Tor Browser Bundle 1.3.0 Released

by phobos | January 4, 2010

On December 31, 2009, I released the latest in the Tor Browser Bundle series, 1.3.0. The version bump from 1.2.10 to 1.3.0 is due to the change to Firefox 3.5.6 (from Firefox 3.0.15).

You can get the latest TBB in 12 languages at https://www.torproject.org/torbrowser/

Torbutton 1.2.4 fixes a number of privacy and anonymity issues with the Firefox 3.5.x code base.

The official changelog is:

- upgrade Firefox to 3.5.6
- update Pidgin to 2.6.4
- update Torbutton to 1.2.4

Feel free to file bugs at
https://bugs.torproject.org/flyspray/index.php?tasks=all&project=4.

The original announcement is at http://archives.seul.org/or/talk/Jan-2010/msg00037.html

Comments

Please note that the comment area below has been archived.

January 03, 2010

Permalink

Thanx guys 4 making another tbb . Tor Rocks! i wish there would be a tork software in windows tbb so people can choose which country 2 enter& which country 2 exit. I hope tor project team will take neccesary steps 2 build this on windows.

January 19, 2010

In reply to phobos

Permalink

Hello, I now running a Torbrowser from late last year and would like to know the difference between allowing only Tor and Firefox out the Zonealarm firewall, or in addition allow also the Vidalia and Polipo out the firewall? As far I can see, everything works fine with only Tor and Firefox, and the rest blocked in Zonealarm. Thanks for a good prog!

January 03, 2010

Permalink

Can one update the individual components: Firefox, TorButton and (when applicable) Pidgin within version 1.2.10 and continue using it securely?

Thank you for continued work and dedication.

if you use the same software we do, portable pidgin, yes. Or rather than going through all that, just use the latest bundle which has all of the updates in it.

January 05, 2010

In reply to phobos

Permalink

1.) I think it may be easier to just update FF and my add-ons (NoScript, ABP and Tor Button) than having to install them from scratch, along with all of my personal settings and preferences.

I don’t use Pidgin yet.

2.) I learned the hard way that one needs to disable Tor before updating Firefox or add-ons (or at least before restarting once updates have downloaded).

I wanted to share this for the benefit of others.

3.) Can people assume that barring something unforseen that may occur, it will be safe to update to Firefox 3.5.7 when it becomes available? (and so on, until the next build)

Thanks again for everything. The Bundle is quite impressive.

There is one person working on torbutton. Torbutton may work for Firefox 3.5.7 when it is released, but generally, assuming something may have changed and we need to review the code changes first. This takes time. We're happy to have more help in keeping up with the changes.

January 07, 2010

In reply to phobos

Permalink

Thank you again for replying.

I did not mean to convey impatience or pressure in any way and I’m sorry if you took me that way.

I appreciate the non-profit nature of the project and the dedication of the volunteers who make it possible for and allow anyone to benefit from their work.

I was merely _asking_ whether or not one should apply updates to Firefox and add-ons as they become available.

“assuming something may have changed and we need to review the code changes first.”

Is it just Firefox, then, that one should never update without being certain? What about add-ons? And the other components of the bundle; was I wrong to update Tor Button at the prompting of Firefox before the next bundle had been released? (From your reply, it seems I should _not_ have updated Firefox to 3.0.16 but how was I to know?)

Again, please don’t take this the wrong way; I mean no pressure or lack of gratitude but isn’t this essential, basic information that should be stated clearly and prominently in a place such as the download page itself?

I am certain that I am not alone in not finding this clear at all and in my searching, I actually did come across one or more other posts asking this very question but no answers.

And, finally, if there is a forum that would be more appropriate for questions, it would be much appreciated if someone could post a link to it.

“We're happy to have more help in keeping up with the changes.”

I’m afraid I’m far from having such capabilities.

Sorry if I gave the impression of angst. It was really meant as a statement of fact.

As for updates, it depends how paranoid you are, or need to be, versus being secure with the latest updates. Generally, minor upgrades are safe. Firefox generally doesn't revamp the codebase between 3.5.6 and 3.5.7. Mozilla generally just fixes bugs in minor point releases.

