Tor Browser 4.5.3 is released

by gk | July 3, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.3 is based on Firefox ESR 31.8.0, which features important security updates to Firefox.

Moreover, it contains an updated OpenSSL, NoScript and Torbutton, a fix for a crash bug visible with the security slider level set to "High" and a backport of a Tor patch to improve usability on websites.

Here is the complete changelog since 4.5.2:

  • All Platforms
    • Update Firefox to 31.8.0esr
    • Update OpenSSL to 1.0.1o
    • Update NoScript to 2.6.9.27
    • Update Torbutton to 1.9.2.8
      • Bug 16403: Set search parameters for Disconnect
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 16397: Fix crash related to disabling SVG
    • Bug 16403: Set search parameters for Disconnect
    • Bug 16446: Update FTE bridge #1 fingerprint
    • Bug 16430: Allow DNS names with _ characters in them (fixes
      nytimes.com) (Tor patch backport)

Comments

Please note that the comment area below has been archived.

July 03, 2015

Permalink

Thanks for update. Is there any plan to improve and rerelease Vidalia. It´s really help me to set up non exit relay. I´m really curious how to easy set up it on Windows OS and help to Tor, cause it seems to me Vidalia is dead project.

July 03, 2015

Permalink

Why are options like "Forbid Java, Microsoft Silverlight etc." in embeeddings within NoScript not checked?

Probably because they're disabled much more thoroughly at the browser level than whatever Noscript does?

But that said, it might be wise for the Tor Browser folks to check those boxes anyway, not because they are the way the protection is provided, but to avoid confusing users.

Maybe you should file a ticket on trac suggesting this (so they see it)?

July 03, 2015

Permalink

Many thanks for this update. Would you also consider updating the python27.dll that is included in the following folder?

Tor Browser\Browser\TorBrowser\Tor\PluggableTransports

The DLL is v2.7.5. 2.7.10 is the latest release from that branch. Versions after 2.7.5 include important bug and security fixes. Full details are available in the release notes:

https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS

Apologies if I have misunderstood how this DLL relates to the Python runtime version 2.7.10. Thanks again.

July 03, 2015

Permalink

Thanks for the update.

So far it is stable, but I have a problem with Youtube. I'm not experienced with youtube with Tor. So I tried first time today.

First I read https://www.torproject.org/docs/faq.html.en#TBBFlash

and did the recommended things. Changed default player on youtube to html5-player. Videos don't work: "an error occurred please try again later." And noscript sign is also in the window.

What did I wrong or is this a known problem? thx.

I've also had issues with Yt. It used to work without any issues. Could an adblocking filter be causing these problems, N0Script, or my priv.-and-sec. settings (set at medium-high)?I also tried yt/html5 but couldn't get it to work.

July 03, 2015

Permalink

OT: I miss a referer control. It's an important privacy setting. Is there a known problem with addon "ref control"?

I checked browser fingerprint at https://panopticlick.eff.org/ with "ref control" on. The results are the same without the addon.

Thanks

July 03, 2015

Permalink

First, thank you for this important program which enhances our safety.

I hope that with 4.5.3, or at least soon, installing a new version will no longer require extraordinary action to protect my bookmarks and plug-ins from being ignored in the upgrade.

Six months ago I thought I saw a trend starting, toward seamless, almost effortless upgrades---textbook perfect. But lately the process has regressed. I would appreciate knowing what the team's strategy is for re-achieving those seamless upgrades.

Again, many thanks for your great work.

You can export and import bookmarks. Before I update manually, I always export my important bookmarks so I can import them into the new TBB.

How many plugins do you need? Just reinstall them.

July 03, 2015

Permalink

Is tor compromised? Despite changing IDs and tor circuit it still keeps aiming to an IP in Austria. Seen others saying same thing.

All the more reason to make sure that what they can conclude from the recording is "you were using Tor". To me that seems like a whole lot better than a full dossier of exactly which sites you visit.

https://www.torproject.org/docs/faq#GetTor

Your website is blocked in my country. How do I download Tor?

