Tor Browser 3.6-beta-2 is released

by mikeperry | April 11, 2014

The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

  • All Platforms
    • Update OpenSSL to 1.0.1g
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update fte transport to 0.2.12
    • Update NoScript to 2.6.8.19
    • Update Torbutton to 1.6.8.1
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
    • Update Tor Launcher to 0.2.5.3
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
  • Linux:
    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 11286: Fix fte transport launch error

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Comments

Please note that the comment area below has been archived.

April 11, 2014

Permalink

The NSA has exploited Heartbleed bug for years, Bloomberg reports.

Do you still believe in TOR!?

I'm assuming that particular article is nonsense until somebody shows up with some actual details. I guess it's hot to point at NSA conspiracies these days. But doing it in this case undermines the *actual* NSA conspiracies that we should indeed be upset about.

And yes, pretty much no matter how this particular story goes, you'll still be happier that you used Tor than that you didn't, over the past years. The Internet is a rough place without something like Tor.

what a coincidence, these "reliable sources" just reveal this astonishing information after the heartbleed bug was well known.
Plus, the snowden papers refer to TOR and the NSA try to break it, it also refers to how the NSA have its hands on a lot of ssl certificates, but it doesn't tell a word about the heartbleed bug so far.
Bloomberg is just exploiting the situation to make some buzz in my opinion.

April 11, 2014

Permalink

Downloaded, installed and running on Win 8.1 Pro. 32bit. No problems so far. Thanks for the update!

TBB hangs on 'loading relay information'. I have to close TBB and restart it 3 or more times before TBB will connect. I am using PT-obfs 3. Maybe all the obfs 3 bridge relays are busy?

April 11, 2014

Permalink

Thanks for the rapid update to 3.6-beta releases!
There used to be an annoying gap between normal releases and PT bundles.

April 12, 2014

Permalink

Newbie question maybe, but I now have Norton Hotspot Privacy VPN. Since I use Tor Browser are there still benefits to using the Norton VPN?

without know the product in question i would say, in general , commercial VPN sw and services are USELESS for maintaining your anonymity.

They work for circumventing DNS/IP range blocking and thats about it.

VPNs can also be useful for protecting against eavesdroppers on public/untrusted networks, such as public WiFi.

(But remember that the VPN sees all your traffic. And if you think they won't hand over all they know about you under any pressure...)

but I now have Norton Hotspot Privacy VPN.

Ditch Norton products. Symantec/Norton is a close partner of NSA. Have you heard of Edward Snowden, NSA's whistleblower?

You are wasting your money.

Yup. Didn't know Norton connexion though. Thanks for pointing it out. What about Hidemyass for anonymous browsing? And Hushmail for email? They were mentioned in Coke Stryker's book, 'Hacking the Future".

Hidemyass is famous for turning over some kid who was maybe part of Anonymous. And when he confronted them, the conversation went something like "well, what did you expect, you did something a government didn't like" "but you're named hide my ass!"

Hushmail on the other hand is famous for turning over the mailboxes of its users to various law enforcement groups, despite claims that they technically can't do it. See e.g. https://blog.torproject.org/blog/trip-report-october-fbi-conference

The lesson here is that all of these centralized for-profit companies that claim privacy are still in fact still centralized. It's privacy by promise, not privacy by design:

https://svn.torproject.org/svn/projects/articles/circumvention-features…

April 17, 2014

In reply to arma

Permalink

"Hidemyass is famous for turning over..."

"Hushmail on the other hand is famous for turning over.."

Perhaps you meant to write, 'infamous'?

April 16, 2014

In reply to arma

Permalink

This method is not work-----Linux ubuntu 12.04

April 12, 2014

Permalink

Dates of certificate issuing:

blog.torproject.org (05:CA:*): 2014-04-09
*.torproject.org (09:48:*): 2013-10-22

Are you planning to get a new cert for the latter?

Today is the first time I noticed these torproject certs.

