Tor Browser 4.0 is released

Thanks. Tor was bust for

Thanks. Tor was bust for ages. Tried everything nothing worked. Until I shut down Rapport. Excellent thanks.

Do you have trusteer ? Shut

Do you have trusteer ? Shut it down and try running TOR was perplexed myself but it worked as soon as Trusteer was shutdown.

N o the Gov. got involved...

N o the Gov. got involved... Tor 4.0 firefox is broken...

My download is not corrupted

My download is not corrupted , it is just incomplete..! My download has firefox deactivated! It is not working. period...1

Same fault with two

Same fault with two downloads of TOR 4 (one to Win 7 64-bit; one to Win 7 32-bit).

Both machines had previously downloaded several upgrades of TOR up to and including 3.6.6 and all had worked without problems. What has changed in the TOR process?

Installed fine for me except for a problem with unpacking in a Truecrypt volume. The unpacking refuses to create a symiink for the starter. The Browser folder unpacks just fine however and the starter is located in it.
Thanks for your work! I just donated.

Thanks!

awesome! thanks a lot for

awesome! thanks a lot for your endless effort.
Can you please answer my question? isn't it negative to my anonymity if google and amazon know that I'm using tor, know my real ip, my first hop, and my second hop? doesn't it make it much easier to deanonmize me my the -you-know-who agency my merely requesting this data from google and amazon with a single letter to the latter? all what's left is finding out my exit node (third hop) which is pretty easy since they know all my previous hops?

Not sure I follow here but

Not sure I follow here but if they already know your real IP the game is over. I don't know either why you think they already know your first and your second hop. That should not be the case. And knowing that you use Tor is not singling you out with respect to Google and Amazon given that there are a lot of Tor users using these services.

as i understand meek

as i understand meek connects to google/amazon/microsoft and so using meek-google and meek-amazon and meek-azure doesn't it make it obvious to google and amazon and microsoft that I'm using tor? and if so, they know my real ip, and since they're my first hop they know my second hop (isn't the connection to the second hop reouted thru their services?) and if I'm logged in to one of their services (from a different browser but same ip) for example to gmail, amazon, or hotmail they know my real identity and much more. isn't that denaonymizing?

Amazon/Azure/Google only

Amazon/Azure/Google only know your first hop, not your second hop. Amazon/Azure/Google are not your first Tor hop; they are something you pass through on the way to your first Tor hop. Check this comment on a previous blog post and the graphic in the meek overview.

There's a proposal to, in the future, use four hops for circuits that use a bridge, so there are three client-chosen hops after the first bridge hop.

You are right that the situation is worse when you are using meek and you are also browsing Amazon/Azure/Google. Then Amazon/Azure/Google sees both your entry and your exit traffic, and they can try to do timing correlation in order to deanonymize you. (But keep in mind that the same problem exists when you are using an ordinary bridge that is running on e.g. Amazon EC2.)

Most of the people who are

Most of the people who are going to need meek aren't going to be very worried about those services finding out who they are.

Afaik meek actually uses "4

Afaik meek actually uses "4 hops", the first one being google/amazon/... and the rest being Tor relays.

tor is growing strongly. we

tor is growing strongly. we just to need how strong adversaries hunt specific users

Thanks Tor.

Meek-azure/amazon works in mainland China, but azuer bridge is so slow that it takes about 6 minutes to connect Tor network.

Thank you for trying it.

Thank you for trying it. Here are tickets we're working on that will make meek faster.

#12428 Make it possible to have multiple requests and responses in flight
#12778 Put meek HTTP headers on a diet
#12857 Use streaming downloads

How to change the tabs style

How to change the tabs style to the classic? I would like the classic style of tabs. How to change it in new Tor Browser 4.0?

It's probably safe to

It's probably safe to install classic theme restorer to fix the defective Chrome like so called user interface.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

Has anyone audited that

Has anyone audited that addon for security vulnerabilities or fingerprinting? Because "probably safe" doesn't really help users who depend on tor and doesn't come off as well informed about the issue.

Hey i have so big problem:

Hey i have so big problem: ssl_error_no_cypher_overlap
How can i fix this?

in about:config set

in about:config set security.tls.version.min to 0. BUT: be aware this is not recommended due to the recent attack on SSLv3: https://vbdvexcmqi.oedi.net/blog/new-sslv3-attack-found-disable-sslv3-t…

How to disable Australis

How to disable Australis (hate this thing)?
Is it safe to install the theme classic theme restorer?

One thing Classic Theme

One thing Classic Theme Restorer did for me was it changed the window height by one pixel. Tiny thing, but still identifying information... I got around it by adding the setting "extensions.torbutton.window.innerHeight" (integer) and setting it to 901. There could be other problems too, of course.

It should be, classic theme

It should be, classic theme restorer is unlikely to add anything new that could be exploitable though if you don't disable javascript it might add a new exploit path.

It may if you've got javascript enabled make you easier to fingerprint compared to those who suffer through ChromeFox.

Just wanted to add that

Just wanted to add that getting back the add-ons bar is not merely a cosmetic concern.

For example, add-on bar visibility is needed for TBB users to be able to use the CipherFox extension which provides, by default, UI-visible information about the ciphers/CAs in use on a tab.

Try "The Addon Bar

Try "The Addon Bar (Restored)" v 3.2. It's a Firefox add-on.

As for putting tabs back on the bottom where they belong :-) try this:

(1) Select Help->Troubleshooting Information
(2) For Profile Folder: push the [Show Folder] button
(3) Navigate into the chrome folder. If it is not already there, create a subdirectory called chrome and navigate into it.
(4) Edit or create the userChrome.css. Make sure these lines are in the file and save it.

@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */

#TabsToolbar{-moz-box-ordinal-group:10000!important}

(5) Close all Firefox windows and dialogs and restart Firefox.

The above is from: http://forums.mozillazine.org/viewtopic.php?f=38&t=2825513

Very exciting!

Very exciting! Thanks.

Regarding the following point:

"While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy."

Can't we retain this feature by changing the settings in NoScript? I have re-enabled the cascading scripts by going into NoScript's Settings>Advanced>Trusted and un-checking "Cascade top documents permissions".

Does this not achieve the same thing without the need for installing a new add-on?

To explain, I favor this cascading, as it means I can allow the page to work while blocking the (often extensive) tracking scripts that would otherwise load with it.

I agree completely! Such as

I agree completely! Such as Google Analytics can be blocked with NoScript while allowing site specific script to run.

GTK: Could you please give you input on this good question? Thanks so much

Your suggested use case was

Your suggested use case was exactly what this change was supposed to make impossible; by allowing some scripts and not others you make yourself easily fingerprintable. Sites can detect when some of the javascript is running but not all of it, and your particular selection may actually be unique to you.

So what to do about GA and

So what to do about GA and other things I would never let run?

This isn't a good solution. All or nothing is not really ever a good thing to offer, there should always be some fined grained control.

I for one will be using sub-scripts.

I realize Tor thinks it's helping users, but with nearly every new "feature" TB becomes less usable. Like the bullhshit about removing the NEWNYM feature and forcing using to trash an entire session just to get a new IP, even if they don't care about linking sessions... (I don't like how Tor forces me into some decisions)

Over the next few weeks I'm going to write a script to do those things Tor Project has refused to allow us to do. Usability has to be important...

We're pushed into a lot of

We're pushed into a lot of the design decisions based on changes in Firefox. Tor Browser development is largely about triaging to make sure we get rid of all the really bad new things in each Firefox. And Tor Browser has very few developers compared to all the things that need to be done. Please help!

this made me laugh out

this made me laugh out loud.. "all the really bad new things in each Firefox" ..but it's so true.

roger, if it were up to me, you'd be running mozilla and it would only ship the tor browser bundle, for everyone, by default....and mozilla would actually be financially independent to make decisions to benefit users and devs instead of perpetuating the schizophrenia of claiming to be pro-privacy while constantly, if subtly, giving users up to Google and other advertisers on issue after issue.

hear hear!

arm -i bang keyboard then

arm -i
bang keyboard then press enter
press "N"

There, new IP without trashing browser session or preventing javascript from knowing it's really the same session with a different exit node.

Oh yea, see what I wrote in

Oh yea, see what I wrote in this sub-topic:
I.e. all the NoScript allowed scripts are only temporary, for that time-frame at the web site (or page). Not using white-list.

It seems unlikely to be only

It seems unlikely to be only me considering the OP is a different person and I use it the same way.

Me again: When allowing site

Me again:

When allowing site specific scripts to run as the OP suggests, I only use "temporarily allow" so there is no whitelist...

In

In https://decvnxytmk.oedi.net/about/contact.html.en you never mentioned which key should be used for encryption :)

I'm wondering too which key

I'm wondering too which key to use.

Right -- doing a group

Right -- doing a group encryption key is no fun in terms of usability.

You could mail us individually. But we might not answer, since we're flooded with people mailing us individually already.

Finding us on irc might be the best answer, but that's not so good in terms of usability for you.

Basically we need a more thorough support team, and currently we don't have the resources or people to do that well. Please help!

How to run Tor Browser

How to run Tor Browser without Tor?

First off, I have to wonder:

First off, I have to wonder: why?

If you really want to do it for some reason, you might try to check the Whonix documentation to see some of their changes, but be sure you're doing what you think you're doing.

Why would you want to do

Why would you want to do that?

I do the same for two

I do the same for two reasons:

1. To use a more secure browser without anonymity ;-)

2. To use JAP when Tor IP exits are blocked.

Firefox with NoScript and

Firefox with NoScript and HTTPS everywhere in an identical setup provide equivalent security to TBB.

Uh, sorry, this isn't

Uh, sorry, this isn't true.

See
https://decvnxytmk.oedi.net/projects/torbrowser/design/
and
https://decvnxytmk.oedi.net/docs/torbutton/en/design/
and
https://gitweb.torproject.org/torbrowser.git/tree/master:/src/current-p…

Depending I guess on what you meant by "identical setup" -- perhaps you meant identical including all the patches and config changes? :)

They may have an isolating

They may have an isolating proxy.

In about:config set

In about:config set extensions.torlauncher.start_tor to false

Tor browser crashes

Tor browser crashes everytime I use NoScript "Temporary allow..."

Do you have steps to

Do you have steps to reproduce your problem?

I tried many times and could

I tried many times and could not. I used Huffingtonpost as the test site (lots of scripts).

After temp. allowing all scripts it loaded fine.

I get crashes like this in

I get crashes like this in win8.1:
gmail
- Login
- temporarily enable scripts
- page starts loading, but tor stops working before it finishes.

Using win8.1 I get the same

Using win8.1 I get the same crash when logging into gmail. It happens right after I've logged in. I can use gmail for a little bit but then it crashes. No more than 10 seconds. I don't enable scripts and it does it.

Also using windows 8.1 here

Also using windows 8.1 here and have the same issue. I've noticed that Gmail works up until the point where gchat would load. Then it crashes. I haven't had a chance to try it using the HTML only fallback version.

Interestingly enough, on the

Interestingly enough, on the same connection, when I booted to Linux Mint, I didn't have any issues with Gmail. It appears to be a problem only in the Windows version.

The problem is very reproducible, load gmail from the latest tor browser 31.2.0, tor browser 4.0 on windows 8.1 (and judging from other comments on windows 7 as well). As soon as google chat loads, the browser crashes. This happened on two separate machines, but did not happen when I booted into Linux Mint.

I have the same problem with

I have the same problem with Tor 4.0 on Win 7. I temporarily allow scripts on Gmail for login. Login is successful, but Tor crashes completely in about 10 seconds. Reverted to Tor 3.6.6, and it works fine as usual.

I also had this issue with

I also had this issue with Win 7. It seems to crash just as the chat/hangouts applet is loading.

Same problem here on Win7 x86

I have same problem. but

I have same problem. but when I login in basic HTML format, it works properly

AVG detection on installer

AVG detection on installer and tor launcher.
http://www.avgthreatlabs.com/virus-and-malware-information/info/unknown…

AVG detection on Browser

AVG detection on Browser itself !

Yeah, if you read some of

Yeah, if you read some of the comments on that page it's hilarious.

AVG has been detecting Tor browser for some time. That doesn't mean there's a virus, and saying Tor Browser is a type Adware called Unknown... AVG is just setting up a wide net and dumping everything that their scanner comes up as possibly questionable in unknown.

libssp-0.dll is missing from

libssp-0.dll is missing from my computer.
I has windows 7, and only unzipped tor , did not install. i always use it without install.
Tried to copy libssp-0 in c:\windows\system32 but still same error...

Right -- you can't just

Right -- you can't just unzip it, you have to install it. The installer rearranges the files to be in the right places.

Some people want it to be different. You should submit a patch so the zip file can be used too.

There is no reason for not

There is no reason for not running the installer.
It just extracts files, no registry entries are created.
If you run the installer, libssp-0.dll right location will be:

Tor Browser\Browser\libssp-0.dll<br />
Tor Browser\Browser\TorBrowser\Tor\libssp-0.dll

There is no reason to USE

There is no reason to USE installer! An archiver can extract files and set directories. Why force installer usage? Dumb following commercial practice? "no registry entries are created" -- now, but what about tomorrow?

I managed to make it

I managed to make it work.
My shit windows is 64 bit, and the dll directory is c:\windows\s68wow ... something.

looks like off to shaky

looks like off to shaky start on Ubuntu 14.

- menus are not there
- bookmarks button is not there.

You can enable the menu bar

You can enable the menu bar by right-clicking on the toolbar and you find the bookmarks button behind the Open Menu button on the right side of the toolbar.

I know how to do that but be

I know how to do that but be sured that many many people does not.

They can dl and use tor

They can dl and use tor browser but can't to a simple task as decorating.. pls..

No, this is a bug. See my

No, this is a bug. See my post about Win 7 and my ticket, here: https://trac.torproject.org/projects/tor/ticket/13438

New version 4 will not even

New version 4 will not even run on ubuntu 14.04 x64 for me. Tried multiple times, no luck at all. Had to return to previous version 3.6.6

I could not get it to run

I could not get it to run either if i download and run tor browser bundle but when used/install with torbrowser-launcher it works fine.

also the download and home

also the download and home button are missing

yes mine too

Right click next to the

Right click next to the search bar, then click customize.

The NoScript secureCookies

The NoScript secureCookies option breaks logins to multiple sites (see e.g.
https://trac.torproject.org/projects/tor/ticket/13332).
Are there plans to turn this off in future releases?