Some government or corporate firewalls censor connections to Tor's website. In those cases, you have three options. First, get it from a friend — Tor Browser fits nicely on a USB key. Second, find the google cache for the Tor mirrors page and see if any of those copies of our website work for you. Third, you can download Tor Browser via email: log in to your email account and send an email to 'gettor@torproject.org' with one of the following words in the body of the message: windows, osx or linux (case insensitive). You will receive a reply with links from popular cloud services to download Tor Browser for Windows, Mac OS X or Linux, depending on the option you chose. Currently, the only cloud service supported is Dropbox. If you send a blank message or anything different from the options mentioned, you will receive a help message with detailed instructions to ask for Tor Browser via email. Please note that you can use this service from any email address: gmail, yahoo, hotmail, riseup, etc. The only restriction is that you can do a maximum of three requests in a row, after that you'll have to wait 20 minutes to use it again. See the GetTor section for more information.

Be sure to verify the signature of any package you download, especially when you get it from somewhere other than our official HTTPS website.

July 19, 2015

In reply to arma

Permalink

why can't you just start a hidden service for that website? or is it hard to find information? or you don't know how to do this?

Running the Tor website as a hidden service would not help this person at all. The problem was that he couldn't get Tor. Giving him an onion address, when he can't get Tor, is probably not going to help matters.

July 03, 2015

Permalink

thanks for all the great work.

Can't wait til tb is based on the next ff exr so it starts supporting html5 videos much more better

July 03, 2015

Permalink

A problem that appeared to start with 4.5.2 still exists. The arrow down key now controls webpages via the text cursor as if you are in a word processing program, not on a webpage. This results in sudden jumps and unsmooth movement when controlling the webpage scrolling with the up and down arrow keys.

It will suddenly jump to the bottom for example, when it was near the top. Sometimes it jumps multiple paragraphs at once with a single press. This has rendered the shift+arrow key text selection process as annoying and unusable in some cases. What is happening here? Is this a deliberate change, perceived as a supposed improvement for some reason or a bug? Can we change it back?

Regards

July 03, 2015

Permalink

Why is it we can have a mobile app that routes all internet traffic through Tor, but not a windows desktop program or something built in to the tor browser that does the same thing? I know there is tails, but that is a different OS in it's own right with compatibility issues. I mean something that works in windows so absolutely everything without any doubt MUST go through the Tor network. I know you can configure individual programs but it is a faff and I spent hours trying to get it to work with chrome once with no luck. Imagine that for all your programs! And even if you did, you couldn't be sure something you'd overlooked or couldn't control wasn't bypassing Tor. This is something there is a great need for I think. Is there anything in the pipeline or plans/chat about something like this guys? Unless there is something fundamentally different about the windows desktop OS than android that is making this very difficult, I can't understand why it doesn't exist already or wasn't higher priority than Orbot. The world needs it! But anyway, still great work in terms of what you already do guys. Essential work for the survival of life and freedom as we know it on earth! Your work is appreciated.

Thanks Guys

I actually think it was probably an unwise move for the Orbot folks to move to that.

If you don't configure each application to know about privacy, it's probably going to end up hurting you.

https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea
https://www.torproject.org/docs/faq#TBBOtherBrowser

https://lists.torproject.org/pipermail/tor-relays/2014-October/005544.h…

Orbot isn't actually very safe; you're depending on the apps you're running on android to behave nicely and not try to circumvent Orbot; that same problem exists on Windows as well, except Windows (at least older versions) have less finely grained permissions on what programs can do (which makes it more risky.) Sure, if you can trust the app/program to behave nicely you're fine, but can you trust it.
That is, of course, a separate issue from fingerprinting concerns of poorly configured software

