Tor Browser 6.0.6 is released

by boklm | November 15, 2016

Tor Browser 6.0.6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release is updating Firefox to 45.5.0esr. Moreover, other components got an update as well: Tor to 0.2.8.9, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.1u.

We fixed a lot of usability bugs, some caused by Apple's macOS Sierra (meek did not work anymore and windows could not be dragged either). We moved directly to DuckDuckGo as our search engine avoiding a roundtrip to Disconnect.me first. Finally, we added a donation banner shown in some localized bundled starting on Nov 23 in order to point to our end-of-the-year 2016 donation campaign.

Here is the full changelog since 6.0.5:

  • All Platforms
    • Update Firefox to 45.5.0esr
    • Update Tor to 0.2.8.9
    • Update OpenSSL to 1.0.1u
    • Update Torbutton to 1.9.5.12
      • Bug 20414: Add donation banner on about:tor for 2016 campaign
      • Translation updates
    • Update Tor Launcher to 0.2.9.4
      • Bug 20429: Do not open progress window if tor doesn't get started
      • Bug 19646: Wrong location for meek browser profile on OS X
    • Update HTTPS-Everywhere to 5.2.7
    • Update meek to 0.25
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
    • Bug 19838: Add dgoulet's bridge and add another one commented out
    • Bug 20296: Rotate ports again for default obfs4 bridges
    • Bug 19735: Switch default search engine to DuckDuckGo
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
  • Windows
    • Bug 20342: Add tor-gencert.exe to expert bundle
  • OS X
    • Bug 20204: Windows don't drag on macOS Sierra anymore
    • Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
  • Build system
    • All platforms

Comments

Please note that the comment area below has been archived.

November 15, 2016

Permalink

When I click "Restart Tor Browser to Update" it fails:
"Software Update Failed"

Running on Fedora 23.

November 15, 2016

Permalink

will it be more or less protected using tomoyo/apparmor/another similar tools ?

Those will protect from unintended or malicious filesystem access and resource usage, so more or less, sure. An attacker can still call arbitrary syscalls even when using a MAC like AppArmor, TOMOYO, etc. A kernel vulnerability can be used to bypass those protections if one is known to the attacker. You would have to use Seccomp to protect from that, but it requires much more configuration than a MAC. Chrome/Chromium uses Seccomp-BPF to sandbox its processes. Hopefully one day Firefox/Tor browser will be able to do the same. Mozilla wants to, but it's taking a long time.

Note that a MAC and Seccomp are both separate from the browser. The browser doesn't have to be configured to use them, except maybe for rules (Firefox rules, if available, should probably work on Tor Browser). Tor Browser could be run under seccomp using a small wrapper program (or even systems --user, see systems.exec(5)), and maybe a small LD_PRELOAD shim, if you are willing to enumerate all the system calls that it will need for your particular use case. At a minimum, you could most likely block all 32 bit system calls on 64 bit Firefox, and cut the attack surface roughly in half. The exec(2) family of syscalls might be the most important ones on any platform, and really could be blocked for almost all use-cases. Being that Firefox is cross-platform, I doubt that it uses many syscalls directly.

But this is a very tedious situation, and it would be ideal to have something specific to the Tor Browser that can configure seccomp and other security mechanisms automatically and precisely. Luckily, Tor Project developers are already thinking about it: https://blog.torproject.org/category/tags/sandbox

You can use Tor Browser with Seccomp via Firejail, like this:

  1. <br />
  2. $ cat /etc/firejail/tor-browser.profile<br />
  3. noblacklist ~/.tor-browser-en<br />
  4. include /etc/firejail/firefox-esr.profile<br />
  5. whitelist ~/.tor-browser-en</p>
  6. <p>$ firejail --seccomp --profile=/etc/firejail/tor-browser.profile /usr/bin/tor-browser-en<br />

>Seccomp via Firejail
I thank you very very much for this tip (almost perfect : one of the torproject is torsanbox). That is solves one problem but i have still the second : adding a mac protection.
- SE is not for me (it is not my cup of tea).
- AppArmor is buggy after updating or tweaking the .conf:files.
- Tomoyo is very interresting.but will it protect a Torbundle folder (a short link is included and tor must not be run as root) and openvpn files (login & password are mine) put in my :
home/document/[TBfolder] ?

How to configure a Tomoyo mac protection for these particular files/folders ?

November 15, 2016

Permalink

AudioContext Fingerprint

AudioContext fingerprint is a property of your machine's audio stack itself. If you choose to see your fingerprint, we will collect the fingerprint along with a randomly assigned identifier, your IP Address, and your User-Agent and store it in a private database so that we can analyze the effectiveness of the technique.

AudioContext Fingerprint Test Page
https://audiofingerprint.openwpm.com/

November 20, 2016

In reply to by Anonymous (not verified)

Permalink

I had tor & onion on an old android device. When govt stepped in, they blocked it in settings. I haven't used it for about 3 mos; however I am still paying 9.99 a month on a credit card. I now have access to this iPad and would like to restart my old account. The problem is I am not very computer savvy and need some help. Could you guide me through it?

