Tor Browser 4.5.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.3 is based on Firefox ESR 31.8.0, which features important security updates to Firefox.

Moreover, it contains an updated OpenSSL, NoScript and Torbutton, a fix for a crash bug visible with the security slider level set to "High" and a backport of a Tor patch to improve usability on websites.

Here is the complete changelog since 4.5.2:

  • All Platforms
    • Update Firefox to 31.8.0esr
    • Update OpenSSL to 1.0.1o
    • Update NoScript to 2.6.9.27
    • Update Torbutton to 1.9.2.8
      • Bug 16403: Set search parameters for Disconnect
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 16397: Fix crash related to disabling SVG
    • Bug 16403: Set search parameters for Disconnect
    • Bug 16446: Update FTE bridge #1 fingerprint
    • Bug 16430: Allow DNS names with _ characters in them (fixes
      nytimes.com) (Tor patch backport)
Anonymous

July 03, 2015

Permalink

Thanks for update. Is there any plan to improve and rerelease Vidalia. It´s really help me to set up non exit relay. I´m really curious how to easy set up it on Windows OS and help to Tor, cause it seems to me Vidalia is dead project.

Anonymous

July 03, 2015

Permalink

Why are options like "Forbid Java, Microsoft Silverlight etc." in embeeddings within NoScript not checked?

Probably because they're disabled much more thoroughly at the browser level than whatever Noscript does?

But that said, it might be wise for the Tor Browser folks to check those boxes anyway, not because they are the way the protection is provided, but to avoid confusing users.

Maybe you should file a ticket on trac suggesting this (so they see it)?

Anonymous

July 03, 2015

Permalink

Many thanks for this update. Would you also consider updating the python27.dll that is included in the following folder?

Tor Browser\Browser\TorBrowser\Tor\PluggableTransports

The DLL is v2.7.5. 2.7.10 is the latest release from that branch. Versions after 2.7.5 include important bug and security fixes. Full details are available in the release notes:

https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS

Apologies if I have misunderstood how this DLL relates to the Python runtime version 2.7.10. Thanks again.

Anonymous

July 03, 2015

Permalink

Thanks for the update.

So far it is stable, but I have a problem with Youtube. I'm not experienced with youtube with Tor. So I tried first time today.

First I read https://www.torproject.org/docs/faq.html.en#TBBFlash

and did the recommended things. Changed default player on youtube to html5-player. Videos don't work: "an error occurred please try again later." And noscript sign is also in the window.

What did I wrong or is this a known problem? thx.

I've also had issues with Yt. It used to work without any issues. Could an adblocking filter be causing these problems, N0Script, or my priv.-and-sec. settings (set at medium-high)?I also tried yt/html5 but couldn't get it to work.

Anonymous

July 03, 2015

Permalink

OT: I miss a referer control. It's an important privacy setting. Is there a known problem with addon "ref control"?

I checked browser fingerprint at https://panopticlick.eff.org/ with "ref control" on. The results are the same without the addon.

Thanks

Anonymous

July 03, 2015

Permalink

First, thank you for this important program which enhances our safety.

I hope that with 4.5.3, or at least soon, installing a new version will no longer require extraordinary action to protect my bookmarks and plug-ins from being ignored in the upgrade.

Six months ago I thought I saw a trend starting, toward seamless, almost effortless upgrades---textbook perfect. But lately the process has regressed. I would appreciate knowing what the team's strategy is for re-achieving those seamless upgrades.

Again, many thanks for your great work.

You can export and import bookmarks. Before I update manually, I always export my important bookmarks so I can import them into the new TBB.

How many plugins do you need? Just reinstall them.

Anonymous

July 03, 2015

Permalink

Is tor compromised? Despite changing IDs and tor circuit it still keeps aiming to an IP in Austria. Seen others saying same thing.

Anonymous

July 03, 2015

Permalink

Cheers!

All the more reason to make sure that what they can conclude from the recording is "you were using Tor". To me that seems like a whole lot better than a full dossier of exactly which sites you visit.

https://www.torproject.org/docs/faq#GetTor

Your website is blocked in my country. How do I download Tor?

Some government or corporate firewalls censor connections to Tor's website. In those cases, you have three options. First, get it from a friend — Tor Browser fits nicely on a USB key. Second, find the google cache for the Tor mirrors page and see if any of those copies of our website work for you. Third, you can download Tor Browser via email: log in to your email account and send an email to 'gettor@torproject.org' with one of the following words in the body of the message: windows, osx or linux (case insensitive). You will receive a reply with links from popular cloud services to download Tor Browser for Windows, Mac OS X or Linux, depending on the option you chose. Currently, the only cloud service supported is Dropbox. If you send a blank message or anything different from the options mentioned, you will receive a help message with detailed instructions to ask for Tor Browser via email. Please note that you can use this service from any email address: gmail, yahoo, hotmail, riseup, etc. The only restriction is that you can do a maximum of three requests in a row, after that you'll have to wait 20 minutes to use it again. See the GetTor section for more information.

Be sure to verify the signature of any package you download, especially when you get it from somewhere other than our official HTTPS website.

Running the Tor website as a hidden service would not help this person at all. The problem was that he couldn't get Tor. Giving him an onion address, when he can't get Tor, is probably not going to help matters.

