Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: https://people.torproject.org/~dcf/pt-bundle/3.5-pt20131217/. We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to 0.2.4.19
    • Update Tor Launcher to 0.2.4.2
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to 1.6.5.2
      • Misc: Switch update download URL back to download-easy
Anonymous

December 26, 2013

Permalink

WARNING: IP LEAKAGE
It is to inform you that when I run the decloacking test in the new version of TBB 3.5 through the site ip-score(dot)com, it leaked my address in the category "Windows Media Player". Two standalone applications are responsible for it:
(1) Internet Download manager - which loads a video file when run the decloacking test, and starts automatically when we even exit IDM.
(2) Keepass Password Manager: secondly, after deleting IDM, I checked the TBB and there was no IP leak. But when i opened the Keepass manager to log into the accounts, it leaked the IP address which I by chance tried to check through this site.

I tried Better Privacy addon and configured it to delete cookies and LSOs at the time of starting TBB, but it again leaks my IP address in some of the tests.

I am now afraid because in the last two days I have leaked a lot of sensitive docs against someone.

Anonymous

December 26, 2013

Permalink

Oh, and it's named after Snowden simply because he exposed PRISM and is now in Russia.

You don't need people's permission to name something after them. If it make sense and is easy to remember, then that's good enough for me.

People might think that he was involved in the project if it bears his name. You can't sell a Crapple iPoop and not expect to face legal consequences. It's deceptive to hawk something that bears another's name/likeness and they will make sure you cease-n-desist, pay up, or get pounded-in-the-ass by a Big man named Tiny. If Edward was (hopefully not) 'dispatched' and 'they' made it look self-inflicted or a disturbingly hilarious auto-erotic asphyxiation mishap or some other nonsense in which there was clearly outside involvement+motive+tampering of evidence, then naming something in honor of his memory would be fine. But if he didn't work on the project that bears his name, then people might think he did when he didn't.

We're not talking about dictionary definitions here, I don't think you really understand how naming things in the real world works.

Anonymous

December 26, 2013

Permalink

Why do i have to instal something with the new 3.5 tor browser bundle ? Is'nt the whole principle of this bundle being instalation free ?

Anonymous

December 26, 2013

Permalink

This is the most stupid move I've ever seen.
No control, no JS button in FF (about:config hidden)
People will try to hack and get caught, FAQ reports you are working on.... just blabla

Too early, just plain nonsense and CRAP
are you working for NSA ?

Rantlingtruth

Anonymous

December 26, 2013

Permalink

I finally upgraded, and at first, the start-screen & what I am assuming was TorLauncher appeared to be phishy when I first launched the new build; I felt even more uneasy when I didn't see Vidalia in my tray. As you have stated, it had numerous holes since it was unmaintained, so I can't defend it, since I honestly don't know much about it. But since I've gotten used to it over the years, the sudden disappearance was a bit shocking. I (at least I think) was able to hook up Vidalia from an earlier build to the new TBB, but I don't feel secure, mainly because I used to be able to select 'Stop Tor' from Vidalia's context menu and then exit. Now, when I try that, there are still open TCP connections from the new thingamajig( TorLauncher?). Also, I'd have to assume selecting New Identity from the Vidalia context menu (not TorButton's located in the Browser) probably won't work the same either. I'm not complaining about the lack of Vidalia in this new version, I'm just a bit confused since I was so used to it being there. Thank you for any support you can offer. The things that I use Tor for are rarely, if ever malicious, and quite often actually benign, but that doesn't mean I don't value my privacy. Also, I was wondering if others were having issues with CloudFlare/Goog? blocking them from access to a large number of sites. It's been happening more often the past few months and is becoming increasingly annoying.

The new way to close TBB is to close the browser. Then everything else will shut down (except Vidalia, if you launched it separately -- you'd need to close that yourself).

The 'new identity' button in Vidalia does what it did before -- it expires currently-used circuits so new streams won't get attached to them. The 'new identity' button in TorBrowserButton does what it did before too -- it expires circuits as above, but it also throws out your browser-level state so websites can't link old-you to new-you. But see https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#… for what might be a surprise.

And yes, Cloudflare and google have been increasingly blocking Tor exits lately. Anybody have a contact at Cloudflare who can help us get started explaining what they're missing out on?

Anonymous

December 27, 2013

Permalink

Hi torproject!

WHY DID YOU STOP PACKAGING SELF-EXTRACTING ARCHIVES 7ZIP (FOR WIN)?

WTF???!!!

YOUR EXE-INSTALLER LOOKS SUSPICIOUS!

Anonymous

December 27, 2013

Permalink

I am no longer able to use bridges with TBB 3.5. As soon as I insert a few bridges TBB simply stops functioning. When I quit TBB and relaunch it, it bootstraps only to 5% only and gets stuck there. As soon as I remove the bridges it works again!

Thank you for your advice. The log shows quite a few 'warnings' with failed connection. Most of the bridges were obtained via gmail. With the previous TBB even if a few bridges failed (sometimes up to 11!) TBB still worked and I could continue using it. With this version of TBB this is not possible. Currently I have 17 bridges. Not all of them failed but I got the warning 'Tor Network unreachable' and was stuck there.

I am a novice user. My system: Macosx 10.9.

Anonymous

December 27, 2013

Permalink

I've been using 3.5 overnight and had no issues until this morning. I didn't change any settings in between last night when it was working fine and this morning, but now some sites don't seem to be loading properly. Only some text is visible, no background, no images or anything. Just partial text. Usually this happens, now and sometimes it doesn't. I also had something happen in TBB that I've never seen on FF. Usually when I select view image, a zoom icon ('+' '-') lets me do just that. Now, a cursor or arrows(stretch/size) appear. It also

I tried to re-install but nothing changed. I was wondering if un-installing Tor works differently with the new build?

same poster here; I didn't get an answer yet and I would like to know how to un-install 3.5 so I could re-install it.I wasn't sure if deleting it like the old bundle would be sufficient since there are .dll and other files I thought might still be hanging around.

