Tor Browser 3.6-beta-2 is released

by mikeperry | April 11, 2014

The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.

This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.

The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.

This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.

Here is the complete changelog since 3.6-beta-1:

All Platforms
- Update OpenSSL to 1.0.1g
- Bug 9010: Add Turkish language support.
- Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
- Update fte transport to 0.2.12
- Update NoScript to 2.6.8.19
- Update Torbutton to 1.6.8.1
  - Bug 11242: Fix improper "update needed" message after in-place upgrade.
  - Bug 10398: Ease translation of about:tor page elements
- Update Tor Launcher to 0.2.5.3
  - Bug 9665: Localize Tor's unreachable bridges bootstrap error
- Backport Pending Tor Patches:
  - Bug 9665: Report a bootstrap error if all bridges are unreachable
  - Bug 11200: Prevent spurious error message prior to enabling network.
Linux:
- Bug 11190: Switch linux PT build process to python2
- Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
Windows:
- Bug 11286: Fix fte transport launch error

A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.

Comments

Please note that the comment area below has been archived.

I thought the 3.5-4 release

I thought the 3.5-4 release had openssl fixed.

TBB 3.5.4 does indeed have a

TBB 3.5.4 does indeed have a fixed openssl. (3.5.3 did not.)

TBB 3.6-beta-2 also has a fixed openssl. (3.6-beta-1 did not.)

The NSA has exploited

The NSA has exploited Heartbleed bug for years, Bloomberg reports.

Do you still believe in TOR!?

I'm assuming that particular

I'm assuming that particular article is nonsense until somebody shows up with some actual details. I guess it's hot to point at NSA conspiracies these days. But doing it in this case undermines the *actual* NSA conspiracies that we should indeed be upset about.

And yes, pretty much no matter how this particular story goes, you'll still be happier that you used Tor than that you didn't, over the past years. The Internet is a rough place without something like Tor.

what a coincidence, these

what a coincidence, these "reliable sources" just reveal this astonishing information after the heartbleed bug was well known.
Plus, the snowden papers refer to TOR and the NSA try to break it, it also refers to how the NSA have its hands on a lot of ssl certificates, but it doesn't tell a word about the heartbleed bug so far.
Bloomberg is just exploiting the situation to make some buzz in my opinion.

Downloaded, installed and

Downloaded, installed and running on Win 8.1 Pro. 32bit. No problems so far. Thanks for the update!

TBB hangs on 'loading relay

TBB hangs on 'loading relay information'. I have to close TBB and restart it 3 or more times before TBB will connect. I am using PT-obfs 3. Maybe all the obfs 3 bridge relays are busy?

TBB continues to hang on

TBB continues to hang on 'loading relay information'. Eventually connects after several exits and restarts.

Thanks for the rapid update

Thanks for the rapid update to 3.6-beta releases!
There used to be an annoying gap between normal releases and PT bundles.

Newbie question maybe, but I

Newbie question maybe, but I now have Norton Hotspot Privacy VPN. Since I use Tor Browser are there still benefits to using the Norton VPN?

without know the product in

without know the product in question i would say, in general , commercial VPN sw and services are USELESS for maintaining your anonymity.

They work for circumventing DNS/IP range blocking and thats about it.

VPNs can also be useful for

VPNs can also be useful for protecting against eavesdroppers on public/untrusted networks, such as public WiFi.

(But remember that the VPN sees all your traffic. And if you think they won't hand over all they know about you under any pressure...)

If I use vpn then I use Tor

If I use vpn then I use Tor , can vpn see my traffic

I would use just Tor

I would use just Tor Browser. Norton have worked with the NSA and there is a chance their VPN service could log all your activity.

but I now have Norton

but I now have Norton Hotspot Privacy VPN.

Ditch Norton products. Symantec/Norton is a close partner of NSA. Have you heard of Edward Snowden, NSA's whistleblower?

You are wasting your money.

Yup. Didn't know Norton

Yup. Didn't know Norton connexion though. Thanks for pointing it out. What about Hidemyass for anonymous browsing? And Hushmail for email? They were mentioned in Coke Stryker's book, 'Hacking the Future".

Hidemyass is famous for

Hidemyass is famous for turning over some kid who was maybe part of Anonymous. And when he confronted them, the conversation went something like "well, what did you expect, you did something a government didn't like" "but you're named hide my ass!"

Hushmail on the other hand is famous for turning over the mailboxes of its users to various law enforcement groups, despite claims that they technically can't do it. See e.g. https://ocewjwkdco.tudasnich.de/blog/trip-report-october-fbi-conference

The lesson here is that all of these centralized for-profit companies that claim privacy are still in fact still centralized. It's privacy by promise, not privacy by design:

https://svn.torproject.org/svn/projects/articles/circumvention-features…

"Hidemyass is famous for

"Hidemyass is famous for turning over..."

"Hushmail on the other hand is famous for turning over.."

Perhaps you meant to write, 'infamous'?

Thank you for the advice.

Thank you for the advice. Norton subscription cancelled.

how to create windows

how to create windows shortcut for new
identity

Where can I find Vidalia's

Where can I find Vidalia's Network settings page in this version? Thank you.

https://sedvblmbog.tudasnich.de/do

https://sedvblmbog.tudasnich.de/docs/faq#WhereDidVidaliaGo

This method is not

This method is not work-----Linux ubuntu 12.04

Dates of certificate

Dates of certificate issuing:

ocewjwkdco.tudasnich.de (05:CA:*): 2014-04-09
*.torproject.org (09:48:*): 2013-10-22

Are you planning to get a new cert for the latter?

