tor browser

Tor Browser 6.0.2 is released

Tor Browser 6.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 6.0.2 is a fixup release to address the most pressing issues we found after switching to Firefox 45.2.0esr.

In particular, we resolved a possible crash bug visible e.g. on Faceboook or mega.nz and we fixed the broken PDF download button in the PDF reader.

Note: In version 6.0 we started code signing the OS X bundle for Gatekeeper support. A side effect of this signature is that it makes it harder to compare the bundles we ship with the bundles produced using reproducible builds, therefore we plan to post instructions for removing the OS X code signing parts on our website soon. An other effect is that the incremental update will not be working for users who installed the previous version using the .dmg file, due to bug 19410. The internal updater should still work, though, doing a complete update.

Update (June 23, 12:38 UTC): We have still some users that report crashes on Facebook and mega.nz. We suspect this happens because those users are not using Tor Browser in its default configuration but have left the Private Browsing Mode. There are at least two workarounds for this: 1) Using a clean new Tor Browser 6.0.2 (including a new profile) solves the problem. 2) As files cached by those websites in the Tor Browser profile are causing the crashes, deleting them helps as well. See bug 19400 for more details in this regard.

Here is the full changelog since 6.0.1:

  • All Platforms
    • Update Torbutton to 1.9.5.5
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
  • Windows
    • Bug 19348: Adapt to more than one build target on Windows (fixes updates)
  • Linux
    • Bug 19276: Disable Xrender due to possible performance regressions

Tor Browser 6.5a1-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.5a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Tor Browser 6.5a1-hardened is the first hardened release in our 6.5 series. It updates Firefox to 45.2.0esr and contains all the improvements that went into Tor Browser 6.0. Compared to that there are additional noteworthy things that went into this alpha release: we bumped the Tor version to 0.2.8.3-alpha and backported additional security features: exploiting the JIT compiler got made harder and support for SHA1 HPKP pins got removed.

On the infrastructure side, we are now using fastly to deliver the update files. We thank them for their support.

Note: There is no incremental update from 6.0a5-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a5-hardened:

  • All Platforms
    • Update Firefox to 45.2.0esr
    • Update Tor to 0.2.8.3-alpha
    • Update Torbutton to 1.9.6
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Bug 18980: Remove obsolete toolbar button code
      • Bug 18238: Remove unused Torbutton code and strings
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.8.5
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 12523: Mark JIT pages as non-writable
    • Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
    • Bug 19164: Remove support for SHA-1 HPKP pins
    • Bug 19186: KeyboardEvents are only rounding to 100ms
    • Bug 18884: Don't build the loop extension
    • Bug 19187: Backport fix for crash related to popup menus
    • Bug 19212: Fix crash related to network panel in developer tools
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Linux
    • Bug 19189: Backport for working around a linker (gold) bug
  • Build System
    • All PLatforms
      • Bug 18333: Upgrade Go to 1.6.2
      • Bug 18919: Remove unused keys and unused dependencies
      • Bug 18291: Remove some uses of libfaketime
      • Bug 18845: Make zip and tar helpers generate reproducible archives

Tor Browser 6.5a1 is released

A new alpha Tor Browser release is available for download in the 6.5a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Tor Browser 6.5a1 is the first release in our 6.5 series. It updates Firefox to 45.2.0esr and contains all the improvements that went into Tor Browser 6.0. Compared to that there are additional noteworthy things that went into this alpha release: we bumped the Tor version to 0.2.8.3-alpha and backported additional security features: exploiting the JIT compiler got made harder and support for SHA1 HPKP pins got removed.

On the infrastructure side, we are now using fastly to deliver the update files. We thank them for their support.

