Tor Browser 5.5a6-hardened is released
A new hardened Tor Browser release is available. It can be found in the 5.5a6-hardened distribution directory and on the download page for hardened builds.
This release features an important fix for a crash bug in one of our patches. All users are encouraged to update immediately as this bug is probably exploitable if Javascript is enabled. The bug was not exploitable at High security level, or on non-HTTPS websites at Medium-High security level.
Note: There is no incremental update from 5.5a5-hardened available due to bug 17858. We plan to have this fixed for the next release. The internal updater should work, though, doing a complete update.
Here is the complete changelog since 5.5a5-hardened:
- All Platforms
- Update NoScript to 2.9
- Update HTTPS Everywhere to 5.1.2
- Bug 17931: Tor Browser crashes in LogMessageToConsole()
- Bug 17875: Discourage editing of torrc-defaults
Comments
Please note that the comment area below has been archived.
NoScript still, huh? Do a
NoScript still, huh?
Do a web search on the past confrontation over its cryptic streamed ad allowance with the AdBlock author. Are you sure it's not happening anymore? Then consider its current default behavior to white-list scripts from its 2 web sites and "phone back home" the user's info after every upgrade/installation.
Even if you change this default spying behavior in Tor Browser... You still include it in every single Tor Browser on the planet. Isn't it enough risking?
This page mentions the alternatives to NoScript and AdBlock (uMatrix and uBlock):
https://help.riseup.net/en/security/network-security/better-web-browsin…
Anyone cares to evaluate them for TBB? And perhaps there are others.
Why does NoScript behave
Why does NoScript behave differently in Tor Browser vs. Firefox?
NoScript recently (version
NoScript recently (version 2.9.0.2) removed informaction.com, flashgot.net and maone.net from the default whitelist.
Are there windows builds of
Are there windows builds of tor browser hardened?
No.
No.
Whose key is this signed
Whose key is this signed with? I want to verify the download.
The Tor Browser Developers
The Tor Browser Developers Signing Key which is used for the stable and alpha bundles as well.
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
http://glenngreenwald.net/
http://glenngreenwald.net/
I find it appalling you (Tor
I find it appalling you (Tor devs) have to devote
so much of your limited man-power to fixing
Mozilla bugs and/or quirks.
I would rather the Torproject concentrates on
The Onion Routing - protocols, hardening and implementation. Is it REALLY REALLY necessary
for Torproject to maintain an own browser - at all,
esp. based on such unmainainable monster as
Mozilla/Netscape/Firefox has evolved into ?
Please consider concentrating on enhancements
of Tor itself, letting people run their borwsers
and other net connceted apps of choice. Of course
we plain users will still always appreciate your advising
and helping us select and tune our browsers, etc. But for Deity's sake, concentrate on fixing and hardening Tor.
Alas, it is still really
Alas, it is still really necessary to ship our own browser. The risk of a user getting deanonymized by using a vanilla Firefox (or worse Chrome, IE...) + Tor is quite high (at least in the long-term not counting problems with plugins like Flash) as all the options for tracking or fingerprinting a user allow to generate a pretty unique fingerprint.
But there is hope as we are working close with Mozilla to get our patches upstreamed. So, one day we might be able to get rid of the fork and devote even more energy to Tor itself (which is still getting the bulk of attention development-wise I'd say).
That would be nice. Right
That would be nice. Right now I don't really trust Firefox. It seems like I need to find and disable several new features in each version of Firefox that could phone home or store history or affect security. Recently, Pocket and extension signing. I have several local extensions (mostly changing menus, hotkeys, etc., no risk of deanonymization) and they keep threatening that I won't be able to run them without giving up anonymity by submitting them to Mozilla for signing.
I don't really feel right
I don't really feel right about Mozilla either, but there really isn't any other better choice. /Maybe/ PaleMoon, /Maybe/ SeaMonkey? Meh. Those are okay versions. All the Chromium-based browsers seem to replace whatever connections that fed data to Google, to their servers instead. All I can hope is that this is just Mozilla being Mozilla, and they'll get out of this hole again for a while, and the WebExtensions and security ideas they have will really be good for Firefox.
the hardened version is only
the hardened version is only for linux?
For 64bit Linux, yes. We are
For 64bit Linux, yes. We are thinking about doing an OS X version as well. But there is no ETA for it yet.
What are the arguments pro
What are the arguments pro not making a Windows version?
atm i am not coding anything
atm i am not coding anything but my 2 cents is windows is not open source most if not all of its lines of codes are closed or hidden so you can never be sure that windows been written in such away that does or not leaks. ofc that is my own opinion.
There are no real arguments
There are no real arguments against it. Thus, as soon as Mozilla is getting ASan to work with Firefox for Windows we can think about it. It might get stalled due to lack of resources (which is currently the main reason why there are no OS X hardened builds), though.
why are so many tor bridges
why are so many tor bridges that belong to the Dutch Police.
When I try to connect to Tor 9 out of 10 connections are always to Dutch connections
usually via police & "Digi Boys" High Tech Crime Unit controlled...via servers in Roosendaal and Driebergen smurf.politie.nl
I do not get connections to Russia Australia HongKong or other worldwide connections
always via the Netherlands
More details? How did you
More details? How did you find these bridges, how do you know they're controlled by the Dutch police, etc?
"9 out of 10 connections" makes me think you're not using bridges at all. But I can't tell what exactly you're confused about, from the post.
this comments section is a
this comments section is a joke..
you put up a comment and it never shows for weeks
http://www.sott.net/article/3
http://www.sott.net/article/310841-FBI-allows-over-200K-pedophiles-acce…
The same thread is happening
The same thread is happening over at
https://blog.torproject.org/blog/transparency-openness-and-our-2014-fin…