New Tor Browser Bundles

by erinn | November 12, 2011

The Tor Browser Bundles have been updated to Firefox 8. There was a slight delay as we adjusted to their new add-on management scheme, but everything should be working normally now. Please let us know if you have any issues!

https://www.torproject.org/download

Tor Browser Bundle (2.2.34-2)

  • Update Firefox to 8.0
  • Update Libevent to 2.0.15-stable
  • Update NoScript to 2.1.8
  • Add extensions.autoDisableScopes to allow TBB's Firefox to launch with its extensions enabled

Comments

Please note that the comment area below has been archived.

November 11, 2011

Permalink

Oddly, check.torproject.org says "There is an update available for the Tor Browser Bundle" upon opening TBB even though I'm running 2.2.34-2.

It's OK now, I downloaded 34-2 immediately after it was posted here and it seems check.torproject.org (or whatever component that does the actual check) took a few minutes to catch up, about 10 minutes after I posted that message I restarted TBB and the message was gone.

Funny, I had sort of the opposite issue: Close to a day (if not longer) after 2.2.34-3 was announced here on November 24, the previous version (2.2.34-2) was was still not telling me to update.

Hello I'd like to share your opinion about this version of Tor Browser 2.2.34-2. This version is bad. Since the script can not stand it, resets it. CAPTCHA opens with an error. No mutations both. And if they were, not significant. Previous versions were much better and more successful.

I am having the same problems with Tor 2.234.2. The previous version was much better and worked faster but I do not know about the anonymity status. Can we still use the previous version ? Suggest the previous version be made available for download too till the latest version's snags are fixed.

Yeah, I got this myself when I installed over a past installation. Do a CLEAN install every time with it and just move your bookmarks file or import it into the NEW TOR installation.

Something is messed up when upgrading a TOR Browser Bundle standalone installation by copy and pasting.

November 12, 2011

Permalink

I'm no tor expert, but upon install, this version for mac had global scripts enabled, and javascript and cookies enabled in the browser.

Same with the Linux bundle since several versions. It has been brought up before but the developers think it's a good idea. User friendly trumps secure.

Of course it's the wrong decision, especially since Firefox doesn't do sandboxing like Chrome, IE and now Safari. Every JavaScript related code execution vulnerability can be used not only to fully compromise browser sessions, saved cookies, history and passwords but your entire user account on your OS, all files and most importantly, your IP address!

The window of several days between the upstream release of security patches for Firefox and TBB releases doesn't help. Add the lack of auto updating (all you get is a warning/notice on the default homepage) and I'm sure a good portion of Tor users is vulnerable because of this decision.

NoScript white-list consisting of only https domains would be a better default and still offer a reasonable user-experience. The real solution however would be to add some level of sandboxing (be that built into the browser, the OS like MIC, Apparmor, SeLinux or seatbelt or through a 3rd party standalone application like a VM or sandboxie). This would not only protect against simple JS exploits but also vulnerabilities in the HTML or image file rendering code.

November 12, 2011

Permalink

hi
i download the last version of tor browser
but i can see flsh movie on youtube with tor
igo addon on firefox and see tor dont have flash plugin
please help me

For security reasons, Flash, Java, and other plugins are currently disabled for Tor. Plugins operate independently from Firefox and can perform activity on your computer that ruins your anonymity.

Most YouTube videos work with HTML5, and it is possible to view these videos over Tor. You need to join the HTML5 trial on the YouTube website (https://www.youtube.com/html5) before you can use the HTML5 player. Note that the browser will not remember that you joined the trial once you close it, so you will need to re-join the trial the next time you run the Tor Browser Bundle.

Youtube also serves html5 videos, no flash plugin required for that. It's built into recent browsers, including the bundled Firefox in TBB.

November 12, 2011

Permalink

I got that same pop up a few weeks ago. I contacted tor support and they seemed to think it was okay, but I was already up to date. Feels sketchy to me.

November 12, 2011

Permalink

Hello I'd like to share your opinion about this version of Tor Browser 2.2.34-2. This version is bad. Since the script can not stand it, resets it. CAPTCHA opens with an error. No mutations both. And if they were, not significant. Previous versions were much better and more successful.

November 12, 2011

Permalink

Hello I'd like to share your opinion about this version of Tor Browser 2.2.34-2. This version is bad. Since the script can not stand it, resets it. CAPTCHA opens with an error. No mutations both. And if they were, not significant. Previous versions were much better and more successful.

