New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

by erinn | March 14, 2013

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://decvnxytmk.oedi.net/download

Tor Browser Bundle (2.3.25-5)

Update Firefox to 17.0.4esr
Update NoScript to 2.6.5.8
Update HTTPS Everywhere to 3.1.4
Fix non-English language bundles to have the correct branding (closes: #8302)
Firefox patch changes:

Remove "This plugin is disabled" barrier

This improves the user experience for HTML5 Youtube videos:
They "silently" attempt to load flash first, which was not so silent
with this barrier in place. (closes: #8312)

Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
Fix a New Identity hang and/or crash condition (closes: #6386)
Fix crash with Drag + Drop on Windows (closes: #8324)

Torbutton changes:
- Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
- Fix XML/E4X errors with Cookie Protections (closes: #6202)
- Don't clear cookies at shutdown if user wants disk history (closes: #8423)
- Leave IndexedDB and Offline Storage disabled. (closes: #8382)
- Clear DOM localStorage on New Identity. (closes: #8422)
- Don't strip "third party" HTTP auth from favicons (closes: #8335)
- Localize the "Spoof english" button strings (closes: #5183)
- Ask user for confirmation before enabling plugins (closes: #8313)
- Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

Update Firefox to 17.0.4esr
Update Tor to 0.2.4.11-alpha
Update NoScript to 2.6.5.8
Update HTTPS Everywhere to 4.0development.6
Update PDF.js to 0.7.236
Fix non-English language bundles to have the correct branding (closes: #8302)
Firefox patch changes:

Remove "This plugin is disabled" barrier

This improves the user experience for HTML5 Youtube videos:
They "silently" attempt to load flash first, which was not so silent
with this barrier in place. (closes: #8312)

Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
Fix a New Identity hang and/or crash condition (closes: #6386)
Fix crash with Drag + Drop on Windows (closes: #8324)

Torbutton changes:

Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
Fix XML/E4X errors with Cookie Protections (closes: #6202)
Don't clear cookies at shutdown if user wants disk history (closes: #8423)
Leave IndexedDB and Offline Storage disabled. (closes: #8382)
Clear DOM localStorage on New Identity. (closes: #8422)
Don't strip "third party" HTTP auth from favicons (closes: #8335)
Localize the "Spoof english" button strings (closes: #5183)
Ask user for confirmation before enabling plugins (closes: #8313)
Emit private browsing session clearing event on "New Identity"

Comments

Please note that the comment area below has been archived.

I downloaded and installed

I downloaded and installed the latest update - Tor Browser Bundle (2.3.25-5), and after re-starting, the "Are you using Tor?" page still says "There is a security update available for the Tor Browser Bundle.". I re-downloaded and installed again and still get that message. I checked the dates on the various updated files and they all have 3/12/13. Seems this has happened before, but can't re-call what fixed it.

after installing new version

after installing new version i still get

" There is a security update available for the Tor Browser Bundle."

Add me to the list of still

Add me to the list of still getting the message there is an update. Just to be sure, I checked the versions of all the programs update to and they all check.

Tools / Options / Advanced /

Tools / Options / Advanced / General / Browsing

[x] check my spelling as i type

Who and why someone checks my (secret) spelling as I type?

It is good for your security

It is good for your security to have your spelling mistakes pointed out to you. One way to identify who has written something is to look for certain, recurring misspellings.

It is not a human that does this, but the browser software, of course.

Before this and the previous

Before this and the previous stable release, the Tor Browser had its own icon and was grouped itself - please bring this back. Aside from being a bit of a PITA, it allows for the possibility of mistakenly bringing up the regular browser. It goes without saying, that wouldn't be good.

Using Ubuntu 12.10 x64

Is this something that you

Is this something that you could do yourself? I would be scared of the icon attracting the attention of nosy cyber cafe staff.

What's the point of allowing

What's the point of allowing users to enable plugins? They may as well stop using Tor Browser if they don't need anonymity. Disabling all of NoScript's hardening measures only expands attack surface for browser exploits. With each new version Tor Browser gets increasingly more dangerous for users who don't adjust their settings manually and go with the default config, it will inevitably lead to a massive security disaster someday.

Well I guess the logic goes

Well I guess the logic goes like this: you wish to watch a kinky video on YouTube, and you just can't help against the site (i.e. Google) knowing that you are watching that video, but you are still interested in not announcing it to your employer whose network you are using. Even with vulnerable plugins, but Tor still keeps all sorts of middlemen unaware of what you are doing.

And you can disable them as you wish.

How can I disable PDF.js ?

Why would you do that? Do

Why would you do that? Do you not prefer to read PDF's in the browser window before (or instead of) downloading and then opening the PDF?

