Tor Browser 3.6 is released

by mikeperry | April 29, 2014

The Tor Browser Team is proud to announce the first stable release of the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

For users upgrading from Tor Browser 3.5.x, the 3.6 series features fully integrated Pluggable Transport support, including an improved Tor Launcher UI for configuring Pluggable Transport bridges. The Pluggable Transport code is also fully disabled for users who do not configure them. The 3.6 series also changes the MacOS archive format from zip to DMG, which should improve installation usability for Mac users.

This release also includes important security updates to Firefox.

Please see the TBB FAQ listing for any issues you may have before contacting support or filing tickets. In particular, the TBB 3.x section lists common issues specific to the Tor Browser 3.x series. We also maintain a list of frequently encountered known issues in our bugtracker.

Here is the complete changelog since TBB 3.5.4:

  • All Platforms
    • Update Firefox to 24.5.0esr
    • Include Pluggable Transports by default:
      • Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.13 are now included
    • Bug 11586: Include license files for component software in Docs directory.
    • Bug 9010: Add Turkish language support.
    • Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
    • Update NoScript to 2.6.8.20
    • Update Tor Launcher to 0.2.5.4
      • Bug 9665: Localize Tor's unreachable bridges bootstrap error
      • Bug 10418: Provide UI configuration for Pluggable Transports
      • Bug 10604: Allow Tor status & error messages to be translated
      • Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
      • Bug 10610: Clarify wizard UI text describing obstacles/blocking
      • Bug 11074: Support Tails use case (XULRunner and optional customizations)
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to 1.6.9.0:
      • Bug 11242: Fix improper "update needed" message after in-place upgrade.
      • Bug 10398: Ease translation of about:tor page elements
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Backport Pending Tor Patches:
      • Bug 9665: Report a bootstrap error if all bridges are unreachable
      • Bug 11200: Prevent spurious error message prior to enabling network.
      • Bug 5018: Don't launch Pluggable Transport helpers if not in use
      • Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
      • Bug 11069: Detect and report Pluggable Transport bootstrap failures
      • Bug 11156: Prevent spurious warning about missing pluggable transports
  • Mac:
    • Bug 4261: Use DMG instead of ZIP for Mac packages
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows
  • Linux:
    • Bug 11190: Switch linux PT build process to python2
    • Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
  • Windows:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows

Here is the changelog since the 3.6-beta-2:

  • All Platforms
    • Update Firefox to 24.5.0esr
    • Update Tor Launcher to 0.2.5.4
      • Bug 11482: Hide bridge settings prompt if no default bridges.
      • Bug 11484: Show help button even if no default bridges.
    • Update Torbutton to 1.6.9.0
      • Bug 7439: Improve download warning dialog text.
      • Bug 11384: Completely remove hidden toggle menu item.
    • Update NoScript to 2.6.8.20
    • Update fte transport to 0.2.13
    • Backport Pending Tor Patches:
      • Bug 11156: Additional obfsproxy startup error message fixes
    • Bug 11586: Include license files for component software in Docs directory.
  • Windows and Mac:
    • Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows builds

Comments

Please note that the comment area below has been archived.

HTTPS-Everywhere 3.5.x switched to using SQLite for storing rulesets, and the build process that generates this sqlite db is not yet reproducible/deterministic (See Bug 11630). We had to build+include the 3.4.5 version for TBB 3.6 builds to be reproducible.

We're trying to decide what to do about this, and should have some form of fix or stopgap by the next TBB release.

May 03, 2014

In reply to mikeperry

Permalink

HTTPS-Everywhere will try to update automatically to latest version after Tor-Browser first run

April 30, 2014

Permalink

[warn] Controller gave us config lines that didn't validate: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

every time I try to connect through proxy it gives this... why?

I get this type of error during configuration:

Unable to save Tor settings.

Unacceptable option value: You have configured more than one proxy type.

April 30, 2014

Permalink

I have obfs2,3 standard, fte, and flashproxy in my custom bridges list.
While obfs3,2, standard work fine, I can't make fte & flashproxy bridges to work under "custom bridges" option. Why is this?

Where did you get the FTE bridges from? AFAIK, BridgeDB doesn't give out FTE bridges yet. Are you sure the FTE bridges work?

Do you get some kind of error when you try to add FTE bridges?

April 30, 2014

Permalink

AND, yet again, "important security updates to Firefox".