On your Android device, uninstall the tor&onion that is charging you 9.99, and install Orbot and Orfox, by searching them on Google Play (easiest) or...
...getting FDroid at https://f-droid.org and enabling GuardianProject repository(ask a techie friend to help if you do it this way. It's safer bit requires more clicks to aet it up).

Legit Tor and Tor Browser (on Android it's called Orbot and Orfox) will never charge you anything.

That device is pretty well shot. I tried to uninstall but keep getting charged. I could probably just install it on this iPad but I don't want to overpay. 10 bucks from.the old then 15 for this. I have the Italian disease.... Funds allow...yuc, yuc!

November 15, 2016

Permalink

Why does the auto-updater not even check for available disk space before attempting the update? This is the third time the auto-updater has failed to update and left a non-working install, riddled with ".updated" files, which however are useless in trying to get back to the previous, working, setup. So, why litter the drive with these useless files if reverting back to the previous version is impossible anyway? How do I get my setup back to working now? Do I really have to disable auto-update to keep this from happening?

Not sure about checking the available disk space question. What operation system are you using? I think if you don't have enough disk space for getting the update applied automatically, then, yes, disabling the auto-updater seems to be a better solution for you.

I have set TBB to clear everything on exit, but the remainder of the system keeps filling up the drive over time or even temporarily (other program's caches for example). And because TBB-updates are only announced _after_ they have been applied (and possibly failed) when auto-update is enabled, it is not possible to make room for the update beforehand. Obviously that is the way "auto-update" is supposed to work, but a basic sanity check before starting a procedure that
1) is irreversible
2) may leave the system in an unusable state
3) has no straightforward method of reverting to the previous state
is good practice (and IMO mandatory).

I ended up downloading the full installer, unpacking it and then locating and copying over the entire profile from the damaged install. I hope that this didn't compromise the anonymizing functionality of the TBB (seems to work OK).

Well, thanks for the update, anyway, now that it's running!

November 15, 2016

Permalink

Hi Team, some YouTube videos only plays the audio part. Already downloaded fresh copy. I'm on Trisquel 7 x32. Works fine with Abrowser with all extensions and plugins disabled. Thanks..

November 15, 2016

Permalink

"We moved directly to DuckDuckGo as our search engine avoiding a roundtrip to Disconnect.me first."

Not working here. Doesn't even redirect to DDG anymore.

Does it work in a freshly downloaded bundle for you? What happens if it does not redirect to DDG anymore? What operation system and locale are you using?

November 16, 2016

In reply to gk

Permalink

Does this TBB, 6.0.6, contain the ESR that switches to search.json.mozl4?
The old searchgengines (in omni.jar I think i have read) should carryover? Unless TBB 6.0.6 explicitly deals with obsolete ddg searchengine?

Whichever is happening, I'd try this:
In old profile, save copies of pref.js and export bookmarks.
Shutdown TBB.
Empty profile location.
Startup TBB which should let TBB generate new profile?
Import the bookmarks
Shutdown.
Copy your saved prefs.js over the freshly generated prefs.js
Startup TBB and try DGG to check if it works.

Do you really want DDG anyways? Cloudflare doesn't let anyone read anything anonymously. The only advantages to DDG are it has a .onion version(so less reliant on certificate authorities) and that it doesn't use Google.

https://ixquick.com/ and https://startpage.com/ use Google but all Google knows is that a request came from ixquick. Isn't that worth it to read articles censored by cloudflare? Just click "proxy" in search results and you can read. Some sites block https://archife.org/web/ but none block ixquick's/startpage's ever-changing proxies.

I've used startpage as my only search engine and without scripts. It rarely lets me down. Anything that involves the root "cloud" I stay away from, and I am glad I am not a meteorologist, or a pilot. The wider the web the narrower it has gotten for some of us. Altering an old saying, "if it is not written in plain HTML chances are you don't need it or can live without it". But I only wish this was true, as people these days instead of writing down something they find it easier to say it in front of a camera and upload it to utube.

November 15, 2016

Permalink

There was a problem checking for, downloading, or installing this update. Tor Browser could not be updated because: Failed(unknown reason)

on Windows?

In the FF 3.5 era, I saw that error. A proxy such as some anti-virus might cause this.
On the other hand, TB is "portable" and possibly the anti-virus scanner installs its proxy extension only into browsers that formally install themselves. (Antivirus installer later finds browser installer registry values)

November 15, 2016

Permalink

works fine here thanks!

OT: some sites aks for html5 canvas. i always want to decline it is there a way to do this automatically für all sites? thanks

Goto about:config and set javascript.enabled to "false". You should do this anyways, unless you like viruses. For non-accessibility-com-liant websites made by sub-human trash that require javascript for no reason other than to tryd to get everyone hacked, just use view-source to read their content.

As suggested, I went to about:config and set javascript.enabled to "false" whereby I noticed, however, that there be also the following two settings pertaining to javascript within about:config,,,:
capability.policy.maonoscript.javascript.enabled;allAccess
and
services.sync.prefs.sync.javascript.enabled;true

Is it correct to leave those setting unchanged? Or should those settings also get toggled to "false"?

