Tor Browser Bundle 3.0alpha4 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections
    • Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache
      isolation and SSL Observatory
    • Update Firefox to 17.0.9esr
    • Update Tor to
    • Update NoScript to
    • Update Tor-Launcher to 0.2.2-alpha
      • Bug #9675: Provide feedback mechanism for clock-skew and other early
        startup issues
      • Bug #9445: Allow user to enter bridges with or without 'bridge' keyword
      • Bug #9593: Use UTF16 for Tor process launch to handle unicode paths.
      • misc: Detect when Tor exits and display appropriate notification
    • Update Torbutton to
      • Bug 9492: Fix Torbutton logo on OSX and Windows (and related
        initialization code)
      • Bug 8839: Disable Google/Startpage search filters using Tor-specific urls

    As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support. To build your own identical copies of these bundles from source code, check out the official repository and use git tag [geshifilter-code]<a href="…] (commit [geshifilter-code]<a href="…]).

    These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!


September 26, 2013


Tor Browser Bundle 3.0alpha4 uses an old stable version of HTTPS-Everywhere (3.3.1). Does it make sence to update to a newer version?

If so, should I prefer the stable one (3.4.1) or the development release (4.0 - 12) ?


September 26, 2013


Bug #9445: Allow user to enter bridges with or without 'bridge' keyword

What is different with or without 'bridge' keyword?
Is that same or a new option?


September 26, 2013


A good release, but does anyone know of a fix for when one of the nodes is 'blocking' certain website connections?

I.E. I am trying to go to a website that is perfectly legal anywhere in the world via TOR, yet one of the entrance or exit nodes is blocking the connections to that website for some stupid reason.

Sometimes, clicking on "New Identity" in the Onion button fixes the issue but it makes me lose all the pages I am looking at via TOR at that moment.

Or, is there some way to find out which node is blocking that website and block them in my TOR settings?

No, it is the node that is blocking or filtering certain TOR traffic to certain websites.

I have excluded nodes that I notice are always or near always the third or exit node in my TOR configuration file using "ExcludeNodes" and "ExcludeExitNodes" and it solved my issue.

Someone needs to look into this and see why this is being done.

Nope, you are wrong. The website is blocking certain Tor exits, because they have recieved spamming, hacking attempts, trolling or similar from people using Tor, that happen to have used the same exit nodes.

That is just usual IP banning basically all wiki sites, forum sites, blog sites etc implements.

New identity and Exclude* will help here, yes, unless they decided to block the whole Tor network.

You entry node would not be able to block traffic based on what website you visit. The entry does not know your destination.

you won't lose the pages if you request "New Identity" from the Vidalia control panel. You may also right-click the vidalia icon (in the running tasks toolbar) and select "New Identity".

coupla questions:

1. how do I verify / confirm whether I am connected through a bridge?

2. If more than one bridge is listed in torrc, does tor select a bridge randomly or is it the first one in the list?

1) There isn't an easy interface in Tor Browser for doing that I believe. I'd like one too, but I can also see the "stop adding in so much stuff, you'll never be able to maintain it all" approach. One option is that you could use wireshark or equivalent to watch your Tor traffic and see where it goes.

2) It selects a bridge randomly for each circuit.


netstat (which I believe is preinstalled on all Windows and Linux at least), may be easier than wireshark. "netstat -46n" (on Linux) will list all currently open connections. Verify the bridge is the one connected too.

you folks need to implement a strong defense mechanism for tor very soon before a few selfish ones with a bot net break the network. like other attacks and vulnerabilities, we see this one is for real and needs a fix. If the fix creates less convenience well so be it.

If you've got any good ones nearby, we're happy to hear about them. is the parent ticket.

Why the 3 day delay between the build and this announcement? Just curious.

It would be nice if the bug numbers in these blog posts were hyperlinked to the bug tracking system; looking up the bug numbers manually is a bit tedious.

Is this new version safe from the FBI Javascript exploit?

Yes. But alas, that doesn't make it safe from all future Firefox vulnerabilities (whether in Javascript or in some other part of the code).

