New Tor Browser Bundles with Firefox 17.0.6esr

by erinn | May 14, 2013

There is a new Firefox 17.0.6esr out and all of the Tor Browser Bundles (stable and alpha branches) have been updated. The new stable TBBs have a lot of new and updated Firefox patches, so those of you who were experiencing crashes should no longer be seeing that behavior. Please let us know if you do by opening a ticket with details.

The stable Tor Browser Bundles are available at their normal location.

The alpha Tor Browser Bundles are available here.

Tor Browser Bundle (2.3.25-8)

  • Update Firefox to 17.0.6esr
  • Update HTTPS Everywhere to 3.2
  • Update Torbutton to 1.5.2
  • Update libpng to 1.5.15
  • Update NoScript to 2.6.6.1
  • Firefox patch changes:
    • Apply font limits to @font-face local() fonts and disable fallback
      rendering for @font-face. (closes: #8455)
    • Use Optimistic Data SOCKS handshake (improves page load performance).
      (closes: #3875)
    • Honor the Windows theme for inverse text colors (without leaking those
      colors to content). (closes: #7920)
    • Increase pipeline randomization and try harder to batch pipelined
      requests together. (closes: #8470)
    • Fix an image cache isolation domain key misusage. May fix several image
      cache related crash bugs with New Identity, exit, and certain websites.
      (closes: #8628)
  • Torbutton changes:
    • Allow session restore if the user allows disk actvity (closes: #8457)
    • Remove the Display Settings panel and associated locales (closes: #8301)
    • Fix "Transparent Torification" option. (closes: #6566)
    • Fix a hang on New Identity. (closes: #8642)
  • Build changes:
    • Fetch our source deps from an https mirror (closes: #8286)
    • Create watch scripts for syncing mirror sources and monitoring mirror
      integrity (closes: #8338)

    Tor Browser Bundle (2.4.12-alpha-2)

    • Update Firefox to 17.0.6esr
    • Update NoScript to 2.6.6.1

Comments

Please note that the comment area below has been archived.

May 14, 2013

Permalink

This release has again been built with a rather 'modern' version of GTK ... too modern for me! Shame, really. I haven't been able to use any of the TBBs since 2.3.25-2 came out. Are there any plans to do something about this?

May 14, 2013

In reply to phobos

Permalink

> Why don't you open a ticket?

I will. But first I have to figure out how to do this :-) It's probably best to suggest that future browser bundles will be built with the same GTK version that Mozilla use for their ESR releases.

I just noticed that it is impossible to open a ticket without registering first. Since I don't want to do that ... can someone who has already registered please open a ticket regarding the GTK version? Thanks!

May 16, 2013

In reply to phobos

Permalink

Multiple tickets already exist, and in fact, have existed for quite a while, for this. See 8352, 8401.

May 14, 2013

Permalink

Thank you! downloading :D

Fixed in Firefox ESR 17.0.6

MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

May 14, 2013

Permalink

Thanks to all of you for your hard work and dedication. You make the world a better place

May 14, 2013

Permalink

What about the slow UI performance of Tor Browser Bundles on Linux 32-bit systems? People will be using older versions of TBB (those built on Firefox 10) until they are fixed.

Onion sites are already encrypted from your Tor process to their Tor process, and some have said that the additional HTTPS encryption is unnecessary. However, I think it can help in some cases. If their services are on a network behind a Tor gateway, I'd be concerned that they could have an eavesdropper. Also, if you already know their certificate, that's another layer of verification in addition to their .onion.

May 15, 2013

Permalink

When updating to this new bundle (I am a Mac user) do I need to delete and replace my previous version of TorBrowser_en.US in the Applications folder? When launching from that location even after updating, I am still being notified of an available update from the home page and the 'About' screen is showing Firefox ESR 17.0.5 ("up to date" when I run update check).

I unzipped the TBB zip file, and then dragged the TorBrowser.app into my Applications. Was prompted to overwrite, which I did, and then I launched from Applications as usual - I'm now running Firefox 17.0.6 and the update notification is gone.

Basically, if you have a TBB in Applications, then yes overwrite it with the new one. I suppose you can also execute the new one outside of Applications, but keeping a new release outside Applications and an old release inside Applications sounds like a recipe for confusion!

yes, you might want to export any bookmarks you have first though: menu Bookmarks -->Show All Bookmarks. then click the star icon drop down on top of the "library" window that opens. Select Backup. Save the .json.

Then drag your Tor Browser Bundle to the trash. Replace with new one you d/led. Then restore the .JSON file the same way.