Not yet. We need to

Not yet. We need to investigate this issue properly first.

Could some Tor

Could some Tor experts/developers tell me whether Tor Browser 4.0 (Linux-64bit) leaked personal details when the following errors were encountered, in particular my Tor browser ID 1413456385345:

Oct 16 18:37:17.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362
Oct 16 18:46:25.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456385345 addons.update-checker WARN HTTP Request failed for an unknown reason
1413456412233 addons.xpi WARN Download of https://www.eff.org/files/https-everywhere-4.0.2.xpi failed: 2147500037
Oct 16 18:46:52.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362
console.error:
[CustomizableUI]
[Exception... "Component not initialized" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: chrome://noscript/content/noscriptOverlay.js :: noscriptOverlay<._customizableUIListener.onWidgetAfterDOMChange :: line 362" data: no] -- undefined:362

No, I don't think so. This

No, I don't think so. This happens after all your browser state got cleared. This issue is tracked in https://bugs.torproject.org/13377 btw.

No, I don't think so. This

No, I don't think so. This happens after all your browser state got cleared. This issue is tracked in .......

Thanks for your reply.

Referring to my previous post, are the numbers 1413456385345 and 1413456412233 unique to my Tor browser? Will they deanonymize me?

Looks more like timestamps

Looks more like timestamps involved although I don't know the context to make more than a guess.

side-channel to measure have

side-channel to measure have long server/client decrypt/encrypt packets

I have also seen the

"addons.update-checker WARN HTTP Request failed for an unknown reason"

error message and can confirm it's thrown at times when my browser state is not being cleared.

Do you know why this would happening, especially given all the recent attention to the updating mechanism?

Kudos on a great release!

Might be due to us pointing

Might be due to us pointing to https://127.0.0.1 for Tor Launcher/Torbutton updates (#10682) and there being no proxy exception for it anymore (#10419).

thanks! i somehow had not

thanks! i somehow had not noticed the corresponding tickets earlier

same here

This is from my

This is from my terminal

<br />
Oct 26 17:45:55.000 [notice] Bootstrapped 90%: Establishing a Tor circuit<br />
Oct 26 17:45:56.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.<br />
Oct 26 17:45:56.000 [notice] Bootstrapped 100%: Done<br />
Oct 26 17:45:58.000 [notice] New control connection opened from 127.0.0.1.<br />
Oct 26 17:51:57.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].<br />
1414363917043   addons.update-checker WARN    HTTP Request failed for an unknown reason<br />
1414363917045 addons.update-checker WARN    HTTP Request failed for an unknown reason<br />
[\code]<br />
what just happened?

It's harmless, but I agree

It's harmless, but I agree it's scary-sounding.

https://trac.torproject.org/projects/tor/ticket/13129

I get these errors too man

I get these errors too man Why noone from TOR is answering here?

thsnks a lot why you jumped

thsnks a lot
why you jumped to version 31 ESR, while it is still in 24.8.x branch?
please blog back an answer

Because there are no

Because there are no security updates provided anymore for ESR 24.

Because there are no

Because there are no security updates provided anymore for ESR 24.

When there are no more security updates for ESR 24, it must mean that ESR 24 has NO security vulnerabilities. It must mean that ESR 24 is THE most stable and secure version, yes?

no more security updates

no more security updates means they stopped providing support.

No, it means that Mozilla no

No, it means that Mozilla no longer supports the old ESR version. It's quite the opposite from what you said. :)

YOU are right, historically

YOU are right, historically there are _always_ significantly more security holes in "newest exiting etc." software. Seems tor joined race for "new release every week", not ready? - push it and collect users replies.

Well, a) this isn't the

Well, a) this isn't the newest exciting software. We have joined the FF31 extended support release part-way through its cycle. And b) indeed, we were pushed onto FF31 by having FF24 no longer supported. At least they gave us a schedule so we knew it would happen.

If you know of other better browsers out there for adapting, I'm all ears.

In the mean time, also be sure to read the bottom of
https://vbdvexcmqi.oedi.net/blog/isec-partners-conducts-tor-browser-har…

Why at least not to give

Why at least not to give user a _choice_ to select new or previous release? And as you have skilled people who know where to change code to make it more secure for FF24 why should they run for FF31...FFnn?
OK, may be hardenedTM and shinyTM versions of tbb? Isn't it a choice of compiling options? So what about such a little step? And it's fine have just "This package requires no installation. Just extract it and run." for HardenedTBB for windowz.
iSEC Partners ... they can just try to fill a bug report.
btw it's not mozilla writing browser code, it's people.

It is indeed people writing

It is indeed people writing browser code, but it's hundreds of them, not the three or four that we have on Tor Browser. You'll have to take my word for it that trying to maintain an old abandoned Firefox with three or four people is a really bad move.

Or if you don't believe me, I invite you to go do it for us. :)

how do I enable the

how do I enable the "bookmarks toolbars" I can not get to "view" menu on Ubuntu?

What a worthless ugly POS

What a worthless ugly POS browser. There has got to be something useable out there?

What's wrong with it? If you

What's wrong with it? If you are moaning about captchas that's not Tor's fault, if you're moaning about youtube videos not playing simply refresh the page and it works fine. Otherwise I don't know your problem.

https://addons.mozilla.org/en

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ can give a usable interface, probably won't cause the NSA to bust you.

Different behavior between

Different behavior between new started browser 4 and "new identify". (win 7, noscript: done: forbit settings globally)

Start 4.0. Open http://ip-check.info/ for privacy test. A window appears "Authentication request". This is a test, click cancel. Then Site loads and you can click start test. And later the result comes.

Now "new identify". Open http://ip-check.info/ for privacy test again. NO window appears anymore with "Authentication request". Most of the times it loads and don't stop. I retry with same URL. Sometimes you got on the page for the test. But no window "Authentication request".

If you close and start the browser, and open http://ip-check.info/, the window "Authentication request" appears again.

I always thought "New Identify" is the same with closing and starting the browser. As this example shows, there must be a difference. Is this a security/privacy problem? What is the difference between "New Identity" and closing/opening new browser? Best is to close and reopen the whole browser, not "New Identity" IMO.

Thanks for comments.

I always knew that it's not

I always knew that it's not the same, simply by the much shorter time frame that "new identity" button took to "restart" the browser in comparison to manually restarting it (e.g. through disabling an add-on and clicking "restart now").

"While we do not recommend

"While we do not recommend per-element whitelisting due to fingerprinting", but if you "revoke temporary permissions" before going to any website and then allow only the scripts that are necessary to view the page, and you do this with every website, can they fingerprint you?

Fingerprinting due to

Fingerprinting due to per-element whitelisting is excluded then. Not sure whether this behavior opens up new holes as you would probably be the only one doing this cumbersome ritual. Might be dependent on what you mean with "they".

Exactly what I have been

Exactly what I have been writing: simply don't use a whitelist with NoScript. Allow temp. scripts per page, every time, and then revoke permissions.

I wonder if NoScript has a feature that the temp. permissions can be auto-revoked when the page is no longer loaded?

tor browser bundle 4.0 not

tor browser bundle 4.0 not working at all on windows 8.1 64bit, no gui pops up, tor.exe appears in task manager for a few seconds then disappears

Thank you so much for your

Thank you so much for your unrelenting efforts! (So cool about Meek!)

A surprise: I am embarrassed to comment that the upgrade pooted my year's glut of bookmarks. This I did not expect because always before they remained intact, ergo, this time I did _not_ make a back-up. Heh. (Linux 32-bit english, btw.)

So be warned and be not lazy like me.

Thank you again, Tor folks!

I was surprised when mine

I was surprised when mine were erased as well. I don't usually read the release notes for TBB updates before I download the newest version. If the home page tells me to update, I just automatically do it. I don't know why, but I do.
Anyway, If you still have, I think it was 3.6.6, open the browser, and export the bookmarks as an html. Then just open 4.0 and import it.

WHY???? Problem signature:

WHY????

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: ----
Additional Information 1: --
Additional Information 2: --
Additional Information 3: --
Additional Information 4: --

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Aero is broken again with

Aero is broken again with v4.0 on Win 7. And this time so is the buttons for options, help, etc.

This is the same problem that happens some releases ago. Can you please fix TB so it correctly works with Aero?

See:
http://i.imgur.com/Fr3UyJL.png

I opened a ticket:

TBB does not like the standard theme on Windows XP, Vista, and 7 (part 2)

https://trac.torproject.org/projects/tor/ticket/13438

apropos "pooted bookmarks"

apropos "pooted bookmarks" posted above (by me):

Embarrassed again - I found them! It appears that the new TBB's "show all bookmarks" and "restore" option did not go to the right place to find the backups.

Sorry. (I do not know which comment has the greater "doh!" factor!)

Thank you again.

Remarks on : - Torbrowser 4

Remarks on :

- Torbrowser 4 functionality
.

Final extended feedback-remarks on :

- Dropping Mac support !!
- Bringing back separate tor network connection bundle

.

1) Torbrowser 4.0 browser feedback

- Media tab is still missing in page information while this tab is available in firefox ESR versions and torbrower 3.6.5 and before.

- Security tab, Technical details is still empty.

- Port management function tab is just deleted, missing

- Alternative connections, config bridge questions
a) Some bridges need Python application to connect internet.
Why is python needed, what are the extra security risks when python versions are not the latest.

b) Alternative to not using python connections is using meek-Google, meek-amazon, what about these companies using behavior analytics, device profiling in return?
What about user privacy?

c) Custom bridges, gives opportunity to manage ports but is absolutely non friendly in distributing system when people are looking for certain ports.

see remarks down

.

Quoted :

"Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the Tails (https://tails.boum.org/) live operating system."

.

2) Mac dropping - regarding this remarkable decision

- It seems a developer only decision that is taken by bypassing users in a sort of developer background discussion for which people had to register to take part!
Registering to take part in a discussion about a anonymous browser?
That wass not a really user friendly option, it's more a way to threshold user feedback.
.

A reason to give a final feedback on this now and here.
.

- It seems a decision that seems not to be taken on a fact basis.
About specific user usage facts per country for example to actually serve the Torbrowser user group.
Just mentioning a world wide average number does not make sense in any way at all. You cannot compare the countries you are serving in many ways an therefore not use one general statistical number.
.

- It just could be that the target group of the Torbrowser users are not all capable to buy new and fast computers.
Forcing users to buy new, newer or computers with an other os does not have anything to do with working on a realistic solution and will lead as usual to a common user solution for which some developers will not understand nor see nor recognize, working with unsupported versions of software because the user cannot upgrade anymore and does not feel the urge to throw away working hardware.
.

- Did the developers actually seriously try out their own suggested OS X solutions working with tails?
I don't believe so, take a bunch of 2006/2007 Macs and try in yourself.
Then, just invite a average computer user and ask them to do it.
Will they succeed? In how many day's?

Impression, Tails is not actually such a lightweight distro and seems not to be mend for 2006 computers to run.

Suggesting that making a bootable OS X tails usb is not so easy, or, but preferred tot do is far from every reasonable OS X user reality.
Besides, it will probably not work anyhow what makes this more like a 9th circle area exercise. Not the kind of energy people are looking for.
A exercise that OS X users are not used to, will not seriously consider, maybe also not in the least because it's far too difficult, beside pgp check troubles, and leads them to a complete change of operating system to just make one browser work?
What do you think?

The result will be in advance or again that people stay using old unsupported Torbrowser versions because they have no choice.

A supported 32 version would maybe not 99.99% secure but more secure and far more wanted than a unsupported Torbrowser.
Give people the opportunity to decide and don't push them to more insecure behavior.

.

3) 100% security dream - back to reality - real OS X threads

Dropping support arguments against real threads, what is actually the problem ?

The perception that some things in the Torbrowser are not safe?
It is a good thing to recognize, to look for and work on solving that.
So, although it seems a good idea to work on extra security it seems that the argument department is not really clear nor convincing, seems at least not in a realistic balance.

To put in in another way, there seems to be some misbalance between high advanced possibly possible risks and threads that are used as arguments to drop down support while the easier solutions or threads are still unsolved.
Why not begin with and first finish all the issues that all could be solved within the existing Torbrowser, they still had not in 3.6.6. as reported by user feedback over here and in the Torbrowser security analysis report.

.

Some examples
.

- Why taking the possible ASLR exploits as an Mac dropping support argument while not having solved the most easy basic and essential solutions in the Torbrowser and addons itself as mentioned in the report.
Javascript technique is commonly used in infection routines, could affect lots of people, and should have had more priority than this sudden sophisticated possible exploit argument which is fare more rare.
Remarkable Security risk balance.
.

- Some time ago the Torbrowser team had having a big report written about security threads for OS X and the Torbrowser.

But not having investigated the basic issue of one very uncommon Torbrowser solution in OS X that maybe could lead to bad permission privilege escalation.
Privilege escalation possibly served by placing the Torbrowser in the general applications folder, which is normal, but not really normal with a direct write permission to that environment because it is continually storing it's temporary files inside the bundle instead in a local user library like all other apps usually used to do.

It's clear why everything is in one bundle, it's not clear if placing the Torbrowserbundle in the application directory is actually really safe.
This is a big security related decision that has effects for all OS X versions and is not investigated while the security of the browser and Os X was analyzed by a security research company?

Bit remarkable to only focus on the 64 bit discussion and take Chrome as a example for 64 bit security while they even only had a beta version at that time. Firefox ESR is 64 bit and is even working on 32 bit Mac's without a problem.
Possible Privilege escalation Security risk related for all OS X versions.
.

- More security thread misbalance?
In what way is the Torbrowser protected when running from an usb stick?
It seems that any malware can change the browser files because the usb stick is running in the same local user permission area.
USB infection Security risk related for all OS X versions.
.

- In which way the Torbrowser is getting safer by enlarging the attack surface in the usage of extra processes that need internet connection?

This new Torbrowser 4.0 version even needs a python application to make access to the internet?
That makes two, or three applications connecting to the internet for the usage of one browser.
Users have to monitor the security status of their Python application as an extra, manually updating python in OS X is not a easy thing to do for average users and Apple security updates for python are not that common or taking place that often.

Besides, the big malware outbreak in 2012 with the flashback malware used Java and python functionality. The difference is that in Mac OS X there is no option to monitor the Python application or even a preferences pane like Java has.
Python and internet usage, security risk?
Anyhow related to all OS X versions, but especially for the not the newest versions.
.

- Degrading security by deleting port config options.