Btw I am using Linux at this desktop (LinuxMint 17.3 freshly updated) and the new (freshly updated) Tor Browser 6.0.6

Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

November 15, 2016

Permalink

I must admit I am getting fed up of Tor 'unexpectedly exiting' for no apparent reason, in Windows 7 at least. This fault has been dogging Tor for the past three or so versions. It never used to happen. Tor used to remain connected all the time, now it will 'unexpectedly exit' up to ten times a day. Can someone look to see what changed that might cause this? Or is Windows 7 just no good for Tor any more? Naturally I'd like to hear whether anyone else is experiencing this. If it's just me then I can't imagine why it is happening, nothing new has been added so far as I know that may conflict with Tor.

Could you get more information regarding what is causing the unexpected exit? So far, we have not heard many such reports and without further information it is hard to debug it. Can you reproduce the problem? Do you have an antivirus/firewall software you could uninstall to check whether that one is interfering?

November 16, 2016

In reply to gk

Permalink

Might also try running a fresh unzip of TBB, for as many hours it takes for the current TBB to crash.

November 16, 2016

In reply to gk

Permalink

I can't reproduce the problem. It's not antivirus or firewall interfering as far as I can tell. It happens most often when I have gone away from the computer or Tor a bit, although it has also happened when I have been using Tor, just more rarely. As I say, about three versions back it never happened, and I haven't changed anything since then so far as I know. I can't say what may be causing it, but it seems like a problem in Tor itself. But if no-one else has reported 'unexpected exits' in Windows 7 then I suppose it must be something my end, but no idea what.

Nobody should use Windows or Mac for anything. It is irresponsible to, because the NSA requires them to be easy to hack, and even if you don't care about your own information being stolen, you should care about China and Russia using the same backdoors, making your computer part of a botnet, and using it to DDoS democracy-promoting websites such as WikiLeaks and Reporters Without Boundaries.

The very minimal to be reasonably secure is a microkernel. They aren't all slow like Tanenbaum's "Minix".
QubesOS and GenodeOS are much better. Even SubgraphOS and Trisquel are far superior to Windows and Mac.
QubesOS is good enough for people like me who don't have a PHD in information security and just want to avoid being part of the problem.
Also, please support Coreboot and Libreboot by making your next laptop purchase a Librem or at least something with open firmware like Chromebook.

There's a lot you can do to track down the issue, but one of the simplest is run the Tor Browser in a terminal (command prompt) and post the output on the Tor stack exchange, IRC, in a comment here, or (if you identify a reproducible bug) on the bug tracker.

I don't know Windows, but on Linux you would open a terminal and run
./tor-browser-en_US/Browser/start-tor-browser > tor.log 2>&1
... use the browser until it crashes, then open the "tbb.log" file in a text editor. I assume the process is fairly similar on Windows. Alternatively you could use Tails or switch to Linux ;-P

Out to tor.log and open tbb.log? Lol.
Your terminal sucks more than Windoze ;-P
You offer to use Tor Browser for Windows on Tails or Linux... Rofl.

Use QubesOS for a few easy, idiot-proof GUI experience while still being reasonably secure. All computers with Windows are infected and need reformatted.

Yes I mixed up 'tor.log' and 'tbb.log', and of course anyone who accidentally substitutes one arbitrary temporary filename for another must have no clue what they're talking about or how to troubleshoot a program crash ;) sarcasm aside, thanks for pointing that out especially for the OP.

And this about offering to run TBB for Windows on tails or Linux... I never said the "for Windows" part. The wink-toung was intended to mean "that's my suggestion, but use whatever OS you want." If I say anything more on this I would probably be feeding the troll.

If you use TAILS it is always better than Windows, but it's meant for public computers. Own your own computer install QubesOS, then you can run TAILS inside QubesOS for reasonable security.

November 15, 2016

Permalink

When you will configure Tweetdeck.com so we can login on TOR.
Right now its not working and we are not able to login into tweetdeck.com on TOR browser.
Please Help.

That means you're infected with "Windows".
To remove the infection, installing "QubesOS" is the most user-friendly option that is still reasonably safe.

November 15, 2016

Permalink

When will tor messenger stable be released.
Thank you' tor community for the hard work.

November 16, 2016

Permalink

Здравствуйте. Я не знаю английский но очень хочется спросить - в Твиттер выхожу через ваш браузер и почему то при репостах нелециприятных новостей по России сайт начинает "зависать" и требовать обновления страницы,и так постоянно! Это говорит о взломе спецслужбами РФ вашего браузера?

November 16, 2016

Permalink

THANK

November 16, 2016

Permalink

Good job, thanks a lot. But regrettably there is a flaw in the new update.

"We moved directly to DuckDuckGo as our search engine avoiding a roundtrip to Disconnect.me first.". <<---- It doesn't work in Debian. All searches are still redirected from Disconnect.me to DuckDuckGo. Please check and fix it.

Did you test with a fresh Tor Browser or after auto-updating from a previous version? If the latter, then this is expected. The "problem" is the default search engine is cached in your profile directory and we don't touch that directory (apart from updating the extensions we provide) as we don't want to mess with user data. The relevant file is search.json.mozlz4 in Browser/TorBrowser/Data/Browser/profile.default.