May 15, 2013

Permalink

My IP doesn't seem to change much (if at all), when I click on "Use a New Identity" and then go to the torcheck page.

I'm using the latest TorBrowserBundle in Windows 7 64bit.

May 16, 2013

Permalink

The TorButton has never worked for me in the past (left and right clicks did nothing), and I always deleted the entire Tor Browser folder before installing the new one. But now with the latest version, the TorButton is functional - but here's the catch: I'm unable to move it from the Navigation Toolbar! :(

May 16, 2013

Permalink

Hi
tor does not work anymore in iran from weeks ago..
even all bridges or ....
even changing every tweaks and tricks are no use..
If u have a way u should release a special version for Iran... plz..
tks

May 16, 2013

Permalink

tor has stopped working in Iran from months ago..

all bridges and other tor software no more working..

we tried all tricks and tweaks no use..
if u have any way plz release a special version for Iran so that al can use it easily.. plz.....
we need it ..even psiphon 3 and freegate doesnot work..
by psiphon we can connect to youtube but after two minutes it disconnects..
all socks and vpn and port 443 are no more able to open youtube.. even by adding https to youtube the site can be open but can't play videos..

please help Iranian
tks
mah_deh@yahoo.com

May 16, 2013

Permalink

Forgive me if I sound like an idiot, but to update to the latest Tor Browser do you just delete the folder titled "Tor Browser" and download this file, then follow the same procedures as before (extracting, etc.)?

I suggest renaming the outdated "Tor Browser" folder to "Old Tor Browser" or something like that before extracting the new Tor Browser. This way, if there are any unforeseen problems with the new Tor Browser, you can go back to the outdated version without losing bookmarks and extensions.

May 17, 2013

Permalink

Hi,
I downloaded the new version but doesn't connect , while the other version works normally

May 17, 2013

Permalink

i have a new problem with tor bundle browser, after clicking start tor browser the vidalia control panel starts and within a second it connected with tor network but tor's modified firefox browser did not open. if i mannually starts tbb-firefox it shows unable to connet network,proxy settings changed.even installing new one the behaviour not changed. Can you please answer the reasons?

May 17, 2013

Permalink

Are the default values of the Tor Firefox Browser different than what they are for the non-Tor Firefox Browser? For example, according to the MozillaZine website, the default value of "network. http. keep-alive. timeout" is 300 seconds, but the Tor Firefox Browser indicates in "about:config" the default value is 20.

May 17, 2013

Permalink

Hey man
HELP IRANIAN USER
THERE IS NO WAY HERE LEFT CONNECTING TOR
even obfs can't connect
even with new bridge
plz show new trick
WHat are u waiting for?

May 17, 2013

Permalink

I have been using TOR for a while now with no issues.So I downloaded and installed new one
for Windows (I am running Windows 7 64bit). I deleted my old install of the Tor Bundle before installing the new one.

I clicked on the Start TOR Browser.exe as usual and the Vidalia Control panel launches, the status says it connected to the TOR network, but the Browser never launches.
i installed previous one but same problem persists.
I tried reinstalling it and the same thing keeps happening. Any ideas?

May 19, 2013

Permalink

Thanks!

The only bad thing that happened to me with this release is that the RequestPolicy extension -- https://www.requestpolicy.com -- now makes the browser crash. I don't know if that happens in Firefox 17.0.6esr (neither did I contact the extension's developer yet). Could anyone confirm that?

May 21, 2013

Permalink

Thanks again for continued updates! Is it possible to post the MD5 for quick verification rather than using gnu sigs?

To verify the file containing the SHA256 sums:

1.) Download the following two files from
https://people.torproject.org/~erinn/qa/stable/2.3.25-8/

- sha256sums-2.3.25-8.txt
- sha256sums-2.3.25-8.txt.asc

2.) Follow the instructions for verifying TBB ( https://decvnxytmk.oedi.net/docs/verifying-signatures.html.en ), replacing the TBB file with the sha256sums file:

gpg --verify sha256sums-2.3.25-8.txt.asc

BTW, why do the Tor Project signature files not end in .gpg as the Debian, Ubuntu and (apparently most others) do?

May 23, 2013

Permalink

According to the Tor FAQ, Google search engine is just fine with TorBrowser. The reality is somewhat different. Every 10 mins or so Tor changes nodes to create a new identity and, if you are using Google, it is meant to provide you with a simple CAPTCHA page to go on. However, most of the time it does not and instead produces one of two dreaded "Google Screens of Death" with no CAPTCHA option at all. This has been increasingly the case of late to the point where now most new Google sessions in Tor are effectively being barred. Creating a fresh new identity and deleting all Google's cookies doesn't help much either (and causes other problems in itself).

