Tor Browser 4.0.8 is released
A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.
This release contains a fix for the update loop issue present in 4.0.7. It is otherwise identical to that release.
Both 4.0.7 and 4.0.8 contain an update to the included Tor software, to fix two crash bugs in the version of the Tor software included prior to 4.0.7. One crash bug affects only people using the bundled tor binary to run hidden services, and the other crash bug allows a malicious website or Tor exit node to crash the underlying tor client by inducing it to load a resource from a hidden service with a malformed descriptor. These bugs do not allow remote code execution, but because they can be used by arbitrary actors to perform a denial of service, we are issuing a security update to address them.
There will be no corresponding 4.5-alpha release for this fix, to allow us to focus on stabilizing that series for release in ~2 weeks.
Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.
Here is the complete changelog since 4.0.6 (covering 4.0.7 and 4.0.8):
- All Platforms
- Bug 15637: Fix update loop due to improper versioning
- Update Tor to 0.2.5.12
- Update NoScript to 2.6.9.21
Comments
Please note that the comment area below has been archived.
the
the https://sedvblmbog.tudasnich.de/download/download-easy.html links to 4.0.6 which isn't available either.
Works for me?
Works for me?
Hijacked Firefox browser
Hijacked Firefox browser ..new install! Made a post using Tor and Got a security threat that took over firefox and My DNS! when I cleaned Firefox..it pointed to a joining of Tor with Firefox that my firewall killed all connection! had to do a backup and a browser reinstall!
"We've also made
"We've also made improvements to our display resolution fingerprinting defenses to automatically resize the browser window to a 200x100 pixel multiple after resize or maximizatio" what happend to this? i can still resize the window however i see fit in 4.0.8
Are you perhaps getting the
Are you perhaps getting the stable Tor Browser 4.0.x versions confused with the experimental Tor Browser 4.5.x versions?
well that´s confusing. so
well that´s confusing. so there are updates released individually for two different versions? When can we expect 2.5.x to be released as "stable"?
Usually alpha and stable
Usually alpha and stable updates are released almost simultaneously. So, yes, to your first question. 4.5 should be the new stable next week or the week thereafter.
oh ! what a soon . thank
oh ! what a soon .
thank you for your great hard work.
Good job
gpg --list-sigs
gpg --list-sigs 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15
uid Tor Browser Developers (signing key)
sig R 8B9E4469 2015-03-15 [User ID not found]
sig CD62C2F3 2015-03-25 [User ID not found]
gpg --recv-keys 8B9E4469 CD62C2F3
gpgkeys: key 8B9E4469 can't be retrieved
gpgkeys: key CD62C2F3 can't be retrieved
normal?
It's fine to have signatures
It's fine to have signatures from keys you've never heard of or can't fetch.
It's the keys that you *can* fetch, and consider trust in, that you should be looking at.
i feel Alpha version is
i feel Alpha version is faster and lighter than stable version !Does someone else has experienced it?
Me 2 do agree with U
Me 2 do agree with U
I absolutely love the new
I absolutely love the new feature of running Tor as a VPN on Android. We totally need this feature on PC too!
me too
me too
Having Tor function
Having Tor function similarly to a VPN is a dangerous route, given that a major reason for such a setup is to allow users to use software that does not have or respect proxy settings to be routed through Tor. Software like that (if it's closed source) could easily be designed to NOT use a VPN connection and use methods to connect directly without going through the VPN-like Tor.
My Tor asked me if I wanted
My Tor asked me if I wanted to update to 4.08. I chose to accept. It then installed. I also saw under the Window menu a "software update" option.
I found it a bit suspicious later because I thought you could only manually update directly from the website. I decided to then reinstall 4.08 by downloading straight from the website. All of a sudden I no longer see a "software update"option under the Window menu... only 'minimize' 'zoom' and 'about..' Should I be concerned that the auto-update I initially experienced was not a legitimate software bundle? Was I hacked?
I viewed a pop up window
I viewed a pop up window that asked to update to 4.08. I did. Then tor browser would not run. The error message is XPCOM will not load.
This probably is a dumb
This probably is a dumb question (on this blog with many savvy posters). I installed the latest version (4.0.8) today and, unlike with prior new updates, couldn't figure out how to change the home page to one I prefer. Please help. Thanks.
Go o Tools--Options-Gwneral
Go o Tools--Options-Gwneral nd change the URL
Question on the preferred
Question on the preferred way to update:
TBB can be updated in-place via Help -> About Tor Browser (works similar to how regular Firefox will update itself in-place.) After this in-place update, About Tor Browser reports the current correct v4.08. However, plugins must then be manually checked/updated.
