New Tor Browser Bundles

by erinn | December 23, 2011

The Tor Browser Bundles have been updated to Firefox 9.0.1. Originally they were updated to Firefox 9 and both changelogs are listed below.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-3)

  • Update Firefox to 9.0.1

Tor Browser Bundle (2.2.35-2)

  • Update Firefox to 9.0
  • Update Torbutton to 1.4.5.1
  • Update Noscript to 2.2.4
  • New Firefox patches
    • Provide client values only to CSS Media Queries and disable several Mozilla extensions that seem fingerprintable

Comments

Please note that the comment area below has been archived.

i think this depends on choosing the most common headers (fingerprinting) versus early adoption of progressive concept.
but afaik, DNT has no enforcement, and abusers do not obey when disobeying incurs neither carrot nor stick. So Do Not Track is effectively only pr fluff.

fingerprinting is a poor argument: Tor users already stick out because exit node IPs are public and no one else is still on Firefox 5.0. Look at the adoption curve, the most common user agent will always the latest stable followed by the long term release (currently 3.6 soon to be version 10).

DNT is not just fluff. Honest players (and those that are so big that they are kept honest by their competitors, NGOs and govs) will respect it sooner or later. Sooner if more people use it. Only a reason to enable it by default.

1. NGOs often operate more openbooks, but NGOs aren't significant on the net.

2. By shame-able government, you mean Dick Cheney's government? Ayatollah Khomeini's? Hugo Chavez's? Mugabe's?

3. To profit-making decision-makers, DNT was never more than a one-time laugh. They knew better than to even TRY using DNT for false marketing.
Exhibit 1: f@cebook
As long as many fools feed f@cebook with data, f@cebook will be a juggernaut.

Either government or business (DNT misuse or non-use) would quickly smother NGOs faithful use. So quickly, that both government and business would smother NGOs imperceptibly faster.

Tor could enable DNT only if FF enables by default, but as you write, Tor users already stick out... (from other firefox visitors)
And DNT is just cruft that will disappear 'quietly' from mozilla code within a few years.
So, Tor should always disable DNT, to prevent DNT becoming a tell tale between different tbb versions when DNT disappears.

December 23, 2011

Permalink

Why Google search is not SSL enabled ? There is a search addon for it. And why there is no duckduckgo search bar?

you could edit the searchplugin xml.
change
http://www.google.
to
https://www.google.
or to
https://encrypted.google.
to avoid your edit being overwritten,be sure to
1. delete the Update lines (delete autosuggest lines also, if you dislike Suggest)
2. rename the searchname(s)
3. rename the xml file
I do all 3, but maybe only #1 is necessary.
#3 prevents you forgetfully replacing your edited xml. Firefox installer from overwrites the complete searchplugins folder (in install folder, but leaves alone searchplugins folder in your profile)

Googlebar Lite has option for https://www.google.
you could hack Googlebar for Seamonkey.
Internet Explorer search engines are in registry SearchScopes.
for Opera and K-meleon, you can easily edit search engines in prefs UI, or in editor when browser shut down.

December 23, 2011

Permalink

Bug in Firefox from 2.2.35-3 bundle.

Part of the top of firefox is not showing. The close, minimize and restore buttons area is only showing black with not buttons showing on my Windows 7 Home Premium 64bit.

December 23, 2011

Permalink

Using TOR browser bundle 2.2.35-3 in Windows Vista, I find that if I use Aurora with the 'Menu' bar unticked (ie hidden) then I only get a black box in top right of browser page where the maximise/minimise/cancel buttons normally are.

Ticking the 'Menu' bar gives access to the buttons.

This doesn't happen in the Linux version (I'm using Puppy).

Anyone else noticed this?

December 23, 2011

Permalink

I am getting a blank black square where the close/minimize buttons should be on aurora.

December 24, 2011

Permalink

Thank you very much for the updated TorButton 1.4.5.1. Am using it with Mac OS 10.6 with Firefox 9.0.1. Works very well for enabling Tor.

But there is an odd complication.

When this add-on is enabled, I can't copy images to the Desktop! That is, when I grab and drag an image to the Desktop, no image file is created there (or anywhere, as far as I can tell). Doesn't matter if Tor is enabled or not. Copying images to the desktop just doesn't work. Works just fine, as usual, when I disable the TorButton add-on.

Does anyone else see this?

Correct, this version fixed a privacy leak where if you drag images/urls from firefox to the desktop, some people noticed their systems bypassing tor and directly getting the image/url.

