
Tor Browser 5.5a4 is released

A new alpha Tor Browser release is available for download in the 5.5a4 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Moreover, it comes with Tor 0.2.7.4-rc and a number of other improvements. Most notably, we included Yan Zhu's fix for not leaking the Referer header when leaving a .onion domain, and we finally sorted out the HTTPS-Everywhere build problems, allowing us to ship its latest version in our bundles again.

We fixed usability issues caused by our font fingerprinting patches and included a new defense against fingerprinting users via available MIME types and plugins. Finally, besides additional minor bug fixes and clean-ups, we included an updated NoScript version.

Here is the complete changelog since 5.5a3:

  • All Platforms
    • Update Firefox to 38.4.0esr
    • Update Tor to 0.2.7.4-rc
    • Update NoScript to 2.6.9.39
    • Update HTTPS-Everywhere to 5.1.1
    • Update Torbutton to 1.9.4.1
      • Bug 9623: Spoof Referer when leaving a .onion domain
      • Bug 16620: Remove old window.name handling code
      • Bug 17164: Don't show text-select cursor on circuit display
      • Bug 17351: Remove unused code
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 17318: Remove dead ScrambleSuit bridge
    • Bug 17428: Remove default Flashproxy bridges
    • Bug 17473: Update meek-amazon fingerprint
  • Windows
    • Bug 17250: Add localized font names to font whitelist
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
  • Linux
    • Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)

Tor Browser 5.0.4 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we included Yan Zhu's fix for not leaking the Referer header when leaving a .onion domain and are shipping an updated NoScript version.

These and all the other changes (minor bug fixes and clean-ups) can be found in the complete changelog since 5.0.3:

  • All Platforms
    • Update Firefox to 38.4.0esr
    • Update NoScript to 2.6.9.39
    • Update Torbutton to 1.9.3.5
      • Bug 9623: Spoof Referer when leaving a .onion domain
      • Bug 16735: about:tor should accommodate different fonts/font sizes
      • Bug 16937: Don't translate the homepage/spellchecker dictionary string
      • Bug 17164: Don't show text-select cursor on circuit display
      • Bug 17351: Remove unused code
      • Translation updates
    • Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
    • Bug 17318: Remove dead ScrambleSuit bridge
    • Bug 17473: Update meek-amazon fingerprint
    • Bug 16983: Isolate favicon requests caused by the tab list dropdown
    • Bug 17102: Don't crash while opening a second Tor Browser
  • Windows
    • Bug 16906: Don't depend on Windows crypto DLLs
  • Linux
    • Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)

Tor Browser 5.5a3 is released

A new alpha Tor Browser release is available for download in the 5.5a3 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Beginning with this alpha version, Tor Browser is available in Japanese as well. In addition, it contains usability improvements for our font fingerprinting defense, a better notification of Tor Browser changes after an update, and fixes for regressions that were caused by our switch to ESR 38 back in August.

Here is the complete changelog since 5.5a2:

  • All Platforms
    • Update Firefox to 38.3.0esr
    • Update Torbutton to 1.9.4
      • Bug 16937: Don't translate the homepage/spellchecker dictionary string
      • Bug 16735: about:tor should accommodate different fonts/font sizes
      • Bug 16887: Update intl.accept_languages value
      • Bug 15493: Update circuit display on new circuit info
      • Bug 16797: brandShorterName is missing from brand.properties
      • Translation updates
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17102: Don't crash while opening a second Tor Browser
    • Bug 16983: Isolate favicon requests caused by the tab list dropdown
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
    • Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
    • Bug 16837: Disable Firefox Hotfix updates
    • Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
    • Bug 16781: Allow saving pdf files in built-in pdf viewer
    • Bug 16842: Restore Media tab on Page information dialog
    • Bug 16727: Disable about:healthreport page
    • Bug 16783: Normalize NoScript default whitelist
    • Bug 16775: Fix preferences dialog with security slider set to "High"
    • Bug 13579: Update download progress bar automatically
    • Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
    • Bug 17046: Event.timeStamp should not reveal startup time
    • Bug 16872: Fix warnings when opening about:downloads
    • Bug 17097: Fix intermittent crashes when using the print dialog
  • Windows
    • Bug 16906: Fix Mingw-w64 compilation breakage
    • Bug 16707: Allow more system fonts to get used on Windows
  • OS X
    • Bug 16910: Update copyright year in OS X bundles
    • Bug 16707: Allow more system fonts to get used on OS X
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Update: It seems claiming that our builds are reproducible with LXC as well now was a bit premature (see bug 12240 for details). Thus, this part got removed from the changelog.

Tor Browser 5.0.3 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

We fixed a number of regressions from our switch to ESR 38 back in August and reduced keyboard layout fingerprinting, to mention just some highlights.

