Tor Browser 6.0.3 is released

by boklm | August 2, 2016

Tor Browser 6.0.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 45.3.0esr. Additionally, it bumps NoScript to 2.9.0.12, HTTPS-Everywhere to 5.2.1, disables asmjs, removes meek-google and contains a few other bug fixes.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Update (August 11, 10:04 UTC): Starting from a couple of hours ago Tor Browser users might see a notification box in their browser claiming that Firefox is too old providing a button to get a newer one. This is both due to a server-side code change on Mozilla's side and an oversight by us during the ESR45 transition. Clicking on the "Get Firefox" button is safe and leads the user to our Tor Browser download page. Needless to say, this whole behavior is highly confusing and we apologize for it. We are working on a fix as quickly as possible and hope to get Mozilla to exempt Tor Browser users from this feature while we are working on a new release. For technical details see our bug tracker.

Here is the full changelog since 6.0.2:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Torbutton to 1.9.5.6
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined

Comments

Please note that the comment area below has been archived.

August 03, 2016

In reply to by Anonymous (not verified)

Permalink

Thanks

August 03, 2016

In reply to boklm

Permalink

Actually, Tor tools>options>advanced>updates already has dashboard options available as in:

"Automatically install updates (recommended: improved security)"

Or

"Check for updates, but let me choose whether to install them."

Or

"Never check for updates (not recommended: security risk)"

Tor, like any other app, requires fettling to conform it to your personal requirements.

Using Tor, as is, is a poor security choice so please take the trouble to read and understand the values of all the options on offer - not only in the tools menu but also in NoScript and in Tor button.

Understand also that the Tor browser is only fully secure when accessing sites available on the Tor network and nowhere else.

August 04, 2016

In reply to by Anonymous (not verified)

Permalink

Now the comment above, "... the Tor browser is only fully secure when accessing sites available on the Tor network and nowhere else." caught my attention like a hornet in a coke can.

I freely admit to limited understanding of Tor/anonymous nuances but that comment sounds as if I should have heard it first day in class.

How does one know if accessing a site with Tor on another network?

Said another way, if the site is on another network and not Tor's network I did think, until now, that it would be virtually impossible to pierce the Tor veil.

If you've the patience, a little dumb down would be appreciated, or point me to another source.

dontwanttocsun

August 02, 2016

Permalink

thanks !

i have a question : is telegram desktop safe if i set it with tor ? i mean telegram desktop get tor DNS Given that there are no options in the remote DNS on it?

August 02, 2016

Permalink

good

August 02, 2016

Permalink

The changelog says, that NoScript was updated to 2.9.0.12. After I`ve updated (OS X) to TorBrowser 6.0.3, I`m using NoScript 2.9.0.13.

August 03, 2016

Permalink

ty

August 03, 2016

Permalink

I updated TBB using the "About Tor Brower".
Initially everything seemed alright. TBB finished updating and I restarted it.
The home page said that my TBB is ver 6.0.3.
After a while, I realized that https everywhere was gone. I checked the add-ons list and it only listed noscript, torbutton, and tor launcher.
I ended up downloading a fresh copy of TBB; now everything is okay.

August 03, 2016

Permalink

Is this correct that I'm uniquely fingerprintable with Medium-High security settings, because there's no font fingerprinting defense?

The slider is only concerned with the security of your Tor Browser not with your fingerprintability, say, by examining the fonts available. That said this risk should got minimized from Tor Browser 5.5 on where we started shipping the same fonts to use (roughly) for all users of the same platform.

August 03, 2016

Permalink

I clicked Enable plugins in Add-ons Manager, then opened Privacy and Security Settings and found Disable browser plugins still selected. So are plugins enabled or disabled now?

Some sites are bound to be unusable at High Security, as they require features that are disabled at High Security in order to function. Last I checked, Youtube didn't like that HTML5 was click to play at high security. There's some concern that a bug might allow a video to be used in an exploit, therefore HTML5 video is click to play.

You can use youtube-dl software. When a video interests you, download it with this stuff, with --proxy "socks5://127.0.0.1:9150"
9150 will use your tor browser's tor. If you prefer, you can run another tor instance and use theirs port.
You can open and watch a video before it's fully downloaded, just can't seek to a time that hasn't downloaded yet
For better security you might want to use app that hooks youtube-dl and force every connection through tor, like freecap, AdvOR etc

You could try the Tor Browser in Tails at High Security setting and see if it works for you. Tor Browser in Tails runs faster ( for me ) than the same Tor Browser version for Windows. YouTube videos play much clearer and smoother in Tails than Windows, although at a lower Security setting.

