Tor Browser 5.5a3 is released

A new alpha Tor Browser release is available for download in the 5.5a3 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Beginning with this alpha version, Tor Browser is available in Japanese as well. In addition, it contains usability improvements for our font fingerprinting defense, a better notification of Tor Browser changes after an update, and fixes for regressions caused by our switch to ESR 38 back in August.

Here is the complete changelog since 5.5a2:

  • All Platforms
    • Update Firefox to 38.3.0esr
    • Update Torbutton to 1.9.4
      • Bug 16937: Don't translate the homepage/spellchecker dictionary string
      • Bug 16735: about:tor should accommodate different fonts/font sizes
      • Bug 16887: Update intl.accept_languages value
      • Bug 15493: Update circuit display on new circuit info
      • Bug 16797: brandShorterName is missing from brand.properties
      • Translation updates
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17102: Don't crash while opening a second Tor Browser
    • Bug 16983: Isolate favicon requests caused by the tab list dropdown
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
    • Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
    • Bug 16837: Disable Firefox Hotfix updates
    • Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
    • Bug 16781: Allow saving pdf files in built-in pdf viewer
    • Bug 16842: Restore Media tab on Page information dialog
    • Bug 16727: Disable about:healthreport page
    • Bug 16783: Normalize NoScript default whitelist
    • Bug 16775: Fix preferences dialog with security slider set to "High"
    • Bug 13579: Update download progress bar automatically
    • Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
    • Bug 17046: Event.timeStamp should not reveal startup time
    • Bug 16872: Fix warnings when opening about:downloads
    • Bug 17097: Fix intermittent crashes when using the print dialog
  • Windows
    • Bug 16906: Fix Mingw-w64 compilation breakage
    • Bug 16707: Allow more system fonts to get used on Windows
  • OS X
    • Bug 16910: Update copyright year in OS X bundles
    • Bug 16707: Allow more system fonts to get used on OS X
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Update: It seems claiming that our builds are reproducible with LXC as well now was a bit premature (see bug 12240 for details). Thus, this part got removed from the changelog.

Anonymous

September 23, 2015

Tor Browser & Linux & VPNs = The Computing Holy Trinity!

We would be lost without your hard work. Don't forget that it is always appreciated by those who care about privacy and security.

Anonymous

September 23, 2015

Hi gk,

I noticed that there is a problem wherein the "Tor Circuit for this site" tab would disappear after prolonged use.

Also, I was wondering if this feature (TOR Circuit for this site) would compromise anonymity? If a hacker were to hack into the TOR browser from the user end, would they be able to see the TOR circuit and slowly trace and eventually see and find the contents that the user is browsing? I understand that TAILS is uncomfortable with this feature and thus does not include it in their release.

If you are talking about a remote attacker using a vulnerability in the browser, yes it might be possible. However, the attacker could potentially use a number of other methods with that same vulnerability to deanonymize the user as well depending on what they manage to access. Keep your browser up to date to (help) avoid this.
On the other hand, yes a local attacker could potentially use that feature; however, disabling the feature doesn't really reduce the attacker's capabilities (in terms of Tor Browser) because they could simply attack the tor process itself. Yes, some projects (like Tails and Whonix) have limited the ability for the browser to see the circuit; however, these projects are designed to deal with (limited) badly behaving programs. Tor Browser doesn't (because it can't) protect you from other programs on your computer spying on it. Your OS might, if your OS isn't the one doing the spying.

Anonymous

September 23, 2015

Just updated. Now I receive the error "Could not find Mozilla runtime". :(

I'm running Windows 10. I'm sure *that* has nothing to do with it.

Yes, but only ones that don't log
I recommend FrootVPN
It's $36/year.
Based in Sweden.
No personal information is required to create an account. Only username, password and email.
Accepts Bitcoin
And since I recommend it, it obviously has a no logging policy

Good question. What Windows version is that? Both on Windows 7 and 8 the signature is valid for me. What SHA 256 sum does the .exe have? Does the signature check for Tor Browser 5.5a2 work for you (see: https://dist.torproject.org/torbrowser/5.5a2/)? I am asking as this alpha is the first version that got signed on a Linux box. Before that we needed to use a Windows machine.