Why is the managing ports security option totally removed?
That was actually not a bug but a security feature.

Some people want to manage their computer ports instead of leaving them all open. So, removing a security option because some users did not understand the way it worked?
What is the balance here in the whole security discussion perspective?

To manage ports, there is a one very non practical option left.
This option is to enter custom bridges and look for addresses connected to certain ports? Thats is a lot of manual work! Especially if one wants to change the addresses once in a while.

Remarkable is that people can ask a list of bridges by email and the suggestion to use a gmail account.
Gmail? Google? Privacy?
.

- More about privacy.
What does the usage of amazon and Google Meek with the privacy of Torbrowser users?
Another new profiling addition to Google analytics, exitnode analytics, system profiling analytics?

Torbrowser seems to have a very dualistic moral and practical relationship with Google on privacy matters and actual cooperation, Google search is still asking for captcha's in return for usage for example.

.

4) Security arguments and Security threads for Mac OS X

Slightly rhetorical question, could the security researchers and developers please tell the Torbrowser Mac users what the actual realistic malware threads are for OS X an the way targeted attacks take place?
Could they please give some figures and examples in which way the threads will be much higher for the older 32 bit Mac systems compared to 64 bit and newest Mac OS X'es?

Please show these big differences with figures about infected Mac's divided in older and newer OS X'es.
One should convince the users by comparing facts and arguments, right?

You will probably not find these figures or have these available because there is probably not such a big difference in infection rates by OS X version.
And when you even would find figures about older infected compromised Mac's even then the compromising reason is usually not the older OS X version itself.

For what I see, read and know, which is maybe not enough, is that far most malware and even targeted attacks are using methods which don't actually need the safer 64 bit browser functionality that hard.
Not a reason to not work on it.

By the way the original Firefox ESR is already a 64 bit browser is there for years and also runs on 32 bit systems by the way, so why cant the Torbrowser be?

.

General, most seen, more common, simple attack surface for Mac
.

a) Social engineering

- A user has to actively install a malware application with the help of giving admin permissions, ignoring warnings and active further cooperation.
Or even like just installing a normal application.
Working all day within a admin account helps malware developers a lot, a lot of people do and it's not smart. A safer browser won't help against this.
.

b) Internet browser

- The usage of javascripts which you can manage with noscript also in Torbrowser
- The misusage of browser plugins like flash and java, which are managed already in de config of Torbrowser
- The usage of feedback information the browser is giving, which are managed in the config settings of Torbrowser.
So a Mac Torbrowser is actually telling that it is a windows system which reduces the attack surface already. Most malware attacks are based on user agent strings. Windows malware does not work on OS X.

Although it seems that there is one hidden setting that can tell the outside world that it is a Mac Torbrowser!?
One will notice when there is a update available and get a specific Mac redirect.
Wouldn't it be safer to remove that option as well before it will be misused?
People are probably smart enough to choose between the Windows, Mac and Linux download button on that same download page.
.

c) Non apple non up to date software

- adobe flashplayer plugin
- java and java plugin
- ms office for Mac, 2004 for example
- adobe reader
- fake video codec's and misusage of non up to date video players like vlc player.
.

d) Non up to date apple software

- Safari browser, take Torbrowser as long as they are supporting it, otherwise 64 bit firefox
- Java Mac versions 6 is 1.6 and earlier

.

All these threads above do not really primarily have to do with the arguments to drop support for certain Mac's or older OS X'es.
.

With one exception,
(e) that people could simply avoid because it is not necessary!
Running Mac OS X 10.5 or 10.4 on a Mac with a intel processor. Just take at least OS X 10.6 on that intel Mac.
.

(f) Learning from out of support site threads !

When not having facts and figures available about OS X versions related to malware and targeted attacks, one could also learn from Mac malware in another way.
When malware seems to have another motive than a criminal motivation and targets specific groups or organizations, the malware is especially, almost always targeting and written for older Mac's with older unpatched program's.
Mac's Torbrowser even missed to support.

It is very easy to conclude from there that there especially is a possible need for Torbrowser support on older Mac's and also direct proof of the fact that older Mac's are still in more than main average figures used by people that especially can use that extra security too.

In plain english, the customer group Torbrowser is talking about and heading for.
The group that will not have support anymore, or even did not have at all because they use even older Mac's.
The group that, according to Torbrowser team, should buy newer, other computers or just go to Windows or Linux?

Maybe they do,
a lot of them probably won't, it's just the way things will not work. Something with everlasting gap between user behavior and developers future possible functions perception.

.

5) Smart behavior before even upgrading

Mainly all above threads are to stop by good and smart behavior within every OS X and using options that are already in the Torbrowser itself.

When using the possibilities that noscript will give a user or with the built in possibilities of changing some about config settings.
You do not need the latest OS X for that,
You do not need to upgrade you OS X for that,
although it is a very good idea to do if to can on that system.

One should be prepared to other attacks an make a safe browser and that is a good goal.
.

In this specific already former dropping Mac discussion I get the impression that it's not the arguments that are counting but possibly more other wishes like having less work, don't like a fat application to distribute.
While a lot of other developers made universal applications for OS X or just served two. But Torbrowser cannot?

Further on, one can understand that it is more trendy to market and to show having a 64 bit browser available. Does not count for the ones who will be abandoned by Torbrowser.
.

This discussion is more than a slightly different argument perspective and accent.
Something that is missing everywhere in the general developer progress arguments end wishes usually ending in fat system requirements.
That is probably why we also have to buy new computers again with more heavy specs to still do the same simple things we do the most, browsing, mailing, writing, watching some fotos and video.

.

6) What is actually wrong by offering two versions, 64 bit 32 bit?

Even offering a stripped 32 bit version with higher more strict security settings and less functionality if it could have security implications.
Strong example : Browsing with no javascript activated is always better than no opportunity to browse at all!

When offering a separate version, then you can also measure the need for the 32 bit browser and make a decision, at least based on facts by usage numbers.
Which is still not a guarantee for a acceptable moral decision, but it's a far better start then just dropping without knowledge.
Better than privacy and safety for the upperclass, rich and the west. Did not get the impression that is the main goal for offering tor.

Question,
When dropping support, please do so with fair arguments and listen to your users, next time give them a real anonymous opportunity to give feedback on important anonymous browser issues.

Unfortunately a long story, just the other side in this not so open browser discussion that I wanted to point at.
I agree on working at a good security product and I do appreciate the effort of all the people who did work on that a lot, no misunderstanding for that.

.

7) Food for thought

When supporting older systems or browser versions is not an option for the tor developers anymore.
Maybe it would be an idea to give users the option back to distribute a separate app again to separately connect with the Tor network.
Vidalia download option?

In this case, the abandoned users and even users with older Mac's could use another still supported mozilla fork browser in combination with the Tor functionality.

The Torbrowser developers that are dropping support could leave the possibility open for others to create some sort of a torbrowsing fork experience by using another combination with browsers that still are supported by other enthusiastic developers for even older OS X versions and a lot of even older Macs that are in business and used in other parts of the world.

.
If this long feedback on dropping Mac support contribution is placed, I hope so, Thank you very much for placing this user feedback.
Hopefully helping anyone with it,
especially the Torbrowser developer team.

All the best,

I mark a word in this forum

I mark a word in this forum and right click mouse and chose "search startpage [word]". new tab opens with site startpage, but without the marked word and with alert: "noscript filtered a potial post-site-scripting (XSS) attemts from [Chrome]; technical details have been logged in console."

in the console:

[NoScript XSS] Sanitized suspicious upload to [https://startpage.com/rto/search] from [chrome://browser/content/browser.xul]: transformed into a download-only GET request

this is all new for me, what should i do? thx.

I have this same problem

I have this same problem with vanilla Firefox. It seems to be a combination of NoScript blocking + a search engine that uses POST rather than GET. It is probably a bug in NoScript.

The mac download link on the

The mac download link on the main page gives the following error:

Not Found

The requested URL /dist/torbrowser/3.6.6/TorBrowser-3.6.6-osx32_en-US.dmg was not found on this server.
Apache Server at decvnxytmk.oedi.net Port 443

Apparently the link needs to be updated to point to the dmg files here: https://decvnxytmk.oedi.net/dist/torbrowser/4.0/
The English Mac version I downloaded from the distribution directory link works.

Yep. There was a momentary

Yep. There was a momentary hiccup that reverted all the links, and worse, caused 4.0 users to be told to upgrade. It should be fixed now. Sorry for the fuss!

See this thread
https://lists.torproject.org/pipermail/tor-talk/2014-October/035259.html
and this ticket
https://trac.torproject.org/projects/tor/ticket/13441
for more details about what happened.

"We intend to deprecate

"We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version"

>> Okay, but I don't see any 64 bit OS X bundles available. Where can I download them ?

They are not ready yet but

They are not ready yet but will, of course, be available once we drop 32 bit support.

Hi, I downloaded TB 4.0 and

Hi,

I downloaded TB 4.0 and now it says that it's not updated and points me to the Torproject page, where I can only download TB 3.6.6.
Also, right now, https://decvnxytmk.oedi.net/download/download-easy.html only offers TB 3.6.6. Is this intended?

Yep. See the comment

Yep. See the comment above.

In fact, there are like 20 of these comments below, so I'm going to prune them all to keep this comment section more reasonable.

On October 16th, 2014

On October 16th, 2014 Anonymous said:
...
> Is it safe to install the theme classic theme restorer?

I don't know, but ... I did it anyway, first thing, and the devs should be aware that a lot of us probably will.

The fact that a lot of us

The fact that a lot of us are installing it should help prevent fingerprinting from being too effective though unless a majority of us use a decent UI we'll still show up a bit when we enable js.

Feds are funding

Feds are funding Tor?
http://reason.com/blog/2014/07/30/feds-gave-tor-project-18m-while-also-…

Government funding Tor?
http://www.theguardian.com/technology/2014/jul/29/us-government-funding…

Tor bugs leaked
http://www.bbc.com/news/technology-28886462

NSA targets Tor Users more!
http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto…

Why are you posting a pile

Why are you posting a pile of URLs? There sure are a lot of URLs out there you can choose from.

See all the discussion at
https://vbdvexcmqi.oedi.net/blog/being-targeted-nsa

and then also the discussion at
https://vbdvexcmqi.oedi.net/blog/transparency-openness-and-our-2013-fin…

I installed on 2 different

I installed on 2 different computers running Windows 7. When I open the TOR folder there is a shortcut to "Start TOR Browser" and an application of the same name. Neither work.

Same here. I haven't had

Same here. I haven't had issues running Tor before on my PC (running Windows 7 with all the latest patches) but when I install it or when I click on Start Tor Browser nothing happens (browser doesn't launch).

Is there a Tor Mobile App

Is there a Tor Mobile App for like the Iphone? I heard you have to set up your computer as a server for your Iphone to then access Tor.

Is there any way for Tor to auto-delete if it has been compromised? Maybe someone is tracking your Tor movements and if Tor detects some kind of suspicious tracking going on, it can automatically shut itself off? That would be great for pure defensive protection!

There's basically no way for

There's basically no way for tor to know it's been compromised and even if there were Eve could experiment on the same version as the one you're running to find a way to compromise it without triggering the auto-delete.

Why can't you go onto the

Why can't you go onto the Yelp site with Tor? It keeps saying blocked. How much does that suck!

It does

It does suck.

https://vbdvexcmqi.oedi.net/blog/call-arms-helping-internet-services-ac…

Cloudflare sucks even more.

Why is there post moderation

Why is there post moderation before posting? I want free speech!

Because for every actual

Because for every actual comment here there are ten times that many spam comments about shoes and Chinese herbs and so on. Trust me, you do not want to see the waves of spam comments.

Maybe someday we will have a blog that is open to anybody, and doesn't use any of those horrible centralized recaptcha things, and also doesn't have any spam on it. We're not there yet though, and we're focusing on developing Tor instead.

Feds are funding Tor...watch

Feds are funding Tor...watch out for back-doors!

You might

You might enjoy
https://decvnxytmk.oedi.net/docs/faq#Backdoor
and
https://vbdvexcmqi.oedi.net/blog/transparency-openness-and-our-2013-fin…
and the links that it points to.

Thanks for your wonderful

Thanks for your wonderful and great work!

Sure, there is no update to this 4.0-version - anyways I wanted to check, where to manually activate the certificate for this: »Please also be aware that the security of the updater depends on the specific CA that issued the decvnxytmk.oedi.net HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option.«

I could not find this option by following your description...

If you open the main menu

If you open the main menu (the rightmost icon on the toolbar) and choose "?" and then "About Tor Browser" you'll find a button you need to press first to download an update (if there is an update available at all).

Please answer, do you no

Please answer, do you no longer maintain expert bundle? The current version is 0.2.4.23 which is older than 0.2.4.24, which is older than 0.2.5.8-rc.

Another question is, do I even have to download expert bundle to use tor stand-alone? Could I just grab the tor.exe from Tor Browser? I'm asking because they have different file sizes and there might be major differences, I even guess it might be better to do so.

There is nobody who makes

There is nobody who makes them currently. I don't think there's a plan for fixing that. Maybe you should step up and help?

In the mean time, yes, I think you can just grab the Tor Browser and pull the tor.exe from it.

No. Replacing Tor.exe from

No.
Replacing Tor.exe from TBB does not work.
The only way to make it work is to grab the complete dir
Tor Browser\Browser\TorBrowser\Tor
and run tor.exe

It works on socks 127.0.0.1:9050
Since there is no UI, the only way to close tor.exe is killing the process.

Great -- I guess you do want

Great -- I guess you do want the libraries too, if your system doesn't already have them. Thanks for the clarification.

Crashes 100% after logging

Crashes 100% after logging into my favorite site, page appears to load about 80% normally:

Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0

Clean TBB 4 install. Guess I'm staying with 3.6.6 for now.

WOOHOO!

WOOHOO!

seconded!

For some reason this newer

For some reason this newer version can never connect for me

Can you further explain the

Can you further explain the reasons for changing NoScript's functionality?

I can be fingerprinted based on my particular NoScript policies? Is that the idea?

How does the suggested replacement reduce this risk?

