Hi, TBB 3.6.2 is ready for testing. It contains an updated tor (0.2.4.22), an updated OpenSSL (1.0.1h) due to the flaws published last week (https://lists.torproject.org/pipermail/tor-talk/2014-June/033161.html) and the security fixes of the upcoming Firefox 24.6.0 ESR. Furthermore, it supports proxies with Pluggable Transports now. The bundles can be found at: https://people.torproject.org/~mikeperry/builds/3.6.2/ Here is the complete changelog: * All Platforms * Update Firefox to 24.6.0esr * Update OpenSSL to 1.0.1h * Update NoScript to 2.6.8.28 * Update Tor to 0.2.4.22 * Update Tor Launcher to 0.2.5.5 * Bug 10425: Provide geoip6 file location to Tor process * Bug 11754: Remove untranslated locales that were dropped from Transifex * Bug 11772: Set Proxy Type menu correctly after restart * Bug 11699: Change   to in UI elements * Update Torbutton to 1.6.10.0 * Bug 11510: about:tor should not report success if tor proxy is unreachable * Bug 11783: Avoid b.webProgress error when double-clicking on New Identity * Bug 11722: Add hidden pref to force remote Tor check * Bug 11763: Fix pref dialog double-click race that caused settings to be reset * Bug 11629: Support proxies with Pluggable Transports * Updates FTEProxy to 0.2.15 * Updates obfsproxy to 0.2.9 * Backported Tor Patches: * Bug 11654: Fix malformed log message in bug11156 patch. * Bug 10425: Add in Tor's geoip6 files to the bundle distribution * Bugs 11834 and 11835: Include Pluggable Transport documentation * Bug 9701: Prevent ClipBoardCache from writing to disk. * Bug 12146: Make the CONNECT Host header the same as the Request-URI. * Bug 12212: Disable deprecated webaudio API * Bug 11253: Turn on TLS 1.1 and 1.2. * Bug 11817: Don't send startup time information to Mozilla. Georg
Georg Koppen:
Hi,
TBB 3.6.2 is ready for testing. It contains an updated tor (0.2.4.22), an updated OpenSSL (1.0.1h) due to the flaws published last week (https://lists.torproject.org/pipermail/tor-talk/2014-June/033161.html) and the security fixes of the upcoming Firefox 24.6.0 ESR. Furthermore, it supports proxies with Pluggable Transports now. The bundles can be found at:
Everything works well, apart from the initial connection to https://panopticlick.eff.org. The result is a warning page saying that the connection is untrusted (error code: sec_error_unknown_issuer) and there is no way to proceed. Toggling noscript.alwaysBlockUntrustedContent from true to false fixes the problem, and then after toggling back to true the problem does *not* reoccur when restarted. It is only the first load after extraction which is the issue. I don't recall this happening before. Maybe a change in NoScript? (The root cause appears to be that the intermediate chain isn't being pushed from the server.) On the plus side, the result from Panopticlick is very good! Testing: tor-browser-linux64-3.6.2_en-US.tar.xz Platform: Debian 7.5 Processor: Intel(R) Pentium(R) CPU B950 @ 2.10GHz Tor *v0.2.4.22* (git-345e00dc68a052fe) Libevent 2.0.21-stable OpenSSL *1.0.1h* Firefox: *ESR 24.6.0* System Tray Icon: no, present with vidalia-standalone Network Map: no, present with vidalia-standalone New ID without losing tabs:no, yes with vidalia-standalone TBB Launches successfully: yes Connects to the Tor network: yes Browser toolbars and menus work, tab dragging works: yes All extensions are present and functional: yes - HTTPS-Everywhere 3.5.1 - NoScript *2.6.8.28* - TorButton 1.6.10.0 - TorLauncher *0.2.5.5* WebBrowsing works as expected - HTTP, HTTPS, .onion browsing works - HTML5 videos work (http://videojs.com/) - http://ip-check.info/?lang=en - ok - https://panopticlick.eff.org/ - unique among 3,325, 11.7 bits of identifying information SOCKS/external apps work as expected: yes Uses a bridge: yes -- kat
Katya Titov:
Georg Koppen:
Hi,
TBB 3.6.2 is ready for testing. It contains an updated tor (0.2.4.22), an updated OpenSSL (1.0.1h) due to the flaws published last week (https://lists.torproject.org/pipermail/tor-talk/2014-June/033161.html) and the security fixes of the upcoming Firefox 24.6.0 ESR. Furthermore, it supports proxies with Pluggable Transports now. The bundles can be found at:
Everything works well, apart from the initial connection to https://panopticlick.eff.org. The result is a warning page saying that the connection is untrusted (error code: sec_error_unknown_issuer) and there is no way to proceed. Toggling noscript.alwaysBlockUntrustedContent from true to false fixes the problem, and then after toggling back to true the problem does *not* reoccur when restarted. It is only the first load after extraction which is the issue. I don't recall this happening before. Maybe a change in NoScript? (The root cause appears to be that the intermediate chain isn't being pushed from the server.)
