Tor Browser 3.6-beta-2 is released
The Tor Browser Team is proud to announce the second beta in the 3.6 series. Packages are available from the Tor Browser Project page and also from our distribution directory.
This release is an important security update over 3.6-beta-1. This release updates OpenSSL to version 1.0.1g, to address potential client-side vectors for CVE-2014-0160.
The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.
This beta also features a Turkish language bundle, experimental Javascript hardening options, fixes for pluggable transport issues, and a fix for improper update notification while extracting the bundle over an already existing copy.
Here is the complete changelog since 3.6-beta-1:
- All Platforms
- Update OpenSSL to 1.0.1g
- Bug 9010: Add Turkish language support.
- Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
- Update fte transport to 0.2.12
- Update NoScript to 2.6.8.19
- Update Torbutton to 1.6.8.1
- Update Tor Launcher to 0.2.5.3
- Bug 9665: Localize Tor's unreachable bridges bootstrap error
- Backport Pending Tor Patches:
- Linux:
- Windows:
- Bug 11286: Fix fte transport launch error
A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.
Comments
Please note that the comment area below has been archived.
I thought the 3.5-4 release
I thought the 3.5-4 release had openssl fixed.
TBB 3.5.4 does indeed have a
TBB 3.5.4 does indeed have a fixed openssl. (3.5.3 did not.)
TBB 3.6-beta-2 also has a fixed openssl. (3.6-beta-1 did not.)
The NSA has exploited
The NSA has exploited Heartbleed bug for years, Bloomberg reports.
Do you still believe in TOR!?
I'm assuming that particular
I'm assuming that particular article is nonsense until somebody shows up with some actual details. I guess it's hot to point at NSA conspiracies these days. But doing it in this case undermines the *actual* NSA conspiracies that we should indeed be upset about.
And yes, pretty much no matter how this particular story goes, you'll still be happier that you used Tor than that you didn't, over the past years. The Internet is a rough place without something like Tor.
what a coincidence, these
what a coincidence, these "reliable sources" just reveal this astonishing information after the heartbleed bug was well known.
Plus, the snowden papers refer to TOR and the NSA try to break it, it also refers to how the NSA have its hands on a lot of ssl certificates, but it doesn't tell a word about the heartbleed bug so far.
Bloomberg is just exploiting the situation to make some buzz in my opinion.
Downloaded, installed and
Downloaded, installed and running on Win 8.1 Pro. 32bit. No problems so far. Thanks for the update!
TBB hangs on 'loading relay
TBB hangs on 'loading relay information'. I have to close TBB and restart it 3 or more times before TBB will connect. I am using PT-obfs 3. Maybe all the obfs 3 bridge relays are busy?
TBB continues to hang on
TBB continues to hang on 'loading relay information'. Eventually connects after several exits and restarts.
Thanks for the rapid update
Thanks for the rapid update to 3.6-beta releases!
There used to be an annoying gap between normal releases and PT bundles.
Newbie question maybe, but I
Newbie question maybe, but I now have Norton Hotspot Privacy VPN. Since I use Tor Browser are there still benefits to using the Norton VPN?
without know the product in
without know the product in question i would say, in general , commercial VPN sw and services are USELESS for maintaining your anonymity.
They work for circumventing DNS/IP range blocking and thats about it.
VPNs can also be useful for
VPNs can also be useful for protecting against eavesdroppers on public/untrusted networks, such as public WiFi.
(But remember that the VPN sees all your traffic. And if you think they won't hand over all they know about you under any pressure...)
If I use vpn then I use Tor
If I use vpn then I use Tor , can vpn see my traffic
I would use just Tor
I would use just Tor Browser. Norton have worked with the NSA and there is a chance their VPN service could log all your activity.
but I now have Norton
but I now have Norton Hotspot Privacy VPN.
Ditch Norton products. Symantec/Norton is a close partner of NSA. Have you heard of Edward Snowden, NSA's whistleblower?
You are wasting your money.
Yup. Didn't know Norton
Yup. Didn't know Norton connexion though. Thanks for pointing it out. What about Hidemyass for anonymous browsing? And Hushmail for email? They were mentioned in Coke Stryker's book, 'Hacking the Future".
