Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download it here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy

You wrote: I'm confused. Is this a bug report on your openvpn configuration, where you were hoping it would capture outgoing TCP streams but it didn't capture all of them?

No, my above feedback is not a bug report on my OpenVPN configuration. On the contrary it is a feedback on the strange behavior of Tor 3.5 FINAL.

The following is what I discovered after posting my earlier feedback:

    Scenario #3

I deleted the extracted contents of Tor 3.5.
I double-clicked on torbrowser-install-3.5_en-US.exe to re-extract/re-expand its contents.
I launched OpenVPN and connected to one of the gateways given by my VPN service provider.
I double-clicked on Start Tor Browser.exe to launch Tor.
I surfed to a website.
In an elevated command prompt window, I typed netstat -bn and the results were:
local address for both openvpn.exe and openvpn-gui.exe were 127.0.0.1:port number
foreign address for both openvpn.exe and openvpn-gui.exe were 127.0.0.1: port number

Conclusion: If users wish to access Tor via OpenVPN regularly, the very first step after extracting/installing the contents of torbrowser-install-3.5_en-US.exe is to connect to their VPN gateway and only then launch their Tor browser.

Oh! So a paraphrase of the conclusion is "if you start Tor Browser Bundle before you start your VPN, then TBB's connections to the network won't go over your VPN, and if you start your VPN later it doesn't magically switch them"? Yes indeed.

But that should have been the case for earlier TBB's too.

Unless I misunderstood you?

To: arma

I would like to clarify your paraphrase:
"The very first time after extracting/installing the contents of torbrowser-install-3.5_en-US.exe, if you launch Start Tor Browser.exe before connecting to your VPN gateway, TBB's current and future connections to the internet will not go over your VPN. That is to say, the next time you first connect to your VPN gateway and then launch Start Tor Browser.exe, TBB's connections to the internet will still not go over your VPN."

The above strange behavior does not occur in TBB 2.x series, for example, tor-browser-2.3.25-15_en-US.exe.

Anonymous

December 23, 2013

I won't use it! It has very big security leaks. Tor now has support for US NSA/FBI? Looks like so! Tor is no more serious at all.

If anyone uses it: the US government can spy on you very well with this version.

Details please?

(Two can play at this game -- for example, it strikes me that this is the sort of comment that an nsa/fbi person would leave. Ha, now neither of us can refute each other.)

Anonymous

December 23, 2013

Ha ha, moderated... so you won't let users see the US government support messages. Fuck u USA!

Ah, I assume you're the same person as above.

Yes, we don't let comments go up automatically. About 95% of the comments are SEO spam or the like, so I get rid of all of those first.

I'm also basically the last Tor person willing to tolerate this hackish blog comment system, so alas new comments wait on me.

Anonymous

December 23, 2013

Is there a way, or are there plans to re-implement the ability to configure hidden services? Or is that something that is, sadly, gone forever?

Wow, you managed to make that work with Vidalia? It always turned into a disaster whenever I tried it.

The current answer is that you should edit the torrc file in TBB and add them. If you're going to set up a hidden service on your own, editing a text file is probably one of the easier steps.

That said, if somebody wrote that into Tor Launcher in a usable way (including not confusing users who don't know what a hidden service is), I bet the Tor Launcher team would take it.

Anonymous

December 23, 2013

Wow, this new torbrowser starts really fast!

Amazing work you guys! Thanks for the effort and time you put into this continuously.

One side question: Why do you not disable RC4 ciphers already? The guardianproject does this currently in the Orfox builds. One Tor project member that I know of considers RC4 as broken, so why the hesitation?

Anonymous

December 23, 2013

So confused.
I'm not too into the technical side of tor.
I don't exactly know much at all to be honest.
However, since the new update to 3.5, every time I try to run Tor it freezes on
"Connecting to Directory Server"...
If anyone knows how to fix..please reply.

Sorry to hear that. If you provide many more details, somebody might have a guess for you. (When providing details, pretend we can't read your mind. So don't leave something out because 'surely' we'll know it.)

Thanks!

What I said is literally all I know.
When I open Tor and click "Connect"
it just stays on "connecting to directory server"
I'll leave it for hours and it just stays like that.
Before the update it worked perfectly.
I don't understand.

Tor Launcher has a 'copy log to clipboard' button, which you can then paste into a text file or notepad or whatever to read. It's not as fun, but it should work (until somebody can make a better way to see Tor's logs).

Anonymous

December 23, 2013

This version is too bad, it has multiple issues:

Cloudflare blocking is annoying.

The browser restarts when having a new ID

I used to download stuff from different hosts with simultaneous downloads and when I was doing this, I was able to change my ID every time without losing the stuff. (up to 6 or 7 downloads at a time)
Goodbye to all of this!! it's awful. Now I have been receiving multiple "Wrong IP" messages when trying to download stuff.
The new ID feature seems like it's not working properly.
If you are lucky, you will be able to do one download at a time.
With the Vidalia stuff TOR was great, now it is a terrible waste of time. Now this thing is really slow and you have to re-start over and over.
The new version is a BIG step back.

The recent Cloudflare blocking isn't a function of what TBB you're running. It has to do with whether some jerk has been abusing the Tor network lately in a way that made somebody at Cloudflare decide to discard a million Tor users because of the jerk.

As for the new identity question,
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…
A workaround for you in the mean time might be to use Vidalia's new identity button. But be aware that you aren't discarding application-level data (though you weren't back when you were using Vidalia for it anyway).

DDoS actually isn't the issue:
https://www.torproject.org/docs/faq-abuse#DDoS

The issue is application-level attacks, like somebody leaving a comment saying somebody else is a jerk, or somebody accessing a URL that gives them more access to a website than the website operator intended, etc.

A lot of this type of abuse on the Internet these days is actually commercial in nature -- for example, if somebody is paying you to hype up a restaurant on yelp, you use all the resources you can to appear to be as many people as you can.

He's right, it's too much of pain in the ass. Filehosting services block IPs for certain time (one download per IP), so one should be able to get a new IP without restarting the browser.

There aren't actually that many exit relays total, especially if you look at fast ones. So "keep switching" is a pretty crappy answer in terms of load on the Tor network vs success rate.

I guess the better answer might be for these services to know what Tor is, and use Tor Bulk Exit List:
https://check.torproject.org/cgi-bin/TorBulkExitList.py
to make a list of all the Tor IPs that can reach their website, and then just lump them into one big bucket and rate limit it as they like.

Though, that approach would make it easier for a greedy Tor user to use up the quota.

The actual better answer would be to base the rate limiting mechanism on something that isn't IP addresses. A fine open research question. See
http://freehaven.net/anonbib/#oakland11-formalizing
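
The single-bucket idea from the reply above, as an added example that is not part of the original comment or any Tor Project code. It assumes the exit list is plain text with one address per line and "#" comment lines; the class names, limits and sample addresses are constructed for illustration.

```python
import ipaddress
import time

# Constructed sample: one address per line, "#" comment lines (assumed format).
# Addresses come from documentation ranges and are not real exit relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real exit data
192.0.2.10
198.51.100.7
203.0.113.25
not-an-ip
"""

def parse_exit_list(text):
    """Return the set of valid addresses, skipping comments, blanks and junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # a malformed line must not break the whole list
    return exits

class TokenBucket:
    def __init__(self, capacity, refill_per_sec, now):
        self.capacity, self.refill = capacity, refill_per_sec
        self.tokens, self.stamp = float(capacity), now

    def take(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.stamp = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Limiter:
    """Per-address buckets for ordinary clients, one shared bucket for Tor exits."""
    TOR_KEY = "tor-exits"

    def __init__(self, exits, per_ip=(2, 0.1), tor=(20, 1.0)):
        self.exits, self.per_ip, self.tor = exits, per_ip, tor
        self.buckets = {}

    def bucket_key(self, ip):
        ip = str(ipaddress.ip_address(ip))  # normalise before the set lookup
        return self.TOR_KEY if ip in self.exits else ip

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        key = self.bucket_key(ip)
        if key not in self.buckets:
            cap, rate = self.tor if key == self.TOR_KEY else self.per_ip
            self.buckets[key] = TokenBucket(cap, rate, now)
        return self.buckets[key].take(now)
```

Because every exit address maps to the same bucket, switching exits no longer resets the quota, and one heavy client can drain it for everyone else on Tor, which is the drawback the reply notes.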

HEY, Stop using/abusing the tor network to download your porno from the file locker sites like Rapidshare et al.

The tor network can hardly cope as it is with the amount of traffic compared to the number of exit nodes and here is you, using 6-7 different connections to download porn through it.

Porno consists of HUGE binary files unlike text based www pages.

If you're concerned about the legality of your porn enough to want to use tor to get it, then I suggest that you DON'T DOWNLOAD IT AT ALL !

Stop being so selfish, it is widely promoted that tor is not to be used for porno for the reasons I have stated above and I know that you have read that before and chosen to ignore it.

To the tor developers... please consider hard-wiring into the code for the exit nodes a list of IPs from the porno file-locker services and have the node refuse or close connections to those services so that selfish tor users cannot ruin the download speed for the rest of us of non porno sites.

Until a critical mass is achieved sufficient to sustain that kind of leech traffic I mean.

Anonymous

December 24, 2013

Still not a "techie" type but

I imagine y'all have had download clients of TBB 3.5 inna hundreds of thousands.

but y'all have, evidentially, only 200 -250 users with their issues reported here.

Good metrics for you - Good job, Torfellers.

Now be getting yourselves home - the family waiting anxiously for you

Yes indeed, that's a nice way of looking at it. Thanks.

Or from the pessimist's perspective, many of our users have no idea that Tor has a blog at all. :)

Once you're up in the hundreds of thousands of users, most of them don't understand the 'community' side of Tor. But hey, we do what we can.

Anonymous

December 24, 2013

I want to manually stop and start Tor network connection without closing browser. How can I do that with 3.5 bundle? Current documentation about "how to start Tor Relay Node" no longer works for 3.5.

I don't think there's an easy way.

But there *is* an easy way to tell Tor to do it (i.e. to set DisableNetwork on and off), so this is just a Tor Launcher interface question.

I bet if you or somebody figured out a good interface for a "Suspend connections to the Tor network" option, it would be easy to put in. The main barrier I see is that we're trying not to overwhelm normal users with options they won't understand.

Anonymous

December 24, 2013

With the circuit status missing, and the new version of Firefox where crucial settings are missing, it will just take a short time to hear in the news that many onion users got arrested.
Without overview and control you should definitely *not* use Tor. (!)

Anonymous

December 24, 2013

I have some questions regarding this release and I hope Arma or someone else can answer my questions :)

First things first: I'm on Windows and I always download the expert release or Tor Bundle / Tor Bundle with Pluggable Transports, or basically whichever newest Tor version is available for me to download, because I prefer to configure everything manually (that means no Vidalia, not using the Tor Browser Bundle itself, and only downloading the Bundle to get newer binaries of tor and pluggable transports to replace the old binaries).

And here are my questions:

  1. I just downloaded the new TBB3.5 (both pluggable version and non pluggable) but when I ran tor.exe there's no Console Window displayed although the tor process seems to be running fine (and to stop it I have to kill it / SIGKILL it via Task Manager). Why is that? And also, would it be bad if the process gets terminated by SIGKILL?
  2. Because there's no console window displayed, I downloaded the expert unstable release (0.24.19), and found out that version is still displaying the old console window. My question for this is: is it okay if I use the tor.exe binary from the expert unstable combined with the pluggable transports binaries from the TBB3.5 pluggable? I've been doing this for quite some time with the old releases (using the newer tor binary with older pluggable binaries) and found no problem but just wanted to make sure :)

Thanks.

1) https://trac.torproject.org/projects/tor/ticket/10297

Killing your Tor client by sigkill is fine with me.

2) You'll much prefer the 0.2.4.20 tor.exe when it comes out. But sure, feel free to mix and match Tor binaries if you like it more.

But: if you're trying to browse the web over your chimera contraption, and you think you don't need Tor Browser, make sure you've read all of
https://www.torproject.org/projects/torbrowser/design/
and
https://www.torproject.org/torbutton/en/design/

Anonymous

December 25, 2013

In reply to arma

Thanks for the quick response! And yes, I read the tor browser design a long time ago and have had it bookmarked since because it contains a lot of useful information, and implemented some of the things listed there.

And lol at the chimera contraption, you'd be surprised at what my whole setup looks like if I had to write it here, but to put it simply, it is a Frankenstein :D. The way I'm using tor in my browser (latest firefox not the esr release) at the moment is just if it detects certain keywords, sites or patterns I've designed, it'll go through tor automatically because I want some privacy :). Obviously if I wanted more anonymity I'd use TBB and run a specific Linux distro designed for this.

Anonymous

December 24, 2013

Is it just me, I can't find a way to launch the Tor Launcher..
I see the plugin in firefox but no way to launch it...

I do see it when I start firefox but where does it go after? no menu anymore to access anything??
I just have firefox...

Once you "Start Tor Browser" (or whatever it's called depending on your OS), Tor Browser includes an extension called Tor Launcher that automatically starts Tor in the background.

So assuming you have a window called 'Tor Browser', you're done.

Anonymous

December 25, 2013

Thank you, it seems to work fine, but sometimes displays the following warning:

uri.host is explosive!
(about:tor)

What does it mean?

Not easily (at present).

Your best shot might be to run WiNon or Whonix and try to get Flash working inside that. It will be quite a bit of work though.

Anonymous

December 25, 2013

Where is the dialog where you can see and manually close the circuits? I don't want to download a separate Vidalia package, this is supposed to be a BUNDLE.

Anonymous

December 25, 2013

##################################################################
# The Snowden Config
##################################################################

#Default Tor Settings
AvoidDiskWrites 1
DataDirectory .\Data\Tor
GeoIPFile .\Data\Tor\geoip
Log notice stdout
SocksListenAddress 127.0.0.1
SocksPort 9150
ControlPort 9151

##################################################################
# The PRISM surveillance program
# http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29
##################################################################
# Bypass all nodes in Prism first tier partner countries,
# also known as the Five Eyes Alliance.
#
# Also bypass some known second tier partners.
# Germany is known to be compromised, but you need to connect
# to Russia exit nodes somehow and Germany has one of the
# largest pool of relay nodes for you to hide in the crowd,
# add {de} to the list if you want to bypass Germany. But
# you'll be easily singled out because you'll end up
# connecting to your first nodes in a small country all the time.
#
##################################################################
ExcludeNodes {au},{ca},{gb},{nz},{us},{fr},{ir},{it}

##################################################################
# Only use exit nodes from Russia,
# the only place NSA don't dare to raid and put pressure on.
##################################################################
ExitNodes {ru}

Well, feel free, but here are three points of caution before you try this:

A) If your adversary thinks you're running with this configuration, then any circuits they see that have no relays in those countries are more likely to be yours (and circuits that do use a relay in those countries definitely aren't yours). So you're shrinking the set of circuits that you blend with. See also
http://freehaven.net/anonbib/#ccs2011-trust

B) If your adversary thinks you're running with this configuration, he can actively seek to control or run relays that you're willing to use. And since you've removed a big chunk of the Tor network (especially if you exclude Germany too), it's cheaper for him to become a given fraction of the remaining relays.

C) Whether this config is safe is hugely dependent on where on the Internet you start out, and where your destination is. For example, if you start in the US and exclude US relays, 1) that will be funny-looking over time, and 2) you already start out being surveilled by your adversary even if your first relay is in Poland -- how do you get to Poland but by going through the US? And it's worse than that, because many Internet links go through one of your above countries even when they're going between two relays that aren't in your excluded list. So you are both dangerously overexcluding and also not accomplishing the goal you have in mind. See also
http://freehaven.net/anonbib/#ndss13-relay-selection

(Oh, and it's a bit rude to call it the Snowden configuration unless he has in some way said that he uses it, yes?)
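
Points A and B above worked through on the posted ExcludeNodes/ExitNodes lines, as an added example that is not part of the original reply or Tor's code. The relay table and its bandwidth figures are constructed, and the model is a simplification that filters by country only and ignores Tor's real bandwidth-weighted path selection, relay flags and StrictNodes handling.

```python
import re

# Constructed relay table: (nickname, country code, bandwidth weight, is_exit).
# The numbers are invented for illustration and are not consensus data.
RELAYS = [
    ("r1", "us", 300, True), ("r2", "de", 250, True), ("r3", "fr", 120, False),
    ("r4", "nl", 150, True), ("r5", "ru", 40, True), ("r6", "ru", 20, False),
    ("r7", "se", 80, True), ("r8", "gb", 100, False), ("r9", "pl", 40, False),
]

# The two restricting lines from the configuration posted above.
TORRC = """\
ExcludeNodes {au},{ca},{gb},{nz},{us},{fr},{ir},{it}
ExitNodes {ru}
"""

def country_option(torrc, name):
    """Return the set of {cc} country codes given for a torrc option."""
    codes = set()
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            codes.update(c.lower() for c in re.findall(r"\{(\w\w)\}", parts[1]))
    return codes

def usable(relays, torrc, exits_only=False):
    """Relays the client would still consider; ExcludeNodes wins over ExitNodes."""
    excluded = country_option(torrc, "ExcludeNodes")
    exit_cc = country_option(torrc, "ExitNodes")
    out = []
    for nick, cc, bw, is_exit in relays:
        if cc in excluded:
            continue
        if exits_only and (not is_exit or (exit_cc and cc not in exit_cc)):
            continue
        out.append((nick, cc, bw, is_exit))
    return out

def bandwidth(relays):
    return sum(r[2] for r in relays)

def adversary_cost(honest_bw, fraction):
    """Bandwidth an adversary must add to hold `fraction` of the resulting pool."""
    return honest_bw * fraction / (1 - fraction)

if __name__ == "__main__":
    for label, rc in (("default", ""), ("posted config", TORRC)):
        exits = bandwidth(usable(RELAYS, rc, exits_only=True))
        print(label, "all:", bandwidth(usable(RELAYS, rc)), "exits:", exits,
              "cost for 20% of exits:", round(adversary_cost(exits, 0.2), 1))
```

In this constructed table the exit pool drops from 820 to 40 units of bandwidth, so the bandwidth needed to hold 20% of the exits the client will accept falls from 205 to 10.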

That may be true, but the fact is if NSA is already monitoring all the border traffic of partner countries, then connecting to these countries is a dead give away.

As long as they have access to the border routers and undersea cables, knowing which IP connected to which IP at which millisecond, they can easily analyze which one is the first source IP, which is your IP.

When they own the whole system, bypassing those countries is the lesser of two evils.

Are you sure the NSA perfectly monitors those six countries, and doesn't monitor the others at all? That seems like a really funny-shaped assumption -- especially with stories about collaboration with Sweden over their FRA law, the Germany concerns raised above... you name a country, I bet there's a plausible discussion somewhere of the NSA trading data with them. (And even if you name Russia, I'll name Sweden as one of their major upstreams.) This centralization of the Internet is bad news.

The point is you need to ensure there is at least 1 node in a country that is out of NSA's reach, and the default configuration doesn't do that.

New document shows the NSA is recording all encrypted deep sea cable traffic for at least 15 years. That means they have the ability to replay the entire data stream.

Forcing the first node to be Russia might work:

EntryNodes {ru}