Tor Browser 4.0.2 is released

by gk | December 3, 2014

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.2 is based on Firefox ESR 31.3.0, which features important security updates to Firefox. Additionally, it fixes a regression in third party cache isolation (tracking protection) that appeared in 4.0, and prevents JavaScript engine locale leaks. Moreover, we believe we have fixed all of the Windows crashes that were due to mingw-w64 compiler bugs. DirectShow is still disabled by default, though, to give the respective mingw-w64 patch another round of testing.

Here is the changelog since 4.0.1:

  • All Platforms
    • Update Firefox to 31.3.0esr
    • Update NoScript to 2.6.9.5
    • Update HTTPS Everywhere to 4.0.2
    • Update Torbutton to 1.7.0.2
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 13746: Properly link Torbutton UI to thirdparty pref.
    • Bug 13742: Fix domain isolation for content cache and disk-enabled
      browsing mode
    • Bug 5926: Prevent JS engine locale leaks (by setting the C library
      locale)
    • Bug 13504: Remove unreliable/unreachable non-public bridges
    • Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)
  • Windows
    • Bug 13443: Fix DirectShow-related crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13594: Fix update failure for Windows XP users

Comments

Please note that the comment area below has been archived.

December 03, 2014

As a release version this rightly triggered an autoupdate alert for me. The autoupdater is however seriously broken. This time, in addition to the warning (correctly or incorrectly, cannot tell) that my user profile is missing, I am inundated with additional messages that indicate TBB cannot start because it is executing multiple firefox.exe instances, and I'm fatally looped on each try.

Not sure what is going on, honestly, as I have never seen this behavior. It might be best to start over with a fresh new bundle and check whether the update to the next Tor Browser version behaves the same, which might indicate that there is indeed a bug that is not detected yet.

December 04, 2014

In reply to gk

The new update did block everything on my PC. I could not open Tor anymore. Something is wrong with this update. I had to delete it. After I took it off my PC everything worked fine again.

The Autoupdate functionality is seriously borked. Even though it is supposed to be an option, I have just been downloading the TBB bundle and doing the old 'manual upgrade' route because of the horror stories I have read on the internet.
An auto-updating secure browser sounds good in theory but in practice, considering the number of locations where people might put it? It just does not work.

December 03, 2014

Which one should we use? Tor Browser 4.5-alpha or Tor Browser 4.0.2? I mean, which one is more safe?

December 03, 2014

Great update to the browser. Wondering however why the TBB Bundle was live for hours before this blog entry appeared.

I don't know actually. Looking at my chat log there is just one hour delay between updating the website and getting the updater related pieces sorted out + getting this blog post live.

December 03, 2014

Here's to hoping for the best. Thanks for making the world a bit more private. Tired of living in fucking big brother without getting paid for it, at least :)

Now, now, is that any way to talk of our noble and benign corporate masters?

Not only do they provide sub-par service for bloated prices, not only do they snoop and spy on your every click and keystroke, but then they turn around and sell all that data to the highest bidder.

How could anyone not be grateful?

December 03, 2014

I downloaded TBB 4.0.2 from: https://sedvblmbog.tudasnich.de/download/download-easy.html.en. Next, I clicked on torbrowser-install-4.0.2_en-US.exe with Tor Browser 4.0.1 open on Win 8.1 desktop. I got a message that TBB 4.0.2 install would perform "update". Next got a message inside progress box: "Connecting to Update Server". I canceled the progress box, deleted 4.0.1 TBB and ran 4.0.2 install again and installation seems to have worked correctly. I did not note exact wording of "Update feature" so my comments are from my recollection. I could not find any Tor Browser documentation that ver 4.0.2 would perform an "update" rather than a full install and under what conditions and why would TBB install connect to "Update Server" if .exe file contains complete install. Please document this function so others will not be surprised.

The update is happening within Tor Browser. You don't have to download a brand new version. To trigger an update manually click on the "hamburger" button (menu button), then the question mark on the bottom and then "About Tor Browser".

December 03, 2014

Updated but not synced with available Firefox ESR 31.3.0 functions

- "Page Info" (function)
"Security" info tab, "Media" info tab ("Feeds" info tab) still missing.

All the former and present Firefox ESR versions have these info tabs present (when relevant on webpages).