Here is the complete changelog since 6.0a5:

  • All Platforms
    • Update Firefox to 45.2.0esr
    • Update Tor to 0.2.8.3-alpha
    • Update Torbutton to 1.9.6
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Bug 18980: Remove obsolete toolbar button code
      • Bug 18238: Remove unused Torbutton code and strings
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 12523: Mark JIT pages as non-writable
    • Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
    • Bug 19164: Remove support for SHA-1 HPKP pins
    • Bug 19186: KeyboardEvents are only rounding to 100ms
    • Bug 18884: Don't build the loop extension
    • Bug 19187: Backport fix for crash related to popup menus
    • Bug 19212: Fix crash related to network panel in developer tools
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • OS X
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Linux
    • Bug 19189: Backport for working around a linker (gold) bug
  • Build System
    • All PLatforms
      • Bug 18333: Upgrade Go to 1.6.2
      • Bug 18919: Remove unused keys and unused dependencies
      • Bug 18291: Remove some uses of libfaketime
      • Bug 18845: Make zip and tar helpers generate reproducible archives

Tor Browser 6.0.1 is released

Tor Browser 6.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 6.0.1 is the first point release in our 6.0 series. It updates Firefox to 45.2.0esr, contains fixes for two crash bugs and does not ship the loop extension anymore.

Update (June, 8, 12:28 UTC): We just found out that our incremental updates for Windows users were not working. After a short investigation this issue could get resolved and incremental updates are working again. One of the unfortunate side effects of this bug was that all users upgrading from 6.0 got the English 6.0.1 version. The safest way to get a properly localized Tor Browser again is to download it from our homepage. We are sorry for any inconvenience due to this.

Update 2 (June, 10, 9:17 UTC): Linux users that hit serious performance regressions with Tor Browser 6.x might want to try setting gfx.xrender.enabled to false. For a detailed discussion of this problem see bug 19267.

Update 3 (June, 10, 9:22 UTC): We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

Update 4 (June, 15, 8:34 UTC): There are a number of users reporting crashes on mega.nz and Facebook. We are still investigating this bug and are working on a fix. Meanwhile there are at least two ways to avoid those crashes: 1) Using a clean new Tor Browser 6.0.1 (including a new profile) solves the problem. 2) As files cached by those websites in the Tor Browser profile are somehow related to the crashes, deleting them helps as well. See bug 19400 for more details in this regard.

Here is the full changelog since 6.0:

  • All Platforms

    • Update Firefox to 45.2.0esr
    • Bug 18884: Don't build the loop extension
    • Bug 19187: Backport fix for crash related to popup menus
    • Bug 19212: Fix crash related to network panel in developer tools
  • Linux

    • Bug 19189: Backport for working around a linker (gold) bug

Tor Browser 6.0 is released

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean a better support for HTML5 video on Youtube, as well as a host of other improvements.

Beginning with the 6.0 series code-signing for OS X systems is introduced. This should help our users who had trouble with getting Tor Browser to work on their Mac due to Gatekeeper interference. There were bundle layout changes necessary to adhere to code signing requirements but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are rather potentially harmful in a Tor Browser context.

On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.

A note on our search engine situation: Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers.

Update: We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

The full changelog since Tor Browser 5.5.5 is:
Tor Browser 6.0 -- May 30

  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Tor Browser 6.0a5-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a5-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

It contains a bunch of noteworthy changes. We switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary. We also ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Note: There is no incremental update from 6.0a3-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a4-hardened:

Tor Browser 6.0a5-hardened -- April 28 2016

  • All Platforms
    • Update Firefox to 45.1.0esr
    • Update Tor to 0.2.8.2-alpha
    • Update Torbutton to 1.9.5.3
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Translation updates
    • Update Tor Launcher to 0.2.8.4
      • Bug 13252: Do not store data in the application bundle
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Update meek to 0.22 (tag 0.22-18371-2)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable for now
    • Bug 17506: Reenable building hardened Tor Browser with startup cache
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
  • Build System
    • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Bug 18699: Stripping fails due to obsolete Browser/components directory
    • Bug 18698: Include libgconf2-dev for our Linux builds

Tor Browser 6.0a5 is released

A new alpha Tor Browser release is available for download in the 6.0a5 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

This will probably be our last alpha release before the stable 6.0 and it contains a bunch of noteworthy changes.

First, we switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary.

