New Tor Browser Bundles

by erinn | February 3, 2012

The Tor Browser Bundles have all been updated to the latest Firefox (10.0) as well as a number of other software version updates.

https://sedvblmbog.tudasnich.de/download

Tor Browser Bundle (2.2.35-5)

  • Update Firefox to 10.0
  • Update Qt to 4.7.4
  • Update OpenSSL to 1.0.0g
  • Update zlib to 1.2.6
  • Update HTTPS Everywhere to 1.2.2
  • Update NoScript to 2.2.8
  • New Firefox patches
    • Limit the number of fonts per document

Linux changes

  • Put documentation in remove-shared-lib-symlinks debug dumps (closes: #4984)

Windows changes

  • Make sure mozconfig always gets copied into the Firefox build directory
    (closes: #4879)

Comments

Please note that the comment area below has been archived.

Just edit the tbb-firefox.exe properties and run it as Windows XP SP3 (under the Compatibility tab).

This is a temporary fix to the problem =)

February 03, 2012

Permalink

Hi, not sure why an update took so long but it's do!

Also, not sure why I couldn't D/L the alpha version (think I needed to be a tor-talk member?)

Anyways, this comment is to inform the Tor's staff that the 'minimize/maximize/close' buttons are still blacked out when 'Menu Bar' is ticked. Thanks, and hope you do end up fixing this, as it's been an issue for awhile now.

February 03, 2012

Permalink

HTTPS Everywhere and maybe extensions.torbutton.redir_url.4 is messing with scroogle.org which is inaccessible with TBB. Disabling only the related rule is not enough, only fully disabling the extension and deleting the torbutton value in about:config seems to fix it.

February 03, 2012

Permalink

i love tor software, its amazing, so useful thanks!

one thing i have noticed with this latest version is that the firefox icon in the top window bar on the left hand side has reverted back to the Firefox Logo, i preferred the old one that had the Aurora logo, as then if i had a normal version of firefox that was not connected to Tor, and the firerfox that is bundled in the Tor bundle runnign at the same time, i could easily differentiate between the 2 browsers at a glance, i wonder if it would be possible to use a custom Tor icon for this in the future, or give the user an option to set that icon, i think it would be most useful, thanks again, and best regards.

It seemed that the Tor developers had reverted the bundled Mozilla Aurora to the final release of Mozilla Firefox. That said, it is now using the same channel version as your regular Mozilla Firefox.

To know more, or to differentiate your browser, change your regular Mozilla Firefox to other channels, eg. the Mozilla Aurora.

https://www.mozilla.org/en-US/firefox/channel/

Outside of TAILS/Tor I'm using Seamonkey. That seems to be the intelligent choice to glean what "stability" remains to be had among the current Mozilla Project options. Especially in light of the FF team's announced intention to begin automatic collection of user "statistics" for "product improvement" purposes. Right. "Jump the shark", much, fellas? I'm distressed to write that the real question here is, "how long to stay with Tor if they continue to follow Firefox into the privacy abyss?" See: http://seclists.org/fulldisclosure/2012/Feb/145

Torproject maintains for all intents and purposes a fork of Firefox. If Mozilla does something that decreases privacy Torproject will patch it. If not you are free to take the code, remove the "feature" (or hire someone to do it for you).

February 03, 2012

Permalink

Still have the black minimize, maximize, close buttons (#4879) with this release.

February 03, 2012

Permalink

Panopticlick shows that HTTP_ACCEPT Headers changed in the latest version (Windows build) - is that correct? The new values don't blend as well in the crowd :(

February 03, 2012

Permalink

I noticed that (on Linux) Firefox is called Firefox now, and not Aurora like on the previous version.

This is normal?

It's the same on Mac OS X.

And unless the Tor Project developers have received permission from the Mozilla Foundation/Corporation, a possibility but not highly likely, to use the official Mozilla Firefox logo and wordmark they are in violation of the rules.

The rules can be found at the following URL under the heading "Software Distribution".

http://www.mozilla.org/foundation/trademarks/policy.html

February 03, 2012

Permalink

Thank you for a Great project.