They will fingerprint you

They will fingerprint you the moment you activate the script for the website, for example if you go to https://panopticlick.eff.org/ and, if you have forbid scripts globally, choose to allow the scripts and press test me they will have a unique fingerprint for your browser, the same goes for any website. They should not have changed the settings on noscripts for the "cascade" now every script will be allowed thus not just the website you visit will be able to fingerprint you but all the other websites like those for comments or facebook, twitter will have a unique fingerprint of your browser. You should choose on a case by case which scripts you allow for all websites and just revoke temporary permissions before you go to a new website and don't make a whitelist. Regardless, go and check the website https://panopticlick.eff.org/ to see how unique your browser fingerprint is, hopefully it's not.

I understand that activating

I understand that activating JavaScript opens up my browser to fingerprinting.

Unchecking the "cascade" options allows my setup to work the way I wish: only allowing the current site and blocking the rest until I temporarily allow each of them.

One interesting thing I noticed when visiting panopticlick at your suggestion is maximizing the browser is what fingerprints my browser more so than anything else. Keeping the browser the default size is best.

Perhaps resizing the browser should be disabled? : )

If i try to change the

If i try to change the download folder in firefox options - firefox will crash. (WinXP SP3) Anyone else with this problem?

me too!!! resolve this bug

me too!!!
resolve this bug please!!

Yes, exactly the same as

Yes, exactly the same as you. Reported it in bugs or someplace. I have gone back to 3.6.6. which is fine.

Reported it where? (Also,

Reported it where?

(Also, going back to 3.6.6 is a poor idea -- see the link to Firefox security flaws in the old versions of Firefox.)

No alternative to going back

No alternative to going back to 3.6.6 if the new version crashes every time you try to change settings.

How can I reproduce this.

How can I reproduce this. Works for me on Windows 7.

really it is quite simple

really it is quite simple -
just have a bunch of vm-images w/ different versions of windows

I´ve tried to chance the

I´ve tried to chance the path manually over "about:config", but it seems that some commands are missing. Here is my workaround for that problem...

1. type "about:config" (without the "") in the address field of Firefox and confirm with the button that you will pay attention not to break the browser (or so, i can´t remember the right words, but you know what i mean, if you see it)

2. type "browser.download" into the searchfield and look if you have an entry that will called "browser.download.dir"... if so go to the next point... if not, create a new one... rightclick into an empty part of the window and choose "new", then choose "string". Give it this name "browser.download.dir" and in the next part your download location. It should look like this:

browser.download.dir - changed by user (or so, but it should not be standard) - string - C:\test

3. Doubleclick on "browser.download.folderList" and change its value to "2"!

4. go into the Firefox options and choose the function, that it will save the downloads into the desired folder and not let the user everytime choose, where the download will be saved...

Now you can close Firefox and restart Tor... your desired download location will now be used for downloading... but... it will crashed again if you try to change the path over the button in the Firefox options again...

Unfortunately, I had to

Unfortunately, I had to leave the Tor Browser Bundle. The new Firefox UI removed all usability. There is a classic theme restorer, but the Tor Project does not recommend the installation of additional extensions to the Tor Browser Bundle. Even if the Tor Project were to approve the installation of the classic theme restorer, it won't completely restore the usability level lost to the Australis interface.

Firefox has been lagging behind for years, but Australis was a step too far for me. Maybe one day sanity will return to the Firefox UI. In the meantime, the latest release of Qupzilla supports nested bookmarks (finally!). And strangest of all, Qupzilla has a sane, rational and well thought out UI. It's almost an exact duplicate of the Firefox 24 UI.

So instead of using a

So instead of using a relatively small extension to bring Firefox mostly back to how it should be you're suggesting we use a completely different browser that almost no one uses and which hasn't even had even the most cursory auditing done to it?

Okay, so what's your

Okay, so what's your alternative to Tor Browser for anonymity?

Sure Firefox has made the not so great decision to try to compete with Chrome for the average user by trying to replicate Chrome. It's a decision that kind of makes sense give Chrome's market share.
See https://en.wikipedia.org/wiki/Usage_share_of_web_browsers .

However, I'd caution against using UI as the primary factor for deciding a browser, especially for someone who has concerns that made them use Tor Browser in the first place.

Actually it's probably the

Actually it's probably the wrong decision as those who want a Chrome like interface are already using Chrome, it's those who want a usable interface that they should be targeting.

Chrome's interface is

Chrome's interface is usable, it's just different. When ever you get a new user interface you get old users complaining about it and frequently someone comes up with some addon/software to restore the old interface for the next five to ten years. It isn't really about having a useable interface, it's about people getting frustrated because they don't know how to use the new interface well. Of course, that hasn't stopped me from using the Classic Theme restorer addon just like I use a piece of software on my Win 7 box to restore the classic start menu.

Look, Firefox has to appeal to the general public. A web browser that appeals to only a subset of technically minded power users isn't going to get the resources (money/manpower) thrown at it to support the ever evolving web. Sure, there are web browsers around that are for that specific subset, but there are large parts of the web that they are unusable on. Even more importantly, they don't necessarily support the security features the major browsers do. For instance, forget about Lynx having certificate pinning. If it means I have less of a chance for my online banking to get hit with a MitM attack, I'll deal with a harder to use UI.

Most people don't want to clutter their screen space with unnecessary controls that they never use. For most users the simplification of the UI makes it more usable. That means they're more likely to use it. Personally, you and I and 100 other people on this blog might not like it, but the people who do like it usually don't write comments about it. Most of the people commenting on the Tor Blog tend to be power users; I don't think we can even assume they're an average cross section of tor users. We don't really have an idea what percentage of TB users dislike the UI changes as opposed to liking it, let alone vanilla Firefox.

Worked fine, updated, now -

Problem Event Name: APPCRASH
Application Name: firefox.exe

How do i fix it?

Looks like the Tor Browser

Looks like the Tor Browser team is working on it currently:
https://trac.torproject.org/projects/tor/ticket/13443#comment:14

Looks like the Tor Browser

Looks like the Tor Browser team is now waiting Mozilla to fix this
https://bugzilla.mozilla.org/show_bug.cgi?id=1088848

Options:
a) Easy Fix: Use Visual Studio
b) Wait some years until Mozilla Developers close this bug as WONTFIX
c) Release a new TBB 4.0.1 with "media.directshow.enabled" workaround

If (a) is selected you may also fix this non reported bug in CPU's with no CMOV instructions:
https://vbdvexcmqi.oedi.net/blog/tor-browser-353-released#comment-54924

Perhaps you can learn of QupZilla Devs.
History of QupZilla Browser:
The Windows version of QupZilla was compiled using MingW, but due to a huge problem with Flash, it is now compiled with Microsoft Visual C++ Compiler 2008
https://github.com/QupZilla/qupzilla

I believe 'c' is the current

I believe 'c' is the current plan.

Visual studio is not at all the easy fix, because they would be throwing away all the reproducible build features, and I assume it will be approximately forever until visual studio can do that. So that tradeoff sure doesn't sound worth it to me.

I just downloaded the Tor

I just downloaded the Tor Browser from this site and when I ran it my Norton Security from Comcast told me that this file has a bad reputation and could be dangerous. I'm just wondering if anyone else had the same problem. Thanks

The antivirus answer of "bad

The antivirus answer of "bad reputation" drives me nuts. What it means is that they spy on every program that all their users run, and they haven't seen that many users run this one, "so it must be dangerous".

That will be true for all new software forever.

Also see https://decvnxytmk.oedi.net/docs/faq#VirusFalsePositives

Hey, Certificates about

Hey,
Certificates about China Internet ,eg China Internet Network Information Center EV Certificates Root ,CNNIC ROOT and Entrust.net Secure Server Certification Authority ,cann't be forbidden or deleted in TBB 4.0, WHY??????It's said that those certificates are dangerous while accessing some websites.
Thanks for comments.

Deciding which CAs to trust

Deciding which CAs to trust and which not and based on which criteria is messy. We leave that to Mozilla.

Thanks so much.

AVG detection on Browser !

https://decvnxytmk.oedi.net/do

https://decvnxytmk.oedi.net/docs/faq#VirusFalsePositives

Please report their bug to your AVG vendor.

The gullible starstruck

The gullible starstruck people of the Tor project trust (and worship) lying-spying google more and more each month.

Not really, they're just

Not really, they're just trying to use tools provided by google to circumvent other types of surveillance. Look, meek is designed to make it look like you're using google/amazon/microsoft instead of tor for your ISP/government. It's a trade off of letting google/amazon/microsoft known your using tor instead of your ISP/government. Depending on your threat model, that may or may not be a good idea. For example, it's probably a better idea for people in Iran than people in Germany.

ha-ha-ha "your improvisation

ha-ha-ha "your improvisation is quite entertaining!"
google/etc==nsa;
so for sure tor sells entry guards to nsa, now nsa will have enough data for correlation analysis/researches and tor will have more funds.
local google sell data to local govs in accordance with there legislation. any corporation exists for getting profit.

Are you complaining about

Are you complaining about meek, or Tor Browser, or the program called tor, or Google, or what? I am confused by your mushed-together concerns, so I don't know how to help you.

If your traffic going

If your traffic going through nsa to tor entry guard, and your exit traffic going to nsa watching site isn't it quite obvious to correlate tor user ip with access to suspected site?
Can tor _recommend_ somebody like Snowden to use this channel?
Does tor deny relations between google and nsa?
And as known common users are lazy and will use what is given it will create another pattern - "common users" and "suspicious users" who will not go through google.nsa .
It's understandable these two groups of tor users have different needs - one for security and the others . In right design others should significantly lower SNR for tor links. But mass switching them to google etc. will expose security concerned users!

I think you're right that

I think you're right that meek has different anonymity characteristics than e.g. obfsproxy, which also has different characteristics than flashproxy.

First, I should reiterate that none of these transports are enabled by default. So we're not mass switching anybody to routing their traffic through Google or Amazon or Akamai or other centralized services. These are research prototypes that users can use if they want to.

But second, I agree with you that it's worth exploring and better understanding the anonymity vs reachability tradeoffs for these transports. I think that question falls under criteria #5 at
https://lists.torproject.org/pipermail/tor-dev/2013-September/005528.ht…
which I'm hoping we'll have time and attention to work on now that we're ramping up SponsorS:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorS/Plu…

Yes, but the NSA may not be

Yes, but the NSA may not be the threat that a given user of TBB is worried about.

so anonymous and

so anonymous and anonymous@nsa! quite impressive...
lets see - anonymous@mosad, anonymous@kgb, anonymous@nwo... and sure every corp needs there owns registered/subscribed anonymous...

This new version of the

This new version of the browser continually crashes on win64, is this a known issue?

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4

Yes....! and you are not

Yes....! and you are not alone..!

And yes...!!! The Navy is

And yes...!!! The Navy is watching as Tor sits back and does not inform you this activity is going on!!! Tor has been hack I am afraid..! when you do not get answers ..in reality the Tor guys do not even know of you posting issues ... it is going directly.. to echelon!

Your comment has been queued

Your comment has been queued for moderation by site administrators and will be published after approval. ...........O/K !!!! But I already know who is the Moderator...!

Yeah. Turns out, I am.

This may be a very dumb

This may be a very dumb question, but why in the hell was the option in NoScript to "Cascade top document's permissions to third party scripts" turned on? That ENABLES a whole bunch of privacy nightmare stuff on a lot of websites like Twitter stuff, Facebook tracking, etc.
Whose....... braindead stupid idea was it to enable that setting by default?
Whoever it was, in my opinion, needs kicked off the TOR team if they did not realize how dumb it was to enable that setting.

I have always hated noscript

I have always hated noscript because for the non geeky it is a nightmare to know how best to set the options for best security.

Someone else said "keep it simple". OK I appreciate the efforts the developers go to to keep us safe, but suspect there may be too many geeks involved who cannot avoid trying to fix things that don't need fixing.

No, they realized that

No, they realized that people didn't know how dumb they were using it and expecting to be hard to track and fingerprint. Turning off scripting for trackers doesn't eliminate the ability to track you.

commit

commit 1e64c52cbdf75863cc68f12431e6a3bb510ee695
Author: Mike Perry
Date: Thu Jun 26 18:27:48 2014 -0700

Set prefs for NoScript cascading permissions.

Also auto-reloading the current tab seems like a good plan.

I can't get Tor 4.0 to

I can't get Tor 4.0 to function consistently. It downloads fine, I install to a new directory (no overwriting any old version). Everything unpacks OK.

I then click "Start Tor Browser"... it loads, well, something -- "firefox.exe" and "tor.exe" appear on my running processes list. But no actual browser window appears. Any help? This happening to anyone else?

yep same here = Windows 8.1

yep same here = Windows 8.1 64bit

I`m having the same problem.

I`ve downloaded it several times now and still can`t get it to open a browser.

Any suggestions?

Yes, I 'm using windows

Yes, I 'm using windows vista home premium (32bit) with service pack 2.

Have tried downloading and re-installing TBB afresh many times - can download and install, but when I click "start tor browser" nothing appears to happen. I can see Tor listed as running in windows task manager. After a little while I get Tor browser has stopped working, close program, windows is looking for a solution.

The earlier version worked fine. Currently unable to use Tor.

To the Tor

To the Tor developers:

Please stop with making it more complex. This meek bullshit should not be forced on to all users by default. Make it an option people can turn on if they wish to involve Google/Amazon/Microsoft in their privacy. Now by involving the best friends of the NSA you are playing a very dangerous came with peoples live.

Again, KEEP IT SIMPLE !

By making things more complex you are creating more attack vectors which are or could get a problem in the future.

That said, your work is appreciated, one more thing i do donations to the project.

Like all other pluggable

Like all other pluggable transports, meek is optional and must be explicitly enabled. I'm not seeing what the problem is here.

Thanks tor, I used tor for

Thanks tor, I used tor for many year, it help me view internet directly, thanks a lot

Today I use Tor Browser 4.0 sign in Gmail, the browsers automatic close and win8.1 prompting tor have problem need to close.

This is my first time comment in site, so cool!

I have the same exact

I have the same exact problem. Win 8.1, sign into gmail, tor browser stops working.

So, does anyone know if TOR

So, does anyone know if TOR 4.0 took care of this issue:

https://www.eff.org/deeplinks/2014/05/mozilla-and-drm

If you don't want to check the link, it's about FireFox being the "last holdout" of Digital Rights Management and how F.F. folded.

It looks like no worries with the older TOR 3.x.x series, but now that TOR has shifted to the new F.F. ESR.....?

Thanks for the answer(s) if they are known.

^ ^ ^ ANYONE? ^ ^ ^

Tor project compiles Firefox

Tor project compiles Firefox themselves so it's highly unlikely that it has digital restrictions management support included.

