Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy

I installed the Quick Java add on to enable single click control over my JAVA, JAVAScript, Flash, Silverlight, Image, Animated Image and CSS controls.

Very handy.

Just enable Add-On Bar after your install and you can customize what button you have on the bottom right of your browser.

For safety and speed I disable all plugins except image and CSS style.

To be safe, I've also got the Better Privacy LSO persistent flash cookies add on to remove all flash cookies created upon exit.

My COMODO defense kept pestering me Firefox.exe to access my COM section of my registry. Didn't have this issue in my last TOR Browser bundle.

Anonymous

December 21, 2013

Permalink

The main bundle has improved lots and is fast so thanks for all the hard work.

As many of the users have mentioned their frustration with lack of graphic controller (Vidalia) I also have to say, it is very frustrating.

Vidalia is more than just world map. It gives a much better control over functionality of every thing. Which the little button in Firefox does not.

I think it should have stayed until a better alternative with "ALL" same functions is made, instead of first removing it and then pointing to an FAQ for getting it back. A bit of a round about way to do it.

That being said all future bundles should still be compatible with Vidalia (standalone) and support control through it. Also keep Vidalia around for it.

As for start up times. You can just start browser as is in 3.5 and then automatically start Vidalia after Firefox has started. Instead of users doing it manually. That way you get both speed for main browser connection and graphic controller. And you dont have to change much for it to work.
Also may be add it to the main bundle package for download so people don't have to go around looking for answers.

I'd like to keep the Vidalia workaround working for as long as we can, yes.

The main rush here was getting something with FF24 working and out, because FF17 is no longer maintained. And our FF24 work didn't include getting Vidalia working with it.

One of the other big reasons for switching to Tor Launcher is that it will make secure updates much much easier (since it's only a browser and Firefox already has a way to do updates).

I'm not really excited to put Vidalia back into TBB3.5 by default -- maybe you have figured out all the things not to click because they are broken in confusing ways, but all the folks who think they can edit the torrc graphically (you can't, it's mostly broken) or set up a hidden service graphically (also broken), etc? There are a lot of Vidalia haters out there too, and for a good reason since it's been unmaintained for years now.

[...] all the folks who think they can edit the torrc graphically (you can't, it's mostly broken) [...]

Other things being harder, yes, you can edit torrc in Vidalia. Have been doing it until now... Working around that Vidalia torrc editor's "Save" bug is easy: simply remove the commented lines in torrc (those starting with the # symbol) before saving it.

Anonymous

December 21, 2013

Permalink

'kay Mike Perry and ama

Yeah, I'm that non-techie type from above.

Y''all kindly put me onna right track by pointing out that Javascript was now controlled by NoScript and that disabling Java is also a good idea.

And the test drive was an enormous success! Thank you...

Vidalia had, imho, many interesting features to play with but I ain't gonna miss it.

I'm still using XP and thus also IE8. To me, TBB 3.5 is now more like IE8 than it eva was before. Once installed one can now forget about it.

I'm sorry to see these youngers resist change so vehemently - they'll soon grow out of it and become more flexible in their ways as they start getting older and more mature. LOL

Seasonal blessing to you and all yer cronies. Thanks for the efforts to keep us safe - we are all very grateful even though we like to complain a lot.... more LOL

Great, thanks!

One question though -- I hope "Once installed one can now forget about it" doesn't mean that you're using it wrong, e.g. running your IE and thinking that you're using Tor? :)

@ arma
LOL .

I use IE8 without Java or Javascript enabled. I stuffed my "hosts" file" with verboten cookie urls. I also use the IE8 "InPrivate" nonsense only from force of habit. No add-ons or accelerators permitted. Google "basic" used as search engine. No "flash" nonsense either.

TBB3.5 loads, for me, in a wink - as does IE8. I can access all my favourite sites even with NoScript activated. Using Duck whatever as a search engine. My isp can now only verify the time and length of my browsing sessions.

Although I live in a third world community where internet speeds and bandwidth are reckoned in kb/sec I get a more robust and constant download speed with TBB3.5. Let's see if this persists?

Mozilla is, for me, unnecessarily complex and too many bells and whistles.