Second, we ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Third, this alpha release introduces code signing for OS X in order to cope with Gatekeeper, the OS X mechanism for allowing only authorized applications to run. There were bundle layout changes necessary to adhere to code signing requirements. Please test that everything is still working as expected if you happen to have an OS X machine. We plan to post instructions for removing the code signing parts on our website soon. This should make it easier to compare the bundles we build with the actual bundles we ship.

The fourth highlight is the fix for an installer related DLL hijacking vulnerability. This vulnerability made it necessary to deploy a newer NSIS version to create our .exe files. Please test that the installer is still working as expected if you happen to have a Windows machine.

Known issues:

  • It seems there is a bug regarding our search engine selection in non-en-US bundles. The search engines actually used are the ones contained in the respective language packs but not those we ship. There is no easy workaround for this short of disabling the language pack or adding the search engines one wants to have by hand. We are sorry for this inconvenience.
  • An other issue is an error "Unable to start tor" after upgrading from an older version, on Mac OS (Bug 18928). Quitting and restarting a second time should fix the problem.
  • A third issue we found is the missing HTTPS-Everywhere extension in Mac OS bundles after an update from previous Tor Browser versions. Workarounds are either installing HTTPS-Everywhere manually from EFF's website or using a clean, new 6.0a5 Mac OS bundle.

Here is the full changelog since 6.0a4:

Tor Browser 6.0a5 -- April 28 2016

  • All Platforms

    • Update Firefox to 45.1.0esr
    • Update Tor to 0.2.8.2-alpha
    • Update Torbutton to 1.9.5.3
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Translation updates
    • Update Tor Launcher to 0.2.9.1
      • Bug 13252: Do not store data in the application bundle
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Update meek to 0.22 (tag 0.22-18371-2)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
  • Windows

  • OS X

    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
  • Build System

    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds

Tor Browser 5.5.5 is released

Tor Browser 5.5.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 38.8.0esr. Additionally, we bump NoScript to version 2.9.0.11 and HTTPS-Everywhere to 5.1.6.

Moreover, we don't advertise our help desk anymore as we are currently restructuring our user support.

Here is the full changelog since 5.5.4:

Tor Browser 5.5.5 -- April 26 2016

  • All Platforms

    • Update Firefox to 38.8.0esr
    • Update Tor Launcher to 0.2.7.9

      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)

GetTor: New Ways to Download Tor Browser

We are pleased to announce the new features available in the GetTor, a service that provides alternative ways to download Tor Browser, aimed for people who live in places with high levels of censorship (e.g. when www.torproject.org is blocked) or people who just don't want to expose the fact that they are downloading Tor Browser. This work adds important new download options and capabilities and includes improvements to the current code, deployment of new channels and providers, and some brand new features such as the GetTor API. We would also like to give special thanks to Nima Fatemi, who was in charge of the non-coding parts of this project (from funding to technical management).


Update note: we now have the gettor@torproject.org account for the XMPP channel. However, we will have the get_tor@riseup.net account enabled for a couple of more weeks just in case you are still using it.


Landing page

A GetTor landing page has been created to offer information in one place (statistics, guides, etc.). If you are interested in what is going on with GetTor, following the landing page is highly recommended.


New Distribution Channels

In the past, GetTor has distributed packages by sending the bundles -- and then, later, just links -- via email. Now there are two more ways to interact with GetTor:


  1. Using Twitter: You can send a direct message to @get_tor account (you don't need to follow the @get_tor acount). Send the word help in a direct message to receive information on how to download the Tor Browser.

  2. Using XMPP: You can send a message to gettor@torproject.org using your favorite XMPP client. Simply enter help in an XMPP message to receive information on how to download the Tor Browser.


GitHub

GitHub is now a provider of Tor Browser (in addition to Dropbox and Google Drive), and the latest version of Tor Browser may be downloaded from our Github page and our Github repository.


