New Tor Browser Bundles with Firefox 17.0.10esr

by erinn | November 1, 2013

Firefox 17.0.10esr has been released with several security fixes and all of the Tor Browser Bundles have been updated. All users are encouraged to upgrade.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-14)

  • Update Firefox to 17.0.10esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
  • Update LibPNG to 1.6.6
  • Update NoScript to 2.6.8.4
  • Update HTTPS-Everywhere to 3.4.2
  • Firefox patch changes:
    • Hide infobar for missing plugins. (closes: #9012)
    • Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
    • Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
    • Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
    • Remove polipo and privoxy from the banned ports list. (closes: #3661)
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent

Tor Browser Bundle (2.4.17-rc-1)

  • Update Firefox to 17.0.10esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
  • Update LibPNG to 1.6.6
  • Update NoScript to 2.6.8.4
  • Downgrade HTTPS-Everywhere to 3.4.2 in preparation for this becoming the stable bundle
  • Firefox patch changes:
    • Hide infobar for missing plugins. (closes: #9012)
    • Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
    • Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
    • Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
    • Remove polipo and privoxy from the banned ports list. (closes: #3661)
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent

Comments

Please note that the comment area below has been archived.

November 01, 2013

In the message log for the OSX version of TBB 2.4, I see a lot of these entries:

Error setting SO_REUSEADDR flag: Invalid argument

This occurs in both the 32- and 64-bit versions. Next to zero activity in the bandwidth graph. No problems with 2.3 which shows a lot of activity in the bandwidth graph (20Mbps in both directions almost continually). Operating an exit node.

Problem existed in Mountain Lion. Problem remained after a format/install of Mavericks.

November 01, 2013

The requested URL /dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.4.17-rc-1-dev-en-US.tar.gz was not found on this server.

November 01, 2013

Download link for Tor Browser Bundle 2.4.17-rc-1 for Windows is broken.

November 01, 2013

Could someone please help me, I'm new to this and I'm not sure how to go through the update process... it seems like I have to download the bundle all over again, extract it, and then are there 2 copies on my computer? I'm confused on how to do this. Please advise as to how to email or ask someone for help on this. Thank you kindly! *S.

Yep -- the safest and simplest approach is just to download the new one, and delete the old one. If you want to get more complex you can export stuff like bookmarks from the old one and import them into the new one. It depends how much you customize your TBB vs just use it.

In the glorious future we'll have a variant of the Firefox updater able to do this for you, in place without losing changes you make.

As for where to get help, you might like
https://www.torproject.org/about/contact#support

November 02, 2013

Are the fixes/updates in Tor Browser Bundle (2.3.25-14) already present in Tails 0.21?

Tails 0.21 was released just a few days ago on October 29, 2013 and version 0.22 will only be out on December 11.

We users hope there IS communication, co-ordination and teamwork between the people working on Tor and those working on Tails.

November 02, 2013

are you guys moving to ESR 24.1 in the next beta? Please let it be so. Many addons are dropping older FF versions and won't work.

November 02, 2013

In reply to arma

Thanks a lot for your efforts. Is the delay due to a lack of resources? Do you need more donations?

Do we need more donations? Yes, undirected donations are really great because they give us the flexibility to work on the things that most need attention now, rather than the things we convinced a funder a year ago that we should work on.

In this case, the delay is due both to lack of enough of the right developers and also lack of funding. We're in the process of trying to fix the latter issue, which will in turn let us fix the former issue. Help would be greatly appreciated.

That said, we're likely to wait until nearly the last minute to switch from one ESR to the next anyway, since it gives everybody the most time to discover issues in the new ESR.

are you guys moving to ESR 24.1 in the next beta? Please let it be so. Many addons are dropping older FF versions and won't work.

Are these "many addons" safe to use, I mean, do they break anonymity?

IMHO addons are of secondary importance if they do NOT enhance anonymity.

We use TBB and Tails because they provide anonymity, not the latest gizmos.

Browser add-ons that may improve anonymity:
has anyone tried Self-Destructing Cookies?

It zaps the cookies and LSO right after you finish visiting a site, close its tab and open a new tab; also can clear the browser's cache on timer.
Needed when you can't switch the Identity or restart the browser right away - normally in this case one would have to remember to clear the cookies manually or drag them along the rest of the browser session, neither of which is optimal. Such auto-protection would be just great to have in Tor Browser.

Released under GNU GPL2 license; requires minimum FF version 21 (I think), so it doesn't run on v.17 ESR.
BTW, I'm not related to its dev in any way - was just looking for the automatic cookie deletion within the same browser session.
If anyone has experience auditing the code and using the network sniffers, I'd appreciate checking this add-on for any privacy leaks.

I was using "Self-Destructing Cookies" for a few months, and was happy with the results. But, one thing that disappointed me was that SDC did NOT remove LSO cookies. You need to also install the "Better Privacy" addon to remove LSOs.

I repeat, SDC removed every other kind of cookie except LSO cookies.

Also, do NOT use the Ghostery addon. I was using it for months until I discovered Ghostery making requests to some odd server. Just stick with SDC + Better Privacy.

November 10, 2013

In reply to by Anonymous (not verified)

Are you talking about ghostrank? Just keep it disabled.

SDC doesn't manage LSO cookies, better privacy is for that.

December 24, 2013

In reply to by Anonymous (not verified)

And I was so happy with Ghostery until I read your post. I still don't know how to find who is tracking me when Ghostery tells me someone is tracking you.