It seems Google is quietly suppressing Tor/anonymous traffic--which doesn't exactly fit into their revenue model--while maintaining that they are not anti-tor because they (sometimes) provide a simple CAPTCHA. Well, actions speak loudest, and Google is definitely blocking most Tor sessions now.

And before people start recommending Startpage/DDG, they are all well and good but only up to a point. Google has monopolized most of the world's data which these small companies do not have access too. That is our (the world's) data Google is hoarding and we need access to it.

This is an issue you guys really need to take up with Google before they've quietly suppressed most of the anonymous traffic. Yet I see absolutely no discussion of this issue on the blog besides the misleading information mentioned above.

While Startpage "scrapes" from Google, the results often differ from those obtained from Google directly. And it is not uncommon, alas, for the latter to be absolutely necessary.

  1. Yes. Google doesn't play nice with TorBrowser.
  2. Yes. Google makes money from displaying directed ads based on identifying a users search terms and search history, and if Google allows anonymous usage the value of an advertisers dollar decreases.
  3. Yes. Google is hoarding our shared knowledge and thoughts.

Conclusion: Google IS EVIL.

What to do?
Vote with your feet: use Startpage/DuckDuckGo.
In time (I hope) their search results may improve.

I fully agree. However, in the meantime (while access is still needed to a good deal of that Google hoard), the resistance still needs to press Google hard for continued (and much improved) anonymous/Tor access to it, in addition to supporting the alternatives whenever we can.

It would also be a good idea to directly test Tor against Google in a systematic way, and to update the Tor FAQ accordingly (i.e. to establish a successful:unsuccessful Tor sessions ratio to determine how the average success rate is changing over time, and then to use this as ammunition to throw at Google when they inevitably come up with their disingenuous, half-baked counter claim).

DON'T (admit to) BE(ing) EVIL.

I've been trying all day to search on Google and almost every single request (out of dozens) is being blocked with the "Google sorry" screen (no CAPTCHA in sight). The page just says "We're sorry... but your computer or network may be sending automated queries (NOT!!) To protect our users, we can't process your request right now. See Google Help for more information. © 2009 Google - Google Home". Absolutely no CAPTCHA. Same's been true last few days. Looks like Google has definitely clamped down very recently and is locking up all its stolen treasure.

Another important point that people seem to have overlooked is that if people know they can't use Tor with Google then an awful lot of people will not bother using Tor at all. The whole point of Tor is for as many people to adopt it as possible, i.e. this is a significant marketing blow for Tor.

I've noticed Google seems to be very sensitive to pressing the Enter button with tor (it actually asks you to do this with its "instant suggestions"). If you just let it produce searches without pressing enter it often comes up with a captcha, wheras pressing Enter almost always gets the Google Sorry page with no captcha. Pretty weird. It does seem to have got worse recently though. Never used to be this bad.

May 24, 2013

Permalink

How do you torify applications that give you a proxy option to set an IP address and a port now that Polipo has been removed?

I used to put
127.0.0.0 8118

in the applications config

but now I don't know what the heck to put there.

If I open up advanced/network settings, I do not see anything for TBB http config, only a socks port.

So what do I put in the apps proxy config now?
i.e. filezilla, a/v update via proxy

Thanks

If you're using the Vidalia package, then I think every port passes through Tor. So I think you'd set your proxy to no proxy (delete any proxy settings).
However I use TBB, and as Vidalia starts up, my software firewall alerts shows many communications through many ports, including IMAP. This implies that even the TBB 'torifies' all ports.
But I'm not sure about this.

May 25, 2013

Permalink

First time user and lets say it works out of the box so far !

Though has problems To start with I do have installed version of firefox and was concerned about this and firefox settings or other from this upsetting the system this I haven't checked so far.

I unpacked to c:\program files\ on winxp sp3 os as is made a shortcut for Start Tor Browser to the desktop so can start it easy. The rest is to now...

Though I do never use tabs and have never been able to get along using them with firefox. I have used the setting and unselected all tab setting boxes yet after Tor close and restart tabs are back !! Why ! Meanwhile the tab settings are all unselected though why starts with tabs. Maybe another restart is needed ?

