tbb

Tor Browser 6.5a4 is released

Tor Browser 6.5a4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Other components got an update as well: Tor to 0.2.9.5-alpha, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.2j.

This release includes numerous bug fixes and improvements. Most notably we improved our Unix domain socket support by resolving all the issues that showed up in the previous alpha and by making sure all connections to tor (not only the control port related ones) are using this feature on OS X and Linux now.

Additionally, we fixed a lot of usability bugs, some caused by Apple's macOS Sierra (meek did not work anymore and windows could not be dragged either). Others were caused by our window resizing logic. We moved that logic into a C++ patch which we hope to get upstreamed into Firefox. We also improved the usability of our security slider by reducing the number of security levels available and redesigning the custom mode.

Finally, we added a donation banner shown in some localized bundles starting on Nov 23 in order to point to our end-of-the-year 2016 donation campaign.

Update (11/16 2215UTC): We currently have problems with our auto-updater at least on Linux systems. The updates are downloaded but don't get applied for yet unknown reasons. We therefore have decided to disable the automatic updates until we understand the problem and provide a fix for it. Progress on that task can be tracked in ticket 20691 in our bug tracker. We are sorry for this inconvenience. Fresh bundles are available on our download page, though.

Update (11/17 1012UTC): After some investigation and testing it turned out that the Windows platform is not affected by the updating problems. We therefore have enabled updates for it again. Updates for OS X and Linux stay disabled while we are trying to get to the bottom of our problems and to provide fixes/workarounds for them.

Update (11/17 1422UTC): Updates for OS X are enabled now as well, as Mac systems are not affected by the bug in the updater code either.

Update (11/18 0953UTC): Updates for Linux are enabled now as well, with an information prompt listing the workarounds. One of the following workarounds can be used to avoid the updater error:

  • in about:config, set app.update.staging.enabled to false before attempting to update
  • in about:config, set extensions.torlauncher.control_port_use_socket to false (disabling the control port Unix domain socket) and restart the browser before attempting to update

Here is the full changelog since 6.5a3:

  • All Platforms
    • Update Firefox to 45.5.0esr
    • Update Tor to tor-0.2.9.5-alpha
    • Update OpenSSL to 1.0.2j
    • Update Torbutton to 1.9.6.7
      • Bug 20414: Add donation banner on about:tor for 2016 campaign
      • Bug 20111: Use Unix domain sockets for SOCKS port by default
      • Bug 19459: Move resizing code to tor-browser.git
      • Bug 20264: Change security slider to 3 options
      • Bug 20347: Enhance security slider's custom mode
      • Bug 20123: Disable remote jar on all security levels
      • Bug 20244: Move privacy checkboxes to about:preferences#privacy
      • Bug 17546: Add tooltips to explain our privacy checkboxes
      • Bug 17904: Allow security settings dialog to resize
      • Bug 18093: Remove 'Restore Defaults' button
      • Bug 20373: Prevent redundant dialogs opening
      • Bug 20388+20399+20394: Code clean-up
      • Translation updates
    • Update Tor Launcher to 0.2.10.2
      • Bug 20111: Use Unix domain sockets for SOCKS port by default
      • Bug 20185: Avoid using Unix domain socket paths that are too long
      • Bug 20429: Do not open progress window if tor doesn't get started
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.7
    • Update meek to 0.25
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
    • Bug 20304: Support spaces and other special characters for SOCKS socket
    • Bug 20490: Fix assertion failure due to fix for bug 20304
    • Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
    • Bug 20442: Backport fix for local path disclosure after drag and drop
    • Bug 20160: Backport fix for broken MP3-playback
    • Bug 20043: Isolate SharedWorker script requests to first party
    • Bug 20123: Always block remote jar files
    • Bug 20244: Move privacy checkboxes to about:preferences#privacy
    • Bug 19838: Add dgoulet's bridge and add another one commented out
    • Bug 19481: Point the update URL to aus1.torproject.org
    • Bug 20296: Rotate ports again for default obfs4 bridges
    • Bug 20651: DuckDuckGo does not work with JavaScript disabled
    • Bug 20399+15852: Code clean-up
  • Windows
    • Bug 20342: Add tor-gencert.exe to expert bundle
    • Bug 18175: Maximizing window and restarting leads to non-rounded window size
    • Bug 13437: Rounded inner window accidentally grows to non-rounded size
  • OS X
    • Bug 20204: Windows don't drag on macOS Sierra anymore
    • Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
    • Bug 20590: Badly resized window due to security slider notification bar on OS X
    • Bug 20439: Make the build PIE on OSX
  • Linux
    • Bug 15953: Weird resizing dance on Tor Browser startup
  • Build System
    • All Platforms
    • OS X
      • Bug 20258: Make OS X Tor archive reproducible again
      • Bug 20184: Make OS X builds reproducible again
      • Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

Tor Browser 6.0.6 is released

Tor Browser 6.0.6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release is updating Firefox to 45.5.0esr. Moreover, other components got an update as well: Tor to 0.2.8.9, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.1u.

We fixed a lot of usability bugs, some caused by Apple's macOS Sierra (meek did not work anymore and windows could not be dragged either). We moved directly to DuckDuckGo as our search engine, avoiding a roundtrip to Disconnect.me first. Finally, we added a donation banner shown in some localized bundles starting on Nov 23 in order to point to our end-of-the-year 2016 donation campaign.

Here is the full changelog since 6.0.5:

  • All Platforms
    • Update Firefox to 45.5.0esr
    • Update Tor to 0.2.8.9
    • Update OpenSSL to 1.0.1u
    • Update Torbutton to 1.9.5.12
      • Bug 20414: Add donation banner on about:tor for 2016 campaign
      • Translation updates
    • Update Tor Launcher to 0.2.9.4
      • Bug 20429: Do not open progress window if tor doesn't get started
      • Bug 19646: Wrong location for meek browser profile on OS X
    • Update HTTPS-Everywhere to 5.2.7
    • Update meek to 0.25
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
    • Bug 19838: Add dgoulet's bridge and add another one commented out
    • Bug 20296: Rotate ports again for default obfs4 bridges
    • Bug 19735: Switch default search engine to DuckDuckGo
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
  • Windows
    • Bug 20342: Add tor-gencert.exe to expert bundle
  • OS X
    • Bug 20204: Windows don't drag on macOS Sierra anymore
    • Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
  • Build system
    • All platforms

Announcing the Tor Browser User Manual

The community team is excited to announce the new Tor Browser User Manual!

The manual is currently only available in English. We will be adding more languages in the near future, as well as adding the manual to Transifex.

During the creation of this manual, community feedback was requested over various mailing lists / IRC channels. We understand that many people who read this blog are not part of these lists / channels, so we would like to request that if you find errors in the manual or have feedback about how it could be improved, please open a ticket on our bug tracker and set the component to "community".

This manual is part of an ongoing effort to foster wider adoption of Tor, and provide better support to all users, new and old. We'll soon have some more exciting new developments to share about our user support efforts, so stay tuned.

Thanks for using Tor!

Tor Browser 6.5a3-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.5a3-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

In addition to the changes from Tor Browser 6.5a3, the creation of incremental MARs for hardened builds is now fixed.

Note: Due to bug 20185 Tor Browser will not work correctly if the path where it is installed is too long. As a workaround you may need to move it to a directory with a shorter path.

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.9.2-alpha
    • Update OpenSSL to 1.0.2h (bug 20095)
    • Update Torbutton to 1.9.6.4
      • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
      • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
      • Bug 19837: Whitelist internal URLs that Firefox requires for media
      • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
      • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
      • Bug 14271: Make Torbutton work with Unix Domain Socket option
      • Translation updates
    • Update Tor Launcher to 0.2.11
      • Bug 14272: Make Tor Launcher work with Unix Domain Socket option
      • Bug 19568: Set CurProcD for Thunderbird/Instantbird
      • Bug 19432: Remove special handling for Instantbird/Thunderbird
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.4
    • Update NoScript to 2.9.0.14
    • Bug 19851: Fix ASan error by upgrading GCC to 5.4.0
    • Bug 17858: Fix creation of incremental MARs for hardened builds
    • Bug 14273: Backport patches for Unix Domain Socket support
    • Bug 19890: Disable installation of system addons
    • Bug 17334: Spoof referrer when leaving a .onion domain
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
    • Bug 19336+19835: Enhance about:tbupdate page
  • Build system
    • All platforms
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version

Tor Browser 6.5a3 is released

Tor Browser 6.5a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

This release bumps the versions of several of our components: Firefox to 45.4.0esr, Tor to 0.2.9.2-alpha, OpenSSL to 1.0.2h, HTTPS-Everywhere to 5.2.4, and NoScript to 2.9.0.14. Additionally, we are adding Unix Domain Socket support on Linux and OS X, the about:tbupdate page giving information about the update has been improved, and the referrer spoofing for .onion domains has been moved from Torbutton to C++ patches.

Note: Due to bug 20185 Tor Browser on Linux and OS X will not work correctly if the path where it is installed is too long. As a workaround you may need to move it to a directory with a shorter path.
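
The failure mode behind bug 20185, as an added example that is not code from Tor Launcher or from this post: a Unix domain socket address keeps its path in the fixed-size `sun_path` array (108 bytes on Linux, 104 on OS X), so a deep install directory can push the socket path past what fits. The function names, the sample directories and the relative socket path are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Size of sun_path on this platform, terminating NUL included
 * (108 bytes on Linux, 104 on OS X). */
#define SUN_PATH_CAP (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Bytes by which "<install_dir>/<rel_socket>" plus its NUL exceeds
 * sun_path; 0 means the socket path fits. */
size_t unix_path_overflow(const char *install_dir, const char *rel_socket)
{
    size_t need = strlen(install_dir) + 1 + strlen(rel_socket) + 1;
    return need > SUN_PATH_CAP ? need - SUN_PATH_CAP : 0;
}

/* Build the address for bind()/connect(). Returns 0 on success, or -1 with
 * errno = ENAMETOOLONG when the path would not fit (no silent truncation)
 * and errno = EINVAL for an empty path. */
int make_unix_addr(const char *path, struct sockaddr_un *addr, socklen_t *len)
{
    size_t n;

    if (path == NULL || path[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    n = strlen(path);
    if (n >= SUN_PATH_CAP) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample values: a short and a deeply nested install dir,
     * and a hypothetical socket location relative to it. */
    const char *rel = "Data/Tor/control.socket";
    const char *dirs[] = {
        "/home/user/tor-browser",
        "/home/user/Downloads/archive/2016/browsers/privacy/alpha-builds/"
        "tor-browser_en-US/extracted/copy-of-copy/Browser/TorBrowser",
    };
    char path[512];
    struct sockaddr_un addr;
    socklen_t len;
    size_t i;

    for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
        snprintf(path, sizeof(path), "%s/%s", dirs[i], rel);
        if (make_unix_addr(path, &addr, &len) == 0)
            printf("ok   (%zu bytes): %s\n", strlen(path), path);
        else
            printf("FAIL (%zu bytes over the %zu-byte limit): %s\n",
                   unix_path_overflow(dirs[i], rel), (size_t)SUN_PATH_CAP, path);
    }
    return 0;
}
```

Checking the length before filling `sun_path` turns a confusing connection failure into an explicit error that can tell the user to move the bundle to a shorter path.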

Update (9/22 07:15 UTC): We got reports about updates failing on OS X systems. We are still investigating the problem but this is likely due to a combination of issues. For one we might have introduced a permission problem by trying to get our incremental updates working again. Secondly, unix domain socket paths for the control port that contain spaces are not working. See comment 5 in bug 20210 for a preliminary analysis and workarounds. We are sorry for the inconvenience.

Here is the full changelog since 6.5a2:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.9.2-alpha
    • Update OpenSSL to 1.0.2h (bug 20095)
    • Update Torbutton to 1.9.6.4
      • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
      • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
      • Bug 19837: Whitelist internal URLs that Firefox requires for media
      • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
      • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
      • Bug 14271: Make Torbutton work with Unix Domain Socket option
      • Translation updates
    • Update Tor Launcher to 0.2.10.1
      • Bug 14272: Make Tor Launcher work with Unix Domain Socket option
      • Bug 19568: Set CurProcD for Thunderbird/Instantbird
      • Bug 19432: Remove special handling for Instantbird/Thunderbird
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.4
    • Update NoScript to 2.9.0.14
    • Bug 14273: Backport patches for Unix Domain Socket support
    • Bug 19890: Disable installation of system addons
    • Bug 17334: Spoof referrer when leaving a .onion domain
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
    • Bug 19336+19835: Enhance about:tbupdate page
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
    • OS X
      • Bug 19856: Make OS X builds reproducible again
      • Bug 19410: Fix incremental updates by taking signatures into account

Tor Browser 6.0.5 is released

Tor Browser 6.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).

Thanks to everyone who helped investigate this bug and get a bugfix release out as fast as possible.

We are currently building the alpha and hardened bundles (6.5a3 and 6.5a3-hardened) that will contain the fix for alpha/hardened channel users. We expect them to get released at the beginning of next week. Until then users are strongly encouraged to use Tor Browser 6.0.5.

Apart from fixing Firefox vulnerabilities this release comes with a new Tor stable version (0.2.8.7), an updated HTTPS-Everywhere (5.2.4), and fixes minor bugs.

Here is the full changelog since Tor Browser 6.0.4:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.8.7
    • Update Torbutton to 1.9.5.7
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
    • Update HTTPS-Everywhere to 5.2.4
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
  • Windows
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Upgrade Go to 1.4.3

Tor Browser 6.0.4 is released

Tor Browser 6.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release finally brings Tor Browser users the latest Tor stable, 0.2.8.6, and avoids pinging Mozilla's servers for system extensions.

Pinging Mozilla's servers was responsible for users getting an extension into their Tor Browser that resulted in annoying and confusing "Your Firefox is out of date" notifications on start-up (bug 19890). Thanks to Mozilla engineers, who fixed that issue as quickly as possible on their side, the extension is not shipped to Tor Browser users anymore since August 11 13:00 UTC. This takes care of getting the add-on removed as well in case it got installed into Tor Browser (as does the fix we ship in Tor Browser 6.0.4) which should have happened/is happening during the next extension update ping. For further information see the discussion in our bug tracker.

Users that are on the alpha channel or are using the hardened Tor Browser were not affected. The same goes for Tails users as far as we know.

The full changelog since Tor Browser 6.0.3 is:

Tor Browser 6.0.4 -- August 16

  • All Platforms
    • Update Tor to 0.2.8.6
    • Update NoScript to 2.9.0.14
    • Bug 19890: Disable installation of system addons

Tor Browser 6.5a2-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.5a2-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

In addition to the changes from Tor Browser 6.5a2, this release integrates Selfrando. For more details about Selfrando integration in Tor Browser, see the Q and A with Georg Koppen and the Selfrando git repository.

Here is the full changelog since 6.5a1-hardened:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Tor to tor-0.2.8.5-rc
    • Update Torbutton to 1.9.6.1
      • Bug 19689: Use proper parent window for plugin prompt
      • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
      • Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
      • Bug 19273: Improve external app launch handling and associated warnings
      • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 17406: Include Selfrando into our hardened builds
    • Bug 19417: Disable asmjs for now
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
    • Bug 19273: Write C++ patch for external app launch handling
    • Bug 16998: Isolate preconnect requests to URL bar domain
    • Bug 18923: Add script to run all Tor Browser regression tests
    • Bug 19478: Prevent millisecond resolution leaks in File API
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
    • Bug 19735: Switch default search engine to DuckDuckGo
    • Bug 19276: Disable Xrender due to possible performance regressions
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Build System
    • All Platforms

Tor Browser 6.5a2 is released

Tor Browser 6.5a2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 45.3.0esr and contains the improvements that went into Tor Browser 6.0.3. Additionally, Tor is updated to 0.2.8.5-rc, the default search engine has been switched to DuckDuckGo, and resource URLs are blocked to avoid fingerprinting.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Here is the full changelog since 6.5a1:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Tor to tor-0.2.8.5-rc
    • Update Torbutton to 1.9.6.1
      • Bug 19689: Use proper parent window for plugin prompt
      • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
      • Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
      • Bug 19273: Improve external app launch handling and associated warnings
      • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19417: Disable asmjs for now
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
    • Bug 19273: Write C++ patch for external app launch handling
    • Bug 16998: Isolate preconnect requests to URL bar domain
    • Bug 18923: Add script to run all Tor Browser regression tests
    • Bug 19478: Prevent millisecond resolution leaks in File API
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
    • Bug 19735: Switch default search engine to DuckDuckGo
  • Windows
    • Bug 19348: Adapt to more than one build target on Windows (fixes updates)
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19276: Disable Xrender due to possible performance regressions
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined
  • Build System
    • All Platforms

Tor Browser 6.0.3 is released

Tor Browser 6.0.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 45.3.0esr. Additionally, it bumps NoScript to 2.9.0.12, HTTPS-Everywhere to 5.2.1, disables asmjs, removes meek-google and contains a few other bug fixes.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Update (August 11, 10:04 UTC): Starting from a couple of hours ago Tor Browser users might see a notification box in their browser claiming that Firefox is too old and providing a button to get a newer one. This is both due to a server-side code change on Mozilla's side and an oversight by us during the ESR45 transition. Clicking on the "Get Firefox" button is safe and leads the user to our Tor Browser download page. Needless to say, this whole behavior is highly confusing and we apologize for it. We are working on a fix as quickly as possible and hope to get Mozilla to exempt Tor Browser users from this feature while we are working on a new release. For technical details see our bug tracker.

Here is the full changelog since 6.0.2:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Torbutton to 1.9.5.6
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined