New Tor Browser Bundles with Firefox 17.0.3esr

by erinn | February 22, 2013

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Open these into their own directory and do not copy any profile material from older TBB versions.

https://decvnxytmk.oedi.net/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

Comments

Please note that the comment area below has been archived.

February 21, 2013

Permalink

hi bodies.I have used flash bundle for 1 month.i am from iran! Suddenly today the line connecting between relays in "view the network" changed to an bold line.i upload it and there is it's link.please watch it and tell that it is safe and normal or it is suspect and at risk.
http://i49.tinypic.com/k170vo.jpg
thanks

Looks fine to me. The network map page is actually *supposed* to have those green lines between relays on the map. But it only draws the lines when it knows where the relays are, and it has trouble guessing where the flash proxy bridges are.

February 21, 2013

Permalink

I just updated to 2.3.25-4, overwriting my old files. Nothing worked until I removed the old folder (it would be good if the download page or the "There is an update" page contained a hint, not just the blog).
Now, I'm seeing a blinking yellow triangle in the onion icon of Tor Browser. What does that mean?
Vidalia's logs don't seem to contain anything special. Wireshark shows only torified traffic...

then why not have a HOW TO UPGRADE page? ffs i have to fuck about for hours scouring the net to find out how to keep my bookmarks? fucking shit program, cant it update itself and work??????????

lol i hear ur frustration man, it just happened to me last night :/
the program is security oriented, having an auto-update feature would just be another vector for attack

I have the same problem since last night when I updated to
tor-browser-gnu-linux-x86_64-2.3.25-4-dev-en-US.tar.gz

The yellow triangle keeps blinking and when the vidalia starts (Firefox ESR 17.0.3) it says there is a new update available.

I'm running Linux Ubuntu 12.04 (updated to date) 64 bit

It connects to all sites with no trouble anyway
I did set the bridges i received from tor and the problem still exists.

I don't know about others but I do the following.

- Create a folder "TBB", inside TBB create folder "2.3.25-4" (to store the zip file and signature file), "settings" (to backup the settings for the TBB i.e. bookmarks, about:config changes that need to be made with each new version) and "tor-browser_en-US" (this is the extracted folder from the zip file).

After doing that all I do is delete the old "tor-browser_en-US", verify the signature of the new package and extract a new "tor-browser_en-US" to the TBB folder and apply some settings that always are on to off, recover the bookmarks. In my specific case NoScript always comes out of the box allowing scripts globally which I turn it off and then I just downalod CS cookie to handle the cookies and don't touch anything else.

Funny after any update TBB complains that I need to update the system, even though is bran-spanking-new and after a few days it stops asking.

As for the blinking yellow triangle, it means we screwed up the "is there an upgrade" test at first. Then we applied a work-around, so the blinking yellow triangle should be gone. Until there actually is an upgrade available at least.

February 22, 2013

Permalink

Does this TBB release have new system requirements (i.e. minimum supported versions of Windows/Mac OSX?) This info might be useful for new users or users who are upgrading.

February 22, 2013

Permalink

I want to ask if I fill the proxy box which in the Tor setting panel with 127.0.0.1:9050, that means another Tor is running, will this method downgrade the security?

You are suggesting to send your Tor's traffic through another Tor running on the same machine? Proxying Tor through Tor will slow down all your traffic a lot. And I don't think it will improve your security any.

February 22, 2013

Permalink

I deleted the old folder and moved my savedbookmarks folder only, the new TBB keeps flashing and reporting new updates. whats going on?

February 22, 2013

Permalink

ok so i just deleted it and started again, no copy of files this time and hey guess what, yep you got it, the god damn thing still wants to update. whats going on?

February 22, 2013

Permalink

1.) Just downloaded, verified and extracted this (GNU/Linux).

Cannot get it to run:
When I double-click on the 'start-tor-browser' file/icon, it just opens a text file.

2.) I had been successfully using tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz.asc

For the past several days, the message about a new version being available would always show at startup. But when I went to the download page, I never saw a newer version available.

Now, when this new version IS available, my old TBB no longer displays the new version alert!

What's going on?!

February 22, 2013

Permalink

Followup to previous post:

I noticed that "Make the file executable" was not checked, so I checked it.

