Tor Browser 5.0 is released
The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because numerous other potential security issues were fixed by Mozilla in this release. (Incidentally: Users who are using the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue as well).
This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.
The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.
Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.
This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.
Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.
Here is the complete changelog since 4.5.3:
- All Platforms
- Update Firefox to 38.2.0esr
- Update OpenSSL to 1.0.1p
- Update HTTPS-Everywhere to 5.0.7
- Update NoScript to 2.6.9.34
- Update meek to 0.20
- Update Tor to 0.2.6.10 with patches:
- Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
- Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
- Bug 15482: Don't allow circuits to change while a site is in use
- Update Torbutton to 1.9.3.2
- Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
- Bug 16730: Reset NoScript whitelist on upgrade
- Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
- Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
- Bug 16268: Show Tor Browser logo on About page
- Bug 16639: Check for Updates menu item can cause update download failure
- Bug 15781: Remove the sessionstore filter
- Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
- Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
- Bug 16200: Update Cache API usage and prefs for FF38
- Bug 16357: Use Mozilla API to wipe permissions db
- Bug 14429: Make sure the automatic resizing is disabled
- Translation updates
- Update Tor Launcher to 0.2.7.7
- Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
- Bug 15145: Visually distinguish "proxy" and "bridge" screens.
- Translation updates
- Bug 16730: Prevent NoScript from updating the default whitelist
- Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
- Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
- Bug 16884: Prefer IPv6 when supported by the current Tor exit
- Bug 16488: Remove "Sign in to Sync" from the browser menu
- Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
- Bug 15703: Isolate mediasource URIs and media streams to first party
- Bug 16429+16416: Isolate blob URIs to first party
- Bug 16632: Turn on the background updater and restart prompting
- Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
- Bug 16523: Fix in-browser JavaScript debugger
- Bug 16236: Windows updater: avoid writing to the registry
- Bug 16625: Fully disable network connection prediction
- Bug 16495: Fix SVG crash when security level is set to "High"
- Bug 13247: Fix meek profile error after bowser restarts
- Bug 16005: Relax WebGL minimal mode
- Bug 16300: Isolate Broadcast Channels to first party
- Bug 16439: Remove Roku screencasting code
- Bug 16285: Disabling EME bits
- Bug 16206: Enforce certificate pinning
- Bug 15910: Disable Gecko Media Plugins for now
- Bug 13670: Isolate OCSP requests by first party domain
- Bug 16448: Isolate favicon requests by first party
- Bug 7561: Disable FTP request caching
- Bug 6503: Fix single-word URL bar searching
- Bug 15526: ES6 page crashes Tor Browser
- Bug 16254: Disable GeoIP-based search results.
- Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
- Bug 13024: Disable DOM Resource Timing API
- Bug 16340: Disable User Timing API
- Bug 14952: Disable HTTP/2
- Bug 1517: Reduce precision of time for Javascript
- Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
- Bug 16311: Fix navigation timing in ESR 38
- Windows
- Bug 16014: Staged update fails if meek is enabled
- Bug 16269: repeated add-on compatibility check after update (meek enabled)
- Mac OS
- Use OSX 10.7 SDK
- Bug 16253: Tor Browser menu on OS X is broken with ESR 38
- Bug 15773: Enable ICU on OS X
- Build System
- Bug 16351: Upgrade our toolchain to use GCC 5.1
- Bug 15772 and child tickets: Update build system for Firefox 38
- Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
- Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Real problem? Updated with
Real problem?
Updated with Tor updater. Restart. New Version looks good.
Tested with strongest seetings at www.ip-check.info with result:
"You are using Tor, but your browser profile differs from the recommended Tor Browser Bundle default profile."
And after the test, the website can read:
Signature, user-agent and other things.
This sounds not good. A problem with the ip-check.info, or a problem with my installation or a problem for all with last update?
Also getting the same
Also getting the same results at ip-check.info with the security level on high.
TBB has moved to firefox
TBB has moved to firefox 38-ESR, as you can see in the changelog. The user agent sent with each request has been updated to reflect this change (Firefox/38.0).
IMHO, the test you have used is expecting the old value (version 31), which is why you would get a negative result. Give them a few days to update their tests, it would be worth trying again then.
This is also a good opportunity to stress out why updating quickly is important: with everyone moving forward to 5.0, users that don't will stand out more and more.
thanks. now the user-agent
thanks. now the user-agent is fine. the signature still not.
Crashes, crashes, crashes,
Crashes, crashes, crashes, and then it crashes a bit more.
Previous versions of tor browser has been very stable for a number of releases. But 5.0 crashes all the time. Where can I find crash log to report?
You are probably hitting
You are probably hitting https://bugs.torproject.org/16771 (bug 16773 is with high likelihood a duplicate of it). We are working on fixing it and will release it in a point release that is coming shortly.
Under
Under "Preferences":
"General" --> "Startup", "Downloads", "Tabs"
"Content" --> "Pop-ups"
"Privacy"
"Security"
"Advanced"
the radio buttons and small rectangular check boxes are deactivated. I am unable to use my mouse to click on them.
Is this by design or cased by bugs?
I have the same problem.
I have the same problem.
Same thing here. What I did
Same thing here. What I did was lower the privacy and security settings so I could configure it. Just raise it back up when you're done.
Same here when I go to Tools
Same here when I go to Tools and then Options.
Thanks for reporting. This
Thanks for reporting. This is https://bugs.torproject.org/16775 now.
Need to say, the options
Need to say, the options still work, at least some, i.e. cookies setting, even though you can see the checkboxes changing.
*can't
*can't
Yes, and no one noticed ...
Yes, and no one noticed ... until now. I've reverted to 4.5.3 until this is fixed. No more auto-upgrades for me, please!
at firstrun options menu
at firstrun options menu worked
after (editing about:config and) installing apps everything is unchecked
i'm waiting for instructions or 5.0.1. returned to 4.5.3
same user again: it's the
same user again:
it's the security slider. options menu doesn't work with slider set to high.
set from high to medium-high - new identity - options menu is working.
set back to high - options menu is working only for current session of TBB 5.0.
Go to about:config and
Go to about:config and change "browser.preferences.inContent" from true to false. This will restore the old Preferences ui.
After successfully connected
After successfully connected to Tor's network, error messages started to appear:
*******************************************
A coding exception was thrown and uncaught in a Task.
Full message: TypeError: this.Paths is null
Full stack: Agent.wipe@resource:///modules/sessionstore/SessionWorker.js:236:7
worker.dispatch@resource:///modules/sessionstore/SessionWorker.js:21:24
anonymous/AbstractWorker.prototype.handleMessage@resource://gre/modules/workers/PromiseWorker.js:122:16
@resource:///modules/sessionstore/SessionWorker.js:30:41
*************************
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
WARNING: content window passed to PrivateBrowsingUtils.isWindowPrivate. Use isContentWindowPrivate instead (but only for frame scripts).
pbu_isWindowPrivate@resource://gre/modules/PrivateBrowsingUtils.jsm:25:14
getTopWin@chrome://browser/content/utilityOverlay.js:61:19
openLinkIn@chrome://browser/content/utilityOverlay.js:240:11
openUILinkIn@chrome://browser/content/utilityOverlay.js:203:3
openHelpLink@chrome://browser/content/utilityOverlay.js:732:3
helpButtonCommand@chrome://browser/content/preferences/in-content/preferences.js:162:3
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
WARNING: content window passed to PrivateBrowsingUtils.isWindowPrivate. Use isContentWindowPrivate instead (but only for frame scripts).
pbu_isWindowPrivate@resource://gre/modules/PrivateBrowsingUtils.jsm:25:14
getTopWin@chrome://browser/content/utilityOverlay.js:61:19
openLinkIn@chrome://browser/content/utilityOverlay.js:240:11
openUILinkIn@chrome://browser/content/utilityOverlay.js:203:3
openHelpLink@chrome://browser/content/utilityOverlay.js:732:3
helpButtonCommand@chrome://browser/content/preferences/in-content/preferences.js:162:3
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
1439348981000 addons.update-checker WARN Update manifest was not valid XML
1439348981000 addons.update-checker WARN Update manifest was not valid XML
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
(firefox:3883): Gtk-CRITICAL **: IA__gtk_clipboard_set_with_data: assertion `targets != NULL' failed
*************************
A coding exception was thrown and uncaught in a Task.
Full message: TypeError: this.Paths is null
Full stack: Agent.wipe@resource:///modules/sessionstore/SessionWorker.js:236:7
worker.dispatch@resource:///modules/sessionstore/SessionWorker.js:21:24
anonymous/AbstractWorker.prototype.handleMessage@resource://gre/modules/workers/PromiseWorker.js:122:16
@resource:///modules/sessionstore/SessionWorker.js:30:41
*************************
Aug 12 11:14:49.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
Custom widget with id loop-button does not return a valid node
Here is the complete
Here is the complete changelog since 4.5.3:
[long list follows...]