Please change the current browser icon (Firefox) to the previously used (Aurora) as using Tor Browser along with default Firefox may lead to the confusion and worse. Please avoid the specific icons either as it could compromise one. If the idea behind icon replacement was in better obfuscation I suggest that You also should hide the Tor Button, NoScript and HTTPS icons by default. To protect one from even bigger confusion I suggest to add some functionality to the Vidalia CP context menu that would highlight the Tor Browsers window(s). I think it is better to make two more clicks for that which confused than to risk.

February 03, 2012

Permalink

Thank you, Erinn for both the update and the blog entry announcement here.

Thank you for updating so many of the related TBB components.

I'm curious if you could please add some of the regular Tor tools in a future TBB update:

torsocks
usewithtor
tor-resolve

and others, so we can torify applications apart from the browser while still using the bundle.

And, could you add to the about:config options in a future version, ipv6 disabled and prefetching (not the dns option) disabled? It's important to disable prefetching for many reasons, but here's two:

1. Prefetching through sites loads many pages which the user may never visit!

2. Prefetching may, through loaded links in a page, aid in tracking by bar 4d parties. Example: User visits a political blog and comments, some blog comments are linked to "front" sites headed by corporate and/or governmental entities or hacker orgs to capture traffic to these sites, especially bad for people in China and Iran who are struggling for freedom.

Thank you Erinn.

February 03, 2012

Permalink

Hi,

I did some basic tests.
First one ( http://ip-check.info/?lang=en ) shows orange onion now! Obviously it should be green.
Problems are with charsets and signature. Both have "medium" security now. "Good" results were before.

Unfortunately my second test ( https://panopticlick.eff.org/ ) shows huge regress.
Older Tor Bundle result was ~800
Result from the new bundle: ~30000
Smaller value is better.

I will stay with older bundle.

February 03, 2012

Permalink

tbb startup loads the tor check page @ torproject.org,
how does it determine whether or not my tbb requires an update?
is it code modified within the aurora browser? however it is designed, can this be exploited by bad exit nodes or web sites?

when i change the torcheck url in aurora to something other than default tor check, exit tbb and reload tbb script the previous torcheck url reappears, is this hardcoded into aurora and how can this be changed?

one reason to change this behavior is personal preference, another is because a remote or local adversary may be expecting your tbb launch by the fingerprint of the first page it loads, which all tbb load on start, this could be discovered by traffic analysis.

i suggest the tor check page should load tiny but randomized images out of a large pool of images, maybe some of them autogenerated and randomly created with different sizes and checksums on the fly so they cannot be fingerprinted.

Your startpage is changed everytime TBB is started to the Tor Check page. Letting the user set his own startpage is a very bad idea, since Tor Check page can be used to give very important security information to the user.

It is usually mostly used for notifying about new security updates, since no fuctionality for automatic software updates exists in the Tor Browser Bundle yet. I think it is TBB that makes the version check itself and then sets different Tor Check URLs depending on the result. But the connection is HTTPS encrypted, so no exit node will gain any useful information.

February 04, 2012

Permalink

Why proceed back from Aurora to Firefox?
I'd expect the changes to include either later versions of Aurora or at least Firefox Beta to include quick fixes?

The Aurora TBB used is not the same Aurora as from Firefox website. TBBs Aurora is just a rebranded version of the latest stable release of Firefox, but with some custom anonymity/privacy improving changes from the Tor developers.

February 04, 2012

Permalink

Dear hard working Tor team,

why don't you include in the bundle the Scroogle SSL searching engine?
Redirect is great, but still when are people used to Google, this would
save them a lot of time.

Thank you for your consideration and for your hard work!

February 04, 2012

Permalink

aha, i figured out how to set a custom Icon for the Firefox Title Bar, so i can tell whether i am using the Portable Firefox that comes with the Tor bundle, rather than my normal firefox installation.

heres the method (for microsoft windows version):

you need to put the icon you want to use in the following directory
%Tor installation directory%\FirefoxPortable\App\Firefox\chrome\icons\default\
and you need to name it "main-window.ico"

it has to be in the windows icon format, but you can easily convert any image to that format via the following online converter : http://iconverticons.com/

February 04, 2012

Permalink

I'm unable to connect to Tor.Vidalia control panel says:

"Connecting to relay directory failed(insufficient resources)"

This isn't the first time i've had this problem.It's happened about 4 times before.It's always after downloading the new version of Tor.After a day or two, I'm once again able to connect to Tor,without having had to do anything to fix it.Why does this happen?Am I the only one who has this problem? If this isn't supposed to happen, how do i fix it?