These and all the other changes can be found in the complete changelog since 5.0.2:

  • All Platforms
    • Update Firefox to 38.3.0esr
    • Update Torbutton to 1.9.3.4
      • Bug 16887: Update intl.accept_languages value
      • Bug 15493: Update circuit display on new circuit info
      • Bug 16797: brandShorterName is missing from brand.properties
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
    • Bug 16837: Disable Firefox Hotfix updates
    • Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
    • Bug 16781: Allow saving pdf files in built-in pdf viewer
    • Bug 16842: Restore Media tab on Page information dialog
    • Bug 16727: Disable about:healthreport page
    • Bug 16783: Normalize NoScript default whitelist
    • Bug 16775: Fix preferences dialog with security slider set to "High"
    • Bug 13579: Update download progress bar automatically
    • Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
    • Bug 17046: Event.timeStamp should not reveal startup time
    • Bug 16872: Fix warnings when opening about:downloads
    • Bug 17097: Fix intermittent crashes when using the print dialog
  • Windows
    • Bug 16906: Fix Mingw-w64 compilation breakage
  • OS X
    • Bug 16910: Update copyright year in OS X bundles

Tor Browser 5.5a2 is released

A new release for the alpha Tor Browser is available for download in the 5.5a2 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Additionally, we included the crash bug fix that was already available in the stable series and a small fix for Unity and Gnome users on Linux. Also, we updated the NoScript version we ship.

Here is the complete changelog since 5.5a1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
    • Bug 16771: Fix crash on some websites due to blob URIs
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Tor Browser 5.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we updated the NoScript version we ship and included a small fix for Unity and Gnome users on Linux.

Here is the complete changelog since 5.0.1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Tor Browser 5.0.1 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release fixes a crash bug that caused Tor Browser to crash on certain sites (in particular, Google Maps and Tumblr). The crash bug was a NULL pointer dereference while handling blob URIs. The crash was not exploitable.

Here is the complete changelog since 5.0:

  • All Platforms
    • Bug 16771: Fix crash on some websites due to blob URIs

Tor Browser 5.5a1 is released

The Tor Browser Team is proud to announce the first alpha release in the 5.5 series. The release is available for download in the 5.5a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox. In particular, while the recent PDF.js exploit did not affect 4.5 users, it does affect users of 5.0a3 and 5.0a4. Although the High security level of the Security Slider also prevented the exploit from working against even those users, all alpha users are still strongly encouraged to upgrade as soon as possible.

In addition to fixing these security issues, the remaining major issues with Firefox 38 from 5.0a4 were also fixed. This release also features improvements to fingerprinting defenses. In particular, we continue to refine our font fingerprinting defense that was added in 5.0a4. With this defense, Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases. Interested users are encouraged to help us refine this defense by commenting on the associated ticket in our bugtracker.

This release will also reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Here is the complete changelog since 5.0a4:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update NoScript to 2.6.9.34
    • Update Torbutton to 1.9.3.3
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 14429: Make sure the automatic resizing is enabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16311: Fix navigation timing in ESR 38
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 16672: Change font whitelists and configs for rendering issues (partial)

Tor Browser 5.0 is released

The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because numerous other potential security issues were fixed by Mozilla in this release. (Incidentally: users of the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue.)

This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on YouTube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.

The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.

Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.

This release will also reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Starting with this release, Tor Browser will also download and apply upgrades in the background, to ensure that users upgrade more quickly and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

Here is the complete changelog since 4.5.3:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.34
    • Update meek to 0.20
    • Update Tor to 0.2.6.10 with patches:
      • Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
      • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update Torbutton to 1.9.3.2
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
    • Bug 13247: Fix meek profile error after browser restarts
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 15910: Disable Gecko Media Plugins for now
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results.
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
    • Bug 16311: Fix navigation timing in ESR 38
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
    • Bug 15773: Enable ICU on OS X
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
    • Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt

Tor Browser 5.0a4 is released

The Tor Browser Team is proud to announce the second alpha release based on Firefox 38 ESR. This release is also the fourth and final alpha in the 5.0 series. The release is available for download in the 5.0a4 distribution directory and on the alpha download page.

Most notably, this release contains an experimental defense against font fingerprinting by using an identical set of shipped fonts on all supported platforms. We've also updated the versions of several Tor Browser components, including updating Tor to 0.2.7.2-alpha. The 5.0-stable release will be based on Tor 0.2.6-latest, however.

Last but not least we fixed a lot of important bugs that were due to our switch to Firefox 38 ESR, including issues with major websites such as Twitter. This release brings us very close to a stable Tor Browser 5.0, which we aim to release next week. Unless we hear about additional issues, not much will change between 5.0a4 and 5.0-stable, aside from the Tor version and possibly the font defense.

Here is the complete changelog since 5.0a3:

  • All Platforms
    • Update Tor to 0.2.7.2-alpha with patches
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.31
    • Update Torbutton to 1.9.3.1
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Translation updates
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent IndexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16005: Restrict WebGL minimal mode a bit (fixup)
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
  • Build System
    • Bug 15864: Rename sha256sums.txt to sha256sums-unsigned-build.txt