Tor Browser 4.5.1 is released

by mikeperry | May 13, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.

The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.

We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.

With this release, 4.0 users will now be updated automatically to the 4.5 series.

Note to MacOS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32 bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.

Here is the list of changes since 4.5:

  • All Platforms
    • Update Firefox to 31.7.0esr
    • Update meek to 0.18
    • Update Tor Launcher to 0.2.7.5
      • Translation updates only
    • Update Torbutton to 1.9.2.3
      • Bug 15837: Show descriptions if unchecking custom mode
      • Bug 15927: Force update of the NoScript UI when changing security level
      • Bug 15915: Hide circuit display if it is disabled.
      • Translation updates
    • Bug 15945: Disable NoScript's ClearClick protection for now
    • Bug 15933: Isolate by base (top-level) domain name instead of FQDN
    • Bug 15857: Fix file descriptor leak in updater that caused update failures
    • Bug 15899: Fix errors with downloading and displaying PDFs
  • Windows
    • Bug 15872: Fix meek pluggable transport startup issue with Windows 7
  • Build System
    • Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds

Comments

Please note that the comment area below has been archived.

May 16, 2015

In reply to by Anonymous (not verified)

Permalink

I wanna thank anyone and everyone involved in help provided to keep what we say and do private. From regular Joe's like me to other's who must be incognitoI once again thank everyone for what do.

May 12, 2015

Permalink

This happened also on previous updates.

When tor is updated, timestamp on log output wrap
to UTC time (I assume)

[geshifilter-code]
May 13 06:28:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
May 13 07:37:27.000 [notice] Owning controller connection has closed -- exiting now.
1431491849254 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849255 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849255 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849256 addons.update-checker WARN HTTP Request failed for an unknown reason
May 13 04:37:30.136 [notice] Tor v0.2.6.7 (git-ac600bec40c14864) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1m and Zlib 1.2.3.3.
May 13 04:37:30.136 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://sedvblmbog.tudasnich.de/download/download#warning
[/geshifilter-code
]

May 13, 2015

In reply to gk

Permalink

Are you concerned about the errors? They are essentially false positives

You mean that

  1. ERROR: Error verifying signature.<br />
  2. ERROR: Not all signatures were verified.<br />
  3. May 13 07:37:27.000 [notice] Owning controller connection has closed -- exiting now.<br />

OK.

When tor is updated, timestamp on log output wrap to UTC time (I assume)

Of couse log output timestamp return to correct when tor is manually restarted.

  1. <br />
  2. May 13 04:37:31.000 [notice] Bootstrapped 100%: Done<br />
  3. May 13 04:37:32.000 [notice] New control connection opened from 127.0.0.1.<br />
  4. May 13 04:37:32.000 [notice] New control connection opened from 127.0.0.1.<br />
  5. May 13 04:44:27.000 [notice] Owning controller connection has closed -- exiting now.<br />
  6. <b>removed</b>:~$<br />
  7. <b>removed</b>:~$ tor --verbose<br />
  8. May 13 07:44:40.550 [notice] Tor v0.2.6.7 (git-ac600bec40c14864) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1m and Zlib 1.2.3.3.<br />
  9. May 13 07:44:40.550 [notice] Tor can't help you if you use it wrong! Learn how to be safe at <a href="https://sedvblmbog.tudasnich.de/download/download#warning
  10. May" rel="nofollow">https://sedvblmbog.tudasnich.de/download/download#warning<br />
  11. May</a> 13 07:44:40.550 [notice] Read configuration file "/home/<b>removed</b>/.tor-browser/Browser/TorBrowser/Data/Tor/torrc-defaults".<br />

Seems that tor does not preserve timezone information when it restarts itself?

There is no TZ variable in the environment (when tor is started from command line).

Also seems that tor browser (that version and previous version) also crashes sometimes.

  1. <br />
  2. (firefox:5265): GStreamer-CRITICAL **: gst_plugin_feature_get_name: assertion `GST_IS_PLUGIN_FEATURE (feature)' failed<br />
  3. /home/<b>removed</b>/bin/tor: line 368: 5265 Segmentation fault TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class "Tor Browser" -profile TorBrowser/Data/Browser/profile.default "${@}" &gt; /dev/null<br />
  4. <b>removed</b>:~$ Jun 01 12:46:43.000 [notice] Owning controller connection has closed -- exiting now.</p>
  5. <p><b>removed</b>:~$<br />

This is not a only case.

May 12, 2015

Permalink

Jondonym's anonymity test on http://ip-check.info/index.php?lang=en shows a red field marked "bad": window.name is traceable. Your unique ID: ###### (the same number as the "local storage" ID which is marked orange (medium risk)).

With the "Smart Referer" Firefox extension installed and configured as follows:
Mode > send nothing as referer
Strict (treat subdomains as different domains) > unchecked

the test shows a green field marked "good": window.name has been anonymized.

So Tor Browser really needs an additional extension to prevent tracking???

You don't need an additional extension. If you move the security slider under Onion -> "Privacy and Security Settings" to high, JavaScript gets disabled, and window.name disappears.

