New Tor Browser Bundles with Firefox 17.0.10esr

by erinn | November 1, 2013

Firefox 17.0.10esr has been released with several security fixes and all of the Tor Browser Bundles have been updated. All users are encouraged to upgrade.

https://sedvblmbog.tudasnich.de/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-14)

Update Firefox to 17.0.10esr
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
Update LibPNG to 1.6.6
Update NoScript to 2.6.8.4
Update HTTPS-Everywhere to 3.4.2
Firefox patch changes:

Hide infobar for missing plugins. (closes: #9012)
Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
Remove polipo and privoxy from the banned ports list. (closes: #3661)
misc: Fix a potential memory leak in the Image Cache isolation
misc: Fix a potential crash if OS theme information is ever absent

Tor Browser Bundle (2.4.17-rc-1)

Update Firefox to 17.0.10esr
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#…
Update LibPNG to 1.6.6
Update NoScript to 2.6.8.4
Downgrade HTTPS-Everywhere to 3.4.2 in preparation for this becoming the stable bundle
Firefox patch changes:

Hide infobar for missing plugins. (closes: #9012)
Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
Remove polipo and privoxy from the banned ports list. (closes: #3661)
misc: Fix a potential memory leak in the Image Cache isolation
misc: Fix a potential crash if OS theme information is ever absent

applications

Comments

Please note that the comment area below has been archived.

Great! And thank you for the

Great! And thank you for the good work!

Now if you would add 2.4.17-rc-1 for OS X to [geshifilter-code]https://sedvblmbog.tudasnich.de/dist/torbrowser/osx/[/geshifilter-code], everything would be even greater ;-) Funnily, the signature files are already there…

In the message log for the

In the message log for the OSX version of TBB 2.4, I see a lot of these entries:

Error setting SO_REUSEADDR flag: Invalid argument

This occurs in both the 32- and 64-bit versions. Next to zero activity in the bandwidth graph. No problems with 2.3 which shows a lot of activity in the bandwidth graph (20Mbps in both directions almost continually). Operating an exit node.

Problem existed in Mountain Lion. Problem remained after a format/install of Mavericks.

This sounds like a real bug.

This sounds like a real bug. Can you go to trac.torproject.org and open a ticket, with Tor 0.2.4.x as the milestone? Thanks!

Done. Hope it gets fixed

Done. Hope it gets fixed soon.

https://trac.torproject.org/projects/tor/ticket/10081

The requested URL

The requested URL /dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.4.17-rc-1-dev-en-US.tar.gz was not found on this server.

Download link at

Download link at https://sedvblmbog.tudasnich.de/projects/torbrowser.html.en for Linux is 404ed...

Download link for Tor

Download link for Tor Browser Bundle 2.4.17-rc-1 for Windows is broken.

The 2.4.17 exe file is

The 2.4.17 exe file is missing

Looks like the files are now

Looks like the files are now all there. Sorry for the unsynchronized announcement. (Let us know if any are still missing.)

Could someone please help

Could someone please help me, I'm new to this and I'm not sure how to go through the update process... it seems like I have to download the bundle all over again, extract it, and then are there 2 copies on my computer? I'm confused on how to do this. Please advise as to how to email or ask someone for help on this. Thank you kindly! *S.

Yep -- the safest and

Yep -- the safest and simplest approach is just to download the new one, and delete the old one. If you want to get more complex you can export stuff like bookmarks from the old one and import them into the new one. It depends how much you customize your TBB vs just use it.

In the glorious future we'll have a variant of the Firefox updater able to do this for you, in place without losing changes you make.

As for where to get help, you might like
https://sedvblmbog.tudasnich.de/about/contact#support

Looking forward to an update

Looking forward to an update for the TBB pluggable- transports version.

Right -- when Erinn said

Right -- when Erinn said 'all' I think she actually meant about half -- the PT TBBs will come soon, as will another 3.0 alpha-or-beta.

Are the fixes/updates in Tor

Are the fixes/updates in Tor Browser Bundle (2.3.25-14) already present in Tails 0.21?

Tails 0.21 was released just a few days ago on October 29, 2013 and version 0.22 will only be out on December 11.

We users hope there IS communication, co-ordination and teamwork between the people working on Tor and those working on Tails.

The various groups do

The various groups do communicate yes.

Tails 0.21 includes this latest Firefox too, among other changes.

are you guys moving to ESR

are you guys moving to ESR 24.1 in the next beta? Please let it be so. Many addons are dropping older FF versions and won't work.

