Download Tor Browser Bundle 4.0

Version 4.0 has been released of the Tor Browser Bundle. Tor stands for The Onion Router and is a network that can be used to surf the internet anonymously. All users’ tcp traffic is routed through different Tor routers, after which it is no longer possible for the recipient to trace who the original sender was. This information is still present within the Tor network, so that answers – of course also via the system of routers – eventually arrive at the right place. The release notes for this release can be found below.

Tor Browser 4.0 has been released

The first release of the 4.0 series is available from the Tor Browser Project page and also from our distribution directory. This release features important security updates to firefox. Additionally, due to the POODLE attack, we have also disabled SSLv3 in this release. The primary user-facing change since the 3.6 series is the transition to Firefox 31-ESR.

More importantly for censored users who were using 3.6, the 4.0 series also features the addition of three versions of the meek pluggable transport. In fact, we believe that both meek-amazon and meek-azure will work in China today, without the need to obtain bridge addresses.

This release also features an in-browser updater, and a completely reorganized bundle directory structure to make this updater possible. This means that simply extracting a 4.0 Tor Browser over a 3.6.6 Tor Browser will not work. Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help (“?”) “about browser” menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures.

There are also a couple of behavioral changes relating to NoScript since 3.6. In particular, by default it now enforces script enable/disable for all sub-elements of a page, so you only need to enable scripts once for a page to work, rather than enabling many sub-scripts. This will hopefully make it possible for more people to use the “High Security” setting in our upcoming Security Slider, which will have Javascript disabled globally via NoScript by default. While we do not recommend per-element whitelisting due to fingerprinting, users who insist on keeping this functionality may wish to check out RequestPolicy.

Note to MacOS users: We intend to deprecate 32bit OSX bundles very soon. If you are still using 32bit OSX 10.6, you soon will need to either update your OS to a later version, or begin using the tails live operating system.