Is this process the same as / better than / worse than "updating" TBB by downloading and running the "torbrowser_install_xxxx.exe" package? How should TBB updates be correctly performed?
I'd say it's about the same.
I'd say it's about the same. The only exception might be if you want to verify signatures before installing a 4.0x package. In that case, you'd have to download the bundle in order to verify it. In 4.5x, I think (but am not completely positive) it's going to have signature verification built into the self-updater, so at that point there will be even less of a difference between the two update methods.
A very good question! Please
A very good question! Please answer on this, thanks!
Is it okay for me to update
Is it okay for me to update https everywhere to ver 5.0.2? Because TBB 4.0.8 still uses ver 4.1.3
Good Question! Please answer
Good Question! Please answer on this, thx.
After New Identity change
After New Identity change Tor often stops working(pages do not load).
Is this reproducible? If so,
Is this reproducible? If so, how?
You can use
You can use https://github.com/CrowdStrike/Tortilla
To make it accross all connection on Windows
When was version 4.0.7
When was version 4.0.7 released?
Why is it that my Tor browser version 4.0.6 was unable to detect/inform me that version 4.0.7 was released?
Note: In the settings for version 4.0.6, I have the chosen the option of being informed of any upates via my Tor browser.
Because 4.0.7 was pulled
Because 4.0.7 was pulled almost immediately due to a severe bug: https://ocewjwkdco.tudasnich.de/blog/tor-browser-407-released has some information.
arma, as a Tor developer,
arma, as a Tor developer, what do you use to program? Like Vim or Emacs?
+1 what?
+1 what?
Segfault at exit - select
Segfault at exit - select File/Work Offline and close the browser.
This is
This is https://bugs.torproject.org/10761 and should be fixed in the 4.5 stable and the next alpha version.
Is there a way to enable
Is there a way to enable "limited script" for Tor users? This would allow Javascript that makes a web site function properly but disable any code that accesses identifying information. It is likely that Facebook is identifying Tor users which would make it easier to identify everybody else.
Another idea is to give priority to users of little bandwidth over users who are using massive amounts.
And another thought: I suspect that major email providers are blocking clearnet emails from darknet email providers. Even if they are allowed through in some cases, the darknet email providers need to have a delayed send feature. Otherwise the timing of Tor access can be correlated with the timing of an email.
I prefer this too "limited
I prefer this too "limited script".
If we cant trust java among
If we cant trust java among the reasons are security issues revealing our your identity +++, why are we forced to enable java to use the Atlas?!
Anon
Atlas use handful of
Atlas use handful of javascript modules - thus requires a temp allow to render said content.
If you wish to work on a solution for the former caveat regarding sec, can one suggest contributing to the project (ala, https://git.torproject.org/atlas.git).
Anoone
your reply doesnt help it
your reply doesnt help it merely shifts the responsibiity to the Tor user
Anon (Original Poster)
your comment states the
your comment states the obvious "uses a handful of javascript...", yes, thats what this is about java/javascript
Anon (call me no-java-please)
Java =/= Javascript.
Java =/= Javascript.
как на русские
как на русские поставить язык
Regarding my previous
Regarding my previous comment, I did not intend to come across as purely critical. It was my intention to kindly offer suggestions. Tor is free and a great tool. I know that a lot of volunteer work from experts and resources are put into this project. Thank you.
>Tor is free Tor is NOT
>Tor is free
Tor is NOT free: the devs putting their hearts and minds and time and effort are payed for by donations. PLEASE stop saying Tor is free! it's obviously NOT!
are you paying to use it?
are you paying to use it? Probably no. So basically, if you don't pay or even give a donation you use it for free.
You don't understand the
You don't understand the concept of "free software." Tor is licensed under BSD and Tor Browser under GPL. That makes it free software.
What makes you think Tor
What makes you think Tor Browser is licensed under the GPL?
How do I get "Trusteer
How do I get "Trusteer Rapport" to work on Tor v.4.0.8?
Getting this on
Getting this on forums.hardwarezone.com.sg, can't log in also.
This Connection is Untrusted
You have asked Tor Browser to connect securely to secureforums.hardwarezone.com.sg, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
for me it says that it is a
for me it says that it is a virus 4.0.8,i cannot use it
Previous versions blocked
Previous versions blocked the popup ads now they coming streaming through. Any way to stop them?