I have feared some apps or processes might be able to bypass orbot also. I gave this whole issue a lot of thought in terms of how to make everything you do on any OS go through Tor without having to worry about it, (but without having to use tails). The solution I came up with first was to tether to a mobile which was running orbot and sending all traffic through it. Then I wouldn't need to do anything on the OS I was using as it was handled after it connected to the hotspot. However I then found out that a bug with orbot does not allow any device tethering to an android device to route the connection through orbot/Tor! It just doesn't work. There has been a thread on this for the best part of a year but it was still an unfixed issue last time I checked a couple of months ago unfortunately. Secondly, you now seem to be saying orbot can't be trusted anyway to route everything through? (or would it be an issue with whether the program that handled the tethering connection process could be trusted?)

An alternative solution I plan to look in to is either connecting through another computer or through a raspberry pi. So I guess I would either connect physically or have to see if I could tether to one of them and then configure it somehow on the pi or the other computer so it routed all the traffic from the connected/tethered device through the tor network. I've read brief articles which seem to explain that this is possible.

Does anyone know any of these work arounds to work or have a better idea?

"you now seem to be saying orbot can't be trusted anyway to route everything through" -- that's actually not the issue, even if it's true. The issue is that even if Orbot does perfectly route everything through Tor, you could still be screwed, because the traffic that it routes through Tor is likely to identify you or otherwise link your behavior to other behavior, if the application doesn't know about Tor or otherwise plan to keep you safe at the application level.

In my opinion, the right behavior is to configure safe applications to use Tor, and block the rest from being able to use your network connection at all. Any situation where you shove traffic from a Tor-unaware complex application is asking for trouble. Re-read the URLs above for more explanations.

September 02, 2015

In reply to arma

Permalink

You are assuming that the device you are using links to other information about behaviour because it has been used with other "identities" or ips addresses linked to a person etc. If you use a device completely disconnected from your real identity or anything your real identity uses (wifi connections etc) then your problem does not exist. So best to use a completely different computer and different wifi. If one can do that and find a solution to the problem I suggested, then life would be so much easier.

July 04, 2015

Permalink

"Save Page As..." only allows the title of the page with a - z or A - Z, or saving page will not proceed.

July 04, 2015

Permalink

Still the issue with screen size settings. Panopticlick result ist really bad. The user agent Value also should be changed.

July 04, 2015

Permalink

Since yesterday, the default search engine 'disconnect' does not accept any more queries from Tor users.

July 04, 2015

Permalink

FTE bridge bug not repaired, two fingerprints are opposite, needed to be manually interchanged, please repair them asap.

July 04, 2015

Permalink

Verizon DSL & Tor do not play well. Websites don't like it either. I Guess the control and surveillance of "We The Slaves & Prisoners" is getting pretty complete. Finally!

July 04, 2015

Permalink

Tor Browser 4.5.3 in Tails runs much faster than Tor Browser 5.0a2 (Portable) on my computer. Both Browsers using USB 2.0 flash drives and computer ports.

July 04, 2015

Permalink

Hi guys.

I've been experimenting with manual incremental updates and
noticed that the "mar-tools-linux64.zip" file in the
distribution directory changes between Tor Browser releases
(the executables inside the archive also change).

I've seen it change at least twice between the two most
recent releases. The signatures were good.

Questions:

  1. Is the code in the tools being changed or is this
    some artifact of the build/distribution system?
  2. If the code changes, are you guys doing it or are you
    just pulling from Mozilla?
  3. Is there a changelog anywhere?

Thanks!

July 05, 2015

Permalink

There's still a Chatzilla problem on Linux, when trying to connect it says: "error creating socket".

I've tryed adding SocksPort 8150 NoIsolateSOCKSAuth below SocksPort 9150 in torrc-defaults as someone suggested.

What do i put in Chatzilla >> Preferences >> Global Settings >> Proxy Type: ?

Neither of http://chatzilla.hacksrus.com/faq/#proxy settings works. Thank you!

No, it's just that we don't have anybody going through and getting rid of the blog spam consistently. Maybe one day we'll move to the newer blogging system -- the tradeoff with better blog spam handling is more centralized blog spam handling.