Keep an eye

Keep an eye on
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=…

Mike et al aren't done fixing all the privacy disasters introduced in FF24. But they know they'd best be done real soon now.

Thanks alot for your

Thanks alot for your efforts. Is the delay due to a lack of resources ? Do you need more donations.

Do we need more donations?

Do we need more donations? Yes, undirected donations are really great because they give us the flexibility to work on the things that most need attention now, rather than the things we convinced a funder a year ago that we should work on.

In this case, the delay is due both to lack of enough of the right developers and also lack of funding. We're in the process of trying to fix the latter issue, which will in turn let us fix the former issue. Help would be greatly appreciated.

That said, we're likely to wait until nearly the last minute to switch from one ESR to the next anyway, since it gives everybody the most time to discover issues in the new ESR.

are you guys moving to ESR

are you guys moving to ESR 24.1 in the next beta? Please let it be so. Many addons are dropping older FF versions and won't work.

Are these "many addons" safe to use, I mean, do they break anonymity?

IMHO addons are of secondary importance if they do NOT enhance anonymity.

We use TBB and Tails because they provide anonymity, not the latest gizmos.

https://sedvblmbog.tudasnich.de/do

https://sedvblmbog.tudasnich.de/docs/faq.html.en#TBBOtherExtensions

Browser add-ons that may

Browser add-ons that may improve anonymity:
has anyone tried Self-Destructing Cookies?

It zaps the cookies and LSO right after you finish visiting a site, close its tab and open a new tab; also can clear the browser's cache on timer.
Needed when you can't switch the Identity or restart the browser right away - normally in this case one would have to remember to clear the cookies manually or drag them along the rest of the browser session, neither of which is optimal. Such auto-protection would be just great to have in Tor Browser.

Released under GNU GPL2 license; requires minimum FF version 21 (I think), so it doesn't run on v.17 ESR.
BTW, I'm not related to its dev in any way - was just looking for the automatic cookie deletion within the same browser session.
If anyone has experience auditing the code and using the network sniffers, I'd appreciate checking this add-on for any privacy leaks.

I was using

I was using "Self-Destructing Cookies" for a few months, and was happy with the results. But, one thing that disappointed me was that SDC did NOT remove LSO cookies. You need to also install the "Better Privacy" addon to remove LSOs.

I repeat, SDC removed every other kind of cookie except LSO cookies.

Also, do NOT use the Ghostery addon. I was using it for months untill I discovered Ghostery making requests to some odd server. Just stick with SDC + Better Privacy.

Are you talking about

Are you talking about ghostrank? Just keep it disabled.

SDC doesn't manage LSO cookies, better privacy is for that.

And I was so happy with

And I was so happy with ghostery untill I read your post. I still don't know how to find who is tracking me when Ghostery tells me someone is tracking you

Ghostery is perfect, I have

Ghostery is perfect, I have been monitoring it closely, it just requests to GhostRank server, if you disable it, nothing will happen.

Thank you guys! I'm

Thank you guys! I'm downloading it!

The latest TBB without

The latest TBB without Vidalia (beta version) is not out for this release, it seems. Thank you!

Could someone tell me WHERE

Could someone tell me WHERE the settings for the following warning message are stored (sqlite file, ini file etc):

"This website attempted to access image data on a canvas. Since canvas image data can be used to discover information about your computer, blank image data was returned this time."

thx

Just downloaded and

Just downloaded and installed and it is asking me for a password. I've never put a password in the program. Tried the system password and that didn't work. Any suggestions please!

You might like

You might like https://sedvblmbog.tudasnich.de/docs/faq#VidaliaPassword

Every SSL-secured site I

Every SSL-secured site I attempt to go to with the latest 64-bit TBB, gives me the following error message:

Secure Connection Failed

An error occurred during a connection to sedvblmbog.tudasnich.de.

SSL peer reports incorrect Message Authentication Code.

(Error code: ssl_error_bad_mac_alert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Help please! I am getting

Help please! I am getting ERROR all the time with
tor-browser-gnu-linux-x86_64-2.3.25-14-dev-en-US

Tor Browser Bundle pop-up warning square:
Vidalia exited abnormally. Exit code: 2

2 empty txt-documents pops up in the folder, named
(invalid encoding) (invalid encoding) with strange unicode letters above
when trying to start vidalia from: start-tor-browser (run)

Ubuntu 12.10

this is the second latest release of the tor browser bundle that i can not run.
no firewall, vpn, proxy should be able to block anything
since i havent done any changes since i removed the older version.

I'm curious about LibPNG.