Thanks for the update, love the new 3.0 bundle, even easier with vidalia.
Will you be adding a point and click way to run a relay sometime in the future?
That feature in vidalia made it easy for me to learn about relays and try one out.
I run an exit through Debian's tor package now, but I may have never discovered it if I hadn't seen the server option in vidalia. Just a suggestion, still great without.
Thanks for all your hard work, you're definitely helping, and enabling others to help, a lot of people.

you know what would be great? if noscript came with a feature enabling the disabling of scripts on certain domains, in this case .onion domains. thus effectively enabling js on the clearnet by default while also disabling js on the deep web by default too.

I believe this may be possible to do already, try this:

Go to noscript->preferences->whitelist. Here use the wildcard (*) to match all addresses in a top domain, e.g. add "*.com", "*.org", "*.net" and so on (without the quotes).

Then set noscript to block javascripts by default. As long as "*.onion" is not in the whitelist, scripts will be blocked there.

I just tried it, it didn't work.
I also tried to do it via about:config noscript.untrusted and it also didn't work.
Looks like we should contact Giorgio Maone noscript's dev.

He's pretty receptive to feature requests I hear.

Why don't you, a s tor dev, contact him? doesn't it concern you?

What information is given to Microsoft when the tbb-firefox.exe crashes and Windows Error Recovery (WER) is enabled?

Should we be concerned?

I don't know anything about Microsoft / Windows, but there may be reasons to concern.

At least on Ubuntu in the past, when any application crashed, the crash reporter immediately connected to Ubuntus servers to lookup information about the crashed application, therefore giving away the fact you used Tor Browser, and the way it crashed. This without the user even clicking on Report problem.

How about asking Microsoft themselves, or try using Wireshark to determine what is sent (if anything) yourself. Or maybe better just disable it to be safe.

You could just disable the service or block it with your firewall if you're concerned.

last post should say Windows Error Reporting (WER)

Now that Firefox 24esr has been released, is there any reason to keep TBB on the old 17esr?

No, besides the quite involving work to audit the whole browser for newly introduced privacy risks, and porting all the Tor Browser patches to this new ESR series (including writing patches for the new risks).

I have heard that work may be done about the same time 17esr goes end of support.

when a 'New Identity' is requested, are all nodes replaced or only the exit node is replaced? Thx

Complete new circuits are built, so all nodes is replaced. But Tor is configured to always try using the same first hop / guard node (out of three choices), so it may and mostly do end up the same.

Using Windows commands, how would one find IP of the first hop / entry node. 'netstat -f' gives me a big list of various Tor servers?

In case anyone's having the empty Tor Network Settings page issue, details are here:

Is this something that can be fixed in future builds, all four alphas so far have had this issue.

The fix you need to apply before running TBB 3.0 on Windows is:

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

I pointed #9838 and #9438 to each other -- they sound like the same issue.

Thanks for sticking with this.

obfs2/3 bridges are disappear in bridgedb, how can the pttbb connect to tor network in some country

I am using a MAC would the linux version be the right one to use or am i limited to vidalia?

Mac means OS X.

Should work fine if it's a recent enough OS X.

When I launch TBB 3.0a4, it launches a launcher, and then a single app with the Vidalia icon called TBB which seems to be only the I no longer get the Vidalia control panel I get when launching the stable version of TBB (where Vidalia and a separate TorBrowser app with a globe icon both launch). Is this by design? Possible to have it work the old way?

It is by design. Vidalia has been unsupported for years, and many people are confused to have two programs that they think of as "Tor". See the original TBB 3.0a1 announcement for details:

I have no idea how to get Tor Browser Bundle 3.0alpha4 operational ... It seams that everything is deffrent here with TBB 3.0alpha4 (install part) compered to official TBB 2.3 . I downloaded TBB 3.0alpha4 from :,,, or is there maybe some another site for downloading TBB 3.0alpha4 where you can installed TBB 3.0alpha4 the same like offical TBB 2.3 ...Some help would be appreciated .. Thank you...

I think the download is broken, tried it twice but after unpacking I get the message the procedure _vsnprintf_s can not be found in msvcrt.dll

Sounds like you hit
which will hopefully be fixed in TBB 3.0 alpha 5.

This is a bug ( which will hopefully be fixed in the next release.

I am using this on a Mac. Does 3 alpha have a relay function built in?