But Tor just deleted it several browser versions ago.
Does security really matter or not (anymore)?
Why don't we get a satisfying answer to this or is this crucial info-functionality placed back the way it is in the Firefox ESR?

What is the (info & Security) deal here?

December 04, 2014

In reply to gk

Thank you for answering, but

This ticket, as already stated earlier by people, is not complete!

"Media" tab is another important tab that is missing (yes, also important in security / privacy check matters) and the "Feeds" tab as well.
These tabs are also broken (deleted) since Torbrowser version 3.6.6, quite a while now.

So, 4 issues on 3 tabs: "Media", "Feeds", "Security".

Would it be possible to add this to this ticket or make a new one for Media and Feeds as well?

Thank you in advance GK

December 05, 2014

In reply to gk

What about "View Cookies" on that "Security" tab always showing an empty list? Is there supposed to be another place to check what cookies are set, or is this part of ticket #13254, or another bug altogether?

December 06, 2014

In reply to gk

With the cumulative total of time and effort put into managing firefox it seems that a small lightweight browser with basic capabilities (at first), would eventually allow for more effort to be directed toward the main goal...anonymity and security. Look at orweb, from my understanding there is only one developer with maybe a few volunteer bug hunters at the forefront. The TBB team with all of its new experience could design an ugly but usable browser with security and anonymity in mind. Having to patch, rewrite, and audit code every single tedious time a new version of ESR arrives must fucking suck. It likely isn't fun and probably feels like a chore. It's sad that the talented devs working on the TBB use precious time to work on such a monotonous task. For all we know, one or some could have solved a portion of the critical issues tor faces within that time. The tor button was a perfect example of this. Micromanagement leads to exhaustion and eventual loss of interest. As it is the TBB must be maintained but please consider slowly and very carefully building a barebones browser in parallel. Coded to be modular so that members from this expanding community could add the features they desire (initially features like flash, java, pdf, etc). Only audits would then occur on your end or the team itself could write un-convoluted airtight code. I believe experience in the cutting edge of security and anti-surveillance has granted some of the team this ability.

Cheers!

I'm using TAILS 1.2.1, which comes with Tor Browser 4.0.2, right now. "Page Info" shows me three 'tabs': "General", "Permissions" and "Security". I vaguely remember a "Media" tab, now I see it mentioned, but neither that nor "Feeds" appears. I can confirm that the "Technical Details" heading at bottom of "Security" has nothing below.

What bothers me though is cookies. Tor Browser always claims none are stored and "View Cookies" always shows an empty list. I can't believe that there are always no cookies set, and I would really like to check them. It seems to have been the case certainly for TAILS 1.2, and maybe earlier.

Is there supposed to be another way to check cookies? Or, is cookie blindness part of ticket #13254?

December 03, 2014

Does this fix the no-Javascript browser kill which has been scourging the wilds of .onion-land?

(Works on Linux; Javascript not required.)

What?! Please post more details, so some experts can analyze this. Even if this bug was fixed, if there is something crashing the previous TBB on multiple onion sites it would be good to know what it is!

December 03, 2014

Important request at torproject.org

Since Torbrowser is also part of Tails, Tails is part of torproject.org and there is no place to comment on Tails;

please, could someone from the Torproject please ask or tell the Tails developers to make their downloads available over httpS instead of http ?

I just can't believe that such an important (and big, thus long) download is offered over a plain insecure http connection.
(a download of 20/30/.. minutes makes at least 1 or 2 changes of exitnodes, so you cannot 'manage' your download by looking for a 'trustworthy' exitnode to download with because they're changing during the download anyway to another you don't know or maybe is less trustworthy in your opinion).

Wasn't there some recent news about adding malware to downloads on some exitnodes?
Isn't there a general global policy or idea about security within (https)torproject.org about security that all the people from different projects could, should follow ?

Would it be possible to offer all downloads (and all information) from torproject.org via https ?

Thank you very much in advance

The insecure Tails Link : http://dl.amnesia.boum.org/tails/stable/tails-i386-1.2.1/tails-i386-1.2…

As the Tails website itself points out, HTTPS "still leaves open the possibility of a man-in-the-middle attack even when your browser is trusting an HTTPS connection."[0]

Don't trust the CA cartel. If you value security, you MUST verify[1] your Tails download with PGP! Do you check PGP signatures on your downloads from https://oiyfgiixvl.tudasnich.de/? If not, you are opening yourself to attack by anybody who can break into the server and/or coerce a CA to issue a fake certificate. Repeat, do NOT rely on HTTPS only to protect your downloads; this is horrible security posture.