November 02, 2013

The latest TBB without Vidalia (beta version) is not out for this release, it seems. Thank you!

November 02, 2013

Could someone tell me WHERE the settings for the following warning message are stored (sqlite file, ini file etc):

"This website attempted to access image data on a canvas. Since canvas image data can be used to discover information about your computer, blank image data was returned this time."

thx

November 02, 2013

Just downloaded and installed and it is asking me for a password. I've never put a password in the program. Tried the system password and that didn't work. Any suggestions please!

November 02, 2013

Every SSL-secured site I attempt to go to with the latest 64-bit TBB, gives me the following error message:

Secure Connection Failed

An error occurred during a connection to www.torproject.org.

SSL peer reports incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_alert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

November 03, 2013

Help please! I am getting ERROR all the time with
tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US

Tor Browser Bundle pop-up warning square:
Vidalia exited abnormally. Exit code: 2

2 empty txt-documents pop up in the folder, named
(invalid encoding) (invalid encoding) with strange unicode letters above
when trying to start vidalia from: start-tor-browser (run)

Ubuntu 12.10

this is the second latest release of the tor browser bundle that i can not run.
no firewall, vpn, proxy should be able to block anything
since i haven't done any changes since i removed the older version.

November 03, 2013

I can use the tor browser to visit any other page except the one it is supposed to start first, the check.torproject.org. It was doing this before and after I installed the new update, was working fine yesterday. Message I get is : The proxy server is refusing connections. Firefox is configured to use a proxy server that is refusing connections.

So, is it safe to use my tor browser? Any thoughts if I need to download/install/whatever anything else? Thank you in advance!

I, too, have the "refusing connections" error message. Vidalia shows a green torbutton, but the browser page shows a red slashed button and won't connect me anywhere, while giving me the above error message.

November 04, 2013

I am not able to paste anything from outside of tor on any site.
like copy encrypted message from notepad and then paste into tor.
is anyone else having this issue?

November 05, 2013

bug in https://check.torproject.org page.

if you get the message that there's a security update available on that page, then close your browser. download and install the update. when you reopen the browser, in some circumstances (and this is just a guess, as it might be something else causing it - perhaps the browser is set to on restart to always open the pages that were open at the time the browser was closed) the check.torproject.org page announcing there's an update available opens again. this is very confusing, as it seems like the update you have downloaded and installed hasn't worked...

i would suggest as a fix for this, to put an actual check on the following page
https://check.torproject.org/?lang=en-US&small=1&uptodate=0
to check whether the current tor version is actually up to date, as it doesn't seem to be checking at present. you can test this by visiting that page with your up to date tor browser bundle. it will still report that there is an update available...

November 05, 2013

Despite using it on a portable drive, it is still splattering files to C:\Users\myaccountname\AppData\Local\Vidalia such as C:\Users\myaccountname\AppData\Local\Vidalia\vidalia.pid and looks for files like geoip in that folder, instead of in a relative and local folder on windows 7. I wonder if firefox creates temp files for downloads in C:\Users\admin1\AppData\Local\Temp .

November 06, 2013

I still have the "proxy configured to refuse connection problem" after a clean installation (winxpsp3, noadm priv, using a http/s proxy, tor client only from usb stick). After reading comments everywhere I found out that the only stable solution for me is to delete the line HashedControlPassword to make tor work (I tried to use the cookie authentication or a fixed password but they don't work either). In the manual you say this creates a security breach. Is there a safe(r) solution to this issue? This problem affects me only starting from late spring 2013 distributions. Thanks!

November 07, 2013

NEW VERSION TOR-14

BUG RELATED TO/ WINDOWS XP

Firefox>Bookmarks>Backup> file= "anybookmark"

A series of annoying scripts appears which hijacks the transfer of bookmarks from Tor13 to Tor14

Script: chrome://browser/content/places/browserPlacesViews.js:583

Nice new upgrade. pretty smooth except for this bug, thanks!

November 10, 2013

In reply to arma

Yes, the check goes over TOR.

I thought I saw a request to a mozilla blocklist server that submitted a variable along the lines of "GET_INSTALLED_ADDONS" however I've been unable to reproduce what I saw.

The blocklist URL string does not contain this var so it must have been something else.
https://wiki.mozilla.org/Firefox3.1/Blocklisting_Security_Review

I will reply here if I am able to reproduce what I originally thought I witnessed. I apologize if I was incorrect.

November 10, 2013

In reply to by Anonymous (not verified)

TBB does not send a list of installed extensions; it fetches a list of blocked extensions instead.

The problem is with the generated URL itself, and not only in the blocklist case, as TBB fetches a lot of other stuff from Mozilla's addon server.
List of vars used for URLs that can be individual:
%BUILD_ID%
%BUILD_TARGET%
%LOCALE%
%CHANNEL%
%OS_VERSION%
%PING_COUNT%
%TOTAL_PING_COUNT%
%DAYS_SINCE_LAST_PING%
etc

You can't fix it just by extensions.blocklist.enabled;false

November 16, 2013

Does it disable javascript by default?

Read Snowden's 'Tor Stink' leak, they mentioned Tor Browser has a weakness, which is javascript is enabled by default, and the NSA have been using it to their advantage.

January 25, 2014

Couldn't Load XPCOM...Windoze 7... can't get Orbot or Orweb working on my Nexus 10 either... any help, seems horrible to be quite honest.