Mozilla to their credit did mange to get a relatively benign implementation into Firefox that is optional and doesn't stuff up the rest of the browser, but will it stay that way or will the DRM lovers demand that Mozilla become more like the others?

I certainly hope the pirates put their effort into cracking the DRM on the other browsers which is implemented in a way more to Hollywood's liking than the Firefox implementation.

Thanks for your knowledge

Thanks for your knowledge and help. I'm not a computer guy/gal so I had no idea what the deal was since now FF has caved (although, not as bad as might seem according to your post).

Thanks again for your input! I'd be lost without so much giving so much in the web community.

How about adding the github

How about adding the github version of random-agent spoofer to Firefox to make more random of timezone and screen size and other information, it is possible I am too late to find this extension but I think many one have no notice so I'm share.

Timezone should just be UTC

Timezone should just be UTC for everyone.

My TBB keeps crashing every

My TBB keeps crashing every time I try to read my Gmail emails. No idea why. On Win 7, 32-bit. Everything worked perfectly before on the alphas 4.0 1,2, and 3. :(

This is

This is https://bugs.torproject.org/13443. If you can reproduce crashes on other sites, please let me know (ideally in the ticket), this might help solving the Gmail crashes as well.

Same here on Win XP: TBB 4.0

Same here on Win XP:
TBB 4.0 alpha-3 works fine with gmail
TBB 4.0 crashes when loading gmail:
Dr. Watson Log (in Spanish) says:

Excepción de aplicación ocurrida:<br />
        Aplicación: E:\...\Tor Browser\Browser\firefox.exe (pid=2220)<br />
        Fecha y hora: 17/10/2014 a las 22:24:00.484<br />
        Número de excepción: 80000003 (punto de interrupción codificado)<br />

Google translator (spanish to english):
"punto de interrupción codificado" = "coded breakpoint"

Workaround: disable javascript to force gmail "basic html view"

Hi, does it happen sometimes

Hi,

does it happen sometimes that the new version thinks it's outdated?

Thanks

it happened to me too last

it happened to me too last night
i commented here but they did not approve my msg, CIA/NSA BITCHES!!

Hi I can't import a personal

Hi
I can't import a personal .p12 certificate . What to do?

Sorry, Roger & Mike &

Sorry, Roger & Mike & company, but the TBB version 4.0 is buggy as all hell on Windows 7 and possibly Windows 8.1 ... when the installer unpacks the files, I think the directory tree that's made is all screwed up compared to previous versions.

On Tor 3.x, the "Start Tor Browser" was an executable file that did some juju and loaded Tor flawlessly. With Tor 4.0, "Start Tor Browser" has been changed to a shortcut file that points towards "firefox.exe" in a subdirectory. The result: clicking on "Start Tor Browser" loads firefox.exe and tor.exe into memory, into the processes list, without any actual browser window opening. Attempting to click "Start Tor Browser" again at this point gives an error message, "Firefox is already running but appears to not be responding at this time". Huh?

Seriously, take a Win7 box and run the Tor 4.0 installer. You'll get it to work once. But once you close the browser down, good luck getting it to run properly again.

Sticking with 3.6.6 until this gets sorted out. I have found one way to run Tor 4.0 properly, and that's through the just-released TAILS 1.2... there it works fine as far as I can tell. But I don't feel like having to reboot to a USB stick every time I want to do some little thing on Tor.

I am having the exact same

I am having the exact same issue with my Windows 7 (64bit) install as well. Tor doesn't launch.

Works fine here on Win 7

Works fine here on Win 7 64bit

Two issues which have

Two issues which have cropped up with the new version of TOR Browser 4.0:-

1) When attempting to login to a Gmail account, the browser stops working and closes. This only happens on this email account and not on others. The underlying OS is Windows 7 Pro 64-bit.

2) I have a number of installations across several machines, which are running either Windows 7 Pro 64-bit or Windows 8.1 and they all display the same characteristic, in that the browser frequently doesn't complete the start-up process. You get the little box in the corner whilst it is establishing a connection but no browser opens afterwards.

The worst issue with this second item is the fact that this error is not consistent, sometimes it works and sometimes it doesn't.

Yep, your second issue. Same

Yep, your second issue. Same thing here. Windows 7 Professional 64-bit. I'm the guy who posted the comment directly above yours coincidentally.

"The Tor Browser doesn't complete the start-up process". That's the most succinct way of putting it. It loads the browser into memory, but the actual window never opens. There have been like 10 people on this thread reporting similar issues -- how on Earth was this missed in testing?

As Kenan Thompson once said on SNL's Weekend Update, "FIX IT...! FIIIX IT!!! IT NEED TO BE FIXED!! NOW!" ;-)

I'm having the exact same

I'm having the exact same issue on windows 7, I downloaded and installed and it opened first time no problem within, 5 minutes it crashed and it hasn't opened since. I've tried reinstalling and a system restore to no avail. I've emailed their help desk and awaiting a reply. It does seems strange that it hasn't been addressed here.

The new interface is

The new interface is confusing, but overall the bundle works.

However, the browser seems to mess with some functions on sites like flickr.com, for example, the 'fav', 'share' and 'download' buttons on the album page are missing, changing no-script rules didn't help. Also when performing a search on this site, sometimes the search result page will get stuck in an infinite 'fetching more photos' loop, no matter how long you wait, no photos will be fetched.

The aforementioned issue is not present when using version 3.6 bundle.

Thanks for the tor team's effort in trying out new things, hope some day the problem will be addressed.

TorBrowser 3.6 was lagging a

TorBrowser 3.6 was lagging a lot it was barely usable, now TorBrowser 4.0 also lags but much less than 3.6, it's usable but the lag is visible and noticeable. What do you need to know and which public key should I use to send you what you need to know?

On Windows XP, Tor Browser

On Windows XP, Tor Browser 4.0 seems to conflict with Trusteer Rapport, which my bank requires me to use. On my system, Tor Browser 4.0 crashes without exception if Trusteer Rapport is running when I launch it. Trusteer Rapport also goes crazy, jumping to using nearly 1 GB of memory and 50%+ CPU. If Trusteer Rapport is disabled, however, Tor Browser launches and runs normally.

Tor Browser 3.6.6 does not create any issues, nor does vanilla Firefox. I will try and test it on Windows 7 when I can to see if the problem also occurs there (I currently only have access to a Win XP machine).

To clarify: Trusteer Rapport

To clarify: Trusteer Rapport is installed on my system, and the Rapport plugin is installed in vanilla Firefox. The plugin is NOT installed in Tor Browser. So it seems like something about the background process which Trusteer Rapport runs seems to conflict with something in Tor Browser. I'm happy to run specific tests, if it will help with debugging.

I had Trusteer Rapport on my

I had Trusteer Rapport on my comp. Just uninstalled and Tor working fine. The Trusteer programme was definately the reason Tor was not starting up. Thanks for this. Happy downloading :)

Tor Browser 4 doesn't work

Tor Browser 4 doesn't work for me on W8 - APPCRASH in Fault Module Name:KERNELBASE.dll. Stopped the Trusteer service and TB4 works ok.

I'll save you the time - it

I'll save you the time - it happens on Windows 7 and 8 if Rapport is installed.

Problem signature: Problem

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: 1a2a
Additional Information 4: 1a2aa8e38ac8adbb6fe1e594fa623c2e

Every time I'm in face book this will happen and I have to close Tor and restart it again, this is happening every time pop out news feed alerting me about my friends activity... I have no Idea what should I do, I had no problem with others Tor and this is surprising...

Got the same as you after

Got the same as you after the 4.0 update.

Does anyone know where to get the previous version's download? I want to go back.

Hi, this new version sucks

Hi, this new version sucks keep crashing on me...
Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 31.2.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 31.2.0.0
Fault Module Timestamp: 00000000
Exception Code: 80000003
Exception Offset: 0105d1e4
OS Version: 6.2.9200.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: 1a2a
Additional Information 4: 1a2aa8e38ac8adbb6fe1e594fa623c2e

I have the same problem

I have the same problem sig.

Can I go back to previous version? I deleted and need a 3.6 download site.

Anyone?

Awful update! New FF is lame

Awful update!
New FF is lame and broken Chrome, based on Chromium.
U'd better make good Tor Bundle w/o f*cking chrome-based FF and teach ppl how to configure any Chromium-based browsers (Chrome, FF. Opera).
U sold urself to the wrong browser.

Classic Theme Restorer can

Classic Theme Restorer can mostly fix that.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

Firefox isn't based on

Firefox isn't based on Chromium, the new UI was just designed to look like Chrome; there's significant differences in the internals. There is the unfortunate choice of "chrome" as a pseudo protocol to access browser internals, but that actually predates the Google Chrome browser. As for using any Chromium-based browser with tor, I remember reading that Chromium's doesn't handle certificates in a way that works well with tor and can break anonymity. If you really need to use a Chromium-based browser with tor, you probably should use an isolating proxy.

Also, while Opera uses the Blink layout engine which is part of Chromium, it isn't based on Chromium as a whole like Google Chrome is. Google Chrome is pretty much just repackaged Chromium with a few additional nonfree components. Like Flash.

Hi, this version is can't

Hi, this version is can't delete the "CNNIC" certificate, how to delete it? Thanks very much!

Certificates about China

Certificates about China Internet ,eg China Internet Network Information Center EV Certificates Root ,CNNIC ROOT and Entrust.net Secure Server Certification Authority ,cann't be forbidden or deleted in TBB 4.0, WHY??????It's said that those certificates are dangerous while accessing some websites.

HTTPS Everywhere can check

HTTPS Everywhere can check certificates to detect MITM, you just have to enable that feature.

unfortunately this sends all

unfortunately this sends all of your certs to Google last time I heard (SSL Observatory), which violates the threat models of many TBB users

I thought it sent them to

I thought it sent them to the EFF (a non-profit committed to privacy), and it can do it over tor (hopefully it gives the ASN on the exit node you use, if not just make sure to uncheck the part about telling them what ISP you're using.

Why do you not establish a

Why do you not establish a hidden service (or multiple of them) to update TBB? That doesn't rely on any CA.

Hi, I don't know if anyone

Hi, I don't know if anyone is using Vidalia, Tor Bandwith Usage is always 0 when it is listening TBB 4.0 with meek-azure. I want to know why and how to view your rate TBB produced and deletet the nodes.

I would like to thanks the

I would like to thanks the developers of TOR for the hard work and the steady improvement of security. But I also have to say that the foundation of TB (means: Firefox) is getting worse by every update (of FF). The continual integration of features like WebGL, social media APIs, codecs and removal on the ability to turn off JavaScript by menu should give food for thought. Plus, the new Australis UI is really dreadful. Dumbing down everything IS NOT EQUALS improving usability. Just because everything is round, not everything is more beautiful. And c'mon... Burger menu... If I want a burger Menu, I choose Chrome or go the Mac Donald's ;-).
But like said. This is not critique to the TOR developers. But maybe they should think about the future of FF. Just my 2 cents.

There doesn't seem to be

There doesn't seem to be much in the way of other options, though NoScript can at least kill WebGL and audio/video and plugins are blocked.

Classic Theme Restorer works well enough, something other than Firefox might be nice but what?

Use noscript to disable

Use noscript to disable javascript. The end.

It is not the problem of the

It is not the problem of the ability to disable. But the decision to remove the option from the FF menu is very questionable. Why? If people turn of JavaScript, web pages are not working properly anymore? So what! Why remove a well known feature from the menu and keep the functionality to turn on/off JavaScript in the back end anyway?
And there are plans to get the rid of addons. This is definitely not the reason why I switched to FF years ago.

Mozilla has done alot of

Mozilla has done alot of shady actions this year to effectively end their reputation as "Committed to you, your privacy and an open Web"

I think FF devs rightfully

I think FF devs rightfully think that the ppl who disable FF from the menu are the same ppl who will know how to disable it, with the same level of ease, from about:config.

on one level this appears to

on one level this appears to make sense, but in my opinion does not hold up at all once you start looking through all the other even-more-obscure options they've left UI-visible.

it's quite telling that mozilla's pages telling you about their commitment to your privacy drop google analytics on you..

While Firefox devs may make

While Firefox devs may make a number of bad decisions the problem with suggesting TB switch to a different browser is there needs to be a better alternative out there that more than just power users can use.

That is indeed true. To say

That is indeed true.
To say "make a fork of FF" seems to be a easier said than done.
Creating a own fork: Enough resources to maintain TOR and the fork?
Using an existing FF fork like Palemoon: I don't know.
Chrome: The same problem like FF.
Opera: Open enough?
Konqueror: Usable and platform independent enough?
Safari: LOL.
IE: No comment...
Year, and we are back to square one. Really a quandary...

Palemoon might be the

Palemoon might be the closest though they branched it to MPL only as far as I can tell (tor project would probably want dual licensing) and there's no macintoy version.

Realistically only Gecko based browsers are likely to have the API hooks needed without lots of extra work.

huzzah! finally back to

huzzah! finally back to having a semi-modern firefox!

so now google street view works (without flash)!

if you miss the old google maps (which TBB users have been using until now) see http://googlesystem.blogspot.com/2013/10/classic-google-maps-url.html

linux64, gets stuck at

linux64, gets stuck at loading -- 85% bootstrap, trying to establish first hop connection but nothing happens.
3.6.6 works fine.

Any idea what is the issue?

after installing 4.0 tor

after installing 4.0 tor keeps telling me that something went wrong when i start it up whats the chance anyone has ideas to fix this please used tor for a while now and never had a problem

Wont work downloaded

Wont work downloaded installed wont open very frustrating indeed

make sure you downloaded the

make sure you downloaded the right build for your operating system, and that your download is complete

Hello. I used not to be able

Hello.
I used not to be able to play mp4 files in the tor browser (because the browser couldn't support natively mp4 codecs) but with the new 4.0 version it can. Before it used to just give me the option to download the file, now it plays. Is it intentional, and how can I choose to donwload the file? Instead of playing the video, how can I download it? Thanks.

Interestingly, I used to be

Interestingly, I used to be able to play mp3s in 3.6.6 and earlier, but now I can't.
The browser crashes every time and notes an issue with "xul.dll"

It took a lot of headache for me to get mp4 videos to work after awhile, but I'm not even sure how that happened. The modified preferences don't seem to have anything to do with video or mpeg.

is this related to the following? re:concerns about vulnerabilities

https://trac.torproject.org/projects/tor/ticket/12212

thanks

In theory Tor Browser

In theory Tor Browser shouldn't play any videos other than WebM and OGG. That's because Firefox only has native support for those codecs/formats. If you play them, that's because Tor Browser is getting plugins from the system (which might be leaking sensitive information) or that Firefox has new native support for those formats (mp4 and such).
I don't know if the new version of firefox has such support.