May 13, 2015

Permalink

32bit Debian Wheezy user here. I successfully auto-updated from TBB 4.0.8 to 4.5.1 . Auto-update worked perfectly for me! Thank you.

May 13, 2015

Permalink

13.05.2015 11:19:56.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
13.05.2015 11:19:56.779 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
13.05.2015 11:20:05.776 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 10; recommendation warn; host 5C69846F6B71D1C55475987FEAD2F96D62A4CD92 at 89.163.227.28:9001)
13.05.2015 11:20:07.320 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 11; recommendation warn; host 3018E8B182E44AA4AEFA19972BA71B34E4A183C2 at 188.230.91.135:9001)
13.05.2015 11:20:07.775 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 12; recommendation warn; host E2BD5F4F366DB494EA1FAD785CFA53F9439BB110 at 162.248.94.205:5277)

May 13, 2015

Permalink

"The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic." Why is that?

May 13, 2015

Permalink

My default search engine was changed to disconnect.me in this update, instead of the ol' Startpage. Can anyone offer a comparison of the privacy they guarantee to help me choose?

Thanks Tor Team for this update, by the way!

I hadn't seen that additional search engine.
I tried a search. The site creates a unique url that omits search terms. the unique part looks like about 20 hex characters plus dash characters,
i reloaded the url and the page showed the same results and search terms. But assuming this url is a "permalink", a bookmark would need manually added information, because the url doesn't give a clue.

May 13, 2015

Permalink

According to Tails' blog posted a few hours earlier than mikeperry's post, it's stated "We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits."

If Tails' developers are correct, why do Tor developers not disable it in the Tor Browser Bundle 4.5.1?

Would mikeperry, erinn or arma wish to clarify?

This is **exactly** what I wanted to ask in the Tails blog post, but they don't allow asking questions in their blog here (which is pretty lame, IMO!). Also, Tails doesn't have their own blog at their site, or easy way to contact them :(

I would really like to get a response on this, as well.

Looking at the tails changelog I see this:

"Unfortunately its per-tab circuit view did not make it into Tails yet since it requires exposing more Tor state to the user running the Tor Browser than we are currently comfortable with. (Closes: #9031, #9369)"

But it looks like this issue is about #9333?
https://labs.riseup.net/code/issues/9333

I don't see why allowing it via. Vadalia is better, or more conformable? And what exit node would Vadalia show, considering each website may use a different exit node with current TorButton?

And I don't see why it's a security risk to have the per-tab circuit view.

Comments from experts would be very welcome.

I really think if Tails has a blog here they should allow comments for each post. Or if not, they should include info on how best to contact them regarding blog post xyz.

Tails has a different threat model, in that they need to account for other application's traffic going out over a system-wide Tor instance, vs just Tor Browser's traffic (the bulk of the Tor Browser users).

I'm not particularly convinced that allowing Vidalia (long since unmaintained) full control port access is any better than allowing Tor Browser (which is maintained but presents a much larger attack surface) control port access, but I am not a Tor Browser developer, and can be quite paranoid at times.

See: https://trac.torproject.org/projects/tor/ticket/8369

May 16, 2015

In reply to lunar

Permalink

Thank, but less snark next time would be nice. Even better, would be Tails blog post adding a little context next time they claims something isn't secure.

May 13, 2015

Permalink

ip-check.info couldn't detect or display computer time here, is it being protected by TBB or just a trick?

May 13, 2015

In reply to by Anonymous (not verified)

Permalink

FreeGate is not an open source project and is developed by US government, be care.

FreeGate is indeed not open source, and is probably bad news for a variety of reasons. But I know some of the FreeGate developers, and as far as I know they are not "the US government".

Sticking to facts on critiques of closed-source systems will help people learn to reason about them better. :)

You might also enjoy
https://svn.torproject.org/svn/projects/articles/circumvention-features…

May 13, 2015

Permalink

Could I please direct gk's attention to (the last two) my posts under 4.5 regarding a possible problem with DNS lookup?

Since the above changes to 4.5.1 do not mention any change to dns look up, presumably the problem will still affect 4.5.1.

Thank you

There is no bug with respect to DNS lookups that we know of. Not sure what your setup is like but Vidalia is not included anymore in Tor Browser for a while now as it is unmaintained. We strongly recommend using Tor Browser instead of some home-grown setups.

May 15, 2015

In reply to gk

Permalink

GK thank you for your response:

a - I use Tor Browser, plus Vidalia since, disappointingly, the new TOR versions do not give as much information as Vidalia did/does.

b- Just because Vidalia is no longer maintained does not mean that it no longer works.

c- I still feel that there is a problem re DNS (but due to the indecipherable catchas on Trac Tor I cannot report it) or else why would I see the warning: ""Potentially Dangerous Connection! - One of your applications established a connection through Tor to "XXX:XXX" using a protocol that may leak information about your destination. Please ensure you configure your applications to use only SOCKS4a or SOCKS5 with remote hostname resolution." ??