Anonymous

July 03, 2015

Permalink

thanks for all the great work.

Can't wait til tb is based on the next ff exr so it starts supporting html5 videos much more better

Anonymous

July 03, 2015

Permalink

A problem that appeared to start with 4.5.2 still exists. The arrow down key now controls webpages via the text cursor as if you are in a word processing program, not on a webpage. This results in sudden jumps and unsmooth movement when controlling the webpage scrolling with the up and down arrow keys.

It will suddenly jump to the bottom for example, when it was near the top. Sometimes it jumps multiple paragraphs at once with a single press. This has rendered the shift+arrow key text selection process as annoying and unusable in some cases. What is happening here? Is this a deliberate change, perceived as a supposed improvement for some reason or a bug? Can we change it back?

Regards

Anonymous

July 03, 2015

Permalink

Why is it we can have a mobile app that routes all internet traffic through Tor, but not a windows desktop program or something built in to the tor browser that does the same thing? I know there is tails, but that is a different OS in it's own right with compatibility issues. I mean something that works in windows so absolutely everything without any doubt MUST go through the Tor network. I know you can configure individual programs but it is a faff and I spent hours trying to get it to work with chrome once with no luck. Imagine that for all your programs! And even if you did, you couldn't be sure something you'd overlooked or couldn't control wasn't bypassing Tor. This is something there is a great need for I think. Is there anything in the pipeline or plans/chat about something like this guys? Unless there is something fundamentally different about the windows desktop OS than android that is making this very difficult, I can't understand why it doesn't exist already or wasn't higher priority than Orbot. The world needs it! But anyway, still great work in terms of what you already do guys. Essential work for the survival of life and freedom as we know it on earth! Your work is appreciated.

Thanks Guys

I actually think it was probably an unwise move for the Orbot folks to move to that.

If you don't configure each application to know about privacy, it's probably going to end up hurting you.

https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea
https://www.torproject.org/docs/faq#TBBOtherBrowser

https://lists.torproject.org/pipermail/tor-relays/2014-October/005544.h…

Orbot isn't actually very safe; you're depending on the apps you're running on android to behave nicely and not try to circumvent Orbot; that same problem exists on Windows as well, except Windows (at least older versions) have less finely grained permissions on what programs can do (which makes it more risky.) Sure, if you can trust the app/program to behave nicely you're fine, but can you trust it.
That is, of course, a separate issue from fingerprinting concerns of poorly configured software

I have feared some apps or processes might be able to bypass orbot also. I gave this whole issue a lot of thought in terms of how to make everything you do on any OS go through Tor without having to worry about it, (but without having to use tails). The solution I came up with first was to tether to a mobile which was running orbot and sending all traffic through it. Then I wouldn't need to do anything on the OS I was using as it was handled after it connected to the hotspot. However I then found out that a bug with orbot does not allow any device tethering to an android device to route the connection through orbot/Tor! It just doesn't work. There has been a thread on this for the best part of a year but it was still an unfixed issue last time I checked a couple of months ago unfortunately. Secondly, you now seem to be saying orbot can't be trusted anyway to route everything through? (or would it be an issue with whether the program that handled the tethering connection process could be trusted?)

An alternative solution I plan to look in to is either connecting through another computer or through a raspberry pi. So I guess I would either connect physically or have to see if I could tether to one of them and then configure it somehow on the pi or the other computer so it routed all the traffic from the connected/tethered device through the tor network. I've read brief articles which seem to explain that this is possible.

Does anyone know any of these work arounds to work or have a better idea?

"you now seem to be saying orbot can't be trusted anyway to route everything through" -- that's actually not the issue, even if it's true. The issue is that even if Orbot does perfectly route everything through Tor, you could still be screwed, because the traffic that it routes through Tor is likely to identify you or otherwise link your behavior to other behavior, if the application doesn't know about Tor or otherwise plan to keep you safe at the application level.

In my opinion, the right behavior is to configure safe applications to use Tor, and block the rest from being able to use your network connection at all. Any situation where you shove traffic from a Tor-unaware complex application is asking for trouble. Re-read the URLs above for more explanations.

You are assuming that the device you are using links to other information about behaviour because it has been used with other "identities" or ips addresses linked to a person etc. If you use a device completely disconnected from your real identity or anything your real identity uses (wifi connections etc) then your problem does not exist. So best to use a completely different computer and different wifi. If one can do that and find a solution to the problem I suggested, then life would be so much easier.

Anonymous

July 04, 2015

Permalink

"Save Page As..." only allows the title of the page with a - z or A - Z, or saving page will not proceed.

Anonymous

July 04, 2015

Permalink

Still the issue with screen size settings. Panopticlick result ist really bad. The user agent Value also should be changed.

Anonymous

July 04, 2015

Permalink

Since yesterday, the default search engine 'disconnect' does not accept any more queries from Tor users.

Anonymous

July 04, 2015

Permalink

FTE bridge bug not repaired, two fingerprints are opposite, needed to be manually interchanged, please repair them asap.

Anonymous

July 04, 2015

Permalink

Verizon DSL & Tor do not play well. Websites don't like it either. I Guess the control and surveillance of "We The Slaves & Prisoners" is getting pretty complete. Finally!