For more paranoid users, read through the changelog to see what fixes were applied and new features added. Sometimes, there are changes that cause torbutton to fail. you may never know about them unless you start parsing the code yourself. Or setting up torbutton in full debug logging mode.

We are working on a forum. It should be ready soon.

Regarding FF extensions and settings: Chuck Baker maintains three FF extensions named FEBE, CLEO and OPIE. Those extensions allow you to back-up your FF environment (FEBE), selectively package extensions (CLEO) and export and import extension preferences (OPIE). This functionality does not work perfectly for all extensions, but it works far more often than not. Baker's tools are invaluable in cloning FF behavior between unique installs, and I highly recommend them for use in a TBB/PFF upgrade.

Regarding FF extensions and settings: Chuck Baker maintains three FF extensions named FEBE, CLEO and OPIE. Those extensions allow you to back-up your FF environment (FEBE), selectively package extensions (CLEO) and export and import extension preferences (OPIE). This functionality does not work perfectly for all extensions, but it works far more often than not. Baker's tools are invaluable in cloning FF behavior between unique installs, and I highly recommend them for use in a TBB/PFF upgrade.

January 04, 2010

Permalink

This comment is unrelated to this post but I am not aware of a TOR forum and I really don't know how to get in touch with your developers.

I just wanted to say that https://check.torproject.org/cgi-bin/TorBulkExitList.py

Is not working correctly. For the past few weeks it has been incredibly unresponsive and often throws out python errors instead of an actual blocklist. I would very much like to host this python script locally but I cannot find any instructions on how to run it and my webhost wont execute it for some reason (although they will execute normal python 'hello world' scripts so that has me baffled).

Just thought I'd let ya know :)

Right. We've been migrating the services from one box to another, and we got stuck half-way through.

Specifically, there are two services involved -- check.tp.o, and exitlist.tp.o. If you put them on locations far apart from each other, it turns out things degrade in surprising ways.

I've put them both back together on the old location for now. Hopefully that won't kill our incentive to move them to the new, more robust location. :)

Thanks!

January 04, 2010

Permalink

1.) What about a GNU+Linux Live CD (or USB Flash) w/ Tor Browser Bundle built-in?

2.) Some strange behavior of https://check.torproject.org I've experienced:

- defaults to
https://check.torproject.org/?lang=en-US&small=1
and displays absurdly tiny text

- will a # of times show a _dif._ IP than sites such as ipid.shat.net , cmyip.com and whatismyipaddress.com

- will sometimes say "Sorry, you are not using Tor", yet nonetheless show an IP I am sure is dif. from my real one.

1) There are a few, the best right now is incognito, http://anonymityanywhere.com/incognito/.

2) this is a font problem between firefox and your system.

3) this is how circuits work, you get different circuits over time, so you should see different IP addresses.

4) yes, it's possible to get false negatives. check is running a standard tor client and the python code checks against the cached-consensus file. new relays that aren't in the consensus can result in a false negative.

January 05, 2010

In reply to phobos

Permalink

1.) Latest Incognito version appears to be June 2009 (beta) yet all Tor Browser Bundle components have been updated several times since then.

I’ve searched but have not found anything else that appears maintained/current.

This seems surprising, when one considers that:
-Tor Browser Bundle is designed for [i]Windows[/i]

- The odds that any given system running Windows is infected with malware are high

- Running TBB from a Live *nix environment would, presumably, circumvent not only any malware that may already be present on the host OS (excluding something like a hardware keylogger, of course) but also the many vulnerabilities inherent to any system running Windows.

2.) Problem seems to be exclusive to https://check.torproject.org ; don’t have it at other sites.

3.) Even when, after refreshing the pages several times, the IP shown at check.torproject.org is still different from that shown by other IP-check sites?

4.) Does that mean that even when https://check.torproject.org says
“you are not using Tor", as long as:
a) the IP shown is not the one from one’s ISP (or LAN, etc.)
and
b) one is not using any other proxy,
one is, in fact, using Tor?

