Skip to content

TorBrowser 4.0 released

16. Oct 2014

DO NOT OVERWRITE THE OLD VERSION, instead extract it to a new folder, because the folder structure was changed to make the auto-updater feature work. The auto-update feature is not enabled by default. There is still on-going work for this feature, which can be turned on under “Help > About”, at your own risk.

This release takes care of the attack on SSLv3, includes security fixes from Firefox and changes the behavior of NoScript.


The mentioned change regarding NoScript (applies to TorBrowser) is that you can enable/disable JavaScript on a site with all sub-elements. This change will allow more users to make use of disabling and enabling JavaScript. It is planned to have JavaScript turned off by a recommended setting. The TorBrowser still has to implement the security slider.

Changes since last release:

  • All Platforms
    • Update Firefox to 31.2.0esr
    • Update fteproxy to 0.2.19
    • Update Tor to (from
    • Update NoScript to
    • Update Torbutton to (from
      • Bug 13378: Prevent addon reordering in toolbars on first-run.
      • Bug 10751: Adapt Torbutton to ESR31’s Australis UI.
      • Bug 13138: ESR31-about:tor shows “Tor is not working”
      • Bug 12947: Adapt session storage blocker to ESR 31.
      • Bug 10716: Take care of drag/drop events in ESR 31.
      • Bug 13366: Fix cert exemption dialog when disk storage is enabled.
    • Update Tor Launcher to (from
      • Bug 11405: Remove firewall prompt from wizard.
      • Bug 12895: Mention as a valid bridge request email address
      • Bug 12444: Provide feedback when “Copy Tor Log” is clicked.
      • Bug 11199: Improve error messages if Tor exits unexpectedly
      • Bug 12451: Add option to hide TBB’s logo
      • Bug 11193: Change “Tor Browser Bundle” to “Tor Browser”
      • Bug 11471: Ensure text fits the initial configuration dialog
      • Bug 9516: Send Tor Launcher log messages to Browser Console
    • Bug 13027: Spoof window.navigator useragent values in JS WebWorker threads
    • Bug 13016: Hide CSS -moz-osx-font-smoothing values.
    • Bug 13356: Meek and other symlinks missing after complete update.
    • Bug 13025: Spoof screen orientation to landscape-primary.
    • Bug 13346: Disable Firefox “slow to start” warnings and recordkeeping.
    • Bug 13318: Minimize number of buttons on the browser toolbar.
    • Bug 10715: Enable WebGL on Windows (still click-to-play via NoScript)
    • Bug 13023: Disable the gamepad API.
    • Bug 13021: Prompt before allowing Canvas isPointIn*() calls.
    • Bug 12460: Several cross-compilation and gitian fixes (see child tickets)
    • Bug 13186: Disable DOM Performance timers
    • Bug 13028: Defense-in-depth checks for OCSP/Cert validation proxy usage
    • Bug 4234: Automatic Update support (off by default)
    • Bug 11641: Reorganize bundle directory structure to mimic Firefox
    • Bug 10819: Create a preference to enable/disable third party isolation
    • Bug 13416: Defend against new SSLv3 attack (poodle).
  • Windows:
    • Bug 10065: Enable DEP, ASLR, and SSP hardening options
  • Linux:
    • Bug 13031: Add full RELRO hardening protection.
    • Bug 10178: Make it easier to set an alternate Tor control port and password
    • Bug 11102: Set Window Class to “Tor Browser” to aid in Desktop navigation
    • Bug 12249: Don’t create PT debug files anymore

From → General

  1. Drago permalink

    Anyone else getting a message saying that Version 4.0 is out of date when starting up and directing to download Version 3.6.6? Running on Windows 7 64 Bit.

Comments are closed.

%d bloggers like this: