Tor Browser Bundle 3.0alpha3 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:

https://archive.torproject.org/tor-package-archive/torbrowser/3.0a3

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Update Firefox to 17.0.8esr
      • https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
    • Update Tor to 0.2.4.15-rc
    • Update HTTPS-Everywhere to 3.3.1
    • Update NoScript to 2.6.6.9
    • Improve build input fetching and authentication
    • Bug #9283: Update NoScript prefs for usability.
    • Bug #6152 (partial): Disable JSCtypes support at compile time
    • Update Torbutton to 1.6.1
      • Bug 8478: Change when window resize code fires to avoid rounding errors
      • Bug 9331: Hack a correct download URL for the next TBB release
      • Bug 9144: Change an aboutTor.dtd string so transifex will accept it
    • Update Tor-Launcher to 0.2.1-alpha
      • Bug #9128: Remove dependency on JSCtypes
  • Windows:
    • Bug #9195: Disable download manager AV scanning (to prevent cloud
      reporting+scanning of downloaded files)
  • Mac:
    • Bug #9173 (partial): Launch firefox-bin on MacOS instead of TorBrowser.app
      (improves dock behavior).

As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support (though there are some issues in LXC).
To build your own identical copies of these bundles from source code, check out the official repository and use git tag https://gitweb.torproject.org/builders/tor-browser-bundle.git/tag/22456… (commit https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/49…).

These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

Anonymous

August 09, 2013

XML Parsing Error: unexpected parser state
Location: jar:file:///C:/Tor%20Browser/Tor%20Browser/FirefoxPortable/App/Firefox/omni.ja!/chrome/toolkit/content/global/netError.xhtml
Line Number 311, Column 58: &netInterrupt.longDesc;
---------------------------------------------------------^

I updated it, then I was going to a lix.in site to see if it works and this message appears.
I had my Chrome opened as well as Tor and this was shown in Tor. what the damn is this???????????? never ever saw at least like this. is dangerous??!

I didn't launch Tor again after this message was shown in red. I have no idea of what any of that code means, all I wanted to know is if anything looks dangerous. or what does it mean at all.

@arma
I have seen this before, and no it is not repeatable.

This error message appears often, but not always, in conjunction with the "The proxy server is refusing connections" error.

I speculate that the "XML Parsing Error: unexpected parser state" error is caused by a timeout exception that is not caught in upstream Mozilla code. But I repeat: it is nondeterministic and therefore not repeatable.

On a side-note: I believe that I have found the root cause to the "The proxy server is refusing connections" error and posted it here:
https://trac.torproject.org/projects/tor/ticket/9413#comment:5

Anonymous

August 09, 2013

crashes on startup immediately after install. windows 8 (not 8.1) 64bit with all updates. I installed it onto a non-default directory on a secondary hard drive.

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

Anonymous

August 09, 2013

Hi, I'm new to the Tor Browser. Is Tor updated when I re-download the Tor Bundle and overwrite "Start Tor Browser.exe"? The exe file I saved is now dated 8/8/2013 10:44 am.

Anonymous

August 09, 2013

The 32-bit bundle tor-browser-linux32-3.0-alpha-3_en-US.tar.xz won't run at all ...

> ./start-tor-browser: line 119: getconf: not found
> ./start-tor-browser: line 120: file: not found
> Wrong architecture? 32-bit vs. 64-bit.

... what's getconf anyway? I haven't got it.

> Are you on a 64-bit platform?

... yes, I am. It's a Pentium D-820, also known as 'the heater'. But uname identifies it as i686, and I'm not so sure about that. Shouldn't it be x86-64? I was trying out the 32-bit version because my Linux and all the applications are 32 bit.

Anonymous

August 09, 2013

Am I using the .asc file wrong? Is someone else signing the alpha? What's the mp-asc file for?

$ gpg --verify sha256sums.txt.asc sha256sums.txt
gpg: Signature made Thu 08 Aug 2013 07:41:59 AM PDT using RSA key ID AC3A821D
gpg: Can't check signature: No public key

$ gpg -k
------------------------------
pub 2048R/63FEE659 2003-10-16
uid Erinn Clark <erinn@torproject.org>
uid Erinn Clark <erinn@debian.org>
uid Erinn Clark <erinn@double-helix.org>
sub 2048R/EB399FD7 2003-10-16

pub 4096R/C5AA446D 2010-07-14
uid Sebastian Hahn <mail@sebastianhahn.net>
sub 2048R/A2499719 2010-07-14
sub 2048R/140C961B 2010-07-14

Sorry for not providing much info, I don't remember having trouble with this before and I don't know what has changed. Did I just forget how to use gpg?

The 3.0alpha packages are signed by Mike Perry (that's the mp-asc file) as well as whoever else manages to reproduce them -- that's one of the main features of the reproducible build design, where several people can build packages independently and produce exactly the same output.

In this case though, Mike screwed up the signature files, putting Georg Koppen's signature in that file that's confusing you.

Yes, so how to verify it?

gpg --verify sha256sums.txt.mp-asc tor-browser-linux32-3.0-alpha-3_en-US.tar.xz
gpg: Signature made Sat 10 Aug 2013 01:02:14 AM HKT using DSA key ID DDC6C0AD
gpg: BAD signature from "Mike Perry "

The .mp-asc and .asc files are signatures on the sha256sums.txt file.

The sha256sums.txt file contains sha256 hashes of every file in the directory.

Run 'sha256sum file' to compute that file's sha256 hash.

Ok, understand now.
sha256sums.txt.mp-asc is for sha256sums.txt.
but what is sha256sums.txt.asc for ?? (how to use it)
thank you.

gpg --verify sha256sums.txt.mp-asc sha256sums.txt
gpg: Signature made Sat 10 Aug 2013 01:02:14 AM HKT using DSA key ID DDC6C0AD
gpg: Good signature from "Mike Perry "
gpg: aka "Mike Perry "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BECD 90ED D1EE 8736 7980 ECF8 1B0C A30C DDC6 C0AD
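
The two steps this thread arrives at, as an added shell example that is not part of the original post or its comments: confirm that the signature on sha256sums.txt comes from the key whose fingerprint appears in the gpg output above, then check the bundle's own hash against that list. The function names are hypothetical, and the first function assumes GnuPG's machine-readable `VALIDSIG` status line.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Tor Project.

# Primary key fingerprint quoted in the gpg output above, spaces removed.
PINNED_FPR="BECD90EDD1EE87367980ECF81B0CA30CDDC6C0AD"

# Reads `gpg --status-fd 1 --verify SIG FILE` output on stdin. Succeeds only
# if a VALIDSIG line names the pinned key, either as the signing key
# (field 3) or as its primary key (last field). BADSIG/ERRSIG never match.
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# Succeeds only if FILE's SHA-256 equals the entry for its basename in SUMS.
# Fails closed when the file is not listed or is listed more than once.
hash_matches_list() {
    sums=$1
    file=$2
    name=$(basename "$file")
    # sha256sum prefixes the name with "*" in binary mode; strip it.
    listed=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1 }' "$sums")
    [ -n "$listed" ] || return 1
    [ "$(printf '%s\n' "$listed" | wc -l)" -eq 1 ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$listed" = "$actual" ]
}

# Both steps together: the signature covers sha256sums.txt, never the bundle.
verify_bundle() {
    sig=$1
    sums=$2
    file=$3
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null | signed_by_pinned_key &&
        hash_matches_list "$sums" "$file"
}

# Usage with the file names from this thread:
#   verify_bundle sha256sums.txt.mp-asc sha256sums.txt \
#       tor-browser-linux32-3.0-alpha-3_en-US.tar.xz
```

A "Good signature" from an unexpected key still fails the first step, which is why the fingerprint is pinned rather than read from gpg's human-readable text.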

Anonymous

August 09, 2013

Works for me on Windows 8. Only issue is NoScript still enabled javascript by default.

Anonymous

August 10, 2013

For me (on Windows 7), on running Start Tor Browser.exe, the Tor Network Settings box appears, but it is empty.

It doesn't go into a "Not Responding" state, I can move it, resize it etc, but it's completely empty and nothing happens after this point.

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

Anonymous

August 10, 2013

excuse me but i'm kinda new with tor...
i've dnled the latest tor and also the 3alpha, but what exactly do i do with the files in the 3alpha folder?
i'm using win. thanks for your time and cheers to all that are involved in this project

Thanks for the answer first of all!!

could you tell me the differences between these 2?
I mean if it's best for me to run the alpha, I'll do. although I tried the alpha yesterday and there were some glitches in the graphics when any popup menu was clicked, but I think this has to do with my pc.

Btw I use it in my android too (orbot/orweb) and they are excellent!!

Anonymous

August 10, 2013

1.6.1? I updated my TOR Browser Bundle and it is still on 1.6.0? What is the deal?

Anonymous

August 10, 2013

Tor Network Settings window comes up blank, then nothing more. Win7 64, installed in Desktop, logged in as an admin.

Yes, this is the SAME exact problem I told mike about for the alpha1 and alpha2. I even wrote about it on Tor-talk on the blog.

The problem is BOTH of these lines have to be added to prefs.js, and Mike is choosing to only add the first, even after I told him 3 times BOTH have to be added.

Maybe Mike's distance for Windows is the reason for this carelessness?

Man, too often are the releases screwed up in some way . . . :(

If only the first is added, the blank box that these people are complaining about happens, i.e. "Tor Network Settings" is blank and the program seems to have frozen. This happens by only trying to set the "XP compatibility mode."

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

https://lists.torproject.org/pipermail/tor-talk/2013-June/028564.html

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

Anonymous

August 10, 2013

Can we PLEASE have a NEWNYM function in the alpha TorButton now that Vidalia GUI is gone? The "New Identity" feature in TorButton is not the same thing as NEWNYM, they do not serve the same function, not at all.

I've asked a few times and no one has responded :( I even asked Mike *directly* on Tor-talk . . .

Many times a user doesn't want to clear all their tabs and re-launch, they just want a new exit node.

Please, please, please, add the damn NEWNYM function.

Hm. Is this because the website you're trying to reach is trying to block Tor, and you're trying to find an exit relay that isn't blocked yet? Or some other issue?

I think a lot of the reasons people click newnym are somewhat harmful to the Tor network (more circuits made), so I'm torn.

Hi arma,

Thanks for your response :) And I'm very sorry for being a bit rude, it's been a long day and I'm kind of grumpy by nature. You guys are amazing for not being rude back, you're a better man than I.

The reason I like having newnym is:

a.) Try to find faster circuit, which may be "somewhat harmful to the Tor network" even though you guys added the forced delay (grayed out button) for N seconds after it was used.

b.) To prevent cross site traffic, e.g. I clear cookies and cache, then use NEWNYM when on site A, before I open a new tab to visit site B. I'm not sure if this is less 'safe' than clearing all tabs and re-launching, but it sure is a lot better in terms of usage (being forced to close all tabs really sucks). I really dislike having to close all tabs when I want a new IP address, I often surf multiple sites concurrently, so the New Identity feature in TorButton is not an option for me.

I guess the best option here would be if Mike was able to figure out finer-grained cookie control (IIRC, that he wrote about before), e.g. per tab. Then there would be less of a need to re-launch TorBrowser when someone clicks "New Identity."

As always I defer to TPO's much greater knowledge than my own.

I really dislike having to close all tabs when I want a new IP address, I often surf multiple sites concurrently, so the New Identity feature in TorButton is not an option for me.

Then NEWNYM was providing you with a false sense of security: any cookies that had been set by a website would make it possible to link between the old and the new IP address. The Tor Browser does not close all the tabs just to annoy you, but because resetting the internal browser state is the only way to provide unlinkable visits to the same site (or ad networks for that matter).

I understand this, and if you read the message, you would see I clear cookies and cache, the same thing TorBrowser does by re-launching. That said, I'm aware this may not be as 'safe' as re-launching.

Regardless of WHY TorBrowser does the re-launch, it's very annoying and I won't use it.

I guess I'll just have to write a Windows script for NEWNYM to be used with TorBrowser alpha3.x and post it on Tor-talk list?

Anonymous

August 10, 2013

How can I observe / control the circuit and the exit-IP I am using without vidalia?

I'm updating my old vbs script to issue NEWNYM command. I'll write a Tor-talk e-mail when it's done. So, if you're on Windows you can now, again, use NEWNYM.

However, the problem with my method is there is no forced delay before issuing it again, so, people can hurt the network if lots of people use this over and over again. Which is why Tor should really put the feature into TorBrowserButton.

See here: https://lists.torproject.org/pipermail/tor-talk/2006-August/001738.html

Anonymous

August 10, 2013

I can't log onto certain websites using TOR since update?
This started yesterday not sure why it says
"can not connect to servers at 'the-website im-trying-to-go-to.onion.to'

Anonymous

August 11, 2013

How can I change the exit node without closing all my tabs? I used to do it from Vidalia.

For info regarding what arma is referring to, see this thread from Tor-talk.

NEWNYM doesn't do what it seems like it should do, as a rule, which is odd. Sadly, it seems the TorButton 'buckets' idea went nowhere. There really should be a command to kill all circuits and *force* a new exit node when the command is issued.

"Stricter NEWNYM?"
https://lists.torproject.org/pipermail/tor-talk/2011-March/019725.html

P.S. Arma: it would be great if you guys would ask for comments before making major changes that are going to confuse and annoy a lot of people. Sure, there's trac and bug/feature requests, but that's not easy to follow. Big changes should come *after* a Tor-talk e-mail and blog post asking for input, in my opinion.

Anonymous

August 11, 2013

Yeah well the question is does it STILL enable javascript by default?

Might as well enable JAVA+Javascript by default and open every backdoor available, since the torproject team only cares about "making life easier".

Anonymous

August 11, 2013

Just a note, don't install the 3.0 alpha 3 over a previous bundle and expect it to work correctly. Install it to a totally new directory, import any bookmarks you might have, configure as needed, and then go.