Thank you

May 13, 2015

Permalink

I wanted to congratulate the team again for closing the window between Firefox releases and TBB releases. I believe this has a real, positive impact on user security and comfort with TBB, and I appreciate the work it's taken to orchestrate everything to make this possible.

May 13, 2015

Permalink

"Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name."

Updated from 4.0.x. This doesn't work. Worse, I used to fix it with a new circuit using Vidalia. Now that doesn't work either.

Can it be disabled?

May 13, 2015

Permalink

"Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name."

Isn't that like .com and .org?

More like .torproject.org .torproject.co.uk which is why we used "base domain" and in included "(top-level)" implying that there are no subdomains involved anymore.

May 13, 2015

Permalink

1. What is the latest stable Tor version?

2. Is the website tor standalone for windows up to date?

3. Why would the tor included in windows browser downloads be a newer version ever then the stand alone offered?

4. Why does the windows stand alone use Libevent 2.0.21-stable when .22 is available?

5. For security best practices, why are there so many different webpages, with inconsitant changelogs, varying from OS to OS, using confusing to the masses unix style presentation?

6. Why discontinue vidalia without a replacement? Isnt bringing tor to the attention of the masses a good thing? Where is the windows ease and understanding?

you guys do some VERY good things, but then you do some VERY dumb things. Every month you should approach your project as if a complete outsider! How does it appear/function communicate/empower someone with no knowledge whatsoever. etc. Clear concise transperentcy, with expected routine standardize practices would do you so well!

Instead we have different keys signing, different amounts of info released depending on whom does it, a mailing list from 1994 AOL, etc. I know this sounds like a rant, but THANK GOD for the tor blog. at least theere is some kind of modern interaction with the people.

tor blog (here) is OK, except I must enable images to see text. To repair this, I could import a stylesheet in usercontent.css, but it seems easier is to make ocewjwkdco.tudasnich.de readable with images disabled.
really,this is a minor complaint, but also very easily fixed.

and thanks for tor, tbb, and the necessary backing projects.

As for 5. here you can find the reason:
https://tor.stackexchange.com/questions/1075/what-happened-to-vidalia
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…
The short answer is: Tor Browser Button (TBB) replaced Vidalia (and it's features), because Vidalia because has no active developer who is working on it and it's source is some years old.

And as you can see at the first link there is also another way where you can get information about Tor - Tor stackexchange.

May 13, 2015

Permalink

i get failure from drain FD, with latest tor, any ideas? it seems to work ok, but sometimes i get massive numbers of them, supressing 7200 in last etc.. ....

I get this error too.
Jun 13 11:29:24.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jun 13 11:29:24.000 [warn] Failure from drain_fd
Jun 13 11:29:24.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jun 13 11:29:28.000 [notice] Performing bandwidth self-test...done.
Jun 13 17:29:23.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 2 circuits open. I've sent 3.30 MB and received 9.70 MB.
Jun 13 17:29:23.000 [notice] Average packaged cell fullness: 98.818%. TLS write overhead: 21%
Jun 13 17:29:23.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 4/4 NTor.
Jun 13 17:29:23.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 23 v4 connections; and received 0 v1 connections, 12 v2 connections, 30 v3 connections, and 499 v4 connections.
Jun 13 18:08:58.000 [warn] Failure from drain_fd [3 similar message(s) suppressed in last 7200 seconds]
Jun 13 20:10:36.000 [warn] Failure from drain_fd [10 similar message(s) suppressed in last 7200 seconds]
Jun 13 22:15:03.000 [warn] Failure from drain_fd [12 similar message(s) suppressed in last 7200 seconds]

May 13, 2015

Permalink

The problems with Google recaptcha system still continue.
It is important to remember that Google has changed the old text verification system to a images verification system. Now the images of recaptcha system are not displayed via the TOR browser and apparently this is a unique Tor browser problem.
Even completely disabling HTTPS Everywhere and Noscript extensions to leave it as close to the Firefox the problem still occurs.
Please take a close look at this because Google recaptcha is used in many many sites.

I am having the same problem with Google's new multi-image reCAPTHCA puzzles that have replaced the old "twisted and distorted letters," making it impossible for me to access a number of websites using Tor Browser. The images necessary to solve the puzzle are not displayed. I can confirm that the problem is NOT solved by disabling plugins (HTTPS-Everywhere, NoScript) and/or enabling third-party cookies (but even if these steps did solve the problem, it wouldn't be a good thing).

The select-images reCAPTCHA is rolling out across every site on the web. I am now locked-out from every site I want to use. I can only use Firefox which has no privacy at all.

I can confirm it doesn't work even when you disable the add-ons. I can select the images. But I can't see the images I am selecting.

Is this a problem with Tor using different circuit for images and main reCAPTCHA frame?

Is Google doing deliberately to damage anonymity?

May 13, 2015

Permalink

Maybe disconnect.me gives good search results, but it do not have proxy service as startpage.com does. The latter provides an alternative link for each search result. If the destination server requires a captcha for Tor users, one can follow the link to proxy request and avoid the captcha. This is frequent situation.

