Tor Browser 5.5a6-hardened is released

by gk | January 7, 2016

A new hardened Tor Browser release is available. It can be found in the 5.5a6-hardened distribution directory and on the download page for hardened builds.

This release features an important fix for a crash bug in one of our patches. All users are encouraged to update immediately as this bug is probably exploitable if JavaScript is enabled. The bug was not exploitable at High security level, or on non-HTTPS websites at Medium-High security level.

Note: There is no incremental update from 5.5a5-hardened available due to bug 17858. We plan to have this fixed for the next release. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 5.5a5-hardened:

  • All Platforms
    • Update NoScript to 2.9
    • Update HTTPS Everywhere to 5.1.2
    • Bug 17931: Tor Browser crashes in LogMessageToConsole()
    • Bug 17875: Discourage editing of torrc-defaults

Comments

Please note that the comment area below has been archived.

January 08, 2016

NoScript still, huh?

Do a web search on the past confrontation over its cryptic streamed ad allowance with the AdBlock author. Are you sure it's not happening anymore? Then consider its current default behavior to white-list scripts from its 2 web sites and "phone back home" the user's info after every upgrade/installation.
Even if you change this default spying behavior in Tor Browser... You still include it in every single Tor Browser on the planet. Isn't it enough risking?

This page mentions the alternatives to NoScript and AdBlock (uMatrix and uBlock):
https://help.riseup.net/en/security/network-security/better-web-browsin…

Anyone cares to evaluate them for TBB? And perhaps there are others.

The Tor Browser Developers Signing Key which is used for the stable and alpha bundles as well.

Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290

January 10, 2016

I find it appalling you (Tor devs) have to devote so much of your limited man-power to fixing Mozilla bugs and/or quirks.

I would rather the Torproject concentrates on The Onion Routing - protocols, hardening and implementation. Is it REALLY REALLY necessary for Torproject to maintain an own browser - at all, esp. based on such unmaintainable monster as Mozilla/Netscape/Firefox has evolved into?

Please consider concentrating on enhancements of Tor itself, letting people run their browsers and other net connected apps of choice. Of course we plain users will still always appreciate your advising and helping us select and tune our browsers, etc. But for Deity's sake, concentrate on fixing and hardening Tor.

Alas, it is still really necessary to ship our own browser. The risk of a user getting deanonymized by using a vanilla Firefox (or worse Chrome, IE...) + Tor is quite high (at least in the long-term not counting problems with plugins like Flash) as all the options for tracking or fingerprinting a user allow generating a pretty unique fingerprint.

But there is hope as we are working closely with Mozilla to get our patches upstreamed. So, one day we might be able to get rid of the fork and devote even more energy to Tor itself (which is still getting the bulk of attention development-wise I'd say).

January 11, 2016

In reply to gk

That would be nice. Right now I don't really trust Firefox. It seems like I need to find and disable several new features in each version of Firefox that could phone home or store history or affect security. Recently, Pocket and extension signing. I have several local extensions (mostly changing menus, hotkeys, etc., no risk of deanonymization) and they keep threatening that I won't be able to run them without giving up anonymity by submitting them to Mozilla for signing.

I don't really feel right about Mozilla either, but there really isn't any other better choice. /Maybe/ PaleMoon, /Maybe/ SeaMonkey? Meh. Those are okay versions. All the Chromium-based browsers seem to replace whatever connections that fed data to Google, to their servers instead. All I can hope is that this is just Mozilla being Mozilla, and they'll get out of this hole again for a while, and the WebExtensions and security ideas they have will really be good for Firefox.

atm I am not coding anything, but my 2 cents is that Windows is not open source; most if not all of its lines of code are closed or hidden, so you can never be sure that Windows has been written in such a way that it does or does not leak. Ofc that is my own opinion.

There are no real arguments against it. Thus, as soon as Mozilla is getting ASan to work with Firefox for Windows we can think about it. It might get stalled due to lack of resources (which is currently the main reason why there are no OS X hardened builds), though.

January 23, 2016

Why do so many Tor bridges belong to the Dutch Police?
When I try to connect to Tor, 9 out of 10 connections are always to Dutch connections

usually via police & "Digi Boys" High Tech Crime Unit controlled...via servers in Roosendaal and Driebergen smurf.politie.nl

I do not get connections to Russia, Australia, Hong Kong or other worldwide connections

always via the Netherlands

More details? How did you find these bridges, how do you know they're controlled by the Dutch police, etc?

"9 out of 10 connections" makes me think you're not using bridges at all. But I can't tell what exactly you're confused about, from the post.