Tor Browser 6.5.1 is released

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change, however, breaks the Session Manager add-on. Users who consider having extensions like that one working much more important than avoiding the possible information leakage associated with them can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference; setting it to 'true' disables our defense against this type of fingerprinting.

Another regression introduced in Tor Browser 6.5 affects the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to
    • OpenSSL to 1.0.2k
    • Update Torbutton to
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script


Good job. Have a question. WikiLeaks says it has obtained over of CIA hacking tool. May this affect the Tor security?

Somebody commenting here should know more.
I have read little, but it looks like the claims of exploitable devices are old claims.

If we search more, we should find a security site that outlines the initial exploit of ios or android.

I don't think anyone has leaked the actual infection tools.

I think android uses orfox as android version of Tor browser?

Ios has no Tor browser?

iOS has Onion Browser, available with source code, now donation based.

dig into here >>

Starting from >>

and then, please feed us back of your findings :)

TBB AnonymousUser..

There will always be 0days in various programs. I haven't seen anything for Tor or Tor Browser in there, specifically, however I did see mentions of an exploit for the Android (and non-Android?) library for libxml2, which may be used in Tor Browser. Luckily Google is scrambling to find out what the cause of the bug is to get it fixed.

In general, the stuff in the CIA vault boiled down to:
1) Android and iOS exploits and bypasses
2) IoT exploits and spyware (the Samsung Smart TV)
3) Router exploits
4) FAQs and policies for how to write malware, etc
5) Random stuff like lists of Japanese emoticons and diatribes about text editors

I would imagine that anything they get to attack Firefox, they would buy from a contractor like Raytheon SI or Endgame. When it comes to the security of Tor itself, I wouldn't worry. They don't seem particularly invested in breaking the Tor network, from what I'm seeing in this leak.

Thank you for that promising feedback :)

"Luckily Google is scrambling to find out what the cause of the bug is to get it fixed"?
Oh my God, someone still trusts in Google. Do you really believe that Google is clean?

Google has always been a Government Puppet!

Wikileaks has only released a fraction of the total CIA files. More exploits will be revealed.


From tor-talk:
CIA Vault 7, Year Zero
krishna e bera
8 Mar 2017

>> ""Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products" [0]

> The good news is no mention of exploits against Tor, TorBrowser, TAILS,
Orbot. They also appear to have developed ways to hide their traffic at HTTPS
servers, which may be useful for bridge developers if the code is released.
> [0]

For those who download the Tails ISO image, verify the cryptographic signature, and burn a R/O live DVD: the Vault 7 malware wiki does describe an exploit affecting Nero, so we should avoid that (until the vulnerability is fixed).

WL has stated that it has made the full malwares available to affected companies, and Apple has apparently already patched almost all of the ones affecting its own products.

I'VE GOT A LOT to Learn

if i go to and search for a book, then close the tab, open a new one and click on 'new circuit' then go to again i get automatically redirected to the previous site. is this the intended behaviour?

If I understand your comment, you did these steps:

1. Go to (js disabled by noscript)
2. Page redirects to url with sessionid;
3. Search "security" (without quotation)

I didn't do these following steps. Did you experience these?

5. Then you use TBB Torbutton "New Identity"
6. Go to (js disabled by noscript)
7. Page redirects to your search result;

Try this:
21. Create bookmark by pasting that into bookmarks toolbar.
22. Use TBB Torbutton "New Identity"
23. Load the bookmark into TBB blank tab

I think you will see;
with a new jsessionid value.

Redirecting to a new jsessionid url would be how the page on that site is written to behave.

BTW, you have cookies disabled? As far as I know, "New Identity" flushes cookies, so I don't think allowing cookies setting should matter. But I disable cookies by default, so I don't know.

Note: I replaced the actual jsessionid that site gave me, with "XXXX"

no, the described behaviour is only if i click "new tor circuit for this site". in that case cookies will not be deleted? is this a good idea?

Yes. It just gives you a new circuit. All your browser state remains.

I've also noticed cookies persisting after using 'New Tor Circuit...' and it was (for me) unexpected behaviour. I think this is dangerous because people may assume it also resets the browser state for that site.

One solution is to make 'New Circuit...' delete cookies etc, so that it behaves as expected.

Another is to somehow make it clearer that sessions etc persist when using 'New Circuit..' so that people aren't getting a false sense of security.

Either is fine, but the status quo is unsafe.

We have New Identity for that. "New Circuit" does exactly what it says, not more and not less: it gives you a new circuit and that's all.

I'm with the comment above, "new circuit" means a new IP, that means, you're in an unclear state if you don't know that all other browser information like cookies, are still there. maybe it's the least problem, maybe not, I don't know, but for me it feels unsafe too.

IMO both "new circuit" and "new identity" are useful, but I agree that it is important that users should understand what these user commands do and do not accomplish.

I figured the 'New Tor Circuit' doesn't clear cookies etc. after a while. Up until that point however I used it with the expectation it made me safe.
What's the purpose of this feature anyway? Why would I care for a new circuit if a site can trivially identify me anyway?

Resize issue, in Tails or in other OS Torbrowser versions there is a function that gets in the way a lot.
When having multiple windows opened and trying to rearrange those windows by moving the cursor to the top of the browser page and then moving the window it is really easy to release your fingers from a trackpad during moving. This results in a double click on that browser page that immediately is resizing full screen! It happens a lot and is really annoying.
How can I disable this double click full screen resizing function? I never do want a full screen size but I happen to end up with it anyway a lot of times.

Some window managers allow you to lock a window's size. I don't think Tails' does. Tor Browser doesn't (yet?) provide any way to lock the window's size or reset it to default. The only way to correct it is to restart Tor Browser.

As a quick and dirty solution, hold the Alt key and click anywhere inside the window (not the title bar) and drag to move it. In some window managers, it's the Windows key, so try that if Alt doesn't work, otherwise consult the GNOME documentation.

In the upper right-hand corner of the Tor Browser window, the second button from right (the one with the arrow pointing upward): Clicking-on this maximizes the browser window and, when the window is maximized, reduces it back to its default size, no?



Browser works great and thank you for the updates to TOR!!!
Darren Chaker

Mr. Chaker,

I'm Suggesting that TBB users are BEST to be commenting as "Anonymous" for their own good Anonymity :)

"Thank You" will still be (Thank You) from Anonymous users,


This update didn't mess-up with (SessionManager .xpi) like previous 6.5; that which i replaced the (tor-launcher & torbutton .xpi's) from TBB 6.0.8..

OK. Thanks Again..


Wrote upper comments, and UPDATING it now,

YES: Great & Thanks,
..and here comes BUT! :)

On the 2nd or(may be) 3rd restarting after updating TBB, The (SessionManager .xpi) seem to work without Icon-logo showing up in the sliding-bar, (so-called; hamburger Menu)

Did like before:
Exited, Replaced the (tor-launcher & torbutton .xpi's) from TBB 6.0.8, Started TBB 6.5.1,

Then: SessionManager Icon appeared & worked FiNE :)

Again : Great & Thanks

any way to use MPROTECT from grsec/pax and use Tor Browser at same time?
also any plans to use new firefox container in Tor Browser?

> any way to use MPROTECT from grsec/pax and use Tor Browser at same time?

Patch the Firefox JIT to not rely on being able to make executable pages writable again.

Not easily. In the past, Firefox would create RWX pages for JIT, put the bytecode into it, then execute it. In order to support W^X in OpenBSD and iOS, Firefox has changed how it behaves, so now it creates an RW page with mmap(), puts bytecode into it, then uses mprotect() to convert it to RX, so it can execute it. This works fine for the W^X implementation on OpenBSD and iOS, but PaX's MPROTECT implementation is much more aggressive, and additionally denies converting writable pages to executable pages.

I wrote a bit about this on the Tor bug tracker:

When the mprotect() call fails, Firefox runs its OOM (Out Of Memory) subroutine, which occurs whenever any memory-related functionality fails (even if it's just for JIT, and JIT will be disabled at runtime). This causes Firefox to crash itself.

All the code is a tangled mess. It's rather sad, really. If you wanted to fix it, it'd be best probably just to get the browser to be able to stop trying to allocate RWX pages in the first place when the config is such that JIT will not be used at runtime.
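The allocation sequence described in the comment above (map RW, emit, flip to RX), as an added example that is not part of the original thread and is not Firefox's code. It reports a refused W-to-X transition separately from a real out-of-memory condition, so a caller can run without a JIT instead of aborting. The names `jit_emit`, `jit_region`, `jit_release` and `jit_available` are hypothetical, and treating `EACCES`/`EPERM` from `mprotect()` as a policy denial is an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef enum {
    JIT_OK,         /* region is now R+X and holds the emitted bytes    */
    JIT_DENIED,     /* policy refused the W->X flip: run without a JIT  */
    JIT_NO_MEMORY   /* the mapping itself failed: a real resource error */
} jit_status;

typedef struct {
    jit_status status;
    void      *code;  /* R+X mapping when status == JIT_OK, else NULL */
    size_t     len;   /* mapped length, rounded up to whole pages     */
    int        err;   /* errno of the failing call, 0 on success      */
} jit_region;

/* Hypothetical helper: place n bytes of generated code in an executable
 * region without the page ever being writable and executable at once. */
jit_region jit_emit(const unsigned char *bytes, size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    jit_region r = { JIT_NO_MEMORY, NULL, 0, 0 };
    r.len = ((n ? n : 1) + page - 1) / page * page;

    /* Step 1: writable, not executable. Never PROT_WRITE | PROT_EXEC. */
    void *p = mmap(NULL, r.len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        r.err = errno;
        return r;
    }

    /* Step 2: emit the code while the page is still writable. */
    memcpy(p, bytes, n);

    /* Step 3: drop write, gain execute. This is the call a strict
     * MPROTECT-style policy refuses. */
    if (mprotect(p, r.len, PROT_READ | PROT_EXEC) != 0) {
        r.err = errno;
        munmap(p, r.len);
        /* Assumption: EACCES/EPERM mean "policy said no", not "no memory". */
        r.status = (r.err == EACCES || r.err == EPERM) ? JIT_DENIED
                                                       : JIT_NO_MEMORY;
        return r;
    }

    r.status = JIT_OK;
    r.code = p;
    return r;
}

void jit_release(jit_region *r)
{
    if (r->code != NULL)
        munmap(r->code, r->len);
    r->code = NULL;
}

/* Start-up probe: decide once whether a JIT can be used at all, so later
 * code never attempts executable allocations when it cannot. */
int jit_available(void)
{
    static const unsigned char probe[] = { 0x00 };  /* constructed, never executed */
    jit_region r = jit_emit(probe, sizeof probe);
    int ok = (r.status == JIT_OK);
    jit_release(&r);
    return ok;
}

int main(void)
{
    /* Constructed placeholder bytes; they are copied but never executed. */
    static const unsigned char sample[] = { 0xde, 0xad, 0xbe, 0xef };
    jit_region r = jit_emit(sample, sizeof sample);

    switch (r.status) {
    case JIT_OK:
        printf("RW -> RX allowed, %zu bytes mapped at %p\n", r.len, r.code);
        break;
    case JIT_DENIED:
        printf("W -> X refused (%s): continuing without JIT\n", strerror(r.err));
        break;
    case JIT_NO_MEMORY:
        printf("mapping failed (%s)\n", strerror(r.err));
        break;
    }
    jit_release(&r);
    return r.status == JIT_NO_MEMORY;
}
```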

thank you

This version fails to run on debian stable (jessie 8.7) due to a glibc error:

./firefox: /usr/lib/x86_64-linux-gnu/ version `GLIBCXX_3.4.21' not found (required by ./firefox)

This works fine for me on Debian Jessie.

It should work if you use the 'start-tor-browser.desktop' script at the root of the archive. This script adds the 'Browser/TorBrowser/Tor' directory to the LD_LIBRARY_PATH environment variable, so the from that directory should be used instead of the one from /usr/lib.

There is no problem for me; I use Jessie 8.7.1 amd64.

I just download, extract, and run as normal. Maybe you should do a distribution upgrade (apt-get dist-upgrade) to get all the libraries updated. I used to experience the same kind of errors when running new updated programs, and in many of the cases it's because I hadn't upgraded my OS distribution then.

No problems for me either. I updated from the previous version

I went to main onion page: http://expyuzz4wqqyqhjn.onion/projects/torbrowser.html.en
If I point mouse on the link, it shows it uses http://expyuzz4wqqyqhjn.onion/dist/torbrowser/6.5.1/tor-browser-linux64-6.5.1_en-US.tar.xz for download. But when I click on it and see what location is used, it is not onion, but Why this happens? As I see from, the correct address is another: http://rqef5a5mebgq46y5.onion/torbrowser/6.5.1/ Should links on the page http://expyuzz4wqqyqhjn.onion/projects/torbrowser.html.en be fixed?

Ideally, yes, but our setup is pretty complicated and we currently don't have the resources to make this happen.

Thanks, I understood.

Why do the debian packages never get updated in time?

Here's hoping that the Trump administration won't interfere with the Tor project funding cycle?

Yes. So far we are not aware of any interferences with our funding due to the Trump administration.

But we cannot assume James Comey is not lobbying hard to change that.

Comey stated in a recent speech that he intends to serve out his ten year term, which would carry him into the (barf) second DJT administration. But Comey is so diminished politically speaking that it could actually benefit the People if against expectation he manages to hang onto his job for another 6.5 years. Back in the Clinton administration, for better or worse, Freeh assured that FBI remained crippled by also hanging onto his job despite being "frozen" out of the rest of the administration. If Comey stays, this could buy us more time to use encryption to keep ourselves, our friends, our clients, and our families safer from our governments.

Thanks to all Tor and Tails people for your work!

@ GK:

This is more Debian than Tor relevant, but in view of the "evil maid" implications in the Vault7 leak, please help me convince Debian Project to fix the backdoor in LUKS encryption!

I like tor browser thank you so much our Manger Tor Browser

Why is not DuckDuckGoOnion used as the search engine on about:tor?

We are not sure how stable DDG's onion is and are worried about the additional delay due to additional onion service overhead.

What would really be a nice addition would be an onion search engine that allows you view results in a proxy.

Sites that have the proxy but no onion address are and

Thanks again. Keep up the good work.

Does anyone know if tails and subgraph have plans on collaborating ?

> Sites that have the proxy but no onion address are and does have an onion address! (but the proxy works over the clearnet, and not through the onion service)

Relevant ticket:

"Before that is going to happen we'd need some data on whether DDG can handle our load and how large the performance drop-down for searches would be."

Any chance the next version will have the flag privacy.trackingprotection.enabled set to true?

We plan to use that flag when we switch to Firefox ESR 52 as this flag makes use of our upstreamed patches.

Thanks for another great release. It's awesome how closely the TBB team has been tracking Firefox's release schedule lately!


Thank you GR8 release.

Why is Tor Browser signed with key id C3C07136

Where did this GPG key come from? It was never used prior to 6.5

How do we know this is actually the TOR Project in control of these releases now?

C3C07136 is a subkey of the Tor Browser key (4E2C6E8793298290). If you imported the Tor Browser key before it had this subkey, you can refresh it to get the new subkey:
$ gpg --refresh-keys 4E2C6E8793298290

like i am tor browser

Once again the process of applying an update takes up a disproportionate amount of disk space.

Even with app.update.staging.enabled set to false I observed it consuming around 220MiB.

(I believe it takes up even more when this is set to true).

If it runs out of space before it's done applying the update, it breaks TBB completely ('3817 Bus error' on line 368 of Browser/start-tor-browser).

Maybe having staging.enabled set to true prevents the breakage, but I don't have enough disk space to apply updates that way (uses something ridiculous like 400-500MiB).

Anything you can do to apply updates in a way which doesn't use all the disk space at once would be great.

Tor is helping me to get out of a hacking that killed my business

That would be a very interesting story to tell to a reporter, if you are able and willing to consider doing that! You could negotiate in advance how "anonymous" you want to be in the published story. Many of the better sort of news organizations now use SecureDrop.


Since installing the latest version of tor my antivirus keeps blocking tor from running, and says that tor is infected by IDP.Generic virus

Download Tor again, delete the earlier install, and install it again. Don't forget to verify the download!

downloaded it 2 times still gettin something about a virus

Upload the file to to verify with most available AVs

Though, you didn't tell what AV u r using,

Suggesting to Temporary-disable AV until TBB installed

& then Run it,

Enable AV,

See what happens,

you might need to switch to other AV product like: AVAST..

free Avast versions are great too :)

Safety everyone needs help

Sadly, all too true. All persons everywhere are at risk from thousands of cyberwarriors working for various governments.

But both the Snowden and Vault7 leaks (which have provided the public with invaluable information about NSA and CIA spying respectively) suggest that USIC (and probably adversary services) have had considerable difficulty in spying on people who (correctly) use cyberprotection tools such as Tor.


thanks for release.

i logged in but tor didnt say i dont have the latest version. so i have to start it manually over browser help / about tor browser.

after the update i checked addons, update all. and there was an update for https everywhere. it installed and then restart.

shouldnt the update of tor browser and addons be automatically?


There is usually a delay before we deprecate the old version (12-24h) in order to give the old browser time to download the update in the background. Not sure why you needed to do that manually. One explanation is Tor Browser checking only twice a day for new updates (+ after start-up). Similarly, Tor Browser is checking for extension updates only once a day.

thx for your kind explanation!

OpenSSL to 1.0.1k
OpenSSL to 1.0.2k
are referred in article. Both can't be right.

Corrected. Thanks.

can anyone advise as to the best method of browsing i.e. duckduck etc with Tor? i dont know much about it all

Thank you


You fixed the print to pdf issue for OS X 10.6.
That is very nice to see and takes away some console stress!

Thanks, bye

Actually, no. We did not fix anything in that regard. But glad that it works for you now. :)

Yes, Bug still there,
I did discover that shortly thereafter too.

Wired did fix the issue, on their website

but the bug is still existing in Torbrowser on other websites.
So I guess that Wired devs know the answer to a question that was addressed at Tor devs to look at and solve.

With a little help from the friends: Should I convince them to work for Torproject to really make things in Torbrowser better? :)

Crashed on startup on Mac OS X 10.12.3

Could you be a bit more specific? Is that reproducible? Did/does that happen with Tor Browser 6.5 as well ( has the older version)? Did you get some crash report that could help us understand what is going on? Did that happen after an update or with a clean, new Tor Browser 6.5.1?

When is Tor Browser going to FF 52ESR?
Another question I was wondering for quite some time:
Why is the TorBrowser not spoofing or disabling the referer header?

The alpha we'll release in April will be based on ESR 52 (we hope) and the stable series will switch in June. Regarding your referer question: section A.1.1 has some rationale for this.


Will TBB run on RPI RPI2 RPI3 or RPI0/W?
How do i do it?
Would Tails help HERE?


By "RPI" you mean RaspberryPi? If so, you'll have to compile it yourself and see. There are no official Tor Browser builds for RaspberryPis.

Would tor and Whonix work well together?
Is this a good idea?

> Would tor and Whonix work well together?

Yes. Why do you think that they don't work so well? :)

Whonix is all about isolating the Tor process from the Tor Browser, so to prevent any leaks in case your browser gets compromised (so they'll have to use even more sophisticated attacks such as VM escape).

You can read about it in this blog post:

just tried Whonix .org but it seem not working,

instead, leme suggest trying Tails | >>

( Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

*use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;

*leave no trace on the computer you are using unless you ask it explicitly;

*use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.)

Thank you.

"wrap long lines" is still not fixed since TBB 6.5, but noone will die over it.

Read the post carefully. If you think having features "like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting."

Maybe, as was fixed in Firefox 47, it could be whitelisted too.

Uh oh!

Mozilla support for XP will end in September 2017.

Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

And how does Avast interact with TBB when used as a regular browser on the regular internet?

I use Mozilla with the identical TBB settings - except that my TBB browser bookmarks facility remains unused.


Breaking ESR in the middle of its lifetime will be EPIC!
(Extended support even from M$ for NT5 series ends on April 9, 2019. Mozilla, shame upon you!)

That won't happen. XP is supported through the whole ESR 52 series. It won't be available in ESR 59 anymore, though.

We believe you'll keep your promise.
But Firefox is going to suicide, and ESR 52 will be the last version of ESR as we all know it.

> Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

Yes. XP is now a 17 years old OS riddled with security vulnerabilities, you can't expect developers to support it for a longer time. See "My guess is we're going to triage and decide not to try to rescue XP when Mozilla has decided to abandon it."

No, the first Tor Browser that won't run on XP anymore will be one based on ESR 59.

> XP is now a 17 years old OS riddled with security vulnerabilities

Just to support the point that cautious netizens tend to avoid using TBB under Windows, or at least very old versions of Windows:

The Vault 7 wiki of CIA malware just published by Wikileaks includes a long list of attacks on (often old versions of) Windows, but not very much on Linux (outside embedded platforms).

Not to imply that Linux users should rest easy, of course, just that all things considered, the preponderance of evidence available to the public would seem to encourage citizens concerned about privacy and data security to move to Linux (and to keep their systems up to date, to avoid installing unsigned software, to use TBB for browsing, to pay attention to valid security bulletins, and so on). Similar remarks hold for MacOS users (Vault 7 also lists some zerodays affecting Mac users).


great and useful..


Hello Torproject,
2 issues:

1. 'Wrap Long Lines' with ';false' isn't working reliably

2. Why tor.exe is 32-bit(Image Type) on an Win64? Should be 64-bit?
(firefox.exe(TBB) is 32-bit, too.)

OOPS, have read:
"On March 8th, 2017 Anonymous said:
Thank you.
"wrap long lines" is still not fixed since TBB 6.5, but noone will die over it." .

Noone will die over it, i too. Second question, 32bit tor.exe, is open.

"Tor is ready" does not appear every time i choose 'new identity'.
is it an evidence or a trace that something is wrong ?

What is appearing instead?

nothing !
it does not work every time i click on "new identity" : sometimes (rarely) yes , sometimes not.
pff ... i wonder if the users are not the testers of an experimental manipulation in the goal that a subvention be given to a usa rotten team ...
pff ... i use tor for some app but too much bugs means untrust software ...
no comment.

Could you open your browser console (with Shift + Ctrl + J) and check whether error messages appear during New Identity?

Tails 2.11 came out on schedule; why no announcement in this blog?

I don't know. You should ask the Tails folks about that; we are not doing their release announcements.

OP here.

Yes, I've read y'alls anon responses to my query but only gk's replies can be accepted as authentic by m'self.

Thanks, gk!

This simply means that I'm gonna hafta dl a GUI enabled Linux version to an external hdd and so use Linux as an additional OS for a Linux based TBB. Neva mind. I got 6 months to figger the how out.

As for XP now being " a 17 years old OS riddled with security vulnerabilities..." I guess that depends only on which sites one interacts with, not so?

The only hassle I can anticipate is spending more time backing up folders in the event of a system failure. In 2015 Verbatim was offering a 7 year warranty on its 1tb external hdd but sadly, such items are not permitted in my country.

@ gk

Just a passing thought... but both Mozilla and y'selves interact with a large (in the hundreds of millions) XP community. See

for detail.

How will this issue affect y'alls collective futures?

I can go where I like onna www and my laptop - Japanese made- is soooo reliable. I reformatted it in early 2014 and I still don't see the need for any upgrades.

It's not like I'm a rocket scientist planning to put someone onto Mars an' I desperately need the latest doodads to so do. I have a monthly 2Gb data cap and I'm hard-pressed to utilize it all.

I jus' don't see the sense of upgrading to Win 10/11/12/13 whatever in order to accommodate a web browser.

Any marketing wonk thinking/hoping/praying I'm now gonna be compelled to embrace the latest Windows or Apple offering is vaping the wrong stuff!

I thankfully avoided all the hassles associated with Vista, Win7, 8 and 10. And when I eventually do upgrade, the new OS - personal computers and autos - will all be thought-controlled.

Until then, y'all, stay well...

love tor

is there anything better than tor?

Thank you excellent!

great, but google drive is not working on tor

OK Thanks!

In WIN10 (in Chinese) running on a black square block of text, complete the configuration to scrape through memory, stop running after open the browser interface.

Reinstall the old version can be normal use.

Which old version do you mean? Do you have some antivirus software that could interfere with Tor Browser? If so, could you uninstall that one for testing and check whether things get better (disabling is often not enough)?

Is the Tor network still relevant to the general public?

Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

The few others which use it for political activism against repressive regimes will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017.

XP has been the OS choice of activists almost since its inception due to its ubiquity, simplicity and reliability. Later MS systems (Win10, various handheld gadgets etc) sold in dictatorships such as China, Russia and many Asian and African nations must comply with governmental modifications- modifications not only to the newest devices but also monitor and censor of the network of their local isps.

Also, exchange rate issues in these tyrannical and despotic regimes militate against the acquisition of more modern equipment -whether over the counter or via a smugglers route.

I daresay this also applies to the USA and EU to some degree -but there the various democratic movements have ensured that such "modifications" are strictly controlled by legislative authorities to only combat global terrorism.

It really helps, thanks a lot. :)

Upload speed is limited to 3 Mb/s on 32-bit Windows. While download speed remains unaffected. Speedtest service was used to test the bandwidth.