One could think about "Don't write that information to disk in the first place", though. It, however, remains to be seen if and how the search functionality would break in this case.

November 16, 2016

In reply to gk

Permalink

Yeah, done. It works properly now. Thank you so much! Cheers............

Do you really want DDG anyways? Cloudflare doesn't let anyone read anything anonymously. The only advantages to DDG are it has a .onion version(so less reliant on certificate authorities) and that it doesn't use Google.

https://ixquick.com/ and https://startpage.com/ use Google but all Google knows is that a request came from ixquick. Isn't that worth it to read articles censored by cloudflare? Just click "proxy" in search results and you can read. Some sites block https://archife.org/web/ but none block ixquick's/startpage's ever-changing proxies.

Use video download site,

or check noscript whitelisted domains.
I think there are three domains to play YT videos.
I think that also www.google.com must be whitelisted to show comments (though ugh, YT comments are often best hidden)

It's irresponsible to enable javascript anywhere; https://labs.bromium.com/2014/02/21/the-wild-wild-web-youtube-ads-servi…
By letting China and Russia put your computer in a botnet, you are helping them make DDoS attacks against democracy promoting websites such as WikiLeaks and Reporters without Boundaries.
Goto about:config and set javascript.enabled to "false".
To watch youtube without dangerous ActiveX or JavaScript, just copy&paste the YouTube link into http://keepvid.com or https://keepvid.jp or savefrom.net to get the mp4/m4a/mp3 without running or installing untrustworthy code.
Also, not required, but recommended, is to replace Windows with the easy-to-use-but-still-reasonably-secure QubesOS.

Don't run Javascript!

Use youtube-dl on either your Linux, Mac or Windows desktop to download it, and then view it.

This program will also work on several other video streaming websites like Daily Motion, Vimeo, BBC iPlayer, Vid.me, LiveLeak, MetaCare and Lynda.

Music streaming sites supported include: Soundcloud, 8tracks, Bandcamp, Beatport, Deezer, AudioMack, EveryonesMixtape, Myspace, Freesound and Hearthis.at

https://rg3.github.io/youtube-dl/

Best case scenario:

1. Run QubesOS
2. Install youtube-dl from the Debian repos in the applicable Whonix-Workstation template:

sudo apt-get install youtube-dl

3. Create a separate Whonix-Workstation AppVM just for downloading videos
4. Download cr*p from Youtube via the Tor network e.g.

youtube-dl https://www.youtube.com/watch?t=4&v=BaW_jenozKc

Note: download later versions of youtube-dl from testing repos if it fails to download; Youtube are a finicky bunch who don't like workarounds.

5. Move file to an offline Debian AppVM with no networking entitled 'Youtube c*rap'
6. Use quality open source media player (VLC media player) to watch video unmolested by creepy Google freaks who want to profile you
7. Frustrate governments who want to know every cat video you watch as part of their bulk personal data-sets
8. Shred file when finished

Win-win-win

November 16, 2016

Permalink

"We moved directly to DuckDuckGo as our search engine avoiding a roundtrip to Disconnect.me first."

It doesn't work in macOS Sierra 10.12.1. All searches are still redirected from Disconnect.me to DuckDuckGo.

See my reply above: This works on fresh Tor Browser 6.0.6 but if you upgrade from earlier versions you either have to set the the default search engine manually or delete the cached search settings in your profile folder.

November 16, 2016

Permalink

I'm on Mac OS X 10.10.5 (yosemite)
Until today I used Tor 6.0.5. Perfect, never one problem.
Since the upgrade 606, Tor quit immediately on start. Clic on restart, quit, restar, quit…
I tryed to instal an older version but it quit anyway.
Now I use Tor 555, no one 6 version work.
What is wrong ?

November 17, 2016

In reply to gk

Permalink

Hereafter the message (I try to rewrite because it is not possible to copy it)

"Tor Launcher

Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your systeme, or faulty hardware. Until you fix the underlying problem and restard Tor, Tor Browser will not start.

Button "OK" and button "Restart Tor"

Did you happen to test an alpha version of Tor Browser recently? The symptoms look like that. What happens in this case is that your stable Tor Browser is using the same browser profile than the alpha one but both are not compatible at the moment.

You can avoid that problem by removing the old TorBrowser-Data folder in your Library/Application Support directory (which is in your home directory) before starting a new 6.0.6. See https://trac.torproject.org/projects/tor/ticket/20300#comment:8 for some help on how to find this folder.

If you did not use a Tor Browser alpha recently it would be super helpful if you could help us debug this problem. https://trac.torproject.org/projects/tor/ticket/20300#comment:11 has some instructions and we would be very glad to see the debug output.

Thanks!

November 16, 2016

Permalink

thank

November 16, 2016

Permalink

Has this update been installed on my computer automatically?

I'm a senior citizen and unfortunately computer illiterate,so I had to ask this question.

If it wasn't automatically installed,then how do I install it?

Thank you.

