tor browser

Tor Browser 4.5a5 is released

The Tor Browser team is proud to announce the release of the fifth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a5 is based on Firefox ESR 31.6.0, which features important security updates to Firefox.

We're very excited about the usability and security improvements in this release. On the usability front, we've created a FreeDesktop-compatible launcher wrapper for Linux that can be invoked from either the GUI or the shell, and we also provide Windows users with the ability to add optional Start Menu and Desktop shortcuts. The circuit usage of Tor Browser has also been improved to avoid transitioning to a new circuit for a website while it is in active use.

On the security front, the Security Slider now has full descriptions of the browser behaviors that are changed at each security level. We've also made improvements to our display resolution fingerprinting defenses to automatically resize the browser window to a 200x100 pixel multiple after resize or maximization, and to perform similar resizing for full screen HTML5 video. Finally, the Windows releases are also now signed using the hardware signing token graciously provided to us by DigiCert, so Windows users should no longer be warned about Tor Browser being downloaded from an "unknown publisher".

And those are just the highlights. The complete list of changes since the 4.5a4 release is as follows:

  • All Platforms
    • Update Firefox to 31.6.0esr
    • Update OpenSSL to 1.0.1m
    • Update Tor to 0.2.6.6
    • Update NoScript to 2.6.9.19
    • Update HTTPS-Everywhere to 5.0
    • Update meek to 0.16
    • Update Tor Launcher to 0.2.7.3
      • Bug 13983: Directory search path fix for Tor Messanger+TorBirdy
    • Update Torbutton to 1.9.1.0
      • Bug 9387: "Security Slider 1.0"
        • Include descriptions and tooltip hints for security levels
        • Notify users that the security slider exists
        • Flip slider so that "low" is on the bottom
        • Make use of new SVG and MathML prefs
      • Bug 13766: Set a 10 minute circuit lifespan for non-content requests
      • Bug 15460: Ensure FTP urls use content-window circuit isolation
      • Bug 13650: Clip initial window height to 1000px
      • Bug 14429: Ensure windows can only be resized to 200x100px multiples
      • Bug 15334: Display Cookie Protections menu if disk records are enabled
      • Bug 14324: Show HS circuit in Tor circuit display
      • Bug 15086: Handle RTL text in Tor circuit display
      • Bug 15085: Fix about:tor RTL text alignment problems
      • Bug 10216: Add a pref to disable the local tor control port test
      • Bug 14937: Show meek and flashproxy bridges in tor circuit display
      • Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
      • Bug 13019: Change locale hiding pref to boolean
      • Bug 7255: Warn users about maximizing windows
      • Bug 14631: Improve profile access error msgs (strings).
    • Pluggable Transport Dependency Updates:
      • Bug 15448: Use golang 1.4.2 for meek and obs4proxy
      • Bug 15265: Switch go.net repo to golang.org/x/net
    • Bug 14937: Hard-code meek and flashproxy node fingerprints
    • Bug 13019: Prevent Javascript from leaking system locale
    • Bug 10280: Improved fix to prevent loading plugins into address space
    • Bug 15406: Only include addons in incremental updates if they actually update
    • Bug 15029: Don't prompt to include missing plugins
    • Bug 12827: Create preference to disable SVG images (for security slider)
    • Bug 13548: Create preference to disable MathML (for security slider)
    • Bug 14631: Improve startup error messages for filesystem permissions issues
    • Bug 15482: Don't allow circuits to change while a site is in use
  • Linux
    • Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
    • Bug 12468: Only print/write log messages if launched with --debug
  • Windows
    • Bug 3861: Begin signing Tor Browser for Windows the Windows way
    • Bug 15201: Disable 'runas Administrator' codepaths in updater
    • Bug 14688: Create shortcuts to desktop and start menu by default (optional)

Tor Browser 4.0.6 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.6 is based on Firefox ESR 31.6.0, which features important security updates to Firefox.

Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.5:

  • All Platforms
    • Update Firefox to 31.6.0esr
    • Update meek to 0.16
    • Update OpenSSL to 1.0.1m

Tor Browser 4.0.5 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.5 is based on Firefox ESR 31.5.3, which features important security updates to Firefox. Additionally, it contains updates to Tor and NoScript.

Note to Tor Browser alpha users: There won't be a corresponding alpha release based on Firefox ESR 31.5.3 this time as we are currently in the midst of preparing releases based on ESR 31.6.0. Alpha users that can't wait another week are strongly recommended to use the Tor Browser 4.0.5 meanwhile.

Here is the changelog since 4.0.4:

  • All Platforms
    • Update Firefox to 31.5.3esr
    • Update Tor 0.2.5.11
    • Update NoScript to 2.6.9.19

Tor Browser 4.0.4 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Note: The individual bundles of the stable series are signed by one of the subkeys of the Tor Browser Developers signing key from now on, too. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290


Tor Browser 4.0.4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Additionally, it contains updates to NoScript, HTTPS-Everywhere, and OpenSSL (none of the OpenSSL advisories since OpenSSL 1.0.1i have affected Tor, but we decided to update to the latest 1.0.1 release anyway).

Here is the changelog since 4.0.3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update HTTPS-Everywhere to 4.0.3
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions

Tor Browser 4.5a4 is released

The Tor Browser team is proud to announce the release of the fourth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Moreover, this release includes an updated Tor, 0.2.6.3-alpha, and switches Scramblesuit and obfs3 bridge support to a new golang-based implementation. We are especially interested in hearing any issues with using obfs3, obfs4, and Scramblesuit in this release.

