Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy

Well, linux binary should work fine with new enough glibc and glib/gtk. Here's a port against CentOS 6 libs. One important difference with stock TBB is it stores mutable Data (firefox profile, tor cache/settings) under /tmp by default while everything else is installed under read-only directory. The data is, of course, removed upon port deinstall.

https://trillian.chruetertee.ch/freebsd-gecko/browser/trunk/www/linux-t…

You should be more concerned at why Mike Perry (we all know who he works for and runs 16 TOR exit nodes for) has taken away the ability to see who you are connected to. Don't forget that UK GCHQ run their own private TOR network that sucks in traffic to analyse it.
(Newtons Cradle it is known as). Take away the ability to see what a person is connected to, switch on JAVA and SCRIPTS by default and you fall straight in to the hands of GCHQ and NSA.
No doubt they have some new exploits and needed the help of Mike Perry again. He helped them last time when Freedom Hosting was attacked. He made sure NSA could infect people by not enabling ScriptBlock and by switching JAVA on ready. Most users trusted the TOR project.
I suspect that the TOR Project are now assisting the NSA and GCHQ. They have been forced to - otherwise TOR traffic will be stopped. It is a great shame they are not honest with their users who fund them (apart from NSA sponsorship).

I guess there will always be people with conspiracy theories trying to rip the privacy community apart.

And the sad part is that there *are* conspiracies out there, and we all need help fighting them and providing tools to let people stay safe despite the massive government (and heck, corporate too) surveillance.

(To briefly respond: Mike doesn't run 16 exits, see https://www.torproject.org/docs/faq#TBBJavaScriptEnabled which I wrote (not Mike), and see the FAQ entries linked above for how to hook up a standalone Vidalia to your TBB 3.5 if you want to see your circuits, and for how to disable JavaScript in TBB 3.5.)

Well... yes, as long as there are MASSIVE numbers of docs like Snowden released, there will be "theorists." If it's actually happened / still happening, is it still just a "theory?"

The other thing that gives a great # of "experts" pause, is Tor Project's LONG standing relationship w/ U.S. armed forces. Taking large sums from them. Sure, many say, "But it's open source & anyone, anywhere can examine it."

That's absolutely true. It's also true (for human nature), that the adages are true, "Perception is reality," & "You're judged by the company you keep." People running for public office don't pal around w/ known crime bosses.

From "thinking" private users' perspective of anonymity & security, it has & always will be a stupid, stupid idea to take large sums from "one of the enemy." It MAY be that funding from other sources is hard to find, but it's still STUPID.

No one can really expect NOT to raise suspicion when organizations take large sums from (one of) the very groups that it's trying to help users avoid.

It's also true that every time we find out some new gov't (or private) agency's previously unimaginable capability, we're surprised! Why? Are we really that short on memory? I guess so.

I totally agree with you about the perception thing, and that's why we need to be extra sure to be transparent and communicate well. Also, I'd love to get some more funding so we can make our government funding sources a smaller fraction of our budget. Along those lines, also see my statements in our 30c3 talk today (video coming soon if it's not out already):
http://events.ccc.de/congress/2013/Fahrplan/events/5423.html

But let me draw a distinction between your quite reasonable (and reasonably presented) concern, and the ad hominem rant of the earlier post.

Block javascript off by default and turn "Temporarily allow" on by default and we can talk.

I don't know what you guys are thinking, but nobody who uses Tor wants to load Google analytics javascript by default, or all the other billion javascripts by default for that matter, this should be a no brainer.

Dude, exactly why do you believe the Tor staff is above reproach? Why do you have this savior mentality regarding the Tor staff?

You think they can't be bought? You think government isn't interested in buying them? You can see what government has been doing.

Do you honestly believe that they have not already tried to find ways of cracking the anonymity of such a wide-spread and popular anonymous network of internet users?

My point is, you sitting here bashing people as conspiracy nuts for simply stating their concerns and opinions regarding the integrity of an anonymous internet network makes you sound like you have a stake in people simply dismissing him as a conspiracy nut.

You have a reason to say what you say, then state it. You continue to resort to bashing those you don't want people to agree with, and you become the person suspected of lying. Well, I suppose to anyone who's liberal, the bashing thing works rather well, but still, anyone serious about anonymity, you need to give the respect they deserve and don't be bashing people. You need to give reason to refute their claims, not simply call them a conspiracy nut. It's easy to label someone, and rather childish in the face of something as serious as government's overreaching eyes. Give reason or just shut your mouth because you obviously have nothing real to say.

How can we verify *you* are not bought. At some point paranoia must take a break, and we must trust someone. Otherwise we're forever trapped in full-time paranoia.

Tor is trustworthy because it's Free Software - where many people look carefully at how it works. I trust this web-of-trust.

I used to defend the tor project but frankly this release is a bit questionable. They offer the ARM package and even support it on the home page but to actually run it with TBB is "unsupported" by the project. Once again taking JS lightly, etc etc. I think I'll donate bandwidth to Hyperboria instead :(

If somebody wrote up instructions for hooking up arm to TBB, then people could do it. I bet it would be pretty easy -- the main issue would probably be changing the controlport, and making sure that arm knows how to do cookie authentication for the controlport.

Maybe the small changes would be made even easier by making a 'standalone arm' bundle or something like the standalone Vidalia bundle? Or maybe people who want to use arm are willing to edit text files? I'm not sure.
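The control-port exchange the reply above refers to (PROTOCOLINFO, then AUTHENTICATE with the cookie file), as an added example that is not part of the original comments or Tor Project code. Port 9151 is taken from the thread's "arm -i 9151"; the sample reply and its cookie path are constructed, and the function names are hypothetical.

```python
import re
import socket

SAMPLE_REPLY = (  # constructed sample; the cookie path is a placeholder
    '250-PROTOCOLINFO 1\r\n'
    '250-AUTH METHODS=COOKIE,SAFECOOKIE COOKIEFILE="/constructed/Data/Tor/control_auth_cookie"\r\n'
    '250-VERSION Tor="0.2.4.19"\r\n'
    '250 OK\r\n'
)

def parse_protocolinfo(reply):
    """Return (auth_methods, cookie_path); the path arrives backslash-escaped."""
    methods, cookie_path = [], None
    for line in reply.splitlines():
        if line.startswith("250-AUTH "):
            m = re.search(r"METHODS=([A-Z,]+)", line)
            c = re.search(r'COOKIEFILE="((?:[^"\\]|\\.)*)"', line)
            methods = m.group(1).split(",") if m else []
            cookie_path = re.sub(r"\\(.)", r"\1", c.group(1)) if c else None
    return methods, cookie_path

def authenticate_command(cookie):  # COOKIE method: hex of the 32-byte file
    if len(cookie) != 32:
        raise ValueError("control_auth_cookie must be exactly 32 bytes")
    return "AUTHENTICATE " + cookie.hex() + "\r\n"

def read_reply(stream):  # replies without a data block end at "<code> <text>"
    lines = []
    while not (lines and re.match(r"\d{3} ", lines[-1])):
        lines.append(stream.readline())
        if not lines[-1]:
            raise ConnectionError("control port closed the connection")
    return "".join(lines)

def query_version(host="127.0.0.1", port=9151):  # 9151: from "arm -i 9151"
    """Authenticate with the cookie, then return the reply to GETINFO version."""
    with socket.create_connection((host, port), timeout=5) as sock:
        stream = sock.makefile("rw", newline="")
        def ask(command):
            stream.write(command)
            stream.flush()
            return read_reply(stream)
        methods, path = parse_protocolinfo(ask("PROTOCOLINFO 1\r\n"))
        if "COOKIE" not in methods or path is None:
            raise RuntimeError("cookie authentication is not offered")
        with open(path, "rb") as fh:
            if not ask(authenticate_command(fh.read())).startswith("250"):
                raise PermissionError("AUTHENTICATE was rejected")
        return ask("GETINFO version\r\n")
```

The cookie file is readable only by the account that runs Tor, so a controller started under a different user fails at the `open()` step before anything is sent.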

Shouldn't we be more concerned that he creates the Tor Browser? Also he is responsible for the path bias. And shouldn't we blame the developers of Firefox that created the security hole in the first place. They probably got paid by Google and they got paid by the NSA (National Security[?] Agency) or the NASA (North American Spy Agency).

Please let us hear even more entertaining conspiracy theories. (Well, you better don't)

I was unaware that the Tor Browser ships with Java and that Java would also be enabled, but you might have an answer on how that can happen.

Beside that you still can add Vidalia back to the Tor Browser, even though Vidalia is a bit buggy.

Instead of ranting, improve the Tor settings.
Go to www.ip-check.info, check your settings and see your exit relay. After changing a few settings I get two orange markings that are "http session" and "window size" the rest is green - as private as it gets with Tor.
If you know a different or better website to check, please add it.

Yes, FreeBSD should be supported. I run it on notebook after it was found that Linux has its random number generator backdoored (fixed in kernel 3.13). NSA is more productive than I ever expected.

I bet it will run on KfreeBSD, with experimental in your sources list, with apt-get build-dep tor, then apt-get -b source tor, then dpkg -i *.deb

Anonymous

December 19, 2013

Anyone can make PageInfo-Security GUI window in Torbrowser/Firefox more informative? Exact used crypto algorithm. Like in Seamonkey-Mozilla, too.
Firefox/torbrowser GUI is going more and more the Microsoft 'don't use your brain' Mickey Mouse way.
Mozilla Company seems to have too much money.........

Anonymous

December 19, 2013

I am having a hard time figuring out how to dictate what exit nodes to use in this new version (the mac one specifically). Vidalia had previously been helpful in not only locating the server names for specific countries and the supposed strength of the signals, but also in implementing those strict exit nodes. Will there be directions available soon to solve this issue?

Going through the comments on this and other blog entries, I'm noticing a lack of answers to questions about the above type of problem. Under the FAQ for 3.5, it states that one can access the torrc file via: "the TBB directory under Data/Tor/Torrc". Unfortunately (unless these are hidden files), such a path cannot be found for the MacOS version, which I would've thought to have been: MacintoshHD/Library/ApplicationSupport under which one would find a directory for TBB.

Should I assume the lack of an application support folder is due to the absence of a standard installation process? This seems to be supported by the fact that the only searchable trace of TBB is the unzipped application. This then still makes the editable torrc file essentially non existent on a MacOS.

Even if the torrc file can indeed be accessed, the navigation of the new online replacement for Vidalia's "View the Network", Atlas, is not quite helpful either. Will there be a function to search by country code and not just name of specific servers? The problem seems to be when one needs to exit through a specific country: if your current exit nodes don't correspond to the correct country, or the ones you have accessed are down or working at minimum efficiency, there is no clear way to research new nodes with the right specifications.

Will someone from TorProject please lend some insight to the issue?

You are right that helping people select their exit country isn't high on our (already overly long) priority list. Maybe you want to help make it easier or make some better documentation for folks who want it? Thanks!

Please can we not litter OS X with billions of trace files all over the system. Please keep ALL TBB contained to /Applications/TorBrowser_en-US/. Let's not go back to the old days of data all over the place in /var /private /etc and so on.

OS X already came out the worst in a study of any system in leaving traces of Tor:

Can we keep torrc files within the bundle:

/Applications/TorBrowser_en-US/

Sounds great. Make it happen! This is a community with plenty of room for more people to make things happen. If you're thinking of this as "those Tor people who make and support Tor" and "us users who just use it", you're looking at it wrong.

See https://blog.torproject.org/blog/tor-browser-bundle-35-released#comment… for more thoughts.

[Edit: arm -i 9151 will do it]

Anonymous

December 19, 2013

I can't seem to find the 64-bit versions for OSX and Windows... but neither were they in the set of files for rc1. I can understand if building them takes time, and they might show up later. Or is the policy to not make them anymore (though I could not find anything indicating that - what did I miss)? If so, what is recommended for users of 64-bit systems? Stick with 2.4, or run the 32bit version 3?

You should run the 32-bit version of 3.5 for now. I've been doing some work on 64-bit Windows, and I am confident we will begin doing 64-bit OSX bundles again, but I can't give you a timeframe.

Anonymous

December 19, 2013

I'm frustrated about what's happened to Vidalia. I find it useful and informative and I certainly don't want to be without it. Tor Launcher refused to let me start Firefox at all until I let it connect to Tor, which I didn't want to do because (1) I wanted to examine it more before letting it connect, and (2) I use Tor separately of Firefox and didn't need Tor Launcher trying to start a second copy. So I deleted Tor Launcher from Firefox and downloaded Vidalia and found the standalone Vidalia bundle is missing libgcc_s_dw2-1.dll and mingwm10.dll, so it doesn't run at all. I had to get those DLLs from an older TBB. It does work fine now though.

In terms of startup times, the only reason Vidalia is slow is because in the GUI it redraws the list of nodes for every node it adds to it (O(n²) complexity!). If it added all the nodes and then redrew it once it would start more quickly and wouldn't periodically stall single-CPU systems every time it decides to refresh the list in the background.

Don't get me wrong: I'm really ever so grateful for Tor, but some things could use improvement.

Well, you could, but he was really just a friendly fellow helping out while Vidalia was unmaintained.

You could as well say that somebody should tell Matt Edman (the original Vidalia author) about it. Alas, he too has long since decided that maintaining a Qt app was no fun. Vidalia has been unmaintained for years now.

Perhaps you (yes, you) want to pick it up? :)