If you start Tor Browser you should see "Tor Browser 6.0.6" in the upper right corner of your browser window. If you see an older version you have not updated yet.

November 16, 2016

Permalink

I'm STILL getting google 404 error, 403. That’s an error.

Your client does not have permission to get URL. How do i fix that? if it's fixable of course...

You mean 6.0.6? Which version did you use before? My first guess is your Antivirus/Firewall software is not liking Tor Browser anymore. Could you give us a more detailed error message?

November 17, 2016

In reply to gk

Permalink

Same problem.
Running WIN7 and AVAST, updated Windows prior to TOR update and TOR ran quite fine.
Updated to TOR 6.0.6 in the TOR browser and started getting "Can't load XPCOM" error.
Removed TOR, reinstalled from TOR site same error.
Installed Firefox browser runs just fine.
Removed AVAST still XPCOM error.
Removed TOR rolled back Windows updates and reinstalled TOR same error message.
Any information appreciated.
thanks for running TOR and keep up the good work.

Update on above.
I updated Win7 and Avast with out TOR installed.
Installed 6.0.6 Same Error "Can't load XPCOM"
Removed TOR.
Found a copy of TOR 6.0.5 which ran like a champion.
Shut down TOR 6.0.5 and re-opened TOR from shortut, Auto updated to 6.0.6 and error message re-appeared "Can't load XPCOM"
CJ

November 21, 2016

In reply to gk

Permalink

Does this help?
Description
Faulting Application Path: C:\Users\Christopher\Desktop\Tor Browser\Browser\firefox.exe

Problem signature
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 45.5.0.0
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 45.5.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 01efe89c
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 3081
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Extra information about the problem
Bucket ID: 1190358135

XPCOM errors are a sign of being infected by the "Windows" trojan.
Remove that malware by installing QubesOS and choosing a clean install. This is the absolute minimum reasonable computer safety.

November 16, 2016

Permalink

No script's drop down menus flicker out so you can't point at them successfully with the mouse

What is "normal button"? When you click on it the next set of choices appear and flicker out and then you can't click the next choice because they disappeared.

Hmm, the testcase where it appears was found, and it's actually not only a NoScript issue (webpage is constantly updating its content), but if you want you can report it to Maone's Forum. Does context (right-click) menu work for you?

Various entities have various blogs accessible at blog.torproject.org. Some of them, e.g. Tails and some TP employees, have chosen not to enable posting in their blogs. Others enable posting but lack time to repel all the spam, so many legitimate comments/replies are not posted. It's frustrating but when you consider all the things that a handful of TP employees are doing, and consider the seriousness of technical and political threats from governments such as the USG, China, Saudi Arabia, or Russia, you see that this issue is unavoidable just now.

Make sure cookies are enabled. Everhthing I posted here with cookies disabled never showed up. Blocking 3rd part cookies is omay though.

November 17, 2016

Permalink

The default list of web contents search engines are something to do with google or yahoo, do they send the privacy data to them?

November 17, 2016

Permalink

You can't take Tor Project seriously when they keep compiling it with OpenSSL instead of LibreSSL.

How many times have we been hit with OpenSSL vulnerabilities?

When is the Tor Project going to make the switch?

Patches welcome xD

I don't know if they've considered it yet, but if so I would bet it comes down to the fact that the developers already have a lot to do, and no one else has taken the time to do the migration and submit a patch. There also might be portability or other concerns holding up the process. IRC would probably be the best place to discuss it with the developers first, then possibly the bug tracker.

I share your frustration, but making a major change introduces the possibility of breaking Tor security in another way. So the proposed change is something to consider, and probably worthwhile if the devs conclude it can be done safely, but I doubt they have the time right now.

So many threats... sigh...

LibreSSL is a drop in replacement of OpenSSL, they share the same API.

The biggest differences are LibreSSL ripped out all the insecure bs from OpenSSL, and LibreSSL uses a standard memory allocator instead of the NSA induced customized OpenSSL memory allocator that was carefully crafted to bypass OS memory protection, allowing important information such as cert keys to stay in memory forever, exposing them to various vulnerabilities.

If you are new to Tor, you have to watch this LibreSSL video to understand how dangerous OpenSSL is:

Youtube search:
LibreSSL: The first 30 days, and what the Future Holds

November 17, 2016

Permalink

As far back as 2015, reports (some clear, others obscure) indicated that vulnerabilities were identified by various agencies w/in the US.

It went on to say that those vulnerabilities were exploited, and in fact are in the process (2016) of being classified as National Security software, therefore the code is not being released to the public domain.

One of the tenants of security software development and deployment is that developers usually need a second set of eyes on the effort. Basically because at times, developers are too close to the trees to see the forest. Fresh minds and fresh approaches are more likely to float areas the the originators simply didn't think of as they worked deep inside the application/function.

With the newest release (and perhaps prior ones) is the TBB more effective in removing or severely curtailing such hacks during our use of the TBB?

I sure believe in and support the TBB. I'm just curious to understand if this vulnerability has been remediated.

Thank you for your time and consideration.