What's more to want - y'all provided me with the best seasonal present for 2014. Heaps of gratitudes...

But like I say - 'parently the youth are too hidebound in their choices and werry resistant to change - double LOL.

Y'all at Tor enjoy the break, hear!

Return refreshed for the 2014 fray. Who be knowing what surprises to expect next...

Anonymous

December 21, 2013

Permalink

What about relay configuration in 3.5? How to set up a relay in absence of Vidalia? I actually have no clue how to do it on Windows right now! I've always done it the easy way, graphically that is, thanks to the manual on site ( https://www.torproject.org/docs/tor-doc-relay.html.en ). In fact, the Tor browser sends me right there ( ->"Run a Tor Relay Node" ), even though this is still targeting the previous version(s), cum Vidalia. But now it won't be of much help anymore, or am I missing something? Is standalone Vidalia the only option left or is there some achievable way to set it up manually on Windows too? At least the website doesn't mention, it only describes how to do it on Linux. :-(

Thanks!

Anonymous

December 21, 2013

Permalink

downloaded the latest build of Tor Browser Bundle 3.5 to this update, I used the same assembly and organized output node network. I do not see in the assembly Vidalia, how do I turn on the relay? OS Linux mint

Anonymous

December 22, 2013

Permalink

Thank you for all the fine work that you all do at torproject !

All of us users owe all of you developers/volunteers/etc a great deal of gratitude and I guess a great deal more seeing as we get to use this liberty safeguarding software for absolutely free...

I have a question.

Do the instructions provided by torproject for setting up torchat with linux still apply now that V 3.5 is out ? (which were almost impossible to follow BTW)

If not, can someone update the tutorial on how to set it up please ?

And just how dangerous (ball park, I know you cannot be specific) would it be to use TC with the older version of tor installed via apt get seeing as TC is end to end encrypted as apposed to using exit nodes ?

Thx

I'm afraid there are no instructions provided by torproject for setting up torchat -- in fact, none of the Tor people wrote or evaluated Torchat. Sorry for the confusion from the name. As to how dangerous it is to use, even with the new Tor... who knows? Somebody should do a security audit of its design and code.

Anonymous

December 22, 2013

Permalink

Creating a new identity stops running downloads. The older version kept downloading processes and provided a new identity as well. Will this feature come back?

Anonymous

December 22, 2013

Permalink

Roger, you're a kind soul for answering so many questions patiently and respectfully. Something for the rest of us to aspire to, especially during the holiday season :-)

It's also kind of amazing how many people appear to have scrolled past various comments/questions on this post, only to ask basically the same question or make the same comment...

Anonymous

December 22, 2013

Permalink

help needed: downloaded tor 3.5. for osx. it starts fine, seems to connect to tor network ( 8 serves show up as being contacted in little snitch) but does NOT connect to any website. means: no websurfing at all. previous tor bundles with vidalia never had any problems at all on same osx installation.

where to start here ? no vidalia log that could indicate and provide info which could be posted here for guidance. guidance appreciated.

There's the 'copy Tor log to clipboard' option, and then you can paste it into a file or notepad or whatever you like and read it and see if there are any hints.

My first thought is to wonder if you're running some sort of security or anti-virus or something program that prevents some part of Tor Browser from talking to itself.

i am running "little snitch" but have set rules to allow enabled TOR 3.5. to make in and outgoing connection without restrictions.

also running sophos anti-virus for mac

in osx firewall had TOR 3.5 entered with permission to incoming and outgoing connections

the above security programs are running since long time. they never obstructed any previous tor version , so why should they now ?

littl snitch shows tor connecting to some servers on start-up m but then no further broweser request to connect to the world wide web show any change in little snitch TOR 3.5 connection window. cant even connect to tor pages or use startpage serach from TOR start window.

TOR 3.5 log shows "time out" with any of the failed url connection attempts , no further comments in the log

no idea whats going on here ( or better whats NOT going on here)

Little different, but same problem here. Sophos seems to be blocking TB. I tried back and forth and when you switch off Sophos (which is not really an option) TB goes through. Have not yet found any workaround...
C.