I noticed this too.

I use the ixquick/startpage proxy to avoid captcha and access sites that block tor exit relays hundreds of times per day. I find it very useful.

US$.02

I use it all the time. Many sites block Tor completely with no captcha.

Being in Europe I can trust StartPage more than Disconnect.me.

There is a bug in Tor browser home page. When I change my search engine in the drop-down to StartPage. I can search in the search box on the "congratulations" page and uses disconnect.me. If I open a new tab and search in the box on the blank tab, it uses my choice StartPage.

May 13, 2015

Permalink

"We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well."

If the problem is false positives, is there any harm in a user enabling ClearClick protection? I'd rather be safe than sorry, so false positives are fine with me as long as Tor + NoScript catch 100% of true positives.

But I'm not a technical person, so I'd greatly appeciate a simplified explanation if enabling ClearClick protection is not advised.

Thank you for your hard work!

for a few seconds, I had an idea that instead of temporarily disabling, add temporary note to clearclick option. but users wouldn't know to look in clearclick option when they experienced the unpredicted new (temporary) behavior caused by clearclick complication.
bah.

May 13, 2015

Permalink

I don't know if the problem lies with TorBrowser or Chatzilla, but since the update, I get a "error creating socket" message when launching Chatzilla.

You can try editing torrc-defaults and adding a new SocksPort as such:

SocksPort 8150 NoIsolateSOCKSAuth

Then edit the proxy settings in Chatzilla to use Socks port 8150. The 'NoIsolateSOCKSAuth' means no username and password is required in Chatzilla's proxy settings.

torrc-defaults is located at 'tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults'

May 14, 2015

Permalink

I downloaded the new Tor browser bundle 4.5.1. It put a new shortcut icon on my desktop when it hadn't before on previous updates. It's just a globe (slightly larger than the older icon) instead of the previous globe inside a folder icon. Before I would have to click open the older folder icon, then click the globe to start running Tor. Can I delete the older shortcut icon which was a globe inside a folder icon?

May 14, 2015

Permalink

Updated yesterday to 4.5.1

Now I cannot use youtube videos.

Tried global allow noscript, still would not work. I managed to get one youtube video to play that was embedded on another site by clicking in the blank area and receiving a message from noscript and temporarily allowing what it asked.

Am I doing something wrong, or is youtube now completely blocked by torbrowser >4.5.1?

May 14, 2015

Permalink

I'm using Tails and don't understand something:

https://ocewjwkdco.tudasnich.de/blog/tails-14-out
"In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits."
"Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website."
Tails1.4 is using TBB4.5.1.
https://ocewjwkdco.tudasnich.de/blog/tor-browser-451-released
"Isolate by base (top-level) domain name instead of FQDN"

While browsing, i have 2 circuits or more in same time for same domain.
Circuits are changing periodically like? all TBBs before.

May 14, 2015

Permalink

TBB 4.5.1 -in Tails- seems to have a lot of circuit changing with Javascript ON; with not allowed in NoScript, too?
Why 2 circuits on ocewjwkdco.tudasnich.de, too? Cookies?.

"New identity" a little bit delayed? ~1/2 second

May 14, 2015

Permalink

No automatic update for 4.5.1 on Win 32.

You have to download the whole 34 mb package then delete old ver and install the new.

May 14, 2015

Permalink

In your https://oiyfgiixvl.tudasnich.de/torbrowser/4.5.1/ site, there is no sha256sums.txt listed. There is, however, a file named
sha256-unsigned-build.txt. In it, the checksum listed for torbrowser-install-4.5.1_en-US.exe does not match the checksum you get
you run sha256sum.exe on the torbrowser-install-4.5.1_en-US.exe download.

W.T.F.?!?

I would like to know the official answer to this too. If you watch some of the videos from "The Grugq", he says NO it isn't. He said Tor over VPN = go to jail, use Tor to a VPN. I am not sure how to do that and doubt you could use the Tor Browser Bundle in this way. It seems very complicated and a lot of users do not understand all this. All VPNs keep logs, no matter what they claim and we now know VPN traffic is recorded by GCHQ in the UK and NSA is the USA.
It probably depends what you are doing, but if any of the experts can give us an answer it would be good. We are all here to learn and we all had to start somewhere!

May 14, 2015

Permalink

The file sha256sums-unsigned-build.incrementals.txt from https://oiyfgiixvl.tudasnich.de/torbrowser/4.5.1/ contains SHA256 a0627fa49687142a8d2b21efd32b60fc334948528845a48721de8a6e988d6c60 but when downloading the file the SHA256 is bf4f0141752aac07a0a6a76ad9e237e5be24d238c35ac4694df62b0493707702 for file tor-browser-win32-4.5-4.5.1_en-US.incremental.mar

What is wrong?

May 14, 2015

Permalink

Thanks to TBB developers for the long-awaited security slider! Still testing it.

What is the latest advice on whether or not to choose the "disable all scripts (recommended)" option in NoScript?