Which item in this long list corresponds to the following change?
Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.
???
I can't find it!?!
Bug 16632: Turn on the
Bug 16632: Turn on the background updater and restart prompting
"""Starting with this
"""Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing."""
What's the difference between app.update.auto and app.update.enabled?
And what are the possible values for app.update.mode and what do they mean?
Thanks for your patience!
http://kb.mozillazine.org/App
http://kb.mozillazine.org/App.update.auto
http://kb.mozillazine.org/App.update.mode
If you have "app.update.enabled" set to "false" there'll be no updates happening.
Another heads up that v5.0
Another heads up that v5.0 crashes all the time. Recent previous versions did not have that problem. Something's definitely not right there.
https://bugs.torproject.org/1
https://bugs.torproject.org/16771
Something's definitely not
Something's definitely not right there.
The spooks at the NSA are definitely having a field day intercepting online communications from the bugs thrown up by this latest version of TBB.
Nevertheless we ought to thank the TBB team for their effort and time.
I added "SocksListenAddress
I added "SocksListenAddress 0.0.0.0:9150" in torrc, then I started TorBrowser 5.0 ,and it crashed immediately. To use whonix, "SocksListenAddress 0.0.0.0:9150" must be added , so please fix it as soon as possible.
My OS:WIN 7
This worked with 4.5.3? And
This worked with 4.5.3? And with the alphas? Which alpha broke it? (you'll find them at https://archive.torproject.org/tor-package-archive/torbrowser/)
4.5.3 works normally.Well,
4.5.3 works normally.Well, when I updated TBB to 5.0.a4, I found this bug.
about:preferences# and
about:preferences# and about:downloads both give the error "The address isn't valid"
Works for me. How can I
Works for me. How can I reproduce that?
I can't give you
I can't give you instructions to reproduce the shortcut URLs not working under 5.0.
As soon as I go back to 4.5.3 they work.
Starting with this release,
Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.
If an experienced user wants to download the TBB manually and check all SHA/GPG signs, then - is it an unroundabout option? Or that user can say "NO" to autoupdate request before it started without deactivating this feature?
Returned to version 4.5.3
Returned to version 4.5.3
Simple question: Can I
Simple question:
Can I manually upgrade tor browser? I don't want it to upgrade automatically.
To prevent tor browser from automatically upgrade, which thingy should I disable in about:config other then app.update.auto?
Having every body update tor
Having every body update tor browsers makes Tor network stronger for every one.
Wow...Tor Browser 5.0 STABLE
Wow...Tor Browser 5.0 STABLE RELEASE
But still got some bugs..smh.
To be fair, this is a major
To be fair, this is a major Firefox update and it did include a large number of new features that are problematic for privacy - quite a lot of work for the TBB developers.
In case of changing the
In case of changing the language from English to Hungarian the Tor does not work anymore.
How are you changing the
How are you changing the language? And what does "Tor does not work anymore" mean?
Too many odd things are
Too many odd things are happening with 5.0
I don't trust it. I'd rather not move backwards since that is also risky.
So I hope there are some fixes soon.
Like what?
Like what?
Like serious spikes in Ram
Like serious spikes in Ram usage, something that has never happened in any of the 4.* versions.
Some other bugs which might just be cosmetic, too hard to explain these and too hard to reproduce. They mostly happened at times of startup and opening new tabs.
For now I've switched back to mainly using 4.5.3 because like others have stated that one felt very solid.
i doubt there will be, have
i doubt there will be, have to go to 5.01..
Hi, Not able to download any
Hi,
Not able to download any attachments after latest update!
Do you have an example
Do you have an example attachment/link which we could test?
New Firefox. New html5
New Firefox. New html5 "bugs" useful for deanonymization and fingerprinting, new vulnerabilities added like pdfjs.
Well, the recently
Well, the recently documented vulnerability in PDF.js is patched in this release.
Of course, there could be undocumented vulnerabilities in this release and maybe some of the concerning new features for this branch of firefox have yet to be dealt with; then again, 4.5.3 also has documented vulnerabilities. If you're sure that no one is willing to look for vulnerabilities for a slightly outdated browser, go ahead and keep using it.
I am loading the language
I am loading the language pack xpi. After that the browser cannot connect to Tor. I have tried it already 15 times. Without changing the language Tor works.
Could you give steps to
Could you give steps to reproduce your problem? On which operating system does his happen?
Not found single issue yet,
Not found single issue yet, those reporting ip check info error, its because the user agent string has been updated, but not on the ip check site yet you cn safely ignore that one