Tor Browser 5.5.2 is released

Tor Browser 5.5.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.

The full changelog since 5.5.1 is:

Tor Browser 5.5.2 -- February 12 2016

  • All Platforms
    • Update Firefox to 38.6.1esr
    • Update NoScript to 2.9.0.3
Anonymous

February 12, 2016

Permalink

Hmm, getting the error "The integrity of the update could not be verified" when I try to update. I'm on Qubes-Whonix. Tried getting a new identity, which didn't make any difference. The error shows up in 2 of my VM's, but doesn't in another. Any idea what's wrong?

Another thing you could do is checking were exactly the issue is by setting `app.update.log` in your Tor Browser to `true` and open the browser console with Ctrl + Shift + J and looking at the log output.

(I'm the person you replied to.) Qubes-Whonix is 64-bit. I restarted Tor Browser, told it again to look for updates, and that fixed it. I'm not sure why restarting Tor Browser fixed it; I've never seen that behavior before. Sadly I don't have any debug output for you.

Speaking of integrity, how is it verified then? I'm a little worried about this auto-update feature in general. Any know attacks? Thanks.

As I am new and don't know, hereby a copy of a posting to help@rt.torproject.org:

5.5.1 (based on Mozilla Firefox 38.6.0)

https://thegreateststorynevertold.tv

Safe mode:

The proxy server is refusing connections

Firefox is configured to use a proxy server that is refusing connections.

Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is working.
-------------

After 30 minutes trying to figure solution: http://thegreateststorynevertold.tv/portfolio/part-8-pearl-harbor/ Screen changed to:

Forbidden

You don't have permission to access /portfolio/part-8-pearl-harbor/ on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at thegreateststorynevertold.tv Port 80

Or
I get: This request has been denied for security reasons. If you believe this was in error, please contact support.

Reference #18.37535d68.1455279193.d56bd48

------------------------------

Access Denied
You don't have permission to access "http://www.lufthansa.com/us/en/Homepage?" on this server.

----------------------------

I tried to do as secure as possible. Any advise?

These websites are blocking access over Tor. Because Tor's anonymity is sometimes abused, some website operators have chosen to deny access to Tor users.

changing the exit node made that error disappear, you probably just used an exitnode, someone abused before on that site

Firefox "Safe Mode" will disable networking in Tor Browser.

Try using proxy on Tor to unblock these sites.

مساء الخير ومشكورين على هالبرنامج

getting torbutton warn "no SOCKS credentials found for current document" in browser console. proxy setting: http/https without username/password. how to fix this?

I think this message is related to Torbutton not being able to find a domain against which to perform domain isolation for the purpose of showing the tor circuit graph.

It happens because Firefox's own UI uses several windows/documents that trigger Torbutton's algorithm. Examples: about:* pages, some of the Developer Tools sometimes*.

I believe such cases are harmless and you can disregard the warning.

(*) I have also seen this: "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [mozIThirdPartyUtil.getFirstPartyURIFromChannel]"

Sorry, just sent you the log output without "setting `app.update.log` in your Tor Browser to `true`"
Where can I find: setting `app.update.log`?

My bad. You find it by entering `about:config` in your URL bar.

I should not forget to put it back to false??

[snip]

Does not matter much. You should be careful, though, when pasting things somewhere to omit your authentication cookies etc.

thanks guys!

Добавте русский язык

Anonymous

February 17, 2016

In reply to by Anonymous (not verified)

Permalink

Это точно!!!

да русский язык не помешал бы...

Thanks! Quick question: Is there a reason "Medium-High" uses click-to-play HTML5 audio/video media? I can live with Medium-High for daily use but the HTML5 media click-to-play can be a bit annoying at times

HTML5 audio/video is a huge attack surface. Libraries like ffmpeg try to compete with Flash for the highest number of security bugs.

You have no clue what you're talking about
>Comparing open source to closed source
>Comparing single ffmpeg misconfiguration issue with giant attack surface of flash with hundreds of vulnerabilities
>Clearly don't understand how the tech works

Comparisons aside, his answer is correct: great increase in attack surface + bad vulnerability track record => great increase in de-anonymisation risk.

Thank you <3 + (A)

Hi ,

i have a problem with firefox, i see anything this message "The proxy server is refusing connections

Firefox is configured to use a proxy server that is refusing connections.

Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is working."

how i can make for have Tor , before i was download this version i never have problem,

thanks & thanks for your working

Maybe TorLauncher is not working?

A common reason for this error is a firewall running on the computer that is preventing connections between the browser and tor.

I cant change the resolution anymore :(

Thanks for a new release.

Why ever would anyone NOT use all maximum security settings?
Just curious...

Practicality, mostly. The maximum security setting does slow many websites down and it disables many web features. Some people (me for example) consider this too high of a price to pay.

people who just pretend to be naive.

thx ; update successed / no problem

NO ENTIENTO EL LEGUAJE PERO DOY LAS GRACIAS POR TENER LA OPURTUNIDAD DE CONTAR CON ESTE POGRAMA GRACIA A USTEDE QUE ME ANDADO AMI ESTA OPORTUNIDAD ES MUY BUENO Y COMPARTIBLE CON MI NAVEGADOR MOZILLA FIREFOX

nice one

Hello, should I be worried about this error? Tor Browser only.

addons.xpi WARN Download of https://addons.cdn.mozilla.net/user-media/addons/722/noscript_security_… failed: Downloaded file hash (7c65095465f8abc7594dd20ad63e20de57fd68b015b016b3c03e0d5692eacb4e) did not match provided hash (94d036ff45116023bde97e6dee6c79daf2d28804764bfa8937f5d4d3463173f5)

Maybe it was just some corrupted download? Or maybe someone tampered with your (TLS) exit connection? Hard to tell. Keep an eye open, I suppose.

Hello,
I will try and make short... I downloaded Tor few days ago, left all settings as Tor has them, did all recommended things, no tool bar stuff, no plugins, and so on. Tor's been running just fine, I use it mainly for one site that I need to log in and change pages. Today 2-12-16 Tor did auto update (5.2.2), all was fine, restarted. So here is the problem.. After I log into that site just fine, after about 5 minutes and changing a few pages on that site, the site logs me out as if the IP address/Tor network disconnected briefly. This keeps happening even after I try different Tor Circuit or New Identity.
Any recommendations would be appreciated. ( will check back later for reply) Thank you.

The site is probably expiring your session when the exit IP changes, as a security measure. Try enabling TrackHostExits in your torrc file located within the tor browser directory. Add the line

TrackHostExits 1

ok

thank you

is it really safe to allow script in https as well as non https websites

gk pls advice and help