Second issue before closing I did select to look at https everywhere and decided not to while page was loading. So then after restart why did https everywhere page load. This is not something I'm sure should not happen as privacy=privacy no page load on start unless is the start page. No cache I have checked is zero which is best for any browser, so unknown why it did this maybe though it had crashed but it hadn't

Ok so it is alpha but the version tor-browser-2.3.25-8_en-US is so far behind this version it is a joke why don't you make more releases so we don't have to resort to using alpha versions that contain bugs. Security alone means I need to use latest version. Heck knows what security holes are with and since tor-browser-2.3.25-8_en-US

Am I happy not with tabs, alpha version and page load where should never happen

Start page is Startpage if need to know. Everything is as installed nothing has been changed except tab settings for tor-browser-2.4.12-alpha-2_en-US

Excuse transmitting feedback here as you make it difficult to do so by any other means. Email=no | irc=no i don't | register to bug=never have anywhere or likely to make it available for everyone to post with registration I will post there.

Or use a web form that is easy to find to give feedback. Though you actually need to read the webform. This not to have people who scan webform without reading and relay poorly to you or robot to doing similar

So far everything looks ok not sure about https everywhere if that is intelligent so to add https everysite for every web site. Maybe that is how it works I don't know I did read the page but didn't see quick about to say this. Though it seems vastly slow to even the slowest internet. I realize bouncing around relays maybe you can speed it up. Also would like to choose country such as when download you need to have an ip for that country. Maybe with country chosen the relays stay for that country so speed up the connection vastly which it need to do

Please pass this on to developers if you are not directly connected to tor development. Or post this to bugs and feedback where necessary

May 25, 2013

Permalink

reading the above for google it is not the https that google complains for it is more likely it has problem with ip address or tor is seen as a problem maybe a certificate or similar issue

This is known because firefox itself for a while now makes sure all google https is used

As google no matter how big has the most information it is needed for any browser to use it. Tor would then need to add certificate that is needed as firefox has for it to work. Or is it some setting that google dislikes, totally no cookie allowed or similar ?

I'm almost certain that there are many Tor users. For that reason, Google often sees too many searches from exit node IPs.
But Google should ignore the massive searching, because Google should also see the header that tells that the IP is Tor.

This makes me think that person running the exit node must:
Run the exit node on another IP than their own browsing IP.
Or accept that they won't browse using Google.
But I'm not sure about this.

"I'm almost certain that there are many Tor users."

But that many still makes-up only a tiny fraction of total Internet users, doesn't it?

With the recent revelation that the U.S. NSA has been sweeping information from 9 major ISPs for the last 7 years on U.S. citizens and foreign nationals alike, maybe the use of Tor will increase. Provided Tor actually works regarding state security agencies. If it doesn't, state security agencies aren't likely to make that knowledge public, are they? Can you say, "honey pot"?

Unless I'm missing something, any major ISP could fairly trivially unmask its users who run Tor simply by operating enough exit nodes (and I'm not even sure it would take that much).

Call me paranoid but I think you'd have to be pretty naive not to think it highly likely that ISPs are doing this at the behest of TLAs.

And besides this, the original comment about Google (several comments above) is pointing out that Google, whatever the case, should just present its simple CAPTCHA screen, but instead terminally blocks the tor session by presenting a "Google Screen of Death" which doesn't even provide the option of entering a CAPTCHA code. It's clear Google just doesn't want Tor/anonymous traffic, which no doubt is upsetting the "shareholder interest". Why don't they just admit it and come clean . . .

May 27, 2013

Permalink

Tor Browser Bundle (2.4.12-alpha-2)

Crashes before it loads

Problem signature:
Problem Event Name: APPCRASH
Application Name: tor.exe
Application Version: 0.0.0.0
Application Timestamp: 5177f094
Fault Module Name: tor.exe
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 5177f094
Exception Code: 40000015
Exception Offset: 00064e01
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 887a
Additional Information 2: 887aa873844d1dd3f3e0257c981e4448
Additional Information 3: 0794
Additional Information 4: 0794aa118029c056c38da9365d5d92be

May 30, 2013

Permalink

Recently, Tor does not work in Iran due to government attempts on blocking the internet.
It's a real shame we, Iranians, can't find a way to connect the world wide web freely.I hope you find a way to solve this problem. :)

May 30, 2013

Permalink

Tor Project urges use of HTTPS/SSL but fact is that vast majority of WWW sites are regular HTTP.

Doesn't every current and potential user of Tor need to have some idea of how safe Tor can be considered for at least merely *viewing* non-SSL sites?

This is not at all clear to me from either the "Warning" at [geshifilter-code]https://decvnxytmk.oedi.net/download/download-easy.html.en#warning[/gesh…], the Overview at [geshifilter-code]https://decvnxytmk.oedi.net/about/overview.html.en[/geshifilter-code] or anywhere else in the documentation.