February 04, 2012

Permalink

Ummm, did someone forget something in this release (for Windows)?

Hint #1: It's the first word of a natural phenomenon seen in the skies of Alaska.

Hint #2: We don't want Tor to break any legal protections for modified Firefox source ...

Apart from Firefox, Firefox Beta and Firefox Nightly, the Firefox Aurora (or knwon merely as Aurora) is bundled and released by the Mozilla Project, not TOR or the EFF.
Check https://www.mozilla.org/en-US/firefox/channel/

So, as for Hint 2, Aurora is officially by Mozilla, so it will, if it even will, put Tor at the same exact legal status as using the final release of Mozilla Firefox.

The source code of the program is open, no legal risks. Mozilla only cares about two things: The name "Firefox" and the artwork (the fox icon). Aurora has neither. Therefore it does not put anyone at any risk when distributing it in any form whatsoever.

/IANAL

I think #1 does not matter. The reason it said Aura before is because the default compilation sets it to that. They got around to making the tweak so that it sets it to Firefox.

#2 is probably important from a legal perspective as there are prohibitions on calling the browser Firefox (a trademark) if you make changes to the code.

February 05, 2012

Permalink

When running under Windows 7 with the new taskbar Tor browser and regular firefox get stacked if they have the same major version. I just found out from an online forum that the problem lies within a file: Application.ini. Although labeled Aurora and being part of the Tor browser bundle, the Vendor and Application name are the same. Couldn't be that be tweaked to make a difference? For sure the vendor is different.

February 05, 2012

Permalink

in iran goverment has blocked https site we can use tor for normal http but if the site is https tor cannot open it and show problem loading page.what should we do?

February 05, 2012

Permalink

Hey guys , how are you? thanks for the update. I just had a quick question and wasnt sure where else to ask. I recently downloaded Tor and Vidalia and am wondering if my internet service provider(ISP) can recognize that my ip address is connecting to other ip addresses all over the world and in different countries, and whether i can get in trouble for this. i dont want my isp to find it strange that im connected to other places or anything of the sort.I have comcast here in america. I use Tor so i can maintain my privacy and so i can feel safer when accessing banking websites or filling out job applications. i dont want any of my family's personal info stolen and i feel this is a great way to ensure that it doesnt. so would using tor for all my browsing alarm my isp? should i use it only sparingly , or does it matter? Sorry if this is a dumb question, im just new to this whole thing and was not sure how else to ask. Thanks again for the update and for making a great software

Isn't "accessing banking websites or filling out job applications" an excellent example of what NOT do to using Tor, especially if one want to avoid having personal data stolen. Tor is if you want to/need to stay anonymous. For non-anonymous stuff the only effect of using Tor is switching from your normal "trusted" ISP that is unlikely to steal your personal data, switching to a random individual running a Tor exit node that is way more likely to want your data. Using HTTPS (encrypted HTTP) is what you want.

As for your question, your ISP can with 100% certainly prove that you are using Tor at any time, because your computer is connecting to known Tor nodes. What your ISP will not see is what you are doing while running Tor. Your ISP knowing you run Tor is usually never a problem.

i say fuck the isp's anyway. i couldnt possibly care less. they just jacked my internet up 4 bucks a month to $49. ill do what what i want. i dont download movies or music anymore, but ill sure as hell get on the tor network if i want to...

February 05, 2012

Permalink

Is there anyway to prevent TOR from using United States connections? Many of the filesharing services my friends overseas use to upload stuff are going "NO UNITED STATES!' so I would really like to know a method to do that.

February 06, 2012

Permalink

Will a captcha reveal one's real IP address? It is no longer possible to open an anonymous gmail account anymore. Now Google asks for phone number, gender and a captcha has to be keyed in. Does anyone know how to bypass these? Thanks.