Also, this information is totally incorrect: "a download of 20/30/.. minutes makes at least 1 or 2 changes of exitnodes," Read the Tor docs and src again. An unbroken connection does NOT hop between exit nodes (handoff of the circuit between middle nodes is long proposed, but would not affect exit nodes and is not implemented anyway). It is for this reason, connections to certain ports use nodes marked with the "Stable" flag.

Also, it is not correct that "Tails is part of torproject.org" as the poster asserts.

(As an aside, it may be a good idea to provide Tails downloads via HTTPS for reasons of defense in depth, and toward the greater good of encrypting the entire Web. However, this may also provide a false sense of security... as shown by the post to which this replies.)

I post this, to deter/debunk bad security advice and incorrect information. But it is off-topic; please do not continue here. The Tails release post itself says, "For support and feedback, visit the Support section on the Tails website."[2] If they wanted comments on Torblog, they would enable comments here (duh).

[0] https://tails.boum.org/doc/about/warning/index.en.html#man-in-the-middle

[1] https://tails.boum.org/download/index.en.html#index3h1

[2] https://ocewjwkdco.tudasnich.de/blog/tails-121-out

I agree, tails should have an onion available so that all this MITM stuff isn't a threat. Tails should also not open up to tails website with javascript enabled (as it is by default) as a compromise of tails server with malicious js targeted for tails OS could compromise a lot of users rather easily.

But then again tails devs have been warned for years now that non-persistent guard nodes is a very dangerous security issue, one that they refuse to address, at least for its persistence users.

1) this anonymous hacker totally agrees with you that Tails' default download locations should be HTTPS.

2) I thought there was a ticket about this in the tails issue tracker, but I couldn't find it. I did find this, though: https://labs.riseup.net/code/issues/7161 :/ I do recall that the reason for not having HTTPS mirrors is that they want to use round-robin DNS to balance between mirrors and obviously that wouldn't work with TLS (distributing the private key to mirror operators would sort of defeat the purpose). Wrong decision, imho.

3) the tor project does maintain an HTTPS mirror of the tails website, including the latest ISO and signature, here: https://archive.torproject.org/amnesia.boum.org/tails/stable/

4) in their defense, tails does at least provide file hashes and GPG signatures over HTTPS, though this is difficult or impossible to use safely on a fresh windows system (downloading GPG4win over HTTP -> sad panda)

4) you're mistaken about exit nodes changing during a download. streams cannot migrate to a new circuit in tor's current design. So, any single HTTP(S) download will use the same exit for the duration.

5) choosing a "trustworthy" exit node is easier said than done. internet is a hostile place.

For what it's worth:

Since Tails isn't distributing the large iso-files themselves (maybe because that would be too expensive), HTTPS won't provide much if any security. The mirrors can be malicious either way. SHA256 or GPG must be used. That neither SHA256 nor GPG is available on Windows by default is a recognized problem. The Tails developers are planning to implement or review a Firefox addon which can be used to check SHA256 sums (there is a ticket about it). This should work for users regardless of operating system, but isn't realized yet.

December 03, 2014

Great.
I had problems with 4.0.1 and it kept crashing all the time which was annoying.
I hope 4.0.2 does not crash like the previous one.

December 03, 2014

I believe all the way up to version 3.6 no problems had existed for connectivity to websites. Every release after that has been trouble.
Something must've been taken out of the code or weakened?

Can we please address this Cloudflare issue??? Every other site flags Tor now? It is obvious that when you advertise the browser as Tor... it isn't a common browser name and it is known for obfuscating.

Why don't you spoof the name of the browser as well so it doesn't stick out when a website notices that it isn't a common browser so it blends in with the others?

Everyone knows what Tor is supposed to be about. Instead of advertising it to all of the global adversaries can you look into more unique ways to hide the fingerprints? That is something that should've been taken care of long ago... Thanks

The TBB actually advertises itself to websites as a standard release of Firefox running on Windows 7 (regardless of the OS you're using). Cloudflare recently started detecting Tor exit nodes based on their IP addresses, something that's always been possible and that the TBB can't do anything to avoid. The only thing that's changed here is Cloudflare's policies.