May 14, 2015

Permalink

Since TBB 4.5.1 update, Tor remains disabled (on TorButton) and can't find a way to enable it, main TBB page says it is configured to use tor, but can't connect to onion sites.
I'm using Privoxy chained with TBB, on previous versions didn't had any issues with that.

May 14, 2015

Permalink

Hey, after I installed the update, I got a runtime error trying to open tor.
It says:
Microsoft Visual C++ Runtime Library

Runtime Error
Program: C:/ Users/Admin/Desktop/TorBrowser/Browser/TorBrowser/Tor/tor.exe

This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

Any ideas? I'm not so good with technical jargon. All I know is that the browser worked before the update, but now it doesn't.

I am having the exact same issue. Even tried reinstalling Visual C++ runtime library, tried the experimental version, even tried reverting to 4.5, not working. Empty log too.

Any ideas are appreciated... I was running fine through many updates until this happened.

May 14, 2015

Permalink

Something changed. Not sure what, and I had to redo my Debian config, using TBB as my default-for-everything browser. I note with immense approbation that the *start-tor-browser* script now passes along all user-supplied command-line arguments to *firefox*, including --allow-remote. This allows me to decommit my own cobbled-together script, which I'm calling progress.

In grateful return and in humble support of herd immunity from surveillance, I've decided not to maximize my browser window, anymore.

May 15, 2015

Permalink

I noticed some changes in the start-tor-browser script (new options supported) and a brand new file: start-tor-browser.desktop, but neither of these are mentioned in the changelog, or on the blog.

In the future, please provide some documentation when you make changes to such important files!

If other users are interested, you can find some info in the following tickets:
https://trac.torproject.org/projects/tor/ticket/13375
https://trac.torproject.org/projects/tor/ticket/15747
(and probably some other tickets?)

I also noticed the startup script doesn't log messages to the terminal window anymore, which was the default behaviour (and useful); can you please document a way to get that back working?

>I also noticed the startup script doesn't log messages to the terminal window anymore

Type this in the terminal window :

./start-tor-browser.desktop --verbose

or

./start-tor-browser.desktop --help

May 15, 2015

Permalink

i have several problems since the update. websites does not load, the new search field does not show any result.
connection seems to timeout, "new identity" solve this
but before i did not have such problem

on my linux vm, these problems are not happening

May 15, 2015

Permalink

Comodo Firewall: firefox.exe could not be recognized and it is about to modify the protected registry key HKUS\Software\Microsoft\CurrentVersion\Internet Settings\ProxyEnable. You must be sure firefox.exe is a safe application before allowing this request.

May 15, 2015

Permalink

Starting from version 4.5.1, I can't chain Tor with Privoxy, I have configured Privoxy config file to forward socks5t and in TorbButton's network preferences have configured properly the socks proxy to use (127.0.0.1:9150).
In the browsers network options whenever I configure the HTTP proxy for (127.0.0.1:8118 -Privoxy's listen port), Tor gets disabled on the browser (TorButton marked with a red cross), and can't make any connections (http, https or onion).
On previous version I used (4.0.8), I was able to configure the HTTP/HTTPS proxy for Privoxy, but not on this version.
Can anyone give advice as how can I accomplish this? Thanks in advance.

Maybe your Privoxy problem has something to do with The Tor Browser (TBB) isolating Tor circuits based on the Top Level Domain Name your trying to visit. Tor's Socks port 9150 accomplishes this isolation using a unique proxy username/passwords for each Top Level Domain Name (I believe).

Try creating a new Socks port that doesn't require a username/password. Seeing as your proxy chaining Tor through Privoxy, chances are you're not going to be able to take advantage of Tor's new Top Level Domain Name circuit isolation feature anyway.

Instructions on how to create a new Tor Socks Port that doesn't require a username/password:

1. Go to 'tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults'
2. Open 'torrc-defaults' file
3. Add the below text to 'torrc-defaults' file

SocksPort 8150 NoIsolateSOCKSAuth

4. Then edit the privoxy settings to point to 8150 instead of 9150.

The 'NoIsolateSOCKSAuth' means no username and password is required to connect to Tor Socks Port 8150.

May 15, 2015

Permalink

This version of the Tor Browser for GNU/Linux does not allow the connection to proceed when you use obfs3 bridges. It displays an error as if the bridges did not work even if you use perfectly valid bridges.

May 15, 2015

Permalink

Why do I sometimes get 2 different guard (first IP of tor circuit). Example I get a guard from US and from 5 open tabs then suddenly 1 of them will change to a Russian guard. But when I restart the browser or start a new circuit on that tab it will return to US. It's really weird this didn't happen in previous version.

May 16, 2015

Permalink

Hi. TB 4.5.1 user here.

I used to switch “javascript.enabled” to “false” before. With the new security slider I've noticed that even the highest security setting leaves this preference in its default “true”. Granted, javascript is blocked (through noscript?) but PDF.js is fully capable of loading as far as I can see. Should it be accepted that the browser loads complex files in js if the user has opted for the highest security setting?

As always, great work.