November 12, 2011

Permalink

Hello I'd like to share your opinion about this version of Tor Browser 2.2.34-2. This version is bad. Since the script can not stand it, resets it. CAPTCHA opens with an error. No mutations both. And if they were, not significant. Previous versions were much better and more successful.

November 12, 2011

Permalink

why won't my tor work says mine is to old 2.2.34.2 can't find any newer ones on the site

November 13, 2011

Permalink

Is there any particular reason why the do-not-track flag (Options>>Privacy>>Tracking) is disabled in the TBB Firefox config? Is there some subtle loss of anonymity when this is enabled?
.

November 13, 2011

Permalink

[off topic] Hy dudes

Did you guys heard about the Phantom software?
Do you have any comments on it?

code.google.com/p/phantom

November 14, 2011

Permalink

Same problem with above the flash player dont play :( and i have it install it in my windows i tried to uninstall it and reinstall it but the tor browser dont recognise it

November 14, 2011

Permalink

How exactly can the check.torproject.org website see what version of tor bundle you are running? That isn't exactly anonymous browsing.

November 14, 2011

Permalink

Symantec's SONAR detects "Start Tor Browser.exe" as something evil and quarantines it (started with TBB 2.2.34-1).

November 14, 2011

Permalink

I too continue to receive update notices after updating. Also when Aurora loads chrome there is always a failure when it gets to loading the cookie-jar-selector.js.

November 14, 2011

Permalink

Since using this version, favicons do no longer load/display. Is this intended or may I have misconfigured my system?

It's a problem with Firefox 8, not Tor Browser. I have the same issue with my native Firefox 8, as with Tor Browser and Aurora 8 (i.e., Tor Project version of Firefox 8).

November 16, 2011

Permalink

Why does my antivirus software (SYMANTEC) detect malware when I try to install the tor browser bundle? Did you guys put a trojan in???

Others have reported that symantec, eset, and others report that their systems tells them that the software is 'unknown' and therefore must be bad, so it asks if you want to quarantine it or not. also realize that symantec and others are recording every executable you run on your system, when it was run, and from where (ip address) to build a database of good/bad software.

November 16, 2011

Permalink

There are a lot of questions here that require answers from the developers.

Shouldn't there be an official _forum_ for such questions? Seems like that would be a far more efficient and usable medium for many of the questions and issues that (apparently due to a lack of alternative) get covered in the comments to these blog posts.

I will now reiterate and elaborate-upon some of the specific issues already mentioned by other posters above me.

(Note that I am using the *GNU/Linux* version of TBB)

- Tor Button:
The previous version of TBB had an onion icon in the navigation toolbar of the browser (Aurora). Among the options that presented upon clicking on this icon, were "Use new identity" (which unlike its counterpart in the _sys tray_ onion icon, would actually close any tabs and additional windows open as well as clear all cookies).

Is there a reason why this feature appears to have been removed in the latest version of TBB?

- JavaScript enabled by default:

I, too, find the default configuration of TBB with regard to JavaScript puzzling and even alarming. Is it not the case that JavaScript has long been known for its ability to leak a user's real IP?

Why, then, does TBB come with both JavaScript enabled _and_ NoScript set to "allow scripts globally"?

Doesn't allowing scripts globally defeat the whole purpose of NoScript?

- Favicons gone
I have also had my favicons disappear in this latest TBB

And an additional concern that I have not seen mentioned before:

Why is "sessionstore.resumefromcrash" _enabled_ by default?

I mean, doesn't this defeat the whole point of disabling history? (Which are _disabled_ by default in TBB)

I thank the developers for their continual efforts of the obviously dedicated development team and their making this product/service available to the public free-of-charge (as well as "free as in freedom").)

November 18, 2011

In reply to phobos

Permalink

Link won't load (just hangs at "connecting to ...).

Does it explain why Tor Button was removed from this version of TBB?

Why is no mention of this made here, in this announcement?

Thanks.

November 21, 2011

In reply to phobos

Permalink

As I noted in my original post, the green onion icon just to the left of the _URL bar_ is missing for me in this latest version of TBB (GNU/Linux). (Was present in the previous version)

The icon in the _taskbar_ is still there as before but it does not offer the same options. The larger green onion icon that
was next-to the URL bar had options to manage "cookie protections" (as you just pointed-out in the TAILS thread). I do not see these anywhere in the _taskbar_ onion icon. Same with the option to toggle Tor status, etc.