Many of which fix bugs that allow arbitrary code execution, and therefore give away your real IP address, MAC address, and whatever else can be found on the computer.

Just like every other release so far. That Firefox change log is red all over.

You have had years with the TBB. During that time, Firefox, like every other browser, has had a continuous stream of critical vulnerabilities. Those have been exploited to unmask Tor users in very public incidents and presumably in many more non-public incidents.

You have never had a single secure release, ever.

You have never had a single release that couldn't be broken with ONE single exploit.

How long is it going to take you to realize that relying on the browser alone to prevent Web sites from finding the user's identity can never work?

Your whole approach is broken. You are putting your users at risk. The browser WILL be subverted. You are going to have to find a reliable way to hide the computer's identity from the browser. Preferably more than one layer. You can't trust ANYTHING to not have bugs.

No web browsers are free of security bugs. Should TOR stop shipping any web browser?

TAILS and Whonix also use Firefox, protected by read only media and firewalls. Is that what you want? Or should TAILS and Whonix not ship a web browser either?

Same person here.

I didn't say "don't ship Firefox". I said "don't rely on the browser alone" and "hide the computer's identity from the browser".

Whonix is an improvement. It's not perfect, but it's an improvement.

With the TBB, if you break out of the Web browser, you immediately get the user's real IP address, MAC address, etc. One zero-day and the user is owned. Tails is basically the same; it gives you additional protection against local attacks, but nothing much against attacks from the network.

On the other hand, if you break out of the Web browser in Whonix, you may get information about the user's anonymous activities, but it's anonymous information about anonymous activities.

Unless the user has actively (and unwisely and against advice) put identity information inside the Whonix "workstation" VM, you get nothing identifiable until you ALSO break out of the "workstation" VM or compromise the "gateway" VM. You have to be able to break either VirtualBox, Tor, or the kernel on the Whonix "gateway" VM. And even that attack surface can be reduced with hardware isolation.

It takes TWO bugs in TWO different pieces of software to find the user's identity in Whonix, versus ONE bug in TBB or Tails. That is a radical improvement. Qubes with a Tor-based network VM is similar to Whonix.

It's true that really tough opponents may have libraries of zero-days in both browsers and kernels/Tor, but a lot more opponents are going to have just a zero-day in Firefox.

Whonix is at least giving security a real try. I can't say that for the TBB or TAILS. As far as I can tell, they're emphasizing ease of use, and just turning off their brains to avoid thinking about how easy they are to break. That excessive emphasis on ease of use just encourages people who don't understand the risks to expose themselves.

There are other things you could do to lock things down, too, mostly involving confining the browser more, so it's harder to use it to attack VMs or whatever. Tails could do them. I don't think the TBB is architecturally able to do them, because you're going to need kernel support.

Yes, I'd love to have more people looking into Whonix, WiNoN, etc. Seems like one nice way forward would be for Tails to put more things into VMs if you have hardware virtualization support (and not do it if you don't). Another option to explore is how to do this from within Windows, for those who feel they need to stick to it, though of course having yours Windows OS underneath everything, with all your spyware/etc already installed, is not a great situation.

The Tor Browser team is all full up trying to keep the serious privacy issues under control in Firefox. We need help from others to try to make these other pieces usable for normal people. Please help!

May 19, 2014

In reply to arma

Permalink

Meanwhile, it seems like usually no more than several days pass between the time that Firefox ESR releases a new version with one or more critical security fixes and the time that a new TBB based on this is released.

This does NOT, however, appear to be the case for Tails, with its 6-week release cycle.

I realize it is not realistic or even fair to expect Tails to come out with new releases any more often than this (and even every six weeks seems rather impressive). But how secure is using Tails more than a few days after one or more critical vulns in its Firefox/Iceweasel version (or any of the other software Tails runs) have been reported?

Perhaps the Tails folks should include a warning along these lines, urging people to continually follow the security disclosures and make risk-benefit decisions accordingly.

May 19, 2014

In reply to arma

Permalink

What about working on a TBB based on a text-only browser and encouraging/educating people (those at high risk, at least) to recondition themselves into making-do with text-only?

Wouldn't a text-only browser eliminate MANY of the threats that every full-fledged browser is rife with?

May 19, 2014

In reply to arma

Permalink

In the meantime, by the time a given Tails release is, say a week or two old, perhaps the option of using TBB within an ordinary just-released or updated live system should be considered as a potentially safer alternative. (Depending, of course, upon specific usage case and threat model.)