Thank you for the detailed reply and all your work on the project.

1. Incognito is maintained by volunteers. They are happy to have additional help. I believe they are switching the base operating system from gentoo to debian or ubuntu for future releases. This is why not much has come out lately.

2. Tor Browser Bundle was not designed for Windows. Someone funded us to make TBB work on Windows, so we did it. There is a TBB for Linux set of patches in svn, undergoing testing, and will eventually be maintained equivalently to the Windows TBB. There's also the start of a TBB for OS X.

Building and compiling the software is one thing, doing the research to see what risks are created, and what signatures are left behind is far more intensive. We're not going to ship anything for linux nor osx until we know what is left behind. We'll work to minimize traces and then work to remove them on exit of the app.

3. Circuits rotate. This is why your exit IP shows up different for each refresh over time. Different sites may get pushed to different circuits, so the IP address the site reports will be different.

January 07, 2010

In reply to phobos

Permalink

I appreciate the detailed reply and took note of the explanation, clarification and corrections it contained.

I am grateful for the work of the all the volunteers and, as with my previous posts, I did not mean to complain or pressure but was merely _inquiring_ and expressing some thoughts and concerns.

I realize it is probably beyond the scope of this blog to elaborate in detail but perhaps someone could just clarify whether or not there is a way to safely use Incognito or a similar distro at this point. Presumably, one would need to update all of the individual components?

Perhaps someone can provide a link for more information on this.

Thank you again (to all).

NOTE: The system ignored all paragraph breaks in my previous post. I therefore added two extra lines b/w each paragraph to this post.

updating incognito is a plausible step if you are already familiar with building your own linux distribution. If not, it's safer to wait.

My point about the volunteers running incognito isn't to apply pressure, it's just that we're dependent on them to update the software. In a perfect world, we'd have this automated, so all updates magically rolled into incognito every night and a shiny iso was waiting for download in the morning.

January 07, 2010

In reply to phobos

Permalink

"...it's safer to wait. "

Then is it reasonably safe, anonymity-wise, to use the latest currently available version of Incognito as-is?
......

"In a perfect world,"

Reminds me of those Walgreen's commercials...

Would appreciate any comments on the relative safety/security of using the current Incognito release- now over six months old.

Thanks.

January 05, 2010

Permalink

你们为世界的信息自由做出了很有意义的贡献!
祝贺你们的成果同时感谢你们!

January 07, 2010

Permalink

Thanks for having the new version ready before the end of support for Firefox 3 and for all your work.

A problem I've had a lot when using 1.2.10 is that my posts to forums, including this one, do not appear -- even with multiple page refreshes-- until much later.

I know it has to be a problem w/ something in the TBB, because the same posts do appear immediately when using FF without Tor or even sometimes when using a web-proxy via FF _within_ TBB.

January 07, 2010

Permalink

Anyone have any comments on Xb Browser (formerly TorPark) and how it compares with TBB?

What about OperaTor (besides the obvious dif. that it uses Opera and not FF)?

Also, any way to improve the Captcha? Can be very hard to decipher.

January 13, 2010

Permalink

I'm having issues with random crashes and unexpected proxy timeouts with the new bundle on Windows. I simply had to revert to the version based on Firefox 3.0.13. What seems to make things go haywire is when changing the referer-settings in Firefox.
When I change the environment variables (about:config) to:
network.http.sendRefererHeader;0
network.http.sendSecureXSiteReferrer;false
...the browser either crashes on exit or starts with Tor button diable the next time the browser/bundle is restarted. The value of:
extensions.torbutton.disable_referer;true
doesn't seem to have any effect on preventing refferer data to be sent (according to torcheck.xenobyte.eu).

It seems to me that something is wrong with the browser (3.5.6) in the new bundle.
Are the above problems known issues?