While the taskbar icon does have a new "Use new identity" option, it differs considerably from the same-named one that had been in the icon next to the URL bar, as I noted and described in detail in my original post.

I would appreciate if others who have tried this current version of TBB *for GNU/Linux* would reply and make it known whether what I have described has been true for them as well.

November 23, 2011

In reply to phobos

Permalink

Phobos, have you actually tried looking for the green onion icon *next to the URL BAR* in this version of TBB *for GNU/Linux*?

This icon was in the previous version but it is *NOT* in the current version. At least not for me.

At this point, I am pleading and begging for someone to respond to this and give me some idea of what gives.

(Please see my previous post for more details)

It is. I just ran the 0.2.3.34-2 TBB in ubuntu 11.10, debian 6, and fedora 32bit and 64bit virtual machines. The green onion is after the "back" and "forward" buttons, and before the noscript button.

If you don't see the back and forward buttons, then you are likely running the wrong TBB for your OS. 32-bit OSes need 32-bit TBB. 64-bit OSes need 64-bit TBB. If you try to run a 32bit TBB in 64bit OSes, specifically Ubuntu, you'll see odd things, like missing menus and the like. It seems ubuntu messed around with 32bit gtk and other libs in 64-bit systems that break TBB/firefox in odd ways.

November 29, 2011

In reply to phobos

Permalink

"I just ran the 0.2.3.34-2 TBB"

"0.2.**3**.34-2"?!

2.2.34-2 was the previous version of TBB for GNU/Linux, released back on November 11th, and the latest one, released on November 24th, is 2.2.34-3.

Unless "0.2.3.34-2" is an _alpha_ or some other _nonstandard_ release, I suspect the highlighted '3' was a typo.

In any event, it was the _previous_ version ( 2.2.34-2, November 11) in which the green onion Tor Button icon was missing from the navigation bar for me.

In the _current_ version (2.2.34-3, November 24), said icon has returned.

"If you don't see the back and forward buttons,"

I absolutely _did_ see the back and forward buttons, as well as everything else I expected to see in the navigation bar.

And I do not recall noticing anything else missing or particularly odd. (If there would have been anything as significant as the missing Tor Button icon, I would have remembered it!)

I run only the 32-bit TBB versions on a 32-bit OS (PCLinuxOS).

Perhaps you can check with your colleagues whether there have been any other reports of the Tor Button icon missing from the previous (2.2.34-2, November 11) release of TBB for GNU/Linux.

Thank you very much for replying.

November 18, 2011

Permalink

Bluescreen using update 2.2.34-2 on Win7/64
6.1.7601 Service Pack 1 Build 7601
Opening the first time Vidalia via taskbar button firefox is opening (Firefox isn't installed separately, IE9 is used) and confirm that tor is working properly. Closing the window and starting via the taskbar button 2nd time > Bluescreen!! Has anybody the same phenomenon? And found a solution?

November 18, 2011

Permalink

I couldn't figure out your bug tracker, so here I go:

== Critical bug - Bypassing Tor ==

Requests for drag-and-drop thumbnails in Tor Browser is not sent through the Tor network, but instead plain-text HTTP request.

How to reproduce:
- Download and start Tor Browser Bundle version 2.2.34-2 (current, this one)
- Start up Wireshark and start logging your network interactively
- Using the Tor Browser, visit "www.gnome.org" (or any other HTTP site)
- See Wireshark sending all traffic encrypted to various Tor nodes
- When the site have loaded, drag the big image on the site
- See Wireshark logging a DNS request for "www.gnome.org" with reply
- See Wireshark logging a HTTP HEAD request for
"/wp-content/uploads/2011/09/gnome-3.2.png" on host "www.gnome.org",
sending this directly unencrypted to the IP returned from the DNS request.

That one screwed my anonymity on another site, luckily me I had a Wireshark window open. I don't even dare thinking of all other times I accidentally dragged the image instead of clicked it ...

The one that is able to create a bug report, please give the link to it here.

November 18, 2011

Permalink

Just thought that I would inform again that the issue that I mentioned on the Windows 8 Developer Preview where you are unable to get to .onion websites (any of them) is still present.
Though, it might be because of an interaction between NIS2012 and Windows 8 Developer Preview. I believe I was able to use TOR correctly on Windows 8 without NIS2012 installed.

