Tor Browser 5.0.6 is released

by gk | December 17, 2015

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience.

This change is the only one in the changelog since 5.0.5:

  • All Platforms
    • Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag

The changes made in 5.0.5 are the following:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge

Comments

Please note that the comment area below has been archived.

December 17, 2015

Yikes!

So how does this release affect TAILS 1.8??

Should I wait for a newer version of TAILS instead of using 1.8?

Also, in TAILS 1.7, I couldn't view the main screen in HTTPS-Everywhere. It would only allow me to see the Observatory page. I could not access the first page to manage websites anymore. I reported this via their dev mailing list but no one responded. Please look into this.

Thank you!

December 19, 2015

In reply to gk

They didn't release anything. I think they don't need to update the browser.

December 20, 2015

In reply to gk

TAILS 1.8.1 has been released, and specifically updates Tor Browser to 5.0.6.

AFAIK the maintainers from the EFF removed the website panel some time ago. It lagged the browser because of the huge amount of rules. I'm not a fan of this either but you can still view all rules on the HTTPS Everywhere Atlas.

December 18, 2015

Hi gk

Thanks for rushing out a fix for Bug 17877 and updating TBB to 5.0.6

I'm just wondering: maybe in your rush, you forgot to update HTTPS Everywhere to 5.1.2?

We were already building when I realized there is a new HTTPS-Everywhere version. As the fix in 5.0.6 is rather important and I have a hard deadline for getting all the releases out today this had to wait, sorry.

December 19, 2015

In reply to gk

BUGS : linux x64

a _ https every-where does not keep the settings 'block all http requests' .
b _ https every-where does not move on red when 'block all http requests' is checked.

it did not happen with version 5.0.5.
this new release sounds to have been built quick & without care.

We did not change anything in 5.0.6 with respect to HTTPS-Everywhere. Just two tiny Firefox patches make the difference between both releases. Maybe you updated to HTTPS-Everywhere 5.1.2 meanwhile and the bug is in this new version of the extension?

December 20, 2015

In reply to gk

i did not update it but , you are right , the version of https every-where is 5.1.2.
all is fine now.
thx.

December 18, 2015

We were already building when I realized there is a new HTTPS-Everywhere version.

Perhaps in the future, before you dish out a quick fix for the latest version of TBB as in this instance, you would like to post a blog, asking us what possible updates need to apply to the quick fix.

I think this is a community project, no? Communication should be both ways: between Tor developers and users.

What do you think?

Speaking just as a satisfied user, this isn't very practical. If they wait for input on every build, some random component is going to be updated during the process and they'll never ship a completed version. Just update the plugin if you can't wait until the next bundle.

Same way you would in regular Firefox: Options button/Addons then Extensions. Hit the little gear and then Check for Updates. And actually this procedure probably isn't even necessary because it looks like auto-updates are enabled for these components. Mine had already self-updated to 5.1.2 so you are probably already upgraded too.

Please, for the love of *whatever deity have you*, do not use Flash in the TBB.
- It is a security nightmare, and
- It leaks your real IP address and other info outside Tor. Sure, you are using FB, that still means FB AND whatever sits between you and the FB servers now knows you are using FB games and your real IP address, making your use of Tor moot.

Unless you are carefully using something like Whonix, chances are Flash is leaking your real IP which means you might as well not use TBB at all for FB. If you really must have Flash over Tor, look into Whonix. There are more options if you are running Linux- google for "tor anonymizing middlebox" then.

December 18, 2015

After update to new version by the inside updater, the search engine list are the same as last version, I find the search engine list from TBB folder, each engine file includes a long special code, not as short as usual URL, from time to time I think, the search engine can know your TBB version as you use the old version search plugin with special code.

The only "long special codes" I see are the base64-encoded icons. As far as I know, these are only shown in the UI and not sent over the network.

December 18, 2015

The update process is very quiet, fast and secure so
it's not really a problem but for the builders to provide
as many updates as needed. The way it works right
now for us, users, is just so easy that you could update
twice a day without even noticing it.

December 18, 2015

OMG What have you done.??? Again flash player don't work...!!!! if you don't fix that, many users stop using tor. I have the 5.0.4, and i never update to other version, if you don't fix Flash player.

Nobody should ever use Flash with Tor, and nobody should continue using old and vulnerability-ridden versions of Tor Browser. Flash is far more dangerous over Tor than over a regular internet connection.

Again flash player don't work...!!!! if you don't fix that, many users stop using tor. I have the 5.0.4, and i never update to other version, if you don't fix Flash player.

1. Adobe Flash still has many unresolved security vulnerabilities, most of which are exploitable by hackers and the NSA. The latter embed malware in their Flash videos and when viewers such as yourself open and view them, your true IP location is unmasked.

Besides tinkering with Flash videos, the NSA also has a dedicated team whose task it is to encourage people to use Tor to view Flash videos. This is called social engineering. We aren't surprised if you're one of the people tasked to social engineer us for your own ends.

2. According to internal investigations by European governments led by the United States, Islamic State's jihadists, terrorists and suicide bombers are known to use Tor to view Flash videos. The contents of these videos are mostly about radicalizing Muslim fanatics to join Daesh (Arabic name for Islamic State.)

Members of Al-Qaeda's branch in Pakistan have been known to use Tor to watch Flash videos on recruitment and guides on bomb-making.

There's been an increase in the radicalization of Muslims in India. Islamic militancy is on the rise in the sub-continent.

Are you planning another Mumbai-style bombing in India or elsewhere? Just so you know, you and your ilk are giving Islam a bad reputation. Shame on you!

3. We still don't get it. Please explain to us how watching Flash videos fulfills the primary objectives of Tor.

4. Go ahead and use the older version 5.0.4 if you wish. You're on your own. Technical support isn't available for old releases.

So it's like this. I like to listen to the BBC Radio, but here in Vietnam my government blocks such websites. So I use Tor to access it. I'm not afraid of the government tracking me down and incriminating me or something like that; Vietnam isn't China, the government only goes so far in Internet censorship, they don't have the resources to implement any more exhaustive measures. However, BBC Radio needs Flash to run, and the new update of Tor isn't allowing me that option.

I understand and appreciate very much the importance of Internet privacy the team had in mind when developing this browser. But, to this extent, it's just counter-productive for me. I just wish users would be given the choice whether or not to use Flash on Tor, that's all.

Please, stop using Tor

A cry of desperation and exasperation from the NSA's troll, no doubt about it.

Now that most users know about the dangers of using Adobe Flash with Tor, meaning that the NSA has failed in its social engineering mission to get TBB users to use Adobe Flash.

Flash Player hasn't worked on Tor Browser out of the box for years. 5.0.4 also doesn't allow Flash content without mucking around in the settings. This is intended behavior because Flash pretty much screws you over for anonymity.
Is it possible that it wasn't a flash app that was working but some sort of HTML5 app? If so, that might be useful feedback or even a bug.
If you really must use Flash with tor, you need to look into a more complicated solution than just Tor Browser because Flash will just disregard the proxy settings and connect directly as opposed to through tor. In order to use Flash with tor you're going to need something that forces traffic through tor without the program noticing. For example, a torrified VM.

December 18, 2015

I checked that no new vulnerabilities currently exist for firefox 38.5. Are known vulnerabilities only publicly disclosed after a fix is issued? Tails does this all the time, detailing problems with debian packages only after an updated version is released.
Are there databases that report unfixed vulnerabilities that are NOT engaged in weaponizing them?

I checked that no new vulnerabilities currently exist for firefox 38.5.

Oh, you did? Are you declaring 38.5 bug-free? I guess you meant "published" vulns. Also, "currently" there may not be. But between 5.0.5 and 5.0.6 there were (published fixes at least).

Are known vulnerabilities only publicly disclosed after a fix is issued? Tails does this all the time

It is common for Mozilla to embargo bug reports about exploitable vulns. These bugs have been announced, though.

Are there databases that report unfixed vulnerabilities that are NOT engaged in weaponizing them?

Probably. There are mailing lists.

December 18, 2015

The same as version 5.0.5, the first tor relay doesn't change at all when I restart tor, click new identity or new tor circuit for this site. This is happening on win xp, I don't know if this occurs in tails since the diagram showing the IP addresses of all relays in a circuit is not included. What's the reason for this?

December 21, 2015

In reply to arma

The FAQ talks about "few relays", not a single one, as it seems to be the current situation: "The solution is "entry guards": each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop."
Maybe update the FAQ?

This is a security feature. By cycling through guard nodes (first relays) slowly, it statistically reduces the chance that your first relay will be owned by an attacker.

flash doesn't work anymore....

Stop trolling.

Just above your post there are many posts by various contributors warning users against viewing Flash videos on Tor.

December 18, 2015

new version works perfect thank you.

sometimes i have to lower the security level then websites start to ask about saving html5-canvas. i can choose no, yes or never for this site.

how can i change it so that i never will be asked about this, i want always no. thank you.

December 19, 2015

With this release, every time I open Tor my bookmarks bar and menu bar have disappeared and I have to right-click to check them again. In previous versions my choice to have them checked was remembered. Is this an intentional design decision, or a bug?

Update: the problem seems to be an effect of the donation appeal banner. Once I heard I could get rid of the damn thing by getting a new identity 10 times I tried it and now the menu and bookmark bars are back to stay.

December 19, 2015

How do you manage to face the new "zombi surveillance" capturing, injecting and decrypting everything?
I suggest you create an HTTPS proxy to load every page through.

December 19, 2015

@ my fellow paranoiacs:

I offer a lesson using GPG to check that you are about to install a genuine copy of the latest edition of Tor Browser Bundle.

Everyone should always check the detached signature against the tarball:

gpg --verify tor-browser-linux32-5.0.6_en-US.tar.xz.asc tor-browser-linux32-5.0.6_en-US.tar.xz
gpg: Signature made Thu 17 Dec 2015 12:57:12 PM PST using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

Paranoiacs also try to check that the signing key is genuine.

Here some confusion arises due to mention of a revoked subkey:

pub 4096R/93298290 created: 2014-12-15 expires: 2020-08-24 usage: C
trust: unknown validity: unknown
sub 4096R/F65C2036 created: 2014-12-15 expires: 2017-08-25 usage: S
sub 4096R/D40814E0 created: 2014-12-15 expires: 2017-08-25 usage: S
This key was revoked on 2015-08-26 by RSA key 93298290 Tor Browser Developers (signing key)
sub 4096R/589839A3 created: 2014-12-15 revoked: 2015-08-26 usage: S
[ unknown] (1). Tor Browser Developers (signing key)

Note carefully that the second output, while confusing, says that the revoked subkey is

589839A3

But the first output says that the subkey used to sign the tarball is

D40814E0

which remains still valid.

Roger explained previously that someone made a mistake which briefly exposed the private half of 589839A3, noticed the goof, and immediately revoked the subkey, which I agree was the proper response.

Hello fellow paranoiac,

Please stop using short key IDs. Either use the full key fingerprint (preferred) or the "long" key ID (--keyid-format long).

Regards.
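
The check described in the two comments above, as an added example that is not part of the original thread and is not Tor Project code: it reads the machine-readable output of `gpg --status-fd`, rejects a signature made by a revoked key, and compares full fingerprints instead of short key IDs. The function names, the sample status lines and the placeholder fingerprints are constructed for illustration; only the two fingerprints quoted in the comment come from the page.

```python
import subprocess

# Primary-key fingerprint printed in the comment above, spaces removed.
EXPECTED_PRIMARY = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

PREFIX = "[GNUPG:] "
# Any of these means the signature must not be trusted, even though gpg also
# prints VALIDSIG whenever the signature is cryptographically correct.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def evaluate_status(status_text, expected_primary=EXPECTED_PRIMARY):
    """Judge the output of `gpg --status-fd`.

    Returns (True, signing_key_fingerprint) or (False, reason).
    """
    expected = expected_primary.replace(" ", "").upper()
    valid = None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False, " ".join([keyword] + args[:1])
        if keyword == "VALIDSIG":
            if valid is not None:
                return False, "more than one signature present"
            valid = args
    if valid is None:
        return False, "no VALIDSIG line"
    if len(valid) < 10:
        return False, "VALIDSIG lacks the primary key fingerprint"
    # Field 0 is the signing (sub)key, field 9 the primary key it belongs to.
    signing_fpr, primary_fpr = valid[0].upper(), valid[9].upper()
    if primary_fpr != expected:
        return False, "signed under unexpected primary key " + primary_fpr
    # Web-of-trust lines such as TRUST_UNDEFINED are ignored on purpose:
    # the pinned fingerprint is what this check relies on.
    return True, signing_fpr


def verify_file(sig_path, data_path, expected_primary=EXPECTED_PRIMARY):
    """Run gpg on a detached signature and judge its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    ok, detail = evaluate_status(proc.stdout, expected_primary)
    if ok and proc.returncode != 0:
        return False, "gpg exited with status %d" % proc.returncode
    return ok, detail


def validsig_line(signing_fpr, primary_fpr):
    # Field layout follows GnuPG's doc/DETAILS; the date, timestamp and
    # algorithm numbers are constructed sample values.
    return ("[GNUPG:] VALIDSIG " + signing_fpr +
            " 2015-12-17 1450385832 0 4 0 1 8 00 " + primary_fpr + "\n")


# Constructed sample 1: signed by subkey D40814E0 of the expected primary key.
GOOD_STATUS = (
    "[GNUPG:] GOODSIG 2E1AC68ED40814E0 Tor Browser Developers (signing key)\n"
    + validsig_line("BA1EE421BBB45263180E1FC72E1AC68ED40814E0", EXPECTED_PRIMARY)
    + "[GNUPG:] TRUST_UNDEFINED\n")

# Constructed sample 2: signed by the revoked subkey 589839A3. The page gives
# only its short ID, so the leading zeros are a placeholder.
REVOKED_STATUS = (
    "[GNUPG:] REVKEYSIG 00000000589839A3 Tor Browser Developers (signing key)\n"
    + validsig_line("0" * 32 + "589839A3", EXPECTED_PRIMARY))

# Constructed sample 3: an unrelated key whose short ID is also D40814E0.
LOOKALIKE_STATUS = (
    "[GNUPG:] GOODSIG 11111111D40814E0 Constructed Lookalike Key\n"
    + validsig_line("1" * 32 + "D40814E0", "2" * 40))


if __name__ == "__main__":
    for name, text in (("good", GOOD_STATUS), ("revoked", REVOKED_STATUS),
                       ("lookalike", LOOKALIKE_STATUS)):
        print(name, evaluate_status(text))
```

On a real download, `verify_file("tor-browser-linux32-5.0.6_en-US.tar.xz.asc", "tor-browser-linux32-5.0.6_en-US.tar.xz")` applies the same judgement to gpg's live output.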

December 19, 2015

Hi There,
Since upgrading to 5.0.6 I have been unable to access comments on The Guardian website. I can still login and see my comments, but the comments section in articles won't load.
I tried with 5.0.4 and they worked again.
Is there a setting I can change to get comments loading?
I have tried dropping the security level to low (from medium) and allowing cookies and tracking, but they won't load.
Thanks.

December 19, 2015

Is there a setting I can change to get comments loading?

Not only The Guardian but also tons of other online news websites that employ thousands of trackers, cookies, web bugs, etc... to un-mask you.

Did you know that as soon as you load comments in The Guardian it can pinpoint your geo-location with relative accuracy.

it means that these sites are compromised/under survey/busy/for closed friend/private ( it is not coming from your browser ) Contact their admin. Try later. Avoid it. You are not maybe anymore tolerated.
geo location is a big troll like corrupted opinion/advices.
so , what is your address/latitude/longitude lol ?

Not only The Guardian but also tons of other online news websites that employ thousands of trackers, cookies, web bugs, etc... to un-mask you.
Did you know that as soon as you load comments in The Guardian it can pinpoint your geo-location with relative accuracy.

Citation needed

"Did you know that as soon as you load comments in The Guardian it can pinpoint your geo-location with relative accuracy."

Is this while using Tor? What's on the Guardian that can pinpoint your geo-location? Flash?

Tor is perfectly useable; it's the websites that you're visiting that aren't. Complain to them. Contact the website's admins and request that they change their settings.

Contact the website's admins and request that they change their settings.

Yeah...like that's gonna happen anytime soon....

They'll tell you to either use another "friendly" browser or move on. They don't need your business and support.

And Tor is more than a browser; just like they don't need your business and support you can choose to use and support more friendly websites.

I know that it isn't easy, but usually you can find alternatives that may be less popular but have most of the same functionality.

Also, smaller websites have a tendency to listen more to individual users.

December 20, 2015

Just go to the bottom of the page at an article on the guardian and click View all comments >, you don't even need to allow any scripts to do that.

December 20, 2015

I don't get the point in this release at all.

What does "using the wrong Mozilla build tag" mean?
Mozilla did release another version of Firefox that you missed?

What were the differences between the first mozilla version and the second version of Firefox that day?
Was it one issue or were it multiple issues?
Were they important or not?

One time Gk says the fix (one?) "is rather important", another time he speaks of "Just two tiny Firefox patches make the difference between both releases."

I don't get the point at all.
Reason why I also think that it is important to clear this out (if that is the english expression) is that Tails has a builtin Torbrowser version that is not accurate.
Again.

My questions also therefore are:
Is it safe to browse with the 5.0.5 version or not?
Is it essential to use the 5.0.6 version?
What is the actual difference between these versions, I do not see the technical implications of "using the wrong Mozilla build tag".

Could (would) someone please explain this?
Thank you very much.

It means we forgot to include two important but small security fixes in 5.0.5 as Mozilla basically made a new candidate build available the same day they shipped their final 38.5.0esr release and we missed that. So, 5.0.5 is not secure and should not be used. 5.0.6 is the strongly recommended version.

The difference between 5.0.5 and 5.0.6 is that the latter contains

https://hg.mozilla.org/releases/mozilla-esr38/rev/f6c1116a4295 and
https://hg.mozilla.org/releases/mozilla-esr38/rev/57d0fb011812

additionally.

December 21, 2015

In reply to gk

Thank you very much for answering.
After my post with this question I saw there was actually a new version of Tails on dec 19th with Torbrowser 5.0.6 included. I had missed that because I did not know thus expect that Tails is actually prepared to make exceptions in their release schedule. Practical issue solved and my apologies for bothering you with this question.

> I don't get the point in this release at all.

Can you read? It says in the post:

"This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience."

> What does "using the wrong Mozilla build tag" mean?

The 5.0.5 release is based on an outdated Firefox build.

> Mozilla did release another version of Firefox that you missed?

Yes (they missed it).

> What were the differences between the first mozilla version and the
> second version of Firefox that day?

Security fixes. Read.

> Was it one issue or were it multiple issues?

Multiple. Read.

> Were they important or not?

They are security vulnerabilities, of course they are important.

> One time Gk says the fix (one?) "is rather important", another time he
> speaks of "Just two tiny Firefox patches make the difference between
> both releases."

Well, both statements are correct. The fixes are important and the delta is small.

> Reason why I also think that it is important to clear this out (if that is the
> english expression) is that Tails has a builtin Torbrowser version that is
> not accurate.

Tails 1.8.1 includes Tor Browser 5.0.6: https://tails.boum.org/news/version_1.8.1/index.en.html

> Is it safe to browse with the 5.0.5 version or not?

NOT SAFE!

> Is it essential to use the 5.0.6 version?

YES!

> What is the actual difference between these versions

See the links in the post.

> Could (would) someone please explain this?
> Thank you very much.

You're welcome.

December 20, 2015

Hello users of TorProject,
I have a great concern, and I would like someone to answer my big question,
Because when I go to check my IP
this site: http://ip-check.info
and sometimes here: https://torcheck.xenobite.eu/index.php
This is what happens:
http://pixs.ru/showimage/01jpg_8855641_19951902.jpg
...and my text:
http://pixs.ru/showimage/02jpg_9039700_19951906.jpg

- Of course, even with this error, the IP shown is not my real IP,
I feel good about that,
but is it only a bad configuration of my TBB or is this for everybody?
I HOPE ANSWERS,
Thanks!

December 20, 2015

You say Tor fails when the attacker can see both ends of the communications channel. Now the first tor relay doesn't change. Lets do this with the last tor relay for uncle Sam? He can see both ends of the communications channel via transatlantic cables, and the only problem was to correlate huge internet traffic, and this problem almost solved since the first tor relay doesn't change.

When were entry guards made? I want to know the date, before or after the attack on Freedom Hosting?

"this problem almost solved since the first tor relay doesn't change" is not obviously true. Or rather, it is almost the same as saying "this problem almost solved since the client location doesn't change" -- which brushes a lot of the hard part about the problem under the rug.

For much more on this topic, you should see this earlier blog post:
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…

As for when entry guards were added into Tor? Long ago -- 2006 ish.
http://freehaven.net/anonbib/#hs-attack06

December 20, 2015

In reply to arma

I meant the date since which the first relay stopped changing on every browser start, and it's not 2006.

It's a valid question. Even the FAQ talks about "few relays", not a single one, as it seems to be the current situation: "The solution is "entry guards": each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop."
Maybe update the FAQ?

With the previous version I was having that problem but the latest version changes the entry guard.

I've had an increase in having all 3 relays located in the same country, from a security perspective I can't work out whether that's a good thing or bad.

I do wish Tor allowed us to add additional relays, maybe using hidden services as web proxies (like an exit node) .. I'd imagine that would help hide hidden services more if paranoid users were allowed to have 6 total relays.

December 20, 2015

I have a specific use for flash in a whonix vm environment and now flash doesn't work?

I specifically downloaded tor, enabled plugins and asked to enable flash. I don't care that flash is compromised from the get go. This is a disposable torrified VM.

Too many stupid comments about how "crap" flash is. Of course it is crap, now let me use it if I want to!

I have a specific use for flash in a whonix vm environment and now flash doesn't work?

You should ask for help from Whonix developers about your Flash issue, not on this Tor blog. The latter is specifically for Tor users who do not use TBB in a VM, Whonix, Qubes or Tails.

Too many stupid comments about how "crap" flash is. Of course it is crap,

So you yourself have admitted to making stupid comments?

Please stop trolling on behalf of the NSA.

On the TBB privacy panel, set security level to Low, uncheck "Disable browser plugins..." and "Change details that distinguish..." But like everyone said, don't do this unless you are running flash inside a dedicated VM with a Tor gateway/proxy like Whonix. It's very easy to shoot yourself in the foot.

Even if it is a disposable torrified VM doesn't mean you aren't at risk. A vulnerability in flash could be used to download and execute a program to break out of the VM and therefore have access to your underlying OS.
VMs are nice, but they're not perfect.

December 21, 2015

I am in Love with my Tor Browser, kiss kiss...I'm in Love with my VPN, kiss kiss...I hate my Mac with a passion, it's programmed to always turn wifi on at the router, the only one my ISP allows (theirs) so I put it in a Faraday Cage...anyone not using Tor is not reading the Real news...I'd Love to Donate but am a disabled shut-in that is dirt poor, I really am sorry but all I can send is Love and advise others to use Tor...........

I really am sorry but all I can send is Love and advise others to use Tor.

Thank you, thank you, thank you.....

Hallelujah.....Edward Snowden be praised. We need lots of Torevangelists like you to spread the gospel (a/k/a good news) that we, mere mortal users of the internet, can be free from the yoke of mass surveillance, trans-boundary snooping and invasion of privacy. Tor gives us liberte, fraternite and egalite.

P.S.: Admiral Michael S. Rogers sends you his regards.

Adm. Rogers should be court-martialed on charges of aiding and abetting terrorism. And we are working to see that he, John Brennan, and other state-sponsored crime lords are brought up on war crimes charges at the Hague. Because unlike him, we are law-abiding citizens who oppose terrorism.

Cloudflare need to stop treating the Tor network as a threat. Also, Disconnect.me needs to change their website to work without Javascript and cookies. It's stopped working now - I have to use startpage now

I'd say it's more accurate to say Cloudflare is blocking the tor network from accessing Mozilla's website than it is to say cloudflare is blocking the website itself. It may seem like semantics but it's important to realize that the issue is with the software running on the website not with tor itself.

On that note, Mozilla might actually listen to the Tor Project about the issue. Maybe it's time to fire off an official email?

December 21, 2015

How do you change the user agent string?

------------------------------
Can users change their fingerprints?

In some ways, yes. By installing new fonts or new plugins the fingerprint changes. It’s also possible to fake the user agent string, that is, you can pretend you’re using a Firefox browser on a Mac OS X machine but in fact you are using Chrome with Windows. Some browsers let you alter the User-Agent string. But that’s not always a good idea since the functionality of some websites depends on a correct user agent. In general, changing your system or browser settings affects your browser fingerprint but every setting that differs from the default setting makes a browser fingerprint more unique.

December 22, 2015

You want this config?
security.tls.unrestricted_rc4_fallback == true

We are testing setting this to "false" in the current alphas. If that works out as expected the stable series will get it, too.

December 22, 2015

Does the issue discussed above regarding Flash affect Gnash as well? I mean, if Gnash is used in Firefox (not Tor Browser) with a VPN, for example.

Does the issue discussed above regarding Flash affect Gnash as well?

Gnash, like Adobe Flash, uses ActionScript.

Even using a free open source software (FOSS) like Gnash to view Flash videos is risky. Hackers and the NSA have been known to embed Flash videos with malware so much so that your real IP geolocation may be revealed.

Well, Gnash doesn't use the same implementation of ActionScript as Flash, so it shouldn't have the same vulnerabilities; ergo, malware designed to work with Flash could easily fail to work with Gnash.
With that said, last I checked Gnash wasn't under active development, so any known vulnerabilities probably haven't been patched...

December 22, 2015

please add niche function to let us use double relays (6 total) for paranoid users? a network of hidden services acting as exit nodes would be good

I believe that a three relay circuit isn't enough for home users because the middle relay is in a position to know with certainty both ends of the circuit. Tor fails when an adversary can monitor both ends, and knowing both ends is an obvious first step toward that goal. I think that the standard number of relays should be four.

December 22, 2015

Both v5.0.5 and v5.0.6 freeze on Youtube again.

This bug was resolved a long time ago, then reintroduced since v5.0.5. The behavior is exactly the same, so it's the same bug.

Jumping around a video will cause it to freeze, and any other video you have open will continue to play for a while then freeze as well, but the audio will continue playing. Lastly, no new video will start.

Selecting the lowest resolution will prevent this from happening (e.g. 140p), so it apparently has something to do with automatic resolution changes.

Creating a "New Identity" doesn't fix the problem.

December 23, 2015

In reply to gk

Could you post a link to a video on Youtube where this is definitely not happening with 5.0.4 but with 5.0.6?

I'm guessing the OP was trying to watch Flash videos on Youtube using TBB.

The OP could be the same troll who works for free for the NSA and who has been posting messages either encouraging users to use Adobe Flash or complaining about Adobe Flash being screwed up by TBB.

(Trolls fall into two broad categories: smart trolls and stupid ones. The smart ones are rewarded handsomely for their work, for example, they each rake in at least half a million USD per year. On the other hand stupid trolls are willing slaves who work for free.)

December 23, 2015

In reply to gk

My OS is Win7 64bit, using HTML5 (no flash).

The specific video isn't relevant. I used a clean extraction of Tor 3x in a row (both v5.0.5 and v5.0.6).

I then opened 3 random videos and after buffering for a while jumped to the end of a buffer. Within a few times the video froze (audio did not) and any new video wouldn't load.

I reported this exact behavior about 12 versions ago and you guys fixed it, and now it's back.

Like I said, forcing the lowest resolution for the 1st video (e.g. 170p) keeps this from happening (since all subsequent videos also load at this resolution). So Youtube's automatic resolution switches appear to have something to do with this bug. It's crashing HTML5, and subsequently doesn't work on other sites as well.

December 24, 2015

In reply to gk

No Problem on Mac OS X. Videoplaying works fine.
Even on Older OS X versions no problem at all.
Be smart in choosing which javascripts you are allowing with videoviewing.
No Flash plugin needed at all.

Both v5.0.5 and v5.0.6 freeze on Youtube again.

You did not specify the format of the video that you were watching on Youtube.

Were you trying to watch Flash videos on Youtube?

it is for us civil rights ; in the rogue states, it is worst since a long time.
tor is a free democratic tool , in a territory without constitution, laws , rules, it gives a little hope ... like few century ago ...

new version will not let you update flash, why oh why did I update lol.

Another post by probably the same troll working for the NSA.

He encourages naive unsuspecting Tor users to use older versions of TBB which have security vulnerabilities.

December 25, 2015

Guys, today I discovered that bug #16990 is still present in 5.0.6. Right now my circuit display is gone.

I wanted to post this in the bug tracker but I can't access the multiuser account. Could you do something to prevent people from changing the password? (Assuming that's the problem.)

It was. However, the change doesn't look urgent or interesting: https://www.mozilla.org/en-US/firefox/38.5.2/releasenotes/

Oddly, the non-ESR release (43.0.2) does have 1 security fix:
https://www.mozilla.org/en-US/firefox/43.0.2/releasenotes/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#f…

The advisory announcement 404s for me though:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

Still, reading the title I would hope it doesn't affect Tor Browser (MD5 should have been disabled completely long ago).

December 26, 2015

I'm wondering why the highest security setting in Tor should block HTML5 videos on YouTube. Is JavaScript needed for HTML5 or something? I don't get why Tor can't accept HTML5 video. Any explanations would be very welcome.

Thanks. That works. I didn't realise you could manually whitelist sites as NoScript seems to be differently configured than in a non-Tor Firefox, where you're invited to build your whitelist in use, so I left it as it came default. I take it there shouldn't be a security problem whitelisting those two URLs to play HTML5 videos at YouTube?

Your question was already answered above, in the first reply. By using JavaScript you increase your risk of de-anonymization. The same goes for enabling multimedia playback (like HTML5 videos/audio). The reason is the same: you're increasing the attack surface by using vast sections of code (code with a reputation for having security holes, to boot).

Is JavaScript needed for HTML5 or something?

Firstly, JavaScript and HTML5 are two distinct technologies, meaning you don't need one in order to operate the other.

Secondly, JavaScript has been used by ill-intentioned folks such as hackers and the NSA to un-mask you, that is, identify you.

December 26, 2015

There are a lot of relays with "default" in their names, Windows 7/8 and Tor version 0.2.4.23(22). Reason?

December 29, 2015

Tor circuit seems to always include the USA for me. Is there any way to avoid a Tor node there?

Have you tried to change your DNS?
To set high level on the privacy setting tab?
To not be on Windows?
To not work on a Lenovo laptop, e.g.?

>always include the USA
it is not at all fine.

January 01, 2016

I thought [forbid script globally] once was a default.
After the new update, I was using the default setting [allow Script globally], thinking the
default is set to [forbid script globally], which is very dangerous.

January 04, 2016

Tor biases exit selection to those having previously successfully handled exiting traffic in some interval.

Tor also shares this bias across all isolation contexts.

Mind you the defect is in Tor itself rather than Tor Browser. It wouldn't be uncommon to use the bundled Tor binary system wide.

This means isolation contexts may share exits, albeit on separate circuits, even if traffic routed is chosen from disjunctive sets. Take the sets www and email and separate them by isolation context, and you see they share exits in a given interval. Use your imagination as to where this leads.

Preferably, bias should not be shared across isolation context. A bias property should be maintained for each isolation context. Although, understandably, it may not always be disjunctive across all contexts.

If it absolutely must be shared it should always prefer adding/using an exit with the narrowest routable exit traffic. So provided a set of exits that route traffic { {www}, {email}, {www+email} }, and bias must be shared, the current behavior selects {www+email} for all isolation contexts even if context_a is www only, and context_b is email only.

The goal is to improve anonymity, and reduce attack surface for fingerprinting. Do I make sense? English isn't my primary. Has it been studied? If so, where? If not, does it merit further investigation? It looks to be an important discussion?

#freerasool

January 05, 2016

There is a regression in this build or 5.0.5. When I try to use an obfs4 connection through a proxy with authentication it does not work anymore. I don't really know where the problem is but I'm sticking to 5.0.4 for the time being.

The only thing that comes to mind while looking at the changelog is the change in the default obfs4 bridges. Are you saying it does not work with any obfs4 bridge anymore? Are you using one of those shipped with Tor Browser?

January 05, 2016

Hello,
the release note for Tor 0.2.7.6 (in TBB 5.0.6) says:
"...When we implemented the directory guard design, we accidentally started treating all relays as if they have the Guard flag...".

For the interested Tor user it would be really nice to have a simple, convenient graphic overview of ALL flags for all relays.
There are only a few working torstatus.xxx.xxx sites and 'Flag' is sometimes INCOMPLETE )-:.

January 06, 2016

Unfortunately the TOR browser crashes a lot now with quite a few sites (like German computer news sites or flight search sites and so on). 5.0.4 was a lot more stable and I am considering returning to 5.0.4.

January 06, 2016

BUG: from version to version TBB cannot preserve screen resolution.
DESC: TBB starts with some of its default reso (1000*600, 1000*1000, etc - on diff PCs) with the ugly black bar under the bottom slider, but after some browsing (maybe HTML5 video or other activities, but without reso changes!) it becomes +30px higher (*630, *1030) and black bar disappears! ip-check.info detects it as fingerprinting vulnerability! Full screen video toggling has the same effect.
PC: Win XP SP3, 7 SP1, 8.1.3, 10; TBB 5.0.6 on defaults.
MISC: if this is not a bug then TBB must warn user of such behaviour as it does when user changes resolution!

January 07, 2016

Cloudflare has rapidly become the most annoying site in the world for Tor users. Is this being addressed? Whole swathes of the internet are becoming no-go zones. In some respects, I suppose one could say at least it is another site one is not being distracted by. Amazing how quickly one loses interest in a site one cannot reach in Tor. But, applying that logic, one may as well give up on the web altogether, which I sometimes think I may well do. Yes, Cloudflare is annoying.