January 13, 2010

Permalink

Hello, I am running Windows XP and there is no run option once I download this update...there is only a save option and then the eventual "open with" selection. What am I supposed to open the download with? Thanks

January 13, 2010

Permalink

Yeah I'm running Windows XP as well and have FireFox. Personally, I don't think Tor is a stable platform to run on windows XP. I downloaded it/ran it and it crashed my computer (blue screen of death) multiple times before I was able to get it up and running again. I've read in other forums that loads of people running xp cant seem to keep this program stable. I'm not saying there are not you lucky few that can get it to work I'm just saying more people can't get it to work as advertised. As for me; thanks but no thanks. Don't know what else to tell you bro, do an update on your xp and maybe you can download tor. You do have to save the file but you should also be able to open the file as well; there should not be "open with" when opening. Good luck, I hope it works for you.

Tor or any of the browser bundle programs should not crash your Windows computer by themselves . If you get blue screens, check for:
1) bad RAM
2) hard disk errors
3) viruses or other malware
4) leftover or badly behaving security software
5) missing Windows updates

Having used the Tor browser bundle for a month or 2 with no issues I am now frustrated as it always crashes my PC, not just a program crash bur full blue screen death. I have followed the check list above and updated to the latest version of the Tor browser but it still happens always a few seconds after firefox starts up. I can only think it is conflicting with a program I have recently installed, thats would be some canon printer software, a flash player update and ooVoo, but they shouldn't make Tor crash my PC. It was all working fine 2 weeks ago. I have windows 7 home premium, fully up to date on an acer 4810TGZ laptop

This is odd, because I do all the development and testing on Windows XP SP3. I personally bought and donated the WinXP licenses to Tor. Microsoft recently donated Windows 7 to us, but it comes with some draconian legal agreements we're not happy about; so we may return the donation.

January 14, 2010

Permalink

Dear Tor developers, do you consider porting Tor to android mobile? When will it be available in Android Market for downloading :? Thank you for contributions to the great Tor.

January 23, 2010

In reply to phobos

Permalink

____begin paragraph____

I meant the way it gives the version for _Tor_ itself and not for _TBB_, despite identifying the download on the left as,
"Tor Browser Bundle for Windows
(Contains Tor, Vidalia, Torbutton, Polipo, and Firefox)"

___end paragraph_____

____begin paragraph_____

Also, is there a reason why that URL ( http://www.torproject.org/download.html.en ) is not SSL/https?

Wouldn’t that be more secure?

___end paragraph____

____begin paragraph____

Regarding posting to the blog:

1.) Has anyone else found that lines and paragraphs do _not_ "break automatically" in their posts?

___new line___

2.) I would also like to add to a number of other comments I've seen regarding the CAPTCHA; it is one of the most difficult to decipher I've ever seen.

_____end paragraph____

___new paragraph___

Please don’t take any of my comments or questions as implying a lack of appreciation for all of the work and dedication on behalf of all who make Tor and its related projects possible.

___end paragraph____

January 20, 2010

Permalink

thanks for your noble efforts. Will you consider creating a blacklist feature that prevents visits to specified websites unless Torbutton is active? That would prevent slip-ups by users.

No. For the same reason Internet censorship by domain names and Ip addresses is a futile task, blacklisting the bad is the same sort of task. It won't work, and sites you may trust get infected and then you've lost.

January 21, 2010

Permalink

Why is JavaScript enabled in Firefox by default?!

And why is automatically check for updates disabled?

And, in both cases, aren't these settings a reversal from the previous TBB release?

Thanks for all the work.

Javascript has always been enabled. Torbutton protects from all known javascript-enabled privacy exploits.

Automatic updates are disabled because they be used to de-anonymize you.

These are consistent with past releases.

January 21, 2010

Permalink

http://archives.seul.org/or/talk/Jan-2010/msg00161.html

You should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha:
https://www.torproject.org/download.html.en

In early January we discovered that two of the seven directory
authorities were compromised (moria1 and gabelmoo), along with
metrics.torproject.org, a new server we'd recently set up to serve
metrics data and graphs. The three servers have since been reinstalled
with service migrated to other servers.

We made fresh identity keys for the two directory authorities, which is
why you need to upgrade.