Today is the first time I

Today is the first time I noticed these torproject certs.

*.torproject.org —
SHA1:
84:24:56:56:8E:D7:90:43:47:AA:89:AB:77:7D:A4:94:3B:A1:A7:D5
Serial Number:
09:48:B1:A9:3B:25:1D:0D:B1:05:10:59:E2:C2:68:0A
Issued: 10/22/2013 Exp.: 05/03/2016

ocewjwkdco.tudasnich.de ocewjwkdco.tudasnich.de — SHA1:
DE:20:3D:46:FD:C3:68:EB:BA:40:56:39:F5:FA:FD:F5:4E:3A:1F:83
Serial Number:
05:CA:2A:A9:A5:D6:ED:44:C7:2D:88:1A:18:B0:E7:DC
Issued: 04/08/2014 Exp.: 06/14/2017

If the one for *.torproject.org was issued back in October, why it is first being used now?

Below are the certs I had been seeing prior to today. What happened to them?

*.torproject.org
SHA1:
1F:9D:30:6E:8B:FC:CF:CB:03:98:1A:71:A2:7A:9F:5D:1E:08:76:CE

ocewjwkdco.tudasnich.de ocewjwkdco.tudasnich.de
SHA1:
0E:09:14:64:17:CD:7E:7A:4A:CA:98:C1:8E:92:C2:59:66:85:8D:BA

I asked Andrew, and

I asked Andrew, and apparently we rekeyed the cert in place. Who knew such a thing could be done?

Before fixing the openssl,

Before fixing the openssl, what is bad made to tor user?

https://ocewjwkdco.tudasnich.de/b

https://ocewjwkdco.tudasnich.de/blog/openssl-bug-cve-2014-0160

Is something going on with

Is something going on with the tor network? Connecting with the normal bundle is difficult and using obs3 in the beta is slow.

yes, obfs3 is very slow.

The speed of obfs3 depends a

The speed of obfs3 depends a lot on the speed of the bridge you're using.

obfs2 and obfs3 shouldn't be any slower than normal Tor, if the underlying bridges / relays are the same speed.

Maybe you should spin up your own obfs3 bridge, e.g. on Amazon cloud or some VPS somewhere, and route through it?

Any comment about the

Any comment about the connections to IP 213.163.64.74 immediately after startup ?

That looks like one of the

That looks like one of the 5000+ Tor relays.

I assume you started your Tor, it picked some guards, and now when you start your Tor again it makes some circuits for you, so they will be ready when you try to use them, and one of those circuits was to that guard.

https://sedvblmbog.tudasnich.de/docs/faq#EntryGuards

So in short, "totally normal, and I encourage you to learn how Tor works".

I love how OpenSSL put the

I love how OpenSSL put the whole world in grave danger out of sheer incompetence and no one dared say anything to them.

Welcome to today's Internet.

I have the old version of

I have the old version of TOR running. Can I drop in a 0.9 version of OpenSSL?

The old version? How old? It

The old version? How old? It probably has other major security problems.

how do you update this so

how do you update this so called update erases all existing settings and addons

Yeah, it's not really an

Yeah, it's not really an update so much as an updated version.

See e.g. https://tor.stackexchange.com/questions/318/how-do-i-keep-my-tor-browse… for details.

Were Tor Browser for Mac OSX

Were Tor Browser for Mac OSX also vulnerable? It read that Mac OS X still used Openssl 0.98.

I think the TBB on OSX used

I think the TBB on OSX used a newer openssl, so we could take advantage of the better security from the new ciphers.

So, yes, TBB on OSX was also vulnerable.

Could not connect to news

Could not connect to news media and ocewjwkdco.tudasnich.de over
exit node bandito 1AAB39E97C7E4CFCA585265D17A03F8D3390D841

Other exit node right after that no problem.

Today does not work

Offtopic: Tor 0.2.4.20 does

Offtopic: Tor 0.2.4.20 does not starts on Windows 2000. Where can I get older version of Tor?

Seriously, Windows 2000?

Seriously, Windows 2000? Isn't that, like, unsupported for a long time now?

I think Tor should work there, but I think Firefox (and thus Tor Browser) won't.

If the Tor binary doesn't work, you should file tickets about what goes wrong, and help us fix it. Going to an older version is likely a poor idea -- check out the changelog of things we've fixed recently.

There something wrong tor

There something wrong tor doesn't connect

It looks like 'torrc' ini

It looks like 'torrc' ini file is deprecated.

Where do settings such as limiting exit nodes by country, specifying bridges etc. go now?

thanks

https://sedvblmbog.tudasnich.de/do

https://sedvblmbog.tudasnich.de/docs/faq#torrc

the beta works fine so far

Awesome! Congrats :) Is this

Awesome! Congrats :) Is this version going to keep my local settings when I updated it to the next one (first time I'm using beta)? Thanks!

Not yet,

Not yet, alas.

https://tor.stackexchange.com/questions/318/how-do-i-keep-my-tor-browse…

The bug #9387 changes

The bug #9387 changes ("Disable JS JIT, type inference, asmjs, and ion. ") seem to involve turning off everything which is intended to make JavaScript fast.
Has there been any systematic attempt to evaluate what effect this may have on performance?
Has there, for that matter, been any systematic attempt to evaluate what additional security benefit this brings, e.g. what proportion of past Firefox vulnerabilities would users have been protected against if each of these features were disabled?

Keep up the good work Tor. Much love.