Click on the "TorBrowser"

Click on the "TorBrowser" menu button and select "Add-ons". Then click "Extensions". Find the extension labelled "PDF Viewer" and click "Disable".

I don't see any such

I don't see any such extension in my TBB. (gnu-linux-i686-2.3.25-5-dev-en-US)

Where does one download the

Where does one download the Tor Browser Bundle (2.4.11-alpha-1)? You can download the 2.3.x version from the Downloads page, but not the 2.4.x version.

Also, when will 2.4.11-alpha be available in the torproject RPM repo for RHEL/CentOS 6?

Yes, where can I download

Yes, where can I download Tor Browser Bundle (2.4.11-alpha-1)?
and I'm new to tbb, I feel it (esr firefox) slow than normal firefox a lot.

Thank you.

I found that.

I found that. :)

https://decvnxytmk.oedi.net/projects/torbrowser.html.en

https://decvnxytmk.oedi.net/dist/torbrowser/linux/tor-browser-gnu-linux-…

any hope for

any hope for flashproxy-pyobfsproxy new version?

I am a little nervous about

I am a little nervous about trying any TBB since last time I did my computer got infected with a virus after I unpacked the file. I had a heck of a time cleaning out the virus! Is the TBB safe and clean?

That might have been a false

That might have been a false positive. One recent version of TBB trigged I think two different anti-virus programs (claiming the same kind of virus). The anti-virus companies looked into it and concluded their virus definition file was wrong and fixed it a few days later (iirc).

Of course, make sure you are downloading TBB from "torproject.org" over an HTTPS encrypted connection (https://).

SSL/HTTPS has been shown

SSL/HTTPS has been shown again time and again to be quite vulnerable and should not be considered a substitute for properly verifying a download by using the digital signature.

I knew I smelled a troll . .

I knew I smelled a troll . . . now, where's his/her bridge (not the good kind of Tor Bridge ;) )?!

"my computer got infected

"my computer got infected with a virus after I unpacked the file."

/If/ the TBB download really was to blame, then it must have been rogue. Did you verify the signature?

I had the same problem with

I had the same problem with recurring update prompts, but it went away the next day I started the browser.
The problem that remains is with https sites that do not have valid certificates. There seems no way to store exemption permanently as that box is grayed out.. And there seems to be no way to change private browsing mode for the same reason= grayed out.
It's a PITA to have to confirm exemption every time logging on to a site.

I have a suggestion for

I have a suggestion for making things simpler for people who log on to https sites that they know well, but that do not have valid certificates - a setting in tools that once set, skips the security certificate query.
That way, no personal data need be stored, i.e. no "exceptions".

Imagine this scenario:

Imagine this scenario: Secret police search your pockets and find a USB key. They find TBB on it. They check to see what certificates it has saved. Now they know some of the places you browse.

No problems here with the

No problems here with the latest alpha update. Running Windows 8 Pro 32-bit. No virus reported. Using Avira Free, heuristics set to 'high'.

After install I have to

After install I have to adjust so many settings manually to improve security that I need a to do list !!!

Well don't. Any change in

Well don't.

Any change in the setting you make will decrease your anonymity, so keep the changes to a minimum.

Really, the only change worth doing is disabling JavaScript using NoScript. This will also decrease your anonymity, but will increase security against exploits.

Firefox - Disabling Java -

Firefox
- Disabling Java
- Activate I do not want be tracked
- Use custom settings for History and than disabling Accept cookies from sites
- Override automatic cache management: Limit cache 0MB of space

Firefox about:config
browser.cache.disk.enable; false
browser.cache.memory.enable; false
extensions.torbutton.banned_ports; 8118,8123,9050,9051,9150,9151
network.security.ports.banned; 8118,8123,9050,9051,9150,9151

Noscript
Disable Script Globally Allowed
Activate Forbid Java
Activate Forbid Adobe Flash
Activate Forbid Microsoft Silverlight
Activate Forbid Othe plugins
Activate Forbid font@face
Activate Forbid Audio/Video
Activate ABE

Installing plugin RefControl

Take a look at http://ip-check.info/?lang=en

How does you foot feel after

How does you foot feel after you most likely just shot off a few toes?!

(I doubt your smarter than all the Tor devs combined . . . )

are you a windows users,

are you a windows users, right ?

Would you share those

Would you share those settings with us?

Beware that many of those

Beware that many of those changes may be making you more identifiable.

Support obfs2 bridge?

enable plugins doen't

enable plugins doen't work.once i uncheck it it rechecks on its own..