July 05, 2015

Permalink

ATTENTION:
***************
Hello,
using Tor v4.5.1, I was requested to update with v4.5.3. I accepted and while the update was performed, my GData antivirus reported an infection, with keylogger tools trying to be installed (see log details below).
Hmmm, it can be that the DNS-name was re-routed to a fake, I am not quite sure. Well, I disconnected from internet, performed several scans, it seems the infection could be stopped. I re-installed v4.5.1 and will not perform any more updates!!
I just want to let the community know.

The log is in French, so what it says in substance is (part "actions"):
This program (updater.exe) executed actions in the name of another program
The program executes a connection to the network
The program records all keyboard inputs
An unknown process has been consulted
The program started another program in order to deactivate himself
==============================
Log details here below (in French sorry):
==============================
*** Processus ***

Processus: 5212
Nom de fichier: updater.exe
Chemin d'accès: c:\users\olivier\appdata\local\temp\mozupdater\bgupdate\updater.exe

Éditeur: Editeur inconnu

Démarrage à partir de: firefox.exe
Éditeur: Editeur inconnu

*** Actions ***

Ce programme a exécuté des actions au nom d'un autre programme.
Le programme génère une connexion à travers un réseau.
Le programme enregistre toutes les entrées clavier.
Un processus inconnu a été consulté.
Le programme a créé ou manipulé un fichier exécutable.
Le programme a lancé un autre programme de manière à se désactiver.

*** Quarantaine ***

Les fichiers suivants ont été envoyés en quarantaine:
C:\Users\olivier\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms.bak
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms.new
c:\users\olivier\appdata\local\microsoft\windows\appsfolder.itemdata-ms~rfc396ba7.tmp
c:\users\olivier\appdata\local\microsoft\windows\explorer\iconcache_idx.db
d:\logiciels\tor browser\browser\browser\components\browsercomps.dll.moz-backup
d:\logiciels\tor browser\browser\firefox.exe.moz-backup
d:\logiciels\tor browser\browser\freebl3.dll.moz-backup
d:\logiciels\tor browser\browser\gkmedias.dll.moz-backup
d:\logiciels\tor browser\browser\libegl.dll.moz-backup
d:\logiciels\tor browser\browser\libglesv2.dll.moz-backup
d:\logiciels\tor browser\browser\mozalloc.dll.moz-backup
d:\logiciels\tor browser\browser\mozglue.dll.moz-backup
d:\logiciels\tor browser\browser\mozjs.dll.moz-backup
d:\logiciels\tor browser\browser\nss3.dll.moz-backup
d:\logiciels\tor browser\browser\nssdbm3.dll.moz-backup
d:\logiciels\tor browser\browser\nssutil3.dll.moz-backup
d:\logiciels\tor browser\browser\plugin-container.exe.moz-backup
d:\logiciels\tor browser\browser\plugin-hang-ui.exe.moz-backup
d:\logiciels\tor browser\browser\smime3.dll.moz-backup
d:\logiciels\tor browser\browser\softokn3.dll.moz-backup
d:\logiciels\tor browser\browser\ssl3.dll.moz-backup
d:\logiciels\tor browser\browser\torbrowser\data\browser\caches\firefox\updates\0\updater.exe
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\extensions\support@lastpass.com\platform\winnt_x86_64-msvc\components\lpxpcom_x86_64.dll
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\extensions\trash\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\extensions\trash\support@lastpass.com\platform\winnt_x86_64-msvc\components\lpxpcom_x86_64.dll
d:\logiciels\tor browser\browser\torbrowser\data\browser\profile.default\telemetry.failedprofilelocks.txt
d:\logiciels\tor browser\browser\torbrowser\docs\changelog.txt
d:\logiciels\tor browser\browser\torbrowser\tor\tor.exe.moz-backup
d:\logiciels\tor browser\browser\updater.exe.moz-backup
d:\logiciels\tor browser\browser\xul.dll.moz-backup
f:\mes_docs\_appdata_windows\roaming\stardock\fences\troubleshootinglog\fences_debug_info.txt

