Tor Browser 3.5.3 is released

by mikeperry | March 19, 2014

The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.

This release also includes important security updates to Firefox.

As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.

Here is the complete changelog for 3.5.3:

  • All Platforms
    • Update Firefox to 24.4.0esr
    • Update Torbutton to 1.6.7.0:
      • Bug 9901: Fix browser freeze due to content type sniffing
      • Bug 10611: Add Swedish (sv) to extra locales to update
    • Update NoScript to 2.6.8.17
    • Update Tor to 0.2.4.21
    • Bug 10237: Disable the media cache to prevent disk leaks for videos
    • Bug 10703: Force the default charset to avoid locale fingerprinting
    • Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
  • Linux:
    • Bug 9353: Fix keyboard input on Ubuntu 13.10
    • Bug 9896: Provide debug symbols for Tor Browser binary
    • Bug 10472: Pass arguments to the browser from Linux startup script

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Comments

Please note that the comment area below has been archived.

You don't need a zip package, the installer doesn't write anything to registry.
I've checked it with RegShot before and after running the installer.

March 19, 2014

Permalink

Why is this update still saying it needs an update? Is there some sort of spoofing attack in progress?

March 20, 2014

In reply to arma

Permalink

Thanks for the reply... I did remove the old version and install the new version as I always have done for years with no problem... btw I used the new Tor Browser Bundle today after my reported experience and it seems the issue has gone away :D

TBB uses Firefox ESR. Current version is 24.4.0.

TLS 1.1 and TLS 1.2 were not enabled by default until Firefox 27.

Next Firefox ESR release will be 31.

March 20, 2014

Permalink

What's wrong with you?
We don't want to install TBB like a program.
We need a portable TBB!

March 20, 2014

Permalink

This might be a total noob question, but what's the difference between exporting bookmarks to an HTML file, versus backing up bookmarks to a JSON file?

I ask because every time I download a newer version of the TBB, I have to re-populate the bookmarks menu.

Thanks for all the work you guys do.

From what I could find, restoring from JSON will replace your bookmarks with only what is in the backup file. Using a HTML backup will just add to your existing bookmarks. (source: https://support.mozilla.org/en-US/questions/950445)

It sounds like you know how to do so, but just in case: restoring bookmarks can be done from the Show All Bookmarks window (Ctrl+Shift+O). To restore from JSON, use "Import and Backup" -> "Restore" -> "Choose File", and to restore bookmarks from HTML, use "Import and Backup" -> "Import Bookmarks from HTML."

March 21, 2014

In reply to arma

Permalink

Yeah, overwriting TBB's will cause issues ranging from wrong version of X extension to just not wanting to boot up.

I've pretty much resigned myself to "Have to go the clean installation in a new directory and just import bookmarks!" route when I am updating to a new TBB.

March 20, 2014

Permalink

I download the files:

https://sedvblmbog.tudasnich.de/dist/torbrowser/3.5.3/sha256sums.txt
https://sedvblmbog.tudasnich.de/dist/torbrowser/3.5.3/sha256sums.txt-mikeper…
https://sedvblmbog.tudasnich.de/dist/torbrowser/3.5.3/tor-browser-linux64-3…
https://sedvblmbog.tudasnich.de/dist/torbrowser/3.5.3/tor-browser-linux64-3…

Previous version files are missing:

sha256sums.txt-erinn.asc
sha256sums.txt-linus.asc

I run the script:

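########
#!/bin/bash

# Start file.txt with a single empty line
echo "" > file.txt

# Check the downloaded files against the checksum list; keep only the OK lines
sha256sum -c sha256sums.txt 2>&1 | grep OK >> file.txt

echo >> file.txt

# Verify every detached signature made over sha256sums.txt
for a in sha256*.asc ; do
    gpg --verify "$a" sha256sums.txt >> file.txt 2>&1
    echo >> file.txt
done

echo >> file.txt

# Verify the detached signature of the bundle itself
gpg --verify tor-browser-linux64*.asc >> file.txt 2>&1

echo >> file.txt
#########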

Running less file.txt I can see a signature mess:

gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

gpg: Signature made Wed 19 Mar 2014 09:26:01 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

I check "mikeperry" signature manually:

gpg --verify sha256sums.txt-mikeperry.asc sha256sums.txt

gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659

Why is Mike Perry's signature displayed as Erinn's?
Where are the other signatures?
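An added example (not part of the comment above and not Tor Project tooling) that reports which key actually made each detached signature, by reading gpg's machine-readable `--status-fd` lines instead of the "Good signature from" text, and flags a signature file whose name does not match its signer. The function names, the `EXPECTED_SIGNERS` table and the sample status lines are assumptions constructed for illustration; only the fingerprint comes from the output above.

```bash
#!/bin/bash
# Added example: map each sha256sums.txt-<name>.asc to the key that signed it.

# Expected signers, one per line as "PRIMARY_FINGERPRINT label".
# The fingerprint below is the one printed in the comment above; fingerprints
# for other builders must be added from a source you trust (assumption).
EXPECTED_SIGNERS="8738A680B84B3031A630F2DB416F061063FEE659 erinn"

# Constructed sample of `gpg --status-fd 1 --verify` output (not a captured log).
SAMPLE_STATUS='[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark
[GNUPG:] VALIDSIG 8738A680B84B3031A630F2DB416F061063FEE659 2014-03-19 1395249930 0 4 0 1 8 00 8738A680B84B3031A630F2DB416F061063FEE659'

# Read status lines on stdin; print the primary-key fingerprint of each valid
# signature. Field 12 of VALIDSIG is the primary key; older gpg omits it, in
# which case field 3 (the signing key itself) is used.
primary_fprs_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { if (NF >= 12) print $12; else print $3 }'
}

# Look up the label recorded for a fingerprint; prints "unknown" if absent.
label_for_fpr() {
    printf '%s\n' "$EXPECTED_SIGNERS" |
        awk -v f="$1" '$1 == f { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# sha256sums.txt-mikeperry.asc -> mikeperry; empty for any other file name.
name_from_sigfile() {
    local base
    base=${1##*/}
    case "$base" in
        sha256sums.txt-*.asc)
            base=${base#sha256sums.txt-}
            printf '%s\n' "${base%.asc}" ;;
        *)
            printf '\n' ;;
    esac
}

# Args: signature file name, gpg status text.
# Prints "<verdict> <label> <fingerprint>".
classify_signature() {
    local sigfile status fpr label want
    sigfile=$1
    status=$2
    fpr=$(printf '%s\n' "$status" | primary_fprs_from_status | head -n 1)
    if [ -z "$fpr" ]; then
        echo "invalid - -"          # no VALIDSIG line: bad or unverifiable
        return 0
    fi
    label=$(label_for_fpr "$fpr")
    want=$(name_from_sigfile "$sigfile")
    if [ "$label" = "unknown" ]; then
        echo "unexpected-key $label $fpr"
    elif [ -n "$want" ] && [ "$want" != "$label" ]; then
        echo "name-mismatch $label $fpr"
    else
        echo "ok $label $fpr"
    fi
}

# Run gpg on every detached signature over sha256sums.txt in this directory.
verify_all() {
    local sig status
    for sig in sha256sums.txt-*.asc; do
        [ -e "$sig" ] || continue
        status=$(gpg --batch --status-fd 1 --verify "$sig" sha256sums.txt 2>/dev/null) || true
        printf '%s: %s\n' "$sig" "$(classify_signature "$sig" "$status")"
    done
}

# Demo on the constructed sample: a valid signature whose key does not match
# the name in the file name.
classify_signature sha256sums.txt-mikeperry.asc "$SAMPLE_STATUS"
```

Call `verify_all` in the directory that holds `sha256sums.txt` and its `.asc` files; it needs `gpg` with the signers' public keys already imported.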

March 21, 2014

In reply to arma

Permalink

Yes, I use "WebRoot Internet Security". I just turned off Webroot and Tor is working right now. Thank you very much.

Option 1, complain to webroot that their thing is flagging Tor when it shouldn't. Then wait for them to fix it. Apparently this worked once in the past.

Option 2, whitelist Tor in your webroot config. I don't use Windows, so I don't know what you need to click.

Option 3, stop using webroot (and optionally replace it with something else from the same protection racket genre).

Please feel free to chip in with a good option 4 here. :)

March 20, 2014

Permalink

It does not let me update my Tor bundle when I try to write over the same directory. Why is this? It can't extract anything and I have to abort the install.

March 21, 2014

Permalink

Windows 7 - Services

Could someone from Tor please advise if there are any 'Services' that start up automatically which, for the sake of security, users should either change to 'manual' or even 'disable'. Equally, are there any that we should not change to 'manual' or 'disable'?

Thanks

March 21, 2014

Permalink

I'm on Windows XP and found that this issue of Tor has repeatedly either made my PC crash and/or can't be opened at all that I have to resort to 'nude' browsing with Firefox. Is it something to do with the software? This is something very abnormal, never experienced something like this before after some 8 years and I've checked that everything else should be normal.

March 21, 2014

Permalink

I'm downloading a file from hyperspeeds.com at 1.2 MB/s using the latest version of Tor. That doesn't seem possible. Is there something wrong with my program?

March 21, 2014

Permalink

I can't open .onion websites, only "regular" websites. Why? Is it a security problem?

March 21, 2014

Permalink

Just got to the new TBB but every time I try to open it, I repeatedly get "Tor Unexpectedly Exited-Please Restart This Application" with a mini window saying "Tor Launcher-Tor Unexpectedly Exited". Sorry for the noobie question, but this is the first TBB that has done this and I want to get back to my browsing!

March 21, 2014

Permalink

I can run Tor-browser-2.3 on very old hardware: AMD K6-2 @ 500 MHz - RAM: 384 MB.
Starting with version 3.5, Tor will not run on this old computer, it fails when trying to install it, and if I install it on a newer PC and create a zip package to extract in the old one, it also fails when launching "Start Tor Browser.exe"

DrWtsn32:
Application exception occurred
Exception number: c000001d (illegal instruction)

I have Firefox 28 installed and running in this old machine, so the problem is with Tor.
Is this new version using SSE2 instructions?
Any chance to fix Tor to work again with old hardware?

Wow, I haven't seen mention of that processor family in years.

A few things:

a) The Mozilla Firefox binaries are built with Visual Studio not GCC, which does code generation differently. It is worth noting that the official binaries for Linux built with gcc target i686 and will also not execute on your processor family.

b) There is more that is lacking in K6-2 versus what is expected of a modern ia32 processor than just SSE2. The relevant instructions in this case would be CMOV/FCMOV, introduced for the Pentium Pro.

If you can convince the developers that building the bundle with an i586 target is worth the time, then it should work (for now), though it is unlikely that they can spare build engineer time for that task.

Thanks for the info., but according to this my AMD K6-2 is i686, not i586:
i386 - Intel i386/80386 (in 1985) or AMD386 / AM386 (in 1991)
i486 - Intel i486/80486 (in 1989) or AMD486 / AM486 (in 1993)
i586 - Intel Pentium (in 1993) or AMD-K5 (in 1996)
i686 - Intel Pentium Pro (in 1995) or AMD-K6 (in 1997)
i786 - Intel Pentium 4 (in 2000) or AMD-K7 (in 1999)

So, Tor Browser 3.5.3 shouldn't fail with this processor if compiled with i686 target.
Checking in about:buildconfig I see they changed the compiler from "cl 15.00.30729.01" to "gcc v. 4.6.3" since Tor-Browser 3.0.
The last TBB version I can run with this old machine is Tor-Browser 2.4.18-rc-1

No matter which Pentium family the AMD K6-2 is closer to, it doesn't support all i686 instructions. Compiling for the i686 platform means using the CMOV instruction.

https://www.mozilla.org/en-US/firefox/28.0/system-requirements/
Mozilla says it needs a Pentium 4 or newer processor that supports SSE2.
It's probably a bug that it still works on the AMD K6-2, as a result.

Problem with AMD K6-2 began when TBB developers started building with gcc instead of cl (Visual Studio).
Up to TBB 2.4.18-rc-1 they used cl as Mozilla developers, but target never changed, also was i686 with cl, so the "bug" is due to gcc.
I've checked with "about:buildconfig" that up to Firefox 2-0-0-x target is i586, and starting with Firefox 3-0-x target is i686.
From Firefox 3.0.x to 3.6.x Minimum Hardware Requirements are the same:
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater) ...
https://www.mozilla.org/en-US/firefox/3.0/system-requirements/
https://…
So, if it is a bug that Firefox 28 runs perfectly with AMD K6, this bug is seven years old. ;)
Starting with Firefox 4, they only listed "Recommended" Hardware (not Minimum)
https://www.mozilla.org/en-US/firefox/4.0/system-requirements/
By the way, SeaMonkey still has a "Minimum" Hardware requirements page...
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)...
http://www.seamonkey-project.org/releases/seamonkey2.25/#install

Now I've tested the latest TBB 3-5-3 with a Pentium III @ 450 MHz and it works fine!

It's no brain to use tor with WinXP even if AMD K6, at least it's possible to find some another browser and to compile all for i586.
Try to use with i486 with almost zero ram and win98 if you want extremal experience.

"at least it's possible to find some another browser"

Using Tor with any other browser besides Firefox/Iceweasel is explicitly NOT supported and not recommended.

"win98"

Windows 98 (as well as Windows 2000 and very soon Windows XP as well) has not been supported with critical security updates for years now. Using any unsupported OS is downright dangerous. (with the possible exception of a strictly NON-NETWORKED box).

"Firefox/Iceweasel is explicitly NOT supported and not recommended."
Firefox dropped 32bit platforms actually. You need to have more than 4GB of virtual memory to build browser.
It's wrong that such browser only supported, overbloated software with kludges and security holes by design.

This is documented in http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8243

The bug in question is discussing pre-Nehemiah VIA C3, but the brain damage is the same in the K6-2. Code generated with -march=i686 by gcc will use CMOV, and will fail on your processor.

I doubt the tor build people would ever use cl (Visual Studio) to build TBB again as well, given all of the work that has been done on deterministic builds.

This is orthogonal to "AMD K6-2 is a potato and is unsupported by TBB binary packages", but ok, I'll bite.

For what it's worth on Ivy Bridge Linus' synthetic benchmark is faster with CMOV, so there's that (I did increase the iteration count up since the code as is was fairly inconclusive).

There are certainly cases where CMOV would be a bad idea, and the Intel 64 and IA-32 Architectures Optimization Reference Manual has a detailed description of the tradeoffs. There's also at least one GCC bug open regarding cases where CMOV is used when it should not http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56309

There was a patch back in the 2.4.x kernel days (when not-quite Pentium Pro "i686" processors were relevant) that trapped illegal instructions and emulated CMOV in software to allow binaries to run with *terrible* performance for situations like "oh god, fsck on my rescue image is i686 targeted and I have a dinky AMD processor", but it didn't get mainlined AFAIK.

If you stop unneeded services while keeping Tor, then it is even possible to surf some pages.

amnesia@amnesia:~$ free
             total       used       free     shared    buffers     cached
Mem:        384652     369220      15432          0      38244     137200
-/+ buffers/cache:     193776     190876
Swap:            0          0          0

If you need Tor enough to consider a change of operating system, I'd recommend Puppy Linux. It's designed for getting the best performance out of old hardware with very limited RAM and the new Tor Browser bundles work on it. Warning: default user is root - you may want to downgrade to user "spot" via command line for security.

"Warning: default user is root - you may want to downgrade to user "spot" via command line for security."

Most important warning indeed.

Have you had success running TBB as 'spot'?

>.exe

You're running Windows on those specs?

Any version of Windows able to run on such old hardware, with only 384 MB RAM would be an old one that hasn't been supported with security updates for a long time.

I can only hope that your use of this box and certainly your running Tor on it, is for nothing more than testing/playing purposes.

The minimum hardware requirements for Windows XP Professional include:
At least 64 megabytes (MB) of RAM (128 MB is recommended)

WinXP supported with security updates till April 2014.

March 22, 2014

Permalink

TAILS seems to have the same Browser (TBB) configuration? I have questions:

WHY does the new(er) Browser version use WEAKER crypto? **WTF**
On a lot of https://.......... sites, OLDER Browser: camellia_256 / aes_256 etc.

NEW Browser version: max. aes_128 .............*WTF* again.
TLS 1.0 only activated? Why?
And who is responsible for that? I don't really like to know, but please change it.

Plus someone can make 'Connection Encrypted' info useable. Like Seamonkey. Or
why not?
If i would like browsing with thoughtless lollypolly Disney fastfood feeling,IE/Chrome would be my fav.

The new Firefox 30 look is......funny(-:,too

March 22, 2014

Permalink

Re screen-size

Under 3.5.2.1 I posted the following reply on the 17th:

"GK
Thanks for your response. I read the bug report you mentioned. Since I am a relative newcomer to this and I am not very knowledgeable about the workings of computers/browsers/Tor I didn't follow what was said very well.
All I can say is that I have used Tor for about 18 months and have always used ip-check.info as a test, The screen-size (ip-check calls it Browser Window - inner size) has NEVER been rounded to 100.
For Tor versions 3.5.2 and 3.5.2.1 I have also checked it with Panopticlick and (with Javascript enabled) Panopticlick gives the same screen-size as ip-check. IP Check gets the screen size whether JS is enabled or disabled.
Sorry, the above may not be much help but if you can tell me what else to check or which settings to change, if any, I will.
Thanks for your help."

I have just carried out the same tests with 3.5.3 and, guess what, exactly the same results as with 3.5.2 and 3.5.2.1.

If other people are getting 'rounded to 100' screen sizes it is possible that one of my settings is wrong, but I don't know what to do.
Please help.
Thanks

ip-check.info ?

Still plain, unencrypted http. That means an exit node can tamper with the results.

If the JonDo folks behind ip-check can't or won't even bother to make the site HTTPS-encrypted and authenticated, then how can they be trusted?

As you obviously know more about these things than I do, I understand what you say.

However, as I have said, Panopticlick (with JS enabled) gets exactly the same screen-size as ip-check.info, so I think there must be more to it than tampering.

Also, ip-check can get the screen-size without JS.

Personally, I don't trust ip-check. Not that I think it's malicious, but aside from its obvious commercial purpose, it makes up the unsubstantiated claim that a longer stream session such as the 10 minute one Tor uses is bad for anonymity, and encourages naive users to switch from Tor to JonDonym as a solution, calling itself "stateless". In reality, a fully stateless anonymity system like that results in *less* anonymity, as it gives a passive adversary more opportunities to surveil and a greater chance of mounting a successful traffic correlation attack. If I recall, there are even several academic studies that show the reason why rapidly changing circuits is harmful to anonymity. JonDonym doesn't even think to look this up before shouting to the naive masses that their commercial product is superior. It's not just problematic because it's dishonest, but because it gives that company a larger profit at the *expense* of the innocent user's anonymity. That's not all they've done to harm people. Who could forget that backdoor JonDonym added to its software at the request of the German government. With these points in mind, I urge people not to link to services such as ip-check because it lies to people in an attempt to sway them from a more secure alternative. Now, they aren't as bad as some companies (I'm looking at you, HMA), but they still don't deserve the extra traffic that comes to them when there are already plenty of less biased anonymity-checking websites.
/end rant

All valid points.

Additionally, the failure of JonDoNym to use HTTPS authentication by default for ip-check.info (and any other sites of theirs) should give pause to anyone.

I did not mean to suggest that the results you reported were the result of tampering. Nor that I had knowledge of any evidence of such tampering having ever occurred with ip-check.info.

Rather, I was merely pointing-out that the risk exists. And even if it would be determined to be relatively low, the mere failure, whatever the reason, of the JonDoNym folks to implement SSL/TLS across all of their WWW properties seems cause for concern to me.

March 26, 2014

In reply to gk

Permalink

GK

As I have said, I have read the bug report but don't really understand it. All I can say is that with Windows 7 and Tor 3.5.2, 3.5.2.1 and 3.5.3 I NEVER get a rounded window size - Panopticlick (with JS enabled) gets exactly the same window size as ip-check (with and without JS enabled).
To answer your specific question: No, I am not resizing my window. I don't know how to.

April 04, 2014

In reply to gk

Permalink

GK

As you have suggested, I have just tried to create a new ticket but when I go to the page that you have stated I just get:

"TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."

Pls let me know what I have to do.

Thanks

Sorry, I don't know what you mean by: "do you know how to reproduce never rounded widow size?".

If, in fact, I do understand what you mean, I don't have to "reproduce" a 'never rounded" window size, I just have to check it via ip-check.info with or without JS enabled and via Panopticlick with JS enabled.

If I haven't understood you correctly, could you please explain what you mean. Thanks.

March 22, 2014

Permalink

Sometimes when I start the program it just refuses to open. I have to kill it ctrl+shift+esc and restart. This happens on all 3 of my computers. Has been happening since the first 3.x version. What's wrong?

April 15, 2014

In reply to gk

Permalink

It happens randomly. It rarely/never happens with 3.5.3, but it happens often with every other version. Might be coincidental, either way it stinks.

March 23, 2014

Permalink

What happened to the stable and unstable Expert Bundles for Windows? Are we supposed to build our own now? And please don't waste my time by telling me I *should* be using the browser bundle...

March 24, 2014

Permalink

There is a bug in TBB 3.5.3.

I am using OpenVPN to connect to one of the VPN gateways/servers, the protocol is TCP.

Next in a terminal window -I am using Debian- I launched TBB.

When I surf to a website, for example, Tails, I launch a root terminal window and type in the command netstat -rn

The results are:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG        0 0          0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
45.27.157.184   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Notice that on eth0 and gateway 192.168.1.1, the destination corresponds to the IP address of the OpenVPN gateway/server.

The above did not happen with earlier versions of TBB.

I hope Tor developers can look into the above issue.

March 24, 2014

In reply to arma

Permalink

It has nothing to do with (that is, no influence on) what your netstat says your gateways are.

Thanks arma for your reply.

About the steps that I undertook in my earlier post: what IP address will the destination website see? Tor's exit node IP address? or the IP address of my OpenVPN gateway/server? or both?

Would you be able to offer some suggestions on why some websites and forums recommend Tor users to use Tor over VPN or VPN over Tor?

March 24, 2014

Permalink

I was wondering if I need start page and Ixquick which provide proxy and encryption. I noticed in this version of TOR bundle, HTTPS Anywhere is provided. Should I just get rid of start page and Ixquick?

HTTPS Everywhere has been bundled with the Tor Browser for a long time.

You are already using Tor, so you do not need to use ixquick's/startpage's proxy service. Tor provides all the anonymity you need.

If the remote website you visit does not support end-to-end encryption (HTTPS), when it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you).

Startpage is still a good alternative to use as a search engine.

Thanks for the reply. I just noticed HTTPS Everywhere does not encrypt some sites, and what is strange is that ixquicks does allow me to encrypt the same sites that HTTPS does not encrypt, and I can see in the URL address starts with https when I get connected. Can I trust this connection?

That is because that site does not support HTTPS. Your connection to ixquicks proxy is encrypted using HTTPS, but the connection between ixquick and the actual site is not.

"If the remote website you visit does not support end-to-end encryption (HTTPS), when it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you)."

Let's see if we can unpack this...

A web proxy, such as the one ixquick/startpage offers, could indeed tamper with any content it fetches before returning it to you. This is just as an exit node could. But ixquick is far more trusted than a random exit node that could be rogue.

True, sort of.

Also anywhere in the network between ixquick and the destination website could mess with the traffic (just as, without ixquick, anywhere in the network between the exit relay and the destination website can mess with it).

If you trust ixquick more than your exit relay, and also your destination doesn't support https, then it may make sense. This is similar to using Tor to reach your VPN, and then accessing all the destination websites via the VPN provider.

One downside though is that you're centralizing your outbound traffic, such that an adversary who watches ixquick's network gets to see all your traffic, where before maybe they wouldn't get to see it at all. Seeing the outbound side of your circuits is not the end of the world (they need to see the inbound side too in order to win), but it does get them halfway there.

March 24, 2014

Permalink

Why is torrc blank??? I tried writing in it and tor doesn't open...

I overwrote 3.5.2 and am running in a TrueCrypt encrypted drive...

Thanks

torrc is blank because it uses both torrc and torrc-defaults. Only new modifications go into torrc.

As for "I added lines to torrc and now Tor doesn't open", it sounds like you added bad lines. :)

As for overwriting, be aware that this may or may not work for you. If you get weird behavior, try doing a fresh install.

March 25, 2014

In reply to arma

Permalink

same adds---

---------------------------------
ExitNodes {US}
StrictNodes 1
------------------------------
works on 3.5.2 which I am on now... I will try 3.5.3 again but please confirm this is the right ditty...

I just want to save my settings and avoid a fresh install but if I have to I will...

Thank you for your help,,, I am not a complainer just lazy :)

March 25, 2014

Permalink

How do I know if the data between my server and the onion site is actually encrypted? We are told it is but how can that be proved?

Been having lots of problems with Noscript and no longer trust it.

March 29, 2014

In reply to arma

Permalink

With HTTPS, one can verify the fingerprints of the certificate.

Is there anything comparable when it comes to .onion sites?

(A means of authenticating that is comparably simple and quick?)

Tor does it for you.

For normal https, checking the certificate makes sense, because it's signed by one of 300 or more certificate authorities, most or all of which have nothing to do with the website you're trying to reach. The traditional CA model is a disaster.

But for Tor hidden services, the addresses are self-authenticating. Tor will verify, for sure (unless the crypto is broken), that you really are reaching the site whose address you told Tor to go to.

Of course, you have to make sure to be trying to go to the right address. If you click on one from a random website that *looks* like your intended hidden service address but actually it's one letter off, then all bets are off.

March 25, 2014

Permalink

disregard last comment,,, This is TrueCrypt weirdness the overwrite and addition of
--------------------------------------------
ExitNodes {US}
StrickNodes 1
-------------------------------------------

in torrc worked outside of the TrueCrypt container...

I then added the lines
--------------------------------------------
ExitNodes {US}
StrickNodes 1
-------------------------------------------
to the torrc-default in the truecrypt drive and FF did not open but when I pulled the lines out of torrc-default the torrc addition worked as you noted...

Thanks!!!

March 25, 2014

Permalink

Seems bizarre that an app that needs to be kept up to date requires manual uninstallation and reinstallation (plus bookmark migration) on every upgrade. Could the installer not handle this, hopefully including bookmark migration? Preferably via transparent automatic / approved update within the app itself, per normal browser updates.

Thanks to the team for their invaluable work!

March 26, 2014

Permalink

A question to TAILS. =TBB ?

Everytime you open new browser,
connections to check.torproject.org:443 (customs here ! ?) AND

Wikipedia , Google ! Whats that?

My bet is that the favicons for those two sites are not bundled with the browser for some reason, but are required by the search bar. So they are downloaded on first startup.

But that is just a guess.

TBB is Tor plus browser etc. that you install on your HD.

Tails is a linux live disk that includes tor and much else. It is set up so it never writes anything to your HD

March 26, 2014

Permalink

@ Arma,

My system date and time were old (but I didn't know that) due to system problems.
But I saw this after a while, when trying to connect with Tor on the internet.
After changing the system date and time, the problem with Tor was over.

March 26, 2014

Permalink

when right click on the -"Start Tor Browser" (exe) icon- in windows, it says "Date Modified: Saturday, January 01, 2000, 2:00:00 AM" -.... IS IT NORMAL?

March 27, 2014

In reply to arma

Permalink

but MINE DOESN'T SHOW 1999... It shows 2000!!!!!!!! HAS IT BEEN TAMPERED WITH????

March 29, 2014

In reply to arma

Permalink

Arma is saying that the time/date stamp in question (Saturday, January 01, 2000, 2:00:00 AM) is not evidence of tampering.

But, for any download, the only way to actually answer the question,
"HAS IT BEEN TAMPERED WITH????", with any degree of certainty, is through proper verification of the downloaded file. In the case of TBB, this means following the instructions for verifying the digital signature.

March 26, 2014

Permalink

A Tor Browser Bundle repository for linux would be nice. That way updates are handled automatically.

But what would be involved in implementing a sufficient degree of authentication for anything and everything obtained through said repo?

March 27, 2014

Permalink

startpage.com is not safe!! I can't believe you guys are using it as the standard search engine on Tor Browser. startpage tracks your IP address and sends it on to Google. Want to see the proof??? Go search for a normal word. For instance you can search for a company name. Then look at the top results. Look at the sponsored results AND the top non-sponsored results too. They are based on your IP address. If you search from a SPAIN IP address, the first couple of results will be from SPAIN sites. Search for the same term from a US IP address. Results will be from US sites. THIS DOESN'T HAPPEN FOR ALL KEYWORDS. TRY IT WITHOUT USING TOR, then it will be more clear. The results will be specific to your country.

startpage and ixquick SUCK. They send your IP address to Google. They are the biggest online marketing fraud I've seen. If you use TOR you should be protected. Many people don't use Tor and trust them.

"Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?"

they only deduce the location.... then disregard the IP.... hahaha sure.... Trust them with your data

Even if that's all they do with your IP... they are still a fraud and lie in their privacy policy

I think you are right regardless of what startpage says re/ their sending anonymous requests to google. What browser do you use with Tor bundle?

"What browser do you use with Tor bundle?"

Did you, perhaps, mean to write, 'Which search engine do you use with Tor Bundle?"

March 27, 2014

Permalink

Hello
I just wonder;
What happens if I use "vpn gate" and "tor browser" together? I always use vpn gate and then I connect with the tor browser, is it ok? or I could get some security connection problem? Thanks for help.

March 28, 2014

Permalink

Seems to be a problem with the latest TOR and using flickr. If Javascript is enabled to sign on and view albums, with this version the comments do not show up. Tried everything with No Script to fix it but even if noscript is disabled when clicking on 'comments' it just reverts to the image. Could be a no script error or maybe a change with flickr scripts? Any ideas?

Perhaps you had disabled JavaScript via about:config and then forgotten that you had done so?

Another possibility: scripts from other domains than just flickr.com likely need to be enabled for comment functionality.

(Knowing which domains one must enable scripts from in order to get a given function, such as comments, etc., can be quite a challenge.)

Finally, do you have an Ad Blocker enabled?

Downloaded the new beta version and suddenly flickr is working again.

>do you have an Ad Blocker enabled?
Not an independent program, just as part of my firewall. Anyway the beta seems to have fixed it. Thanks for response.

March 29, 2014

Permalink

Hello,

Just installed the latest version of Tor Browser version 3.5.3 and looking at Firefox Addons found two addons that sound interesting. I am not sure if I need them with Tor so any input is appreciated

RequestPolicy: Block images not from site you are on ( advanced privacy ) addons . mozilla . org/en-US/firefox/addon/requestpolicy/

RefControl: Customize or block referrers per site
addons . mozilla . org/en-US/firefox/addon/refcontrol/

Noscript is the only addon I am using, but I did change the value in about:config from https://secure.informaction.com/ipecho/ to http://127.0.0.1/

Thanks

March 29, 2014

Permalink

Does adding more bridges add more anonymity to my Tor session, or not?
By the way thank you for changing the captchas in the bridges page on bridges.torproject.org

Adding more bridges probably hurts your anonymity if anything. The more bridges you have, the greater the chances that one of the bridges is observable by your adversary. The ideal case would be to use one very safe (i.e. well located with respect to your location and the parts of the Internet your adversary can see, and also not operated by your adversary) and very stable bridge. The tradeoff of course is that maybe you don't have one.

This question is very related to the question of how many guards you should have:
https://ocewjwkdco.tudasnich.de/blog/improving-tors-anonymity-changing-guar…

If you click the warning you'll see that the certificate belongs to DuckDuckGo, verifying the connection's security and not the opposite: the server does belong to DDG and so does the certificate.

Copy and paste https://3g2upl4pq6kufc4m.onion and maybe you'll get the same message?

This is the message I get when trying https. I have tried a few times and the result was the same. I have tried many other https sites and all were fine except this site.

MESSAGE------------------------------------------------------------------------------

This Connection is Untrusted

You have asked TorBrowser to connect securely to 3g2upl4pq6kufc4m.onion, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

March 30, 2014

Permalink

Win 7 64
Fresh clean install of Tor bundle 3.5.3 (tried multiple times)
Message from Tor:
Congratulations!
This browser is configured to use Tor.
Test Tor Network Settings
HOWEVER, this browser is out of date.
Click on the onion and then choose Download Tor Browser Bundle Update.

Umm I am not out of date as I've downloaded and installed the latest bundle.
Any fix to this?

April 01, 2014

Permalink

Please make add-on updates disabled by default in clean TBB installs. I made clean install and as soon as I launched TBB it connected to Tor and updated HTTPS-Everywhere to version 3.4.5 even before I managed to open add-ons and disable automatic updates.

It is a known danger that exit nodes can supply tampered add-ons. Even HTTPS is not a solution because powerful enemies can have target server private keys. Lavabit is an example of how they request SSL key copies.

Disabling automatic updates in TBB leads to a huge amount of users never updating their extensions which is bad. That said you should not have encountered the problem you describe in the first place as we a) ship TBBs with the latest extensions installed. Thus, if you update your old TBB in a timely fashion everything should be fine. And b) HTTPS-Everywhere is already shipped in version 3.4.5 since TBB 3.5.1.

April 03, 2014

In reply to gk

Permalink

Probably better solutions to add-on auto updates a) When updating TBB make installer install latest add-ons
b) encourage users to make clean installs (with backing up and later restoring bookmarks) as I do.

Updating TBB by writing over older versions can lead to various unexpected problems in addition to easier browser fingerprinting (various custom settings accumulated from previous versions that could distinguish from clean install of latest TBB).

April 02, 2014

Permalink

I can't see the saved cookies in Browser.
How can I change this odd Browser behaviour??

extensions.torbutton.cookie_protections;false
extensions.torbutton.dual_cookie_jars;false
doesn't help.

April 04, 2014

Permalink

On all tor 3.5 versions, if choose option "use hardware acceleration", tor crushes (exit with error message) at next restart. Such behavior is detected on windows 7/8.

I suspect that the video driver is bad. Install best driver from video card manufacturer website and see what happens. If the crush (lol!) still exists then come back here.

April 05, 2014

Permalink

Hi, I'm getting:

gpg: Signature made Wed 19 Mar 17:25:31 2014 GMT using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "

for the Mac version
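Added example, not part of the original thread or of the Tor Project's verification instructions: a way to tell a `BAD signature` result like the one reported above apart from a missing-key error, and to pin the signer by full fingerprint instead of a short key ID such as 63FEE659, by reading gpg's machine-readable `--status-fd` output. The fingerprint, function names and sample status lines are constructed placeholders; substitute the fingerprint the project publishes.

```python
import subprocess

# Placeholder (constructed, not a real key): use the full 40-hex fingerprint
# published by the project, never a short 8-hex ID, which can be collided.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def classify(status_text, expected_fpr=EXPECTED_FPR):
    """Turn `gpg --status-fd` output into a single verdict string."""
    seen = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            seen.setdefault(parts[1], parts[2:])
    if "BADSIG" in seen:          # data does not match the signature:
        return "bad-signature"    # corrupt/partial download, wrong file, or tampering
    if "ERRSIG" in seen or "NO_PUBKEY" in seen:
        return "cannot-check"     # key missing or unsupported: nothing was verified
    if any(k in seen for k in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG")):
        return "key-or-signature-not-current"
    valid = seen.get("VALIDSIG")
    if "GOODSIG" in seen and valid:
        # First field: signing (sub)key fingerprint; last: primary key fingerprint.
        signer = {valid[0].upper(), valid[-1].upper()}
        return "ok" if expected_fpr.upper() in signer else "wrong-signer"
    return "no-signature"

def verify(sig_path, file_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature; status lines go to stdout (fd 1)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return classify(proc.stdout, expected_fpr)

# Constructed status output for illustration (not captured from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-03-19 "
    "1395249931 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
SAMPLE_NOKEY = ("[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 00 1395249931 9\n"
                "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("nokey", SAMPLE_NOKEY)):
        print(name, classify(text))
```

A `bad-signature` verdict on a fresh download is most often a truncated or mismatched file, so re-downloading both the archive and its `.asc` and re-running the check is the first step before treating it as tampering.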

April 08, 2014

Permalink

no return to connect screen after hitting "open settings" button at start.

I miss the message log from vidalia control panel. it was very helpful if you've a very slow inet connection.

April 08, 2014

Permalink

I just installed TBB 3.5.3 on a Win 7 box by clicking on the downloaded file. However, the installer (1) didn't place anything in the START menu; (2) did not make any type of shortcut on the desktop; and most importantly (3) is not listed as being "installed" in the Windows Control Panel. Is TBB 3.5.3 some sort of a stand-alone product that isn't subject to a normal installation process? If this is the case, where and what executable do I click in order to start the TBB?

Thank you.

SLG

April 09, 2014

Permalink

I have two issues I frequently run into when installing TBB, as I did today on Mac OS X 10.9.2: First, TBB ignores the "normal" OS X way of installing as admin only (possibly additionally permitting them for others, too, as I was sometimes asked), but later using the applications as non-admin user, too. This doesn't work with TBB, but it forces me to install while logged in as the non-admin, who later wants to run TBB, but of course only with admin pass. Just weird.

Second: I have a local Apache webserver at
http://127.0.0.1/some-symlink-directory/
which serves for local development, and it is defined as homepage in all my browsers, but every new TBB refuses to connect.

April 11, 2014

Permalink

Hi dear Tor Team, You're SO great. Thank You, I mean it.

I would want to run two instances of Tor in the same system at the same time, because: I got running some music online flash sound site under Tor in my Linux Mint, but of course, using flash is only good for visual content and so mostly for video and or audio sites, and flash has "low security" in that sense, that it can betray one's IP address. I would want to run another instance of Tor, where I blog. I already realized, that Tor starts slowly to maybe not at all, if the with mostly "US" ending directory, to which Tor is extracted under Linux, is renamed to anything else. But, the directory can be anywhere. So, I put the "Tor2", as I call it, by desktop link merely, into another directory, and if Tor1 from my normal Tor directory is not running, all is well, Tor2 works, and I can have two (or nor so many) sets of "profiles", so to speak, simply by cloning the first normal directory, copying it, into other directories, and always running, which as of now is only so possible, always only running ONE instance at a time. Because: I tried it out just before. It said, "Tor exited in an abnormal fashion", and it EVEN disturbed fundamentally the running Tor(2, as I call it) sound session with that flash site. Though, that the sound, the next playlist item running, on that flash sound site, did not ensue, can be another reason also, since it just now again stopped. Under Tor, okay, I do take some, well, A LOT of respect to Tor, AND I do hope, that loading youtube vids over Tor does not disturb the Tor servers, by the way, since that soundsite is accessing youtube vids, but of course, by going on that other site, I don't have to go directly on youtube. But, also a bug on that other site, which loads no playlist items anymore after any error occurred like "not allowed in your country" (not funny I hate it as we all do!) is displayed, so I'll have to bug the maker of that sound site.
What I would find great, is, if we could run at least two sessions, instances of Tor, at the same time, and those two Tor sessions being able to have fully different settings, different activated, installed plugins and all settings. Would be GREAT. Also, do tell people if the Tor Team does not wish people, Tor surfers, to use Tor for youtube-videos accessed by non-youtube sites, since the traffic amount stays the same. I'd say, there are at least 1000 Tor servers worldwide, and Tor MUST announce it BIGTIME on the FIRST upper part of their website, if people should not overload the Tor servers by accessing youtube or other video sites. Thank You, Tor Team, like Assange, we who are for him and You too in a different, technical way, we are the good Ones. Skol. Cheers.