December 28, 2011

In reply to phobos

Permalink

That's fine, but when Tor isn't enabled (such that you've decided that you DO want to bypass Tor), it should let you drag images to the desktop. It doesn't. As I said, enabling Tor via Torbutton isn't what makes this problematical, it's simply having the Torbutton plug-in installed on the browser. While Tobutton is really very nice as a quick entry to Tor, this problem is a strong disincentive to me for keeping Torbutton installed.

I guess I have to install it every time I want to use it, or use a different browser for copying images from the desktop. I guess I could keep two versions of FF around. One with TorBrowser installed, and one not, but that really seems like an inelegant solution.

I can drag urls from tbb into text editor.
I keep a text file ready. I save the text file before using a batch file that runs wget.
these are minimum wget options

--input-file=your_textfile
--user-agent="Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
--proxy
--execute=http_proxy=127.0.0.1:8118/

i use the port 8118 so wget goes through polipo.
wasteful drawback is that if the file download is an image in web page, wget is downloading it a second time.

but I just now tried right click "save image as..", and it downloads and opens in image viewer. the only strangeness is that the download manager shows nothing downloaded.

(windows xp)

December 24, 2011

Permalink

When trying to save image files (JPG, JPEG, GIF, PNG) I continue to *intermittently* get "Warning: External application required...".

Sometimes I've gotten this warning even when merely trying to *open* such images in a new tab or window within TBB.

December 25, 2011

Permalink

HI Erinn,

I've had intermittent problems with a "Load external content" pop-up using the previous browser bundle but since installing the 2.2.35-3 browser bundle a coupla days ago I cotinually get this unwanted pop-up every time I click on "Save this link" which I've been using for the past mumblety mumble years.

Now I gotta use "Save image in new tab" which involves a lot of manual opening and closing of tabs and I fear I may inadvertently miss an important message while working this labour intensive system as my deadline approaches.

Is there a way around this pop-up please?

Cheers,
James

The prompt should allow you to 'always' allow the content launching, which in reality just brings up the native firefox save/load options.

December 28, 2011

In reply to phobos

Permalink

I "hear" you but The warning given on this pop-up - viz: "NOTE: External applications are NOT safe by default and can unmask you!" is therefore simply a device to keep your brother-in-law out of mischief and has no actual bearing on the matter? And when my organisation is "unmasked" y'all gonna explain to the judge you wern't "serious" or what?

To my mind your reponse in answer to my very serious query is dismissive and inadequate and I expect you to see it in that context please. Either a warning is meaningful or it should be dismounted.

I look forward to your full and adequate reply please...

December 28, 2011

In reply to phobos

Permalink

So then why the warning in the first place?

Isn't using "the native Firefox save/load" options safe?

December 26, 2011

Permalink

Are there any issues with using a separate, "non-Torified"/non-proxied browser (for non-sensitive browsing) simultaneously with TBB?

For example, let's say I'm browsing with TBB and I decide to look-up a neutral word or term. Since I don't need the cloak of Tor for this, I'd prefer to use a sep. browser that will use my direct Internet connection, as doing so will be much faster (and will also spare the Tor network some unnecessary extra load). Is there any risk to doing this? (Other than the obvious one of getting mixed-up and using the non-Torified browser for something I intended to use TBB for)

What about using the other browser to log-into an email, bank or merchant account tied to one's real identity?

I could see a possible risk with doing anything like this simultaneously with running Tor but I don't know enough to really have any idea just how great such a risk would be, or even if it would truly exist in the first place.

December 27, 2011

Permalink

Regarding the missing buttons in Portable Firefox (Aurora) 9.0.1 (see my previous comment), just wanted to add that I'm using Windows 7 Professional SP1. Also tried adding themes, resetting toolbars, running in safe mode, pressing F11 repeatedly etc., but nothing worked.

December 27, 2011

Permalink

You guys should really create a forum with anonymous posting allowed. Where you can post without having to register and posts have to go through approval the same way as here on the blog.

How hard can it be just get one of the open source forums and install on the torproject server. Enable SSL encryption.

It would be nice to have a bit of organized discussions about privacy, security, new tor releases....

Posts on this blog are confusing and it's very hard to see who's a tor programmer since almost everybody posts as "anonymous". Not that there's anything wrong with that but it would be more credible to get responses from a registered tor dev on a forum.

We're working on it, see https://trac.torproject.org/projects/tor/ticket/3592. The problem is generally twofold:

1. finding forum software that isn't filled with exploits
2. finding forum mods willing to pay attention to the forums to filter out spam and stop stupid conversations about conspiracy theories and alien invasions. Or at least moving the latter to topics out of the normal forums.

