Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encouraged to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, it will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213: Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)
PETER

December 27, 2013

You tor folks keep releasing new versions of tor, now like what 2.5+, and I wonder, why does tor still use 1024-bit encryption? Why right at the edge of insecurity, or is it per the request of the NSA? Or perhaps GCHQ?

Because crypto migration is hard when you have a lot of users and not enough developers.

See:
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/216-ntor…

https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/220-ecc-…

https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xx…

including the discussions about these proposals on the tor-dev mailing list:
https://www.torproject.org/docs/documentation#MailingLists

Help us evaluate whether they're the right way forward!

"Because crypto migration is hard when you have a lot of users and not enough developers."

Would not a more accurate statement be something to the effect of,

"Crypto migration is never easy. All the more so when, such as in our case, you have many users but few developers."

?

Oh, I should also add for clarity that nearly all of our 1024-bit encryption is gone -- see the first two 'major features' sections of
https://lists.torproject.org/pipermail/tor-announce/2013-December/00009…

But it isn't all gone -- relay identity keys and hidden service identity keys are among the big issues that remain. But relay onion keys are switched over already, and they're the most critical part imo.

PETER

December 30, 2013

Hello,

I am a screen reader user. Firefox 24.2 usually works with any screen reading software, but I don't understand why this is not the case in Tor Browser Bundle 3.5. With the version before, there weren't any troubles.
Thanks for your answer,
Jane

PETER

January 02, 2014

@arma, Holy moly I am so impressed at how patiently, persistently, and well you're answering everyone's questions. It makes me crazy when people feel so entitled. I wish I could be more zen about it like you :-)

PETER

January 24, 2014

To the Tor team

I know I don't have to blow your trumpet because you know the value you are adding to a transparent decentralised web. I have only one request for you to consider and that is how you release versions. The size of the Firefox team versus your team may be completely out of proportion and will keep you guys busy rewriting the wheel unnecessarily whilst trying to stay abreast of the illusive upgrade cycle of the world wide web. If we keep going at the rate we are now, Firefox may be at version 100.0 in the next ten years. I find that very wasteful in purpose and execution since most browsers today do pretty much what they are meant to, bar for running webgl and flash in tor, but no-one thinks of trimming the fluff down and "robustifying" a persistent browser. What if we had a tor browser package that focussed on hardening one specific version until that one single browser package became impenetrable? What if that one version was robust enough to last for five years until the next bullet proof version? Anyway these are comments worth thinking about in an age of overly excessive releases of new versions of every kind of software under the sun.

What I ask for is a package release system like f-droid. One matched package for one source bundle, in a list of most recent to oldest. The reason is that I do not like the idea of a git repo that can't roll back to a specific version I need (or if it does can someone tell me how to do it), but also it allows the releasing of matching package and source versions that can be used for better penetration testing, since the matching package/source bundle are indirect mirrors of each other (indirect since the package goes through a compiler).

Please check out f-droid and see how they release software. It is really an excellent approach to free software.

https://whyweprotest.net/community/threads/the-age-of-transparency.1161…

anon