My operating system is Windows 10

torbrowser-install-5.5a2_en-US.exe
Digital Signature = OK
Screenshot : http://i.cubeupload.com/Hkkjhv.png
MD5: e831d3bca509613fbb84d78a80e1e256
SHA256: b91700836a7f3f983a4961a06df5492647ccafd2c976c47c2c7e0ab1942f2632

torbrowser-install-5.5a3_en-US.exe
Digital Signature = Error
Screenshot : http://i.cubeupload.com/LDt7aj.png
MD5: 92df31f154ea262f1507271459177fbc
SHA256: b0300a609b3fe9e2f37fc10b5819059cd810b87210ed7e1ace814bafd014a74c

gk

October 05, 2015

In reply to Anonymous (not verified)

I got my hands on a Windows 10 box and there the digital signature was correct. Could you find out what is causing this in your case? Like comparing the things shown to you if you look at the output after clicking on "Properties" (after right-clicking on the 5.5a2 and 5.5a3 .exe files)?

Sorry, why are people using privacy tools under Windows 10? I fail to grasp the point. I lack the phantasy to come up with an explanation why one would willingly use a compromised-by-design OS. Your threat model can't be accurate because private data collections do leak.

Anonymous

September 23, 2015

:)

Anonymous

September 24, 2015

A sort of offtopic remark that maybe though is worth looking at.
(Did not know where to write this elsewhere on this site.)

Did anyone notice the sudden huge amount of exitnodes risen in Lithuania?
At least 60 sudden/new exitnodes by someone that has the contactname avenueoftor.com ?

Has someone from Torproject looked at this?

Anonymous

September 24, 2015

EMAIL ALTERNATIVES CHECK THESE OUT AND PROSPER IN PRIVACY AND FREEDOM!

1) Scramble - https://scramble.io/
2) Sigma - https://sigma.email/
3) ProtonMail - https://protonmail.ch/
4) DarkMail - https://darkmail.info/
5) Sigaint - https://www.sigaint.org/ (Has onion address)
6) Mail2Tor - http://mail2tor.com/
7) RuggedInbox - http://s4bysmmsnraf7eut.onion/

Additional information:

Site:
http://www.emailquestions.com/encrypted-email-service-providers/

Since disabling all javascript, http referral etc. I cannot sign in to my emails on any of the onion email sites. Even captures rarely work on those sites. https sites probably the same. Looks like some onion sites are using javascript for tracking. Used to be OK on earlier versions of TOR.

They could be using javascript for completely legitimate reasons; it can be used for far more than tracking.

Anonymous

September 24, 2015

Many Chinese words (about 1/2) in the browser UI can't be displayed correctly after the 5.5a3 update. These words show like a square box with 4 hex numbers in it. That does not happen in the 5.5a2 version.
It happens in my Win10 OS. I tested the 5.5a3 version in a Win7 OS (VMware), and these words can be displayed correctly but their fonts are different from other words that can be displayed correctly in Win10.
I guess there is something wrong with the fonts.

Chinese Simplified.
The problem is not about any web page, it's about the browser UI (all the menus, toolbars and dialogs). There is nothing wrong with the Chinese words in web pages.

These words show like this :
___
|7F|
|16|
ˉˉˉˉˉ
The "7F16" in the square box is the unicode of the word.

Sorry. My reply above is partially wrong. I tested some web pages and found there is the same problem with Chinese words in all the web pages. So the problem is about both the browser UI and web pages.

This problem happens in any Chinese web page.
e.g.
zh.wikipedia.org

I'm not seeing this problem on the pages listed. What version of Windows are you using? Also, could you paste the value of the pref "font.system.whitelist" (in about:config)?

When I visit zh.wikipedia.org, the font used for the main text is "Microsoft YaHei".

Anonymous

November 01, 2015

In reply to Anonymous (not verified)

windows 10 pro insider preview build 10576 displayed correctly.

Anonymous

September 25, 2015

Hello, I'm new to TOR. I was exploring the TOR hidden services for the first time, and I noticed that under the TOR circuit map, it shows that there are 6 relays between my browser and the onion site. Does this thus mean that firstly, the TOR traffic never leaves the TOR circuit (unlike the normal non-hidden service websites) and there are 6 onion layers of encryption instead of the normal 3 which makes hidden services much more private?

Anonymous

September 29, 2015

I'm using openSUSE and want to create an Apparmor profile for TBB, what things should be modified to /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox

Anonymous

September 30, 2015

@gk or other Tor developers

If a bridge was to change from a bridge to regular node, would Tor Browser know that it has changed and notify user (error message) or will users be still using it under the false impression that it is still a bridge?