My Slitaz Live CD still uses

My Slitaz Live CD still uses gtk+ 2.16.5 and there's no way for me to upgrade gtk+ as this would mean to rebuild practically the entire distribution from scratch. Unlike TBB 2.3.25-2 this latest version of TBB no longer works for me because once again (it has happened before) someone has built the package using a later version of gtk+ ...

libxul.so: undefined symbol: gtk_widget_set_can_focus

... and I'm wondering why? Shouldn't TBB function in the greatest possible number of environments? Unless there are security issues with older gtk+ versions I see no reason why you are using a version that leaves some of your users behind. Firefox 17.0.4esr works perfectly on my computer. If Mozilla can do it, why can't the Tor-Project?

I think the Tor-Project should be using a well specified, standardized build-box to produce its browser bundles so that the outcome no longer depends on who happens to run the build procedure. It would also be a good idea to publish minimum requirements together with the change log for each new TBB.

I saw a ticket on Tor

I saw a ticket on Tor Projects bug tracker that they are working towards making their build machines match those of Mozilla better.

I noticed that NoScipt is

I noticed that NoScipt is not enabled by default in this version. I don't get that. Scripts are flagged in the usage guidelines as being potentially dangerous, but the system inside Tor Browser designed to keep them at bay is disabled unless you enable it?

What about people who believe what it says on the Tor download page about the Browser Bundle being "ready to go"? Correct me if I'm wrong on something here, but really - where's the logic in that?

Disabling JavaScript using

Disabling JavaScript using NoScript is not required to make Tor Browser safe. Tor Browser includes its own patches and special configuration that blocks the dangerous parts of JavaScript, while still allowing the safe JavaScript to work.

Disabling JavaScript altogether breaks many more sites than it need to. This is bad for the less computer literate users.

You're wrong. TBB is safe

You're wrong. TBB is safe and *meant* to be used with NoScript to globally allow all scripts. This issue comes up, well, at least once every week.

I think TBB should launch a window explaining all the FAQ's people post here without doing a simple search on the topic before they post . . . [rolls eyes]

"I noticed that NoSc[r]ipt

"I noticed that NoSc[r]ipt is not enabled by default in this version."

NoScript /is/ enabled but set to enable scripts globally. This is addressed in the FAQ:
https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled

(NoScript still provides at least /some/ protection with this setting.)

This is how its been in TBB for as long as I can recall. What was the last version of TBB you tried?

Wow. I just clicked on a

Wow. I just clicked on a youtube video and it played.

Is this a bug or a feature?

Did I lose anonymity?

Could be life-threatening for me.

I'm using

tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz

Hope this is the right place to post this...

OK, it looks to be related

OK, it looks to be related to recent change:

"...
Firefox patch changes:

Remove "This plugin is disabled" barrier
This improves the user experience for HTML5 Youtube videos:
They "silently" attempt to load flash first, which was not so silent
with this barrier in place. (closes: #8312)
Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)

..."

Nah, it was noscript set (by

Nah, it was noscript set (by default??) to allow scripts globally. Sheesh. Good thing I tested it before going live.

It was HTML5. That's a good

It was HTML5. That's a good thing.

thx all

Recently work have been done

Recently work have been done towards supporting HTML5 video (which unlike flash video is safe to use inside Tor Browser). At least some videos on YouTube works using HTML5 too, without flash.

See the changelog posted in the top of this thread for more information.

It may be html5 videos

HTML5; it's supposed to

HTML5; it's supposed to happen :) https://www.youtube.com/html5

Many YouTube videos now

Many YouTube videos now support html5, an alternative to Flash for watching video. As far as I know, these should play in TBB.

Maybe you tell us the reason

Maybe you tell us the reason why you don't can't or want support PowerPC-Macs …

Do you think, that these machines will stop they're work soon or what?

Please recompile Vidalia

Please recompile Vidalia with the latest Qt - 4.8.4.

Can anybody tell me why I

Can anybody tell me why I keep getting a warning ("external application needed...") everytime I try to download a file by right-clicking on the link and selecting "Save link as" ? I'm using the latest official version of TBB.

I'm not talking about opening the file in the browser, only downloading. It's scary because it happens most of the times, but not always, even with the same file. It simply makes no sense.

Opening the file in the

Opening the file in the browser is safe. Downloading means you have to open the file with another application (external application), which may not be safe.

For example, say you download a .mp3 audio file. This should be safe by itself, but when you later start playing this file in your media player, your media player might think it is a good idea to download additional metadata for this .mp3 file (look for artist/album info, cover image, song lyrics, etc). Your media player is an external application, and will not be using Tor. And anyone observing your connection can see you has this file.

Make sure to either configure your external applications so they do not use Internet, or use the Tails live system or similar there someone have done the configuration for you.

Not really. Actually opening

Not really. Actually opening a file in the browser might be dangerous, if it is done by another application (i.e., the browser doesn't play video files by itself, even if it displays the output).

