Tor Browser 6.5 is released
Tor Browser 6.5 is now available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox.
This is a major release and the first one in the 6.5 series. First of all it fixes the usual critical bugs in Firefox by updating to ESR 45.7.0. It contains version updates to other bundle components as well: Tor to 0.2.9.9, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and NoScript to 2.9.5.3.
Besides those updates Tor Browser 6.5 ships with a lot of the improvements we have been working on in the past couple of months.
On the security side we now always block remote JAR files and have removed support for SHA-1 HPKP pins. Additionally, we backported patches from another Firefox branch to mark JIT pages as non-writable, along with fixes for other crashes that could disrupt a Tor Browser session quite reliably.
With respect to user tracking and fingerprinting we now isolate SharedWorker script requests to the first party domain. We improved our timer resolution spoofing and reduced the timing precision for AudioContext, HTMLMediaElement, and MediaStream elements. We stopped user fingerprinting via internal resource:// URLs, and for Windows users we fixed a regression introduced in Tor Browser 6.0 which could leak the local timezone if JavaScript were enabled.
A great deal of our time was spent on improving the usability of Tor Browser. We redesigned the security slider and improved its labels. We moved a lot of Torbutton's privacy settings directly into the respective Firefox menu, making it cleaner and more straightforward to use. Finally, we moved as many Torbutton features as possible into Firefox to make it easier to upstream them. This allowed us to resolve a couple of window resizing bugs that piled up over the course of the past years.
The features mentioned above are only some of the highlights in Tor Browser 6.5. The full changelog since 6.0.8 is:
- All Platforms
  - Update Firefox to 45.7.0esr
  - Tor to 0.2.9.9
  - OpenSSL to 1.0.2j
  - Update Torbutton to 1.9.6.12
    - Bug 16622: Timezone spoofing moved to tor-browser.git
    - Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
    - Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    - Bug 20701: Allow the directory listing stylesheet in the content policy
    - Bug 19837: Whitelist internal URLs that Firefox requires for media
    - Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
    - Bug 19273: Improve external app launch handling and associated warnings
    - Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
    - Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
    - Bug 17767: Make "JavaScript disabled" more visible in Security Slider
    - Bug 20556: Use pt-BR strings from now on
    - Bug 20614: Add links to Tor Browser User Manual
    - Bug 20414: Fix non-rendering arrow on OS X
    - Bug 20728: Fix bad preferences.xul dimensions
    - Bug 19898: Use DuckDuckGo on about:tor
    - Bug 21091: Hide the update check menu entry when running under the sandbox
    - Bug 19459: Move resizing code to tor-browser.git
    - Bug 20264: Change security slider to 3 options
    - Bug 20347: Enhance security slider's custom mode
    - Bug 20123: Disable remote jar on all security levels
    - Bug 20244: Move privacy checkboxes to about:preferences#privacy
    - Bug 17546: Add tooltips to explain our privacy checkboxes
    - Bug 17904: Allow security settings dialog to resize
    - Bug 18093: Remove 'Restore Defaults' button
    - Bug 20373: Prevent redundant dialogs opening
    - Bug 20318: Remove helpdesk link from about:tor
    - Bug 21243: Add links for pt, es, and fr Tor Browser manuals
    - Bug 20753: Remove obsolete StartPage locale strings
    - Bug 21131: Remove 2016 donation banner
    - Bug 18980: Remove obsolete toolbar button code
    - Bug 18238: Remove unused Torbutton code and strings
    - Bug 20388+20399+20394: Code clean-up
    - Translation updates
  - Update Tor Launcher to 0.2.10.3
  - Update HTTPS-Everywhere to 5.2.9
  - Update NoScript to 2.9.5.3
  - Bug 16622: Spoof timezone with Firefox patch
  - Bug 17334: Spoof referrer when leaving a .onion domain
  - Bug 19273: Write C++ patch for external app launch handling
  - Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
  - Bug 12523: Mark JIT pages as non-writable
  - Bug 20123: Always block remote jar files
  - Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
  - Bug 19164: Remove support for SHA-1 HPKP pins
  - Bug 19186: KeyboardEvents are only rounding to 100ms
  - Bug 16998: Isolate preconnect requests to URL bar domain
  - Bug 19478: Prevent millisecond resolution leaks in File API
  - Bug 20471: Allow javascript: links from HTTPS first party pages
  - Bug 20244: Move privacy checkboxes to about:preferences#privacy
  - Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
  - Bug 20709: Fix wrong update URL in alpha bundles
  - Bug 19481: Point the update URL to aus1.torproject.org
  - Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
  - Bug 20442: Backport fix for local path disclosure after drag and drop
  - Bug 20160: Backport fix for broken MP3-playback
  - Bug 20043: Isolate SharedWorker script requests to first party
  - Bug 18923: Add script to run all Tor Browser regression tests
  - Bug 20651: DuckDuckGo does not work with JavaScript disabled
  - Bug 19336+19835: Enhance about:tbupdate page
  - Bug 20399+15852: Code clean-up
- Windows
- OS X
- Linux
- Build system
  - All platforms
  - OS X
    - Bug 20258: Make OS X Tor archive reproducible again
    - Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
    - Bug 19856: Make OS X builds reproducible (getting libfaketime back)
    - Bug 19410: Fix incremental updates by taking signatures into account
    - Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one
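The reduced timing precision and the window sizing rule mentioned above (the fingerprinting paragraph and Bugs 19186 and 19459 in the changelog) share one idea: many observable values are collapsed into a few buckets. The following is an added example, not Tor Browser code; the round-down rule, the helper names and the sample data are assumptions constructed for illustration.

```javascript
// Added illustration, not Tor Browser source code.
// Assumption: "reduced precision" is modelled as rounding down to a fixed grid.
const TIMER_GRID_MS = 100;            // granularity named in Bug 19186
const WIN_STEP = { w: 200, h: 100 };  // step named in Bug 19459
const WIN_MAX = { w: 1000, h: 1000 }; // maximum named in Bug 19459

// Round a timestamp down to the grid so sub-grid detail is not exposed.
function clampTime(ms, grid = TIMER_GRID_MS) {
  return Math.floor(ms / grid) * grid;
}

// Hypothetical helper: largest multiple of the step that fits the
// available area, capped at the maximum and never below one step.
function bucketWindow(availW, availH) {
  const fit = (avail, step, max) =>
    Math.max(step, Math.min(max, Math.floor(avail / step) * step));
  return {
    width: fit(availW, WIN_STEP.w, WIN_MAX.w),
    height: fit(availH, WIN_STEP.h, WIN_MAX.h),
  };
}

// Count how many distinct values an observer can tell apart.
function distinctCount(values, transform) {
  return new Set(values.map((v) => JSON.stringify(transform(v)))).size;
}

// Constructed sample data: keystroke timestamps (ms) and available screen areas.
const keyTimes = [1003.2, 1041.7, 1187.4, 1190.9, 1312.5, 1398.1];
const screens = [[1366, 768], [1440, 900], [1600, 900],
                 [1680, 1050], [1920, 1080], [2560, 1440]];

// Compare the number of distinguishable values before and after bucketing.
function summary() {
  return {
    rawTimes: distinctCount(keyTimes, (t) => t),
    clampedTimes: distinctCount(keyTimes, (t) => clampTime(t)),
    rawScreens: distinctCount(screens, (s) => s),
    bucketedScreens: distinctCount(screens, ([w, h]) => bucketWindow(w, h)),
  };
}

console.log(summary());
```

Fewer distinct values after bucketing means fewer bits a site can use to tell one user from another.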
Thanks for the great release!
I can NOT get any of the new versions to work.
I’ve been using 6.5a5 since it was released and it works fine.
Today I installed 6.5 several times and it just won’t connect.
"Something Went Wrong!
Tor is not working in this browser."
Onion icon shows "Tor disabled" and pages won’t load - "unable to find the proxy server"
I don’t have a proxy server configured right now!
Downloaded and installed several times, sometimes it says "Tor Launcher could not connect to Tor control port."
And v7.0a1 is the same.
Reinstalling 6.5a5 makes it functional again. WTF?!
Wouldn’t you know it - right after posting my comment I deleted and replaced the TorBrowser-Data folder AGAIN.
At first I got a big error window. Then I deleted the Updates folder within, and all the files in the Tor folder.
I had already done that many times, so I don’t know why Tor launched this time but it did (version 7.0a1).
I notice that inside the updates.xml file there’s no mention of version 7.0a1 or Firefox 45.7.0. The last updates listed are Tor 6.5a6 and Firefox 45.6.0.
Just successfully launched it again, so who knows what caused the problem.
- Firefox 24 ESR works on KDE 4
- Firefox 45 ESR (i.e. TBB 6.5) works on KDE 4
- Firefox 51 (no e10s) does not work on KDE 4
Not like I need Firefox 51 for KDE though, but Firefox 52 ESR is creeping up soon, so are there any plans for the next Tor Browser based on that version to work on KDE 4? :nervous:
Not sure. I guess the first task would be to find out why it is not working anymore. Then we could think about ways to fix that. Is KDE4 support deprecated?
The last Plasma 4 LTS release was 4.11.22 (August 19, 2015).
See: https://www.kde.org/announcements/announce-applications-15.08.0.php ("Other Releases")
Session Manager in Tools menu and its icons in toolbars disappeared after update.
How to make Session Manager fully functional?
360 total security now flags the tor 7.0 and 6.5 as UNKNOWN, yesterday it was saying it was a virus/trojan
2017-01-29 13:47:56 D:\Users\user\Desktop\deskk\Downloads\torbrowser-install-7.0a1_en-US.exe Unknown Mozilla
2017-01-29 13:47:34 D:\Users\user\Desktop\deskk\Downloads\torbrowser-install-6.5_en-US.exe Unknown Mozilla
very useful
Can't download the new version. Every time I try, I receive this warning: "signature verification failed! You might be under attack, or there might just be a networking problem. Click start try the download again."
Well, I don't have networking problems and I'd already tried several times. Any help?
Simple- Do a fresh install of Tor and remember to redo your security settings.
There is a bug in tor-browser-launcher: https://github.com/micahflee/torbrowser-launcher/issues/260. I'd recommend to download Tor Browser from our website and use its built-in updater. It should be much faster that way as well if you are updating regularly as it only downloads diffs in that case and not a whole new Tor Browser every time.
Something interesting. I think I may have found the FBI's alleged magic bullet. It seems that PHP has a known but not well publicized exploitable bug that allows a PHP script to both hide other scripts such as javascript from the browser, as well as somehow, at least hypothetically, execute them as well. If this is the case, it would seem that PHP would be able to bypass the browser plugins and run scripts anyways. So a few questions:
1. Has this type of attack been considered and mitigated,
and,
2. How might we mitigate this sort of thing?
PHP is a server-side language. It does not execute on browsers and cannot be used to exploit browsers in any way. A PHP bug, no matter how severe, could only be used to exploit a web server. PHP is simply a method of having a server choose what to send to a client, like any other CGI script like Perl, Ruby, ASP, or whatever. It cannot tell the client how to execute it. To answer your questions:
1. No, because it does not exist.
2. We cannot, because it does not exist.
Tor + Firefox did not update properly. Tor does not run correctly in Firefox. Items in "Add-ons" are absent. I do not know what kind of configuration methods to use to repair it. When I install an old version over the improperly updated version, the links I added to "Bookmarks" are erased. This situation appears often.
Did you get error messages during the update? What extensions were there before and are missing now? Which operating system are you using?
nice
agree
In Saudi Arabia your browser has died now. I'm outside of my home.
In this new 6.5 version some websites do not open, but in 6.0.8 all is good. For example: https://999.md
Works with neither of them for me.
Try with Low security settings
I did.
I think the problem is in NoScript
04-02-2017, 11:57:27.500 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("general SOCKS server failure")
This is down again. This is used with the scramblesuit transport
I talked to the maintainer of that bridge and he told me that this bridge gets hammered with requests and the server can't handle that. We'll take that one out of the Tor Browser default bridges next time, alas.
That means that scramblesuit will be removed?
Yes, if we don't find a replacement bridge before the next release is getting out.
The TOR metrics doesn't seem to support the excessive usage as it peaks at 300 averaging 120. See
https://metrics.torproject.org/userstats-bridge-transport.html?start=20…
Doesn't every TOR site support every bridge?
I don't know what "Doesn't every TOR site support every bridge" means, but if it means "Doesn't every Tor relay support every pluggable transport", the answer is no.
Pluggable transports, such as scramblesuit, are separate programs that transform Tor traffic in a way that makes it harder to detect and/or censor.
The scramblesuit protocol doesn't get that much use in practice, and there aren't that many bridges that support it, and apparently the ones that do are having trouble with stability. Sounds to me like a reasonable time to remove it from the Tor Browser.
I only use it because it is one of the transports that is able to get through "Tor"blocked sites that don't allow other transports through. This could be because it is hardly used and sites that try to block Tor don't pay any attention to scramblesuit.
Thanks! Your services are invaluable!!
super
I am using a Mac OSX, and I see 2 "Tor browser" processes running simultaneously. Is this normal ?
And both vanish if you close Tor Browser? Are you using some pluggable transports or Tor Browser just as it ships connecting directly to the Tor network?
No big deal but it seems the "wrap long lines" option doesn't work when I open "view page source".
When I install Tor Browser 6.5 onto my Ubuntu 16.05 with the latest Firefox version already installed, the Tor Browser doesn't show as being open from the App menu selection even though it is open. Firefox shows 2 applications open. It is as if the Tor Browser and Firefox are linked.
It seems to me this is a bug related to https://trac.torproject.org/projects/tor/ticket/18199. Might even be the same.
Unable to verify the signature of file tor-browser-linux64-6.5_en-US.tar.xz. I get the following when I attempt to verify the signature:
SHA256 hash sum of the file:
c4714061748a70d3871dd84ff88d2f317b386d290a5c1fb94a504a1c256f1960
I've downloaded the file three different times now and had the same issue with all three downloads.
Updating your local Tor Browser key should help. The bundles are signed with a new subkey. The SHA256 hash looks good for what it is worth.
I Love You Guys! Thanks Tor I will Always donate to you! Keep up the great work!
Version 6.5 consistently does not start. Instead I am getting the message Something Went Wrong! Tor is not working in this browser
Version 6.08 is working.
Do you get some more error information than that? What exactly did you do? Does a clean new install of Tor Browser help? What operating system are you on?
does someone know why TBB doesn't remember
browser.zoom.siteSpecific = true?
See: https://trac.torproject.org/projects/tor/ticket/20727.
Is TBB affected with?
https://www.openssl.org/news/secadv/20170216.txt
Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
=========================================
Severity: High
During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.
OpenSSL 1.1.0 users should upgrade to 1.1.0e
No, we are using 1.0.2.
ok
Anonymity broken ?
On some website(s?) there is a strange error happening while printing a webpage to pdf file.
It will give a modem error message for more than 20 times within a second.
This is happening for some time, one or two Torbrowser versions.
This is happening with no javascripts allowed.
What I see in the Console program log
This "replacing NaN with 0" message only keeps popping up in console on this website www.security.nl
What is this?
A new manner for circumventing Torbrowser anonymity by trying to send feedback when printing a page?
Why aren't all dom settings in the about:config that try to send back user behavior disabled?
There used to be a separate dom setting for sending printing feedback as well in firefox but I can't find it anymore.
Please just try this yourself or please analyze that website code.
Tested many websites but this is only happening on that website that happened to be in a way related to another company that is focused on legal interception (Pine).
It is strange behavior, exceptional and very specific related and it does not look right.
Could you give us exact steps to reproduce your problem? What operating system are you on?