Not sure what you mean but
Not sure what you mean but Tor Browser is not shipping with any ad blocker. And we changed nothing in this regard compared to 4.0.6 either.
a firefox addon "ad blocker"
a firefox addon "ad blocker" would have helped you but I dont think its being developed anymore...
While not specifically an
While not specifically an add blocker, disabling javascript can significantly reduce the number of popups. Have you changed how you're using noscript? Also, are you sure that the website(s) in question haven't changed behavior?
Appeal to Tor
Appeal to Tor developers:
Please elect a scripting language/programming language to replace java/javascript and continue to build on that..
we cannot trust java
as a user we have very little control of java apart from disabling it with noscript in the browser
what would be nice (not making this Tor developers responsibility here), is a sort of app-firewall/apparmor for java or a COMPLETELY security safe java-like to replace the existing java which is being rammed down our throats; java is being used because developers (java) are lazy and want to code once, well guess what python, perl etc also runs on many platforms...
Its simply a contradiction here, Tor users are "advised" to use noscript to disable javascript yet developers continue to expand on its use especially with the Tor apps.
no-java Anon
You will confuse many people
You will confuse many people by continuing to say 'java' when you (I think?) mean 'javascript'. They are two totally different things.
however java, javascript,
however java, javascript, jvm are interrelated in the context of a browser session, a Tor user expects use with maximum security possible.
perhaps my previous comment should state "javascript" then...apologies
no-java Anon
No; Java (which uses the
No; Java (which uses the Java Virual Machine) and Javascript (which doesn't use the JVM) are not in most cases interrelated. Yes, you can use javascript to for some (extremely limited) control of java applets, but from a security standpoint they are two very different technologies. Please, research the issue before posting; there's plenty of information on the web about Jav and Javascript and the difference between the two.
but javascript seems to be
but javascript seems to be associated with popups, adsite on a page, loading adsite for every godam webpage these days I know noscript deals with lots of things.
nothing personal, but I have no interest in either i just want the page from the domain I'm browsing.
thankyou for clarification
no-java Anon
From Torbrowser's
From Torbrowser's perspective, ads and popups are near to the end of the list of concerns from javascript. They're not at the end but they make tracking easier. Of course you don't need either of them to track with javascript, and there are more dangerous things than tracking that javascript can accomplish.
I appreciate that Tor
I appreciate that Tor developers have core pieces to look after
security is important but, from our perspective, popups and ads are *king nuisance have spoilt the internet experience
i dont care about ads helping to finance something, get a million billion dollar corporation to pay for it, same logic as food packaging don't make it the consumers problem get the manufacturers to comply thats the source of the problem.
remove porn, ads, popups, marketing depts pull push bs and we would have a better world.
non-java Anon
yes netscape called it that
yes netscape called it that for so called marketing purposes
they intended to confuse and they've succeeded.
whatver its called its sh*t
thanks
no-java Anon
dart is or was google's
dart is or was google's replacement for javascript however
http://www.infoworld.com/article/2902074/javascript/google-dart-will-no…
http://tobyho.com/2010/03/11/how-much-of-the-web-actually/
is actually quite interesting how ebay site is still relatively functional without javascript enabled proof of what is possible depending on the code and whats required.
Tor
as security sensitive Tor, onion and hidden services are why consider using javascript at all?
are the inclusions deliberate? are some aspects of insecurity included for some purpose?
a lean Atlas page displaying just the facts isnt as sexy as it is current but then who cares how pretty it looks I'm using the Tor bundle with security in mind?!
no-java Anon
CSS3 replaces javascript
CSS3 replaces javascript functionality
http://www.techrepublic.com/blog/web-designer/css3-technology-replaces-…
no-java Anon
That's only an (extremely
That's only an (extremely limited) subset of javascript. It's hardly a replacement.
its a start isn't it
its a start isn't it !?
no-java Anon
It really isn't because
It really isn't because there's no intention to expand it to include all of javascript's functionality and if it was expanded there's no reason to believe it would be safer.
so what would be "safer" in
so what would be "safer" in this case?
non-java Anon
why are we forced to enable
why are we forced to enable ecmascript which we don't believe is safe?!