Yes, just like there has never been a completely secure operating system. By adding additional layers, you're just increasing the attack surface; you're just increasing the number of possible vulnerabilities to exploit.

You are never going to get 100% safety using Tor; even Whonix (an isolating proxy) can't insure for certain your IP isn't leaked. An bugs in the VM could de-anonymize you. But if you're looking to be completely safe, the only way to do that is not to use a computer at all.

April 30, 2014

Permalink

I've been downloading TBB releases for a while now, and this is the first time I've gotten this message on my Mac:

“TorBrowser.app” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.

Are you guys aware of this issue?

April 30, 2014

Permalink

Proxy setting don't work for TBB 3.6 on Linux (32 bit - haven't tried on the 64 bit machine.)

If I try to configure the proxy setting at startup I get this error:

Unacceptable option value: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

I'm back to using the last version which works flawlessly.

Can't please all the people all the time, I guess.

There were many users clamoring for DMGs and uncertain what to do with zips, before. Many of the Apple users I've talked to are happy we've finally moved to DMGs, since they're "the standard" and "what everybody expects".

May 01, 2014

In reply to arma

Permalink

As a Mac user, it's cool and all you did that, but it's hardly an important feature. If there are Mac users out there who don't know how extract a zip, perhaps they have no business using Tor or even computers at all.

It's more simpler using zips than DMG. DMG you have to double click, wait, then drag the application to wherever you want, then eject DMG. ZIP just double click then drag wherever you want, its easier.

The target audience of Tor isn't restricted to those who are computer wizards. It aims to serve those who aren't as well; everyone uses a computer these days no matter their skill level, and not all of them want governments and/or corporations finding out their activities online.

First read:
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

It turns out that a) some parts of Firefox's JavaScript engine are responsible for a lot of its JavaScript security vulnerabilities, and b) you can disable those parts without actually disabling JavaScript. It makes things slower (because Firefox uses slower but more secure versions to do everything instead), but it doesn't actually disable the functionality.

So we've turned those parts off, and we'll see what users think.

May 04, 2014

In reply to arma

Permalink

That's why TBB 3.6 is so sloooooooower compared to TBB 3.5.4?

Tested on not-so-new hardware (Pentium IV @ 2.4 GHz), with this ugly results:

Your SPEED-BATTLE result*:

TBB 3.6
Calculate / Store / Render / OVERALL SCORE
3.01 / 1.88 / 6.92 / 11.81

TBB 3.5.4
Calculate / Store / Render / OVERALL SCORE
30.57 / 309.13 / 6.02 / 345.72

(Similar results for TBB 3.6 on Dual Core 2.00 GHz)

TBB 3.6 is unusable for me! :-(

Well, that test is explicitly measuring JavaScript speed. Therefore, it is no surprise that 3.6 is not as good as 3.5.4 in this regard. That said whether that matters and is responsible for the slowness you describe is hard to tell. We tested these settings quite a bit and did not recognize a slowdown during day-to-day browsing. What sites do you have issues with?

April 30, 2014

Permalink

Hi, I can't access panopticlick.eff.org using Tor Browser.

I tried several times, it says Untrusted Connection and there is only one option, "Get me out of here!" and the Technical Details. Nothing else. I can't continue to website. Is this normal?

(Details: panopticlick.eff.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided.)

May 01, 2014

Permalink

Thanks for the new release. Two questions about your distribution process: 1. do you provide the sources to your changes to Firefox and your launcher, and 2. could you provide a Windows version that can be extracted without user interaction, either as command line parameters to the installer or as an alternative ZIP distribution?

1) https://gitweb.torproject.org/builders/tor-browser-bundle.git
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD…
https://gitweb.torproject.org/tor-launcher.git/tree

For the patches, it looks like we moved from "have a directory with diffs in it" to "have a git repo that you can see the commits on". Here it is:
https://gitweb.torproject.org/tor-browser.git/log/refs/heads/tor-browse…

2) Several people have asked for this. The best way to make it happen is to open a trac ticket and write a patch. (Thanks in advance! :)

May 01, 2014

Permalink

Unfortunately I received this error after download

"Could not load XPCOM"

Using Windows 7 64 Bit

Regards

May 06, 2014

In reply to arma

Permalink

I did all the things people suggested with this problem and it still doesn't seem to fix anything whatsoever... I don't get why this is such a huge problem... I disable my webroot like it suggested with everything closed down and try using the new browser and still get the same message... then turn my web root back on and scan and have adware... Lol lovely... would love to here a solution to this that's guaranteed to work and doesn't involve putting my computer at risk with no antivirus

May 01, 2014

Permalink

Hi!
I can't to any pages since this new release on my Mac however my Torbutton is green

May 01, 2014

Permalink

Can't remember the answer to this, but why isn't TBB also distributed via default (i.e. non torproject.org) aptitude repositories for ubuntu/debian?