Yes, JavaScript gets blocked via NoScript. The whole browser UI is written using JavaScript and XUL you can't disable that as you won't have a browser then. With respect to PDF.js, yes, we could think about disabling PDF.js in the highest setting although it is by far not as risky as using Adobe's product.

May 16, 2015

Permalink

Sorry for the noob question in advance..

Have tbb 4.51 updated from 4.08 under debian wheezy

I have tried to login to a googlemail (web) account from tor

ok, ok, not a great idea in general, but this google account is a throwaway one with no traces to me

In the login screen gmail came up with some complications, simply said, gmail didn'T 'believe' me to be the real allowed user

I killed that browser, hadn't even logged in.

Later I logged in from another PC at a friend (no TOR) and in the inbox there was a mail from google ala "linux station tried to login into your account"

I think, I triggered an event, as I usually work somewhere in middler europe and the login came from a tor exit node in asia or elsewhere.

So why can googlemail be aware of the fact that I'm running a linux machine? I Thought that tor browser is masked as one of the zillions of windows 7 browsers?

Thanks

Try visiting https://panopticlick.eff.org/ . Run the test while using Tor. It should show you the "User Agent" (Browser ID) being displayed to the website.

I'm also on Linux, and this is my Tor Browser User Agent.

Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

May 17, 2015

In reply to by Anonymous (not verified)

Permalink

the test at that location NOW gives a
User Agent
6.6

37.32
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

so it should be some windwos sort.

I'll have a look at that mail from google support and give more info if I can provide useful info from that.

thanks!

May 17, 2015

In reply to arma

Permalink

thanks to you and the other helpful user.
the browser test gave win ...nt (see above)

your idea is very likely.
gmail sent a second mail with some more specific info, in short:
### 1st email:
Hi john,
Your Google Account john@gmail.com was just used to sign in on Linux.
john doe
john@gmail.com
Linux
Friday, May 15, 2015 xxxx PM (Central European Summer Time)
### 2nd email:
We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Saturday, May 16, x:xx PM GMT
IP Address: 188.138.1.229 (ncc-1701-a.tor-exit.network)
Location: Unknown

-->nothing happened, but I have to memorize new pw, gmail forced me to choose a new one.
thanks

May 16, 2015

Permalink

Some issues here.
Tor browser is useless if don't work with google recaptcha.
Actually there are thousands of websites using recaptcha

This issue is not confined to Tor. Actually, the current problem with google recaptcha happens with non Tor traffic as well. It used to work okay until a few days ago. If you typed the two words correctly it would validate, and you could have Javascript disabled. Now, with Javascript Disabled, even if you type the two words correctly letter by letter it does not recognize them. Google should fix things so that we could use recaptcha with Javascript disabled. I hope this is not an attempt to exploit a vector attack by enabling people to enable Javascript.

May 17, 2015

Permalink

Bridges and PT_MISSING

Tor 4.5.1 for GNU/Linux can't connect to any bridges. Working obfs3 bridges, which work perfectly if you use them with the previous Tor version or with Tails, do not work with Tor 4.5.1. The default bridges provided do not work either. Could you fix this?

[warn] We were supposed to connect to bridge 'x.x.x.x:x' using pluggable transport 'obfs3', but we can't find a pluggable transport proxy supporting 'obfs3'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.

[warn] Problem bootstrapping. Stuck at %: Connecting to directory server. (Can't connect to bridge; PT_MISSING;

May 17, 2015

Permalink

I would like to ask a question about Tor Exit Nodes and the end user. I always thought that all traffic between the Exit Node and a User was encrypted. I now know it is if you use a HTTPS site, but not if you use a normal site. It appears everything can be monitored by your ISP. I only know as UK police requested records from my ISP when I was accused falsely of something. That matter was dropped, but it exposed what people can see and what ISPs are also recording!

Are there any plans for the future to try and incorporate a system to encrypt traffic between the Exit Node and End User?

I do realise it's probably a hugely complex task.

May 17, 2015

Permalink

I'm not the man of knowledge, but I had trouble with a website that shall stay incognito here. with 4.18 and earlier no probs, with tbb live update from 4.18 to 4.51 on debian Linux that led to recaptchas thrown at me in the login phase after supplying pw and username.correctly.

Setting noscript to allow_all didn't change anything
Disabling noscript in tb - tools - addons cured the plague (login without recaptcha)
But that wasn't completely satisfying.
I started to 'play with various options inside the noscript 'options' complex and it was the advanced - https - cookies tab
enabled (after update) -- trouble
disabled manually -- > all fine
hth

May 17, 2015

Permalink

another anon here:
I've come across websites where this alarm pops up:
this website (...) attempted to extract html5 canvas image data
which may be used to uniquely identify your computer
should tor browser allow this website to extract html5 canvas image data?

# not now
# never for the future (recommended)
# allow in the future

not now isn't a miracle, but never and always don't work for me,

at every new login to the site (with pc off between it or tb closed) the old question

or is never/always meant for the actual browser session?

tia

May 20, 2015

In reply to gk

Permalink

Thanks for your info!
I'd propose to rename the options to
# never in this session (rec'd)
# always in this session

May 18, 2015

Permalink

Opening TBB on Tails is distinguishable?