non-java Anon
First of all, Java =/=
First of all, Java =/= Javascript; in fact, they're not remotely related from a technical standpoint. Javascript was originally named livescript but was remained to Javascript for marketing reasons after the first Java plugin was made for Netscape (some type of 'wave' of "Java-" technologies.)Second, Tor project developers are hardly ramming javascript down anyones throat. Sure, the web is more and more dependent on javascript every day, but it's not like someone can simply write a replacement for javascript and expect all the web developers to move over, especially when a scripting language is only supported by it is only supported by one browser. Microsoft tried that with vbscript back when IE held far more of the market share and they failed. That's not even mentioning the fact that coders would have to recode everything and despite what you think, that's a substantial job especially given they'd have to learn a whole new language to code with. In addition, any new language, like any new piece of software, is going to be buggy; such a solution is going to add to the number of security vulnerabilities in the initial period. That's where a good number of the Javascript security threats are: bugs. A new scripting language is simply adding to that problem; sure, Javascript was not designed with all of the threats that Torproject thinks about but those threats aren't the only or even primary reason to disable Javascript. Yes, disabling Javascript is the easy answer (Torbrowser contains patches to make Java itself incredibly hard to enable,) but that's because for most users that all they need to know. However, if you're going to give actual suggestions or make appeals it might be a good idea to know what you're actually talking about. It may be cool to jump on the Javascript hating bandwagon, but if you don't know why you're there you really aren't in any place to give advice.
further web
further web searches
netscape called it javascript for marketing purposes but has no relation to java (and jvm); intention was to confuse with the jargon and its still called javascript to this day.
alternate names -jscript even suggests 'Java', or its original 'ecma'
without javascript enabled on a webpage we get just the main content, i have no all interest in scorecardsearch, adtech, every other useless adsite popups and related (thank god for noscript)
I think most people would agree we can do without the crap bolted on or called by javascript on just about every website these days = "rammed down our throats". my earlier comment doesnt say nor did I suggest it was just Tor browser teams its webadmins everywhere, surfing the web is not as pleasant experience as it was decades ago.
thankyou Tor developers for the great work.
no-java Anon
First of all, popup ads
First of all, popup ads aren't nearly as bad as they used to be. After several years of most browsers having some limited form of blocking, their prevalence has definitely decreased as they aren't worthwhile from a revenue prospective. Second, javascript does far more than just ads. In fact, that's why in most browsers you can't simply disable it like the old days. Firefox (and therefore Torbrowser) uses javascript internally to do a whole bunch of things; it wouldn't work without javascript. Of course, that's separate from javascript from external sources.
achieve the same without
achieve the same without ecmascript
non-java Anon
are you suggesting we just
are you suggesting we just enable javascript and wait for an ad related bit to do something and then work out if it was malicious or just a nuisance?!
non-java Anon
new software, buggy -thats
new software, buggy -thats not supposed to be an excuse for not using it, oh I just forgot developers want to develop and not go back and doing any fixing.
i answered 'ramming' in another post
i and many other will continue to block and disable ecmascript till it dies a death and never returns.
thankyou for your explanations
no-java Anon
Software being buggy is a
Software being buggy is a very good reason not to use it when dealing with security; Javascript bugs are after all the number one reason to disable javascript. A bug in a webbrowser can easily be exploited to do a whole number of nasty things, like infecting your system with a trojan.
clue: apache non-java Anon
clue: apache
non-java Anon
coders will have to
coders will have to recode...
technology comes and goes all the time, entire websites are rewritten all the time how is that different from any other week, month?!
no-java Anon
Yes, and every line of code
Yes, and every line of code can be buggy and that bug could be exploitable. Of course, that's true with old code as well, but the old code has had time for people to find the bugs. By the way, entire websites aren't rewritten all of the time. Most major (big) websites are significantly compartmentalized and they change one piece at a time; they don't throw out the whole thing and start over unless they have too.
But that's missing another major point: Any replacement for Javascript that handles most of the use cases for Javascript is going to have the same problems as javascript. It's not like we don't already have several different implementations of javascript already.
Tor Service Help I have
Tor Service Help
I have windows 7
I updated to 4.0.8 when the update message appeared. Now when I try to open the browser it hangs up while loading (the green screen line stops moving half way along).
Downloaded 4.0.8 directly from the web, same results.
Any suggestions?
Thank you for your support.
Hey Guys Isn't This Tor
Hey Guys Isn't This Tor Version Compact With IDM (Internet Download Manager)
it Help Download accleration
I don't know what you're
I don't know what you're talking about, but it doesn't sound good.