January 05, 2012

In reply to phobos

Permalink

what "exploits" are you talking about? Most people posting will generally be using Tor any way, so their privacy or security can't really be exploited. ALL boards have anonymous posting option usually with CAPTCHA module. Just install the board already. It should be easy to run over SSL, I'm assuming you have a dedicated IP for torproject.org along with SSL certificate. Most boards allow you to easily set up SSL.

phpBB is a good choice and it's open source.

Please install a forum already. all this posting back and forth comments on blog posts is confusing !!

I basically could ditto everything you wrote.

Just one thing, though:

"it's very hard to see who's a tor programmer since almost everybody posts as "anonymous"."

I believe that when the devs post, they always use their name. For all other posters, the default posting name of "Anonymous" does not even seem possible to change. So unless someone went to the trouble of actual hijacking the site, impersonating a dev doesn't even seem possible.

I believe you can fix this by clicking 'Remove' for your skin at 'Appearance' tab under Add-ons, and click the 'Undo' button when the removal is a success.
Restart the browser.
Works for me at Windows 7 32-bit.

December 28, 2011

Permalink

The fact that my post about the missing Forbid "web-bugs" option in this version of Noscript for this new version of TBB makes me wonder........

December 28, 2011

Permalink

Since comments are blocked in the "Thank you to our donors" post I'll comment here.

Maybe the Tor Project should focus on what it can do without more money to improve the performance of Tor, like encouraging Non-Exit Relays to be Exit Relays for at least Web and Secure Web pages. Please don't rely on the "There will be abuses" excuse because for Web pages there are few.

December 28, 2011

Permalink

I can only hope that a dev will very soon make a post here acknowledging the issue with the Aurora maximize/minimise buttons, etc. that so many posts here report.

December 29, 2011

Permalink

I have problems with graphics, like when I click the SSL encryption button next to URL it is transparent and barely visible.... Is this just a graphical problem or is there something more?? And is it a problem with the tor browser bundle or with firefox (aurora) 9.0.1?

January 01, 2012

Permalink

black square where minimize\cloze!!11 i posted that with screenshot about 3 weeks ago but message deleted

January 01, 2012

Permalink

I'm new to all this, but I am running the Tor Browser Bundle, and it works fine. The problem is that in today's world, a flash player is almost an essential item, especially if the information is on YouTube or something similar.
I read that installing software can disable your protection, and I'm sure that includes Adobe Flash player, but how badly or predictable is the damage done by installing this software? Is your anonymity totally disabled?

I don't know anything about this stuff, I can't imagine how someone can track you by running a YouTube video. I would think that Adobe is concerned about abuse using it's software, but maybe not.

January 03, 2012

Permalink

Doesnt work at all. Browser crashes. I guess People dont know who I am online because I cant be online with this torrent. NOTHING happens PLEASE FIX.

January 04, 2012

Permalink

In new firefox whole area, where is located buttons "close", "restore" and etc black colour. The Buttons simply is not seen.
I have Windows7 64 bit.

January 04, 2012

Permalink

Please forgive what is probably a stupid question but i am new to this. If you have downloaded the tor bundle, does that include the Polipo proxy or do we still need to download and configure that? Sorry for the noob question...

January 05, 2012

Permalink

Why no updates on the blog for so long? A new version has already been released, yet no information on the blog about it. Strange.

January 10, 2012

Permalink

Newer torbutton(s) protect me from myself, YUCK!!!

I can no longer rearrange (the order of) my FF browser tabs by dragging and dropping. (I can still drag, and the blue FF arrow still shows me where the tab should drop to, but it doesn't...)

older torbutton didn't screw up FF like this

January 13, 2012

Permalink

Hi,

I already asked that question in tor-talk but I hope to get a better answer here.

I'm a Linux user running TOR normally under the user debian-tor. Like
you suggested, I switched to TBB lately. That brings mi into some
trouble now as my firewall settings are based on the user debian-tor.
I'm not feeling very happy about opening the door for other
application nor running in a VM (nor boot tails).

I'm starting Firefox from the bundle that way:
./App/Firefox/firefox -no-remote -profile ./Data/profile

It seems to work without an issue.Is there any concern running it like this?

Thanks a lot for the great work!
Sam

January 14, 2012

Permalink

با درود مننون از شما. لطفاً ایمیل تان را نیز بگذارید.و مارا بیشتر راهنمائی کنید تا از شر فیلترینگ خلاص بشویم

January 16, 2012

Permalink

The windows bundle contains bookmarks for portable firefox (<--irrelevant) and news feed (<-- long known for being a privacy/fingerprinting issue)

May 29, 2012

Permalink

Can anyone tell me how to setup Tor browser Bundles to run with Xampp ?? So that i can run some scraping scripts from home ??