wiki:doc/TorBrowserBundle3FAQ

These FAQs answer some questions users may have during the transition from the 2.4 Tor Browser Bundle to the 3.x series.

The 3.x series has a number of changes:

Links:

Where did the world map (Vidalia) go?

Vidalia has been replaced with Tor Launcher, which is a Firefox extension that provides similar functionality. Unfortunately, circuit status reporting is still missing, but we are working on providing it.

In the meantime, we are providing standalone Vidalia packages for people who still want the map. Windows and Linux versions are available at https://people.torproject.org/~erinn/vidalia-standalone-bundles/.

To use these packages, extract them, then run the startup script. On Windows, this is "Start Vidalia.exe". On Linux, it is start-vidalia. They can be placed in a different directory from TBB (and likely should be).

This Vidalia package will only run properly if Tor Browser has already been launched. You cannot start it before launching Tor Browser.

MacOS is still under development, but in the mean time you can modify your TBB 2.x to be a standalone Vidalia (and then use it after starting TBB 3.x) by opening your TBB 2.x vidalia.conf file in an editor and replacing its contents with just these lines:

[General]
LanguageCode=en

[Tor]
ControlPort=9151
TorExecutable=.
Torrc=.
DataDirectory=.
AuthenticationMethod=cookie

How do I disable JavaScript?

Alas, Mozilla decided to get rid of the config checkbox for JavaScript from earlier Firefox versions. And since TBB 3.5 is based on Firefox 24 (FF17 is unmaintained), that means TBB 3.5 doesn't have the config checkbox anymore either. :(

The simplest way to disable JavaScript in TBB 3.5 is to click on the Noscript "S" (between the green onion and the address bar), and select "Forbid scripts globally". Note that vanilla NoScript actually whitelists several domains even when you try to disable scripts globally, whereas TBB's NoScript configuration disables all of them.

The more klunky way to disable JavaScript is to go to about:config, find javascript.enabled, and set it to false.

There is also a very simple addon available at addons.mozilla.org called QuickJS, which provides a toolbar toggle for the javascript.enabled about:config control. There are no configuration options for the addon, it just switches the javascript.enabled entry between true and false and provides a button for it.

If you want to be extra safe, use both the about:config setting and NoScript.

As for whether you should disable it or leave it enabled, that's a tradeoff we leave to you: https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

How do I verify the download (sha256sums.txt)?

You can still verify your Tor Browser download by downloading the signature file (.asc) along with your package and checking the GPG signature as before. We now have an additional verification method that allows you to verify the build as well as the download.

This new verification process ensures that no part of the software build-upload-download process has been compromised, from the developer's computer to the user's.

  • Download the Tor Browser package, the sha256sums.txt file, and the sha256sums signature files. They can all be found in the same directory under https://www.torproject.org/dist/torbrowser/, for example in 3.5 for TBB 3.5.
  • Download the signers' GPG keys. This can be done from the command line by entering something like gpg --keyserver keys.mozilla.org --recv-keys 0x29846B3C683686CC (This will bring you developer Mike Perry's public key. Other developers' key IDs can be found on this page.)
  • Verify the sha256sums.txt file by executing this command: gpg --verify <NAME OF THE SIGNATURE FILE> sha256sums.txt.
  • You should see a message like "Good signature from <DEVELOPER NAME>". If you don't, there is a problem. Try these steps again.
  • Now you can take the sha256sum of the Tor Browser package. On Windows you can use the hashdeep utility and run C:\location\of\your\hashdeep -c sha256sum <TOR BROWSER FILE NAME>. On Mac and Linux you can run sha256sum <TOR BROWSER FILE NAME> without having to download a utility.
  • You will see a string of letters and numbers.
  • Open sha256sums.txt in a text editor
  • Locate the name of the Tor Browser file you downloaded.
  • Compare the string of letters and numbers to the left of that filename with the string of letters and numbers that appeared on your command line. If they match, you've successfully verified the build.

Scripts that automate these steps are available, but to use them you will need to modify them yourself with the latest Tor Browser filename.

Why did we go through so much trouble to create this new verification process? These additional verification steps are designed to protect against an increasing landscape of cyberthreats that might someday target Tor users.

How do I use pluggable transports?

Recent versions of Tor Browser have pluggable transports built in (starting with 3.6-beta-1). You must choose which transport you want to use in the configuration interface. When you start the browser for the first time, select Configure. At the question Does your Internet Service Provider (ISP) block or otherwise censor connections to the Tor Network?, say Yes and choose the type of pluggable transport you want to use.

To use obfs3 or fte, choose it from the selection box. If you need extra bridges, you can get them from https://bridges.torproject.org/ and enter them in the box for custom bridges.

To use flashproxy, select it and follow the steps in FlashProxyHowto.

Why does "New Identity" close all my open tabs?

That's actually a feature, since it's discarding your application-level browser data too. But it sure is a surprising feature, for people who are used to Vidalia's "new identity" behavior.

We're working on ways to make the behavior less surprising, e.g. a popup warning or auto restoring tabs. See ticket 9906 and ticket 10400 to follow progress there.

In the mean time, you can get Vidalia's old "newnym" functionality by attaching a Vidalia to your TBB3.5. See the instructions above.

How do I configure Tor as a relay or bridge?

You've got three options.

First (best option), if you're on Linux, you can install the system Tor package (e.g. apt-get install tor) and then set it up to be a relay (instructions). You can then use TBB independent of that.

Second (simpler option), if you're on Windows, you can fetch the separate "Vidalia relay bundle" or "Vidalia bridge bundle" from the download page and then use that (again you can use TBB independent of it).

Third (complex option), you can either hook your Vidalia up to TBB (as described in the FAQ above) or edit your torrc file (in Data/Tor/torrc) directly to add the following lines:

    ORPort 443
    Exitpolicy reject *:*
    BridgeRelay 1  # only add this line if you want to be a bridge

If you've installed Obfsproxy, you'll need to add one more line:

    ServerTransportPlugin obfs3 exec /usr/bin/obfsproxy managed

This third option is pretty klunky right now; see e.g. this bug; but I'm hoping it will become an easy option in the future.

Why are the file timestamps from 1999?

One of the huge new features in TBB 3.x is the "deterministic build" process, which allows many people to build the Tor Browser Bundle and verify that they all make exactly the same package. See Mike's first blog post for the motivation, and his second blog post for the technical details of how we do it.

Part of creating identical builds is having everybody use the same timestamp. Mike picked the beginning of 2000 for that time. The reason you might see 7pm in 1999 is because of time zones.

Where is the source code for the bundle? How do I verify a build?

Start with https://gitweb.torproject.org/builders/tor-browser-bundle.git and https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/README.build

Last modified 4 years ago Last modified on Mar 31, 2014, 3:35:36 AM