Then, after double-clicking on "start-tor-browser", I got:

"Vidalia exited abnormally. Exit code: 126"

Sounds like you should get rid of whatever you downloaded, and download a fresh copy.

Also, make sure you're fetching the 32-bit version if you're on a 32-bit OS, or 64-bit if on 64-bit.

February 27, 2013

In reply to arma

Permalink

"Whatever [I] downloaded" was nothing other than this latest version of TBB that is the subject of this blog entry, directly from the Tor web site:
https://decvnxytmk.oedi.net/download

The file, to be exact, is:
"tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US.tar.gz"

I verified the signature.

(The previous post I referred-to was "647/18793")

This is the correct architecture, 32-bit, for my 32-bit system.

The previous version, "tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz", is still working for me (what I'm using to post now), as have all of the older versions for as back as I can recall. Both my hardware as well as software are the same.

The current release of Tails, 0.17, also works fine for me, as have the previous ones.

February 27, 2013

In reply to arma

Permalink

Okay, just after submitting my previous followup regarding "tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US.tar.gz", I figured-out what the problem was and corrected it.

I had extracted the file to the same FAT 32 volume that I had downloaded to and then copied and pasted the resulting folder to the home directory of the GNU/Linux system I am running.

I have now extracted the tar.gz file DIRECTLY to my home directory, and was able to launch and run the new TBB without incident thus far.

February 22, 2013

Permalink

I just downloaded tor-browser-gnu-linux-i686-2.3.25-4-dev-en-US.tar.gz. On the first run, it tells me that I need to download an update. While I like the notification, is there some way to turn it off when it is in error?

February 22, 2013

Permalink

Emsisoft, current release, has flagged the tbb-firefox.exe with Gen:Variant.Kazy.31094

Sent to them for review.

Virus Total finds 1/41; F-Secure rather than Emsisoft this time.

Zen

February 22, 2013

Permalink

Downloaded 2.3.25-4

Bitdefender 2013 says virus in the tbb-firefox.exe

Gen:Variant.Kazy.31094

February 22, 2013

Permalink

i wish you would stop this gawd damn thing flashing at me before i throw it out the f'ing window. torbutton whats going on?

If you dont sort it today then i'll be having a word with Beelzebub and you wouldn't want that would yer!!!

February 22, 2013

Permalink

If you want something done then you've just gotta do it by yerself.

flashing torbutton update requests

about:config

extensions.torbutton.updateneeded
toggle to 'false' results in annoyingly flashing torbutton being turned off.

not that I had the flashing torbutton problem myself, but I just checked that setting and mine is already set to false which is it's default setting, so has it been disabled by default in the last few days?

February 22, 2013

Permalink

My antivirus software has detected Variant.Kazy.31094 in tbb-firefox.exe (v2.3.25-4). Might be false alarm as it seemed to be last year.

Anybody else having this issue?

February 22, 2013

Permalink

FSecure's saying tbb-firefox is infected with Gen:Variant.Kazy.31094

Surely just a false positive, but you ought to be informed

I also have that problem.
Bit Defender destroys tbb-firefox as soon as I decompress the bundle.
Previous versions run without any problem but of course they immediately warn me about the update I need to install.

February 22, 2013

Permalink

The latest TBB for Linux has a bug where Torbutton always flashes saying TBB is out of date when I am running the latest version.

February 22, 2013

Permalink

Are the browser bundles clean? When I ran the new alpha bundle I got a virus.

February 22, 2013

Permalink

Thanks!
Version 2.3.25-4 - Windows 8, 7, Vista, and XP:

torrc: SocksPort 9050

but

TorButton Proxy Settings: port 9051

so that didn't work :)

February 22, 2013

Permalink

I have been using TOR for a while now with no issues. However, today after I ran the previous version it notified me to download the latest version because of a security issues. So I downloaded and installed
Version 2.3.25-4 for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches and after about 12 seconds Vidalia control panel just closes.

I tried reinstalling it and the same thing keeps happening. Any ideas?

I get this exactly on my Windows 8 64-bit as well. I'm pretty sure its down to the new Firefox 17 included, Does anyone know where I can get the last version containing Firefox 10 ?

I have Firefox 19 general release installed, I wonder if it is having an effect?