I have finally discovered

I have finally discovered what caused Tor Browser Bundle to now be able to play mp4 files. It's because the new firefox has the ability to use gstreamer plugins (if installed in your system) to play the h264 codecs. Which makes me ask: is it safe?? Or can gstreamer plugins leak any sensitive information (like DNS requests)??
I have found a workaround to this you just go to "about:config" and search for "media.gstreamer.enabled" and set it to false. At least it prevents gstreamer from being loaded into the browser. HOWEVER IT MIGHT CAUSE FINGERPRINTING PROBLEMS, BECAUSE YOUR BROWSER WILL ACTUALLY LOAD ANY VIDEO INSIDE A WEBPAGE WHICH IS DIFFERENT BEHAVIOR FROM VANILLA TOR BROWSER BUNDLE! USE AT YOUR OWN RISK! I will open a bug concerning this.

about:downloads is not on

about:downloads is not on the NoScript whitelist causing any downloads not to update in that tab until manually reloaded (unless you have JS enabled).

Why is it a good idea to

Why is it a good idea to include Firefox Sync? I'm sure it can be used in a secure way but it just doesn't feel right.

FireFox Sync CANNOT be used

FireFox Sync CANNOT be used in a secure and private way because it is designed in a way to collect information. Please stop considering Mozilla FireFox to be "secure" and "cares about your privacy" because it's not, there's basic security features that are still missing 4from it, out of mere neglect, carelessness, and hypocrisy (e.g. sandboxing)

After this fix, I'm unable

After this fix, I'm unable to move the "Refresh" button to it's normal spot, next to the back button. This is where it is in every other browser I use, so it's where I click without thinking. What is the security enhancement provided by locking the refresh button to the right of the address bar and taking away the ability to move it where I want?

Classic Theme Restorer can

Classic Theme Restorer can do that.

https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

Please don't suggest

Please don't suggest installing addons without mentioning that they may open users up to security flaws or deanonymization attacks.

Me here,using transport

Me here,using transport pluggable The TorBrowser 4.0 is running very well,but Three Certificates such asChina Internet Network Information Center EV Certificates Root /CNNIC ROOT/Entrust.net Secure Server Certification Authority cann't be forbidden.

Yeah, I find this bug too,I

Yeah, I find this bug too,I cannot forbid Chinese Certificates.Maybe a bug for newest version of firefoxESR?

Thank you for this great

Thank you for this great update. I love this interface and have been happy while using it with Firefox.

I just had one question, can I use Disconnect and privacy badger (from EFF) with tor browser?

It will make you much easier

It will make you much easier to track since you won't look like everyone else.

Simple answer: No.

Please do not discourage

Please do not discourage users from layering on additional security & privacy settings without any rhyme or reason. The primary reason it makes one "easier to track" is because everyone is discouraged from using things like the EFF's privacy badger. If people were free to decide their level of security for themselves, there would be the "it's that one person who uses Tor Browser Bundle with PB and Disconnect" risk, as there would be more people who had this setup. Furthermore Privacy Badger will change over time, so the first time you go to a site it may block different things than subsequent visits. Accounting for this in tracking software is non-trivial to say the least.

So I say, go ahead and install them if you want. You should realize that since you will not be requesting certain things (as that's the entire purpose of PB), and so a site could identify that it was the same person visiting the site multiple times, however if you're logging in with a pseudonym then this is of no concern as there's no more risk than without PB.

Simple and accurate answer: It depends on your security goals.

If you're just trying to hide your location and remain pseudonymous, then it's fine.

If you're attempting to avoid being identified as the same user with multiple visits to the same site, then it's possible that it's a bad idea. While I may be confident that the gains of PB will outweigh the negative side effects, that's for each person to decide.

When using Tor Browser 4.0,

When using Tor Browser 4.0, it asks me to contact system administrator. It said is blocked because of the system settings.
Kindly guide.
PS:I can use earlier version of tor though.

The exact lines are: This

The exact lines are:
This operations has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
I have installed it on the system in new directory.
Please answer..

First things first: Huge

First things first:
Huge thanks, hugs and love etc. for all the work you have done for us so far! For me personally, the TBB has been running flawlessly ever since I've started using it.
While I feel a bit dickish for adding to what I feel is more than enough clueless individuals complaining without trying to figure things out themselves, the following two things must be mentioned:

1. This Australis abomination needs to GTFO. Please make it stop if you can find the time to do it. Might have been mentioned before, will try to figure it out myself. But I wouldn't wanna mess up anything relevant to TBBs security features. It just hurts the eyes extremely bad, as I find overly round edges distasteful to say the least ;(
But enough crying and taking things for granted which clearly aren't.

2. This one might actually be relevant: on a non-Windows machine, I've been seeing error messages related to NoScript overlay. Occurs when using TorButton to acquire New Identity. Will look into it more, maybe file bug report properly if it's a thing...

This is probably

This is probably https://bugs.torproject.org/13377

Yes that's the "thing" I was

Yes that's the "thing" I was referring to.

Found it in mere minutes after posting and consequently hung my head in shame for 8 nanoseconds (rough estimate, but close enough).

Ultimately, however, I had a good chuckle: partly due to the fact that I could have easily found the answer before wasting valuable time and resources, but mostly because the bug number appeared even more odd considering my short bout of having "the stupids and lazies" spoke quite the contrary.

But what does 1337 even mean here on the internet in times when once "established and "respectable" printed newspapers, you could even say most media in general, consider the term "selfie" to be an actual word. In my opinion this neologism has taken the ongoing abuse of language way too far.

Oh well. Silly ranting about unimportant matters doesn't change shit, but what can you say in times like these, which are clearly governmentally insane, when fellow humans are confusing electronics-store openings with religious ceremonies.
I guess it all somehow fits the picture in the weirdest possible way. Something's off...feels wrong.

So in addition to the huge respect I already have for your tireless work and dedication, which is already saving many peoples lives and freedom,
I thank you for your patience and for taking the time to reply to my post.

But also know that the Tor Project's work has helped me personally a great deal in terms of keeping my sanity and not giving up hope for some positive change. Love ya'll.

Become a Tor advocate! Go

Become a Tor advocate! Go out and tell people why Tor is important, how it's protecting our eroding freedoms, and how it's not about scary people wearing masks or people talking about dark webs.

haha - you mean policemen

haha - you mean policemen masks...

That's a great suggestion!

That's a great suggestion! And rest assured that in fact I am already doing as much as much as my schedule allows me to, even making compromises in terms of getting no rest when I absolutely should. With my closest friends and family, I have found it OK to do that.

But even with them - being what I consider intelligent, open minded and capable individuals - it has been so ridiculously difficult to get the point across.
You probably know people with whom you can communicate in ways where there is no need for even using words to do so. And in my world even under said circumstances I have been met with resistance and lazy excuses. They say things like "I like what I am used to." "My day has been long enough already, I have no patience for this right now". Well, at least they are starting to see it, but very very slowly. And I will never ever give up. Because I care for them.

Another issue causing the above mentioned problem of having too little time is a result of the fact that I work in a profession which is very demanding on ones spirit, where it is an absolute must that you prioritize and take good care of your self lest it tears your soul apart and breaks you. It doesn't pay too well either, but money a sick joke anyway so I don't mind all that much. I am very happy to be able to do what I do, because it is spiritually fulfilling.

But as you can probably relate: Being passionate about things is a bit difficult because you can only do so much in one day. Oftentimes I reflect on days passed and gone, wishing I had done more. I will remain do whatever I can.

Humanity can't resist being reasoned with forever, or can it? ;)

After downloading and

After downloading and extracting the tarball, I was "treated" to the following:

- my bookmarks: gone;
- my browser configuration: gone;
- Pentadactyl's configuration: gone.

Antics like the ones you pulled with this release give the whole OSS movement a bad name.

At the very least, you should have changed the name of the directory that the tarball extracts to. If you really wanted to do something professional, instead, you should have included a first-run script to move the user's old stuff to the new, horribly redundant, directory hierarchy.

Be ashamed.

From this very blog

From this very blog entry:
This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work.
Maybe you'll learn to read release notes next time.

The blog post suggests that

The blog post suggests that you don't try to install over a preexisting install. In fact, that was never a supported feature in the first place. Don't go complaining about what an installer does when you just skim through the installer and don't pay attention to its warnings.

see - others OSes use

see - others OSes use "extract it and run" approach. WHY you need installer in first place? Its primary purpose is to add staff in not accessible by users places for auditing etc.

No, the primary purpose of

No, the primary purpose of the installer is because too many users were clicking 'run' rather than 'save' back when Tor Browser was a zip, and then when they closed the browser, they couldn't find it on their system anymore (since it never got there in the first place) and ended up confused.

We thought a simple zip was the much better solution too, until we actually watched users try to use it.

It might still be a good

It might still be a good idea to have a simple .zip lying around for more advanced users (but can a windows or mac user even be called advanced?) on the View All Downloads page.

May also be easier for those who need to run tor from removable media.

I'm sure your old files are

I'm sure your old files are still there, new browser uses new directory structure, so that's why you cannot see your old profile on the new browser.

They did warn this would

They did warn this would happen :D

Can't install Tor 4.0. AVG

Can't install Tor 4.0. AVG pops up with message that the install file is malware. The file is too big for AVG to work with so it crashes my computer. Windows 7 64 operating system. Tor 3.6.6 works OK.

Sounds like two bugs in your

Sounds like two bugs in your antivirus -- one that it falsely flags this binary (but that's not surprising, since the whole concept of antivirus is a losing game -- see https://decvnxytmk.oedi.net/docs/faq#VirusFalsePositives ) and the second is that your antivirus program crashes your computer. Can you report the bugs to your antivirus company?

NOOOOOOOOOOOOOOOO Why

NOOOOOOOOOOOOOOOO Why Chromwzilla firefox|?

That's mozilla's mistake

That's mozilla's mistake (they design it) not torproject

How do I download the .asc

How do I download the .asc for verification. Every time I click the link, the .asc file is opened in tab on the browser, rather than prompting me to download.

Right click is your friend.

You could right click on the

You could right click on the link and then "save link as". Or copy the link location and use a command line tool like wget to fetch the signature file you need. The possibilities are plentiful. Don't give up trying so soon :)

It probably depends on your

It probably depends on your browser. In my Firefox, I right-click and choose 'save link as'.

(But to be fair, actually I right click and choose "Copy Link Location" and then paste the URL into wget. But again, it depends how you like downloading things.)

I've downloaded the new

I've downloaded the new version, but when I click on "Start Tor Browser" nothing happens. Nothing at all. This means i cannot acces Tor anymore, because I deleted the older version.

Hi, I would like to run Tor

Hi,

I would like to run Tor on my Debian Wheezy to help the project.
Maybe this is a stupid question, but is there a way to split the internet connection and have a browser working through TOR and other stuff through my regular internet connection? Cause I want to stream videos for example and the speed is not that good for streaming through TOR, or using social media and not getting Warnings because my account looks like it is accessed from various ip addresses from all over the world.

Looking forward for some recommendations and/or documentation.

Thanks

You can do three things: A)

You can do three things:

A) apt-get install tor and then edit /etc/tor/torrc to become a relay or a bridge. That way you'll be contributing bandwidth to the Tor network. For much more detailed instructions, see
https://decvnxytmk.oedi.net/docs/tor-relay-debian

B) Run the Tor Browser, and use it when you want safety for your web connections.

C) Use some other browser or other application when you don't want safety for your Internet activity.

You can do all three of these at the same time. Just running Tor Browser doesn't magically push all your traffic through it.

Hope that helps!

FEDS ARE FUNDING TOR...LOOK

FEDS ARE FUNDING TOR...LOOK OUT!

http://reason.com/blog/2014/07/30/feds-gave-tor-project-18m-while-also-…

Dear yelling person, Please

Dear yelling person,

Please also see
https://vbdvexcmqi.oedi.net/blog/transparency-openness-and-our-2013-fin…

Thank you for pointing that

Thank you for pointing that out. At:
https://decvnxytmk.oedi.net/about/findoc/2013-TorProject-Form990.pdf

In Part VII, we see that the top three earners got ~ $150,000 in 2013.

Back in 2007, only Nick Mathewson was getting paid ($100,000).

If NSA was going to try to bribe anybody, that'd seem to be the guy.

--

Medium7

Thank god someone is funding

Thank god someone is funding tor, without the us gov you wouldn't have it. and btw the us gov does NOT want tor broken, this is one tool they wouldn't give up because they use it too, and they use it the most.

I was with you until that

I was with you until that last part. They use it the most? We have millions of daily users at this point -- it seems unlikely that any single group is a substantial fraction of that number. And that's important to its security, since the diversity of users is part of what makes it ok to be a Tor user.

Upgrading from v4.0.3 alpha

Upgrading from v4.0.3 alpha and trying to get the autoupdate triggered. Sometimes it starts. But the last time it started my circuit broke and when I restarted TBB, I could not retrigger it. Has anyone determined the Secret Link that will restart it?

Go to "Help -> About Tor

Go to "Help -> About Tor Browser" and then check for updates.

Also, I think the Tor Browser team disabled some of the "automatically notice and start fetching updates" features in 4.0-alpha-3, since they wanted to reduce the number of surprises for the alpha testers. So it's possible it will become smoother than what you're experiencing with mainstream 4.0 over time.

torbrowser 4.0 will not

torbrowser 4.0 will not start on win8.1 if Trusteer Rapport is installed on pc.
had to uninstall Trusteer Rapport to run tor

The post about the conflict

The post about the conflict with Trusteer Raport appears right! I am pleased to report that I am now able to use Tor 4.0 on windows vista sp2 after disabling Trusteer Raport.

To disable, make sure firefox is closed, go to : start menu>all programs>trusteer endpoint protection>stop trusteer endpoint protection.

Thank you so much!! Does

Thank you so much!!
Does disabling Rapport have any adverse effects?

as usual, don't forget to

as usual, don't forget to disable javascript.

When will

When will https://check.torproject.org support TLS 1.1 & 1.2?