Uninstalling should just be deleting the directory -- it's meant to be standalone so there should be nothing outside the directory. (I guess in Windows-land these are still called folders? :)

Anonymous

December 27, 2013

Permalink

While I understand the practical reasons for TorButton 'Refreshing' the Browser when selecting 'New Identity', is there any way to have a Vidalia-like option which doesn't clear all tabs in addition to how TorButton currently handles the 'New Identity' command?I'm not suggesting Vidalia was safer, as you've clearly stated that it wasn't, but sometimes I have important text that I don't want to lose, and Vidalia would make subsequent connections appear as new without clearing everything if I didn't need it to, like TorButton does.
Thank You.

Anonymous

December 28, 2013

Permalink

Wow great work Tor developers!! tbb is blazing fast starting up now (in gnu/linux at least). I know many are complaining about vidalia and it is true it was informative but thanks to the fast start I almost don't use firefox anymore :)

The only times i still use it is to get torrents from pirate bay as tbb doesn't support magnet linking into transmission. Is there any plans to support magnet links in the future? I'll be moving to the UK in the future and considering pirate bay is blocked there and I wont use shady proxies i'm left with pirate browser :X

Anonymous

December 28, 2013

Permalink

On Windows, is it possible to have TBB's Window always open up maximised, or remember the window position and size between runs? Thanks.

Anonymous

December 29, 2013

Permalink

Let's say I'm retrieving a resource over Tor. Let's then say my browser crashes while doing so, closing my connections to my entry guards and the exit node's connection to whatever I was retrieving at the same time. Let's then say that I immediately reopen Tor Browser, reconnecting to Tor, and immediately reconnect to the resource I was browsing. What are the timing correlation implications of this and other situations involving browser crashes?

Anonymous

December 30, 2013

Permalink

Cannot access LycosMail;

"The page isn't redirecting properly

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

"This problem can sometimes be caused by disabling or refusing to accept cookies".

http://www.mail.lycos.com/service/login?login_domain=lycos.com&availScr…

Is the anti-screen resolution fingerprinting mods breaking some websites?

Anonymous

December 31, 2013

In reply to by Anonymous (not verified)

Permalink

Tried accessing LycosMail using TBB [Tor v0.2.3.25 (git-17c24b3118224d65)]. with FireFox ESR 17.0.11.

No Problem.

I believe the problem lies with release 3.5 .

I guess I will have to continue to use the old version for some sites.

Anonymous

January 14, 2014

In reply to by Anonymous (not verified)

Permalink

Tied changing the privacy settings from "Do not tell sites anything about my tracking preferences" to "Tell sites I do not want to be tracked". Lycos still doesn't work.

Also tried "Tell sites that I do want to be tracked". Lycos still doesn't work.

Anonymous

December 30, 2013

Permalink

See http://www.csoonline.com/article/744697/report-accuses-bt-of-supplying-…

"[...] a secondary hidden network and IP address is assigned to a BT user's modem, which enables the attacker (in this case the NSA or GCHQ) direct access to their modem, and the systems on their LAN from the Internet.
[...] The authors also warn of Tor User/Content discovery via LAN packet fingerprinting.

"The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known. All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker, in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end. This is not something the Tor project can fix," the paper explained.

To combat this, the paper recommends that Tor hidden services drop all traffic from un-trusted Tor nodes, so that clients running in the simulated Tor network will fail to connect to their destination."

Anonymous

December 31, 2013

Permalink

I just want to add another voice to the VERY MANY already saying....it is fucking retarded to remove vidalia, lots of people want to be able to just start vidalia to run other programs through the Tor network AND THEN start the browser bundle for browsing onion sites...please stop the process of going full retard...

Anonymous

December 31, 2013

Permalink

Hello Torproject
Secunia PSI shows a program " Python " which needs a less critical update.
do I have to update it to version 2.7.6 manually? or I have to wait for new version of tor pluggable transports?
OS : Windows XP

Anonymous

December 31, 2013

Permalink

the Vidalia bundles are broken, and cant find the exe, the error says

Anonymous

December 31, 2013

Permalink

Trying to run a standalone Vidalia with this new TBB not only didn't work but messed up Tor Browser's settings and forced a reinstall. What a debacle

Anonymous

January 01, 2014

Permalink

What!?
No Vidalia!? How can I watch my traffic through Vidalia's Network Map?
Javascript already on!? WTF! Tor gives less anomity than before!

All I just need is a Tor and Vidalia. I already have my own latest firefox build, so I don' t need a poor bbrowser.
http://chacha.d.estiva.org/blog.php

Anonymous

January 01, 2014

Permalink

Fuck this build. Give my huge donation back.

Just give me back my Vidalia. Vidalia AND Tor. Nothing else.
I don't need your shit broswer. Seriously.

Anonymous

January 01, 2014

Permalink

Isn't screen size basically a foolproof way to fingerprint Tor users individually? Why doesn't Tor Browser always simply report a particular standard size?

Anonymous

January 01, 2014

Permalink

I don't have any complaints about this new build, but I was wondering how we should uninstall it should an update be released in the near future? Is it the same as before, just delete the folder we extracted into?

Anonymous

January 02, 2014

Permalink

after updating my tor to 3.5 I cant get connected to the tor network can anyone help me