I'm on win XP 64-bit (because I'm old) and having the same issue with the new release.
I initially overwrote the previous installation, but have since tried deleting the directory and starting from scratch. The browser just won't launch. Seems like all the previous comments are from 64-bit windows users also.

Little help?

exact same thing, here, usin win 7 64 bit as well.. vidalia boots up and says im connected but the browser doesnt appear, and then when i force it to open by going into the bundle folders whenever i try to connect to something it gives me an error message saying "the proxy server is refusing connections"

Win7/64 bit here as well. Vidalia control panel opens up fine and connects to Tor, but when I open the browser I also get "proxy server is refusing connections". Any help would be greatly appreciated.

The problem still persists:
"unable to find proxy server"
"Firefox is configured to use a proxy server"

Changing the network advanced settings for Firefox to No Proxy or Automatic makes no difference.

I just looked up and here the DoNotTrack is enable by NoScript by default, it is not enable by Firefox.

The only question I may have is what happens if I turn both on?
Would they create a conflict?

Don't know. Anybody knows how to test that?

When you notice that some creepy man is trying to follow you, and you have all the means to escape him with ease, would you love to first tell him that you do not want to be tracked, or would you prefer to just disappear in a puff?

February 22, 2013

Permalink

Hey I'm having this exact same problem, help please.

On February 22nd, 2013 Anonymous said:
I have been using TOR for a while now with no issues. However, today after I ran the previous version it notified me to download the latest version because of a security issues. So I downloaded and installed
Version 2.3.25-4 for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.
I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches and after about 12 seconds Vidalia control panel just closes.
I tried reinstalling it and the same thing keeps happening. Any ideas?

February 23, 2013

Permalink

I have been using TOR for a while now with no issues. However, today after I ran the previous version it notified me to download the latest version because of a security issues. So I downloaded and installed
Version 2.3.25-4 for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches and after about 12 seconds Vidalia control panel just closes.

I tried reinstalling it and the same thing keeps happening. Any ideas?

Having the exact same problem. I installed over the old version like I always do.

February 23, 2013

Permalink

I got the same virus notice from bitdefender that was mentioned previously. I guess I can't use tor until they update us. Shitty.

February 23, 2013

Permalink

Only serious firms hold it on the on the
"Do not track" rules. But many firms make tracking equal is default or not.

February 23, 2013

Permalink

Where to download the alpha version ? I can't find it on the download link that is provided above.

February 23, 2013

Permalink

/Tor Bundle/tor-browser_en-US/Data/profile/preferences/extension-overrides.js

  1. # NoScript Preferences:<br />
  2. pref("capability.policy.maonoscript.javascript.enabled", <b>"allAccess"</b>);

Shouldn't that be "noaccess" or something?

  1. // Now handled by plugins.click_to_play<br />
  2. pref("noscript.forbidFlash", false);<br />
  3. pref("noscript.forbidSilverlight", false);<br />
  4. pref("noscript.forbidJava", false);<br />
  5. pref("noscript.forbidPlugins", false);

Shouldn't those options be "true" instead of "false"

I suspect that this is what is causing some warnings to keep appearing
/Tor Bundle/tor-browser_en-US/Data/profile/compatibility.ini

LastVersion=17.0.3_20130220040246/20130220040246

You can also find some more preferences in:
/Tor Bundle/tor-browser_en-US/Data/profile/prefs.js

For the antivirus warnings it may be coming from here:
/Tor Bundle/tor-browser_en-US/Data/profile/safebrowsing/

Which is populated by a lot of test files.
I suspect they are the same as EICAR
https://en.wikipedia.org/wiki/EICAR_test_file

February 23, 2013

Permalink

My system spec: Linux Ubuntu 12.04 (updated to date) 64bit
Connecting from Iran

Preface
In Iran the security of the communication is a matter of life and prison.

Issue 1:
Since I've updated my OBSFProxy to
tor-flashproxy-pyobfsproxy-browser-gnu-linux-x86_64-2.4.7-alpha-1-dev-en-US.tar.gz
in the first run, it works normal.
In the 2nd run and afterwards, when vidalia starts, it says that there is a new update available.
When I go to the OBFS download page, the version is still the same that I'm already using.