I am having the exact same problem. If I turn Little Snitch OFF, Tor works. But I need to keep Little Snitch running. I never had problems before running Tor while Little Snitch was active. Hopefully someone has the answer - or someone can tell me where I can find previous versions of Tor.

Fixed! Just double check you rules "affecting" LS Agent. You can turn off outgoing connections - you will get windows asking permission for Tor to connect, allow it to do so. Other apps / processes will NOT automatically be allowed to connect to anything etc, you will be asked and simply deny. A bit of a hassle but it works fine, especially if you're not running a bunch of other apps in the bg.

sophos antivirus for mac appears to be the culprit here. switching it OFF made TOR 3.5. work at least with tor websites. sophos anti virus has several scanners, one called "web protection" the other download protection and what the call "on-acces" scan.

not sure which one is the tor-block as switching them off appears to have a delay.

so, why and how to have virus protection and still run TOR ?

interesting enough, sophos anti virus did NOT obstruct any previous tor editions.

You are right. The recent (free)) version of Sophos (9.0.6) has "Web Protection" switched on by default. But both have to be switched off in order to work with TB. I tried all other combinations. My other, previous version (8.02.1) on my macbook works perfectly with sophos because it lacks "Web Protection". Contacted Sophos-Support...
C.

Ditto - this is a new problem - Sophos on-access scanning can be left running but both the "malicious websites" AND the "malicious downloads" blockers in Sophos Anti-Virus>Preferences>Web Protection>General must be toggled off for TBB 3.5 to run on Mavericks 10.9.1

Anonymous

December 22, 2013

Permalink

Can someone please answer the following question regarding the upgrade to a new Firefox version in TBB 3.5. ?

Looking at this vulnerability located here:
https://www.mozilla.org/security/announce/2013/mfsa2013-116.html

and which is linked to from here:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…

The 'brief description' given reads:

"Description
Google security researcher Michal Zalewski reported issues with JPEG format image processing with Start Of Scan (SOS) and Define Huffman Table (DHT) markers in the libjpeg library. This could allow for the possible reading of arbitrary memory content as well as cross-domain image theft. "

There is a link to the full details at the URL I pasted above.

.....does this vulnerability description convey what I think it does ?

I.E. that a suitably crafted .JPG file could read arbitrary memory locations including encryption keys in RAM ?

Holy cow !!

Holy cow indeed. Every Firefox update includes fixes for issues like this. :(

All the more reason for you to stay up-to-date with your TBB's -- and for us to get TBB's secure updater working.

As a non-programmer it strikes me that that their appears to be a preponderance of incompetent and/or malicious computer programmers out there for it to end up being the case that such blatantly dangerous exploits exist in the code for the most fundamental WWW features like simple .JPG renderers that have been available for security review/hardening for literally decades.

The programming community should be ashamed and lift their game and professional standards and root out the vast numbers of incompetents among them that seem to exist.

There is no excuse for this level of utter uselessness, it would not be tolerated in any other industry even if it did occur and in any case it doesn't occur in other industries to any great extent.

You don't see mechanical or civil engineers designing bridges or buildings with such fundamental design floors that undermine them such that they collapse or sway and snap or other such critical faults.

They need to be held accountable for such pathetic trade-craft and much, much higher standards need to be implemented and strictly adhered to or we will continue to have an insecure internet and therefore consumers cannot have confidence and ultimately e-commerce is restricted.

Grrrrr this preventable madness makes me furious !

The other industries you mention produce much smaller systems.

Things like Firefox are enormously complex compared to a bridge or even a building.

I guess a better comparison might be to our financial system, which has sure grown its share of complexity (and security bugs).

Anyway, this one is pretty far off-topic by now. Suffice to say that they're not idiots, and making large computing systems safe actually is hard to do right even for smart people. But that said, I think it would be fair to say that maybe Mozilla hasn't been putting their energy into the direction that would produce the most benefit security-wise.

Anonymous

December 22, 2013

Permalink

Downloaded 3.5. (windows) installed. run. connect.

"Congratualtions you are using Tor"

but no connectivity. cannot navigate to any site.

previously this was instal and play - now what?

