By Nathan Willis
June 19, 2013
The Tor project has now posted the first alpha builds of
the soon-to-be-released Tor Browser Bundle 3.0, which provides a newer
and faster anonymous-browsing experience than previous editions, and also revamps
a number of interface settings for simplicity. Tor's architecture can
be on the confusing side for many people, so (in theory) improved
ease-of-use translates into fewer accidentally-insecure browsing
sessions. The project is also taking the first steps into other
important features, like a means for verifying binary builds.
The browser at the heart of the Tor
Browser Bundle is a derivative of Firefox; the 3.0 release will be
based on Firefox 17 Extended Support Release (ESR). It incorporates
several changes from the upstream Firefox, including settings and
extensions that guard the user's anonymity and a pre-configured
pipeline to the anonymizing Tor network. In addition to piping all
browser traffic
through Tor, the bundle includes the HTTPS Everywhere extension to
force TLS/SSL connections to a wide variety of sites, NoScript to
selectively disable JavaScript and other executable content, and
Torbutton for one-click toggling of Tor transport.
The new bundles are available
on the Tor site. There are packages for OS X and Windows as well
as both 32-bit and 64-bit Linux systems, all in a variety of
localizations. The Linux builds are compressed tar archives; they can
be uncompressed to virtually any location and run with standard user
permissions.
Previous releases of the bundle included Vidalia, a standalone Tor
controller which allowed the user to start and stop the Tor network
connection, as well as tweak its settings. In the 3.0 browser series,
Vidalia has been replaced with a Tor Launcher browser extension, which
performs the same basic function. Users who require more
customization can still run Vidalia separately. As such, there is a
tad less "bundle" to the new Tor Browser Bundle, but there is also less
complexity to fret over.
This streamlining of the user experience is evidently a conscious
decision on the project's part; it is mentioned first in the blog
announcement of the alpha. But there is more. The new release also
includes a new default home page, a local about:tor URI.
This page provides Tor status information, a "secure search" bar
utilizing the Startpage search
engine, and links to some informational resources about both privacy
and how to get more involved in the Tor project. Perhaps the biggest
difference, though, is that this page reports whether or not Tor
has been successfully started.
This has the potential to be an important change for users in the
field; the old version of the browser was set to visit
https://check.torproject.org/ as the default homepage. While
it, too, checks that Tor is running, it has the drawback of doing so
by immediately requesting a remote page, and that could be a security
risk for those users who run the Tor browser to evade surveillance.
After all, if Tor is not running for some reason when the
browser launches, that information could be intercepted via the HTTPS
request. In addition, although Tor has greatly improved its bandwidth
in recent years, connecting to a remote site could be slow. The about:tor page performs a local test to ensure
that Tor is in fact functioning, and check.torproject.org is
still accessible as a link.
The Tor Launcher extension also fires up a "first run" wizard the
first time it is run (obviously) that asks whether the user's
Internet connection is "clear of obstacles" or is
"censored, filtered, or proxied." Choosing the first
option launches Tor in normal mode without any special settings;
choosing the second provides a set of settings windows into which one
can enter proxy addresses, open firewall ports that Tor should use,
and bridge relay
addresses to which Tor should connect. Manually entering bridge
relay addresses is an added security layer; the addresses are not
published, so they are much harder for censors to monitor or block in
advance. On the other hand, one must obtain the addresses "out of
band" so to speak—usually by emailing the Tor project.
The first-run wizard is a nice feature, although it is puzzling why
it is configured to only run one time. After all, surely it is fairly
common for Tor Browser users to run the software from a laptop. The
user can get to the wizard again by punching the "Options" button on
the "Tor is starting up" window that appears when the browser is launched,
but speed is required on anything resembling modern hardware. On my
machine, the startup window only appeared for 1.5 seconds at most.
Alternatively, resetting the
extensions.torlauncher.prompt_at_startup preference to "true"
in about:config brings it back as well; it is simply odd not
to have a setting available.
There are other changes to the 3.0 alpha builds, including a
"guided" extraction for Windows users, which helps the user
install the browser in a convenient and hopefully difficult-to-forget
location on the system, and overall reductions in the sizes of the
downloaded packages. All builds are now less than 25MB in size, a
size chosen because it makes it possible to send the package as an
attachment in Gmail.
The announcement also highlights a change in the project's build
infrastructure. The Tor Browser Bundle is now built with the Gitian trusted-build tool, which is
designed to allow independent developers to compile bit-identical
binaries, thus providing a means for verifying the integrity of a
binary package. The Tor Browser is not yet "quite at the point
where you always get a matching build," the announcement says,
but it is getting closer. Gitian is already in use by a handful of
other projects like Bitcoin.
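The bit-identical comparison described above can be sketched as follows. This is an added example, not the Tor project's or Gitian's own tooling; it assumes each independent builder publishes a sha256sum-style manifest, and the builder names, file names and file contents are constructed placeholders.

```python
import hashlib
from collections import Counter

def parse_manifest(text):
    """Parse sha256sum-style lines ('<digest>  <filename>') into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name.strip().lstrip("*")] = digest
    return entries

def compare_builds(manifests, quorum=2):
    """Map each filename to ('match', digest), ('mismatch', None) or ('unconfirmed', None)."""
    parsed = [parse_manifest(text) for text in manifests.values()]
    report = {}
    for name in sorted(set().union(*parsed)):
        counts = Counter(p[name] for p in parsed if name in p)
        if len(counts) > 1:
            report[name] = ("mismatch", None)      # builders disagree: not reproducible, or altered
        elif sum(counts.values()) >= quorum:
            report[name] = ("match", next(iter(counts)))
        else:
            report[name] = ("unconfirmed", None)   # too few independent builds to compare
    return report

def verify_download(data, name, report):
    """Accept a downloaded file only if its hash equals the digest the builders agree on."""
    status, digest = report.get(name, ("unknown", None))
    return status == "match" and hashlib.sha256(data).hexdigest() == digest

# Constructed sample data: stand-in contents, hypothetical file and builder names.
LINUX = b"constructed stand-in for the Linux bundle"
WIN_A, WIN_B = b"windows build from builder A", b"windows build from builder B"
h = lambda b: hashlib.sha256(b).hexdigest()
MANIFESTS = {
    "builder-a": f"{h(LINUX)}  bundle-linux64.tar.xz\n{h(WIN_A)}  bundle-win32.exe\n"
                 f"{h(b'osx')}  bundle-osx.zip\n",
    "builder-b": f"{h(LINUX)}  bundle-linux64.tar.xz\n{h(WIN_B)}  bundle-win32.exe\n",
    "builder-c": f"{h(LINUX)} *bundle-linux64.tar.xz\n",
}
REPORT = compare_builds(MANIFESTS)

if __name__ == "__main__":
    for name, (status, _) in REPORT.items():
        print(f"{status:12} {name}")
```

A "mismatch" result does not by itself say which builder is wrong; it only shows that the build is not yet reproducible for that file or that one of the outputs was altered.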
As a browser, naturally, the Tor Browser is quite solid. The
update to Firefox 17 ESR brings with it a host of improved web
features—although one notable addition, Firefox's built-in PDF
viewer, was not introduced until Firefox 19, so its functionality in
Tor Browser comes via the official
add-on instead. The PDF reader extension is (like more and more
Mozilla projects) implemented in JavaScript. But users will
inevitably find using Tor Browser a somewhat frustrating affair simply
because of how many sites these days rely on JavaScript and
other potentially-privacy-harming techniques. There is no silver bullet for
that problem; the best one can do is delve into NoScript exception
rules to restore functionality for specific, trusted sites.
There does not appear to be a full list of the preferences that Tor
Browser changes from the upstream Firefox release, although there are
several (e.g., it is set to never record browsing history or save
passwords). It is also a bit strange that the bundled extensions do
not include a cookie-management tool, but perhaps this is in the
interest of simplicity for the user. Finally, it is also surprising
that the builds offer no tools for finding Tor hidden
services. Hidden services are not directly related to anonymous
access to the Internet, but the project does use the browser bundle to
promote other efforts, like SSL Observatory, which is
included in the HTTPS Everywhere Extension. Still, perhaps providing
any sort of hidden service index would simply be crossing into
services best left to others.
So far there are few known issues to report, but there will
certainly be some during the alpha and beta testing cycle. The only
real caveat for power users is that the increased simplicity of the
bundle means less flexibility. The absence of Vidalia has already
been mentioned; one can also run the browser with an existing
transparent Tor router (a feature that in previous releases was
explicitly presented to the user) by jumping through some hoops.
Using the browser with a transparent router now requires setting the
TOR_SKIP_LAUNCH environment variable to 1. Of course, with a
Tor router already running, adding the Tor Browser to the mix
essentially just gives the user Firefox with fewer extensions and
plugins, but perhaps that is desirable from time to time. Then again,
where anonymity is concerned, maybe you can't be too careful.