When I exit Tor, and delete the extracted folder, and I re-extract the above zipped file, the cycle begins: the 1st run is ok and the next runs ask me to update.

Issue 2:
The firefox version for new download is still Firefox ESR 10.0.12

Issue 3:
When I'm running OBFS version, the default update message leads to standard Tor Bundle page, where it's logical that by clicking on the link the user is directed to OBFS download page

Issue 4:
The default Tor page needs to be more smart and there shall be a safe and reasonable method for the page to understand which version of OS (Linux, Win, Mac,...) and which architecture (32 bit, 64 bit) the user is using. then the page can redirect the user to the relevan download page and not to the current default windows download page.

As for your issue 4, you might be interested to learn that the download page *is* smart, but the Tor Browser Bundle is even smarter. The download page checks your OS, but TBB lies to it and pretends to be Windows, and so the download page presents you with the Windows version.

Suggestions appreciated, but on the whole I'd rather have TBB be smarter than our webpage. :)

February 23, 2013

Permalink

Are the OBFSPROXY versions included in this new release?

The OBFSPROXY page with releases should include more details upon new release, date of release, version, more...

February 23, 2013

Permalink

Re: Erinn's signature

There's a discrepancy regarding the signature creation date. On this page ...

https://decvnxytmk.oedi.net/docs/verifying-signatures.html.en

... it says the date should be:
Wed 31 Aug 2011 06:37:01 PM EDT using RSA key ID 63FEE659

But the gpg verification actually displays this date:
Fri 22 Feb 2013 07:09:54 AM CET using RSA key ID 63FEE659

31 Aug 2011 was the date when we ran that command to produce the example.

The only way your gpg verification would display 31 Aug 2011 is if you ran your command on 31 Aug 2011 too.

February 23, 2013

Permalink

Huge problem with the latest Tor Browser Bundle and DownThemAll, it keeps on clearing the DTA downloads list when I exit, when I sometimes want to keep on downloading things the next time I open the browser.

Don't use DTA with TBB, it won't work. DTA is not safe, that is, it hasn't been proved safe by Tor people (or others Tor people trust); much better is wget through Privoxy or curl for single files.

Using atypical Firefox add-ons, relative to the whole Tor community using TBB, can make you stand-out from the crowd, especially considering those who use DTA tend to download files most people abhor (from what I gather reading tor-talk and elsewhere).

February 23, 2013

Permalink

To update my previous post, I have figured out the DTA problem. There is absoulutely no reason why you should automatically enable private browsing, if DTA automatically tells the browser to save nothing or has the 'best settings' in Options - Privacy.

It just causes many more problems than it solves.

"There is absoulutely no reason why you should automatically enable private browsing . . ."

Please provide your reasoning for such a bold claim, please include references to your source materiel.

February 24, 2013

Permalink

As a long-time user of the TBB I have found the latest version (2.3.25-4) for Windows to be very concerning, and I am considering regressing to the previous version (2.3.25-2).[Didn't see/get (2.3.25-3) for some reason?]

Now I understand the rationale for wanting sites to look good, however I see the changed @font-face attributes as a security threat as such external fonts can/are being used for tracking purposes.

What is more inexplicable is that the contents of my cache were exposed in this new version and I had to go into about:config to turn it off!

I went to ip-check.info to see if I was anonymous; these are the values I received:
cache (E-Tags): BAD
signature: MEDIUM
fonts: BAD (strange characters seen)

I have since disabled the cache and @font-face settings in about:config however, I think that you may have over-simplified the torbutton add-on.

Now that I have complained, I thank you for your efforts; nice job with plugin containment- I hope you see this as genuine concern and not just the usual fear of change.

P.S. Any ideas as to why my header signature is seen as atypical?

February 25, 2013

Permalink

I live in Iran. So far , I haven't had any problems with obfsflashproxy Bundle Alpha-1.
When I saw New Bundle 2.3.25-4 I downloaded it and deleted all other Tor ( obfs , etc.) .
Iused it ( 2.3.25-4 ) for couple of days and now suddenly won,t reboot and hangs at 10% bootstrapped !!!!.
I deleted eveything ( both 2.3.25-4 and obfsflashproxy ) and cleaned the registry and only send 2.3.25-4 to the computer,but unfortunately it only bootstrapped 10% and stopped.
I am sending this message through obfsflashproxy.
PLEASE PLEASE inform us what is wrong and give us simple ( REPEAT : SIMPLE ) instructions as how to fix the problem.
AS ALWAYS
THANKS A MILLION.

If you're in Iran, and the normal Tor Browser Bundle doesn't bootstrap, and the obfsflashproxy bundle does bootstrap, I suggest you stick with the one that works.

(I know Iran has been experimenting with all sorts of ways to make your network less fun to use, so I am not surprised.)

February 25, 2013

Permalink

Hopefully its just me, but when I downloaded the new Bundle and checked the certificates I saw that 3 by TurkTrust were still listed...this is a problem, yes?

February 26, 2013

Permalink

using the windows bundle for win-xp
keep getting the
"There is a security update available for the Tor Browser Bundle."
update message when i start up tor browser.
also the tor button in the browser (onion icon with a cross through it) indicates that Tor is Disabled.

please can you fix this?

February 26, 2013

Permalink

I want to know when are you guys going to fix this thing.Now i can even access the tor sites.It keep saying:
"Check the proxy settings to make sure that they are correct."
"Contact your network administrator to make sure the proxy server is
working."

I and also it keep saying there is an update.

what is going on here?

February 26, 2013

Permalink

On 32-bit Win XP, I deleted the existing subdirectories in the Tor Browser directory and unpacked 2.3.25-4. At first it looked okay but then I noticed that a TB's "Cookie Protections" showed the usual cookies the first time but then showed no cookies at all, when I have a site open that I know sets cookies. Also all the dialogs for cookies in the Privacy menu are not there any more. It feels like other menu items are missing too but I can't say exactly what. About half the time it wants to come up in Safe Mode but there's no indication why. In general the UI is very laggy compared to 10.X.

So I tried 2.3.25-4 on Linux x64 and I see the same thing.

Something is seriously not right. I'm dropping back to 2.3.52-2 for a while longer...

February 26, 2013

Permalink

since you have removed the Torbutton option:
am I right in thinking that I need to set "extensions.torbutton.no_updates" in "about:config" to "true" to stop Torbutton from searching for and installing updates?

I believe Mike (thinks he) made it so Torbutton never updates itself ever again. The idea is that updates would come in new TBB's.

If this is different from what he actually did, please open a ticket on trac.

February 26, 2013

Permalink

running Win7 and just downloaded Firefox ESR 17.0.3 (Tor browser). The program keeps crashing after several minutes (crash message below). Also, icons of visited sites stored in bookmarks are retained, even after browser is closed and re-opened. Have AVG Internet Security 2012 and keep getting pop-up warnings that it cannot read encrypted e-mail traffic. Have never seen either of those things before.

Crash message:
Problem Event Name: APPCRASH
Application Name: tbb-firefox.exe
Application Version: 17.0.3.4799
Application Timestamp: 51247233
Fault Module Name: xul.dll
Fault Module Version: 17.0.3.4799
Fault Module Timestamp: 51247176
Exception Code: c0000005
Exception Offset: 00199a1c
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

"Have AVG Internet Security 2012 and keep getting pop-up warnings that it cannot read encrypted e-mail traffic." My guess is your Tor client is connecting to a Tor relay on some port that your AVG thinks could only possibly be used for encrypted email traffic. And since your AVG wants to spy on you, it kindly lets you know that it's having problems spying on you.

February 28, 2013

In reply to arma

Permalink

Downloaded the Tor update again and re-installed, this time entering my bookmarks manually instead of copying old ones from an exported html file. This fixed the AVG problem, but the program is still crashing, and it is retaining history and the icons of visited sites, even though the 'never keep history' option is enabled. I don't use a relay but might try this to see if that fixes anything.

Same problem here with ALL the latest releases, currently using ver. 17.0.5 from tor-browser-2.3.25-6_en-US.exe :

REGULAR CRASHES, always with xul.dll as the Fault Module Name.

Using Windows 7 as well, issues only began with update to a newer release of the tor browser bundle earlier this year. No other problems with my system or programs whatsoever, ram tests and hdd tests both without any errors. Tried reinstall, newer versions, all to no avail.