Instead, downloading should actually be safe, as long as the user right-click and selects "save files as". There's really no reason why TOR should display the "launch application" warning in this case, especially if one is using TBB, which should already be safely configured.

I found many other users complaining about the same problem.

I think torproject disabled

I think torproject disabled NoScript and enabled "Flash" beacuse the TBI OWNED TBB or maybe i am wrong ? and how many relays / nodes / servers are HONEYPOTS ?

NoScript is not disabled,

NoScript is not disabled, but safe JavaScript is allowed.

Flash *is* disabled. If it isn't for you, it is a bug, report it.

Tor is designed to keep its anonymity properties even if there is a few "honeypots".

TOR Internet connection was

TOR Internet connection was working fine in version 2.3.25-2 with the Internet connection selection set to “Manual proxy configuration” and Socks: 127.0.0.1 set to port 9050.

After installing either of releases -4 and -5 the TOR browser will not allow connection to the Internet, and gives the message: The proxy server is refusing connections.

After running Test Settings from the TOR Button, the test is successful.

Attempting to connect to the Internet gives the message:
What changed from -2 to -4 and 2 to -5 to cause the connection to stop working with settings that worked in version -2?

I had the same problem, and

I had the same problem, and the reason was that I had edited my torrc file.
Solution:
Check the torrc file you are using.
Make sure that your file has these values:

ControlPort 9151<br />
SocksPort 9150<br />

If not, edit them after you have stopped Tor in the Vidalia Control Panel.
Then try again.

Hope this advice was useful to You.

I got the same problem, and

I got the same problem, and this does NOT fix it (my torrc was downloaded with the package, and contains the correct ports.
Anyone has a suggestion? Someone can indicate which programs are supposed to be running, and where they are supposed to be listening?
Thanks

Control port is strict and

Control port is strict and the same not automatic on the last two Linux TBB versions so it prevents the starting of two TBB simultaneously with default settings, is it because of the bug?

Windows 7 64 Tor Browser

Windows 7 64
Tor Browser Bundle (2.3.25-4) has been working for 2 weeks but today tor connects and starts firefox port but it closes immediately. I disabled antiv and set exclusions same behavior. Close all non essential programs same behavior. I downloaded alpha same behavior. I tested an old version of the tor-browser firefox port 3.6 and it runs

Thoughts

i have often app.exe crash.

i have often app.exe crash. how can i report it? Is there any log that i can e-mail you?

You should add Cryptocat to

You should add Cryptocat to the list of default addons in TBB. It's really a match made in heaven: CC encrypts and anonymizes the chat conversation, TBB obfuscates the IPs of the participants.

Just downloaded the new tbb,

Just downloaded the new tbb, my configure controlport automatically is already unchecked and the port is automatically 9151. Is this ok? I am trying to torify my bitcoin app? Are there any beginners guide to this new version of tbb?

Thanks

why the tbb's version

why the tbb's version firefox is slow than normal firefox a lot?
(even both use same profile)
anyone have this (slow) problem?
thank you.

If you mean the time it

If you mean the time it takes pages to load, then the answer is probably simply the bouncing between nodes that is the very function of Tor itself.

no, I mean is tbb slow that

no, I mean is tbb slow that (tor + normal firefox).
on my system, the tbb version firefox startup time need +10sec,
and normal firefox startup need +5sec,

Me too. When I open a local

Me too.
When I open a local html file (written by myself) in TBB it scrolls soooo slowly.
Opening the same file in normal firefox (with more addons) it scrolls fast and nice.
What gives?

Hi, is it safe to attach

Hi, is it safe to attach files or pictures to an email you are sending from a webmail client? Or can the attaching of files to an email (through tor) lead to revealing of your IP to the webmail server (such as gmail?)

When you attach a file to an email, the little windows explorer opens up and you look through your computer to find the file. Gmail then spends a couple of seconds uploading the file to the actual email. Can this uploading of a file to an email reveal identity? Or does this uploading (attaching files to an email) also happen through the tor network and is 100% safe?

The upload should happen

The upload should happen through Tor, but that still doesn't make it 100% safe. (Not least because Tor far from being "100% safe".) You should check your files carefully for potentially deanonymizing meta-data. A lot of cameras these days automatically tag images with GPS data, for instance. With that said, barring any metadata-associated privacy leaks, sending pictures via Gmail over Tor is likely no riskier than sending plaintext emails via Gmail over Tor.

Ever since upgrading to FF

Ever since upgrading to FF 17 ESR bundle (now on 17.0.4) my fonts seem to be readable. Never had this problem with the older bundles. This is all according to ip-check.info. Any information on this?

Firefox ESR 17.0.5 is out,

Firefox ESR 17.0.5 is out, ONLY Security fix

Changelogs:
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Fixed in Firefox ESR 17.0.5
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)