New Tor Browser Bundles for Windows

by Sebastian | May 25, 2012

The Windows Tor Browser Bundles have been updated to fix a security issue which could allow attackers to retrieve the path that the Tor Browser Bundle was installed in. All Windows users are strongly encouraged to update.

https://www.torproject.org/download

Windows Tor Browser Bundle (2.2.35-13)

  • Fix Firefox build to sanitize file paths (closes: #5922)

Comments

Please note that the comment area below has been archived.

May 25, 2012

Permalink

Today I installed Tor on Win 7.

The browser-window looks strange. I miss the close/enlarge button there. The window-color is different from my own settings too.

Did I do something wrong?

May 25, 2012

Permalink

I have read among the comments that browsers extensions could alter the browser ID string. Well, it makes sense. But, now, at it is the TOR browser could there be an option to freeze / simplify that ID string?

I remember from the PanOptiClick of EFF that a lot of info is usually spit out by the browser. But can that be controlled so the choice of extensions won't impact that output?

Which leads to my reason to open this comment: is it possible to add RequestPolicy to the audited and hopefully to the included extensions along with HTTPSeverywhere and NoScript? It does make a lot of difference. And it can really help in making a visit / presence invisible to certain services. Also RequestPolicy can make some sites far less friendly, but it can also avoid touching Google, Facebook and other data gathering services.

I'm a big fan of RequestPolicy too. The challenge for the TBB is how to change as little as possible from what normal users expect. If Facebook breaks because we put RequestPolicy into TBB, people will think Tor breaks Facebook.

Maybe in some glorious future when we can build, maintain, and QA a lot more TBBs in parallel, we should have the "TBB by itself" and the "TBB with adblock, request policy, something for cookies, etc"?

May 26, 2012

In reply to arma

Permalink

Sure. It makes perfect sense what you are saying. On the other hand, having anything to do with google, facebook and other information harvesters is plain bad. And it kills the smaller and a lot nicer players as people don't even care about alternatives. Myself I'm a bit on the extreme side and lately I prefer sites that do their own coding and not too much cross site activity. Sure, googleapis are nice, but with so many open source packs around a site hardly has any excuse. Also, with Request Policy I have come to be aware of something that never crossed my mind: how much information is leaked because of plain developer stupidity.

So people who do have to use TOR should take the time to learn at least the basics. It's for their own good, otherwise they might just sign a confession that might lead to death in a couple of cases. But there have to be a lof of other users for TOR. Because I have read in more than one forum TOR is slow, only people who need it should use it. And, in fact, the more trafic it is on TOR, the harder it is to spot some particular activity.

I see you can sign your own posts. Is there a way one can do the same and bring an identity to this discussion?

Also, it's probably quite uncomfortable to have talks split up in comments to each post. Is there such a thing as a TOR forum? Or a TOR discussion mailing list?

May 25, 2012

Permalink

I think NoScript maybe too complex for some people, at least at first. An alternative would be an Addon that allows the user to toggle Javascript On/Off from the browser window, rather than having to go into the browser's "Options." There are several Addons that do this. But of course people have to understand Javascript when "on" is a major vulnerability.

May 25, 2012

Permalink

I haven't updated my TOR in a while, today when I started it said I wasn't connected to the TOR network. I decided to download the new one Tor Browser Bundle but now when I use it, it connects to the Tor network but the Tor Browser (Seems new) keeps coming up as Not Responding and no amount of waiting is changing it.

Are you able to access your message log? If so what does it tell you?

Often after reinstall I must re-teach/re-enable my firewalls program control to allow them again else it may not allow Tor/Vidalia to execute..

May 25, 2012

Permalink

Is there a possibility to actually include the latest available Https Everywhere addon per package?
I've tested every Developer version and all works great, plus the additional rules and minor bug fixes.
Every time I update Tor Browser, it reverts back to the redundant and old.
Just an opinion though, since I do understand that stability are a priority.

Sounds like you should encourage the https everywhere developers to put out a new stable version of https everywhere. That would make it an easy choice on our part.

May 29, 2012

In reply to arma

Permalink

In the Windows bundle tor.exe gives this information:
"Tor v0.2.2.36 (git-736fb31d97dc4645). This is experimental software. Do not rely on it for strong anonymity."

May 26, 2012

Permalink

sir will my isp know what file i am downloading , i mean the name of the file and the url of that site, When i am using tor...

When you use the right click "save as" there will be one of two possiblilities.

1. you are instantly asked to save "with an external program". Saying yes can leak your true identity to the website with download,etc. because the external program could ba Google API or almost anything which will almost assuredly sniff out your true ID and download your file in the clear. (outside a Tor protected encrypted tunnel). In this case your ISP could conceivably see everything. I would not accept any offer to use an "external program" period, I would rather forego the download than take the risk.

or

2. You will get prompted immediately to enter the folder you want to save to without an "external program" prompt. This is generally safe and the download will proceed inside of Tor according to my best understanding. You can go to "View the Network in Vidalia console and actually see what circuit your download is using. All your ISP would see is the encrypted connection.