Tor may crash at any time, no matter if it has been running for hours or for just a few minutes, anywhere, no matter what site I'm on, but always during activity, often right after a right click, never when idling.

Very disapppointing that tor has become completely unstable all of a sudden over the course of several releases, although more people seem to have the same problem. I'm having some privacy issues as well, e.g. download locations are saved, although it's changed in the settings, tor made typing suggestions from previous visits although it had been closed in the meantime, and so on. Please fix!

February 26, 2013

Permalink

Usally Im using to get a verfication page. "You are now connected to TOR" or something similar in green text.

But with this boundle (2.3.25-4) I am just getting a blank page. And Im getting it immediately. It doesnt even semm to try to connect. But if I try to visit this or other pages, it connects. I'm not sure if TOR works or not.

If I Start the old boundle, it works as before. So the page is online.

Is this a bug, or is something changed that I have missed?

February 27, 2013

Permalink

Is there any way to have TBB on XP show the browser either maximised on startup, or remember the window state between sessions (position, size, whether maximised etc.)?

In previous versions I achieved this by setting extensions.torbbutton.resize_new_windows in about:config to "false", but this method does not work with this latest version.

February 27, 2013

Permalink

I am confused about how cookies are handled in this version of TBB.

Unlike in previous versions, I see no way to view any stored cookies in this version.

But it must be accepting cookies, since I am able to post here and at other sites with a Captcha.

Surely, there must be a way to see cookies and delete them individually, selectively?

Try this:
Preferences ➡ Privacy ➡ History heading: Torbrowser will 'Remember history' ➡ 'remove individual cookies' link

Remember to set it back to the default when done.

Next time, try the support site [1]; there's a section specifically on cookies [2]. If the information isn't there, ask the community [3], and maybe even contribute with whatever wasn't there [4]. Lastly, tell Mozilla that Firefox's cookie settings are buried in some obscure place so that they can fix it [5].

Also, before you ask, STFW.

footnotes
[1] https://support.mozilla.org/
[2] https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-website…
[3] https://support.mozilla.org/en-US/kb/get-community-support
[4] https://support.mozilla.org/en-US/kb/superheroes-wanted
[5] https://input.mozilla.org/en-US/feedback/

February 28, 2013

Permalink

i have also APPCRASH with windows 7 when i have open 8-9 tabs and then push the exit button on vidalia.

February 28, 2013

Permalink

You ignore, that a PowerPC-User like I am, has no chance to work with Tor, Vidalia, Tails etc.

Bye, bye Tor.
Hello JonDo!

March 01, 2013

Permalink

May I ask:

Why the hell do bugs like the update bug so many people are complaining about get past Tor testers? That is, why didn't a single of your core Tor people test this and realize it's all eff'ed up?

This is an honest question, I've been using Tor for many years, and every now and then, you guys/gals really drop the ball, you end up looking silly, and then have to cancel updates, re-issue updates, and re-re-re-issue updates. ARRG!

Imagine how this makes you look to people who don't understand that these things happen to the best of projects, i.e., your largest user base (those generally ignorant of advanced computer use).

Please answer. Do you need to improve your pre-release testing?! (hind: yes, you do!)

March 01, 2013

Permalink

1) Windows Bundle: The browser crashes in an uncontrolled manner whenever an image is dragged from a windows app such as a password manager to an online web form textbox.

To reproduce the problem open
http://forums.informaction.com/ucp.php?mode=login
Open your password manger and drag anything to the 'username' box on the web form. Observe that both Vidalia and Firefox close down in an uncontrolled manner without reporting.

Disabling the Tor Button 1.5 extension prevents the problem from happening.

2) The Windows Bundle is being shipped for new installs with NoScript set to 'Allow Scripts Globally (dangerous)'. It should be shipped with NoScript set to 'Forbid Scripts Globally (advised)'. A user unfamiliar with NoScript would be at risk with the present install arrangement.

March 01, 2013

Permalink

hi i downloaded the latest bundle, it connects to network, onion goes green, then after the pause at this stage after which firefox usually opens and you see a confirmation page it crashes, the whole thing shuts down and disappears ?

Is this a problem with the network ? my windows 7 os ? or this new bundle ?

March 01, 2013

Permalink

Tor Browser Bundle (2.3.25-4) keeps throwing a error about DNS not responding. I reverted to tor-browser-2.3.25-2_en-US and viola Tor works.