Captchas is absolutely no problem. For the rest the bypass is to use something else than Google. There exists plenty of free webmail sevices, just do some searching.

February 06, 2012

Permalink

I prefer the Aurora logo as well. Makes it clearer that it's the Tor browser, and not just regular Firefox. Can be confusing if you have both.. plus, to be honest, it just looks way cool.

February 06, 2012

Permalink

Unable to install add-ons 'Ghostery' and 'Adblock Plus' with this version. Going back to previous version.

February 06, 2012

Permalink

I too was surprised at the browser’s name now being Firefox. If you also have a standard build of Firefox installed, you’re left wondering whether that has been used with the custom Tor Browser profile. I’d assumed The Tor Project were using the Aurora development name because Mozilla won’t allow the Firefox brand name on modified code. Have Mozilla given The Tor Project’s modifications their blessing?

Can you not just call it “Tor Browser”?

February 06, 2012

Permalink

I received notification that the most recent bundle, Tor Browser Bundle (2.2.35-5) was avaliable for download. I went ahead and downloaded same to the downloaded software folder in XP's program files. Then I closed down Tor Browser Bundle (2.2.35-4) and deleted it from my system and ran CCleaner. I then moved Tor Browser Bundle (2.2.35-5) to a new folder with a different designation in XP's Program files and activated it. Imagine my surprise when I was again notified that the most recent bundle, Tor Browser Bundle (2.2.35-5) was avaliable for download even though I was using the selfsame bundle!

Why so erratic? What are y'all smoking? Is this the reason for y'alls caveat that this is experimental software and shouldn't be trusted?

After watching y'all duck, dive,weave and tap-dance in response to queries over the past few years I'm not convinced y'all are together on the same page. One day it's Firefox, the next its Aurora or some-such and then it's Mozilla/Firefox. Are we unable to be decisive?

Mostly y'all simply post a obscute sentence in response to a question and let it go at that. No proper answer provided. I note there are similar queries in the stack ahead of me but I'm betting y'all too introverted to answer clearly.

OK now ignore me or censor me or ban me or whatever y'all do when your comfort zone is breached. But don't, heaven forbid, give a clear and concise answer...

Cheers

I disconnected from the internet

February 07, 2012

Permalink

Tor is becoming with every patch a honeypot! this update is fail!!!
ipcheck.info
Signature: medium! (not standard tor browser signature!)
Charset: medium! wtf
HTTP_ACCEPT Headers: allowed! (why not block this???) in the past updates it was blocked!

https://panopticlick.eff.org/
12.41 bits way too big with configuration, first it was around 8 with configuration! now with configuration in the default settings it is around 18

The bigest fail is this:
during any tor start up u connect again and again with the same relays/ips in the united states!!! again with same relays and IP.

the default settings are a total farce! i think it is time let the people know that tor browser is not connecting to random relays/ip. but connect to companys in the united states! and this companys are analysing our trafic!!!

Panopticlick works by checking your browser settings against all previous visitors to their site so obviously when you're one of the first to visit with a new configuration, it's going to give a bad score. That score doesn't translate into the real world very well. It implies that you stand out in a crowd but really you still look just like every other Tor Browser Bundle user and once enough of them visit Panopticlick, the numbers will begin to reflect that again.

oh gawd ... it's not ... not ... not ... that darn honeybee is it?! Say it ain't so, pha-lease!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

February 07, 2012

Permalink

Tor is becoming with every patch a honeypot! this update is fail!!!
ipcheck.info
Signature: medium! (not standard tor browser signature!)
Charset: medium! wtf
HTTP_ACCEPT Headers: allowed! (why not block this???) in the past updates it was blocked!

https://panopticlick.eff.org/
12.41 bits way too big with configuration, first it was around 8 with configuration! now with configuration in the default settings it is around 18

The bigest fail is this:
during any tor start up u connect again and again with the same relays/ips in the united states!!! again with same relays and IP.

the default settings are a total farce! i think it is time let the people know that tor browser is not connecting to random relays/ip. but connect to companys in the united states! and this companys are analysing our trafic!!!

