Tor Browser Bundle 3.0alpha4 Released

by mikeperry | September 26, 2013

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.0a4/

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Bug #8751: Randomize TLS HELLO timestamp in HTTPS connections
    • Bug #9790 (workaround): Temporarily re-enable JS-Ctypes for cache
      isolation and SSL Observatory
    • Update Firefox to 17.0.9esr
    • Update Tor to 0.2.4.17-rc
    • Update NoScript to 2.6.7.1
    • Update Tor-Launcher to 0.2.2-alpha
      • Bug #9675: Provide feedback mechanism for clock-skew and other early
        startup issues
      • Bug #9445: Allow user to enter bridges with or without 'bridge' keyword
      • Bug #9593: Use UTF16 for Tor process launch to handle unicode paths.
      • misc: Detect when Tor exits and display appropriate notification
    • Update Torbutton to 1.6.2.1
      • Bug 9492: Fix Torbutton logo on OSX and Windows (and related
        initialization code)
      • Bug 8839: Disable Google/Startpage search filters using Tor-specific urls

    As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support. To build your own identical copies of these bundles from source code, check out the official repository and use git tag [geshifilter-code]<a href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tag/22456…] (commit [geshifilter-code]<a href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/d1…]).

    These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

Comments

Please note that the comment area below has been archived.

September 26, 2013

Permalink

Tor Browser Bundle 3.0alpha4 uses an old stable version of HTTPS-Everywhere (3.3.1). Does it make sence to update to a newer version?

If so, should I prefer the stable one (3.4.1) or the development release (4.0 - 12) ?

September 26, 2013

Permalink

Bug #9445: Allow user to enter bridges with or without 'bridge' keyword

What is different with or without 'bridge' keyword?
Is that same or a new option?
thanks.

September 26, 2013

Permalink

A good release, but does anyone know of a fix for when one of the nodes is 'blocking' certain website connections?

I.E. I am trying to go to a website that is perfectly legal anywhere in the world via TOR, yet one of the entrance or exit nodes is blocking the connections to that website for some stupid reason.

Sometimes, clicking on "New Identity" in the Onion button fixes the issue but it makes me lose all the pages I am looking at via TOR at that moment.

Or, is there some way to find out which node is blocking that website and block them in my TOR settings?

September 28, 2013

In reply to arma

Permalink

No, it is the node that is blocking or filtering certain TOR traffic to certain websites.

I have excluded nodes that I notice are always or near always the third or exit node in my TOR configuration file using "ExcludeNodes" and "ExcludeExitNodes" and it solved my issue.

Someone needs to look into this and see why this is being done.

Nope, you are wrong. The website is blocking certain Tor exits, because they have recieved spamming, hacking attempts, trolling or similar from people using Tor, that happen to have used the same exit nodes.

That is just usual IP banning basically all wiki sites, forum sites, blog sites etc implements.

New identity and Exclude* will help here, yes, unless they decided to block the whole Tor network.

you won't lose the pages if you request "New Identity" from the Vidalia control panel. You may also right-click the vidalia icon (in the running tasks toolbar) and select "New Identity".

September 27, 2013

Permalink

coupla questions:

1. how do I verify / confirm whether I am connected through a bridge?

2. If more than one bridge is listed in torrc, does tor select a bridge randomly or is it the first one in the list?

1) There isn't an easy interface in Tor Browser for doing that I believe. I'd like one too, but I can also see the "stop adding in so much stuff, you'll never be able to maintain it all" approach. One option is that you could use wireshark or equivalent to watch your Tor traffic and see where it goes.

2) It selects a bridge randomly for each circuit.

September 28, 2013

In reply to arma

Permalink

thanks

September 30, 2013

In reply to arma

Permalink

netstat (which I believe is preinstalled on all Windows and Linux at least), may be easier than wireshark. "netstat -46n" (on Linux) will list all currently open connections. Verify the bridge is the one connected too.

September 27, 2013

Permalink

you folks need to implement a strong defense mechanism for tor very soon before a few selfish ones with a bot net break the network. like other attacks and vulnerabilities, we see this one is for real and needs a fix. If the fix creates less convenience well so be it.

September 28, 2013

Permalink

It would be nice if the bug numbers in these blog posts were hyperlinked to the bug tracking system; looking up the bug numbers manually is a bit tedious.

September 28, 2013

Permalink

Thanks for the update, love the new 3.0 bundle, even easier with vidalia.
Will you be adding a point and click way to run a relay sometime in the future?
That feature in vidalia made it easy for me to learn about relays and try one out.
I run an exit through Debian's tor package now, but I may have never discovered it if I hadn't seen the server option in vidalia. Just a suggestion, still great without.
Thanks for all your hard work, you're definitely helping, and enabling others to help, a lot of people.

September 28, 2013

Permalink

you know what would be great? if noscript came with a feature enabling the disabling of scripts on certain domains, in this case .onion domains. thus effectively enabling js on the clearnet by default while also disabling js on the deep web by default too.