August 03, 2016

Permalink

I have tried uninstalling and reinstalling but the new version keeps telling me firefox is not found for installation. I gone though searching my whole c drive(after making sure I have removing older copies), %appdata% threads and drives and removing or renaming directories like they recommend but nothing is working, I know firefox has released two new versions in two days but their update chart and your comment thread says everything is fine. Have you guys been getting any similar reports or is something up with my system. This is my first upgrade with you guys since being forced into win10. Thanks ahead of time, Johnny

August 04, 2016

In reply to dcf

Permalink

Thank you.

August 03, 2016

Permalink

Ever since TBB 6.0.1 (Windows) update, pictures such as avatars don't show anymore on twitter apps. While the captcha image on a private paste service doesn't show either. I checked on other browsers and they show but they don't show on TBB.

I checked Google for the problem and found this old post:

https://blog.torproject.org/blog/tor-browser-50a3-released

++++

On July 7th, 2015 Anonymous said:
It's gotten really slower and stopped showing pictures on twitter

On July 8th, 2015 Anonymous said:
I can confirm problems on Twitter (no pictures shown), also I'm not able to right-click on Twitter and see the context menu and it always shows the cookie warning on top of the page.

On July 9th, 2015 Anonymous said:
Confirmation - no pictures on Twitter. Also tweet button does not show up, and am unable to use the search function on twitter.

On July 9th, 2015 arma said:
https://bugs.torproject.org/16528

++++

I tried the about:config fix it shows from last year mentioned on https://trac.torproject.org/projects/tor/ticket/16528 and it doesn't work for me. That link is from last year.

August 14, 2016

In reply to gk

Permalink

The laptop I'm currently working on is Windows Vista. The Twitter-linked sites I've noticed this on is Hootsuite. And unfollowing/follower sites such as statusbrew.com and who.unfollowed.me. Those are all web-based Twitter apps. No mobile. This all happened ever since TBB 6.0.1 (Windows) update.

August 03, 2016

Permalink

Just updated. Everything was stable and fine before; now things grind to a halt and freeze. What have you done?

I am on Windows 10. Also runs Firefox 48.0 with no problem at all.

August 04, 2016

Permalink

After presumably auto-updatingTBB now no longer launches under 10.7.x :(

August 04, 2016

Permalink

I manually checked for this update in Torbutton (check only in Options). It downloaded 6.0.3 and asked for restart. I closed Torbutton window, but nothing changed in hamburger menu. But when I opened Check for Tor Browser Update again, then the icon & "Restart Tor Browser to apply updates" appeared there!

August 04, 2016

Permalink

TypeError: this._recipeManager is null LoginManagerParent.jsm:185:9

August 04, 2016

Permalink

geoip in TBB 6.0.3 is from December 2015.
Why this old version?
Newer ones are from "June 7 2016"(0.2.8.4-rc - 2016-06-15)
and "July 6 2016"(0.2.8.6 - 2016-08-02).

What's the reason for the old geoip version in TBB 6.0.3?

August 04, 2016

Permalink

Only 2 of the 6 the transports work OBFS3 and OBsF4 are the only transports working? I tried this from a few addresses the last was public IP 63.92.230.41.

August 05, 2016

Permalink

nice

August 05, 2016

Permalink

The Tor Browser ( 6.0.2 ) keeps on crashing on MAC ox ( 10.11.6 ) i can't visit a site for more than 1 minutes before it crashes and have to restart , i recently updated ( 6.0.3 ) but nothing change I'm having the same problem

August 05, 2016

Permalink

Hello,

I asked this question recently, but you seemingly overlooked it, so I will try again.

I cannot access a website with Tor and wish to enquire if you know why. It is a forum for techniques that enable skin growth. Here is the link:
http://foreskinrestoration.vbulletin.net/

Please publish this query as your help would be very valuable to me. I desperately need to use the forum again via Tor (for personal nature of the content).

Thank you.

August 05, 2016

Permalink

Immediately after update to 6.0.3, bridge connections all fail within minutes and logs fill with "Giving up on marked_for_close conn that's been flushing for 15s" messages. Also and more troubling (perhaps related) after closing the browser as gracefully as possible (tor has now been crashing, causing the browser to freeze) its processes and those of the transports always appear to remain resident.

August 06, 2016

Permalink

I don't think there isa general thread so I'm posting this here.

I found the following article from:

https://thehackernews.com/2016/07/tor-anonymity-node.html

"Another blow to the Tor Project: One of the Tor Project's earliest contributors has decided to quit the project and shut down all of the important Tor nodes under his administration.
Lucky Green was part of the Tor Project before the anonymity network was known as TOR. He probably ran one of the first 5 nodes in the TOR network at its inception and managed special nodes inside the anonymity network."

What will this mean for the many (grateful) users of TOR?

Thanks

Probably not much; maybe some slight slowdown, but that quote is sensationalizing it. There's a thread in the Mailing List archive that you can look up, which was probably where The Hacker News found out about it in the first place.