December 03, 2014

On Windows 7 64 bit, updating Tor Browser 4.0.1 to 4.0.2 using torbrowser-install-4.0.2_en-US.exe installer it seems that Torbutton is not updated to 1.7.0.2: both the "Add-ons Manager" and the "About Torbutton" still report version 1.7.0.1.
Also doing a "Check for updates" from the "Add-ons Manager" does not update Torbutton.
I had to use "Install Add-on From File" from the "Add-ons Manager" and select \Browser\TorBrowser\Data\Browser\profile.default\extensions\torbutton@torproject.org.xpi in order to properly update Torbutton to 1.7.0.2 version.

You don't need to update to a new version with a whole new bundle. The update happens now within your browser (see my above answer on where to click). That said, downloading a fresh 4.0.2 en-US Windows Tor Browser gives me a Torbutton 1.7.0.2.

December 04, 2014

In reply to gk

I did not have much confidence in the proper functioning of the new update method... I'll try next time.

December 07, 2014

In reply to gk

However in the Tor Browser 4.0 release announcement, mikeperry wrote: "Please also be aware that the security of the updater depends on the specific CA that issued the sedvblmbog.tudasnich.de HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures."
So my uncertainty using the in-browser updater!

December 03, 2014

The TBB 4.0.2 release I downloaded appears to be signed by Erinn Clark as previously, except I thought she no longer worked for the Tor Project.

Is this correct?

December 03, 2014

Download doesn't complete properly in OS X Yosemite (10.10.1). Firefox .part file loads to about 600KB and then no more downloading takes place.

December 04, 2014

Is there any way to use meek-google in Tails OS?

December 04, 2014

When running the Tor Installer for 4.0.2 on Windows 8.1 - as either an update to existing folder OR as a fresh install - all attempts to execute Tor Browser get the infamous "Couldn't load XPCOM".

Running Tor Installer for 4.0.0 is the only way I could get back.

Any thoughts on how to get 4.0.2 installed? Is there some shared component being saved to the file system outside of the target install folder?

This was a familiar error message. Which antivirus software was it that caused this now again? Anyway, disabling the antivirus software was enough to make Tor Browser work again, if it is the same problem.

December 04, 2014

This version, same as with v4, graphics look unusual at the bottom of browser window, it doesn't refresh properly and keeps bits of previous windows, so looks like it's going to crash (but doesn't). Shading for the tabs at top looks weird too, very blocky. Seems a bit better than previous version 4.0.

But worse with this version 4.0.2 is the fact the downloads view ctrl+J or from the menu, is now just still image, it doesn't update or show info until you refresh, ie just stays on minutes left, download speed, nothing is moving now, before on every version you would see the time changing and speed jumping about. Also if you add a shortcut for the download button to the window frame/toolbar it doesn't do anything. Doesn't show you the download section, minutes remaining nothing now.

What's going on?

December 04, 2014

Download button on toolbar now works properly and times and speeds move about after several closing and re-openings of tor. So that's good news.

The graphics still look weird though at the bottom with old graphics remaining on the lower prob 1cm of the window frame and the browser tabs having a bit of white to the left and right and a rectangle in the centre, so something possibly to do with shading, could this be some opengl graphics problem? Forgot to say before using win xp sp3.

Works for me both with 4.5-alpha-1 on a 32 bit Debian testing and with 4.0.2 on a 64bit Ubuntu Precise box. Not sure what is going on.

December 04, 2014

Why don't the Vidalia and expert bundles for Windows receive any updates any more? They are still at 0.2.4.23 which has been released months ago - stable is already at 0.2.5.10 and 0.2.4.23 is known to be buggy/slow with hidden services.

December 06, 2014

In reply to gk

I've downloaded TOR 0.2.5.10 and if I run tor.exe there is no output to the console.
How can I enable it again?
Thanks.

December 04, 2014

The crashes are not fixed in this 4.0.2 version. 4.0 was crashing from time to time, disabling direct draw slightly reduced crash rate. 4.0.1 was crashing so much that it was completely unusable. It crashed while displaying blank page. 4.0.2 also crashes for no apparent reason.

Please fix these crashes. It is most important to do than making more features. 4.0x series are unusable. 3.6x lineage that was rock stable. I don't want to return to 3.6 because of old Firefox security flaws susceptible to freedom hosting-style attacks.

Windows XP SP3, clean install, two different computers.

December 05, 2014

In reply to gk

I have no realtime antivirus or 3rd party firewall installed. ClamWin does not have real-time engine and using Windows XP built-in firewall. No other software can interfere with Tor Browser too. I suspect this is due to using different compiler than 3.6 series or Mozilla uses.

The error is

Faulting application firefox.exe, version 31.3.0.0, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00019af2.

Please fix this. Tor Browser crashes mostly at random and according to Murphy's law it crashes when most critical manipulations are done.

December 04, 2014

have there been any additional changes since 4.0.1 not noted above, which impact the use of bridges other than obfs3? Asserting others in torrc seems to cause crashes on startup (and "missing profile" messages) whereas such problems did not occur for me in v4.0.1.

December 04, 2014

I have Tor Browser 4.0.0 running on Windows 8.1. When I download and run the full 4.0.2 installer, either a fresh install or an upgrade - I end up with a defective install. Running Tor gets "Couldn't load XPCOM". I can only recover the system by reinstalling 4.0.0.

December 04, 2014

I am new to this blog, but looking at the about:config I saw something that was highlighted in bold that I never noticed before, under the JAVA category: "javascript.default_local ........ value = en-US"

what is this ?

See the changelog above: we spoof the locale for the JavaScript engine now. For instance trying to induce error messages while you are surfing makes them always en-US formatted now while that was not the case before. Bug 5926 has more information.

December 04, 2014

startpage starts to suck massively!
----------------------------------------------------
As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.

Thank you,
The StartPage Team

JavaScript appears to be disabled in your web browser. To complete the CAPTCHA, please enable JavaScript and reload the page.

Just select DuckDuckGo as search engine in the drop-down box instead. They work flawlessly using Tor, and also provide high-quality search results.

December 04, 2014

I am using Windows 7 64-bit.

I accepted the automatic update notification popup window, and it automatically updated Tor Browser from within Tor Browser. It appeared the update was successful, with no error messages.

Now, my desktop shortcut to start Tor Browser no longer works. When I went to the folder and clicked on the "Start Tor Browser" shortcut there, it still didn't work. Only when I went to the Firefox executable in the "updated" folder, did Tor Browser start.

Automatic updates shouldn't change how the program starts up.

Anyone got a clue?

December 05, 2014

In reply to gk

As I described, I simply said yes to the update, it did the update, reporting no errors, and it has broken the shortcuts, including its own. Vidalia also stopped working.

I tried to tweak the settings today, but have resorted to a clean install, just as I have always had to do in the past. So the automatic update feature appears to be buggy for me.

December 05, 2014

When I originally tried to download Tor browser 4.0.2 from this website, my antivirus software, Trend Micro, said, "This file is not commonly downloaded and could harm your computer". My antivirus software also said that this file "Does not have a valid signature". My antivirus software attempted to block me from downloading Tor browser 4.0.2. Also, when I try to connect to the public Tor relays, two messages come up saying "Unable to connect to Tor" and "You do not have permission to use Tor". I downloaded Tor browser 4.0.2 from this website, over the default https connection.

So my point is, my antivirus software is falsely detecting that Tor browser 4.0.2 is a virus, and I think that my ISP is blocking my connections to the public Tor relays. I live in Australia and Tor is legal to use here; my ISP shouldn't be blocking my connections to the public Tor relays. I have used Tor for years and have never had this bizarre problem. So how can I get to use Tor bridges to circumnavigate this blocking to the public Tor relays?

The "You do not have permission to use Tor" line sounds like some other application or part of your operating system -- it's not a message that Tor Browser would give you.

So I think it is still something wrong on your system, not censorship that your ISP is doing to you.

December 05, 2014

Any reason why in 3.6 if you closed an open tab a new tab opened. In 4.2 if you close an open tab the whole program shuts down. Anything different in settings that can fix that?

Thanks

December 05, 2014

This page now comes up when I try to do a StartPage search. This has never been the case before this update:

"As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.

Thank you,
The StartPage Team

JavaScript appears to be disabled in your web browser. To complete the CAPTCHA, please enable JavaScript and reload the page."

Why is StartPage now requiring me to enable javascript in Tor Browser to do a search? I thought they were all about privacy?

Duckduckgo as a search engine also has an onion site: it apparently is more highly dedicated to privacy than other search engines like StartPage.