I believe this may be possible to do already, try this:

Go to noscript->preferences->whitelist. Here use the wildcard (*) to match all addresses in a top domain, e.g. add "*.com", "*.org", "*.net" and so on (without the quotes).

Then set noscript to block javascripts by default. As long as "*.onion" is not in the whitelist, scripts will be blocked there.

I just tried it, it didn't work.
I also tried to do it via about:config noscript.untrusted and it also didn't work.
Looks like we should contact Giorgio Maone noscript's dev.

September 28, 2013

Permalink

What information is given to Microsoft when the tbb-firefox.exe crashes and Windows Error Recovery (WER) is enabled?

Should we be concerned?

I don't know anything about Microsoft / Windows, but there may be reasons to concern.

At least on Ubuntu in the past, when any application crashed, the crash reporter immediately connected to Ubuntus servers to lookup information about the crashed application, therefore giving away the fact you used Tor Browser, and the way it crashed. This without the user even clicking on Report problem.

How about asking Microsoft themselves, or try using Wireshark to determine what is sent (if anything) yourself. Or maybe better just disable it to be safe.

September 28, 2013

Permalink

Now that Firefox 24esr has been released, is there any reason to keep TBB on the old 17esr?

No, besides the quite involving work to audit the whole browser for newly introduced privacy risks, and porting all the Tor Browser patches to this new ESR series (including writing patches for the new risks).

I have heard that work may be done about the same time 17esr goes end of support.

September 28, 2013

Permalink

when a 'New Identity' is requested, are all nodes replaced or only the exit node is replaced? Thx

Complete new circuits are built, so all nodes is replaced. But Tor is configured to always try using the same first hop / guard node (out of three choices), so it may and mostly do end up the same.

September 29, 2013

Permalink

In case anyone's having the empty Tor Network Settings page issue, details are here: https://trac.torproject.org/projects/tor/ticket/9438

Is this something that can be fixed in future builds, all four alphas so far have had this issue.

The fix you need to apply before running TBB 3.0 on Windows is:

Add this line to your prefs.js file when TorBrowser is not running. Prefs.js is created only after the first run of TorBrowser.

Tor Browser > FirefoxPortable > Data > profile > "prefs.js"

user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

September 30, 2013

Permalink

obfs2/3 bridges are disappear in bridgedb, how can the pttbb connect to tor network in some country

October 04, 2013

Permalink

I am using a MAC would the linux version be the right one to use or am i limited to vidalia?

October 04, 2013

Permalink

When I launch TBB 3.0a4, it launches a launcher, and then a single app with the Vidalia icon called TBB which seems to be only the browser...ie. I no longer get the Vidalia control panel I get when launching the stable version of TBB (where Vidalia and a separate TorBrowser app with a globe icon both launch). Is this by design? Possible to have it work the old way?

October 10, 2013

Permalink

I have no idea how to get Tor Browser Bundle 3.0alpha4 operational ... It seams that everything is deffrent here with TBB 3.0alpha4 (install part) compered to official TBB 2.3 . I downloaded TBB 3.0alpha4 from : https://archive.torproject.org/tor-package-archive/torbrowser/3.0a4/,,, or is there maybe some another site for downloading TBB 3.0alpha4 where you can installed TBB 3.0alpha4 the same like offical TBB 2.3 ...Some help would be appreciated .. Thank you...

October 10, 2013

Permalink

I think the download is broken, tried it twice but after unpacking I get the message the procedure _vsnprintf_s can not be found in msvcrt.dll

The underlying Tor program can be configured as a relay, but you have to edit the torrc file yourself. There's no interace in Tor launcher to do that.

It's up in the air whether we'll add such an interface later on. I can see good arguments in either direction.

October 13, 2013

Permalink

Huge improvement over the 2.0 series. Couple glitches here & there but nothing I can't handle. Using OSX 10.8.5. Here's what I've seen so far:

1. When changing New Identity it clears out any tabs I have open, seems to restart the browser. Very consistent behavior.

2. Miss the TBB log. I know I can copy the log to the clipboard but this is a PITA and no GUI.

3. Frequently get an error message that the Tor network is down for maintenance. I have a hunch this isn't legit and something else is going on but don't know what. Restarting the MAC resolves the problem.

Other than these issues really like it and use it all the time,

October 14, 2013

Permalink

When I downloaded 3.0 through the above link for my OSX I show through my download manager that the version is in fact 1.0 and last modified in 1999. Whats up? The other versions seem to show their correct version and dates. I just noticed this. Have I been using 1.0 for the last couple of weeks?

October 20, 2013

Permalink

is it possible to integrate tor button in the latest google chrome(business edition)

Or else
Are there any Tor-related extensions that work in Chrome browser.

November 04, 2013

Permalink

This Alpha version loads much faster than the official bundles; I'm liking it except for the fact that I cant import bookmarks. Previously, I used Febe and Cleo; but unfortunately, they both break the Alpha version, and simply removing them doesn't undo the damage. I hope this will be fixed. Thanks