Support for Android

Orbot is a free proxy (i.e. an intermediary) app that empowers other apps to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by sending it through a series of computers around the world. In addition to the download options provided by Guardian Project (Google Play, F-Droid, Direct download), GetTor provides yet another way to download Orbot to your mobile device. To do this, you have to reach one of our distribution channels and specify the android command (See Examples, at the bottom of this blog post). You will then receive instructions to download Orbot's Android Application Package (APK) file from Github, Google Drive or Dropbox. Once you have downloaded the APK file you can use it to install Orbot (similar to .exe files in Windows) and start using it.


Translated Versions of Tor Browser

GetTor provides a small set of translated packages focused on its end users. The available languages are Farsi, Chinese, Turkish, and English (which is the default). If you want to use this feature in the email autoresponder, for example, you send your request to:


    Farsi: gettor+fa@torproject.org
    Chinese: gettor+zh@torproject.org
    Turkish: gettor+tr@torproject.org
    English: gettor@torproject.org


For the Twitter and XMPP channels, you just need to add the language word to the
message (e.g. linux fa will get you links for Tor Browser in Farsi).


Mirrors

There are many volunteers who use their own servers to provide mirrors of Tor Project's website. One or more of these mirrors may be not blocked in places where torproject.org is censored and could help in downloading Tor Browser. With this new release, you can request a list of these mirrors from GetTor by sending an email (or message, in case of Twitter and XMPP) with the word mirrors in the body of the text.


Statistics

Some basic but effective improvements have been made to collect anonymous data and compile meaningful statistics about GetTor usage, including requests per channel, operating system, and language. Safeguards have been implemented so that all information collected is anonymous, and it is erased on a daily basis -- we just keep the number and types of requests. Reports about this data will soon be available on GetTor's website.


RESTful API

One of GetTor's major new features is its API. In simple terms, an API is a set of rules and specifications that allow applications to communicate with each other (following these rules). This is helpful to developers who want to create new services or applications based on the information provided by the API. In this case, the GetTor API provides the following information:

  1. Links to download Tor Browser by provider, with filters for operating system and language.

  2. Links to download Tor Browser from Tor Project's website, with filters for choosing the release (latest version , etc.), operating system, and language.

  3. List of mirrors of Tor Project's website.



You can find more information on the API documentation.


Invitation to Collaborate

If you are a Tor user, a developer, good at writing content for non-technical users or anything else, we are happy to hear from you! You can use the comments section below, the tor-talk and tor-dev mailing lists, or come talk to us on IRC (#tor-dev on OFTC; our nicknames are ilv, sukhe and mrphs).


How to Ask for Tor Browser--Some Examples

To help you get started, here are a few examples of GetTor requests with different locales (languages) and operating systems:


Example 1 (Email): To get links for downloading Tor Browser in Farsi for Windows, send an email to gettor+fa@torproject.org with the word windows in the body of the message.


Example 2 (Twitter): To get links for downloading Tor Browser in English for OS X, send a Direct Message to @get_tor with the words osx on it (you don't need to follow the account).


Example 3 (XMPP): To get links for downloading Tor Browser in Chinese for Linux, send a message to gettor@torproject.org account with the words linux zh on it.


Example 4 (Email): To get links for downloading Orbot for Android, send an email to gettor@torproject.org with the word android in the body of the message.

Tor Browser 6.0a4-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a4-hardened distribution directory and on the download page for hardened builds.

This release updates firefox to 38.7.1. Mozilla decided to disable the Graphite library in this release and we are taking the same action: irrespective of the security slider settings the Graphite library won't be used for rendering fonts in Tor Browser 6.0a4-hardened. The Graphite font rendering library was already disabled for users on the security level "High" or "Medium-High".

Note: There is no incremental update from 6.0a3-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a3-hardened:

Tor Browser 6.0a4-hardened -- March 18 2016

  • All Platforms

    • Update Firefox to 38.7.1esr
    • Update Torbutton to 1.9.5.2

      • Bug 18557: Exempt Graphite from the Security Slider
    • Bug 18536: Make Mosaddegh and MaBishomarim available on port 80 and 443
Syndicate content Syndicate content