Using Win 7 64 bit on i7 box w/16GB Ram

March 02, 2013

Permalink

Is there a way to add more than one bridge at a time using the vidalia control panel ?
as I now have a long list of bridges that are becoming a pain to add one at a time every time that there is an update

March 02, 2013

Permalink

On my Windows 7 64-bit Tor browser crashes after
several minutes when I visit a website.
But not every website causes Tor browser to crash.
For instance Tor browser works fine when I visit
"torproject.org".

Crash message:
Problem Event Name: APPCRASH
Application Name: tbb-firefox.exe
Application Version: 17.0.3.4799
Application Timestamp: 51247233
Fault Module Name: xul.dll
Fault Module Version: 17.0.3.4799
Fault Module Timestamp: 51247176
Exception Code: c0000005
Exception Offset: 0018c70c
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1043
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

March 03, 2013

Permalink

I can't open the OSX bundles on Mountain Lion. An alert shows up saying ""TorBrowser_en-US.app" is damaged and can't be opened. You should move it to the Trash.".

This is a codesigning issue that has persisted for many releases. PLEASE FIX IT. Here are the files that are incorrectly signed:

$ codesign -vv TorBrowser_en-US.app
TorBrowser_en-US.app: a sealed resource is missing or invalid
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Data/Tor/geoip
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/Tor/LICENSE
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/Vidalia/LICENSE
resource modified: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/changelog
resource missing: /Users/xxx/Desktop/TorBrowser_en-US.app/Contents/Resources/Docs/Vidalia/LICENSE-OPENSSL

It is very likely that whatever make script you use CHANGED or ADDED these files AFTER codesigning has taken place. I have successfully transplanted these files from the PREVIOUS build, which then fixes the codesigning issues.

PLEASE fix this!

March 03, 2013

Permalink

It crashes because Firefox checks if there's already an instance running, which it shouldn't because it's suppose to be encapsulated.

March 04, 2013

Permalink

Intermittently unable to connect to MANY sites.

Get generic "unable to establish connection to the server at {domain}" message from Firefox.

Most recently:
03/04/13 0:11 UTC
check.torproject.org shows IP:
176.99.7.69

Only other site I was able to reach (of the ones I tried) was startpage.com

Has happened several times before while running TBB as well as Tails. Clicking "New Identity" in TorButton would also solve the problem but this time I just waited it out. As soon as I was again able to access http://cmyip.com/ , it showed 87.236.194.158, which was corroborated by check.torproject.org.

March 05, 2013

Permalink

Have used previous versions of Tor without problems but latest version opens for a few seconds and then crashes. Have removed previous versions and done two clean installs. Same problem both times. If it helps I managed to copy the messages from the advanced tab. Any suggestions would be gratefully received.

Mar 05 12:03:09.774 [Notice] Tor v0.2.3.25 (git-17c24b3118224d65) running on Windows 7.
Mar 05 12:03:09.774 [Notice] Tor can't help you if you use it wrong! Learn how to be safe at https://decvnxytmk.oedi.net/download/download#warning
Mar 05 12:03:09.774 [Notice] Read configuration file "Y:\Tor Browser\Data\Tor\torrc".
Mar 05 12:03:09.882 [Notice] Initialized libevent version 2.0.21-stable using method win32. Good.
Mar 05 12:03:09.882 [Notice] Opening Socks listener on 127.0.0.1:9150
Mar 05 12:03:09.882 [Notice] Opening Control listener on 127.0.0.1:9151
Mar 05 12:03:10.102 [Notice] Parsing GEOIP file .\Data\Tor\geoip.
Mar 05 12:03:12.067 [Notice] No AES engine found; using AES_* functions.
Mar 05 12:03:12.067 [Notice] This OpenSSL has a good implementation of counter mode; using it.
Mar 05 12:03:12.067 [Notice] OpenSSL OpenSSL 1.0.0k 5 Feb 2013 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Mar 05 12:03:12.067 [Notice] Reloaded microdescriptor cache. Found 2777 descriptors.
Mar 05 12:03:12.067 [Notice] We now have enough directory information to build circuits.
Mar 05 12:03:12.067 [Notice] Bootstrapped 80%: Connecting to the Tor network.
Mar 05 12:03:12.067 [Notice] New control connection opened.
Mar 05 12:03:12.956 [Notice] Heartbeat: Tor's uptime is 0:00 hours, with 7 circuits open. I've sent 0 kB and received 0 kB.
Mar 05 12:03:13.181 [Notice] Bootstrapped 85%: Finishing handshake with first hop.
Mar 05 12:03:13.970 [Notice] Bootstrapped 90%: Establishing a Tor circuit.
Mar 05 12:03:15.500 [Notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 05 12:03:15.500 [Notice] Bootstrapped 100%: Done.