This is part of the reason why I don't read them, along with their dumbing-down of everything to the point that they butcher the concepts involved.

August 06, 2016

Permalink

I am using Windows. When I start the browser I see a black strip across the bottom (underneath the NoScript banner). This black strip only disappears if I maximize the browser.

I also get inconsistent browser resolutions. For example I usually see a browser window that has a short height, but if I maximize first and then create a new window or new identity then the new window has a a longer height. I believe this problem is tied to the screen resolution that I am using (but I'm not sure what is causing the problem of the black strip across the bottom of the browser which I described above).

These problems already existed in previous versions.

August 11, 2016

In reply to gk

Permalink

Related to this I have long been wondering whether there is a default browser window size and an effective way (short of dragging corners and measuring) to invoke it.

August 06, 2016

Permalink

Little bit off-topic but bad crypto on MSWindows:

"we present a new technique for hiding malware (encrypted and unencrypted) inside a digitally signed file (while still keeping the file with a valid certificate) and executing it from the memory, using a benign executable (which acts as a reflective EXE loader, written from scratch). Our research demonstrates our Certificate Bypass tool and the Reflective EXE Loader."

August 06, 2016

Permalink

Question on Tails 2.5:

Tails 2.5 is from August 2, 2016.
libc -very essential- has a very big and important patch on August 4,2016.

Is this a problem?

1. Link to above:
https://www.sourceware.org/ml/libc-alpha/2016-08/msg00212.html

2. Updatemechanism in FreeBSD vulnerable to Man-in-the-middle
attacks.
Linux, too(?).
https://github.com/libarchive/libarchive/issues/743
"We have other documents, dated 2014 and 2015, detailing attacks against the update systems of multiple Linux distributions and the corresponding defenses against "the adversary.""

August 07, 2016

Permalink

greets

this version of TBB is crashing browsing the average popular web sites.
i dont mean to complain and appreciate the hard work gone into TBB but this seems to be a basic firefox stability issue?!

Mr Blue

August 07, 2016

Permalink

Where to get Tor version from Tor Browser?

  1. <br />
  2. $ ./Browser/TorBrowser/Tor/tor --version<br />
  3. ./Browser/TorBrowser/Tor/tor: symbol lookup error: ./Browser/TorBrowser/Tor/tor: undefined symbol: evutil_secure_rng_set_urandom_device_file<br />

Browser -> Menu -> About -> (Nothing about Tor version).

This press release -> again nothing about Tor Version.

And https://trac.torproject.org/ does not work (Connection refused).

Please fix!

Starting with `./start-tor-browser.desktop --debug` in your terminal should be enough to see the tor version there.

August 08, 2016

Permalink

With this release I've noticed that Tor periodically stops running and has to be relaunched, which it does without closing any of the windows. I don't know whether this is a bug. It's random. Never happened with any of the previous releases I've used. There are no steps to reproduce it.

There's definitely something wrong with this release. In addition to the above, now Tor browser gives me a message that 'Your Firefox is out of date. Please download a fresh copy'. Yet obviously the Tor browser itself is up-to-date.

Any comment on these anomalies?

August 10, 2016

Permalink

Im using Torbrowser 6.0.3. Today suddenly a yellow bar located under the url and above the website area showed up when i startet Torbrowser and said, that firefox is outdated and i have to update it, but when clicking on the update button the tor website with version 6.0.3 (which i already have) shows up. What to do ?

August 10, 2016

Permalink

Linux UBUNTU 14.04
Tor 6.03
11-7-2016

https://abu-pessoptimist.blogspot.nl/--> -->

https://abu-pessoptimist.blogspot.de/

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.
-----------------------------------------------------

I changed nothing in configuration of TOR

August 11, 2016

Permalink

"Your Firefox is out of date. Please download a fresh copy." Should I update Firefox or not?

August 11, 2016

Permalink

"We are working on a fix as past as possible and hope to get Mozilla to exempt Tor Browser users from this feature" - yep, as past. Nice attempt from Mozilla to raise attention that Tor Browser really uses outdated by security features Firefox which needs to be updated.

August 11, 2016

Permalink

'About' shows I'm now on TBB v6.0.3 (based on Mozilla Firefox 45.3.0) but, for the last day or two, I get a banner with 'Your Firefox is out of date. Please download a fresh copy.' and an embedded 'Get Firefox' button that takes me to the main TBB downloads page, offering me a fresh download of this same current version.

August 11, 2016

Permalink

For the last day or so, every time I launch TOR, I get a message to say that my Firefox is out of date (I am using TOR 6.0.3). When I click on the download link, I get the same 6.0.3 that I am already running. Or I THINK it is the same...

A bug or what? Please advise.

