Tor Browser 4.5a3 is released

The third alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

Note: The individual bundles of the alpha series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub 4096R/0x4E2C6E8793298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7
DE68 4E2C 6E87 9329 8290

Tor Browser 4.5a3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Its updater now contains the code for verifying signed update files and does not accept unsigned ones anymore. Moreover, this release includes an updated Tor, 0.2.6.2-alpha, an updated meek, 0.15, which is now working again, and a bunch of additional improvements and bugfixes.

Here is the changelog since 4.5-alpha-2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update Tor to 0.2.6.2-alpha
    • Update NoScript to 2.6.9.10
    • Update HTTPS Everywhere to 5.0developement.2
    • Update meek to 0.15
    • Update Torbutton to 1.8.1.3
      • Bug 13998: Handle changes in NoScript 2.6.9.8+
      • Bug 14100: Option to hide NetworkSettings menuitem
      • Bug 13079: Option to skip control port verification
      • Bug 13835: Option to change default Tor Browser homepage
      • Bug 11449: Fix new identity error if NoScript is not enabled
      • Bug 13881: Localize strings for tor circuit display
      • Bug 9387: Incorporate user feedback
      • Bug 13671: Fixup for circuit display if bridges are used
      • Translation updates
    • Update Tor Launcher 0.2.7.1
      • Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
      • Translation updates
    • Bug 13379: Sign our MAR files
    • Bug 13788: Fix broken meek in 4.5-alpha series
    • Bug 13439: No canvas prompt for content callers
Anonymous

January 31, 2015

Permalink

obfs4 is now blocked in china. they are so fast.. is it possible to bring it back?

Anonymous

February 02, 2015

Permalink

Does Tor work on Windows 8.1?
When you go to the Download Tor page, it say's,
Tor browser 4.0.3 for Windows 8,7,Vista and XP.

Anonymous

February 05, 2015

Permalink

Could someone please enumerate what exactly the positions in the security slider are doing at this point, and perhaps where they'll be headed? From https://trac.torproject.org/projects/tor/ticket/9387 Mike Perry explained his initial thoughts...

Position 0: Current TBB defaults (Most usable)
Position 1: Javascript is disabled for all non-https URLS
Position 2: HTML5 media and fonts click-to-play/disabled
Position 3: All scripts and media are disabled (Most secure)

...but it is unclear this is all that's going on. For example, specific object and HTLM5 canvas blocking seem to be happening at positions 1-3, even if the user allows the domain in NoScript. This is quite different than the traditional method of forbidding JavaScript globally and then decidedly allowing, say, YouTube -- which is something I imagine many users do. To enable HTML5 video the user must either use Position 0 (sub-optimal) or finesse other positions (risking fingerprinting). I worry this will have negative outcomes in other areas as well.

Yes, this is on my ToDo list. Alas, it won't make it into 4.5a4 due next week but the release after that one should have some explanation on the slider as well. The best we currently have is comment 43 in the ticket you mentioned.

Canvas blocking is a different beast as it can be used to track you with an identifier cross-domain.

Anonymous

February 06, 2015

Permalink

Hi torproject
give this free for all only when you think its ok.

In the past i've tested some guard nodes with downloading bigger files.

In a graphical interface i have seen maybe conspicuous behaviour.
At one node reproducible.All few seconds a big Zig Zag, high low KB/s in the graph.
Only with one guard node.I dont know his present behaviour.It was a not spanish provider located in spain.

Reminds me at a comment in the NSA(?) docs that a flat continuous download stream
would be harder to hunt down.

Anonymous

February 06, 2015

Permalink

Hi, is it javascript, flash or is it Tor that has changed?
this might be a hell of coincident or new updates on made by
many at same time.
however, there has never been any problems with opening videos
from youtube or addons with tor in in firefox before.
but since the 4.0.3 release i get a clickjack varning on every
square or video i hit on. so what i need to do IF i am able to see
the name of that add or video is to go to youtube and manually
search for it and THEN open in up. this happen on ALMOST
every site that i try starting a video on.

another thing is that sites i've never had any problems starting up before
now suddenly became a problem. in other firefox, none tor based browser
it will open up, but not with tor. for example, thehackernews never been
a issue before until version 4.0.3 and it just says that The connection was interrupted.

another thing i've also noticed is that on earlier versions of the TBB
is that html5 videos on youtube for example loaded really quickly.
but now it starts and stops every 2-5 second. it's really annouying.

could any of these reasons have accured because of the raid
on the exit nodes?

i'm really greatfull and thankfull for all of the work and effort you guys put
into this. best regards

Anonymous

February 07, 2015

Permalink

Hi guys,
Have you heard the Episode #493 of "Security Now!" from 03 Feb 2015 titled Tor: Not so Anonymous: After catching up with a few important security events of the week, Leo and I revisit and dissect the anonymity promises of TOR in light of scores of academic papers which have questioned its anonymity guarantees"?