*.torproject.org —
SHA1:
84:24:56:56:8E:D7:90:43:47:AA:89:AB:77:7D:A4:94:3B:A1:A7:D5
Serial Number:
09:48:B1:A9:3B:25:1D:0D:B1:05:10:59:E2:C2:68:0A
Issued: 10/22/2013 Exp.: 05/03/2016

blog.torproject.org blog.torproject.org — SHA1:
DE:20:3D:46:FD:C3:68:EB:BA:40:56:39:F5:FA:FD:F5:4E:3A:1F:83
Serial Number:
05:CA:2A:A9:A5:D6:ED:44:C7:2D:88:1A:18:B0:E7:DC
Issued: 04/08/2014 Exp.: 06/14/2017

If the one for *.torproject.org was issued back in October, why it is first being used now?

Below are the certs I had been seeing prior to today. What happened to them?

*.torproject.org
SHA1:
1F:9D:30:6E:8B:FC:CF:CB:03:98:1A:71:A2:7A:9F:5D:1E:08:76:CE

blog.torproject.org blog.torproject.org
SHA1:
0E:09:14:64:17:CD:7E:7A:4A:CA:98:C1:8E:92:C2:59:66:85:8D:BA

April 13, 2014

Permalink

Is something going on with the tor network? Connecting with the normal bundle is difficult and using obs3 in the beta is slow.

The speed of obfs3 depends a lot on the speed of the bridge you're using.

obfs2 and obfs3 shouldn't be any slower than normal Tor, if the underlying bridges / relays are the same speed.

Maybe you should spin up your own obfs3 bridge, e.g. on Amazon cloud or some VPS somewhere, and route through it?

April 13, 2014

Permalink

Any comment about the connections to IP 213.163.64.74 immediately after startup ?

That looks like one of the 5000+ Tor relays.

I assume you started your Tor, it picked some guards, and now when you start your Tor again it makes some circuits for you, so they will be ready when you try to use them, and one of those circuits was to that guard.

https://www.torproject.org/docs/faq#EntryGuards

So in short, "totally normal, and I encourage you to learn how Tor works".

April 13, 2014

Permalink

I love how OpenSSL put the whole world in grave danger out of sheer incompetence and no one dared say anything to them.

April 15, 2014

Permalink

Could not connect to news media and blog.torproject.org over
exit node bandito 1AAB39E97C7E4CFCA585265D17A03F8D3390D841

Other exit node right after that no problem.

Seriously, Windows 2000? Isn't that, like, unsupported for a long time now?

I think Tor should work there, but I think Firefox (and thus Tor Browser) won't.

If the Tor binary doesn't work, you should file tickets about what goes wrong, and help us fix it. Going to an older version is likely a poor idea -- check out the changelog of things we've fixed recently.

April 16, 2014

Permalink

It looks like 'torrc' ini file is deprecated.

Where do settings such as limiting exit nodes by country, specifying bridges etc. go now?

thanks

April 16, 2014

Permalink

Awesome! Congrats :) Is this version going to keep my local settings when I updated it to the next one (first time I'm using beta)? Thanks!

April 16, 2014

Permalink

The bug #9387 changes ("Disable JS JIT, type inference, asmjs, and ion. ") seem to involve turning off everything which is intended to make JavaScript fast.
Has there been any systematic attempt to evaluate what effect this may have on performance?
Has there, for that matter, been any systematic attempt to evaluate what additional security benefit this brings, e.g. what proportion of past Firefox vulnerabilities would users have been protected against if each of these features were disabled?

While your suggestion of going thru past issues may sound systematic and smart, the low hanging fruit for bad guys is using already disclosed -- but unfixed -- vulnerabilities. So the past is somewhat irrelevant.

Regarding speed....well that's one of the benefits of having a beta to evaluate.

April 16, 2014

Permalink

I entered about:config and typed "www" or ".com" or ".org" and then there are 50 built in urls that can potentially leak information. Why are they in there?

I Remove most of them in about:config by either deleting or changing the URL. I suggest all google links are removed as those bastards are monitoring everything on the net.

April 17, 2014

Permalink

Not bad not bad. I see a lot of bitching and moaning ^ but also a lot of valid points which I wont point out to you again.

People moaning about speed - Learn how Tor works
People moaning about losing addons and bookmarks after updating - What do you expect?

Keep up the good work Tor. Much love.

April 17, 2014

Permalink

I'm connecting thru VPN, when I first launch the TBB should I click "connect" or "configure"?