Les entrées de registre suivantes ont été supprimées:

YGLRebIJKycoJiYnCC0nu2JicrILLie5LCfYcpL4cCp0gmJiQicIt3KCYmJygpArFp0nuZAuJygmJicIynKCYmJygqAtJycmJicHa3KiYmJyorApJyomJicKrHLCYmJywsAvJ+hiYnKCDpcmJygmJicIlycnKCYmJwinKxnpNWYrKRldY7ZykpFeY7aCcHtyonJycpJw23JyYmJycnD7cqJiYnKicOxygmJicoJw/HKCYmJygnCOcnIK9ycnKiYmJwr3LCcpJiYnCfcvJykmJicJaCknCAA
Version des règles: 5.0.57
OS: Windows 6.2 Service Pack 0.0 Build: 9200 - Workstation 64bit OS
Version de la bibliothèque de liens dynamiques : 51504

C:\Users\olivier\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe "D:\Logiciels\Tor Browser\Browser\TorBrowser\Data\Browser\Caches\firefox\updates\0" "D:\Logiciels\Tor Browser\Browser\updated" 7016/replace "d:\Logiciels\Tor Browser\Browser" "D:\Logiciels\Tor Browser\Browser\firefox.exe"
MD5:
"D:\Logiciels\Tor Browser\Browser\firefox.exe"
MD5:

July 05, 2015

Permalink

I am having an issue with the Tor updater. Whenever Tor updates on my machine, it refuses to open. I have to re-download the full installer and completely reinstall Tor to get it working again. It seems like it is either a Tor updater issue, or possibly some kind of Norton360 interference.

Works fine here mate - Windows7-64 bit. maybe you have another local problem.

Are you getting the popup at the top of the screen that says "maximizing you browser allows your monitor size to be determined and allows you to be tracked?" with a press OK to continue button?

July 06, 2015

Permalink

I am very new to TOR and am still trying to figure out some aspects. I am by no means a computer genius, far from it. My problem is that on numerous pages I am asked if " I am human" and asked to decipher strings of alphanumeric symbols. Due to an abundance of security, I have javascript turned off. Many of these thell me to turn it on. It seems that without Javascript turned on I am finding it impossible to decipher these strings and therefor am unable to access the page. Can anyone educate me on how to correct this.

July 06, 2015

Permalink

I'm baffled. In preferences/advanced/network/settings for TBB 4.5.3, I have it set to no proxy (because I'm running Tor in transparent proxy mode on my local router), and I deleted the tor-launcher xpi file, per the instructions given on this blog long ago for TBB 3.5. Yet Firefox refuses to load any web pages, and says "firefox is configured to use a proxy server that can't be found".

Why in the world does it say it's configured to use a proxy, when in network settings it's set to NOT use a proxy? My transparent proxy router is working, and dig, nc, ssh, etc all work fine through it, but even if I had no network connection at all, that wouldn't explain Firefox's confusion about whether it's configured to use a proxy or not.

I did try disabling torbutton entirely, and restarted Firefox. That didn't change anything.

Why is Firefox behaving this way, and how can I get it to stop trying to use a proxy?

I don't want to just install vanilla Firefox, even though that would work. I need TBB despite my separate transparent proxy, to take advantage of all the TBB privacy customizations, so that Tor exit nodes and web servers can't distinguish me from ordinary TBB users.

What's even weirder is that TBB 4.0.5 and earlier worked fine when I set it to use no proxy. But 4.5.3 says it's configured to use a proxy, even though it isn't.

July 06, 2015

Permalink

TBB 4.0.5 for Linux had a drop-down arrow next to the onion by the address bar, with a menu option for preferences. In there was a tab for proxy settings, with an option for transparent torification. In 4.5.3, there's no such option. Where did it go? How do you enable transparent torification in 4.5.3?