Startpage/Ixquick has been around for a long time and doing a great job protecting its users from tracking. There was a similar issue a while ago when TBB first defaulted to using them as the default search engine but they worked with Tor project reps to resolve it. Maybe they are getting a larger volume of traffic from the top exit nodes than they planned on and haven't adjusted their filter to keep up.

Because StartPage feeds off its users like a google leech. It's all about data mining with false promises of privacy hopes & dreams.

Let's see StartPage staff challenge me on this.

December 05, 2014

http://ip-check.info no longer works.

I put a shortcut to ipcheck.info in my bookmarks tool bar, and when I click on it it just spins and spins, and nothing happens. Then, if I click on the shortcut again, the opening window comes up. This behavior makes no sense.

Then, when I click on "Start Test!", it does absolutely nothing.

This is new behavior that only began on the 4.0.1 update, and continues in 4.0.2

ip-check.info works correctly in Firefox.

"ip-check.info"?

Last I checked, site was a plain, unencrypted, unauthenticated http; not httpS SSL/TLS.

That means when you visit the site, you are at the mercy of your exit node, which can tamper with and manipulate the content.

And yet people continue to take this "ip-check.info" seriously?

Am I missing something here?

December 06, 2014

why is mixed content (https + http) allowed by default?

This is significantly less secure and isn't firefox's default with the used browser version for active content. So why go out of your way to reduce the security of tor?

- Mixed content
I agree, but it is Firefox default to allow this while it should not.
You can toggle this off in the about:config preference

security.mixed_content.block_display_content

By clicking on it from "false" to "true" you won't have the mixing http content anymore.
Meaning fewer images on the mixed content sites (you can't have everything).

- Simple Toggle button?
To me it would be ideal if there was a toggle button for that preference in (Tor)browsers, or NoScript, Torbutton or other addons like an Adblocker addon (such a pity that I can't make addons).
If people could and would not accept the mixed content 'thing' anymore when a browser offered them to do so, then maybe websites would change their bad security habits and users would be more secure.

- About security, SSLStrip MITM Attack
By the way, would an sslstrip attack work on an exitnode in mixed content cases?
And if so, could it be recognised by the user the same way; in the url bar by showing only a http connection instead of an https connection? (assumed you were planning to visit a https website and very sure expecting to have a https connection?).

But people usually maybe won't notice the difference missing visual security indicators that easy (even in case of possible visible social engineering like a moving extra generated fake lock-icon to the tab-icon space. "Look I see a lock-icon so I guess it's 'safe'!" ?).

In those cases it would be nice if people could consider in advance to switch off the mixed content (about:config preference) function and switch it on again when they think they need it.
Like using NoScript in strong security modus, only activating javascripts when you really really need them (the ' Very-"High"-custom Torbutton modus ' in Torbrowser 4.5 alpha).

- Change it yourself?
Anyway, so people who are concerned about security can manage this setting themselves in the about:config.
And if enough people are concerned about this and change this setting in 'refusing standard', you also won't be that more unique anymore.

December 07, 2014

Harrumph!

The issue on my XP not being allowed to designate an alternate download file has now been fixed. Well done. Imho it was always redundant anyway. Thank y'all very much!

For all XP sp3 32 bit users who haven't heard the good news.

DOS updates are available through to April 2019. Google "extend XP updates" for details. I've been using it successfully since June 2014. No issues at all. Regrettably, this don't apply to the 64 bit architecture.

Now all you bustards at Tor - GO HOME! You've done enough this year! It's the holiday season an' you should be kicking back in the sunshine.

Oooops, I forgot! You're going to be shoveling snow out of driveways instead. LOL

December 09, 2014

On my Windows 7 Enterprise-System Tor Browser 3.6.5 runs perfectly. Tor Browser 4.02 and Firefox run (as I can see in the Task Manager) but I can't work with it, because no window appears.

December 09, 2014

GData blocks 4.0.2 due to suspicious code. 4.0.1 is fine however.
Same for the Alpha

December 10, 2014

For all XP sp3 32 AND 64 bit users who haven't heard the good news.

DOS updates are available through to April 2019. Google "extend XP updates" for details. I've been using it successfully since June 2014. No issues at all.

You would need to hunt around a bit on these sites to find the 64 bit tweak. Check the original blog for a link. It's there, I've seen it.

December 13, 2014

The most recent iteration of FF takes around 15 seconds to load onto my screen.

TBB 4.0.2 takes around 10 seconds longer.