February 07, 2012

Permalink

Now when I start up the bundle and at random moments, I am now getting a message from PGP that it has detected an SSL/TLS connection initiated by my mail client. I don't have a mail client up. The PGP message says I am connected to: static.8.58.4.46.clients.your-server.de

Is this something that the Tor Bundle is doing or should I be worried?

February 08, 2012

Permalink

After a few days running a exit node it crashed. I was using Skype via a normal connection parallel to TOR and trying to get the node slower. It doesn't get slower and finally TOR crashed.

February 09, 2012

Permalink

please update Tor Bundle
in this release Flash Plugin is not in plugin list
it is not activate by Firefox because the plugin is an old not secure version
thanks

Do -never- use any Flash plugin with Tor. Flash applications may leak sensitive data like your real IP address. If it is Youtube you can use their experimental HTML5 video mode instead, which is safe together with Tor.

February 09, 2012

Permalink

+1 for the change from Firefox.

On OS X Firefox is my default browser, all types of applications are now trying to use the Tor Browser Bundle version, rather than previously when they ignored it as it was the Aurora version.

For those on OS X you can get part of the way for the moment and be able to tell the difference in the dock by changing the icon for Tor’s version of Firefox (right-click > Show Package Contents > Contents > MacOS > Firefox).

I tried renaming Firefox there too, but that seems to have killed Vidalia! Now re-installing XD

Regards,
r

February 09, 2012

Permalink

Any reason why we cannot write comments in blogger (blogspot) through tor bundle?

February 11, 2012

Permalink

This is the output when I try to download TBB with wget:

  1. [<a href="mailto:guest@localhost" rel="nofollow">guest@localhost</a> guest]$ wget <a href="https://sedvblmbog.tudasnich.de/dist/torbrowser/tor-browser-2.2.35-5_en-US.exe
  2. --2012-02-12" rel="nofollow">https://sedvblmbog.tudasnich.de/dist/torbrowser/tor-browser-2.2.35-5_en-US.e…</a> 02:17:13-- <a href="https://sedvblmbog.tudasnich.de/dist/torbrowser/tor-browser-2.2.35-5_en-US.exe
  3. ERROR:" rel="nofollow">https://sedvblmbog.tudasnich.de/dist/torbrowser/tor-browser-2.2.35-5_en-US.e…</a> Cannot open directory /etc/openssl/certs.<br />
  4. Resolving <a href="http://sedvblmbog.tudasnich.de" rel="nofollow">sedvblmbog.tudasnich.de</a> (<a href="http://sedvblmbog.tudasnich.de" rel="nofollow">sedvblmbog.tudasnich.de</a>)... 86.59.30.36, 38.229.72.14, 38.229.72.16, ...<br />
  5. Connecting to <a href="http://sedvblmbog.tudasnich.de" rel="nofollow">www.torproject.org</a> (<a href="http://sedvblmbog.tudasnich.de" rel="nofollow">www.torproject.org</a>)|86.59.30.36|:443... connected.<br />
  6. ERROR: The certificate of `<a href="http://sedvblmbog.tudasnich.de&#039" rel="nofollow">www.torproject.org&#039</a>; is not trusted.<br />
  7. ERROR: The certificate of `<a href="http://sedvblmbog.tudasnich.de&#039" rel="nofollow">www.torproject.org&#039</a>; hasn't got a known issuer.<br />
  8. [<a href="mailto:guest@localhost" rel="nofollow">guest@localhost</a> guest]$

February 13, 2012

Permalink

I use tor bundle for linux 32bit (arch linux + kde). When i right-clicking -> save over a file link (like for example .pdf files), appear the torbutton alert about an application of the third-party that try to access asking what to do. I don't understand what is the problem, is a kde component's that try to connect to the site or is a false allarm?

February 18, 2012

Permalink

hi first thanks for helping me and other pls tel me how can i up grade my tor there is message on my tor said i need to up grade but from the site its impossible to downlod how can i get it?

May 23, 2012

Permalink

I can't connect to anything. Every time I try to go to a site, it says the connection timed out. What the fuck is this bullshit?