You may read a transcription of the show here: https://www.grc.com/sn/sn-493.htm

I wander if tor developers can comment on that one.

Haven't watched the episode, but the mention of scores of academic papers questioning its anonymity sure sounds like somebody who doesn't understand how science works.

The scores of academic papers are exactly the *great* thing about Tor. It's the system that all the researchers want to look at, because it's the thing to beat (and because we put so much energy into presenting it to them in a way that makes it easy for them to analyze it).

Tor isn't perfect, but it's better than all the other systems out there. For more on why Tor is so appealing to academics, check out Section 1.2 of this NSF proposal:
https://svn.torproject.org/svn/projects/roadmaps/2009-07-24-measurement…

...Ok, I went and read the transcript in more detail. It sounds like Steve is shocked that Tor doesn't protect against traffic confirmation attacks. You can read more about those here:
https://blog.torproject.org/blog/one-cell-enough

And he trots out the "81%" paper that was (is) so thoroughly misunderstood:
https://blog.torproject.org/blog/traffic-correlation-using-netflows
(This paper didn't actually attack real Tor traffic, and the author himself said that the technique probably wouldn't work as-is against actual Tor traffic.)

But all of that said, many of Steve's underlying points are indeed probably correct. Tor isn't perfect. It's just better than our other options.

Anonymous

February 08, 2015

Permalink

hi,

a question please :

i am using tor quite regularly.

now i think about sign up to a vpn service.
(dont know which one yet, though, gut to check it out a while)

my question :

does it male sense using a VPN - AND tor (parallel)?
or do they disturb one another, maybe not work with oe another ?

(f.e. i use a service called premiumize.me for faster downloads at one.click-hosters
(like rapidgator,share-online.biz,uploaded etc.pp.
this service., according to their support, does NOT work with tor (probably because in browsers they use a script or addon, which Tor doesnt allow/suggest).

is it the same problem with VPN (a vpn service)?

thanks

7stone

Anonymous

February 14, 2015

Permalink

I don't like the new Tor.... It seems to select the country ip for me rather than letting me have an option to chose.

Anonymous

February 21, 2015

Permalink

Not use latest firefox he spy on you. Outgoing auto links to Amazon can't turn off.

Anonymous

February 24, 2015

Permalink

something's gone wrong in 4.5a3? using gpg suite

gpg --fingerprint 0x416F061063FEE659
pub 2048R/63FEE659 2003-10-16
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
uid [ unknown] Erinn Clark
uid [ unknown] Erinn Clark
uid [ unknown] Erinn Clark
sub 2048R/EB399FD7 2003-10-16

gpg --verify /Users/anon/Downloads/tor/TorBrowser-4.5a3-osx64_en-US.dmg.asc
gpg: Signature made Fri Jan 16 03:09:34 2015 EST using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

gpg --verify /Users/anon/Downloads/tor/TorBrowser-4.5a3-osx64_en-US.dmg.asc /Users/anon/Downloads/tor/sha256sums.txt{.asc}
gpg: Signature made Fri Jan 16 03:09:34 2015 EST using RSA key ID D40814E0
gpg: BAD signature from "Tor Browser Developers (signing key) " [unknown]

Anonymous

March 03, 2015

Permalink

I've been having an issue with 4.0.3 as well as the newest releases (stable and alpha).
There's nothing wrong with the builds, but I've been dealing with problems on my end after I was having memory (leak?) issues. I tried to see if it could be resolved in about:memory, but I screwed something up.

Whenever I close TBB and try to "start t0r browser" again later, I've been unable to connect to the network and receive an (win64) error message that includes:

Problem Event Name: APPCRASH

Fault Module Name: d2d1.dll

(I took a screen-grab, but was concerned about embedded exif data, so changed my mind about uploading the image)

Everything works as expected on the first run during installation: browser opens, t0r connects to the network etc.; but after closing and running it again, I get the fault event notification Appcrash and have to re-install the t0rbrowser-install-#.exe for it to work (again, only through "run t0rbrowser" prompt during installation).

I thought with 4.0.4 and 4.5a4, it would be resolved, but I'm dealing with the same problem for the new releases.

I don't know if anyone that could help, arma or gk maybe, looks at old release blog comments, but if you could help it would be greatly appreciated.

aside: I'm not sure why my fuckery in about:memory would affect that specific d2d1.dll in the system folder, but I'm an idiot so I donno. If I could swap it for a new one, do you know any reputable place where I could obtainin it? I didn't create a system back-up disc or set a restore point because, as I said before, I'm a dumbass.

Thanks in advance