Tor Browser 6.0a1-hardened is released

by boklm | January 27, 2016

A new hardened Tor Browser release is available. It can be found in the 6.0a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Note: There is no incremental update from 5.5a6-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 5.5a6-hardened:

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.8.3
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)

Comments

Please note that the comment area below has been archived.

January 27, 2016

Is it safe to use the hardened version in terms of security/anonymity? I remember a few years ago only the alpha version of TBB was targeted by adversaries and this is also in alpha....or is it better to stick with the stable version?

Qihoo is a Chinese antivirus company. They cheated on an independent test by using Bitdefender virus detection for the test while using their inferior QVM virus detection in their products.

http://www.pcmag.com/article2/0,2817,2483498,00.asp

QVM has a lower detection rate with more false positives. Since their product is based in Beijing with China being a primary market for them, of course they will tell users that Tor is malware!

January 28, 2016

I've downloaded Tails five different times to update my existing version manually, and every time it stops at exactly 72 percent. This is awful, and so is getting help. I can't even use Pidgin to chat and email....ha, good luck getting anything back. I've gone down that road before. Why are you guys making things so difficult when you say you are making things easier? Feel sorry for the people in third-world oppressive regimes sweating the download out.

Have you contributed to Tor? Have you paid money, written a how-to, or contributed code? Or do you think that software you paid nothing for should be giving you support, all the while you are crying like a dirty little Democrat? Free stuff for everyone. You didn't do it my way, so I'm pissed off now.
What a juvenile attitude.

Goof ball!

P.S. Good job guys! There are always a few trolls around. Try to ignore them. Mostly you are highly appreciated.

Usability is king. Without it, you get complaints.

Your above statement is valid provided that users have paid for it or have donated funds towards its development or contributed software code to improve it.

Have you paid for it? or have you made a monetary donation or contributed software code?

If you have done neither of the above, please stop complaining.

Except that simply by using tor you're contributing. You're adding yourself to the noise.
However, to take a page from your book: unless you're affiliated with The Tor Project, why don't you leave it to those who are to tell people to stop complaining. Otherwise you're just being a troll who'll discourage new users.

Except that simply by using tor you're contributing.

Flawed logic.

However, to take a page from your book: unless you're affiliated with The Tor Project,

Define "affiliate". My friends and I do contribute to the Tor Project in different ways. What about you?

Otherwise you're just being a troll who'll discourage new users.

We know who the real new users are and the regular NSA troll who's lurking in the background, monitoring and reporting back to his overlord.

I've downloaded tails five different times to update my existing version......

So the NSA troll is now spamming this blog with posts about Tails. He used to spam here about the latest version of TBB not being able to work with Adobe Flash.

While I can understand the frustration with getting the same questions about Flash (some of which, but not all, are from trolls), by repeatedly complaining about it you're scaring off legitimate potential users who are uneducated in the technical complexities.

While I can understand the frustration with getting the same questions about Flash (some of which, but not all, are from trolls),

Our regular NSA troll always complains about Adobe Flash not working AND tells us he's reverting to using an older version DESPITE repeated cautionary advice from us.

by repeatedly complaining about it you're scaring off legitimate potential users who are uneducated in the technical complexities.

Give specific examples and dates of our posts in which we complain about Adobe Flash not working with TBB.

Since there's a commonality between your failed attempts to download and the point at which you are being stopped I'd have to say that you are running out of disk space, you are using your persistence partition or even both. By the sounds of it I'm assuming that you are upgrading manually with the intermediate download attempt of the ISO...meaning that you already have Tails 2.0 obviously. If that is the case, make sure that you are choosing the Tor browser folder NON-persistence for the location to save. Save the ISO there and then upgrade a new copy "with ISO" in the Tails installer, then follow the rest of the directions.

That isn't mentioned in the directions and it is understandable that one would make this mistake. Hope this helps!

"meaning that you already have Tails 2.0 obviously."

I think he/she meant to say that the original poster probably has Tails 1.8.2. But I concur that the OP looks to have been struggling with disk space and inadvertently was directing it into the persistence folder.

Over the years, at times I have also experienced frustrating problems downloading the iso for the latest Tails edition. Using wget with the -c flag running in the previous Tails edition seems to work for me. Try man wget (in a console in your current Tails) and ask if it isn't clear. You don't need to worry about torsocks if you use Tails (someone please correct me if I am wrong!).

Don't get upset by the two replies accusing you of being an "NSA troll", and thanks to the other poster who tried to help you (the post beginning "Since there's a commonality between your failed attempts to download and the point at which you are being stopped I'd have to say that you are running out of disk space...")

Don't get upset by the two replies accusing you of being an "NSA troll"

A troll is one who, despite numerous reminders that this blog isn't the right place to ask for technical support for Tails, persists in doing so and thus spamming it.

Tails, on its official website, lists several options for users who need technical support. The URL is https://tails.boum.org/support/index.en.html

You are a troll too. You pick and choose some people to criticize for posting about Tails but not all; you only pick on those who ask about Tails and not on those who talk about anything else not related to TBB. You do this only to annoy people who need help. The people from Tails do not respond to all questions received, but someone may get lucky by asking for help here, not from you though, you TROLL.
"someone who leaves an intentionally annoying message on the internet, in order to get attention or cause trouble" That's exactly what you do: complain, complain, complain about people not posting exclusively about TBB, just to annoy.

You pick and choose some people to criticize for posting about Tails but not all; you only pick on those who ask about Tails and not on those who talk about anything else not related to TBB.

Where's your proof? Give specific examples.

You do this only to annoy people who need help.

False accusation. We merely pointed out to people who need Tails' support to use the relevant channels. Those people who, despite our repeated advice, persisted in posting for Tails' help here are really trolls.

the people from tails do not respond to all questions received,

Another false accusation, this time not against us but against the Tails team. Where's your proof that Tails' tech support does not respond to all questions received?

Two false accusations, one against us and another against Tails, have proved to all readers of this blog that you're really the NSA troll.

We hope that you are being handsomely remunerated for your effort in trolling here. Staff at NSA are each paid at least a million dollars annually for their contributions to the US mass surveillance programs. We doubt very much your derisory annual compensation is anywhere near a million dollars.

Of course it would only be fitting that we help someone when it's only formally appropriate. You need more bureaucracy in your life. Enforce and stay within the lines!

Yes, except none of these are available to non-technical users who want to keep their contact through Tor. I'm not saying that this is the right place for it, but part of the reason it ends up here is that the Tails team hasn't exactly made it easy for people who can't figure out how to email through Tor to contact them.

but part of the reason it ends up here is that the Tails team hasn't exactly made it easy for people who can't figure out how to email through tor to contact them.

Look here, I fail to see why people need to use Tor to send emails asking Tails for technical support. What's so secret or confidential about the contents of Tails' tech support?

Do these same people also use Tor to post their comments here? Why do they need to do so?

Not everyone wants others to know that they're using Tor. Therefore they use pluggable transports to connect to Tor and can only contact the Tails team or post here through Tor (via pluggable transports).

Not everyone wants others to know that they're using tor.

You haven't exactly answered our question.

Let us rephrase it. Why do people need to use Tor to contact Tails' tech support? As for us, we don't.

Because if you're trying to get Tails' tech support you're probably trying to use Tails, and if you're trying to use Tails you're trying to use Tor.
So if you're trying to hide that you're using Tor, you've got to hide any contact with Tails' tech support.
I don't know why I'm even responding to you at this point. Given your sheer number of posts and the speed of your responses, you're probably the NSA troll you're claiming to warn us about. The negativity that you spew is just the thing that turns people off. It also explains why you refer to yourself as plural.

Because if you're trying to get Tails' tech support you're probably trying to use Tails, and if you're trying to use Tails you're trying to use Tor.

So if you're trying to hide that you're using Tor, you've got to hide any contact with Tails' tech support.

OMG.....

Such convoluted thinking....can only come from people with severe paranoia.

What if we were to tell you and your severely paranoid friends that the NSA has found some vulnerabilities in Tor?

What if I were to tell you that I had a magic anonymity system that nobody could break, no matter what?

The "what if I were to tell you" rhetoric is exactly the one used to spread FUD without providing any facts or details. Please don't do it.

January 28, 2016

Can't use browser in full screen. I am using screen size spoofing in headers. Where do I remove the limitation?

Full screen works for me on different machines. What do you mean with "I am using screen size spoofing in headers"? How can I reproduce your problem? Does it go away if you click on the green onion and choose "New Identity"?

Tor browser gives a warning not to use maximise screen for risk of compromising your identity. I had problems like that in the previous rc version of tails 2.0 but now in the New Tails 2.0 version I could maximise if I wanted it.

Won't happen. ASan by design uses 20 TiB of virtual address space. It may be possible to reduce this, but being limited to 4 GiB makes it unlikely that effective mitigations can be implemented.

January 29, 2016

In reply to yawning

Looking at the AddressSanitizer documentation, i386 seems to be supported. The problem is that, as a large, complex program, Firefox uses a lot of memory. With ASan added to that, you're going to run out of 32-bit address space, and your browsing session will come to an abrupt end.

32-bit user space is only 3GiB (unless you have a kernel with hugemem patches). Browsing more than a few simple web pages causes the current hardened Tor Browser to allocate more than that.

Yeah looks like ASan allows a smaller shadow region on 32 bit platforms, but that severely cuts into usable address space. Another issue is that the quarantine zone size directly affects how effective ASan's use-after-free protections are, and 32 bit systems likely don't have enough RAM to provide effective protection there either.

Something in Firefox leaks memory like a sieve (I messed around with reducing the quarantine zone size to force memory to be released back to the system), so the 32 bit ASan build will die horrible screaming death sooner than later.
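The point made above about quarantine size and use-after-free detection, as an added illustration that is not part of the original comment thread, of AddressSanitizer, or of Tor Browser: a toy allocator with a byte-budgeted free-quarantine and one shadow byte per arena byte, showing that a stale write is caught only while the freed chunk is still quarantined. Every name (q_init, q_alloc, q_free, q_write, demo_uaf) and the 4 KiB arena are this example's own assumptions.

```c
/* Toy model of an ASan-style free-quarantine, written for this page to
 * illustrate the comment above. It is not AddressSanitizer or Tor Browser
 * code; every name (q_init, q_alloc, q_free, q_write, demo_uaf) and the
 * 4 KiB arena are this example's own assumptions. */
#include <stddef.h>
#include <string.h>

#define POOL_BYTES 4096   /* constructed arena standing in for the heap */
#define Q_SLOTS    32     /* capacity of the quarantine FIFO, in chunks */
typedef struct { size_t off, len; } chunk;

static unsigned char pool[POOL_BYTES];
static unsigned char shadow[POOL_BYTES]; /* 1 = byte is freed (poisoned)   */
static size_t bump;                      /* first never-handed-out byte    */
static chunk  quarantine[Q_SLOTS];       /* FIFO of freed, poisoned chunks */
static size_t q_head, q_count, q_bytes, q_limit;
static chunk  reusable[Q_SLOTS];         /* evicted chunks, free for reuse */
static size_t n_reusable;

/* Reset the arena and set the quarantine's byte budget. */
void q_init(size_t quarantine_bytes) {
    memset(shadow, 0, sizeof shadow);
    bump = q_head = q_count = q_bytes = n_reusable = 0;
    q_limit = quarantine_bytes;
}

/* Move the oldest quarantined chunk to the reusable list; its bytes stay
 * poisoned until q_alloc hands them out again. */
static void evict_oldest(void) {
    chunk old = quarantine[q_head];
    q_head = (q_head + 1) % Q_SLOTS;
    q_count--; q_bytes -= old.len;
    reusable[n_reusable++] = old;
}

/* Prefer a reusable chunk of the same size (a crude size class), otherwise
 * carve fresh bytes. Returns NULL when the arena is exhausted. */
unsigned char *q_alloc(size_t len) {
    for (size_t i = 0; i < n_reusable; i++) {
        if (reusable[i].len == len) {
            size_t off = reusable[i].off;
            reusable[i] = reusable[--n_reusable];
            memset(shadow + off, 0, len);   /* unpoison: memory is live again */
            return pool + off;
        }
    }
    if (bump + len > POOL_BYTES) return NULL;
    bump += len;
    return pool + bump - len;
}

/* Poison the chunk and park it in the FIFO. Chunks become reusable only when
 * the FIFO is full or over its byte budget, so a small budget recycles fast. */
void q_free(unsigned char *p, size_t len) {
    chunk c = { (size_t)(p - pool), len };
    memset(shadow + c.off, 1, len);
    if (q_count == Q_SLOTS) evict_oldest();
    quarantine[(q_head + q_count) % Q_SLOTS] = c;
    q_count++; q_bytes += len;
    while (q_bytes > q_limit && q_count > 0) evict_oldest();
}

/* Instrumented store: 1 if the target byte is poisoned (use-after-free
 * detected), 0 if the write landed in live memory. */
int q_write(unsigned char *p, unsigned char v) {
    if (shadow[p - pool]) return 1;
    *p = v; return 0;
}

/* Free A, allocate a same-sized B, then write through the stale pointer A.
 * Returns 1 when the quarantine still held A (write detected), 0 when A's
 * bytes were already recycled into B (the write silently corrupts B). */
int demo_uaf(size_t quarantine_bytes) {
    q_init(quarantine_bytes);
    unsigned char *a = q_alloc(64);
    q_free(a, 64);
    if (!q_alloc(64)) return -1;   /* B: same size class as A */
    return q_write(a, 0x41);
}
```

With a budget of at least the freed chunk's size the stale write hits poisoned memory and is reported; with a budget below it the chunk is recycled into B at once and the write goes unnoticed, which is the trade-off a memory-starved 32-bit build would face.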

January 31, 2016

In reply to yawning

It seems to be not common leaks, but something that isn't being freed, plus writing unexpected and huge data by valid pointers.

January 28, 2016

Still has the problem of eating up all available memory and doesn't seem to free it up once those windows are exited.

January 28, 2016

I would use Tor a lot more if it could stream video. That would truly make it a full service browser. As it is, it's very limited. Isn't there some way to create a secure Tor friendly substitute for adobe flash?

I would use Tor a lot more if it could stream video.

We should never ever stray from Tor's first principles, one of which is to help people living in authoritarian and oppressive regimes to communicate.

We don't see how streaming and watching videos through Tor can help advance the latter's first principles.

What immediately comes to mind are the slick video clips produced by IS (Islamic State), ISIL (Islamic State of Iraq and the Levant) or ISIS (Islamic State of Iraq and Syria) which are in great demand by jihadis. Such video clips are readily found using Tor.

Perhaps you're a jihadi-wannabe interested in streaming videos clips produced by Islamic State?

> What immediately comes to mind are the slick video clips produced by IS (Islamic State), ISIL (Islamic State of Iraq and the Levant) or ISIS (Islamic State of Iraq and Syria) which are in great demand by jihadis. Such video clips are readily found using Tor.
>
> Perhaps you're a jihadi-wannabe interested in streaming videos clips produced by Islamic State?

I think you may have been reading too much USG scare mongering ("ISIS in all our heads" [sic]).

Isn't it more likely that a random internet user is

(i) interested in Tor Browser because it is getting a reputation for being the most secure easy to install/use browser?

(ii) interested in streaming videos to watch instruction videos like Khan Academy or "how to install a network card"?

(iii) doesn't yet understand how dangerous Flash can be if you are trying to stay secure online?

> We should never ever stray from Tor's first principles, one of which is to help people living in authoritarian and oppressive regimes to communicate.

Plus one.

> We don't see how streaming and watching videos through Tor can help advance the latter's first principles.

I hope we all agree that the goal of "mainstreaming" Tor, which Shari Steele has said will be a major priority, is absolutely necessary to ensure the long-term survival of the Project. For so many reasons, but to mention just two: (i) if everyone in "the West" uses Tor on a daily basis, hostile FVEY governments will find it politically difficult to simply declare TP illegal; (ii) the more people who use Tor daily for all kinds of ordinary things, the easier it will be for people living in "active conflict zones" or nations with harshly repressive governments to "hide among the noise".

But this means that we will need to explain to prospective Tor users who are shocked to find something they consider "essential" [sic] is harder with Tor Browser that anonymity, security, and convenience sometimes conflict, so the developers often need to make design choices, and quite properly give extra weight to the personal security needs of those users whose lives quite literally depend upon Tor keeping them anonymous.

ISIS don't need Tor protection as they have official backing from Western secret services and even states (Turkey, Saudis and so on)

OTOH, if you want to watch some youtube video about encryption and fighting the police state you may end up in some lists.

ISIS don't need Tor protection as they have official backing from Western secret services and even states (Turkey, Saudis and so on)

That's so true. Our sources confirmed it to us about two years ago.

OTOH, if you want to watch some youtube video about encryption and fighting the police state you may end up in some lists.

That's very true too. According to our sources familiar with the NSA, TBB users who do the stuff that you described in your post will also end up on the NSA watch list. It means all of us who post here on this blog have ended up on the relevant lists.

Hurray!

"According to our sources familiar with the NSA", users who end up "on the NSA watch list" are subjects for a bot strike.

Tor cannot help you if you are being throttled or have low, spotty, or no connectivity.

YouTube HD streams fine with 50-150MBs.

Download the videos and play locally so you get better sound!

Flash is a dinosaur. Even Adobe says you shouldn't use flash. All modern streaming video sites should be using HTML5 video, which Tor Browser supports as it is built into the browser itself.

January 30, 2016

Hi, the new update is not displaying Punjabi language, please help. Before, it was running so well.

January 30, 2016

Something strange with the Tor nodes. I just set up 6.0a1_en-US.
No matter how many times I change the circuits I am getting a UK address as first hop, and it is 124.6.36.201, which is registered in Singapore. Have the Security mob knobbled us?

January 30, 2016

In reply to arma

Re entry guards: We went through this on earlier versions where the first hop always remained the same and we were told it was because of "entry guards". Yet later versions reverted back to the ability to change the node locations at will. It seems to me that being able to change node locations is far more secure than having a single "guard" entry point which always remains static. I do not trust having a fixed first hop with always the same URL.

January 31, 2016

In reply to arma

From a traceroute, it looks like it's probably Singapore. Nothing too weird there.

To arma, gk and all Tor staff:

Please remove Singapore from the list of Tor nodes and ban all nodes originating or terminating in Singapore for life for the benefit of Tor users. You'd do well to heed our advice.

We can't tell you which specific organization we work for but suffice it to say that we are very familiar with how NSA, GCHQ and the signals intelligence unit in Singapore work.

Singapore is part of the Five Eyes Plus grouping that scoops up massive amounts of data everyday. The signals intelligence unit is located in Tuas, the western part of the city-state.

If you have a map of the world, you'd notice that all submarine cables carrying telecommunications from East Asia would have to pass by Singapore to reach the Middle East, Europe and Africa, and vice versa from the latter to East Asia.

Singapore's physical location is very strategic and the US government recognizes it. In fact it provides hundreds of millions of dollars and technical expertise to the signals intelligence unit in Singapore to help it achieve its goal of mass surveillance.

Do note that there are no privacy laws in Singapore, and no laws governing how and under what circumstances the Singaporean government can obtain confidential information in emails and other electronic communications.

January 30, 2016

Hi. Can anyone help? I found out this version of Tor has issues with Indic fonts. Previously everything was fine. Now it doesn't show Indic fonts, rather boxes.

peace.

January 30, 2016

Since the US government has been successful twice now in de-anonymizing tor hidden services (first Silk Road Two then a pornography site last July), would that not indicate that they have the ability to do that? They did so with the help of MIT. That being so, what is the point of using tor? It would seem a whole new system is needed, which will take several years to be conquered like tor did.

Well, this is a complicated question. It does indeed appear that the feds have been able to attack some Tor users over the years. Most of these attacks are done by attacking the endpoints, e.g. with browser vulnerabilities. One of these attacks does seem like it was done by attacking the Tor network itself (the CMU one -- there was no MIT one as far as I know).

But that said, this is a small number of attacks over many years, and each time we patched things once we understood what they had done (and in fact, in some cases we patched things even before the attack, so only people who hadn't upgraded were affected). So, we know how they did it, and those particular attacks won't work anymore.

Tor does indeed need to become stronger. It will always be an arms race where the research community works on ways to make Tor stronger, and the adversaries work on finding ways to break it. That's how security works.

January 31, 2016

Some weird things fill log since 20160129:
[warn] rend_service_introduce(): Bug: Internal error: Got an INTRODUCE2 cell on an intro circ (for service "x...x") with no corresponding rend_intro_point_t.
Attack? Guards compromised? Bad weather?

February 01, 2016

In reply to arma

tor-0.2.6.10
(and I never saw this error before). Is it dangerous/exploitable?

January 31, 2016

Is it possible to restrict Tor to using DHE/ECDHE ciphers, or is the only existing way to cut the others out of the OpenSSL compilation?

January 31, 2016

Hi, I am in Scotland (UK). Since I upgraded to 6.0a1 I am having problems with switching between the different nodes. This may be related to one of the questions above. When I select 'New circuit', instead of changing to nodes around the world, it only selects nodes in Europe. Seems a bit less secure to me. Any way to fix this so it changes proxies randomly?

Thanks for your efforts.

January 31, 2016

Recently the obfs3 bridges found at BridgeDB have been very hard to connect to the network with in China, and so has Tails. China has never blocked obfs3 so well. The meek bridge works fine, but they are possibly cooperating with China by providing which user is using Tor, how frequently and so on. If they are not cooperating, Google is an example. Other kinds of bridges (obfs2/4, FTE, ScrambleSuit) are unlucky too. So can you develop a new kind of bridge?

Recently the obfs3 bridges found at BridgeDB have been very hard to connect to the network with in China, and so has Tails. China has never blocked obfs3 so well.

According to what we have heard from some of our friends in China, if you use Tor on an Android OS smartphone, your communication is less likely to be blocked.

This is because a user can never be truly anonymous if he/she uses a smartphone to surf the internet, even with Tor and the Chinese authorities know it. But at least your communication is end-to-end encrypted.

I'm on a desktop OS, not a smartphone. I removed the new TBB which was updated by the inside updater, and replaced it with the new full package. TBB finishes the connection after this setup.

February 02, 2016

'Cloudflare' is KILLING Tor! 'Cloudflare' will be the DEATH of Tor!

If you wanted to KILL Tor off you would be hard-pressed to come up with a better strategy than 'Cloudflare'.

Goddamn 'Cloudflare'! Goddamn 'Cloudflare' to HELL!!

February 03, 2016

I can see how to use bridges, but is there any way to use bridges on the exit node instead of on my end? More and more sites are blocking Tor, and I was hoping there'd be a way to exit through a bridge.

Currently, Tor is designed to allow people to block connections from Tor network if they desire. Someday, exit bridges may be a thing.

February 03, 2016

TOR network outage
Somebody is exhausting all possible TOR sockets to our server. This can cause interruptions for users.

https://bitmessage.ch/

THE FBI AND POLICE AND ENFORCEMENT ARE DEPLETING TOR NETWORK! HELP!