Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we now isolate Shared Workers to the first-party domain and have further improved our keyboard fingerprinting defense.

We also made progress on the usability side. First, by providing Tor Browser in another locale, Japanese. Additionally, by showing the changes in the new Tor Browser version immediately after an update and polishing our about:tor appearance. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users
Anonymous

January 29, 2016


I don't know how to use it; every time I try to use it, it doesn't work..... that is why I would like to have a little help, but I don't know how I can get help..

Anonymous

January 29, 2016


I would have preferred to stay on the previous version.
This new one causes me quite a few problems and blocks some functions of some sites.

Anonymous

January 29, 2016


I Use Tor Browser For Facebook And I Can't See My Emojis. Is There A Way I Can Uninstall Update?

Anonymous

January 29, 2016


hi. nice update.

There are loads of XPCom errors with the new windows 10 build

What does it mean if the "signature made date" is different from what appears on the Tor Project web page about verifying signatures (https://www.torproject.org/docs/verifying-signatures.html.en)?

According to the Tor Project, the result should be:

gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290

Everything matches except for the bold parts, which present a different date and time. Does that mean no one has updated the verifying signatures page since it was written and it is safe to consider the package verified?

Yes, correct. The instructions page gives you example output. Since we have to sign each new package, the timestamp on each new signature will be different.
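
The point of the reply above, as an added example (not code from the Tor Project): a check over `gpg --verify` output that decides on the verdict and the primary key fingerprint and treats the "Signature made" date as informational only. The function names and the three outputs marked as constructed are assumptions made for illustration; for scripting, GnuPG's machine-readable `--status-fd` output is the more robust thing to parse than the localized text used here.

```python
import re

# Primary key fingerprint as shown in the example output quoted above.
EXPECTED_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"

def normalize(fpr):
    """Drop spacing and case so only the hex digits are compared."""
    return re.sub(r"\s+", "", fpr).upper()

def check_verify_output(text, expected_fpr=EXPECTED_FPR):
    """Return (ok, signature_date) for human-readable `gpg --verify` output.

    ok is True only if gpg reported a good signature, reported no bad
    signature, and the primary key fingerprint equals the expected one.
    The date changes with every signed package and never affects ok.
    """
    good = re.search(r"^gpg: Good signature from ", text, re.M) is not None
    bad = re.search(r"^gpg: BAD signature from ", text, re.M) is not None
    fpr = re.search(r"^Primary key fingerprint:\s*([0-9A-Fa-f ]+)$", text, re.M)
    made = re.search(r"^gpg: Signature made (.+?) using ", text, re.M)
    fpr_ok = fpr is not None and normalize(fpr.group(1)) == normalize(expected_fpr)
    return (good and not bad and fpr_ok, made.group(1) if made else None)

def sample_output(date, fpr, verdict="Good"):
    """Build gpg-style output in the shape quoted above (demo helper)."""
    return (
        f"gpg: Signature made {date} using RSA key ID D40814E0\n"
        f'gpg: {verdict} signature from "Tor Browser Developers (signing key) "\n'
        "gpg: WARNING: This key is not certified with a trusted signature!\n"
        f"Primary key fingerprint: {fpr}\n"
    )

# The page's example output, then three constructed variations of it.
PAGE_EXAMPLE = sample_output("Tue 24 Jan 2015 09:29:09 AM CET", EXPECTED_FPR)
NEWER_DATE = sample_output("Wed 27 Jan 2016 11:02:45 AM CET", EXPECTED_FPR)
OTHER_KEY = sample_output("Wed 27 Jan 2016 11:02:45 AM CET",
                          "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999")
BAD_SIG = sample_output("Wed 27 Jan 2016 11:02:45 AM CET", EXPECTED_FPR, "BAD")

if __name__ == "__main__":
    for name, out in [("page example", PAGE_EXAMPLE), ("newer date", NEWER_DATE),
                      ("other key", OTHER_KEY), ("bad signature", BAD_SIG)]:
        print(name, check_verify_output(out))
```
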

Thanks for the update, but it seems there is a big f*ckup in Firefox. Frames don't work anymore as expected and always open a new tab instead of opening in the intended frame. Also automatic refreshing is broken and stops working erratically. I tried TBB on Windows and Tails, same behavior. Any other browser works fine!

Any way to mitigate? Keeping the old version is not an option! Otherwise I hope for a quick update. Thanks for all the hard work.

If you want to reproduce what I describe, check out this chat or install the script somewhere yourself: http://tt3j2x4k5ycaa5zt.onion/chat.php

Boundless greetings to those active in the peerless Tor project

Many thanks to all the friends committed to and believing in freedom of expression and human rights, who by launching this project have given the greatest help to me and to other citizens of my country, Iran, so that at any time and place, without worrying about being tracked by the Iranian regime's powerful internet espionage and security organizations. Because these organizations and the many specialists who work in them, apart from extensively filtering the internet for the people of Iran, have as their more important job the online tracking of the whole population, and if someone enters filtered sites by means of a filter circumvention tool or publishes their personal opinions on the internet, they are very easily abducted or arrested by the government, without any prior notice or court order. Many people, without being charged or tried, die under torture at the hands of interrogators in places that even their families do not know about. There are many such people in Iran, but reading the story of just one of them is enough to understand: merely expressing a personal opinion carries the penalty of death. The name of one of these dear compatriots of mine is "Sattar Beheshti"; just search for his name. For this reason I am grateful to you dear people in the Tor project, who have provided a way to be present and active safely on the internet for me and a very large number of my compatriots in Iran. I have been one of your users since Tor first started and will remain so; I congratulate you that the quality and strength of your work has increased day by day.
Wishing for a free world and universal peace
An Iranian

Dear friend, I am Iranian too and I use Tor, but I disagree with your view. It is true that in some cases unpleasant things have happened, such as the late Sattar Beheshti. But the regime has not always acted this way. Basically it does not have the capacity to exert such control over this many domestic internet users. I refer you to the various domestic news sites and Facebook and the like, where many people express their opinions with real profiles and personal email addresses, even when opposed to the regime. This volume of expressed opinion is basically impossible to track. So if we have a problem with the Islamic Republic system, which is justified, let us not step outside the bounds of fairness and present our own imaginings to the world as reality.
Thank you

ok

very good in performance but a bit slow in loading.

puzzling proxy URL.

I have been using 5.5 for a few days and it has been swapping proxies fine when I select 'new tor circuit for this site'. Today, no matter how many times I do that or even reboot TOR completely, the top site is still showing as 176.126.242.49 (UK), yet a whois search draws a blank. Any ideas? If this is a guard proxy, why has it only appeared today?

John

Thanks for your work.
I would like to help translate the Tor into Ukrainian.

so it's not working better, opening some sites but not playing

Thank you!

Dear Team,

Using this version, I cannot see the Bangla font, nor can I write in Bangla. Can you please look into this issue?

Regards,

Joy

Hello, can you tell us what your operating system is (Windows/Mac/Linux)? What is one of the web sites that don't work?

https://bn.wikipedia.org/ is working for me on GNU/Linux with Tor Browser 5.5, using the font "Noto Sans Bengali":

You can find out what font the browser is trying to use by right-clicking on some text, selecting "Inspect Element", and then clicking on "Fonts".

i'm using windows. here i'd tried different font but none of them worked. the problem is, i've installed these fonts and moved them to "font" folder but couldn't find any of them on browser font selecting option :/

tor>options>content>default font- none of them found.

-borsian_sisu

Do you mean the default font worked but not the custom one you used? For what it is worth, there is the preference font.system.whitelist, accessible via about:config, that governs which fonts are available. You could test whether adding your font(s) to this preference works for you, although having them there is not recommended. You are probably the only one doing that and are therefore sticking out of the crowd.

It is rendering fine for me on Windows 7, using the system font "Vrinda":

You won't be able to configure alternate fonts unless you change the font whitelist, as gk suggests. But you should think before changing the whitelist, as it is a safety feature.

comment please ?

http://miupix.cc/pm-LSXABV

using Windows 7, privacy setting High and js manually disabled.

you're amazing, thanks

I am very grateful for your great humanitarian effort

Damn, great browser! I'm delighted! And our Roskomnadzor can go shoot itself! :-)

I have been using TOR for a long time in WINDOWS 10 till this last build of WINDOWS broke TOR WINDOWS 10 version (OS BUILD 14251.1000). I get XPCOM can't load.
I have tried reinstalling TOR and it does not help.

I have been using TOR for a long time in WINDOWS 10 till...

Stop using Microsoft Windows OS, especially Windows 10. The latter sends everything you do online to its servers in the US where all data is being collected for and by the NSA.

Start your switch of OS to a Unix-like operating system and use TBB with it.

Please accept my warm greetings from Iran. Tor is a symbol of freedom of expression in dictatorial countries, and I hope that one day I will have the opportunity to help this project. May you be successful and victorious and always at the forefront, because the lives and freedom of many people depend on you.

I resent the fleers of those who supported the removal of 'comic sans' from the font menus. LOL

Ok, so y'all probably did so to eliminate a perceived security issue and, yes, I can live with that... I must!

I certainly wasn't aware that sites must interact with the browser in this regard and can thus detect which fonts are requested. I simply accepted that my font selection was purely a local system matter.

But all those other sans-serif fonts appear, to me, as overly angular, ugly and harsh. Comic sans is fat and comfortable. We'll truly miss it.

When will torproject.org upgrade from TLS 1.0 to 1.2? This is a security concern that has been known for a long time.

I am using Tor and sometimes another, like Ultra Surf and Free Gate, but Tor is much better than the others.

Signing in to vk.com does not work. Clicking "Sign in" opens a new tab, but there is no authorization.

This might be a problem caused by https://bugs.torproject.org/18168. We are currently testing a fix.

I have the same issue as the person above with the latest Win10 preview build (14251). Tried both 5.5 stable and 6.0 Alpha releases of Tor browser, both are a no-go.

Are we ever going to get any replies about this xpcom error that the new build of windows has broken?

Other than people not actually reading the comments and just pointing to Webroot...

https://bugs.torproject.org/18171 is the one where we track and investigate this. Please follow this one and help with testing patches/tracking the root cause down if you can, thanks!

I have the same issue as the person above with the latest Win10 preview build (14251).

Why are you still using the preview build of Microsoft Windows 10? The retail version of it has been released for a few months now and Microsoft is offering FREE upgrades to users of legitimate copies of Windows 7, 8 and 8.1.

I'm using the technical preview builds because I'm enrolled in the Windows Insider program. It's not an old build - it's the latest build published to the Fast ring. If I was using an old build, Tor would still be working fine!

ughhh...after this update, none of the sites i go to work anymore...

How can I reproduce your problem?

I have tried on two computers to access tor today, and only one site that i tried actually displays. What do I need to do? I just updated the browser today also.

I cannot see most of my bookmarked pages. They are just blank. I got the update today, what do i do?

Hello and good morning everyone

I don't know why but it seems like a lot of obfs4 providers and bridges are just evaporating. here is the case:

I go to https://bridges.torproject.org/bridges?transport=obfs4 and I get new bridges, but the problem is that after a few hours I get a lot of messages like this in my tor log:

2/2/2016 1:18:22 AM.200 [WARN] Proxy Client: unable to connect to 198.23.141.168:44323 ("general SOCKS server failure")

meaning that for one reason or another my tor client is not able to communicate with this IP. Now here is my question:

Is the local gov guessing or somehow getting the bridges and their respective ip and port number and just blocking them, by simply having a lot of guys doing the job of simply surfing to https://bridges.torproject.org/bridges?transport=obfs4 and black listing the ip and port addresses??

or are the bridges really unstable at the moment?? why am I getting a lot of

2/2/2016 1:18:02 AM.500 [WARN] Proxy Client: unable to connect to 194.132.209.183:41172 ("general SOCKS server failure")
2/2/2016 1:18:02 AM.500 [WARN] Proxy Client: unable to connect to 194.132.208.206:36491 ("general SOCKS server failure")
2/2/2016 1:18:02 AM.600 [WARN] Proxy Client: unable to connect to 194.132.209.153:54104 ("general SOCKS server failure")
2/2/2016 1:18:02 AM.600 [WARN] Proxy Client: unable to connect to 37.218.246.199:41909 ("general SOCKS server failure")
2/2/2016 1:18:02 AM.700 [WARN] Proxy Client: unable to connect to 194.132.209.177:35909 ("general SOCKS server failure")
2/2/2016 1:18:22 AM.200 [WARN] Proxy Client: unable to connect to 172.245.230.92:42061 ("general SOCKS server failure")
2/2/2016 1:18:22 AM.200 [WARN] Proxy Client: unable to connect to 198.23.141.168:44323 ("general SOCKS server failure")
... ???

thank you TOR. We all <3 you

The other day the "Tor circuit for this site" disappeared.
"New Identity" and "New Tor Circuit for this Site" would not bring this information back.

I've read similar issues from others suggesting prolonged use of the browser caused the same issue - this could have been the case here as the browser may have been open after a period of sleep of the computer.

The connection is: 127.0.0.1 Port: 9150 SOCKS v5 and Remote DNS is checked.

Tor worked normally and the check.torproject.org would display various IP addresses. Just the info tab was missing completely.

Could a MITM attack sit between my computer and the entry or directory node and remove this information to keep himself hidden? Any other ways this information could be removed but Tor still work normally?

Or is this just a bug that has not been worked around yet?

Also, how do I check my current Tor version? I'm quite sure it is 5.5 as I remember the update being only a few days ago and noted the new Japanese language update.

Thank You.