July 07, 2015

Permalink

Sorry, you're not allowed to access this page.

Your IP address is: 91.230.121.131

Please retry your request and contact Yelp if you continue experiencing issues.

July 07, 2015

Permalink

Everything is recorded, archived, and stored! There will never be absolute privacy!

July 07, 2015

Permalink

TOR interception

Document: Hacking Team Project X - Mass interception of encrypted connections

In an article of Arstechnica about the hacking team being hacked, one can find a referral to a document of hacking team wherein is stated that they are the only ones that can hack or break Tor security.

http://arstechnica.com/security/2015/07/massive-leak-reveals-hacking-te…

Is this suggested TOR interception an approach that the many world wide customers of hacking team could use?
Does Torproject has any opinion on this matter?

July 08, 2015

Permalink

7 out of 10 times Tor for Windows is unable to connect to the Tor network.Even with the firewall disabled.What Windows services must be enabled?

July 08, 2015

Permalink

hi friends, i'm the only one who had a 100% of cpu usage?, the browser use all my cpu for: open new tabs, open any new site or click link to open any new site and/or for refresh any tab, this happened in the version 4.5.2 and now in version 4.5.3, i use tor with a normal firefox at the same time. Normally i use version 0.2.3.25, now i try this versions for the "new circuit" but the cpu usage is too high.

July 11, 2015

Permalink

Not sure, if this is just an issue on my machine, but I keep getting a lot of incomplete page loads or even time-outs with this version. Never had an issue with previous versions and it's across multiple sessions, so not a network issue. Even Disconnect search option (upper right) doesn't work most of the time. :-/

July 11, 2015

Permalink

installed torbrowser-launcher.
Click Tor Browser icon in menu
"downloading and installing Tor Browser for the first time"
download completes, installer quits before installing anything.
Click Tor Browser icon in menu again
"downloading and installing Tor Browser for the first time" ....
Tried this 5 times, same result.

arma

July 11, 2015

In reply to by Anonymous (not verified)

Permalink

You are installing torbrowser-launcher separately? Oh, this isn't even tor launcher (the Firefox extension that's part of Tor Browser that you shouldn't try to install yourself).

I guess this torbrowser-launcher is some external thing, perhaps the one Micah works on? This blog comment is unlikely to get noticed by whoever makes torbrowser-launcher.

July 12, 2015

Permalink

Is there any safe way - with any release of Tor - to view H.264 video in MP4 files? I keep seeing messages about unsupported MIME type where the video should play, and this is apparently a long standing issue for browsers like Firefox.

July 17, 2015

Permalink

This TB 4.5.3 for 64-Bit Linux always chooses same first node in every circuit. For me this one is France (91.121.108.64). Was it so intended?

July 28, 2015

Permalink

hi friends, where i can post to get an asnwer for my problem, i try everything and still tor browser use 100% of cpu for: opening new tabs, opening any new site or click in link to open any new site, and/or for every time i refresh F5 any tab.

is a pain in the a** loose 10 or even more of 30 seconds of my pc, just for the browser charge any page.

anyone ????????????

What operating system is this? Is it the latest Tor Browser? We need more information before we can diagnose anything. We can try to figure this out here, but feel free to contact us on OFTC IRC or on one of the mailing lists.

July 29, 2015

In reply to kernelcorn

Permalink

i have xp, before i try these new version, i use 0.2.3.25 because this is the last version when i can get "new identity" without lost all the tabs. and with that version i could manage to have normal FF, tor, office and other programs. all without problems. i try 4.5.2, 4.5.3 and 5.0a3, all with the same results.

July 28, 2015

Permalink

i have xp, before i try these new version, i use 0.2.3.25 because this is the last version when i can get "new identity" without lost all the tabs. and with that version i could manage to have normal FF, tor, office and other programs. all without problems. i try 4.5.2, 4.5.3 and 5.0a3, all with the same results.