November 17, 2016

Permalink

What the hell. Now DDG doesn't work at all. Yes, I deleted my previous install and installed 6.0.6 anew. Neither url-bar search or search-bar search (tls DDG nor .onion DDG) works. It did the first, fresh instance I used it. Then I renewed Identity and now all I get is this error message after being re-directed to DDG's standard search page:
"Oops, there was an error. Please try again."
"If it persists, please email ops@duckduckgo.com"
Either this is a universal problem at this moment on DDG's end or something was screwed up in the new Tor Browser search engine tweaks.

November 17, 2016

Permalink

I'm the person who commented about 6.0.6 DDG not working correctly. It seems the problem was on DDG's side. It now works as it should again. Thanks for your great work, Tor team!

November 17, 2016

Permalink

Im having trouble, i try to download it then Norton says "fewer than 5 users used this file", and it was recognized as "WS.Reputation.1", and removed.

If you have "Norton" or "McAfee" errors it means there is a big problem with your computer.
These errors mean it has "Windows" which is very bad for you and for everyone your computer can connect to.
For anyone who is tech-savvy enough to search for "QubesOS", it is easy enough to install. No command-line/terminal/complicated stuff. It will makd your computer much more safe for yourself and those it connects to than leaving "Windows" on it will.
Best wishes.

November 18, 2016

Permalink

I have updated today 18 NOV 2016 the TOR BROWSER to 6.0.6.version.

The McAFFE antivirus has detected four Trojans during the installation and deleted them.
Trojans have been detected as Artemis!39E8FB7DB6F9
Artemis!A8B534817E99
Artemis!EB71C6C55A6D
Artemis!5DEFB87498BC

File were on the Pluggable Transports folder
meek client ,
obfs4proxi
termianteproc.

Hi everyone,

Same happened to me but MCAfee only deteced one Trojan, named => Artemis!5DEFB87498BC,put in quarantine

+My Tor Browser do not functin as before. Can't get any Startup symbol. I have to reinstall Tor, every time/every day!?

I read about that Tor has spy-ware...but its the first time I've noticed it.

/Just saying...

My McAfee Security has also identified and quarantined the first
of the aforementioned Trojans:
Artemis!A8B534817E99
It was in the same location (meek.)
Is it advisable to manually search for the others? Also, what threat does this class of Trojans pose? The only information I found was that there are a multitude of them.
Most importantly, is it safe to use this this release that I downloaded?
I'm quite new at this stuff.

just the same here:
Artemis!5DEFB87498BC
Artemis!39E8FB7DB6F9
Artemis!A8B534817E99
Artemis!EB71C6C55A6D

Exact same issue here with McAfee AV detecting those same 4 Artemis Trojans.
I don't just want to assume they are false positives without some confirmation... Any news about this yet?

Thanks

That is very likely a false positive where your antivirus software is trying to outsmart us who are building Tor Browser from source and are making sure that the build result on at least two different machines is exactly the same.

November 18, 2016

Permalink

I discovered the same result as the poster above. Noticed this yesterday, after upgrading to the latest version. I believe it was 6.0.6.

It was detected as a trojan/trojan-like via McAfee's artemis heuristic engine. This was the detection: artemis!39E8FB7DB6F9

November 18, 2016

Permalink

On the Tor Browser home/about page it still says: "Search securely with Disconnect.me".

November 19, 2016

Permalink

Why does searching with DuckDuckGo direct me to their clearnet side instead of their .onion site now?

That did not change. Before you reached the DuckDuckGo clearnet site via Disconnect.me. Now, we save this round-trip and use DuckDuckGo directly. You still can choose the .onion version in your search settings, though.

November 22, 2016

In reply to gk

Permalink

Hello gk.
What are the downsides to setting DuckDuckGo at https://3g2upl4pq6kufc4m.onion/html/ as default search engine? It says that the certificate is for duckduckgo.com, isn't it safe to ignore that warning? Doesn't this require compromising the certificate authorities AND the hidden service protocol, whereas breaking duckduckgo.com just requires compromised CA?
I know I'm missing something. Any thoughts are welcome.
Have a good day.

The certificate is one issue. Then it is not clear to us whether the onion service would be able to cope with the load of search requests once it is used by default by all Tor Browser users.

November 19, 2016

Permalink

On a Mac OS transport meek-azure does not work and the transport FTE is stil mising.

November 20, 2016

Permalink

updated TOR and tried to log on but got message "your IP address is blacklisted." Never had this message before and don't know why my IP would be blacklisted. Anyone got the same message and if yes what did they do about it?

I, too, recently got that message about my IP having been blacklisted, though I have ever and still now use whatever DHCP address my ISP (Vodafon/Kabeldeutschland) allocates.

I did actually nothing (nothing effective, that is) about that. In the meanwhile, though, that message does not get shown and I am able again to browse the internet (apparently) normallly.

My impression has been, that either my email protesting the blacklisting of my ISP provided IP finally brought results or the problem simply got handled anyways after awhile. For awhile (over the weekend) I simply was not able to use the internet from this (LinuxMint17.3 running) desktop and saw myself reduced to only being able to surf using my Lenovo Thinkpad laptop (running Trisquel 7, freshly updated at every session start). I avoided the message there by using Firefox Nightly (also always freshly updated at every session start), which made it possible for me to send off that complaint emaill.

