Tor Browser 7.0a2-hardened is released

A new hardened Tor Browser release is available. It can be found in the 7.0a2-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

This hardened alpha release mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.3.0.4-rc, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In the previous release we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change, however, breaks the Session Manager add-on. Users who consider having extensions like that one working much more important than avoiding the possible information leakage associated with these URIs can now set the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference to 'true', which disables our defense against this type of fingerprinting.

Another known regression is the resizing of the window. We are currently working on a fix for this issue.

The full changelog since Tor Browser 7.0a1-hardened is:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Update Tor to 0.3.0.4-rc
    • Update OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.7.1
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Bug 21324: Don't update NoScript button with timer update
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
  • Build system
    • Bug 17034: Use our built binutils and GCC for building tor
    • Code clean-up


When will Selfrando land in the alpha series? Thank you

We hope in 7.0a3. At least we plan to do so for Linux 64 bit bundles. https://trac.torproject.org/projects/tor/ticket/20683 tracks this effort and has a patch up for review.

OpenSSL to 1.0.1k
and
OpenSSL to 1.0.2k
referred in article. One reference is wrong. Please update article.

Corrected. Thanks.

;)

I want to join the hidden network

I hope it comes to mobile soon. ^-^

Are you talking about the hardened version or just the regular version? Since the latter is already available in mobile (Orbot+Orfox for Android and Onion Browser by Mike Tigas for iOS).

me too

Twitter RT and Like buttons don't work on Tor Browser.
"Sorry Something gonna wrong" info appeared

Yes, this is bug 21555 (https://trac.torproject.org/projects/tor/ticket/21555). It will be solved in the next release.

thanks

The hardened version, I'm assuming isn't released yet for mobile.

Correct, and there are no plans to do so.

when an update to mobile (orfox )

Does Tor have any vulnerabilities that were highlighted in the Wikileaks dump?

No. https://search.wikileaks.org/?query=tor+&exact_phrase=&any_of=&exclude_words=&document_date_start=&document_date_end=&released_date_start=&released_date_end=&publication_type[]=51&new_search=False&order_by=most_relevant#results

What about https://www.hackerone.com/product/community ?

What .exe files of Tor Browser need to be unlocked in a firewall?

I can't connect to the Tor Network.

Help please, I'm a journalist.

all of my history and bookmarks have been deleted when I did the update!!!!
solutions please !!

Launching './Browser/start-tor-browser --detach --debug'...
==9686==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
...

Does hardened Tor Browser work in hardened Linux?

> Does hardened Tor Browser work in hardened Linux?

No. ASan and PaX are incompatible with each other. Of the two, PaX is more useful.

Firefox though works fine in hardened Linux. Will there be a version of Tor Browser for hardened Linux?

> Firefox though works fine in hardened Linux.

If your definition of "works fine" is "need to disable MPROTECT" then sure? Firefox isn't built with ASan either, and likewise would be incompatible with PaX if it were.

> Will there be a version of Tor Browser for hardened Linux?

Anything that's not built with ASan works as well as normal firefox does.

I'm using apparmor over tor-browser.tor-browser_en-US.start-tor-browser.desktop

270 lines, generated during couple of hours.... works well..

It is asking sometimes for update, however, I have deny such options... etc...

How to increase the number of middle nodes? I'm aware of the trade-off between security and speed. Thanks.

Confused about when future editions of Tor Browser and Tails will use/require:

o various hardening features (selfrando, PAX)

o based on Debian 9 (stretch, soon to be the new stable)

Also confused about how these changes will affect the onion mirrors for people who use Debian OS and update using the onion mirrors. Also confused about the security of installing from Debian repos--- someone said in this blog that there is no security except for the bare bones Debian and no-one has contradicted this. I hope that person was wrong.

Any information would be appreciated!

IS THERE NOT ONE BROWSER THAT IS JUST BASIC AND DOES THE JOB WITH PRIVACY AND SECURITY INSTEAD OF CONSTANTLY REQUIRING OR NEEDING TO BE UPDATED? AFTER ALL ITS JUST BASIC CODES AND ALL RIGHT? ISN'T THERE A SIMPLE METHOD TO JUST BLOCK EVERYTHING AND THATS IT? A SILVER BULLET? MAYBE ITS MORE COMPLICATED THAN PEOPLE THINK?

first, i think your keyboard is broken.

second, if this was just basic codes then why don't you contribute to the code then.

+1000

um

is your keyboard broken bro ?

should i be using this over normal browser ?

This is an alpha version testing new hardening features and helping us to debug things. I think it might be worthwhile using the stable Tor Browser instead in your case.

Love just for you!!

Why Orfox (android) is never updated?

what is the ?
how to access dare web by this browser ?

Hey there,
are you planning to switch to the next ESR version (Firefox 52) in the near future?

A few days ago suddenly v 6.5 would not connect to the onion network so downloaded 7.2 still no luck even if I try changing to bridges. Works fine in normal non onion sites so anyone else got this and a fix? Using Win XP could that be the reason?

We need real tests for hardening, not checks: https://forums.freebsd.org/threads/46435/#post-283009

You can try running with ASAN_OPTIONS=fast_unwind_on_malloc=0 to get complete stack traces.