October 03, 2010

Permalink

Hi I may be missing something but when I download tor and try to start it the control panel opens but then freezes and will do nothing. I have the same tor on another computer and it works. What am i doing wrong

October 11, 2010

Permalink

I've been using vidalia with pidgin and firefox portable for some time but since my office moved I can not use tor. I've been searching for some time now still couldn't find the solution to problem bootstrapping stuck at 10% even latest version doesn't work anybody who can help?

Eki 06 11:06:31.152 [Notice] Tor v0.2.1.26. This is experimental software. Do not rely on it for strong anonymity. (Running on Windows XP Service Pack 3 [workstation] {terminal services, single user})
Eki 06 11:06:31.152 [Notice] Initialized libevent version 1.4.13-stable using method win32. Good.
Eki 06 11:06:31.152 [Notice] Opening Socks listener on 127.0.0.1:9050
Eki 06 11:06:31.152 [Notice] Opening Control listener on 127.0.0.1:9051
Eki 06 11:06:31.152 [Notice] Parsing GEOIP file.
Eki 06 11:06:55.295 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 1; recommendation warn)
Eki 06 11:06:55.311 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 2; recommendation warn)
Eki 06 11:06:55.311 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 3; recommendation warn)
Eki 06 11:06:55.311 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 4; recommendation warn)
Eki 06 11:06:55.389 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 5; recommendation warn)
Eki 06 11:06:55.389 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 6; recommendation warn)
Eki 06 11:06:55.389 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 7; recommendation warn)
Eki 06 11:06:55.389 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 8; recommendation warn)
Eki 06 11:06:55.389 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 9; recommendation warn)
Eki 06 11:06:55.389 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 10; recommendation warn)
Eki 06 11:07:16.235 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 11; recommendation warn)
Eki 06 11:07:16.235 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 12; recommendation warn)
Eki 06 11:07:16.235 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 13; recommendation warn)
Eki 06 11:07:16.235 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 14; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 15; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 16; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 17; recommendation warn)
Eki 06 11:07:16.376 [Notice] Bootstrapped 10%: Finishing handshake with directory server.
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 18; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 19; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 20; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (Socket is not connected [WSAENOTCONN ]; NOROUTE; count 21; recommendation warn)
Eki 06 11:07:16.376 [Warning] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 22; recommendation warn)

February 23, 2011

Permalink

I have had the green onion for years, thinking I was anonymous. I wasn't. My assumption was negligent. Tor had only established 3 "things" out of 5 needed. So I'm going to uninstall all the old TorVidaliaPrivoxy stuff and put the latest bundle in. Can I be assured that it will work now, for a dummy, (i can see the future but crap at maths)?
Auz
(@bigstring.com)

March 09, 2011

Permalink

I like Tor. I run as a relay. I start up with the Firefox browser. But when I close Firefox, sometimes by mistake, then the relay stops working too.
Is there a way to keep on relaying, when you close down Firefox?
I can't seem to find that solution anywhere.
Cheers.

The behavior you're experiencing with Firefox is because you're using the Tor Browser Bundle. If you prefer not leaving Firefox open, you could instead install the Vidalia bundle. That bundle assumes that you have your own Firefox install.

May 17, 2011

Permalink

I was using the Tor Browser Bundle successfully for a few weeks, suddenly today when I load it as soon as firefox is launched my PC CRASHES , FULL BLUE SCREEN DEATH. WHICH I HAVN'T SEEN SINCE WIN 98. I have checked the disc , ran malware scans , updated windows,updaded the Tor browser bundle TRIED RUNNING FROM A USB DRIVE but it still crashes, not just the programme but the whole OS, I dont get it, it was running fine a week ago, I use win 7 home premium , on an ACER 4810TGZ LAPTOP

April 03, 2012

Permalink

so been using tor here and there using tor browser bunsle always rember to update if itsneeded and so on today it wil not connect to tor or it open the starup that s check ok then mini firefox starts up and when the you are connected to tor is to come up nothing it just loads for a couple of mins then before it states connection runned out . i even try'd to delete the folder were tor bundle is in and install it again but no luck ... any help would be helpfull because i'm just clueless on whats wrong ...