Why should you trust a piece
Why should you trust a piece of closed-source software that might be leaking everything you do on your computer for "Download Acceleration," a task that has many other open-source solutions?
is not appropriate to add
is not appropriate to add extensions
Since installing the latest
Since installing the latest version of tor last night AVG antivirus keeps blocking tor from running
AVG has never done this before, If i turn AVG off then tor will start and run
Any ideas?
what do the avg logs
what do the avg logs say?
no-java Anon
IDP Generic Whitelisted
IDP Generic Whitelisted
AVG says..Threat blocking
AVG says..Threat blocking tor.exe
try add the .exe in the
try add the .exe in the exception list
no got avg to test it for you sorry
no-java Anon
Hello, I just tried to
Hello, I just tried to download and launch this newer version and I keep getting a (firefox.exe) error which prevents the browser from launching. I tried a number of different approaches and they all have failed. Some insight or tips would be appreciated.
sqlite is
sqlite is buggy,exploitable.
Should be patched.
tor could not connect to tor
tor could not connect to tor control port
how can i access
Since this release opening
Since this release opening the tor browser bundle is very slow for me. It used to take max 5 seconds with the previous release, now sometimes I have to wait 10 minutes. Why is this happening?
I just download
I just download
tor-browser-linux64-4.0.8_en-US.tar.xz
tor-browser-linux64-4.0.8_en-US.tar.xz.asc
and the key used to sign the tar file is
gpg: Signature made Thu 09 Apr 2015 10:44:53 AM PDT using RSA key ID D40814E0
gpg: Can't check signature: No public key
I can NOT find this key on the key signing page.
Opps - the RSA key ID is the
Opps - the RSA key ID is the last 8 characters.
The primary fingerprint appears to match but this no fingerprint for the RSA signing key of D40814E0. Where can I find the fingerprint?
https://sedvblmbog.tudasnich.de/do
https://sedvblmbog.tudasnich.de/docs/signing-keys.html.en might be what you want. You can import the Tor Browser signing key with its subkeys and then e.g. check with your local GnuPG.
about:config experiments.enab
about:config
experiments.enabled;true
network.http.sendSecureXSiteReferrer;true
beacon.enabled;true
?????????
media.video_stats.enabled;tru
media.video_stats.enabled;true
device.sensors.enabled;true
...the pain, must stop...
It will, in Tor Browser 4.5.
It will, in Tor Browser 4.5. Stay tuned.
What is the problem with
What is the problem with these things in Tor Browser?
FF31.6.0 Tor4.0.8 on Win7
FF31.6.0 Tor4.0.8 on Win7 SP1. Getting "another version of Firefox is already running" when trying to launch the browser for a second time. Only fix is to delete old browser and reinstall from install.exe.
Didn't have this issue when using Tor4.0.6.
(sorry for double posting, forgot to include tidbit about previous version)
I have experienced that on
I have experienced that on occasion for as far as back as I can recall.
The following usually works (but will close any and all instances of regular Firefox that may be running). Open a terminal and execute the following command:
killall firefox
Then restart Tor Browser.
Sorry, it just hit me that
Sorry, it just hit me that my previous response assumed you were also a (GNU+)Linux user, when from your post it was clear that you are a Windows user.
Geo-Inference Attacks via
Geo-Inference Attacks via the Browser Cache: www.comp.nus.edu.sg/~jiayaoqi/publications/geo_inference.pdf
malware tor user attack
malware tor user attack found
http://www.deepdotweb.com/forum/viewtopic.php?f=6&t=353&sid=ec69f0c6b22…
Please allow "One Click"
Please allow "One Click" access in place of "Long Press" option in Orbot. I have faced this incident where accidentally my phone dropped out of the bag and when I tried again to use Orbot, I was no longer able to as I was told that my phone suffered some display issue and so I lost "Touch and Hold" functionality. I was trapped and had no option left to communicate with privacy
Please allow a simple one-tap access within the app.
I got a question. I recently
I got a question. I recently attained bookmarks from my firefox browser by exporting to HTML. I imported them into the new tor browser (4.0.8). Now I have bookmarks from my firefox browser in my tor browser. Is this OKAY? Do they use different coding? Will my ISP be able to tell that it's not actually firefox I'm using but Tor browser? They figured it out once when I opened both at the same time and blocked it. Can they figure it out from the bookmarks? Does it compromise my anonymity in any way?
Why aren't you answering my
Why aren't you answering my question? It's a serious question!
Great update
Great update
Tor warned me about someone
Tor warned me about someone trying to hack and get me to click something. Never seen that warning before. I closed tor immediately.
think you mean a noscript
think you mean a noscript hijacking warning?!
What domains do we need to
What domains do we need to authorize in order for the Google Capcha dialog to correctly display its images? This is the common capcha that Google is promoting now across the web for use by third party web sites.