Specifically, how great are each of the following potential threats from exit node operators:

  • Subtle, not readily apparent tampering of content on pages
  • E.g., an article with critical details changed.

  • Malicious code injected into a page that appears indistuingishable from a trusted, familiar one
  • While this risk can be greatly reduced by disabling JavaScript, doing so presents its own set of problems. These include greatly reduced functionality and possible increased risk of profiling. A good intro/overview to this topic might be a recent thread in the Tails forum:
    [geshifilter-code]https://tails.boum.org/forum/JavaScript_and_NoScript/[/geshifilter-code]

  • Increased risk of profiling/ correlation by one or more exit node operators?
  • Could the far more specific, detailed traffic that is so easily sniffed over unencrypted HTTP provide an otherwise missing piece of the puzzle that could prove critical?

How concerned should the typical or average Tor user be over each of these potential threats?

An official response from the Tor devs to these questions would be most welcome and appreciated.

Thank for all you do to make Tor a reality.

May 31, 2013

Permalink

WHY is Prefetching not disabled in the Tor Brower? While I can see that the Tor developers have disabled DOM storage and GEO location, why did they leave prefetchig enabled? This is a huge security flaw!

"Firefox has a feature called Prefetching that downloads pages (in the background) that it thinks you are going to click on in the future. This is a serious security flaw since in order to make this guess it’s saving lots of information of your previously visited sites."

Please, people who use Tor, follow the instructions below in order to protect yourself, by turning prefetching off (until the tor devs realize their huge mistake and make the new TBB with the function off):

Type: about:config into the address bar of Firefox and press enter.
Agree to the warning about making changes to the system.
Type: network.prefetch-next into the search bar
Right click on the option and select Toggle to change the setting to False.

Assuming that's true, it seems to me that prefetching would add more network load to the Tor network.

And what if prefetching uses different Tor circuits? Would that be a way to connect different circuits to an individual user?

I have also wondered about this.

Checking now, I see that not only is network.prefetch-next set to true but also network.dns.disablePrefetch is as well.

When was the latter changed? I recall it being set to to true. Or was that (only) in Tails?

May 31, 2013

Permalink

Has anyone seen anything relating to whitelisted domains not saving between sessions of the windows install of this version of TBB?

I have to re-add sites to the cookie whitelist every time I open the TBB.

June 03, 2013

Permalink

To the Tor developers: Is it really true that disabling javascript in tor browser puts you at risk for profiling and can in that way be riskier than the risk which comes from javascript running bad scripts and revealing your true identity???

Just an anon here...

Start w/ this:
https://tails.boum.org/forum/JavaScript_and_NoScript/

Which threat is greater would depend upon individual use case: Who your adversaries are, the type of sites you visit, etc.

Note that the risk of profiling is greatest when JavaScript is enabled *selectively* for certain sites but not others. The rule seems to be: either block all or allow all.

June 03, 2013

Permalink

I always get this error when I start Tor browser for the first time: "Your Computer's Clock is Potentially Incorrect - Tor has determined that your computer's clock may be set to seconds in the future compared to the source..... If your clock is not correct, Tor will not be able to function. Please verify your computer displays the correct time." Does this mean that Tor isn't working correctly and I shouldn't use it?

June 07, 2013

Permalink

im using the latest tbb. a multi-lingual forum doest not display correct on windows version of tbb but displays correct on linux version of tbb.
on windows tbb the character encoding is set to "unicode utf-8" but reverts back to "western iso-8859-1" on every refresh or click.
how do i force windows tbb to use "unicode utf-8"?
ive asked support@mozilla but no solution.

June 10, 2013

Permalink

We are all (or should be) Tor users now. I like the browser in the TBB; it's just like iceweasel. I would like to make it my default browser. How can (should?) this be done? I have lots of applications that pop open URLs in the default browser, but there doesn't appear to be a way to pass a command-line parameter such as a link to display into the start-tor-browser script. Is there any other way to open a new tab in the Tor Browser?

June 13, 2013

Permalink

I have tor and am running it...I think...when checking IP-Check I still see the same IP address and my current location...How do I fix this?

You will always get your real IP address when running those tools within your own network, Your intelligent router or OS's has figured out that you are asking from within.
This is the basic explanation, you can search the net if you want more detailed info on this.

June 22, 2013

Permalink

I'd like to use my old mac mini power pc G4 running osx 10.5.8 as a tor relay. I can add a solid state 32GB disc to it if needed ( preferred) However, I cannot load Tor ( 32 bit version)

Normally that mini runs 10.4.8 - but with some effort I was able to convert one partioned part of the main disc to 10.5.8 as an alternate startup.

Any suggestions ??