Hidemyass is famous for
Hidemyass is famous for turning over some kid who was maybe part of Anonymous. And when he confronted them, the conversation went something like "well, what did you expect, you did something a government didn't like" "but you're named hide my ass!"
Hushmail on the other hand is famous for turning over the mailboxes of its users to various law enforcement groups, despite claims that they technically can't do it. See e.g. https://vbdvexcmqi.oedi.net/blog/trip-report-october-fbi-conference
The lesson here is that all of these centralized for-profit companies that claim privacy are still in fact still centralized. It's privacy by promise, not privacy by design:
https://svn.torproject.org/svn/projects/articles/circumvention-features…
"Hidemyass is famous for
"Hidemyass is famous for turning over..."
"Hushmail on the other hand is famous for turning over.."
Perhaps you meant to write, 'infamous'?
Thank you for the advice.
Thank you for the advice. Norton subscription cancelled.
how to create windows
how to create windows shortcut for new
identity
Where can I find Vidalia's
Where can I find Vidalia's Network settings page in this version? Thank you.
https://decvnxytmk.oedi.net/do
https://decvnxytmk.oedi.net/docs/faq#WhereDidVidaliaGo
This method is not
This method is not work-----Linux ubuntu 12.04
Dates of certificate
Dates of certificate issuing:
vbdvexcmqi.oedi.net (05:CA:*): 2014-04-09
*.torproject.org (09:48:*): 2013-10-22
Are you planning to get a new cert for the latter?
Today is the first time I
Today is the first time I noticed these torproject certs.
*.torproject.org —
SHA1:
84:24:56:56:8E:D7:90:43:47:AA:89:AB:77:7D:A4:94:3B:A1:A7:D5
Serial Number:
09:48:B1:A9:3B:25:1D:0D:B1:05:10:59:E2:C2:68:0A
Issued: 10/22/2013 Exp.: 05/03/2016
vbdvexcmqi.oedi.net vbdvexcmqi.oedi.net — SHA1:
DE:20:3D:46:FD:C3:68:EB:BA:40:56:39:F5:FA:FD:F5:4E:3A:1F:83
Serial Number:
05:CA:2A:A9:A5:D6:ED:44:C7:2D:88:1A:18:B0:E7:DC
Issued: 04/08/2014 Exp.: 06/14/2017
If the one for *.torproject.org was issued back in October, why it is first being used now?
Below are the certs I had been seeing prior to today. What happened to them?
*.torproject.org
SHA1:
1F:9D:30:6E:8B:FC:CF:CB:03:98:1A:71:A2:7A:9F:5D:1E:08:76:CE
vbdvexcmqi.oedi.net vbdvexcmqi.oedi.net
SHA1:
0E:09:14:64:17:CD:7E:7A:4A:CA:98:C1:8E:92:C2:59:66:85:8D:BA
I asked Andrew, and
I asked Andrew, and apparently we rekeyed the cert in place. Who knew such a thing could be done?
Before fixing the openssl,
Before fixing the openssl, what is bad made to tor user?
https://vbdvexcmqi.oedi.net/b
https://vbdvexcmqi.oedi.net/blog/openssl-bug-cve-2014-0160
Is something going on with
Is something going on with the tor network? Connecting with the normal bundle is difficult and using obs3 in the beta is slow.
yes, obfs3 is very slow.
yes, obfs3 is very slow.
The speed of obfs3 depends a
The speed of obfs3 depends a lot on the speed of the bridge you're using.
obfs2 and obfs3 shouldn't be any slower than normal Tor, if the underlying bridges / relays are the same speed.
Maybe you should spin up your own obfs3 bridge, e.g. on Amazon cloud or some VPS somewhere, and route through it?
Any comment about the
Any comment about the connections to IP 213.163.64.74 immediately after startup ?
That looks like one of the
That looks like one of the 5000+ Tor relays.
I assume you started your Tor, it picked some guards, and now when you start your Tor again it makes some circuits for you, so they will be ready when you try to use them, and one of those circuits was to that guard.
https://decvnxytmk.oedi.net/docs/faq#EntryGuards
So in short, "totally normal, and I encourage you to learn how Tor works".
I love how OpenSSL put the
I love how OpenSSL put the whole world in grave danger out of sheer incompetence and no one dared say anything to them.
