Tor Browser 7.5a5 is released

Tor Browser 7.5a5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Besides the usual Firefox security and extensions updates this alpha contains a bunch of long-awaited features:

  1. We include Tor 0.3.2.1-alpha, the first alpha release in the 0.3.2 series, with support for next generation onion services and a new circuit scheduler, KIST.
  2. Thanks to the work of Jed Davis we are able to ship a content sandbox for Linux users. While the content sandbox is disabled in Firefox 52 ESR versions, which Tor Browser is based on, backported patches allow us to protect our Linux users with the same mechanisms that are provided to regular Firefox users.
  3. The content sandbox is enabled for Windows users as well. While we still need to clean up our workarounds to get the sandboxing code to work with our mingw-w64 compiler, we think the enabled sandbox is ready for a wider testing in our alpha series. Please give it a try if you can.
  4. Although this change should be invisible to users, we switched our build system from gitian/tor-browser-bundle to rbm/tor-browser-build. The build should continue to be reproducible and if you want to do a build yourself the README file in the tor-browser-build repository has some informations.

Update: Tor Browser 7.5a5 is broken when using the sandboxed-tor-browser version 0.0.13, due to bug 23692. Version 0.0.14 of the sandboxed-tor-browser has been released to fix that issue.

Note: The release date in the changelog displayed after the update is incorrect. The actual release date is September 28.

The full changelog since Tor Browser 7.5a4 is:

  • All Platforms
    • Update Firefox to 52.4.0esr
    • Update Tor to 0.3.2.1-alpha
    • Update Torbutton to 1.9.8.1
      • Bug 20375: Warn users after entering fullscreen mode
      • Bug 22989: Fix dimensions of new windows on macOS
      • Bug 23526: Add 2017 Donation banner text
      • Bug 23483: Donation banner on about:tor for 2017 (testing mode)
      • Translations update
    • Update Tor Launcher to 0.2.13
      • Bug 23240: Retrieve current bootstrap progress before showing progress bar
      • Bug 22232: Add README on use of bootstrap status messages
      • Translations update
    • Update HTTPS-Everywhere to 2017.9.12
    • Update NoScript to 5.0.10
    • Update sandboxed-tor-browser to 0.0.13
    • Bug 23393: Don't crash all tabs when closing one tab
    • Bug 23166: Add new obfs4 bridge to the built-in ones
    • Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
    • Bug 21270: NoScript settings break WebExtensions add-ons
    • Bug 23104: CSS line-height reveals the platform Tor Browser is running on
  • Windows
    • Bug 16010: Enable content sandboxing on Windows
    • Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
    • Bug 23396: Update the msvcr100.dll we ship
    • Bug 23230: Fix build error on Windows 64
  • OS X
    • Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist
  • Linux
    • Bug 10089: Set middlemouse.contentLoadURL to false by default
    • Bug 22692: Enable content sandboxing on Linux
    • Bug 18101: Suppress upload file dialog proxy bypass (linux part)
  • Build System
    • All Platforms
      • Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
Anonymous

September 28, 2017

Permalink

This release features important security updates to Firefox.

Your Firefox is out-of-date.

Get the most recent version to keep browsing securely.

Is Mozilla trolling us?

Anonymous

September 28, 2017

Permalink

Are there any v3 HS for the wider community to test and play with?
Preferably hosted by the Tor project. I would love a few with a wide assortment of content types and configs.

Something the team can throw together and harden that will entice hackers and casual users alike. Haven't found any v3 links at all so far. Anyone care to share?

It was alive for a while and worked great, later went down...

It looks like many Tor users around the world was trying to access their hidden service because of your comment ;-), now it has been taken down permanently because of the slashdot (torblog?) effect.