TBB is no longer the clunky and slow app which it was 8 or so years ago.

So why would I still need FF as a poor substitute for IE8? To my tiny mind FF has just too many tracking and monitoring devices for my "overhead" costs.

Just remember to keep a fresh copy of Favourites/Bookmarks handy for importing into the latest TBB version and you're done.

December 14, 2014

I get lots of random crashes since 4.0.1 on XP. Seems Firefox sucks more and more, maybe get rid of it and use a better browser?

No worries at all with the Expert Bundle. Tor+Privoxy FTW! :-)

December 18, 2014

The new version of TOR browser is nearly unusable on my XP SP3 installation, so I've been forced to revert to 3.6.6. The tab bar colors are all messed up, and mouse wheel scrolling isn't working at all, on any pages or menus. Also, I can't even see the about:config menu, because it's been changed to use fixed colors instead of the OS colors, which don't play nice with the dark windows theme I'm using.

I attribute most of these problems to the shitty Australis UI, and they aren't fixed even after installing CTR, so I give up. I've spent too much time trying to fix it already. Can the TOR project please consider an alternative browser base like Pale Moon? I won't be updating as long as Mozilla is bent on pushing such a buggy, crippled UI.

December 19, 2014

According to http://ip-check.info/?lang=en, dom.storage.enabled is enabled and this is a problem. The site recommends changing it to false.

Is it a wrong setting of 4.0.2? Will you fix it in the next update? ty

December 22, 2014

Wouldn't it be better to just add an http-proxy interface to the Tor client? Maybe with simple header rewriting to unify the user-agent and such. Should be easy enough to do, right? Any browser could be used then without worrying about DNS-leaks from socks. Bundling such a monster browser as Firefox is hard enough, let alone making it secure. It's not a big step from a crash to an exploit and we have seen how users were deanonymized on Freedom Hosting. It's no good when everyone is using the same browser. Some diversity would protect us better from attacks.

December 26, 2014

In reply to arma

That's surely great, but what does it help when Firefox crashes all the time? A better browser with a lean and safe code base is needed here, not a mainstream jack of all trades browser that is not built with anonymity and security in mind from the start.

Don't get me wrong, Tor developers do a great job in getting this monster secure, but Tor would benefit a lot more if they didn't have to fight with the browser so much and could concentrate on the core more. Maybe Firefox developers want to work together with Tor and not just pump out new features? Maybe fork and gut it out? I know there's not really another browser that would be suitable.

Ok, there is still Tails of course. Brings its own OS with the browser.

December 26, 2014

Complexity is the enemy of security. Bundling a whole browser must be a nightmare already as it is.

January 11, 2015

obfsproxy.exe and fteproxy.exe unable to run on Windows 8.1 x64:

fteproxy.exe:
Traceback (most recent call last):
  File "fteproxy", line 14, in <module>
  File "fteproxy\__init__.pyc", line 13, in <module>
  File "fteproxy\record_layer.pyc", line 6, in <module>
  File "fte\encoder.pyc", line 11, in <module>
  File "fte\dfa.pyc", line 6, in <module>
  File "fte\cDFA.pyc", line 12, in <module>
  File "fte\cDFA.pyc", line 10, in __load
ImportError: DLL load failed: The specified module could not be found.

obfsproxy.exe:
Traceback (most recent call last):
  File "obfsproxy", line 15, in <module>
  File "obfsproxy\pyobfsproxy.pyc", line 12, in <module>
  File "obfsproxy\network\launch_transport.pyc", line 2, in <module>
  File "obfsproxy\transports\transports.pyc", line 6, in <module>
  File "obfsproxy\transports\scramblesuit\scramblesuit.pyc", line 20, in <module>
  File "obfsproxy\transports\scramblesuit\mycrypto.pyc", line 9, in <module>
  File "Crypto\Hash\HMAC.pyc", line 66, in <module>
  File "Crypto\Util\strxor.pyc", line 12, in <module>
  File "Crypto\Util\strxor.pyc", line 10, in __load
ImportError: DLL load failed: Invalid access to memory location.

January 12, 2015

When I right click a link that has a binary file (e.g., PDF file) and select the "Save Link As" option, sometimes I get a "Download External File Type" dialog, and other times this dialog is being bypassed and I just get a file name and directory selection "Save As" dialog. How do I force always getting the Download External File Type dialog, for any file type?