Tor Browser 4.5.1 is released
A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.
Tor Browser 4.5.1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.
The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
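The effect of moving the isolation key from the full domain name to the base domain can be shown in a few lines. This is an added example, not Tor Browser's code: the suffix rules are a constructed subset of the Public Suffix List, the function names are hypothetical, and the sample hosts are constructed apart from the livejournal.com subdomains raised in the comments below.

```javascript
// Added example, not Tor Browser code. SUFFIX_RULES is a constructed subset of
// the Public Suffix List; all names below are hypothetical.
const SUFFIX_RULES = new Set(["com", "org", "net", "uk", "co.uk"]);

const isIpLiteral = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");

// Base domain = longest matching public suffix plus one label to its left.
function baseDomain(host) {
  host = host.toLowerCase().replace(/\.$/, "");
  if (isIpLiteral(host)) return host; // an IP address has no base domain
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    // Candidates run from longest to shortest, so the first hit is the
    // longest matching suffix.
    if (SUFFIX_RULES.has(labels.slice(i).join("."))) {
      // i === 0: the host is itself a public suffix, keep it whole.
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  // No rule matched: treat the last label as the suffix (PSL default rule).
  return labels.slice(-2).join(".");
}

// Key under which circuits and tracking identifiers are partitioned,
// derived from the URL-bar (first-party) address.
function isolationKey(firstPartyUrl, mode) {
  const host = new URL(firstPartyUrl).hostname;
  return mode === "fqdn" ? host : baseDomain(host);
}

// Group URL-bar hosts by the key they would share under a policy.
function groupByKey(urls, mode) {
  const groups = new Map();
  for (const url of urls) {
    const key = isolationKey(url, mode);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(new URL(url).hostname);
  }
  return groups;
}

// Constructed sample of first-party addresses.
const VISITS = [
  "https://user.livejournal.com/",
  "https://user2.livejournal.com/",
  "https://www.example.com/",
  "https://dl7.example.com/file.bin",
  "https://shop.example.co.uk/",
  "http://192.0.2.10/",
];

for (const mode of ["fqdn", "base"]) {
  console.log(mode, Object.fromEntries(groupByKey(VISITS, mode)));
}
```

Under the "fqdn" policy every host gets its own key; under the "base" policy the download subdomain shares state with its parent site, and the two livejournal.com subdomains share one key as well.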
We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.
With this release, 4.0 users will now be updated automatically to the 4.5 series.
Note to MacOS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32 bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.
Here is the list of changes since 4.5:
- All Platforms
  - Update Firefox to 31.7.0esr
  - Update meek to 0.18
  - Update Tor Launcher to 0.2.7.5
    - Translation updates only
  - Update Torbutton to 1.9.2.3
    - Bug 15837: Show descriptions if unchecking custom mode
    - Bug 15927: Force update of the NoScript UI when changing security level
    - Bug 15915: Hide circuit display if it is disabled.
    - Translation updates
  - Bug 15945: Disable NoScript's ClearClick protection for now
  - Bug 15933: Isolate by base (top-level) domain name instead of FQDN
  - Bug 15857: Fix file descriptor leak in updater that caused update failures
  - Bug 15899: Fix errors with downloading and displaying PDFs
- Windows
  - Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- Build System
  - Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
  - Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Try visiting https://panopticlick.eff.org/ . Run the test while using Tor. It should show you the "User Agent" (Browser ID) being displayed to the website.
I'm also on Linux, and this is my Tor Browser User Agent.
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
the test at that location NOW gives a
User Agent
6.6
37.32
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
so it should be some windows sort.
I'll have a look at that mail from google support and give more info if I can provide useful info from that.
thanks!
Another option is that they fingerprinted the exit relay that your traffic came from.
thanks to you and the other helpful user.
the browser test gave win ...nt (see above)
your idea is very likely.
gmail sent a second mail with some more specific info, in short:
### 1st email:
Hi john,
Your Google Account john@gmail.com was just used to sign in on Linux.
john doe
john@gmail.com
Linux
Friday, May 15, 2015 xxxx PM (Central European Summer Time)
### 2nd email:
We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Saturday, May 16, x:xx PM GMT
IP Address: 188.138.1.229 (ncc-1701-a.tor-exit.network)
Location: Unknown
-->nothing happened, but I have to memorize new pw, gmail forced me to choose a new one.
thanks
Some issues here.
Tor browser is useless if it doesn't work with google recaptcha.
Actually there are thousands of websites using recaptcha
This issue is not confined to Tor. Actually, the current problem with google recaptcha happens with non Tor traffic as well. It used to work okay until a few days ago. If you typed the two words correctly it would validate, and you could have Javascript disabled. Now, with Javascript Disabled, even if you type the two words correctly letter by letter it does not recognize them. Google should fix things so that we could use recaptcha with Javascript disabled. I hope this is not an attempt to exploit a vector attack by enabling people to enable Javascript.
Bridges and PT_MISSING
Tor 4.5.1 for GNU/Linux can't connect to any bridges. Working obfs3 bridges, which work perfectly if you use them with the previous Tor version or with Tails, do not work with Tor 4.5.1. The default bridges provided do not work either. Could you fix this?
[warn] We were supposed to connect to bridge 'x.x.x.x:x' using pluggable transport 'obfs3', but we can't find a pluggable transport proxy supporting 'obfs3'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
[warn] Problem bootstrapping. Stuck at %: Connecting to directory server. (Can't connect to bridge; PT_MISSING;
I would like to ask a question about Tor Exit Nodes and the end user. I always thought that all traffic between the Exit Node and a User was encrypted. I now know it is if you use a HTTPS site, but not if you use a normal site. It appears everything can be monitored by your ISP. I only know as UK police requested records from my ISP when I was accused falsely of something. That matter was dropped, but it exposed what people can see and what ISPs are also recording!
Are there any plans for the future to try and incorporate a system to encrypt traffic between the Exit Node and End User?
I do realise it's probably a hugely complex task.
Traffic is indeed encrypted between the user and the exit relay.
You might enjoy
https://svn.torproject.org/svn/projects/articles/circumvention-features…
and then playing with
https://www.eff.org/pages/tor-and-https
I'm not the man of knowledge, but I had trouble with a website that shall stay incognito here. With 4.18 and earlier no probs, with tbb live update from 4.18 to 4.51 on Debian Linux that led to recaptchas thrown at me in the login phase after supplying pw and username correctly.
Setting noscript to allow_all didn't change anything
Disabling noscript in tb - tools - addons cured the plague (login without recaptcha)
But that wasn't completely satisfying.
I started to 'play' with various options inside the noscript 'options' complex and it was the advanced - https - cookies tab
enabled (after update) --> trouble
disabled manually --> all fine
hth
another anon here:
I've come across websites where this alarm pops up:
this website (...) attempted to extract html5 canvas image data
which may be used to uniquely identify your computer
should tor browser allow this website to extract html5 canvas image data?
# not now
# never for the future (recommended)
# allow in the future
not now isn't a miracle, but never and always don't work for me,
at every new login to the site (with pc off between it or tb closed) the old question
or is never/always meant for the actual browser session?
tia
It is meant for the actual browser session.
Thanks for your info!
I'd propose to rename the options to
# never in this session (rec'd)
# always in this session
Opening TBB on Tails is distinguishable?
New TBB4.5.1 opens at least 2 different circuits(you-as-as-as-URL) or more. check.torproject.org is opening 1 circuit -with 2 connections- only.
Trying to use Tails 1.4 with some obfs4 bridges, but can't get them to work. I suspect my LAN router is blocking the outbound connections. If that sounds plausible, could someone explain what outbound ports I might need to block? Or should it work if I allow outbound 443?
Great software. But where is the option to show the "Tor circuit for this site" in 4.5.1?
Click on the green onion next to the URL bar (on the left side). Then it should show up if you surf to a non-local website.
Thanks for your reply. Sometimes the "Tor circuit for this site" information will not show next to the Onion drop down list. This happens intermittently. Could this be a bug?
Yes. If you have steps to reproduce that behavior we'd really love to hear them.
When left-clicking on the green onion button the Tor circuit information *sometimes* does not show (even though I am successfully connected to an external site in the current tab). It can be difficult to reproduce, but the issue does happen quite often. I am using Windows XP Home SP 3.
> The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name.
What if some sites host contents on multiple domains instead of subdomains, you reject per-domain isolation at all? On the other hand, each user of many social networks, like livejournal.com etc, has their own subdomain (user.livejournal.com), so an observer can track and profile Tor clients by their graphs of social links. You can make this default behaviour, but there should be an option to switch so that stream isolation would be provided to domains of any level.
> This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
This argument is inconsistent and ridiculous.
No, we don't reject per domain isolation. In the livejournal (or wordpress, or...) case there is already the problem that the user can get tracked by the host with the help of cookies. So, there is not much win to isolate to user.livejournal.com while we would break quite some things following this path.
Each subdomain has its own cookies which are not accessible by others. For example, domain user2.livejournal.com can not access cookies of user.livejournal.com, and vice versa. If one comments journals on different subdomains anonymously, all their activity can be profiled as belonging to the same person, so anonymity degrades to pseudonymity.
While I'm at school (not circumvention), I use Tor on my own personal laptop and have set up a firewall to only allow Tor traffic. Now that MacBooks are exploding in education, there's a *lot* of accounts that we have to make, or that are assigned to us, and, pretty typical of school systems, they don't take security into consideration at all, so most of these websites that we have to sign in to don't have SSL on any webpages, including the login transmissions. Because my goal isn't to hide from mass surveillance, in this specific scenario (especially since I have to *log in* to things, defeating the purpose of hiding from mass surveillance), I decided to set up the Tor browser with a configuration similar to the system installed Tor instructions in the start-tor-browser Linux script. I would make the Tor Browser not start a background instance of Tor, and then I'd make Firefox use a SOCKS port from an SSH tunnel to route insecure website traffic back home, so Tor exit nodes couldn't capture my password and abuse my accounts. This has been working perfectly for me (aside from history being kept, since I didn't disable the control port checks and such, at the time). I have attempted the same setup with Tor Browser 4.5.1, and I have discovered that it will only connect to SOCKS ports that Tor instances (such as my real system installed Tor instance, that I use for another Tor browser) have kept open. When I, instead, connect that port to my SSH SOCKS tunnel, it acts like the website doesn't exist, and if I disable the SOCKS setting entirely, as if I was setting up transparent Torrification, Firefox says, "Unable to find the proxy server" despite having disabled all proxy settings, even the now-hidden ones in the Tor Button and Launcher with about:config.
Is there a new SOCKS connection test to see if the port is hosted by a Tor instance, and if so, how can I disable it for the purpose of transparent Torrification/other proxies? I don't want to have to remove/disable the Tor Button (because that fixes the proxy problem), because doing so would remove a bunch of features, and more importantly, it breaks about:addons with some XML error about "block-disable-button" or something similar to that.
https://weakdh.org/
Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser.
Logjam attack workaround
you could edit some ssl3 settings in the about:config
http://forums.mozillazine.org/viewtopic.php?f=38&t=2935955
Maybe some sites won't work till a fix is present
I'm actually running into problems just starting TBB. I updated to 4.5.1 on a windows XP computer, but when Tor tries to connect to a relay it just closes and fails to load. I have to manually Ctl-Alt-Del to shut down Tor and Firefox in order to try again. The logfile has "creating log file" twice, then nothing.
https://dhe512.zmap.io/
yeah 'Technical Details Connection Encrypted' is visible again(-:
Especially cause of govshit like LogJam. Hardware/Firmware you can't trust is evil enough.
Last comment for the disconnect search add-on on Mozilla's add-on pages does not sound good.
https://addons.mozilla.org/en-us/firefox/addon/disconnect-search/review…
>This plugin should enhance security, but in fact is doing quite opposite.
Disconnect-search is regularly uploading plugin settings and usage data, along with unique user ID, browser Agent string and IP address not only to the developers website, but to third parties as well (amazon servers of unknown account and adobe stats servers).
That is confirmed in the discussion about a different bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1166692#c1
Good find, Startpage ;)
Does the privacy policy at their web search site also apply to their search add-on?
ref: https://disconnect.me/privacy
Hi,
anyone can explain why Google CAPTCHAS -on google search- with TBB4.5.1 isn't working?
Recently the "why ....." on google search CAPTCHAS needs javascript......*F$%$*
Necessary?Really?
Here's something that Tor users may find interesting: I tested www.torproject.org encryption strength on Qualys SSL Labs and it awarded this website an A.
The highest score that Qualys SSL Labs will give is an A+.
I downloaded tor and its signature from "https://www.torservers.net/mirrors/torproject.org/" (as you can guess why) and when I tried to check it with gpg4win I get the following message: "NO PUBLIC KEY FOUND". Why do I get this message? Do I do something wrong or maybe there is something wrong with the mirror site? Please help me, I am new to all this. What I type in cmd is as below:
gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x63FEE659
gpg --fingerprint 0x63FEE659
gpg --verify torbrowser-install-4.5.1_en-US.exe.asc torbrowser-install-4.5.1_en-US.exe
I also tried this because I thought Erinn Clark no longer signs bundles, but I got the same answer:
gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x0E3A92E4
gpg --fingerprint 0x0E3A92E4
gpg --verify torbrowser-install-4.5.1_en-US.exe.asc torbrowser-install-4.5.1_en-US.exe
$ gpg --verify
Great software overall and highly recommended. Just a little bug I noticed and wanted to share with you. The bottom strip of the Tor Browser window does not render correctly, showing through the desktop contents underneath. I am using Windows XP Home SP 3.
"tor circuit for this site" in the tbb is a great feature, simple and informative.
well done
no-java Anon
What's the difference between the "New identity" and "New Tor Circuit for this site" option?
Bug with Wordpress 4.2 ?
There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2 code.
It seems to trigger the Torbrowser warning on code that seems to have something to do with emoticon functionality using canvas code.
Example website : https://wordpress.org/news/2015/05/wordpress-4-2-2/
Could it be that this is not correct warning behavior?
Or is it? Why?
Hi. I have already installed several Tor Browser releases without any problem. But I downloaded torbrowser-install-4.5.1_en-US.exe (Windows XP) and when I double-click on it nothing happens. No error messages, no window, nothing. I have also tried with the french version. Same thing.
Can anyone help me ?
I have the same problem too, windows vista!
Hello,
Finally I bypassed the problem by launching the installation program directly within a CMD window.
Hope it will help you.
Bye
(2nd time question attempt for a relevant question)
Canvas Warning Bug with Wordpress 4.2 sites?
There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2(.2) code.
It seems to trigger the Tor Browser Canvas warning on some Wordpress code that seems to have something to do with emoticon functionality using canvas functionality.
See for example this webpage : https://Wordpress.org/news/2015/05/Wordpress-4-2-2/
While there apparently already for some time has been a discussion going on in the Wordpress community, nobody (?) seems to have asked Torproject about its point of view in this matter (to be sure).
https://reflets.info/wordpress-4-2-tor-browsers-and-canvas-privacy-warn…
https://wordpress.org/support/topic/42-admin-canvas-tracking?replies=10
https://core.trac.wordpress.org/ticket/32138
I, and probably a lot of other Tor Browser users and/or website owners too, am still curious if the Warning of Tor Browser on Wordpress 4.2 (and later) sites is legitimate in these cases or that it is a possible bug/technical false positive.
An answer from Torproject would help at least to clear that out because there are quite some Wordpress sites out there.
Does anybody have an answer regarding this issue?
(this is happening with Tor Browsers 4.5.1 and the beta 5 version as well)
I have the same problem as the one posted on
On May 15th, 2015
Would someone convey to me what the solution is? Also, thanks in advance.
Problem on windows 7.0 prof
Starting from version 4.5.1, I can't chain Tor with Privoxy, I have
configured Privoxy config file to forward socks5t and in TorButton's
network preferences have configured properly the socks proxy to use (127.0.0.1:9150).
In the browsers network options whenever I configure the HTTP proxy for (127.0.0.1:8118 -Privoxy's listen port),
Tor gets disabled on the browser (TorButton marked with a red cross), and can't make any connections (http, https or onion).
On previous version I used (4.0.8), I was able to configure the HTTP/HTTPS proxy for Privoxy, but not on this version.
Can anyone give advice as how can I accomplish this? Thanks in advance