Tor Browser Bundle 3.5rc1 Released

by mikeperry | December 13, 2013

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encouraged to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, it will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213: Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

Comments

Please note that the comment area below has been archived.

December 13, 2013

Not a good idea to deprecate the older TOR Bundle versions. Numerous of us NEED Vidalia and its functionalities to ban various nodes that run 'filtering' software and therefore keep us from getting to perfectly legal content in our country of origin.

You don't need Vidalia for excluding relays. That's done with Tor. You can edit the torrc in tbb3 as easily as you can edit it in tbb2. (I'll grant you that Vidalia has a somewhat graphical way to edit the torrc file, but it's mostly broken and has been no end of headache for us.)

As for whether it's a good idea to deprecate the older bundles, we're working hard to keep up with Firefox versions as they change, and we don't have the cycles to keep that many different bundles going. Perhaps somebody else wants to maintain them?

Seems like the better answer is for somebody to write up some instructions on how to attach your Vidalia binary to your TBB3.5 Tor.

December 13, 2013

Hello.
I have been having a problem with running the new 3.5 browser bundle. First time I used it, it connected to the network, but I noticed that I couldn't access some websites (getting a 403 error) and one example was www.trisquel.info
No matter how many times I would use torbutton's new identity option, it would always give me the same results. Using the 3.0 browser all worked ok. I decided to delete the folder of 3.5 and use a new extract. Now I can't get the browser to load anymore. It always gets stuck in the "loading relays" part.
So... any chance you guys know what is going on??
I know this sounds weird, but it's the truth =/

December 13, 2013

TBB 2.x - features of 2nd generation of Tor application environment, TBB 3.0 - features of 3rd generation based on Firefox 17esr, 3.5 - features of 3rd gen based on Firefox 24esr and (maybe) Firefox 31esr. Hope I understand the version naming logic right.

What do you mean by repositories?

It's on archive.torproject.org right now because it's so big (with all the translated versions) and we haven't set up our main website to be able to handle so many big files. Eventually (when it replaces TBB 2.x), I hope it'll be in a more traditional place.

If you mean "debian repositories", see the various trac tickets on the topic, e.g.
https://trac.torproject.org/projects/tor/ticket/3994

December 15, 2013

In reply to arma

In the documentation you provide instructions how to install Tor on Debian/Ubuntu:
https://www.torproject.org/docs/debian.html.en#ubuntu

The repo is:
deb http://deb.torproject.org/torproject.org (DISTRIBUTION) main

It would be a nice way to distribute and update TBB via your own repositories - easy and fast updates, and packages signature is checked automatically. I asked about Debian repos under your last blog post and concluded that only Debian Stable has up-to-date security updates. They only recently (2-3 days ago) updated Iceweasel from 17.0.9 to 17.0.10 in Testing branch. Firefox is today the main vector of attack for most exploits and keeping it updated is crucial. Unfortunately this is not possible in Debian Testing, so your own repository would help (of course if you have resources).

Is it just me, that isn't able to verify 'sha256sums.txt',....

Follow these steps:

1. Import Mike Perry's keyfile whose fingerprint is C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC

(In one of Tor's web pages, it is stated that Mike Perry is responsible for signing TBB 3.x series)

2. Surf to https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/ and download the following files: sha256sums.txt, sha256sums.txt.asc and sha256sums.txt.mp-asc

Do not forget to download the TBB corresponding to your OS.

3. Verify sha256sums.txt.mp-asc against sha256sums.txt

December 14, 2013

Downloading TBB 3.5 rc1, I have to notice that the PDF.JS addon is still missing. What a pity! Will it come back one day?

https://blog.torproject.org/blog/tor-browser-bundle-30rc1-released says
"Unfortunately, we have decided to remove the PDF.JS addon from this bundle, as the version available for Firefox 17 has stopped receiving updates. Built-in PDF support should return when we transition to Firefox 24 in the coming weeks."

See also https://trac.torproject.org/projects/tor/ticket/7501

December 15, 2013

In reply to arma

TBB 3.5 rc1 already uses Firefox ESR 24.2.0. Does this mean, that the installation of PDF.JS addon has failed?

It seems that TBB 3.5 rc1 already includes PDF.js, but whether a given PDF is displayed in-browser by PDF.js or whether Torbrowser displays the download/open-with-external-program dialog seems to depend on the HTTP headers sent by the server; e.g. if there is a "Content-Disposition: attachment" header, then Torbrowser won't display it with PDF.js.

December 14, 2013

Torbrowser 3.5 is still unable to access some websites (apparently something to do with project honeypot, as it directs to that website).
Any idea why?

Most likely this is a case of certain websites treating Tor exit relays specially. That's a problem with the Tor network, but not a problem with TBB 3.5 in particular (i.e. it would be a problem with earlier TBB's too).

December 14, 2013

Thanks Tor and Tails developers for your hard work, but.....

Does Tails 0.22 contain the updates as described in the changelog of Tor Browser Bundle 3.5rc1?

If it does not, I would strongly recommend users of Tails 0.22 to switch to the stable release of TBB 3.5 when the latter is available for download later this month.

P.S.: I just wish that there is more co-ordination and co-operation among Tor and Tails developers. I am currently using Tails 0.22 but will switch to TBB 3.5 (stable) as I suppose the latter contains the latest bug fixes and better anonymizing components.

Tails 0.22 contains the development state TBB 3.5 RC was in a few days before the Tails release 11 December. The Tails developers were communicating with Mike Perry (TBB developer) to coordinate the migration, see tails-dev mailing list archives.

As for you in Tails switching to TBB 3.5 FINAL when it is released, I would recommend against doing so unless a critical security issue is found in the version in Tails. Tails doesn't use TBB as is, and if you try to run vanilla TBB in Tails, this may accidentally disable some of Tails' anonymity/security features without you noticing.

I would recommend against doing so unless a critical security issue is found in the version in Tails.........

Thank you for taking the time to clarify my doubt.

December 14, 2013

How do I make it use a new identity without it also getting rid of everything I'm looking at? the trayicon used to let me do that but it appears to be missing.

December 16, 2013

In reply to arma

So I'll just have to keep using an older version and hope javascript being disabled is enough.

But what is the exact security problem with not throwing everything away? Is it only a problem if javascript is enabled (which of course it shouldn't be)?

Agree that this was not a step forward.

Suggestions on using telnet to connect didn't help me (tried connecting to the control port, tried fiddling with the config file, no use, all that happened was the damn thing closed the connection as soon as I tried to type anything), and I didn't run across the suggestion to use Vidalia.

My suggestion would be to simply 'fix' the 'New Identity' button in TorButton to work the way people who actually use it think it should work. Pretty simple.

  • Go to the 'Data\Browser\profile.default\extensions' directory.

  • Rename 'torbutton@torproject.org.xpi' to 'torbutton@torproject.org.zip'.

  • Unzip this file in the extensions directory. Using the file name as the directory name might be necessary for this to work. Your zip program will probably do this automatically.

  • Go to the 'torbutton@torproject.org\chrome\content' directory.

  • Open the 'torbutton.js' file, and search for 'function torbutton_do_new_identity()'. A '{' follows this text. Add the text '/*' after the '{'.

  • Search for 'torbutton_log(3, "New Identity: Sending NEWNYM");'. Add the text '*/' just prior to this text.

  • Search for 'torbutton_log(3, "Ending any remaining private browsing sessions.");'. Add the text '/*' just prior to this text.

  • A little bit further on in the file there will be the text '// Close the current window for added safety' then 'window.close();' Add the text '*/' just after 'window.close();'.

  • Save the file and launch the TBB. You're done.

I would suggest using Notepad++ rather than Windows Notepad for this, as it makes it a lot easier to see what you're doing.. but even without using Notepad++ it's just a couple minutes work all up.

That sounds a lot more difficult than setting "ControlPort 9051" in torrc and running

#!/bin/bash
(echo authenticate '""'; echo signal newnym; echo quit) > /dev/tcp/localhost/9051

But whatever works for you, go with it :)

December 14, 2013

sha256sums.txt signed with key 0x1E8BF34923291265... Is this a new signing key?

$ gpg --verify sha256sums.txt.asc
gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
gpg: assuming signed data in `sha256sums.txt'
gpg: Signature made Thu 12 Dec 2013 03:10:16 PM UTC
gpg: using RSA key 0x1E8BF34923291265
gpg: Can't check signature: public key not found

    sha256sums.txt signed with key 0x1E8BF34923291265... Is this a new signing key?

    Follow these steps:

    1. Import Mike Perry's keyfile whose fingerprint is C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC

    (In one of Tor's web pages, it is stated that Mike Perry is responsible for signing TBB 3.x series)

    2. Surf to https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/ and download the following files: sha256sums.txt, sha256sums.txt.asc and sha256sums.txt.mp-asc

    Do not forget to download the TBB corresponding to your OS.

    3. Verify sha256sums.txt.mp-asc against sha256sums.txt
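
The three verification steps given in the two replies above, carried one step further to the hash check of the bundle itself, as an added shell example that is not part of the original comments or the Tor Project's tooling. It assumes GnuPG and GNU coreutils' `sha256sum`, that the signer's key has already been imported, and that the fingerprint is the one quoted in the comment; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not Tor Project code): check a downloaded bundle against the
# signed sha256sums.txt. Function names are hypothetical.
# Usage: run with the bundle file as the only argument, in the directory that
# holds sha256sums.txt and sha256sums.txt.mp-asc.
set -u

# Fingerprint as quoted in the comment above, with the spaces removed.
SIGNER_FPR="C963C21D63564E2B10BB335B29846B3C683686CC"

# validsig_matches FPR
# Reads `gpg --status-fd` output on stdin and succeeds only if a VALIDSIG line
# names FPR as the signing key or as its primary key. VALIDSIG means the
# signature verified; pinning the fingerprint is what ties it to one signer.
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# verify_signature SIGFILE DATAFILE FPR
# Detached-signature check. A missing public key (the "public key not found"
# case shown above) or a bad signature produces no VALIDSIG line, so it fails.
verify_signature() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | validsig_matches "$3"
}

# check_listed_hash SUMSFILE PACKAGE
# Looks up PACKAGE by file name in a sha256sum-format list and compares the
# listed digest with the digest of the file on disk.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
check_listed_hash() {
    local sums="$1" pkg="$2" name want got
    name=$(basename "$pkg")
    # Line format: "<hex digest>  <name>"; tolerate a "*" binary marker and a
    # leading directory in the listed name.
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^.*\//, "", f) }
        f == n { print $1; exit }' "$sums")
    if [ -z "$want" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    got=$(sha256sum "$pkg" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

main() {
    local pkg="$1"
    # Order matters: the hash list is only worth trusting once its signature
    # has been verified against the pinned fingerprint.
    if ! verify_signature sha256sums.txt.mp-asc sha256sums.txt "$SIGNER_FPR"; then
        echo "sha256sums.txt: no valid signature from $SIGNER_FPR" >&2
        return 1
    fi
    if ! check_listed_hash sha256sums.txt "$pkg"; then
        echo "$pkg: digest does not match signed sha256sums.txt" >&2
        return 1
    fi
    echo "OK: $pkg matches the signed sha256sums.txt"
}

# Only run when a bundle file name is given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
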

    December 14, 2013

    torbrowser-install-3.5-rc-1_en-US.exe

    Why is this called a bundle when Vidalia is not included in the package?

    December 17, 2013

    In reply to arma

    To: arma or any Tor developer

    You wrote: Because there's a browser and a tor. That in essence is what a Tor Browser Bundle is

    My question: There's no Vidalia in TBB 3.5rc1. So how do I change to a new identity?

    Click on the green onion in your TBB's taskbar, and select 'new identity'.

    Be careful though, since it will close your current tabs -- that's part of how it keeps you safe, but it's also surprising the first time it happens.

    December 20, 2013

    In reply to arma

    It also decreases the bundle's functionality a lot. It's poor design not to have a work around or a quick way to save the open tabs.

    Right click the tab bar, click "Bookmark all tabs", choose a name, "New Identity", then right click the folder, "Open in all tabs". Again, even this is bad for anonymity because it can repeatedly associate the same URLs with a single circuit.

    Lots of repeat questions, too, it /is/ (many for which the answers could have been found in no more than a few minutes of reading/searching)

    December 15, 2013

    Hi, when I open Tor 3.5, it links to instructions on setting up a relay. Yet, the instructions tell me how to use Vidalia to do that.

    How do I run a non-exit relay without Vidalia? Can I do that?

    I've searched around for an answer to this, but have found nothing.

    December 15, 2013

    people, could someone PLEASE explain why is it that TBB3.5 can't access www.trisquel.info

    I have tried countless times now!
    On the upper hand, this version seems to be working all right, and it's very fast. NoScript and HTTPSEverywhere are working fine, no problems here. Only problem is the fact that I can't access some pages.... Like trisquel.info =(
    Any help??

    December 16, 2013

    In reply to arma

    But I am able to access the website using the older versions of TorBrowserBundle.
    I don't want to say that it's impossible to be their fault (they sometimes are a real pain in the ass) but it seems to be also a problem with the new version :S

    I think it's a coincidence that you happened to get an exit not on their blacklist while using the older TBB version.

    http://ioerror.us/bb2-support-key?key=d453-9712-2b02-1b1f

    "Your IP address appeared on the third-party Project Honey Pot list as a source of spam or other malicious activity.

    To resolve this problem, first clean your computer of viruses and other malware. Then, click the link below to visit Project Honey Pot and request removal of your IP address."

    Trisquel is outsourcing their "who should I refuse to serve my website to" decisions, and it seems they made a poor decision.

    If it's not a coincidence, it probably has to do with the fact that the old TBB used an older Tor version, which may have an impact on which exit nodes Tor chooses. They are probably blocking based on an exit list for the newest version.

    December 16, 2013

    What's the reason for Vidalia in TAILS - no problem ?
    Vidalia in Windows - RECENTLY big problem ?

    Now TBB 'needs' NO Vidalia, why was it 'necessary' in the past ?
    I thinks it's more than necessary if .....somebody aren't trust routes
    like US-US/DK/SW-US, SW-RU-US/DK, RU-x-RU, FR-US-FR etc.. arm is not graphical enough for most. Without this Tor users are 'blind'. Desired )-:?

    But the big question is: Why no? problem in Tails, Why -recently- not in TBB ?

    In TAILS closed Control Port=no NewNym in Torbutton problem is solved ?
    Respectively every close Browser-open Browser now DON'T open connection
    to check.torproject.org? Would be really nice. Have not test it yet.

    "[...]problem is solved?[...]"

    lol NO, unfortunately not.
    It's really little bit strange TAILS/amnesia is for best near anonymous communication
    and in TAILS you cannot use the normal New Nym function of Torbutton.
    When you try simulate New Identity in Torbutton you must close Browser,click New Identity in Vidalia and open (new) Browser.
    RESULT: Connection to check.torproject.org:443 ........every time i need New Identity
    ..........can somebody explain why?? :-o
    And HARDCORE: there is no normal way to stop this.
    If you are no Linux crack and try the normal way like look to about:config,about:support+user.js/prefs.js(extensions.torbutton.versioncheck_enabled:false is nonpersistent after Browser/session close), gksudo in etc-iceweasel;no way.And why you cannot change user.js in SquashFS with gksudo?
    Really strange. And annoying.

    TBB without Vidalia is another ......funny story.

    December 16, 2013

    When TBB 3.5-RC1 goes stable, what is the suggested course of action for those of us with Tor Browser Bundle v2.3.25-15 set up as bridge relays?
    I mean we still want the client (browser) functionality but cannot afford a dedicated IP/server to run a Tor node.
    Will we still be able to contribute to the network with Tor Browser Bundle somehow?

    By the way, v3.5 is blazingly fast!
    Congratulations and thank you all for your ongoing efforts :-D

    December 16, 2013

    The "Cookie Protections" option on the tor browser button no longer seems to list any cookies ever. Though the "Remove All But Protected" button on that dialogue is clickable (even when you've just started and shouldn't yet have any cookies). I've dug through Firefox's settings to search for cookies and can't find any there either, despite extensive browsing which should result in plenty of cookies.

    Issue is with tor-browser-linux64-3.5-rc-1_en-US.tar.xz (just in case not all os/lang have the problem)

    December 16, 2013

    This update is not yet reflected on the torproject page. Please update, thank you <3

    December 17, 2013

    This is entirely unrelated but has anyone noticed CloudFlare increasing its blocking of Tor exit nodes recently? It's almost impossible to access any CloudFlare site over Tor without entering in a CAPTCHA now. Fucking hypocritical dumbass web community claiming to be so worried about NSA surveillance while constantly trying to hobble the best tool we have against it.

    December 17, 2013

    I have just download torbrowser-install-3.5-rc-1_en-US.exe and verified using the usual GPG verification methods. No problems with the verification.

    However upon double clicking it, it wanted to install itself on my PC. Horror of horrors! I quickly clicked Cancel.

    Why can't it just extract its own contents like tor-browser-2.3.25-15_en-US.exe?

    As we all know, tor-browser-2.3.25-15_en-US.exe does NOT install on any PC. You just extract its contents and one of those contents is the start tor browser.exe for you to double click in order to launch Tor. I hope Tor developers keep to this method of launching Tor.

    We watched many Windows users click on TBB, and select 'open' rather than 'save'. Then everything worked great, but when they wanted to run it a second time, it was nowhere to be found (since they never saved it anywhere).

    So for Windows we now have a simple installer that simply unpacks stuff and sticks it into the self-contained directory, just like before. I would hope that it encourages you to "install" it in about the same place it used to go. If not, please help us make that part more obvious for Windows users!

    December 17, 2013

    It would be nice to include an https-everywhere rule for tor.stackexchange.com, now that that site supports https.

    December 18, 2013

    I wish to thank Tor for setting up tor.stackexchange.com

    At present Tails maintains a mailing list of subscribers. The latter ask questions and have their answers delivered via the aforementioned mailing list.

    Since Tails is mentioned as one of Tor's projects on Tor's homepage, it would be good if tor.stackexchange.com includes a separate section solely to deal with Tails' users' questions. What I mean is Tails can migrate the mailing list to tor.stackexchange.com

    IMHO my suggestion makes for a more efficient and productive way for both Tor and Tails. (Some of Tails' users' questions are basically about Tor and if the Search function on tor.stackexchange.com site is efficient, the users are recommended to search for answers already posted.)

    Pooling of both Tor's and Tails' resources is highly recommended.

    The Tails folks are welcome to encourage their users to use the tor SE. I agree with you that it's on-topic and would be helpful on both sides.

    That said, people also have some reasonable concerns about the privacy policies, logging policies, etc of the SE websites. So I can understand why they hesitate.

    I suggest you propose it to the Tails people, which is not the same as adding a comment to a blog post about TBB. :)

    December 18, 2013

    Why is the Tor 3.5 series not easily found on the main Tor website (you have to know the browser directory)? By default they want to serve up Tor BB 2.3 and if you jump a little you can get to Tor BB 2.4 RC1.

    Are there any reasons to stay with 2.x series? If 3.x looks stable get it some more attention. If there are reasons give a little matrix on the page explaining when one would want one vs the other.

    December 18, 2013

    Constantly removing functionality is just going to make users stick to old and less secure versions. What is "not safe" or "useless" in your academic discussions may not be so in every context, or the safety risk may be offset by another problem the user needs to solve.

    For example, plenty of exit nodes ironically originate from countries that block certain websites. If I want to visit one of these websites and Tor happens to pick a circuit with an exit node that blocks it, then in this new TBB my choices are to wait ten minutes or to erase my entire browser session.

    This is just one example of Tor becoming less useful over time, a process which started with the release of the original browser bundle and has continued since. Casual users who want to visit the "deep web" once to see if there are really secret alien drug dealing child porn stars and the mythical Syrian rebels who only use Tor once a month when they get injured on the battlefield are being promoted over habitual users who want to preserve their privacy consistently and aren't afraid to learn a bit about how Tor works. You're consistently pissing off the exact audience that knows Tor, might like to contribute to it, and will defend it from threats.

    This new Tor Launcher is frankly uglier and less inviting than Vidalia too for any type of user. I don't understand why a superior program was replaced with an inferior version.

    Things that really need to be changed:

    1. Let users restart Firefox (after it has crashed) without reconnecting to the Tor network. Firefox will always be buggy so this is completely necessary. This was easy to do before Tor Browser was made to exit if not started from the main bundle executable.

    2. Give us Vidalia back or an adequate substitute. Using Tor in practice is a frustrating gauntlet of IP blocks, CAPTCHAs, CloudFlare error pages, and exit node censorship. A little circuit control eases the pain. It would be even better if we could have .exit back and if users could pick the circuit their next connection would run through.

    3. If you're not going to make it easier to run multiple copies of TBB on the same computer then at least quit making it harder. I could change the ports on the old one but this one just won't play nicely.

    These would be small steps toward restoring the large amount of functionality that has been slowly stripped from Tor and TBB over time. Please consider wrapping warnings around features you think are dangerous instead of just outright yanking them. It makes TBB jarring to use. I am a BTC early adopter and would probably donate a good amount to Tor but not with the way it's been going.

    Sorry for the rough edges. I used to agree with you about using my own browser, until I read https://www.torproject.org/projects/torbrowser/design/ and https://www.torproject.org/torbutton/en/design/ and then read some of the NSA's leaked slides, e.g. see my quotes in http://arstechnica.com/security/2013/10/how-the-nsa-might-use-hotmail-o…

    Now I am a strict TBB fan. :)

    1) If your Tor Browser crashes, restart it. It shouldn't be much extra effort for its Tor to reconnect.

    2) Here's the Vidalia workaround: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

    You can get .exit back by setting "AllowDotExit 1" in your torrc. But take note of the sentence in the man page, "Disabled by default since attacking websites and exit relays can use it to manipulate your path selection."

    3) https://trac.torproject.org/projects/tor/ticket/10439

    Hope that helps!

    December 18, 2013

    what about different online games, videos and a lot of what things that 'really push it to the limits?' Previously its said additional plugins needed to perform 60% of things i have done. It turns into some issue again or endlessly usually. It is like the whole thing... just running in circles.

    December 18, 2013

    The connection has timed out

    The server at check.torproject.org is taking too long to respond.

    The site could be temporarily unavailable or too busy. Try again in a few
    moments.
    If you are unable to load any pages, check your computer's network
    connection.
    If your computer or network is protected by a firewall or proxy, make sure
    that TorBrowser is permitted to access the Web.

    Do you have same problem?

    December 18, 2013

    I haven't used 3.5.x yet, but I think dumping Vidalia is a mistake, unless its functionality has been replaced elsewhere in the package, which it sounds like it hasn't.

    It's important to have visual access of what's going on with this kind of software and it's a good thing to see a list of nodes and countries so people can make decisions about whether to use a particular exit node if they have to. The more the end user can see about how Tor is working the better.

    Also it was useful sometimes to create a New Identity with Vidalia rather than the FF Tor button, as it kept cookies etc (Useful if you wanted to keep your session, but the connection was horrible that time)

    Editing torrc files is a giant leap backwards and just effectively makes the information invisible.

    Also disagree with dumping the Torcheck page. Again, what you're doing there is sacrificing assurances and feedback that the software is working to the user for sake of your own convenience.

    Don't wish to be nitpicking but sometimes people involved with the FOSS movement don't have a great sense about usability and about software giving the user feedback, satisfaction and trust. And this isn't GIMP or something, but a really important piece of software where it is vital that the user can see and feel that the software is working in a way that suits the user, and what small changes can be tweaked, can be tweaked from within an accessible GUI.

    Agreed totally. All of these 'improvements' might have seemed like improvements to the TOR makers themselves, but if they would have discussed with users, they would have found that getting rid of portions of these things is a heap big bad idea.

    For the Vidalia workaround, see
    https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…

    I'm really pleased to get rid of the Tor Check bottleneck,

    a) because when the website got overloaded all our users freaked out,

    b) because it sometimes gives false positives:
    http://tor.stackexchange.com/questions/190/why-does-check-torproject-or…

    c) because using a remote website actually allows some cool subtle attacks where a local network adversary can trick you:
    https://lists.torproject.org/pipermail/tor-talk/2013-November/031225.ht…

    and d) because loading a local homepage makes startup a lot faster (and makes it feel a lot faster too, since otherwise you're racing the Tor directory bootstrapping connections with your check.tp.o connection, so performance is even worse than it will be once you're done bootstrapping).

    (The Tor Check page is still there. It's even linked from the new about:tor page. Feel free to use it.)

    "And this isn't GIMP or something, but a really important piece of software"

    Oh, so GIMP is just chopped liver to you?

    What about all the people who depend upon the functions that GIMP provides?

    December 18, 2013

    Disappointed that the TOR Browser 3.5 does not include Vidalia nor an easy way to run Vidalia with it. I have to blacklist NUMEROUS TOR nodes because they are doing filtering of perfectly legal stuff in my country that is banned/blocked overseas (though is controversial enough in my country that I want to obfuscate that I am accessing it) that I need something like Vidalia to control nodes.

    Same here. I thought about doing it in about:config but yet again I have no clue which of that should I disable. I think it's a bad move to remove the "disable java script" option from the settings. Why you do this?

    December 18, 2013

    It's quite disappointing to see the developers have made it so hard for the average Joe to run a relay or an exit relay. I see there are different packages available with Vidalia for people who want to run a bridge or relay but there's no browser included in those packages and if you want the browser, there's no easy way to run a relay.

    This will effectively reduce the number of available relays for the community and slows the growth of the community as a whole.

    I'm slightly above the average Joe and have replaced the torrc file with my old torrc and I think I'm running an exit relay as before but still, I have no confirmation as to whether it's working or not. If I'm having trouble figuring it all out, I can't even imagine what the average Joe will have to go through in order to contribute to the community and not just be a user.

    December 24, 2013

    In reply to arma

    I agree, that's a start, but I also have to say nothing beats a single application that upon running would pop up and ask the user: "Would you like to help the community by becoming a relay? Yes / No ".

    Perhaps you can bundle both together in one downloadable file and if the user says Yes to the question, Then the Vidalia relay bundle would start after TBB. If the answer is No, then the relay portion wouldn't run at all.

    It would be nice if we strove to achieve that level of ease.

    Thanks for listening.

    December 21, 2013

    In reply to arma

    When you open a FTP connection, sometimes you are fortunate enough to have your exit router handle both connections, but sometimes you are not so fortunate, then you need to use Vidalia to weed out some circuits in real time so both connections use the same exit router in order to complete the transfer.
    Of course I'm willing to admit I'm an idiot and I might be wrong.

    December 19, 2013

    I'd like to echo many of the negative sentiments expressed here about the removal of vidalia, the loss of control of some pretty important features and what seems to be a serious hobbling of functionality/usability ostensibly to help insulate inexperienced users from themselves. But if protecting the inexperienced user is the goal, why was the "Disable Javascript" box completely removed and NoScript set to default with "Allow Scripts Globally (dangerous)"? It seems irresponsible or counter-intuitive if you attempt to protect the user by removing features yet leave a vital security door wide open for them.

    December 19, 2013

    I concur with ALL of the complaints and concerns about 3.5. I tried it myself and am VERY disappointed.

    Removing Vidalia was a MISTAKE. It gave us better functionality, control, and improved peace of mind with it. Explain how people can trust the TBB without it? These changes are only going to discourage many Tor users and ultimately lose a lot of supporters in the process if they don't correct these MISTAKES called "improvements."

    Until they restore the TBB to its former functionality or place some acceptable substitute similar to Vidalia, I will NOT use TBB any longer nor encourage new users. I'll be looking into other anonymous browsing alternatives in the meantime.

    Hope you're happy developers.

    December 19, 2013

    I'm running Win 7 x64 and have downloaded the new TBB this morning (20 December 2013). I installed it and tried running it, which went really well up till the moment when I changed my history settings and needed to restart the browser. It didn't. Then I tried running it as administrator, and it asked whether I'd like it to run in safe mode or make it try to restore however much it could. It didn't restore all my settings either way, and encountered the same problems when I tried to restart it again.
    And syncing it with my other browser was agonising.

    So, in a nutshell: either I'm doing something wrong or this version of TBB has some serious problems with restarting.

    December 20, 2013

    I've now used TBB 3.5 without any visible issues. My only concern is that there appears to be no facility to disable Javascript as and when required.

    Can someone please help a clueless non-techie?

    Tia

    December 20, 2013

    Why in the world would you make such drastic changes? This version is absolutely useless to me. Perhaps that was the idea. Infiltrate the project and make it less useful.

    A lot of the changes you're seeing are the underlying changes from Firefox 17 to Firefox 24 (and the changes we needed to make for the transition). But yes, it sure is still rough around the edges. Please help!

    December 21, 2013

    In reply to arma

    Excuse my likely ignorance, but please clarify why TBB is only using Firefox 24 when Linux Mint has me up to Firefox version 26?

    Because we're following the ESR (Extended Support Release) branch. FF17 was the last ESR, FF24 is the current one, and I guess FF31 will be the next.

    http://www.mozilla.org/en-US/firefox/organizations/

    The reason to choose the ESRs is because every new Firefox release ships surprising new privacy-invasive features that Mike has to fix:
    https://gitweb.torproject.org/torbrowser.git/tree/HEAD:/src/current-pat…

    https://trac.torproject.org/projects/tor/query?status=accepted&status=a…

    By the time he's dealt with some of them there's already a new release out.

    December 22, 2013

    In reply to arma

    Thank you for the comprehensive answer.... I now understand and feel much better :)

    December 21, 2013

    Why are the 'date stamps' for ALL the files and folders in the Linux TBB 3.5_en-US.tar.xz set to the year 2001?

    And what is the weird grey screen that pops up initially?

    December 21, 2013

    I'm rather confused... I have been downloading files as directed by torbrowser when it tells me of a new security upgrade named in ascending sequence in the format of :
    tor-browser-gnu-linux-i686-2.4.18-rc-1-dev-en-US.tar.gz
    for many, many months now.

    All of a sudden, there is this new format of ".tar.xz" with all files and folders dated back in the year 01/01/2001 !
    named:
    tor-browser-linux32-3.5_en-US.tar.xz
    which is a very different version number to the ones I have been downing for months named like:
    tor-browser-gnu-linux-i686-2.4.18-rc-1-dev-en-US.tar.gz (as mentioned above)

    So, is it like, have we gone from V2.4.18 straight to V3.5?
    Is that right? Is this legit? It all seems wrong, never experienced such confusion at face value from the torproject until now....

    What's more, there is a file named tor-0.2.4.19.tar.gz available for download that confuses me, although I suspect it is the standalone tor without the Firefox etc.?

    Yep, it's right.

    For why the date is so long in the past, that's part of the deterministic build process, so all the builders can produce exactly the same bundle:
    https://blog.torproject.org/blog/deterministic-builds-part-two-technica…

    For why the jump from 2.4.x to 3.5, you can see the history of Tor Browser Bundle 3.x at https://blog.torproject.org/category/tags/tbb-30 (all the way back to TBB 3.0alpha1 released in June).

    The tor-0.2.4.19.tar.gz file is the source tarball for the Tor 0.2.4.19 release:
    https://lists.torproject.org/pipermail/tor-talk/2013-December/031392.ht…
    It's mostly used by packagers when building various bundles that include Tor, rather than by normal end-users.
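
The effect of the fixed timestamps described in the reply above, as an added example that is not part of the original comment or the Tor Project's build tooling: two builders with different clocks, user accounts and directory listing order get byte-identical archives only once that metadata is normalized. The timestamp constant, file contents and builder values are constructed assumptions.

```python
import hashlib
import io
import tarfile
from datetime import datetime, timezone

# Assumption: a fixed timestamp of 2001-01-01 00:00:00 UTC, chosen to match
# the year the commenter saw; the real build's value is not stated on this page.
FIXED_MTIME = 978307200

# Constructed sample payload and two constructed build environments.
FILES = {"Browser/firefox": b"\x7fELF-demo", "Docs/README": b"demo bundle\n"}
BUILDER_A = {"mtime": 1387584000, "user": "alice", "uid": 1000,
             "listing": ["Browser/firefox", "Docs/README"]}
BUILDER_B = {"mtime": 1387670400, "user": "bob", "uid": 1001,
             "listing": ["Docs/README", "Browser/firefox"]}

def pack(files, builder, reproducible):
    """Return tar bytes; reproducible=True strips builder-specific metadata."""
    order = sorted(files) if reproducible else builder["listing"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            if reproducible:
                info.mtime, info.uid, info.gid = FIXED_MTIME, 0, 0
                info.uname = info.gname = ""
            else:
                info.mtime = builder["mtime"]
                info.uid = info.gid = builder["uid"]
                info.uname = info.gname = builder["user"]
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def digest(data):
    return hashlib.sha256(data).hexdigest()

def member_years(data):
    """Years of the member timestamps, as a file manager would display them."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return {datetime.fromtimestamp(m.mtime, timezone.utc).year for m in tar}

if __name__ == "__main__":
    for label, flag in (("naive", False), ("reproducible", True)):
        a, b = pack(FILES, BUILDER_A, flag), pack(FILES, BUILDER_B, flag)
        print(label, "match" if digest(a) == digest(b) else "differ",
              sorted(member_years(a)))
```
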

    December 22, 2013

    I downloaded the new Tor bundle (3.5) and after I install it and click to open Tor nothing happens. The task manager logs that there is a tor process running, however, the connection screen and the browser do not appear. I've tried deleting and reinstalling 4 times now and nothing has worked.

    December 22, 2013

    I have an error too on Kali Linux. The previous release worked like a charm, even as root. Now receiving an error when starting as root or user.

    Oh, also, aside from the root issue, I don't think I'd run anything like TBB from "Kali Linux", except for strictly experimental, NON-CRITICAL usage.

    December 22, 2013

    Is there a guide anywhere on the internet to updating TBB *by only updating the parts that have actually changed*? E.g. "replace the Tor with such-and-such a version, replace the ESR with so-and-so ESR and then change this list of files, alter these prefs etc". There are customisations that can be done to the browser that I really like and that don't affect anonymity and I just refuse to keep having to do these over and over again from scratch with a totally new bundle that sends me back to square one every time. Logic suggests only the parts that have changed need to be changed, but it is very onerous and time consuming to try to work this out for myself and my concern is it taking dozens of hours if I were to try to do it, hence my desire for a how-to of some sort.

    If you want to attempt such a feat, you would be completely at your own risk-- and considerable risk at that. Other than for purely experimental/hobby purposes, I'd leave such tinkering to the experts.

    December 27, 2013

    You Tor folks keep releasing new versions of Tor, now like what 2.5+, and I wonder, why does Tor still use 1024-bit encryption? Why right at the edge of insecurity, or is it per the request of the NSA? Or perhaps GCHQ?

    Because crypto migration is hard when you have a lot of users and not enough developers.

    See:
    https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/216-ntor…

    https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/220-ecc-…

    https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xx…

    including the discussions about these proposals on the tor-dev mailing list:
    https://www.torproject.org/docs/documentation#MailingLists

    Help us evaluate whether they're the right way forward!

    January 12, 2014

    In reply to arma

    "Because crypto migration is hard when you have a lot of users and not enough developers."

    Would not a more accurate statement be something to the effect of,

    "Crypto migration is never easy. All the more so when, such as in our case, you have many users but few developers."

    ?

    Oh, I should also add for clarity that nearly all of our 1024-bit encryption is gone -- see the first two 'major features' sections of
    https://lists.torproject.org/pipermail/tor-announce/2013-December/00009…

    But it isn't all gone -- relay identity keys and hidden service identity keys are among the big issues that remain. But relay onion keys are switched over already, and they're the most critical part imo.

    December 30, 2013

    Hello,

    I am a screen reader user. Firefox 24.2 usually works with any screen reading software, but I don't understand why this is not the case in Tor Browser Bundle 3.5. With the version before, there weren't any troubles.
    Thanks for your answer,
    Jane

    January 02, 2014

    @arma, Holy moly I am so impressed at how patiently, persistently, and well you're answering everyone's questions. It makes me crazy when people feel so entitled. I wish I could be more zen about it like you :-)

    January 24, 2014

    To the Tor team

    I know I don't have to blow your trumpet because you know the value you are adding to a transparent decentralised web. I have only one request for you to consider and that is how you release versions. The size of the Firefox team versus your team may be completely out of proportion and will keep you guys busy rewriting the wheel unnecessarily whilst trying to stay abreast of the elusive upgrade cycle of the world wide web. If we keep going at the rate we are now, Firefox may be at version 100.0 in the next ten years. I find that very wasteful in purpose and execution since most browsers today do pretty much what they are meant to, bar running webgl and flash in tor, but no-one thinks of trimming the fluff down and "robustifying" a persistent browser. What if we had a tor browser package that focussed on hardening one specific version until that one single browser package became impenetrable? What if that one version was robust enough to last for five years until the next bullet proof version? Anyway these are comments worth thinking about in an age of overly excessive releases of new versions of every kind of software under the sun.

    What I ask for is a package release system like f-droid. One matched package for one source bundle, in a list of most recent to oldest. The reason is that I do not like the idea of a git repo that can't roll back to a specific version I need (or if it does can someone tell me how to do it), but also it allows the releasing of matching package and source versions that can be used for better penetration testing, since the matching package/source bundle are indirect mirrors of each other (indirect since the package goes through a compiler).

    Please check out f-droid and see how they release software. It is really an excellent approach to free software.

    https://whyweprotest.net/community/threads/the-age-of-transparency.1161…

    anon