March 05, 2013

Permalink

Download button doesn't work in PDF.js ?

Nothing happens if I click it (JavaScript off or on, doesn't matter)

i dont know how wise it would be to have pdf.js enabled
you might want to research that a bit before even enabling it
also, any deviation from other tbb users can be used to identify you

March 05, 2013

Permalink

I used to be able to load the tor browser bundle, then separately load pidgin set up with tor as a proxy. But in this browser bundle version, pidgin fails to connect "connection refused".

What changed? How to fix?

March 09, 2013

Permalink

will not upgrade untill there is a fix , the new ver will not let me "save passwords for sites" why the hell not? i have very long and complex passes and i have no idea what they are, TTB saves them and it knows, any new version will leave me high and dry. pointless fail upgrade?

March 10, 2013

Permalink

17.0.4 ESR has just been released. Any estimates for roll-out date of TBB w/ 17.0.4?

March 13, 2013

Permalink

Good day. I can't seem to use Google search services. Google thinks im a bot and always shows captcha every time i search. It's captcha after captcha.

How do i work around this? Is there something i need to do or not do so that this will not happen?

Here's what google says:
This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you continue to use our services.

This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests. If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible. Learn more

Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very quickly.

I disagree. Google (according to the Tor brothers) is not meaning to be killing tor traffic. So you should (according to the myth) be able to use it with TorBrowser without any undue problem (filling in a CAPTCHA every 10 minutes is not a big problem). HOWEVER, even this myth is not the case anymore, as Google doesn't even provide a CAPTCHA most of the time the tor node changes--instead it more often than not produces one of two "Google Screens of Death" without even the option of a CAPTCHA. This has been getting increasingly worse and means you have to scramble around with new identities, cleansing cookies, etc. Not good.

Intentional or not (and how can it, with all its coding armies, not be intentional) Google is effectively blocking most tor traffic after each automatic tor node change (i.e after every 10 mins or so).

Tor brothers ought to have a quiet word with Google BROTHER before this BROTHER (aka el fascisto Schmidt) quietly marginalizes all non-revenue-generating anonymous traffic for good.

Anonymous users still need to use Google over other search engines, some of the time, for the very simple reason that Google has monopolized all of our (the world's) data which other search engines just don't have access to. That's our data Google has locked up in its servers, and we still need access to it. Startpage and DDG are great (and need our support) but only up to a (very limited) point, which neither they or us can do anything about, and only Herr Schmidt can.

March 18, 2013

Permalink

I downloaded the latest TBB ( 2.3.25-5) yesterday after I saw the blinking yellow icon.

I scanned it with my various anti-virus software (Sophos, etc) and nothing came up.

To be extra safe, I then scanned it on VirusTotal and McAfee-GW-Edition provided this alert:

Heuristic.LooksLike.Win32.Suspicious.J!89

I am now unsure what to do next...

March 19, 2013

Permalink

After downloading the latest TBB, I noticed I can no longer leave comments on blog sites. Why is that?

April 06, 2013

Permalink

I can't get the latest tor bundle working with windows xp sp3 on my laptop. it won't authenticate. ISP is not blocking the connection, it just refuses to connect and run the browser. Using 2.3.25-5.

April 17, 2013

Permalink

What happen to For button allot of security options have been removed seems less secure. Is Google behind this?

May 17, 2013

Permalink

I can't get the latest version to open the firefox browser. I didn't overwrite anything, and the previous version continues to work. Go figure.

July 10, 2013

Permalink

Maybe these problems started when TOR developers started sleeping with Google?
I'm done with this tripe.
What a freaking joke.