May 01, 2014

Permalink

I have no real need for anonymity. I haven't downloaded Tor to hide spurious web browsing or for financial or business protection. My last browser became buggy. I looked over the various browsers on offer & found Tor. I don't do social networking, and although I have nothing to hide I resent the ever present Gestapo feel of information mining today.
I am not technically aware. I can't be certain that Tor is more secure than a plasticine padlock, but the thought that it just might be a thorn in the side of Big Brother is good enough reason for me.
Thanks

Tails left out the patch about disabling js jit and so on for the 1.0 release, to see if it worked out well in TBB first. Expect it in the next Tails release.

May 02, 2014

Permalink

Upgrading on OS X 10.6.8 from 2.3.25-14 (which works fine, not an option to go back obviously); connecting to Tor network claims to be successful but browsing all connections time out. Tried obvious settings things, not figuring it out here.

May 02, 2014

Permalink

Hi i downloaded the update for my Tor browser but wen i try to open it, i get this msg " This app can't run on your pc, please check with the software publisher for a compatible version" I'm using windows 8.1 on my Toshiba Dynabook.
Can you advise please....

May 03, 2014

Permalink

GK

Screen size

I can understand that you are busy but I am disappointed that I have not yet had a reply to my post of the 16th of last month.

As I reported, I tried to comply with your: “Could you test the latest .xpi attached there and report back whether it fixed your issue?” but I got the results that I reported in the said post.

I accept that I may not have done things correctly but, quite frankly, I don’t know how to “test the latest xpi”. I would like to do so but, as I suspect would be the case with many people who use Tor, without instructions, I don’t know how to.

As one other user also reported that he cannot get a ‘rounded’ screen-size, it seems that I am not alone.

Without your help I will not be able to solve the problem I have and, indirectly, help the Tor developers to decide if there is a bug in the programme.

Thank you

I am sorry about this. But these blog comments are probably the worst way to keep in contact. I'd suggest using Trac as I get notified when a bug gets updated. That said reading your old comment I think you did everything correctly. Sad that it did not work. I might find some time until the next release comes out to implement a better stopgap. A proper solution is not possible without patching Firefox.

May 03, 2014

Permalink

Where are the public keys downloads for Tor 0.2.41 and Tor 0.2.5.4-alpha?

Since the public keys are necessary for installation to verify the signing, why is their location a state secret?

The installation instructions for Linux for Tor-0.2.4.21.tar.gz on the Tor wiki doesn't even mention the words public key or verify.

There should multiple servers to download the public key files.

And no, I don't trust key servers in the wild.

May 03, 2014

Permalink

Pluggable transports don't start, Vidalia log reports warning "Failed to create child process Tor/Pluggable Transports/obfsproxy". I know it's because of firewall, but you understand that advice "Turn off firewall at all" can't be a decision. Tell about the detailes of launch: which process is parent for obfsproxy, if only obfsproxy needs allowing policies, should I provide to obfsproxy the access to defined registry keys, libraries, etc.
It would be nice if you tested the bundles with most popular security software on different systems and published resulting rulesets.

May 04, 2014

Permalink

Tor is suck
Update process difficult not without problems

after update can't connection :(
"Unacceptable option value: You have configured more than one proxy
type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)
"
HELPPPPPPPPPPPPP

May 05, 2014

Permalink

Unacceptable option value: You have configured more than one proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)

May 07, 2014

Permalink

[Bug Report]

It would seem that GeoIP in TBB 3.6 is mis-configured to be located in the sytem folder (windows 7).

"[WARN] Failed to open GEOIP file C:\Users\USERNAME\AppData\Roaming\tor\geoip6. We've been configured to use (or avoid) nodes in certain countries, and we need GEOIP information to figure out which ones they are."