November 20, 2016

Permalink

Had the same issue when installing TOR 6.0.6. Got the ARTEMIS trojan warning from McAffee when I was installing the browser and when I scanned the TOR executable for viruses (McAffee).

I read online that this ARTEMIS might be a false positive. It's often triggered by heuristic analysis of files, but still...

November 20, 2016

Permalink

if tor connect gui starts before wlan0 in linux is connected, connection wont happen even if wifi does subsequently connect
wrote this code to start tor browser on boot only after wifi has connected distro is puppy linux but perhaps you caneven use the code somehow in the gui itself

  1. #!/bin/bash</p>
  2. <p>HIIP=20</p>
  3. <p>until [ $HIIP -lt 0 ]; do<br />
  4. echo -n " : HIone " $HIIP</p>
  5. <p> ifconfig wlan0>>/tmp/Test.txt</p>
  6. <p> RegExStr="addr:[0-9].[0-9].[0-9].[0-9]"<br />
  7. egrep -o $RegExStr "/tmp/Test.txt" > /tmp/Test2.txt<br />
  8. rm /tmp/Test.txt<br />
  9. while read p; do<br />
  10. TEST=${p}<br />
  11. done </tmp/Test2.txt<br />
  12. rm /tmp/Test2.txt</p>
  13. <p>echo -n "test is qnow" $TEST</p>
  14. <p> if [ $TEST ]; then tor-browser & exit<br />
  15. fi<br />
  16. let HIIP-=1<br />
  17. let X=20-$HIIP<br />
  18. echo -n " : HItwo" $HIIP<br />
  19. echo -n " :X is " $X<br />
  20. sleep $X<br />
  21. done</p>
  22. <p>exit 0<br />

it not elegant code but it serves it purpose

Anti viruses use very paranoid heuristics in an attempt to detect polymorphic viruses.
These heuristics are easy to overcome for anyone trying to overcome them, but any legit program that uses a slightly unorthodox build system gets blocked.
If you want to be secure there is no perfect solution, but here's a much better solution than running Windows with an antivirus;

Replace Windows with QubesOS(unlike what you hear about Linux, QubesOS doesn't require command lines, terminals, typing, wizardry, reading, etc. It has a simple, user-friendly GUI with very small learning curve).

If you get a virus in QubesOS, you just close the application and re-open it, and it automatically gets a whole fresh operating in under a second without you having to do anything. It's like running TAILS and restarting it every time you close a program, but it only takes a s-lit second to restart, and most important EASY TO JSE REQUIRING NO TECHNICAL KNOWLEDGE.
https://www.qubes-os.org/downloads/

November 21, 2016

Permalink

Using macOS Sierra 10.12.1, I`ve updated TorBrowser to 6.0.6. Everything works fine.

After that, I`ve updated the alpha version to 6.5a4. Everything works fine too.

But now I can`t open my 6.0.6. any more. When trying it, I get the following message:

"Tor wurde unerwartet beendet. Dies kann die Folge eines Fehlers in ihrer "Torrc"-Datei sein, ein Fehler in Tor, einem anderen Programm in ihrem System oder fehlerfafter Hardware. Bis die Ursache beseitigt wurde und Tor neugestartet wurde, wird der TorBrowser nicht starten."

Any idea? I´m sure that there isn`t a mistake in my hardware.

The problem is that the current alpha is using a feature that is not available in the stable series but both are sharing the same browser profile. Thus, until we fix that problem (e.g. by taking this into account the next time we design such a new alpha feature) you can either install the alpha and the stable into different locations (e.g. one into /Applications and the other on your desktop). Or you need to get rid of your profile in order to get the stable running again. I guess you installed Tor Browser into /Applications. Then your profile directory, TorBrowser-Data, should be at ~/Library/Application Support.

November 21, 2016

Permalink

If I reinstall the same 6.06 version on a Mac OS I get the message a newer one already already exists.

"A newer item named “TorBrowser.app” already exists in this location. Do you want to replace it with the older one you’re moving?"

November 22, 2016

Permalink

Question.

What does "client-versions" and "server-versions" in consensus
mean?

in consensus:
client-versions 0.2.4.27,0.2.5.12,0.2.7.6,0.2.8.9,0.2.9.4-alpha,0.2.9.5-alpha
server-versions 0.2.4.27,0.2.5.12,0.2.7.6,0.2.8.9,0.2.9.4-alpha,0.2.9.5-alpha

In all Tor Release notes "[...] All Tor users should upgrade to this version [...]". Why older Tor versions like 0.2.4.27, has a Guard
Flag ?

in consensus,too: e.g.
default Tor 0.2.4.19 153.163.177.44
default 0.2.4.19 83.233.76.111
torfoo 0.2.4.23 212.129.42.9
default 0.2.4.23 91.106.139.225
TorExitJejaringOrg Tor0.2.4.20 14:38:22 185.61.149.193

These versions are very old and older as 0.2.4.27 in consensus.
Why you support those?