Took my installation to my other Windows 7 64-bit computer and it worked just fine, even for getting to .onion sites.

November 21, 2011

In reply to phobos

Permalink

Tried to put in a bug report there, it kept on telling me to 'log-in' but I have no log-in ID for that website so..... anyone care to direct me to a guide to submitting a bug report?

November 19, 2011

Permalink

hi everybody!this new version is TOO slower than 2.2.34-1!!
and please learn us how we can made our bundle package!

Your speed is dependent upon your circuit selection. If you have slow guard nodes, or just a slow circuit, then everything will be slow. The circuits are randomly selected over time.

In general, we've lost capacity in the tor network due to a few high bandwidth exit relays going offline. This has increased latency in the tor network overall. See https://metrics.torproject.org/performance.html for more details.

November 19, 2011

Permalink

>Rumors of Tor's compromise are greatly exaggerated
Posted October 24th, 2011 by phobos

>Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
can deanonymize Tor users. Everybody should upgrade.
Posted October 27th, 2011 by erinn

Oh, the irony.

http://www.ics.forth.gr/news/angelos_keromytis_lecture3.html

There are ways to fix this. Let people waste bandwidth if they want higher anonymity.

- JavaScript enabled by default in TBB. (bug or feature?)
- Three tunnels within the same country shouldn't be allowed.
- Any software signed by the Mozilla Foundation can't be trusted anymore.

Sorry, but some of us have had enough.
Phantom is the future.

To be clear, these are two completely different posts. Eric Filliol's attacks aren't so much attacks as they are lots of press. The bug fixed in 0.2.2.34 was reported to us anonymously via a very good bughunter and quietly with a suggested fix. Usually, the quieter the bug report, the more severe the bug.

Yes, javascript is enabled in tbb, but between noscript protections and torbutton integration, we feel torbrowser running javascript is fairly safe.

Current research shows that restricting via country doesn't make your circuit safer. Restricting by Autonomous System (AS) may help a bit, but not as much as you think. See http://www.cs.rpi.edu/~edmanm2/ccs159-edman.pdf, "AS-awareness in Tor path selection".

As for Mozilla, debatable.

Good luck with Phantom.

November 20, 2011

Permalink

Hi, I see a lot of people coming here and complaining like you owe them or something, so I just wanted to say thanks for creating and maintaining Tor, and I'll definitely donate when I can!

November 21, 2011

Permalink

Hi, I just want to say that yahoo mail don't let me to login with new tor browser bundle, and beside it, I tried several days and I would like to ask:
is it possible that main server at university hack my tor access in the sense that I get VERY OFTEN the same beginning IP address: 199.48.147.42 and second begin with 173....these 2 IP addresses are 70-80% my first IP address always when I start Tor.

November 23, 2011

Permalink

Hi & Hello
Where is 8118 port?
in past Tor works with http proxy (127.0.0.1:8118) but now dosn't work.
Why i need it?
cause of i use "Internet Download Manager" and Proxy set on this software must be Http Proxy, Mean IDM dosnt Sopport SOCKS Proxy.
and i can't download videos from YouTube, Please help me, mean think of this problem.

Sorry for my words, i can't speak (or write) fully English.

Thanks.

November 24, 2011

Permalink

This package doesn't have Firefox 8 as advertised, it's pre-pre-release Firefox! please update to latest stable release.

November 24, 2011

Permalink

QUOTE
==========
Hi, I see a lot of people coming here and complaining like you owe them or something, so I just wanted to say thanks for creating and maintaining Tor, and I'll definitely donate when I can!
==========

People are not complaining, they have legit questions. If you make a security product that and it has vulnerability's that can expose your anonymity, this can be an issue. It doesn't matter if this is free and donated, it is a piece of work with an very established and trusted name. If something is broke, or the developers missed something, people SHOULD question it and the developers should make that processes easy if they want their software name to be in good standing with the community.

And even more reason if they want donations. Security is not about being nice, It either works or it doesn't

December 11, 2011

Permalink

There is nothing you can do with that new tor version! There is no way to send emails, for example. I can't log in to yahoo mail anymore since tor is updated!

April 17, 2012

Permalink

After downloading the new tbb tor browser won't launch. What gives? Wrong version for my system maybe?