The release also features several improvements to usability, following the results of the usability sprint at the end of last month. In particular, the Torbutton onion menu and related preference windows have been overhauled to provide more simplicity and more focus. The onion menu now features a much requested "New Circuit for this site" option, and the security and privacy settings window have been simplified. For censored users, the first run configuration wizard was also improved to present the choice of Pluggable Transport before the local proxy information, in an effort to avoid confusion between Pluggable Transports and local proxies. As can be seen from the changelog below, the release contains several other usability tweaks and enhancements as well.

Here is the full changelog for changes since 4.5-alpha-3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update Tor to 0.2.6.3-alpha
    • Update OpenSSL to 1.0.1l
    • Update NoScript to 2.6.9.15
    • Update obfs4proxy to 0.0.4
      • Use obfs4proxy for ScrambleSuit bridges
    • Update Torbutton to 1.9.0.0
      • Bug 13882: Fix display of bridges after bridge settings have been changed
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 14866: Show correct circuit when more than one exists for a given domain
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14632: Disable Cookie Manager until we get it working.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 13900: Remove remaining SafeCache code in favor of C++ patch
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 9387: Handle "custom" mode better in Security Slider
      • Bug 12430: Bind jar: pref to Security Slider
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Translation updates
    • Update Tor Launcher to 0.2.7.2
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Translation updates
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 10280: Don't load any plugins into the address space.
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 5698: Fix branding in "About Torbrowser" window
  • Windows:
    • Bug 13169: Don't use /dev/random on Windows for SSP
  • Linux:
    • Bug 13717: Make sure we use the bash shell on Linux

Note: Once again, the individual bundles of both Tor Browser series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290

Tor Browser 4.5a3 is released

The third alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

Note: The individual bundles of the alpha series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290


Tor Browser 4.5a3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Its updater now contains the code for verifying signed update files and does not accept unsigned ones anymore. Moreover, this release includes an updated Tor, 0.2.6.2-alpha, an updated meek, 0.15, which is now working again, and a bunch of additional improvements and bugfixes.

Here is the changelog since 4.5-alpha-2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update Tor to 0.2.6.2-alpha
    • Update NoScript to 2.6.9.10
    • Update HTTPS Everywhere to 5.0developement.2
    • Update meek to 0.15
    • Update Torbutton to 1.8.1.3
      • Bug 13998: Handle changes in NoScript 2.6.9.8+
      • Bug 14100: Option to hide NetworkSettings menuitem
      • Bug 13079: Option to skip control port verification
      • Bug 13835: Option to change default Tor Browser homepage
      • Bug 11449: Fix new identity error if NoScript is not enabled
      • Bug 13881: Localize strings for tor circuit display
      • Bug 9387: Incorporate user feedback
      • Bug 13671: Fixup for circuit display if bridges are used
      • Translation updates
    • Update Tor Launcher 0.2.7.1
      • Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
      • Translation updates
    • Bug 13379: Sign our MAR files
    • Bug 13788: Fix broken meek in 4.5-alpha series
    • Bug 13439: No canvas prompt for content callers

Tor Browser 4.0.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.

Here is the changelog since 4.0.2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update NoScript to 2.6.9.10
    • Update meek to 0.15
    • Update Tor Launcher to 0.2.7.0.2
      • Translation updates only

Tor Browser 4.5-alpha-2 is released

The second alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5-alpha-2 is based on Firefox ESR 31.3.0, which features important security updates to Firefox. Additionally, it fixes a regression which caused third party authentication credentials to remain undeleted and contains smaller improvements to the circuit UI and the security slider.

Here is the changelog since 4.5-alpha-1:

  • All Platforms
    • Update Firefox to 31.3.0esr
    • Update NoScript to 2.6.9.5
    • Update HTTPS Everywhere to 5.0developement.1
    • Update Torbutton to 1.8.1.2
      • Bug 13672: Make circuit display optional
      • Bug 13671: Make bridges visible on circuit display
      • Bug 9387: Incorporate user feedback
      • Bug 13784: Remove third party authentication tokens
    • Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)

Tor Browser 4.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.2 is based on Firefox ESR 31.3.0, which features important security updates to Firefox. Additionally, it fixes a regression in third party cache isolation (tracking protection) that appeared in 4.0, and prevents JavaScript engine locale leaks. Moreover, we believe we have fixed all of the Windows crashes that were due to mingw-w64 compiler bugs. DirectShow is still disabled by default, though, to give the respective mingw-w64 patch another round of testing.

Here is the changelog since 4.0.1:

  • All Platforms
    • Update Firefox to 31.3.0esr
    • Update NoScript to 2.6.9.5
    • Update HTTPS Everywhere to 4.0.2
    • Update Torbutton to 1.7.0.2
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 13746: Properly link Torbutton UI to thirdparty pref.
    • Bug 13742: Fix domain isolation for content cache and disk-enabled
      browsing mode

    • Bug 5926: Prevent JS engine locale leaks (by setting the C library
      locale)

    • Bug 13504: Remove unreliable/unreachable non-public bridges
    • Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)
  • Windows
    • Bug 13443: Fix DirectShow-related crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13594: Fix update failure for Windows XP users

Tor Browser 4.5-alpha-1 is released

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only, which also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you transition to this 64 bit release, the updater should function correctly after that.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS
Syndicate content Syndicate content