May 26, 2012

Permalink

I recently switched my OS to Widows 7. TBB only connects to 3 nodes? I can never reach any .onion sites? Please help, thank you!

May 28, 2012

In reply to arma

Permalink

arma, mikeperry, et al.,

I've noticed quite a large uptick in your response time, and in your response number. And I wanted to thank you. I'm not the OP of that message, but I appreciate greatly you guys/gals taking your time, even with questions like these (that have been asked/answered many times). I am a long time Tor user, and it's nice to see so much hand-holding of newbs, I think it's what many/most need. Thanks again! :)

May 26, 2012

Permalink

I've had one part or another of the Tor Browser Bundle identified as malware by Symantec recently. Kick them on their shins or send them some information on your updates will ya? ;-)

May 27, 2012

Permalink

Can anyone tell me how to setup Tor to run with Xampp ?? So that i can run some scraping scripts from home ??

May 28, 2012

Permalink

'Plus one' other Anonymous above !

Can someone please resolve the confusion re. version numbering ?

Stable version 0.2.2.36 of Tor has been announced BUT apparently is only offered as a source tarball. Precompiled versions for all supported platforms appear to be 0.2.2.35.13.

Are they the same thing, or should we wait for site updating ?
This kind of ambiguity is extremely annoying to people who like me are relaying the announcements and prescribing download.

thanks,

--
Noino

"Stable version 0.2.2.36 of Tor has been announced"? I put the tarball on the website, but I haven't sent any announcements yet. That's mainly because I'm waiting for people to make packages.

If you want to hear when new stable Tor releases are ready, subscribe to the tor-announce list (linked from the documentation page on the website).

May 28, 2012

Permalink

Some suggestions about default settings of the next tbb-firefox
(ref. Tor Browser\FirefoxPortable\Data\profile\prefs.js):

user_pref("network.http.sendRefererHeader", 0);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("browser.privatebrowsing.autostart", true);

user_pref("accessibility.typeaheadfind", true);
user_pref("browser.download.manager.showWhenStarting", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.page", 0);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnOpen", false);
user_pref("general.smoothScroll", true);

user_pref("noscript.autoReload", true); // or delete this line
user_pref("noscript.global", false); // or delete this line
user_pref("noscript.options.tabSelectedIndexes", "0,0,0");
user_pref("noscript.showAddress", true);
user_pref("noscript.showBaseDomain", true); // or delete this line
user_pref("noscript.showDomain", true);
user_pref("noscript.showDomain", true);
user_pref("noscript.showGlobal", false);
user_pref("noscript.showRevokeTemp", true); // or delete this line
user_pref("noscript.showTemp", true); // or delete this line
user_pref("noscript.showTempAllowPage", true); // or delete this line
user_pref("noscript.showTempToPerm", true); // or delete this line

user_pref("extensions.torbutton.dodge_google_captcha", false);
user_pref("extensions.torbutton.normal_exit", true);
user_pref("extensions.torbutton.startup", true);

So the not expert user can netsurf immediately.

regards

This could happen because you have configured your Tor to be an exit relay.

It could also happen if your ISP just switched your IP address to a new one, and your neighbor had been recently running an exit relay on that new one.

May 29, 2012

Permalink

has anyone written a script for auto updating the tor browser bundle for windows?
so we always have the latest version? whenever i use it there always seems to be a new update available, and i have to update it manually, quite annoying, though i do appreciate that its a lot of work for the developers to keep updating the bundles when security issues arise etc

I think the plan going forward is to switch to the Firefox "Extended Support Release", which will hopefully mean fewer releases on our side. It will depend if Firefox keeps putting out security problems and then putting out security updates. :)

As for auto updates, we have some very nice scripts that will do what you want (google for Thandy), but they're still a pain to get working right on Windows. It's on our todo list to get a developer to make that work.

June 06, 2012

In reply to arma

Permalink

>I think the plan going forward is to switch to the Firefox "Extended Support Release",

I have to wonder why you didn't decide to do this sooner.
.......

Regarding auto-update scripts, arma wrote,

"they're still a pain to get working right on Windows."

So then these scripts work well on GNU/Linux?

Mac?

May 30, 2012

Permalink

When I launch tbb my status bar on Vidalia Control Panel briefly says "Unrecognized startup status". Why is this?

PS: PLEASE DON'T REFER ME TO "Ticket #5109" ( https://trac.torproject.org/projects/tor/ticket/5109 ) -I have read all the comments posted and don't understand anything.

I'm using the latest version of tbb (2.2.35-13)

Please explain in simple English why this the status bar says this and if it's a problem or not.

It's a bug in Vidalia, which was fixed in Vidalia 0.2.18, which was released on May 14 and is not yet a part of the Tor Browser Bundle.