November 22, 2016

Permalink

The newly discovered Trojans in Tor might have something to do with the fact that FBI placed their malware in Tor to identify pedophiles, according to this article:
http://thedailyhaze.com/fbi-hosted-tor-child-pornography/
...and that the police in Norway recently discovered a large pedophile network, that the FBI is said to having been tipped the Norwegian police about.
https://www.flashback.org/t2783686

/Just wondering...

If you are talking about the ones mentioned on this blog post and that were included in freshly downloaded Tor Browser versions or our updates, then very likely "no". We built those directly from the source on different machines and got the exact same output which we shipped. It is much more likely that those issues are false positives due to the firewall/AV software running on the machines.

November 24, 2016

In reply to gk

Permalink

Agree. The McAfee "artemis" detection is just very broad heurestics prone to errors.
I am curious however, as to what methods the Norwegian police used.

November 22, 2016

Permalink

> Add donation banner on about:tor for 2016 campaign
a donation banner appeared a week later , what does it mean ?!

November 23, 2016

In reply to gk

Permalink

nice logo nice banner good luck and thank you very much again for your fantastic work.

November 23, 2016

Permalink

great

November 23, 2016

Permalink

NoScript today has started detecting a cross-scripting issue (XSS) with StartPage and DuckDuckGo used from the search box, and instead of searching directs to the search engine's home page.

I presume a temporary issue. But, if not, how does one correct that? Or is it a NoScript issue? Still works fine with Yahoo search.

Yesterday, this was not a problem. Unsure if the search engines have changed something.

November 24, 2016

Permalink

It is possible to install some dictionary from others localized versions of Tor Browser?
For example adding spanish and chinese dictionaries to english Tor Browser.
If yes: I have to manually update those dictionaries installed by me when a new version of Tor Browser is ready?

It is considered insecure or at anonymization risk? Or what else...

Thank you

November 27, 2016

Permalink

Log says:
1/27/2016 17:50:54.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.

I thereafter thoughtlessly ran
sudo apt install gnome-system-monitor

AND SU'CCEEDED.

Isn't something wrong? Shouldn't apt have been blocked from the net. I know I failed using wget to download stuff before. And had to install torsocks to get it working.

Not sure how you have configured your package updates/installation but, no, Tor does not automatically tunnel all your network activity. You have to configure every application to do that.

November 28, 2016

In reply to gk

Permalink

So something is wrong. This is a vanilla TB6.0.6 under ubuntu 16.04 (live-cd) on an old Toshiba Satellite. I burnt a fresh TB after I got suspicious against the old usb I had used so far. The new thing that happened was a slight delay. A first attempt to start now allways fails, independent of the configuration I choose. But after a short while it works fine even with the config that failed to begin with. Communication is very slow, like 60k instead of the 200k I have had recently.

Basically the problem remains, but by setting Privacy and Security settings to HIGH. and then in NoScript allowing all in the site I can even view video shows there, otherwise nogo.
These Privacy etc. settings do the work with more than NoScript?_

November 27, 2016

Permalink

Hi Tor team.

You sure you didn't flip some switch by accident? Because now Youtube videos don't autoplay with NoScript off (you need to manually allow first the audio and then the video, maybe this isn't THAT bad now that I think about it, but it sure is irksome) and Vimeo videos that used to play now don't at all.

December 07, 2016

Permalink

Why are we updating OpenSSL when there's LibreSSL freely available now: https://www.libressl.org/

It's 2016, nearly 2017. Trump's won and four horsemen start saddling up while China hardens its defense through economic infiltration and Russia tries to pull itself together before Armageddon. People like to look to the EU for online privacy and the EFF lawyer brain trust for some sort of digital freedom, because the truth is too much to bear: the US owns the English world, China and India own almost everything else and Russia clings to it's ever-dwindling lines on the map of what was once a much bigger USSR. At times like this we maybe look to the liberals at the UN. Ha, ha, ha. Good joke, Funny. Everybody laugh. Maybe there's a god you can pray to before this abscess of a civilization finally bursts and all the blood, muck, and puss come broiling out in an horrific eruption violence versus oppression in the Chaos Versus Order War that will have some people who once preached liberal values begging for the first dictator who will protect them from the very masses they once spilled all those liberal tears for. Meanwhile the system continues to turn, Quantum Phenox lives on, ushering in the Next Age (an age of totalitarianism) as the sun sets on the Old Era (the one, one of liberalism). And don't think you'll be safe. There's no anonymity left, not truly. TBB is just a way of keeping commercial interests at bay, not governments. They can only be held back by the best of hackers, neither you nor I (or we wouldn't be on this site, downloading prepackaged, pre-configured TOR with browser).

December 17, 2016

Permalink

my TOR BROWER 6.0.6 wont use my choice of default Search engine which is Start Page- Why is that. I cannot tolerate DuckDuckGo.It is too slow and doesn't give me good results. Start Page is MUCH better in all ways I am aware of

If you're still using Tor Browser 6.0.6 at this point you are doing it wrong.

Mozilla keeps putting out security updates for Firefox, and Tor Browser keeps up with them, and so should you.