Ok, we've finally got a beta build with the OpenSSL fix in it. It also has some other PT-related fixes, as well: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
Will probably post this in about 12 hours or so, unless someone notices something.
Here's the changelog:
- All Platforms
- Update OpenSSL to 1.0.1g
- Bug 9010: Add Turkish language support.
- Update fte transport to 0.2.12
- Update NoScript to 2.6.8.19
- Update Torbutton to 1.6.8.0
- Bug 11242: Fix improper "update needed" message after in-place upgrade.
- Bug 10398: Ease translation of about:tor page elements
- Update Tor Launcher to 0.2.5.2
- Bug 9665: Localize Tor's unreachable bridges bootstrap error
- Backport Pending Tor Patches:
- Bug 9665: Report a bootstrap error if all bridges are unreachable
- Bug 11200: Prevent spurious error message prior to enabling network.
- Linux:
- Bug 11190: Switch linux PT build process to python2
- Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
- Windows:
- Bug 11286: Fix fte transport launch error
On Wed, Apr 09, 2014 at 10:51:50PM -0700, Mike Perry wrote:
Ok, we've finally got a beta build with the OpenSSL fix in it. It also has some other PT-related fixes, as well: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
-- Mike Perry
Testing: tor-browser-linux64-3.6-beta-2_en-US.tar.xz
Platform: Debian Wheezy
Processor: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz

TBB Launches successfully - OK
Connects to the Tor network - OK
Browser toolbars and menus work. Tab dragging works. - OK
DNS - No leaks observed (wireshark)
OpenSSL - 1.0.1g

All extensions are present and functional - OK
- HTTPS-Everywhere 3.4.5
- NoScript 2.6.8.19
- Torbutton 1.6.8.0
- TorLauncher 0.2.5.2

WebBrowsing works as expected - OK
- HTTP, HTTPS, .onion browsing works
- HTML5 videos work
- ip-check.info - OK
- samy.pl/evercookie - OK (new identity clears cookie)
- phoul.github.io - Websocket open
tor-qa mailing list tor-qa@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-qa
On Wed, 09 Apr 2014, Mike Perry wrote:
Ok, we've finally got a beta build with the OpenSSL fix in it. It also has some other PT-related fixes, as well: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
There is a problem with tor-browser-linux64-3.6-beta-2_tr.tar.xz in tor-launcher: https://people.torproject.org/~boklm/tbbtests/r/3.6-beta-2-CentOS6.5-x86_64/...
The problem is when opening this URL: chrome://torlauncher/content/network-settings-wizard.xul
It shows this error:
XML ayrıştırma hatası: tanımlanmamış varlık
Konum: chrome://torlauncher/content/network-settings-wizard.xul
Satır: 16, Sütun: 1:
<wizard id="TorNetworkSettings"
Nicolas Vigier:
There is a problem with tor-browser-linux64-3.6-beta-2_tr.tar.xz in tor-launcher: https://people.torproject.org/~boklm/tbbtests/r/3.6-beta-2-CentOS6.5-x86_64/...
The problem is when opening this URL: chrome://torlauncher/content/network-settings-wizard.xul
It shows this error:
XML ayrıştırma hatası: tanımlanmamış varlık
Konum: chrome://torlauncher/content/network-settings-wizard.xul
Satır: 16, Sütun: 1:
<wizard id="TorNetworkSettings"
Alright, new builds are up that should fix the above issue and also disable the two FTE bridges that changed fingerprints: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
Let me know if anything else explodes. I hope to announce these ASAP.
Mike Perry:
Alright, new builds are up that should fix the above issue and also disable the two FTE bridges that changed fingerprints: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
Let me know if anything else explodes. I hope to announce these ASAP.
Testing: TorBrowser-3.6-beta-2-osx32_en-US.dmg
Platform: Mac OS X 10.9.2 (13C64)
Processor: 2.3GHz Intel Core i7
Memory: 16 GB 1600 MHz DDR3
Graphics: NVIDIA GeForce GT 750M 2048 MB
Display: 15-inch (2880 x 1800 Retina)

TBB Launches successfully: yes
Connects to the Tor network: yes
Browser toolbars and menus work, tab dragging works: yes

All extensions are present and functional: yes
- HTTPS-Everywhere 3.4.5
- NoScript 2.6.8.19
- TorButton 1.6.8.1
- TorLauncher 0.2.5.3

WebBrowsing works as expected
- HTTP, HTTPS, .onion browsing works
- HTML5 videos work on http://videojs.com/ and YouTube
- http://ip-check.info/?lang=en - ok
- https://panopticlick.eff.org/ - only one in 505,378, 18.95 bits of identifying information
- html5demos.com/web-socket - Not Connected / Socket Closed

SOCKS/external apps work as expected: yes (Torbirdy & Bitcoin-QT)
--------------------------------------------------------------
Also: https://www.howsmyssl.com/ :
**Your SSL client is Bad.**
Bad: Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn't have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.
Good: Ephemeral keys are used in some of the cipher suites your client supports. This means your client may be used to provide forward secrecy if the server supports it. This greatly increases your protection against snoopers, including global passive adversaries who scoop up large amounts of encrypted traffic and store them until their attacks (or their computers) improve.
Improvable: Session tickets are not supported in your client. Without them, services will have a harder time making your client's connections fast. Generally, clients with ephemeral key support get this for free.
Good: Your TLS client does not attempt to compress the settings that encrypt your connection, avoiding information leaks from the CRIME attack.
Good: Your client is not vulnerable to the BEAST attack. While it's using TLS 1.0 in conjunction with Cipher-Block Chaining cipher suites, it has implemented the 1/n-1 record splitting mitigation.
Bad: Your client supports cipher suites that are known to be insecure:
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: This cipher was meant to die with SSL 3.0 and is of unknown safety.
The cipher suites your client said it supports, in the order it sent them, are:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
On Thu, Apr 10, 2014 at 7:51 AM, Mike Perry mikeperry@torproject.org wrote:
Ok, we've finally got a beta build with the OpenSSL fix in it. It also has some other PT-related fixes, as well: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
Testing: torbrowser-install-3.6-beta-2_ar.exe
Platform: Windows 7 64-bit

Bundle components:
Firefox 24.4.0 ESR
Torbutton 1.6.8.0
NoScript 2.6.8.19
HTTPS-Everywhere 3.4.5

Tests:
- TBB Launches successfully - OK
- Browser toolbars and menus work, tab dragging works - OK
- HTTP, HTTPS, .onion browsing - Ok
- HTML5 videos work (http://youtube.com/)
- Websockets (http://websocketstest.com/) - OK
- Tor SOCKS - OK
- New identity closes all tabs and removes all cookies - OK
- Localization - OK
Pluggable transports tests:
a) FTE Test:
4/10/2014 12:50:01 PM.321 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
4/10/2014 12:50:01 PM.321 [NOTICE] Pluggable transport proxy (obfs2,obfs3 exec Tor\PluggableTransports\obfsproxy managed) does not provide any needed transports and will not be launched.
4/10/2014 12:50:01 PM.321 [NOTICE] Pluggable transport proxy (flashproxy exec Tor\PluggableTransports\flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
4/10/2014 12:50:01 PM.321 [NOTICE] Opening Socks listener on 127.0.0.1:9150
4/10/2014 12:50:01 PM.321 [NOTICE] Pluggable transport proxy (obfs2,obfs3 exec Tor\PluggableTransports\obfsproxy managed) does not provide any needed transports and will not be launched.
4/10/2014 12:50:01 PM.321 [NOTICE] Pluggable transport proxy (flashproxy exec Tor\PluggableTransports\flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
4/10/2014 12:50:01 PM.321 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
4/10/2014 12:50:05 PM.150 [NOTICE] Bootstrapped 5%: Connecting to directory server.
4/10/2014 12:50:05 PM.151 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server.
4/10/2014 12:50:05 PM.817 [WARN] Tried connecting to router at 79.125.3.12:8080, but identity key was not as expected: wanted 17AF9F9F4E57614A060B7221DCCEDB8BB546DD73 but got 272465348803EE2546A9BB8EE37D462915531F09.
4/10/2014 12:50:06 PM.156 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection.
4/10/2014 12:50:06 PM.366 [WARN] Tried connecting to router at 131.252.210.150:8080, but identity key was not as expected: wanted 271EC1874E40FE65C145C6397AA34FFF7008E50E but got 0E858AC201BF0F3FA3C462F64844CBFFC7297A42.
4/10/2014 12:50:06 PM.443 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus.
4/10/2014 12:50:06 PM.690 [NOTICE] Bootstrapped 50%: Loading relay descriptors.
4/10/2014 12:50:11 PM.473 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.
4/10/2014 12:50:16 PM.681 [NOTICE] We now have enough directory information to build circuits.
4/10/2014 12:50:16 PM.681 [NOTICE] Bootstrapped 80%: Connecting to the Tor network.
4/10/2014 12:50:17 PM.171 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit.
4/10/2014 12:50:18 PM.337 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
4/10/2014 12:50:18 PM.337 [NOTICE] Bootstrapped 100%: Done.
4/10/2014 12:50:19 PM.141 [NOTICE] New control connection opened.
Notes:
- While connecting "Open Settings" shows a yellow warning icon indicating something is wrong but tbb continues and connects anyway.
- DisableNetwork is set...
- Browsing actually works.
- Not sure what is hijacking connections here, the antivirus on this VM is completely disabled.
b) obfs3:
Works.
On 4/10/14, 9:30 AM, Sherief Alaa wrote:
On Thu, Apr 10, 2014 at 7:51 AM, Mike Perry <mikeperry@torproject.org> wrote:
Ok, we've finally got a beta build with the OpenSSL fix in it. It also has some other PT-related fixes, as well: https://people.torproject.org/~mikeperry/builds/3.6-beta-2/
...
Pluggable transports tests:
a) FTE Test:
...
4/10/2014 12:50:01 PM.321 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
...
4/10/2014 12:50:05 PM.817 [WARN] Tried connecting to router at 79.125.3.12:8080, but identity key was not as expected: wanted 17AF9F9F4E57614A060B7221DCCEDB8BB546DD73 but got 272465348803EE2546A9BB8EE37D462915531F09.
...
Notes:
- While connecting "Open Settings" shows a yellow warning icon indicating something is wrong but tbb continues and connects anyway.
The warning icon is triggered by WARN or ERR tor log messages like the one I left in the quoted text above. The icon is designed to tell people "Please check your tor log; something bad may have happened." I guess the fingerprints need to be updated for some of the PT bridges.
- DisableNetwork is set...
DisableNetwork is initially set to 1 by Tor Launcher and then later it is reset to 0. When it is set to 1, tor generates Notice-level log messages like those you saw. I am not sure what if anything we should do about those messages. They are possibly confusing but probably important to see if you run tor outside of TBB with DisableNetwork=1.
Mike Perry:
- Windows:
- Bug 11286: Fix fte transport launch error
While this is working now, it seems there are new fingerprints available for the remaining two bridges:
10.04.14 12:06:18 [0x0-0x23023].org.mozilla.torbrowser[272] Apr 10 12:06:18.000 [warn] Tried connecting to router at 79.125.3.12:8080, but identity key was not as expected: wanted 17AF9F9F4E57614A060B7221DCCEDB8BB546DD73 but got [snip]
10.04.14 12:06:18 [0x0-0x23023].org.mozilla.torbrowser[272] Apr 10 12:06:18.000 [warn] Tried connecting to router at 131.252.210.150:8080, but identity key was not as expected: wanted 271EC1874E40FE65C145C6397AA34FFF7008E50E but got [snip]
And I did not get flashproxy to run at all (but did not try hard).
10.04.14 12:04:21 [0x0-0x23023].org.mozilla.torbrowser[272] Apr 10 12:04:21.000 [warn] We were supposed to connect to bridge '0.0.1.0:1' using pluggable transport 'flashproxy', but we can't find a pluggable transport proxy supporting 'flashproxy'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
10.04.14 12:04:21 [0x0-0x23023].org.mozilla.torbrowser[272] Apr 10 12:04:21.000 [warn] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Can't connect to bridge; PT_MISSING; count 1; recommendation warn)
This might be no surprise given that I just started the Tor Browser with flashproxy enabled in the TorLauncher dialog. If users are supposed to do additional things we should tell them that somehow...
Georg
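
Added example, not part of the thread and not Tor Project code: a small triage script that pulls the bridge identity-key mismatches and missing pluggable transports discussed above out of a tor log, in both the Tor Launcher and syslog line formats. The function name, report keys, sample addresses and fingerprints are assumptions made for the illustration.

```python
import re

# Only message bodies are matched: the timestamp prefix differs between the
# Tor Launcher log window and syslog, so nothing before the text is anchored.
SEVERE = re.compile(r"\[(?:warn|err)\]", re.I)
BOOTSTRAP = re.compile(r"Bootstrapped (\d+)%")
MISMATCH = re.compile(
    r"Tried connecting to router at (?P<addr>[^,\s]+), but identity key was "
    r"not as expected: wanted (?P<wanted>[0-9A-F]{40}) "
    r"but got (?P<got>[0-9A-F]{40}|\[snip\])", re.I)
PT_MISSING = re.compile(
    r"can't find a pluggable transport proxy supporting '(?P<pt>[^']+)'")

def triage(lines):
    """Summarise bridge-related problems found in tor log lines."""
    report = {"warning_icon": False, "bootstrap": 0,
              "mismatches": [], "missing_transports": set()}
    for line in lines:
        # Per the thread, any WARN or ERR message lights the warning icon.
        if SEVERE.search(line):
            report["warning_icon"] = True
        if (m := BOOTSTRAP.search(line)):
            report["bootstrap"] = max(report["bootstrap"], int(m.group(1)))
        if (m := MISMATCH.search(line)):
            got = m["got"].upper()
            report["mismatches"].append({
                "bridge": m["addr"],
                "pinned": m["wanted"].upper(),
                # "[snip]" means the reporter redacted the observed key.
                "observed": None if got == "[SNIP]" else got,
            })
        if (m := PT_MISSING.search(line)):
            report["missing_transports"].add(m["pt"])
    return report

# Constructed sample lines; addresses and fingerprints are placeholders.
PIN_A, NEW_A, PIN_B = "A1" * 20, "B2" * 20, "C3" * 20
SAMPLE = [
    f"4/10/2014 12:50:05 PM.817 [WARN] Tried connecting to router at 192.0.2.10:8080, "
    f"but identity key was not as expected: wanted {PIN_A} but got {NEW_A}.",
    "4/10/2014 12:50:18 PM.337 [NOTICE] Bootstrapped 100%: Done.",
    f"Apr 10 12:06:18.000 [warn] Tried connecting to router at 192.0.2.20:8080, "
    f"but identity key was not as expected: wanted {PIN_B} but got [snip]",
    "Apr 10 12:04:21.000 [warn] We were supposed to connect to a bridge, but we "
    "can't find a pluggable transport proxy supporting 'flashproxy'.",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A bridge listed under "mismatches" whose log still reaches "Bootstrapped 100%" matches what was reported here: the bundled fingerprint for that bridge is stale while other bridges carry the connection.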