Tor Browser 6.5a2 is released

by boklm | August 3, 2016

Tor Browser 6.5a2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates firefox to 45.3.0esr and contains the improvements that went into Tor Browser 6.0.3. Additionally, Tor is updated to 0.2.8.5-rc, the default search engine has been switched to DuckDuckGo, resource URLs are blocked to avoid fingerprinting.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Here is the full changelog since 6.5a1:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Tor to tor-0.2.8.5-rc
    • Update Torbutton to 1.9.6.1
      • Bug 19689: Use proper parent window for plugin prompt
      • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
      • Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
      • Bug 19273: Improve external app launch handling and associated warnings
      • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19417: Disable asmjs for now
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
    • Bug 19273: Write C++ patch for external app launch handling
    • Bug 16998: Isolate preconnect requests to URL bar domain
    • Bug 18923: Add script to run all Tor Browser regression tests
    • Bug 19478: Prevent millisecond resolution leaks in File API
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
    • Bug 19735: Switch default search engine to DuckDuckGo
  • Windows
    • Bug 19348: Adapt to more than one build target on Windows (fixes updates)
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19276: Disable Xrender due to possible performance regressions
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined
  • Build System
    • All Platforms

Comments

Please note that the comment area below has been archived.

August 03, 2016

Permalink

When cancelling a request for chrome://browser/skin/preferences/in-content/favicon.ico because the inner window was destroyed or a new favicon was loaded for it, it was already canceled! PlacesUIUtils.jsm:109:0

August 03, 2016

Permalink

controlPort >> 250-ip-to-country/62.210.178.177=fr
circuit visualizer: 31.220.43.190
ip-check.info: 108.61.166.135 (You're not using Tor!)
What's going on? (and page loading is very slow)

August 03, 2016

Permalink

Previous builds would have a dark background with simple controls for video or audio playback. There are no longer visible controls for video/audio, just a blank white background, and I cannot view statistics or seek. Same behavior from local files [mp3/4].Is this change intentional? I did not change any configuration. thx

Videos are now playing in original size (with sliders if bigger than window). Videocontrols functionality is partly broken (in that cases when it's possible to invoke controls by some tricks). PageInfo is not affected.

August 04, 2016

In reply to dcf

Permalink

thanks for looking into this dcf, I thought it may have just been me.Image display also seems to be affected; I've only tried .jpg & .png so far.Image is on white/blank background, not centered & in the Inspector UI's CSS pane [Rules:element {shrinkToFit} does not seem to be available or is a bit wonky, in addition to other styles], no magnifying glass icon (however zoom does work).I'm sorry if this isn't quite clear, as I'm closer to a novice than the rest of you, but I felt that smarter people should know, since this could also be related.
thx again

August 03, 2016

Permalink

I've got a problem with the click to play for flash (which I need for some sites - and I know of the privacy problems with it), which doesn't work in 6.5a2 like it did in 6.5a1. When visiting e.g. http://www.techno4ever.fm/flashplayer/main.html I'm not getting asked to activate the plugin. When I chose to enable flash always (which is ugly and dangerous ^^) it's working again. Any ideas? Using the Windows version.

August 04, 2016

Permalink

I ran this alpha on Panopticlick. Got a 1 in 61 rating. I haven't seen a rating that good on a unstable or stable Tor Browser in a long time.

You realize that Panopticlick is extremely inaccurate, right? It's just used to show how fingerprinting works in theory, but it's not meant at all to tell people how protected they are from fingerprinting. Not only does it only take into account a minuscule fraction of fingerprinting vectors, but its user base is far from a representative sample of internet users. You're likely so low because Tor Browser users make up an abnormally high proportion of people connecting to Panopticlick. Do you really think that 1 in 61 people are using Tor Browser on Wikipedia or Google? I believe that 1 in 61 people are using an up to date Tor Browser on Panopticlick, because, like you, they go there all the time to naively check if they have a large web fingerprint.

You haven't seen that good a rating in a long time because there haven't been a lot of people who have been visiting that site in a long time. And Panopticlick does not even check for favicons, so the favicon fingerprint fix would not even register on the Panopticlick website.

If you want a good website to check how easy you are to fingerprint, try something like http://browserleaks.com/ instead. You will have to interpret the results yourself though, because, of course, it will be impossible for a website which is visited almost exclusively by privacy-conscious people to collect a representative sample of the web.

August 08, 2016

In reply to gk

Permalink

So, you don't mind that it advertises h2, spdy/3.1 and only then http/1.1 - it can increase connection time up to 3x.

August 11, 2016

Permalink

Window resizing has become wonky. The first couple of times I used 6.5a2, all was normal. Now when I change magnification (e.g. ctl + or ctl -) and then resize the window, the magnification reverts to default. I changed the default font size, and that works as expected. Resizing the window now goes in coarse quantum steps, maybe a centimeter or two per step.

August 12, 2016

Permalink

Sorry. You are not using Tor.

Your IP address appears to be: 108.61.123.88
What is this can anyone help?

August 26, 2016

Permalink

8/26 layout of every page is messed up after restarting browser. I can't even see the panel which should be on the right-hand side containing links on this blog.

August 29, 2016

In reply to gk

Permalink

I was trying to avoid shutting down the computer since I was working on some projects that couldn't be saved at the time; re-boot didn't help so I performed a fresh install, as you suggested & it worked. Closed and restarted the browser a few times, and the same issues returned. After wiping the directory & re-installing from the installation .exe a couple times (directory was already in use) , it began to work normally. Not sure what it was, but thank you for the suggestion.

August 27, 2016

Permalink

I made a comment a couple days ago that hasn't shown up yet, stating that even the recent blog posts links on this page weren't displayed. That was incorrect. I now see them at the bottom of the page. Layout on every page is still weird, however. When is the next update coming, and will these issues be fixed?

August 28, 2016

Permalink

The ever-present captcha is not appearing, which somehow sucks even more since every other goddamn site is hosted on cl0udflare nowadays.