The following torrc setting is ignored:

GeoIPFile C:\Users\USERNAME\Desktop\Tor Browser\Data\Tor\geoip

Regards,

May 07, 2014

Permalink

after downloaded Tor B.B. everything looks good,but i can´t open the sites i would like too...i dont know what to do,i am really not good with computers!!! It was easy to download the "old" Tor browser...

May 07, 2014

Permalink

Hi, apparently there's already a version 3.6.1 today. No changelog for it? Also, how come my torbutton didn't have that blinking warning thingy that used to alert me when there is a new version available? TIA

You can look at https://check.torproject.org/RecommendedTBBVersions for the list of versions that are still considered safe to run.

The TBB 3.6.1 update (and there is a changelog -- see e.g. the new blog post) fixes some bugs in usability (for example, you couldn't set a proxy easily), but those aren't security issues so we don't want to force everybody to upgrade.

May 11, 2014

Permalink

Downloaded the new release but Vidalia is not part of it. No Vidalia control panel, nothing. Tor starts but what happened to Vidalia. Is this a fake Tor?

May 16, 2014

Permalink

Hi guys, just now I tried to log in to Gmail, then the yellow "untrusted connection" page appears on Firefox. So please post feedback on google community forums everywhere to complain.

Why are normal users not allowed to use tor to log in?

Well, it's possible somebody actually was man-in-the-middle-ing your connection to gmail -- that could have been at the Tor exit relay, or at Google, or anywhere in between. I recommend not logging in if this happens. :)

May 16, 2014

Permalink

Hi, I'd like to report 2 things
1) About Tor Browser Bundle v3.6.1
When I go to: TorBrowser --> Help --> About TorBrowser and click on "Tor Project", instead of taking me to the home page ot the Tor Project (https://www.torproject.org/) it opens the mozilla's home page (www.mozilla.org)
A similar thing happens when I click on: TorBrowser --> Help, it takes me to https://support.mozilla.org/1/firefox/24.5.0/WINNT/en-US/firefox-help intead of a similar Tor's destination

2) About Tor's website
At https://www.torproject.org/ in "Our Projects" section where it says "Tails", there is still the old icon of Tails (sorry for reporting this here, I just didn't know where else to post it)

"At https://www.torproject.org/ in "Our Projects" section where it says "Tails", there is still the old icon of Tails"

Not to suggest that pointing this out is not legit, but I would be far more concerned about either of the following two points-- both apparent contradictions-- (and both at least tangentially on-topic here):

1.) The apparent contradiction that Tails is listed under the "Our Projects" heading of the official web site of the Tor Project, while the Tails devs insist that they are a completely separate entity from and not affiliated with the Tor Project. (At least that's what "Tails" would say in the former forum at tails.boum.org.)

2.) The discrepancy that persists to this day between TBB and Tails with regard to the AdBlock Plus add-on.

Tails includes it in the browser, TBB does not. This, when the overall general trend, from what I can see, has been to MINIMIZE the differences between TBB and the browser within Tails as much as possible.

This would appear to only make sense, wouldn't it? Tor users are already such a small minority of the total number of Internet users that the last thing we should want to do is to divide ourselves into even smaller, more easily fingerprintable sub-groups. And yet, this is exactly the effect of having Tails users browse with ABP while TBB users browse without ABP.

As has been pointed-out before (many times, in fact), there are valid reasons for including an ad-blocker. There are valid reasons for NOT including an ad-blocker. And there may even be valid reasons/arguments -- /in and of themselves/-- for Tails to do one way in this regard and TBB to do the other. But whatever such arguments may be, are they not clearly outweighed by the arguments for uniformity?

May 20, 2014

Permalink

Thanks another time, one most popular O.S from Tails.

Great creation, I always used this.

May 23, 2014

Permalink

I am rather new to all of this, I just found out a deep web existed today. I'm not looking to conduct any criminal ways, only to explore for my own curiosity. Would you recommend that I get this browser? And if so what would I do to set it up properly so that any site i access is anonymous? Thank you

May 23, 2014

Permalink

I have tor 3.6.1 on mac 10.9.3, i updated 2 days ago and i keep getting connection timed out when i try to access any websites. I also tried older version of tor, 3.5.4 and still no luck.

any help will be appreciated

May 26, 2014

Permalink

Running Mac OS X version 10.7.5

Downloaded TOR, installed it, opened it.

Cannot connect to the internet; I get a time-out message after a while.

Previous versions of TOR worked fine on my machine.

Any suggestions?