm running a linux machine? I Thought that tor browser is masked as one of the zillions of windows 7 browsers?
Thanks
The select-images reCAPTCHA
The select-images reCAPTCHA is rolling out across every site on the web. I am now locked-out from every site I want to use. I can only use Firefox which has no privacy at all.
I can confirm it doesn't work even when you disable the add-ons. I can select the images. But I can't see the images I am selecting.
Is this a problem with Tor using different circuit for images and main reCAPTCHA frame?
Is Google doing deliberately to damage anonymity?