Anonymous

December 22, 2013

Permalink

This Cloudflare blocking is getting ridiculous. 99% of Tor exit nodes have been blocked for at least four days out of the week and continuing. What can the Tor community do about this? Would Tor ever consider switching to a design that tries to hide exit node IPs? Websites just get more and more hostile to Tor.

Hiding exit IPs doesn't seem like a workable strategy.

I think the right answer is that we need to grow an outreach campaign to a) teach websites why it's valuable to hear from Tor users, and b) teach them how to handle abuse issues better at the application level rather than at the "well just block bad IPs and hope that's good enough" level.

This issue is indeed growing in importance, but there aren't enough core Tor people to work on it. Please help!

1. New relays would be seeded into being either an exit relay or entry node (to start) according to their preference.

2. Only after a long period of trust would entry nodes move up to being middle nodes.

3. Middle nodes would only be allowed to connect to a small subset of exit nodes so that compromising them won't compromise all exit nodes. Users would use middle guards instead of entry guards.

4. The exit node's IP plus other random IPs will be censored out of all traffic returning along a circuit ending with it.

5. zk-SNARKS* (http://eprint.iacr.org/2013/507) will be used to guarantee that your SSL traffic isn't modified beyond that.

6. Clients will be restricted to using a limited number of exit nodes via proof-of-work or some other proof-of-something to prevent them from harvesting exit node IPs using websites that they run.

Then you have somewhat hidden proxies. Genius, or crazy?

*I know that most of this post is crazy but I've wondered about this part. If you can use cryptography to prove that somebody has executed a program in particular way via a zero-knowledge proof (without them learning the inputs) then can't you use it to prove that a node has routed your traffic correctly without knowing what it is? Wouldn't this make mix networks obsolete and make single-hop connections safe? It could be the next step in anonymous communications. I know Tor has cryptographic geniuses on hand so I thought I'd bring it up.

Anonymous

December 22, 2013

Permalink

If I'm a Mac OX X user and I have the Tor Browser Bundle 3.5 running, does that mean I'm running a relay, or do I need to do something special to run a relay?

Anonymous

December 22, 2013

Permalink

Anyone else finding the TBB (3.5) just doesn't work? Windows 32bit version on a win7 64bit machine. Running from USB installation. Start up but that's it. Can't even find torproject.

Check prefs No Polipo - do I need it? Thought the TBB put an end to all that.

Or is TOR itself in difficulties today?

Anonymous

December 22, 2013

Permalink

um. Tor Browser Bundle doesn't (browse). dl'd today 3.5 and tor starts (checked firewall and is allowed) but no browsing. No sites available.

Anonymous

December 22, 2013

Permalink

The old version stopped browsing onion sites a few hours ago. I upgraded to 3.5 and can browse everything but onion.

Anonymous

December 23, 2013

Permalink

Serious leak in TBB 3.5 FINAL

    Relevant info:

Microsoft Windows 64bit
OpenVPN client 2.3.2-I003 64bit
tor-browser-2.3.25-15_en-US.exe
torbrowser-install-3.5_en-US.exe

    Scenario #1

I launched OpenVPN and connected to my VPN service provider via either TCP or UDP protocol. Next I launched Start Tor Browser.exe of tor-browser-2.3.25-15_en-US.exe

I surfed to some websites and launched a command prompt with admin privilege. In the command prompt window, I typed netstat -bn

Both openvpn.exe and openvpn-gui.exe showed 127.0.0.1:port number for both local address and foreign address

    Scenario #2

Same procedures as in Scenario #1 above except that I launched Start Tor Browser.exe of torbrowser-install-3.5_en-US.exe

Local address for both openvpn.exe and openvpn-gui.exe showed 127.0.0.1
However the foreign address for both of them showed 49.59.199.107

To Tor developers: Please fix the leak in TBB 3.5 FINAL as soon as possible to prevent NSA's hacks. Thanks.

I'm confused. Is this a bug report on your openvpn configuration, where you were hoping it would capture outgoing TCP streams but it didn't capture all of them?

49.59.199.107 looks like it's in Korea. I don't think it's a Tor relay of any sort. Perhaps it's where your OpenVPN was connected to? That case also doesn't sound like a Tor bug though.