I've opened a ticket to move

I've opened a ticket to move the service to a newer VM:
https://bugs.torproject.org/13491/

Under NoScript

Under NoScript Options-->Advanced tab-->HTTPS tab-->Permissions tab

Why isn't the default under "Forbid active web content unless it comes from a secure (HTTPS) connection left on "When using a proxy (recommended for use with tor)" and instead left on "Never"? The more secure default would seem to be "always" (forbid active web content) followed by the tor-specific setting. Could you please clarify why active web content is never forbidden in the default NoScript configuration?

You might like (or

You might like (or hate)
https://decvnxytmk.oedi.net/docs/faq#TBBJavaScriptEnabled
(including the reference to ticket 9387)

thanks--i've been following

thanks--i've been following 9387 for a while now.

i'm still curious if you have any specific thoughts in response to my question. my impression as someone outside the dev team is that some of these decisions have not been made and/or translated into shipping releases in some cases.

"Websites can easily

"Websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity."

Could you explain that or link-reference?

Thanks

I get th waiting for

I get th waiting for moderation thing....! But 4.0 is broken....! Reset to old version ,then diagnostic the new but get the old version back online...! This is frustrating....!

I feel sorry for those who

I feel sorry for those who work on TOR. They work hard on trying to help keep us safe on the Internet but then get showered with complaints. Making bug fix suggestions is fine, but please people bear in mind this software is free unless you contribute. So please keep the complaints none personal unless you want the developers to say "oh screw this I am out of it" and we loose a valuable resource. I am certain the NSA and others would love to scoop it up, paying new developers highly so they can find out what we are all up to. TOR 4 needs a rebuild for sure, but I will go back to 3.6.6 until the developers can fix things.

Me

Guys & Girls - TOR we have a

Guys & Girls - TOR we have a big problem. (java script Exploit problem)

This means one thing stop using Firefox 31.2.0
fucking

now

.

Or disable java script fully, and get the flash plugin out of the system folder that TOR-Browser does not try to ennumerate it and then disable it, just not let it find it.

(put it for normal operation in local plugin folder of your clearnet browser)

Because getting 404 (see below) from tor-4.0 download page this means somebody might have recognized the problem and tries to stop it from spreading.

What's whacky and no information about this error:

1.) Firefox 31.2.0-ESR has a "security problem" when certain java script tries to call the flash plugin it has something to do with a video class declared.

Keep in mind the plugin is disabled.

It crashes the browser I could replicate it with the non-tor version of Firefox 31.2.0 ESR on the source and you can use it for a heap spraying attack, I analyzed that code and it did not, it was just accidently triggering the hole.

2.) https://tor.eff.org/dist/torbrowser/4.0/torbrowser-install-4.0_en-US.exe

I tried to download tor-4.0 again and got a "404 Not Found"
through tor and through clearnet

If there's a vulnerability

If there's a vulnerability in javascript in 31-esr2, please report it?

Also, the reason you were getting a 404 is because that's not the Tor website, it's just a mirror that EFF runs. See also
https://lists.torproject.org/pipermail/tor-mirrors/2014-October/000727…

Given that Tor Browser

Given that Tor Browser doesn't ship with adobe flash anyways, and in order to get it to work with flash you need to do some technical manipulation, adobe flash exploits really aren't something to be concerned about.
Also, writing javascript as "java script" suggests although it does not prove that you don't understand exactly what javascript is.. It's like using "java" and "javascript" interchangeably.
On a similar note, there's a difference between the versions of Tor Browser and Tor. Tor Browser is the one at 4.0, Tor is in the 0.2.5.x versions. You're not the only one to make that mistake, and it might be a minor one but it makes you come off as not knowing what you're talking about.

“One document provided by

“One document provided by Snowden included an internal exchange among NSA hackers in which one of them said the agency’s Remote Operations Center was capable of targeting anyone who visited an al-Qaeda Web site using Tor.”

If it is true, it isn't restricted to al-Qaeda Web sites. Is it just the worst case? It is very devious, the CIA invented al-Qaeda, so these websites are honeypots. So the CIA will protect al-Qaeda, rather than terminate it. Devious!

De-cloaking Tor users doesn’t necessarily require a federal budget either. According to a couple of researchers slated to speak at Black Hat in a few weeks[ix]:

“In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months. The total investment cost? Just under $3,000.”

Is this still to be considered?

http://www.counterpunch.org/2014/07/18/the-nsa-wants-you-to-trust-tor-s…

What they meant by

What they meant by "targetting" was that they'd put their intercept boxes on the Internet near the target website, and then look for web requests going to it and inject attacks that would break into the web browser of users who visit the website. This sort of attack doesn't care whether the user is routing their traffic over Tor, since it's about attacking the endpoint. For more details see
https://vbdvexcmqi.oedi.net/blog/yes-we-know-about-guardian-article
and
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-networ…

As for the Black Hat thing, see
https://vbdvexcmqi.oedi.net/blog/tor-security-advisory-relay-early-traf…

“One document provided by

“One document provided by Snowden included an internal exchange among NSA hackers in which one of them said the agency’s Remote Operations Center was capable of targeting anyone who visited an al-Qaeda Web site using ___Tor____.”
Am I reading right? And why push unready browser with suspicious settings?

You're not quite reading it

You're not quite reading it right. Or rather, they intentionally wrote it poorly so you would end up not reading it right. :(

It means they can target anybody visiting the website, including people using Tor.

Now, mind you they could also specifically only try to attack people using Tor. That would be straightforward to do -- you watch the website for connections coming in, and then you check each IP address to see if it's a Tor exit relay, and if it is, you inject something into the response that tries to break into the user's web browser.

This passage exists in

This passage exists in Washington Post also. Nevertheless, new buggy browser will be much help, is it not? And up-to-date tor exit lists are available in wild net.
Funny, did anybody see such official up-to-date lists with nsa addresses?

Roger, these are all fair

Roger, these are all fair comments but I think issue the OP was pointing out was that if TBB users can be exploited using Firefox 0days in this way when reading things that are interesting to intelligence agencies, that probably means attackers can also inject from elsewhere to infect anyone using TBB and we may never know if 5 or 50% or all of TBB users can be or will be exploited by intelligence agencies or some other adversary.

I agree that this doesn't really mean that Tor is broken, but if people using your tools can still get owned because of upstream problems, they're still going to get owned and will still be concerned even if their concerns are misplaced.

I would encourage the OP to consider using TAILS from a connection not linkable to them while taking multiple other steps to ensure operational security if they're concerned about these types of attacks.

Yep. If only somebody could

Yep. If only somebody could make the Qubes + VM + iptables approaches easily usable by the Windows users, we'd all be in better shape.

For more on Firefox code security, see also
https://vbdvexcmqi.oedi.net/blog/isec-partners-conducts-tor-browser-har…

but ... nobody can. just

but ... nobody can. just clicking on website page can not lead to steps like
- download and install virtualizer (like VirtualBox)
- create/download vm image with the user's version of Windows
- put tbb into this image and make snapshot (or use immutable image)
- start vm-windows-tbb in seamless windows mode, with shared folders etc.
- etc.
AND all this while showing just 'downloading xx%' to the user for not frighting him/her.
"you must be aware of the incredible stupidity of that class"

Whonix is probably your best

Whonix is probably your best bet for something like that at the moment.

https://www.bbc.com/news/worl

https://www.bbc.com/news/world-latin-america-29639241

I will see your unexplained

I will see your unexplained URL and raise you one:
https://decvnxytmk.oedi.net/download/download#warning

"So the CIA will protect

"So the CIA will protect al-Qaeda, rather than terminate it."
Terminate? Why should they? It's a golden goose.

I too have the same problem

I too have the same problem with Tor 4.0 on Win 7.
Tor crashes with Gmail for login. Login is successful, but Tor crashes completely in about 10 seconds. The google asks while logging in that it will install some image to identify to computer every time I login.. If I say no,, next ten seconds it crashes.. 2nd time I tried from VMware machine installing TOR 4.. n clicked yes some kinds image from google.. it allowed with out crash .. SH**T Google wants to recognize us..

Tor pp.. please find the solution for this..

Tor 4.0 on Win Vista crashes

Tor 4.0 on Win Vista crashes shortly after opening Gmail ( some 10 seconds after) as other users with different OS have reported.

Previous version of TOR still works fine on my Vista.

Any reason ?

Any solution ?

Thanks !

hope Vidalia will back

It has been unmaintained and

It has been unmaintained and abandoned for years.

It will only come back if you do it. And you'll have a lot of work to do.

Okay, but how can you use

Okay, but how can you use another (Mozilla forked) browser to connect to the tor network then?

Hm? This makes no sense.

Hm? This makes no sense. Vidalia was just a way to visualize and interact with your Tor. It's unrelated to the browser.

Unlikely, though most of

Unlikely, though most of what it did you can do with arm (just figure out what port TBB's tor runs on, pass it to arm with the -i option then bang the keyboard for a bit to enter the password).

https://www.atagar.com/arm/

Tails and the Torbrowser

Tails and the Torbrowser suffer of a common bug.
It is possible using javascripts to connect to other computers in the LAN, including (for the Torbrowser) with 127.0.0.1 that might host a local website. A connection to 192.168.0.1 or 192.168.1.1 might find out the version of an installed home router and send it via Tor to a hidden service or anyway to a remote website. Exploiting the common bugged home routers it's possible to access, without password requests, to a page that contains the public IP address of the modem and sent the page's content out.
It's generally possible to access a resource located on the LAN using img src="..." without javascript, but likely to no usefulness in this case.
The surprise comes with Tails however. Because it was a surprise as it was noted that it had suffered from the same vulnerability. It won't protect against this vulnerability.
Believe me or not. Here in Germany we have already successfully exploited that bug several months ago in a targeted attack... getting the IP from NETGEAR routers bypassing the password request. I tested the javascript exploit myself, it connected via javascript with [geshifilter-code]http://192.168.0.1/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+…] to get the IP from the testing modem i had been given (a NETGEAR router) skipping the HTTP Basic authorization request and later sent the Ip via AJAX to a server i won't say.
The exploit works with and without Tor (with or without the Torbrowser and Tails -- no difference). In many cases it could be used to steal the configuration file of the modem that contains the ADSL credentials, so that it's a dangerous attack also for the normal everyday's clear Net users.
One more thing, it's very likely for all NETGEAR modems to be backdoored; or using our own language "misconfigured".

Tor Browser removes all the

Tor Browser removes all the entries from "no proxy for", so it shouldn't let you make any non-Torified connections, including to 127.0.0.1 or to 192.168.1.1, even if you allow JavaScript. If you can make it do one anyway, please open a ticket at
https://bugs.torproject.org/

I don't know about Tails, but I hope they use Tor Browser's settings here too. If they don't, please open a ticket for Tails:
https://tails.boum.org/doc/first_steps/bug_reporting/index

(To be clear, does your attack involve breaking into the browser and then inducing it to bypass the 'no proxy for' settings? Or just giving it some normal javascript to run or img links to load?)

The Tor user got a private

The Tor user got a private message with a link. The link had to be safe in appearance pointing to a Tor hidden service. However the HTML of the page deployed the javascript that worked deanonymizing the Tor user. At all meetings javascript was always referred as the most prominent vehicle of exploits against the Torbrowser, as it's the easiest and only way to execute an arbitrary program client-side.
I suggest never to reveal details about the used hardware and to keep javascript disabled while surfing in Internet in general.

I'm still using the Tor

I'm still using the Tor Browser 3.6.6 (debian amd64) and i can confirm you that i am able to connect with hosts in the LAN. I don't know about the version for Windows and this fucked Chrome Tor 4.0.
I checked Tails and the same is possible with cUrl as root and with Firefox as normal user. For the record looking at "no proxy for" it says: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Misconfigurations?

As I understand it, Tails

As I understand it, Tails launches TBB under user "amnesia" which is prohibited by the Tails firewall to connect to anything but the Tor (or I2P) Daemon:
https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/e…

Obviously as root u can do anything.

Obviously not! If iptables

Obviously not!

If iptables were configure properly, you could use it to prevent the root user to access the clearnet.
At least not to allow system programs and a user logged as root to mistakenly access the internet.
The root user can reconfigure iptables, but this requires a step more that isnt required at the moment. An exploit could force a program running as root to connect with an arbitrary host without being able to execute code remotely to disable iptables.

Better safe than sorry. Not for Tails. Tails is configured like shit. The link you posted proves what im saying.

Tails is designed to be

Tails is designed to be dummy-proof system used without logging in as root, many of the unique features of Tails are expicitly tampered by using the root user, e.g. accessing hard drives. The idea is that even if some malware manages to take control of the amnesia user, it still cannot identify him (unless he used the persistent volume and kept there identifying info) and cannot harm the machine.

So the optional and unrecommended root user is there for highly competent users, those that would know and understand the iptables configuration and how to change it to their satisfaction.

GTK: Can you PLEASE make an

GTK:

Can you PLEASE make an announcement about the now broken (err...'better') UI for this TB release?!

As you can see, LOTS of users are confused and not happy about the change. Can you please update your blog post to make comments about this? Maybe link to the Mozilla web page explaining the change?
https://support.mozilla.org/en-US/questions/997275

I'm pretty surprised Tor didn't think this would upset users. I realize it's not Tor's fault, but you should at least make your users aware of what happened and what their options are (e.g. show Menu Bar, or the various add-ons like "Classic Theme Restorer" (note someone mentioned it changes window size by 1 pixel) or "The Addon Bar (Restored)").

i would suggest that upon

i would suggest that upon updating, auto-loading a static page with the changelog (like noscript does except static/local) would be a good opportunity for communicating these types of changes to users

That's a really great idea,

That's a really great idea, so that means it won't happen.

Well, I opened

Well, I opened https://trac.torproject.org/projects/tor/ticket/13512 to find out what they think of it.

To all readers: The Tor

To all readers:

The Tor Projects concern with NoScirpt's sub-script feature seems to be their assumption that ALL users use white-lists. Well, just don't use a white-list ;-)

Simply use temporary allow ONLY.

I for one will NOT allow Google Analytics to run, ever.

Not entirely; their concern

Not entirely; their concern lies more with the fact that allowing some javascript but not others to run is detectable. The selection you make for which scripts to run or not run is more information for fingerprinting, as there are ways to tell if some javascript but not all is blocked. Temporarily allow doesn't fix the issue because you're likely to Temporarily allow the same list of sites in future sessions, making it easier to link those sessions. To make matters worse, if you use similar settings on your clearnet browsing, it could be used to give a tentative identification!