This happens with a clean, new TBB 3.6.1 as well. Thus, it is not related to anything new in TBB 3.6.2. Georg
Georg Koppen:
Katya Titov:
Georg Koppen:
Everything works well, apart from the initial connection to https://panopticlick.eff.org. The result is a warning page saying that the connection is untrusted (error code: sec_error_unknown_issuer) and there is no way to proceed. Toggling noscript.alwaysBlockUntrustedContent from true to false fixes the problem, and then after toggling back to true the problem does *not* reoccur when restarted. It is only the first load after extraction which is the issue. I don't recall this happening before. Maybe a change in NoScript? (The root cause appears to be that the intermediate chain isn't being pushed from the server.)
This happens with a clean, new TBB 3.6.1 as well. Thus, it is not related to anything new in TBB 3.6.2.
Thanks Georg. I ran out of time for a little while and haven't tested since 3.5.4. Hmmm ... I just extracted that version anew and it exhibits the same problem. Maybe it is because of the intermediate chain. I'll get in touch with EFF. -- kat
Katya Titov:
Georg Koppen:
Katya Titov:
Georg Koppen:
Everything works well, apart from the initial connection to https://panopticlick.eff.org. The result is a warning page saying that the connection is untrusted (error code: sec_error_unknown_issuer) and there is no way to proceed. Toggling noscript.alwaysBlockUntrustedContent from true to false fixes the problem, and then after toggling back to true the problem does *not* reoccur when restarted. It is only the first load after extraction which is the issue. I don't recall this happening before. Maybe a change in NoScript? (The root cause appears to be that the intermediate chain isn't being pushed from the server.)
This happens with a clean, new TBB 3.6.1 as well. Thus, it is not related to anything new in TBB 3.6.2.
Thanks Georg. I ran out of time for a little while and haven't tested since 3.5.4. Hmmm ... I just extracted that version anew and it exhibits the same problem. Maybe it is because of the intermediate chain. I'll get in touch with EFF.
For what it's worth, I've also emailed Giorgio of NoScript. Since changing that NoScript option seems to prevent the issue, it seems like NoScript may be at fault here somehow.. Though I am also wondering if it is perhaps an interaction between NoScript and HTTPS-Everywhere. Thanks for narrowing this down to that NoScript option in TBB though! That was extremely helpful. -- Mike Perry
Mike Perry:
For what it's worth, I've also emailed Giorgio of NoScript. Since changing that NoScript option seems to prevent the issue, it seems like NoScript may be at fault here somehow.. Though I am also
Thanks Mike.
wondering if it is perhaps an interaction between NoScript and HTTPS-Everywhere.
Thanks for narrowing this down to that NoScript option in TBB though! That was extremely helpful.
I use Tor heavily, so I try to give back where I can - even if it is only something small! -- kat
On Mon, Jun 09, 2014 at 06:49:20AM +0000, Georg Koppen wrote:
TBB 3.6.2 is ready for testing. It contains an updated tor (0.2.4.22), an updated OpenSSL (1.0.1h) due to the flaws published last week (https://lists.torproject.org/pipermail/tor-talk/2014-June/033161.html) and the security fixes of the upcoming Firefox 24.6.0 ESR. Furthermore, it supports proxies with Pluggable Transports now. The bundles can be found at:
Hot on the heels of 3.6.2, here's a version of 3.6.2 built with meek. https://people.torproject.org/~dcf/pt-bundle/3.6.2-meek-1/ https://trac.torproject.org/projects/tor/wiki/doc/meek#Quickstart The main differences in this release are that you can now use an upstream HTTP or SOCKS proxy, and you no longer get two dock icons on OS X. In order to test a SOCKS proxy, you can use ssh with any host you have SSH access to: ssh -v -D 1080 -N <sshhost> Use Tor Browser's configuration wizard to set a SOCKS 5 proxy for localhost port 1080. David Fifield
participants (4)
-
David Fifield -
Georg Koppen -
Katya Titov -
Mike Perry