I'm curious about LibPNG. Why is it in the bundle?

I can use the tor browser to

I can use the tor browser to visit any other page except the one it is supposed to start first, the check.torproject.org. It was doing this before and after I installed the new update, was working fine yesterday. Message I get is : The proxy server is refusing connections. Firefox is configured to use a proxy server that is refusing connections.

So, is it safe to use my tor browser? Any thoughts if I need to download/install/whatever anything else? Thank you in advance!

I, too, have the "refusing

I, too, have the "refusing connections" error message. Vidalia shows a green torbutton, but the browser page shows a red slashed button and won't connect me anywhere, while giving me the above error message.

I am not able to paste

I am not able to paste anything from outside of tor on any site.
like copy encrypted message from notepad and then paste into tor.
is any one else having this issue?

Thanks

bug in

bug in https://check.torproject.org page.

if you get the message that theres a security update available on that page, then close your browser. download and install the update. when you reopen the browser, in some circumstances (and this is just a guess, as it might be something else causing it - perhaps the browser is set to on restart to always open the pages that were open at the time the browser was closed) the check.torproject.org page announcing theres an update available opens again, this is very confusing, as it seems like the update you have downloaded and installed hasnt worked...

i would suggest as a fix for this, to put an actual check on the following page
https://check.torproject.org/?lang=en-US&small=1&uptodate=0
to check whether the current tor version is actually up to date, as it doesnt seem to be checking at present. you can test this by visiting that page with your up to date tor browser bundle. it will still report that there is an update available...

Despite using it on a

Despite using it on a portable drive, it is still splattering files to C:\Users\myaccountname\AppData\Local\Vidalia such as C:\Users\myaccountname\AppData\Local\Vidalia\vidalia.pid and looks for files like geoip in that folder, instead of in a relative and local folder on windows 7. I wonder if firefox creates temp files for downloads in C:\Users\admin1\AppData\Local\Temp .

I still have the "proxy

I still have the "proxy configured to refuse connection problem" after a clean installation (winxpsp3, noadm priv, using a http/s proxy, tor client only from usb stick). After reading comments everywhere I found out that the only stable solution for me is to delete the line HashedControlPassword to make tor work (I tried to use the cookie authentication or a fixed password but they don't work either). In the manual you say this creates a security breach. Is there a safe(r) solution to this issue? This problem affects me only starting from late spring 2013 distributions. Thanks!

big thanks to the tor

big thanks to the tor project people

NEW VERSION TOR-14 BUG

NEW VERSION TOR-14

BUG RELATED TO/ WINDOWS XP

Firefox>Bookmarks>Backup> file= "anybookmark"

A series of annoying scripts appears which highjacks the transfer of bookmarks from Tor13 to Tor14

Script: chrome://browser/content/places/browserPlacesViews.js:583

Nice new upgrade. pretty smooth except for this bug, thanks!

Tor Browser is

Tor Browser is fingerprinting users by default!

Upon starting TBB, a list of all installed extensions is sent to mozilla's addon server to check against a blocklist.

https://support.mozilla.org/en-US/kb/how-stop-firefox-automatically-mak…

TBB should immediately start defaulting this to false.
extensions.blocklist.enabled;false

This check goes over Tor

This check goes over Tor though, right?

I totally agree that giving Mozilla all this data, even anonymized, is scary. See also my discussions on this ticket:
https://trac.torproject.org/projects/tor/ticket/9769

There's pretty clearly a tradeoff between keeping you up-to-date and sending Mozilla details (over Tor) about your configuration.

Yes, the check goes over

Yes, the check goes over TOR.

I thought I saw a request to a mozilla blocklist server that submitted a variable along the lines of "GET_INSTALLED_ADDONS" however I've been unable to reproduce what I saw.

The blocklist URL string does not contain this var so it must have been something else.
https://wiki.mozilla.org/Firefox3.1/Blocklisting_Security_Review

I will reply here if I am able to reproduce what I originally thought I witnessed. I apologize if I was incorrect.

TBB do not sends a list of

TBB do not sends a list of installed extensions, it fetches a list of blocked extensions instead.

Problem with generated URL itself, and not only for blocklist case as TBB fetching many another stuff from mozilla's addon server.
List of used vars for URLS, that can be individual:
%BUILD_ID%
%BUILD_TARGET%
%LOCALE%
%CHANNEL%
%OS_VERSION%
%PING_COUNT%
%TOTAL_PING_COUNT%
%DAYS_SINCE_LAST_PING%
etc

You can't fix it just by extensions.blocklist.enabled;false