New TBB4.5.1 opens at least 2 different circuits(you-as-as-as-URL) or more. check.torproject.org is opening 1 circuit -with 2 connections- only.

May 18, 2015

Permalink

Trying to use Tails 1.4 with some obs4 bridges, but can't get them to work. I suspect my LAN router is blocking the outbound connections. If that sounds plausible, could someone explain what outbound ports I might need to block? Or should it work if I allow outbound 443?

May 19, 2015

Permalink

Great software. But where is the option to show the "Tor circuit for this site" in 4.5.1?

May 20, 2015

In reply to gk

Permalink

Thanks for your reply. Sometimes the "Tor circuit for this site" information will not show next to the Onion drop down list. This happens intermittently. Could this be a bug?

May 24, 2015

In reply to gk

Permalink

When left-clicking on the green onion button the Tor circuit information *sometimes* does not show (even though I am successfully connected to an external site in the current tab). It can be difficult to reproduce, but the issue does happen quite often. I am using Windows XP Home SP 3.

May 19, 2015

Permalink

> The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name.

What if some sites host contents on multiple domains instead of subdomain, you reject per-domain isolation at all? On the other hand, each user of many social networks, like livejournal.com etc, has theirs own subdomain (user.livejournal.com), so observer can track and profile Tor clients by their graphs of social links. You can make this default behaviour, but there should be an option to switch so that stream isolation would be provided to domains of any level.

> This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.

This argument is inconsistent and ridiculous.

No, we don't reject per domain isolation. In the livejournal (or wordpress, or...) case there is already the problem that the user can get tracked by the host with the help of cookies. So, there is not much win to isolate to user.livejournal.com while we would break quite some things following this path.

May 20, 2015

In reply to gk

Permalink

Each subdomain has its own cookies which are not accessible by others. For example, domain user2.livejournal.com can not access cookies of user.livejournal.com, and vice versa. If one comments journals on different subdomains anonymously, all their activity can be profiled as belonging to the same person, so anonymity degradates to pseudonymity.

May 19, 2015

Permalink

While I'm at school (not circumvention), I use Tor on my own personal laptop and have setup a firewall to only allow Tor traffic. Now that MacBooks are exploding in education, there's a *lot* of account that we have to make, or that are assigned to us, and, pretty typical of school systems, they don't take security into consideration at all, so most of these websites that we have to sign in to don't have SSL on any webpages, including the login transmissions. Because my goal isn't to hide from mass surveillance, in this specific scenario (especially since I have to *login* to things, defeating the purpose of hiding from mass surveillance), I decided to setup the Tor browser with a configuration similar to the system installed Tor instructions in the start-tor-browser Linux script. I would make the Tor Browser not start a background instance of Tor, and then I'd make Firefox use a SOCKS port from an SSH tunnel to route insecure website traffic back home, so Tor exit nodes couldn't capture my password and abuse my accounts. This has been working perfectly for me (aside from history being kept, since I didn't disable the control port checks and such, at the time). I have attempted the same setup with Tor Browser 4.5.1, and I have discovered that it will only connect to SOCKS ports that Tor instances (such as my real system installed Tor instance, that I use for another Tor browser) have kept open. When I, instead, connect that port to my SSH SOCKS tunnel, it acts like the website doesn't exist, and if I disable the SOCKS setting entirely, as if I was setting up transparent Torrification, Firefox says, "Unable to find the proxy server" despite having disabled all proxy settings, even the now-hidden ones in the Tor Button and Launcher with about:config.

Is there a new SOCKS connection test to see if the port is hosted by a Tor instance, and if so, how can I disable it for the purpose of transparent Torrification/other proxies? I don't want to have to remove/disable the Tor Button (because that fixes the proxy problem), because doing so would remove a bunch of features, and more importantly, it breaks about:addons with some XML error about "block-disable-button" or something similar to that.

May 20, 2015

Permalink

I'm actually running into problems just starting TBB. I updated to 4.5.1 on a windows XP computer, but when Tor tries to connect to a relay it just closes and fails to load. I have to manually Ctl-Alt-Del to shut down Tor and Firefox in order to try again. The logfile has "creating log file" twice, then nothing.

May 21, 2015

Permalink

yeah 'Technical Details Connection Encrypted' is visible again(-:
Especially cause of govshit like LogJam. Hardware/Firmware you cant trust is evil enough.

May 21, 2015

Permalink

Last comment for the disconnect search add-on on on mozillas add-on pages does not sound good.

https://addons.mozilla.org/en-us/firefox/addon/disconnect-search/review…

>This plugin should enhance security, but in fact is doing quite opposite.
Disconnect-search is regularly uploading plugin settings and usage data, along with unique user ID, browser Agent string and IP address not only to the developers website, but to third parties as well (amazon servers of unknown account and adobe stats servers).