Welcome to today's Internet.
Welcome to today's Internet.
I have the old version of
I have the old version of TOR running. Can I drop in a 0.9 version of OpenSSL?
The old version? How old? It
The old version? How old? It probably has other major security problems.
how do you update this so
how do you update this so called update erases all existing settings and addons
Yeah, it's not really an
Yeah, it's not really an update so much as an updated version.
See e.g. https://tor.stackexchange.com/questions/318/how-do-i-keep-my-tor-browse… for details.
Were Tor Browser for Mac OSX
Were Tor Browser for Mac OSX also vulnerable? It read that Mac OS X still used Openssl 0.98.
I think the TBB on OSX used
I think the TBB on OSX used a newer openssl, so we could take advantage of the better security from the new ciphers.
So, yes, TBB on OSX was also vulnerable.
Could not connect to news
Could not connect to news media and vbdvexcmqi.oedi.net over
exit node bandito 1AAB39E97C7E4CFCA585265D17A03F8D3390D841
Other exit node right after that no problem.
Today does not work
Today does not work
Offtopic: Tor 0.2.4.20 does
Offtopic: Tor 0.2.4.20 does not starts on Windows 2000. Where can I get older version of Tor?
Seriously, Windows 2000?
Seriously, Windows 2000? Isn't that, like, unsupported for a long time now?
I think Tor should work there, but I think Firefox (and thus Tor Browser) won't.
If the Tor binary doesn't work, you should file tickets about what goes wrong, and help us fix it. Going to an older version is likely a poor idea -- check out the changelog of things we've fixed recently.
There something wrong tor
There something wrong tor doesn't connect
It looks like 'torrc' ini
It looks like 'torrc' ini file is deprecated.
Where do settings such as limiting exit nodes by country, specifying bridges etc. go now?
thanks
https://decvnxytmk.oedi.net/do
https://decvnxytmk.oedi.net/docs/faq#torrc
the beta works fine so far
the beta works fine so far
Awesome! Congrats :) Is this
Awesome! Congrats :) Is this version going to keep my local settings when I updated it to the next one (first time I'm using beta)? Thanks!
Not yet,
Not yet, alas.
https://tor.stackexchange.com/questions/318/how-do-i-keep-my-tor-browse…
The bug #9387 changes
The bug #9387 changes ("Disable JS JIT, type inference, asmjs, and ion. ") seem to involve turning off everything which is intended to make JavaScript fast.
Has there been any systematic attempt to evaluate what effect this may have on performance?
Has there, for that matter, been any systematic attempt to evaluate what additional security benefit this brings, e.g. what proportion of past Firefox vulnerabilities would users have been protected against if each of these features were disabled?
While your suggestion of
While your suggestion of going thru past issues may sound systematic and smart, the low hanging fruit for bad guys is using already disclosed -- but unfixed -- vulnerabilities. So the past is somewhat irrelevant.
Regarding speed....well that's one of the benefits of having a beta to evaluate.
I entered about:config and
I entered about:config and typed "www" or ".com" or ".org" and then there are 50 built in urls that can potentially leak information. Why are they in there?
I Remove most of them in
I Remove most of them in about:config by either deleting or changing the URL. I suggest all google links are removed as those bastards are monitoring everything on the net.
what does the "experimental
what does the "experimental Javascript hardening options" do exactly?
SENDS HARD-CODED ID TO THE
SENDS HARD-CODED ID TO THE NSA.
Thank you Mr Troll for
Thank you Mr Troll for wasting our time.
(Or alternatively, please file a ticket if you find an issue.)
Not bad not bad. I see a lot
Not bad not bad. I see a lot of bitching and moaning ^ but also a lot of valid points which I wont point out to you again.
People moaning about speed - Learn how Tor works
People moaning about losing addons and bookmarks after updating - What do you expect?
Keep up the good work Tor. Much love.
I'm connecting thru VPN,
I'm connecting thru VPN, when I first launch the TBB should I click "connect" or "configure"?
Tor is not working at all on
Tor is not working at all on Win 8.1 for me now . . . it worked fine before
This blog probably won't
This blog probably won't help you move forward with your problem. Try the help desk or the stackexchange forum.
https://decvnxytmk.oedi.net/about/contact
https://tor.stackexchange.com/