Tor Browser 6.0a2 is released

A new alpha Tor Browser release is available for download in the 6.0a2 distribution directory and on the alpha download page.

This release features important security updates to Firefox. Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.

Additionally, we fixed a number of issues found with the release of Tor Browser 5.5, which were already addressed in Tor Browser 5.5.1.

Here is the complete changelog since 6.0a1:

Tor Browser 6.0a2 -- February 15 2016

  • All Platforms
    • Update Firefox to 38.6.1esr
    • Update NoScript to 2.9.0.3
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux

Tor Browser 5.5.2 is released

Tor Browser 5.5.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.

The full changelog since 5.5.1 is:

Tor Browser 5.5.2 -- February 12 2016

  • All Platforms
    • Update Firefox to 38.6.1esr
    • Update NoScript to 2.9.0.3

Tor Browser 5.5.1 is released

Tor Browser 5.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

Most notably, this release features fixes for regressions caused by our font fingerprinting defense: Chinese users should have a functional Tor Browser again and emoji support is restored on OS X and Linux systems (we are still working on a fix for Windows).

Moreover, we fixed an oversight in one of our patches which broke some websites depending heavily on iframes.

The full changelog since 5.5 is:

Tor Browser 5.5.1 -- February 5 2016

  • All Platforms
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux

Tor 0.2.8.1-alpha is released

Tor 0.2.8.1-alpha has been released! You can download the source from the Tor website. Packages should be available over the next several days.

Tor 0.2.8.1-alpha is the first alpha release in its series. It includes numerous small features and bugfixes against previous Tor versions, and numerous small infrastructure improvements. The most notable features are a set of improvements to the directory subsystem.

PLEASE NOTE: This is an alpha release. Expect a lot of bugs. You should really only run this release if you're willing to find bugs and report them.

Changes in version 0.2.8.1-alpha - 2016-02-04

  • Major features (security, Linux):
    • When Tor starts as root on Linux and is told to switch user ID, it can now retain the capability to bind to low ports. By default, Tor will do this only when it's switching user ID and some low ports have been configured. You can change this behavior with the new option KeepBindCapabilities. Closes ticket 8195.
  • Major features (directory system):
    • When bootstrapping multiple consensus downloads at a time, use the first one that starts downloading, and close the rest. This reduces failures when authorities or fallback directories are slow or down. Together with the code for feature 15775, this feature should reduce failures due to fallback churn. Implements ticket 4483. Patch by "teor". Implements IPv4 portions of proposal 210 by "mikeperry" and "teor".
    • Include a trial list of default fallback directories, based on an opt-in survey of suitable relays. Doing this should make clients bootstrap more quickly and reliably, and reduce the load on the directory authorities. Closes ticket 15775. Patch by "teor". Candidates identified using an OnionOO script by "weasel", "teor", "gsathya", and "karsten".
    • Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled directory requests that they receive through their ORPort. You can disable this behavior using the new DirCache option. Closes ticket 12538.

Tor Browser 6.0a1-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Note: There is no incremental update from 5.5a6-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 5.5a6-hardened:

  • All Platforms

    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.8.3
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)

Tor Browser 6.0a1 is released

A new alpha Tor Browser release is available for download in the 6.0a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

On the usability front we improved the setup wizard UI flow. We also changed the search bar URL for the DuckDuckGo search engine to its onion URL.

On the build system side, we switched the guest build VMs to Debian Wheezy for the Linux version (the previous versions were built using Ubuntu 10.04 LTS).

Here is the complete changelog since 5.5a6:

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.9
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18102+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
  • Build System
    • Linux
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we isolate Shared Workers to the first-party domain now and further improved our keyboard fingerprinting defense.

We also made progress on the usability side: first, by providing Tor Browser in another locale, Japanese; additionally, by showing the changes in the new Tor Browser version immediately after an update and polishing our about:tor appearance. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Tails 2.0 is out

We are especially proud to present Tails 2.0, the first version of Tails based on:

  • GNOME Shell, with lots of changes in the desktop environment.
  • Debian 8 (Jessie), which upgrades most included software and improves many things under the hood.

This release fixes many security issues and users should upgrade as soon as possible.

New features

Tails now uses the GNOME Shell desktop environment, in its Classic mode. GNOME Shell provides a modern, simple, and actively developed desktop environment. The Classic mode keeps the traditional Applications, Places menu, and windows list. Accessibility and non-Latin input sources are also better integrated.

To find your way around, read our introduction to GNOME and the Tails desktop.

Upgrades and changes

  • Debian 8 upgrades most included software, for example:

    • Many core GNOME utilities from 3.4 to 3.14: Files, Disks, Videos, etc.
    • LibreOffice from 3.5 to 4.3
    • PiTiVi from 0.15 to 0.93
    • Git from 1.7.10 to 2.1.4
    • Poedit from 1.5.4 to 1.6.10
    • Liferea from 1.8.6 to 1.10
  • Update Tor Browser to 5.5 (based on Firefox 38.6.0 ESR):

    • Add Japanese support.
  • Remove the Windows camouflage which is currently broken in GNOME Shell. We started working on adding it back but your help is needed!

  • Change to systemd as init system and use it to:

    • Sandbox many services using Linux namespaces and make them harder to exploit.
    • Make the launching of Tor and the memory wipe on shutdown more robust.
    • Sanitize our code base by replacing many custom scripts.
  • Update most firmware packages which might improve hardware compatibility.

  • Notify the user if Tails is running from non-free virtualization software.

  • Remove Claws Mail, replaced by Icedove, a rebranded version of Mozilla Thunderbird.

Fixed problems

  • HiDPI displays are better supported. (#8659)

  • Remove the option to open a download with an external application in Tor Browser as this is usually impossible due to the AppArmor confinement. (#9285)

  • Close Vidalia before restarting Tor.

  • Allow Videos to access the DVD drive. (#10455, #9990)

  • Allow configuring printers without administration password. (#8443)

Known issues

  • Tor Browser 5.5 introduces protection against fingerprinting but due to an oversight it is not enabled in Tails 2.0. However, this is not so bad for Tails users since each Tails system has the same fonts installed, and hence will look identical, so this only means that it's easy to distinguish whether a user of Tor Browser 5.5 uses Tails or not. That is already easy given that Tails has the AdBlock Plus extension enabled, unlike the normal Tor Browser.

See the current list of known issues.

Installing

We also completely redesigned our download and installation instructions to make it easier to get started with Tails.

For example, you can now verify the ISO image automatically from Firefox using a special add-on.

You can also install or upgrade Tails directly from Debian or Ubuntu using the tails-installer package.

Try our new installation assistant.

Upgrading

Tails changed so much since version 1.8.2 that it is impossible to provide an automatic upgrade. We recommend you follow our new manual upgrade instructions instead.

What's coming up?

The next Tails release is scheduled for March 6.

Have a look at our roadmap to see where we are heading.

We need your help and there are many ways to contribute to Tails (donating is only one of them). Come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.