That is confirmed in the discussion about a different bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1166692#c1

May 21, 2015

Permalink

Hi,
anyone can explain why Google CAPTCHAS -on google search- with TBB4.5.1 isn't working?
Recently the "why ....." on google search CAPTCHAS needs javascript......*F$%$*

Necessary?Really?

May 23, 2015

Permalink

Here's something that Tor users may find interesting: I tested sedvblmbog.tudasnich.de encryption strength on Qualys SSL Labs and it awarded this website an A.
The highest score that Qualys SSl Labs will give is an A+.

May 23, 2015

Permalink

i downloaded tor and it's signature from "https://www.torservers.net/mirrors/torproject.org/" ( as u can guess why ) and when i tried to check it with gpg4win i get the following massage "NO PUBLIC KEY FOUND" why i get this massage ? do i do something wrong or maybe there is something wrong with mirror site? pls help me i am new to all this, what i type in cmd is as below:

gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x63FEE659
gpg --fingerprint 0x63FEE659
gpg --verify torbrowser-install-4.5.1_en-US.exe.asc torbrowser-install-4.5.1_en-US.exe

i also tried this bcs i thought Erinn Clark no longer sign bundles but i got same answer

gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x0E3A92E4
gpg --fingerprint 0x0E3A92E4
gpg --verify torbrowser-install-4.5.1_en-US.exe.asc torbrowser-install-4.5.1_en-US.exe

  1. $ gpg --verify torbrowser-install-4.5.1_en-US.exe{.asc,}<br />
  2. gpg: Signature made Mon 11 May 2015 10:35:03 AM EDT using RSA key ID D40814E0<br />
  3. gpg: Good signature from "Tor Browser Developers (signing key) <<a href="mailto:torbrowser@torproject.org" rel="nofollow">torbrowser@torproject.org</a>>"<br />
  4. gpg: WARNING: This key is not certified with a trusted signature!<br />
  5. gpg: There is no indication that the signature belongs to the owner.<br />
  6. Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290<br />
  7. Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

May 24, 2015

Permalink

Great software overall and highly recommended. Just a little bug I noticed and wanted to share with you. The bottom strip of the Tor Browser window does not render correctly, showing through the desktop contents underneath. I am using Windows XP Home SP 3.

May 30, 2015

Permalink

"tor circuit for this site" in the tbb is a great feature, simple and informative.

well done

no-java Anon

May 31, 2015

Permalink

What's the difference between the "New identity" and "New Tor Circuit for this site" option?

June 09, 2015

Permalink

Bug with Wordpress 4.2 ?

There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2 code.
It seems to trigger the Torbrowser warning on code that seems to have something to do with emoticon functionality using canvas code.

Example website : https://wordpress.org/news/2015/05/wordpress-4-2-2/

Could it be that this is not correct warning behavior?
Or is it? Why?

June 09, 2015

Permalink

Hi. I have already installed several Tor Browser releases without any problem. But I downloaded torbrowser-install-4.5.1_en-US.exe (Windows XP) and when I double-click on it nothing happens. No error messages, no window, nothing. I have also tried with the french version. Same thing.
Can anyone help me ?

June 13, 2015

Permalink

(2nd time question attempt for a relevant question)

Canvas Warning Bug with Wordpress 4.2 sites?

There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2(.2) code.
It seems to trigger the Tor Browser Canvas warning on some Wordpresscode that seems to have something to do with emoticon functionality using canvas functionality.

See for example this webpage : https://Wordpress.org/news/2015/05/Wordpress-4-2-2/

While there apparently already for some time has been a discussion going on in the Wordpress community, nobody (?) seems to have asked Torproject about it's point of view in this matter (to be sure).

https://reflets.info/wordpress-4-2-tor-browsers-and-canvas-privacy-warn…
https://wordpress.org/support/topic/42-admin-canvas-tracking?replies=10
https://core.trac.wordpress.org/ticket/32138

I, and probably a lot of other Tor Browser users and/or website owners too, am still curious if the Warning of Tor Browser on Wordpress 4.2 (and later) sites is legitimate in these cases or that it is a possible bug/technical false positive.

An answer from Torproject would help at least to clear that out because there are quite some Wordpress sites out there.
Does anybody have an answer regarding this issue?

(this is happening with Tor Browsers 4.5.1 and the beta 5 version as well)

June 20, 2015

Permalink

I have the same problem than the posted on
On May 15th, 2015
would someone convey to me how the solution is ? , also thanks in advance
Problem on windows 7.0 prof
Starting from version 4.5.1, I can't chain Tor with Privoxy, I have
configured Privoxy config file to forward socks5t and in TorbButton's
network preferences have configured properly the socks proxy to use (127.0.0.1:9150).
In the browsers network options whenever I configure the HTTP proxy for (127.0.0.1:8118 -Privoxy's listen port),
Tor gets disabled on the browser (TorButton marked with a red cross), and can't make any connections (http, https or onion).
On previous version I used (4.0.8), I was able to configure the HTTP/HTTPS proxy for Privoxy, but not on this version.
Can anyone give advice as how can I accomplish this? Thanks in advance