Thanks

August 12, 2016

Permalink

Please help.
I'm using TBB on Linux and this version (6.0.3) shows me a message saying "Your Firefox is out of date. Please download a fresh copy". I thought something went wrong during an update, so I deleted the folder and extracted a newly downloaded version to a new one, but now after a browser restart, the problem appears again. How come no one has mentioned it yet?

August 13, 2016

Permalink

To: Tails developers

I refer to the security vulnerability discussed on the page whose URL is https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5696

According to the page, it states: net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.

Would you be rolling out an updated version once Debian has issued a patch for it?

August 13, 2016

Permalink

Hi,

my 6.0.3 Tor Browser gives a Message "Your Firefox is out of date. Please download a fresh copy."

Is this normal? Tor is up to date when I check it with "Check for Tor Browser Update...."

Thanxs.

August 13, 2016

Permalink

Is NSA censoring these comments? I had a question regarding a bug in this version and it hasn't been approved.

August 13, 2016

Permalink

"Sorry. You are not using Tor."

These ip addresses seem to keep interfering with Tornetwork on a frequent basis, 104.156.228.156, 108.61.226.16, 209.95.50.25, 104.200.154.73, 108.61.123.66, 172.98.67.97 .
Would it make sense or is it possible to block redirects to these non Tor circuit ip addresses?

Thank you very much for Tor!
But the latest version doesn't work in China.

How did you manage to arrive at this page to post your feedback?

I tried another software. I have more than 5. If one fails then switch to another one. But I want to keep Tor in my arsenal and expect it to work.

the error message:

Tor failed to establish a Tor network connection.

Establishing an encrypted directory connection failed (done - 0.0.2.0:3).

sometimes it's 0.0.2.0:2

August 14, 2016

Permalink

I just installed a clean version of tor and when trying to access it I received this message, mind you I am not using a proxy and am able to access the internet without tor, so I don't understand how to fix this, I have never had this problem before this version...please help! Thank you in advance.

PS USING TOR 6.0.3

8/13/2016 16:09:09 PM.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
8/13/2016 16:09:09 PM.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
8/13/2016 16:09:09 PM.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
8/13/2016 16:09:09 PM.400 [NOTICE] Opening Socks listener on 127.0.0.1:9150
8/13/2016 16:09:09 PM.500 [NOTICE] Bootstrapped 5%: Connecting to directory server
8/13/2016 16:09:09 PM.700 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
8/13/2016 16:09:10 PM.100 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
8/13/2016 16:09:10 PM.200 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
8/13/2016 16:09:10 PM.300 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus
8/13/2016 16:09:10 PM.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus.
8/13/2016 16:10:11 PM.300 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no recent usable consensus.
8/13/2016 16:11:12 PM.600 [WARN] Received http status code 404 ("Not found") from server '91.121.23.100:8001' while fetching "/tor/keys/fp/585769C78764D58426B8B52B6651A5A71137189A".
8/13/2016 16:12:17 PM.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
8/13/2016 16:12:17 PM.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
8/13/2016 16:12:17 PM.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
8/13/2016 16:12:17 PM.500 [NOTICE] Delaying directory fetches: DisableNetwork is set.

August 14, 2016

Permalink

I keep getting this: 'Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system, or faulty hardware.'

Is this a bug? Any suggestions how to deal with it or is it just a matter of waiting until the next release?

I did make one change to Tor. I added the 'Mozilla Archive Format' add-on. Could this possibly be causing the problem? I can't imagine why it would though. I suspect a bug, but it doesn't appear that anyone else is mentioning it.

August 15, 2016

Permalink

this new version screwed up my ability to log into one of my webmail accounts, I suspect something is whacked with one of the plugins such as maybe the NoScript or possibly with Java scripting options that got fouled up when you pushed this download onto my machine and hozed up my ability to use one of my accounts due to this.

btw, this happened on a WINDOZE box as well, I am on Xubuntu currently, latest version.

between the graphics instability which really bites, and this, I'm just about ready to quit using TOR altogether because now of all things, the a$$holes in RU are now blocking the use of it more aggressively and somehow or another they have the ability to watch all nodes going thru their hardware and then blast the user with a big fat warning message I'd prefer not to read again.

thanks for making a very very unstable product even worse guys! really!

August 23, 2016

In reply to gk

Permalink

only the clean version 6.0.3 was not working, however I discovered the clock on my laptop was a day behind so when I reset clock day and time everything is working now...and than there is new version 6.0.4 is working great now!! Thank you tor!

Is there any need for such a rant?

The TOR developers are doing a great job. The vast majority of people are using it OK. If you are not able to use it - as we are doing - why don't you try reformatting your hard-drive and reloading everything - instead of just automatically blaming TOR.

Stop using TOR. Who will care? Only YOU.