I doubt more so than

I doubt more so than allowing GA to run, and other things like that.

Also, I doubt most people visit the same site with Tor as they do without Tor...

Tor isn't just used by power

Tor isn't just used by power users. Tor Browser is targeted towards the general population who may not necessarily have the greatest understanding what threatens online anonymity. Personally, I make sure to use different browsing habits through Tor than I do without Tor, but that doesn't mean that I don't inevitably have some sites that I end up visiting both with Tor and without Tor. Of course I make sure to use them differently and they're all high traffic sites.
What you have to realize is that the average person doesn't have the education in Privacy/Data Correlation/etc to make use of Tor without shooting themselves in the foot. This doesn't mean that they don't have a need for anonymity; they may live in regions or countries that are repressive, and I mean worse than the NSA. The goal of Tor Browser is to make many of the common mistakes hard to accomplish compared to the earlier usage of Vidalia, etc. If you listen to some of the stories about teaching people how to use Tor, they really do treat it like they would any other web browsing experience. These are still people who have a need for Tor; in fact they probably have a greater need for Tor than the average person debating on Tor's blog. They just don't have that voice here.

Add this to your

Add this to your torrc:

MapAddress www.google-analytics.com 127.0.0.1
MapAddress ssl.google-analytics.com 127.0.0.1

Requests are redirected to localhost. Problem solved. Google Anal-Ytics is blocked.

But there are other surveillance servers out there. Log your requests on pageload and add them to torrc.

Hi. I have a problem with

Hi. I have a problem with TOR 4, after a few minutes of use, Firefox 31.2.0.0 I think, crashes and a window pops up. The gist of the messages are:

problem with TOR v.4, Firefox 31.2.0 dies after a couple minutes or so. error messages ---
firefox.exe
appver: 31.2.0.0
modname: xul.dll
modver: 31.2.0.0
offset:0105d1e4
code: 0x80000003
flags:0x000000000
record:0x0 *all zeroes*
address: 0x000000000225d1e4

rest of report available upon request (modules by number, doesn't point anything else out to me, I'm not clear how to save it to a file, as I can't highlight and copy the text, maybe there is a better way or it auto saves to a file unknown to me).

Oh, the problem I just had

Oh, the problem I just had said it was in "xul.dll" if that helps.

Upon downloading and running

Upon downloading and running v 4.0, I immediately received a Firefox keylogger warning for the onion browser. I blocked it, but this is worrisome.

The onion browser? Isn't

The onion browser? Isn't that the name of an ios app?

Assuming you meant Tor Browser, and assuming you're on Windows running some sketchy antivirus detection thing, see
https://decvnxytmk.oedi.net/docs/faq#VirusFalsePositives

But please do investigate further if you can!

tor 4.0 will not run if

tor 4.0 will not run if Trusteer Rapport is installed i had to uninstall it to get tor working

Strange white strip bar at

Strange white strip bar at the bottom of the browser window. Please take a look bit.ly/1CHgmyb. Appears on every page cropping out the pages from bottom. It gets disappeared if the TBB window is maximized for a moment, but that solves it temporarily as a new fresh start of TBB brings this issue back.

Me too! I thought that was

Me too! I thought that was only my OS.

TB has a small bar of whatever is in the background, but when TB is moved or window resized it goes away.

Do you want to open a bug report now that I can confirm the issue on Win 7 64bit?

Narrow bar at bottom of each

Narrow bar at bottom of each new page mirroring background
https://trac.torproject.org/projects/tor/ticket/13500

installed 3.6 and got

installed 3.6 and got prompted to update and opened a page with a place to do so. DL new version and installed. Now i crash when i open app. Win 7 64

Listen up guys! NSA gets

Listen up guys!

NSA gets early access to zero-day data from Microsoft, others
http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-d…

*Microsoft and other companies give the government so much information....talk about privacy laws.

FBI pressures Internet providers to install surveillance software
http://www.cnet.com/news/fbi-pressures-internet-providers-to-install-su…

*And the feds all of a sudden want to fun Tor? Look up articles, cause it says feds just donated money to the Tor Project

The NSA is giving your phone rechttp://www.washingtonpost.com/blogs/the-switch/wp/2013/08/05/the-nsa-is… to the DEA. And the DEA is covering it up.

*Fight crim is good but really? All records?

We should indeed be worried

We should indeed be worried about the tendency of large corporations to give up their user data to governments (and heck, to others too).

As for your "all of a sudden", it seems you haven't been paying attention. Various parts of the government have been funding privacy research and development for a long time now.

But I'll also point out that the feds you talk about (FBI, NSA, DEA) haven't funded Tor.

first of all, thank you,

first of all, thank you, thank you and thank you again for your efforts to make web secure and reachable for us, in these dark parts of the world, shadowed by tyrannical gov's.
I have 2 questions:
1- why I can't use some of websites? this problem came after last two versions of TOR and still exists. so many sites, from normal Persian news sites to subtitle sites, don't let me use them with TOR. some of them absolutely don't, some of the killing me with captcha tests! why?
http://digarban.com/ http://subscene.com/
2- I installed a weather forecast add-on and set my city up on that. after that, I removed that add-on, closed TOR and shut down my PC. next time that I run TOR, when I installed the same add-on, the add-on knew about my city! how could is this possible?! shouldn't the cache and cookies (and also IP) be removed and renewed every time we run TOR?
thank you again for your efforts to make world a better one :)
a fan

1. See

1. See https://vbdvexcmqi.oedi.net/blog/call-arms-helping-internet-services-ac…

2. I wonder if you didn't really remove the add-on, but rather disabled it or something else that made you think it was removed when actually it was just lurking in the background.

Just downloaded the new

Just downloaded the new release and replaced my old Tor folder with the new.

Now when I try to start Tor I get this:

sh start-tor-browser
start-tor-browser: 221: start-tor-browser: Syntax error: "(" unexpected

Help?

I start mine with

I start mine with ./start-tor-browser

It looks like the start-tor-browser script is bash, not sh (which for me is dash).

What instructions told you to run it with sh?

Read the release notes, it

Read the release notes, it clearly said that wouldn't work.

Same here. no: sh

Same here.
no: sh start-tor-browser
no: sh ./start-tor-browser

works for me: ./start-tor-browser

hth

I get the same thing. I am

I get the same thing. I am running Ubuntu 14.04 and am using the same command.

Yeah, you're running it

Yeah, you're running it wrong.

It's a bash script. Not a dash script. So, start it with ./start-tor-browser like it wants to be started.

same here

I am also getting this in

I am also getting this in ubuntu 14.04

$ sh start-tor-browser
start-tor-browser: 221: start-tor-browser: Syntax error: "(" unexpected

You're running it wrong. See

You're running it wrong.

See above comment for how to run it correctly.

crashes on

crashes on www.littlegreenfootballs.com

PLEASE fix

PLEASE fix this.Quick:
https://trac.torproject.org/projects/tor/ticket/13254
#13254 new defect
Setting `security.nocertdb` to `true` breaks pageinfo dialog.

It's annoying.

Thanks

W T F Torbrowser Where is

W T F Torbrowser
Where is 'Page Info' -> Media

Firefox gets more and more like Tamagotchi.
Is this intentional?

You mean this

You mean this one?
https://support.mozilla.org/en-US/kb/page-info-window-view-technical-de…

Huh. You're right, my Iceweasel has the media tab but my Tor Browser doesn't.

Reported as
https://trac.torproject.org/projects/tor/ticket/13489

'Nice' to know that some

'Nice' to know that some feedback posts here are 'not really read'

Like this point
(among other points at longread post in oktober 16th)

1) Torbrowser 4.0 browser feedback

- Media tab is still missing in page information while this tab is available in firefox ESR versions and torbrower 3.6.5 and before.

- Security tab, Technical details is still empty.

By the way, again, this problem already exists since version 3.6.5

The new 4.0 Tor browser

The new 4.0 Tor browser bundle didn't work at first, since found out that Rapport needed to be disabled for it to work correctly = Windows 8.1 64bit Rapport disabled works now

Well that's not very good -

Well that's not very good - probably why mine won't work - but I want Rapport and don't want to disable it whilst using Tor.

It is not possible to

It is not possible to control which nodes (or country) are used for exit anymore? I used to edit the torc file with the ExitNodes function, but it is not working anymore

Does this still work in Tor

Does this still work in Tor Browser 3.6.6? (See: https://archive.torproject.org/tor-package-archive/torbrowser/3.6.6/) We have https://bugs.torproject.org/13051 that might be related.

Well that was a weird one. I

Well that was a weird one. I installed the new version, it instantly flagged firefox.exe as a threat on AVG, figured it was false positive so I just deleted the installer and downloaded again with no problems. Most of my addons transferred through, some settings have returned to default some not. Strange stuff!

It's quite amusing. WHY do

It's quite amusing. WHY do you believe in "strange stuff" AVG and don't believe in TBB downloaded across HTTPS connection from torproject.org web site???
Surely it will be better for torproject.org to have link to 'securenet' onion site to download staff, but anyway...

Using a hidden service to

Using a hidden service to fetch the 45+ megabytes means double the load on the network. It's already not clear if the Tor network can handle millions of people updating their browser over Tor.

What you really want here is "encrypted services":
https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xx…
which reduces the load on the network on the service side. But nobody has finished fleshing out the design or building it. That could be you!

But really, another fine answer is pinning the cert that you expect on the other end of the https connection, and also actually signing the update. As the blog post here says, those are the next steps for the Tor Browser team.

Just don't forget there are

Just don't forget there are users who use only tor for all web access! So maybe add link marked "slow but secure"?
Or do you mean hidden services are too heavy for tor network? Or for the hidden web site? I'm not sure I'm catching you...
BTW as it's you who compiles tbb package, you can add your own ca and not invite any third party between you and yours users.
(you can even name it 'nsa top secure root ca' etc.)

Thinking about it some more,

Thinking about it some more, I actually think signing the update is a more secure approach than running it on a hidden service. The hidden service approach is basically like https but without the awful "turkish telekom can pretend to be any website it wants to be" problems. But for updates, the property we want is "that file I got, and it doesn't matter how I got it, is the one I want".

So if you sign the files, you can do that offline, and then it doesn't even matter if somebody breaks into the webserver or computer hosting the hidden service.

Anyway, how can you _proof_

Anyway, how can you _proof_ that tbb root ca certificates are what there are pretended to be? Users _ought_ to believe package creators.

And signing roughly just means: file hash is verified by (any)entity having private key as confirmed by (any)root ca from your list.
Maybe better to grant that an update is signed with the same key as the base package ? (aka pinning)

Signing is orthogonal to hidden service which will add protection against 'who get what' tracking. IF they are not broken of course.

Concerning distribution: maybe 'users help yourself' concept as in edonkey/imule/torrent will drastically lower server load? As a package creator you have the opportunity to (optionally?) add hidden service to every client and let them share downloaded parts of tbb.

I'm so pleased my TBB 4

I'm so pleased my TBB 4 issues are shared. It won't configure "always ask to save files" download. It just tells Mozilla to 'pologise for inconvenience and closes.

BTW: This is why I always keep a copy of an earlier TBB on file. I reinstalled 3.6.6 and here I am.

Please fix TBB 4.O

Change 3.6.6 useragent into

Change 3.6.6 useragent into 4.0 version

If you use Tbb 3.6.6. again, maybe you should consider to change at least your useragent in the newer Tbb 4.0 one in the about:config settings.

In this case your browser is telling websites that it is an up to date mozilla browser which maybe can prevent you a bit from scripts that are targeting by detecting older browser version strings.

Old Tbb 3.6.6 useragent, just search for 'user', you'll find it.
general.useragent.override;
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

New Tbb 4.0 useragent
general.useragent.override;
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Consider changing the numbers 24.0
into 31.0

Remember it's just a tiny 'reversed social engineering trick', also know as 'a bit security by some obscurity'.
No guarantees but every tiny security bit can help.

@ developers
In Tbb 4.0 this useragent is still set on rv 17 ? It may not matter but seems odd.

extensions.torbutton.useragent_override;Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0

you can put there anything

you can put there anything you like, even Windows95. Or random text to let there databases explode. But better do not use "windows" string it will attract specific exploits.

I always download and save,

I always download and save, using TBB, the most recent TBB for my XP. Then I close the Tor browser and delete all Tor relevant files. Then I run CCleaner and reboot.

After this self-imposed procedure I open and install the latest iteration of the TBB - but always keeping a copy of the previous to hand. In the pc's backup external hdd, if you must know. Most of us do!

And TBB 4 won't install properly. I also now note that many others have reported similar issues. In my case it failed to accept a new download destination - My Pictures. I re-installed TBB 3.6.6; reconfigured same and hastened my issues over to your blog.

What else do I need to do? TIA

My english is very poor,so i

My english is very poor,so i only tell you the fact that TBB 4.0 is working very good now.

Can somebody confirm that

Can somebody confirm that TBB 4 is known to work on Debian Wheezy stable? I get

/usr/lib/i386-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by /root/tor-browser_en-US/Browser/libxul.so)
Couldn't load XPCOM.

Wheezy uses GCC 4.7 with libstdc++ 6.0.17, but TBB 4 depends on GLIBCXX_3.4.20 which is in libstdc++ 6.0.20 with GCC 4.9, which aren't available in Wheezy. Did I miss something, or does TBB 4 not run on Wheezy?

Didn't you knew that we are

Didn't you knew that we are the beta-testers? We aren't the end user.
Releases of Tor and the TBB are always bugged beyond imagination.
The end users are the FBI, the CIA, the NSA, the american govt.
Ofc it doesn't work on Debian Wheezy. Wait and even the update for us, the less fortunate, will come.
Thank you for your bug report.

This person opened the

This person opened the ticket here:
https://trac.torproject.org/projects/tor/ticket/13505
and hopefully they will follow up to answer the questions.

To all TB users, here's how

To all TB users, here's how to unbreak this version of TB's UI. Realize though there are issues with fingerprinting (changing window size for example) and the add-ons have not been vetted by Tor Project:

How to make the new Firefox look like the old Firefox
https://support.mozilla.org/en-US/kb/how-to-make-new-firefox-look-like-…

Right-Click Menu Change
http://forums.mozillazine.org/viewtopic.php?f=7&t=2865005

Tab title color not

Tab title color not uniform
https://trac.torproject.org/projects/tor/ticket/13501

Tor Browser 4.0 is released

Comments