But don't worry: it's not a problem. The bug is simply that it says the wrong thing.

June 02, 2012

In reply to arma

Permalink

Why aren't the Vidalia updated in the Browser Bundle then?
Since browser bundles are the major of TOR, updating them are the top priority!

May 30, 2012

Permalink

Why does Tor browser (firefox) COMPLETELY CHANGE its proxy (in firefox options -advanced-network-connection), if it is opened directly at FirefoxPortable-App-Firefox-tbbfirefox (and not thru the "start tor brower"

I thought it wouldn't work at all if the browser was opened directly from that folder. BUT it does work! It connect directly to the internet. With its settings changed. Can someone explain?

Indeed, the browser in TBB is supposed to exit if you run it directly. If yours doesn't, that's a bug we should investigate.

Can you clarify what "FirefoxPortable-App-Firefox-tbbfirefox" is? That's not what my browser in TBB is called.

June 03, 2012

In reply to arma

Permalink

I'm talking about the path (folders) where the Tor browser (firefox) .exe is located.

Tor Browser -> FirefoxPortable -> App -> Firefox -> tbb-firefox.exe

When I double click on tbb-firefox.exe (rather than starting TorBrower from "Start Tor Browser"), the Tor Browser DOES start up, without vidalia of course, but the proxy settings in firefox are also changed, so that it connects directly to the internet so there's no problem browsing the web...of course UNanonymous.

I think you should do so that either firefox can't start if you open it directly from the above folder, or if it does start up, it at least has the proxy settings enabled so that it won't connect to the internet when Tor/vidalia aren't on.

https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:… is the patch that does what you suggest. It's already applied. I just asked several users to test, and it works for them.

What Windows are you using? Which TBB version is it? Can you go to about:config in your normal (system) Firefox profile and search for 'torbrowser' and let us know if there's anything there (and if so, speculate about why it's there)?

June 11, 2012

In reply to arma

Permalink

arma- its windows vista and the latest version of TBB. At about:config there's no "torbrowser" in my normal browser. but on the TBB if I search in about:config it does find "torbrowser" (just says the version)

May 31, 2012

Permalink

Some add-ons that I find very useful:
Adblock Plus (2.0.3)
OptimizeGoogle (0.79.1)
User Agent Switcher (0.7.3)
Menu Editor (1.2.7)

Are they a risk for anonymity?
If no, I think that is a good idea to include them in next TBB.

regards

I only know about Adblock Plus, but that one is an anonymity risk if not all Tor users use it, only you and a few others. It blocks loading of advertisement, so your browser never request them. It is easy for someone to test if your browser is loading advertisement or not, and thus your anonymity set is reduced.

Also, user agent switcher sound like something that changes the user agent string sent by your browser, and if you change that one from the default, you are definitely making yourself uniquely identifiable.

Uniquely identifiable means someone can follow you as you move around the web. But they still cannot learn your ip-address easily.

June 02, 2012

Permalink

So, you are deleted!

Why? I had torbutton installed, but not used it since month. And then my ff has updated to your new buggy crappy version.

First: I don't need a button without function! So your program is void and as such deinstalled.

Second: I hate programmers, who think, that they are allowed to change many settings on THEIR purpose, without giving the user a chance to say: "ok, I want it so". When the button has lost its function, ok. Happens. But then you have to DEACTIVATE the button in the autoupdate-installment and give an information, that the button is deactivated, because the button is now a "perm-active-sign", and the user has to reactivate it manually.

Programmers who think, that they don't need such user-friendlyness, are not needed on my harddrive, I use Linux, because I don't want to be said by the software programmers how to use a computer (a reason for deinstalling Windows and newer installing Mac OS), so your behaviour is not suitable.

c. a tool, that kills my tab sessions and many settings with a smile... is windows crap and is not needed.

Goodbye!

June 02, 2012

Permalink

Your Torbutton, honestly, lies in my normal browser for emergency use, while anonymity is in my TOR browser. But now you forced it on??
Honestly, it is the least buggy thing there, since I used it very very often but yet in your side, you never never stop saying there was too many bugs and to fix it, forced us to keep it on? Stupid decision.

Sounds like you're behind some sort of censoring filter.

Here's what https://www.torproject.org/docs/faq#GetTor says:

Some government or corporate firewalls censor connections to Tor's website. In those cases, you have three options. First, get it from a friend — the Tor Browser Bundle fits nicely on a USB key. Second, find the google cache (https://encrypted.google.com/search?q=tor+mirrors") for the Tor mirrors page and see if any of those copies of our website work for you. Third, you can download Tor via email: log in to your Gmail account and mail 'gettor AT torproject.org'. If you include the word 'help' in the body of the email, it will reply with instructions. Note that only a few webmail providers are supported, since they need to be able to receive very large attachments.

Be sure to verify the signature (https://www.torproject.org/docs/verifying-signatures) of any package you download, especially when you get it from somewhere other than our official HTTPS website.