Anonymous

September 28, 2017

Permalink

Sandbox log on Win 10:
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.1.48797690
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.1.48797690
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.2.129251956
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.3.116815476
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.3.116815476
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.2.129251956
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.4.13357681
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.4.13357681
Process Sandbox Broker ALLOWED: DuplicateHandle

Anonymous

September 28, 2017

Permalink

Disable experimental-webgl
https://browserleaks.com/webgl
04:10:25.421 Error: WebGL: getExtension('MOZ_WEBGL_lose_context'): MOZ_ prefixed WebGL extension strings are deprecated. Support for them will be removed in the future. Use unprefixed extension strings. To get draft extensions, set the webgl.enable-draft-extensions preference. 1 webgl.js:4:12124

Anonymous

September 28, 2017

Permalink

Bug 23104: CSS line-height reveals the platform Tor Browser is running on
eats lower parts of letters in the address bar on Windows 10.

Anonymous

September 28, 2017

Permalink

04:20:20.582 Will-change memory consumption is too high. Budget limit is the document surface area multiplied by 3 (600000 px). Occurrences of will-change over the budget will be ignored. 1 www.youtube.com

Anonymous

September 29, 2017

Permalink

thanks for another great release; i am especially grateful that the team is closely tracking mozilla's release cycle!

Anonymous

September 29, 2017

Permalink

It doesn't download from mega.nz
I have tried to download a PDF bit it's stuck at 99%
Just try to download something
Thank you

Anonymous

September 29, 2017

Permalink

Thank You all for the hard work, especially on 7.5a5 and for addressing Bug #21270, in particular. I know that additional extensions are strongly discouraged, but the few that I use are necessary for how I use TorBrowser. I thought that the issues I had may have been due to Mozilla's push towards WebExtensions making the (updated) ones I use incompatible with FF ESR. So far, everything seems to be working. I look forward to playing around with this release and bothering you in the future when something doesn't go my way. Thanks Tor Team!

Anonymous

September 29, 2017

Permalink

I take back what I said; lol. my previous comment hasn't appeared yet, but I still seem to have problems with extensions. They seem to work fine unless I happen to change even a singular NoScript setting.

Anonymous

September 29, 2017

Permalink

sorry for the multiple responses... The comments take a while to appear & I want to submit this before I forget; if a mod can join the three replies into one thread, that would be great.add-on functionality breaks even without changing the security slider. There was an assertion made that the bug only occurs when the slider is set to medium or high, but I still have issues even when it's left on default/low."Synced Tabs" button also magically re-appears in the menu even if I remove it in "Customize". That's usually when I notice that extensions have broken. Thanks again

Anonymous

September 29, 2017

Permalink

Now I have no idea what is causing the issue. I turned off javascript in config, then HTTPS Everywhere broke; then I set the value back to true and HTTPS Everywhere is working like normal again. This is without restarting, btw.

WebExtensions need JavaScript enabled!? Seriously! If it isn't bad enough that limiting Firefox to WebExtensions will effectively kill Firefox, as an absolute majority of users are there for the extensions. On a wider note, is it a case of someone(s) deliberately trying to make Firefox insecure?, kill Firefox? You would think that the gugle guys and girls are on the 'development' team :D

Anonymous

September 29, 2017

Permalink

Tor WARN: Tried connecting to router at 144.76.26.175:9011, but RSA identity key was not as expected: wanted 2BA2C8E96B2590E1072AECE2BDB5C48921BF8510 + no ed25519 key but got 94B0AC1151F5611E801A04AEE29D7D65C3B1A5F5 + no ed25519 key.

Anonymous

September 29, 2017

Permalink

Another one semi-broken add-on update (NoScript 5.1)

06:33:57.300 XML Parsing Error: undefined entity
Location: jar:file:///C:/Browser/TorBrowser/Data/Browser/profile.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/chrome/content/noscript/noscriptOverlayFx57.xul?1br8nr5ksqe742k1ufps
Line Number 27, Column 5: 1 noscriptOverlayFx57.xul:27:5

06:33:57.302 TypeError: widgetTemplate is null 1 Restartless.jsm:90:7

06:34:24.235 [Exception... "Failure" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://noscript/content/Restartless.jsm?0.4271424961007011.1506753222200 :: loadIntoWindow :: line 139" data: no] 1 (unknown)
loadIntoWindow chrome://noscript/content/Restartless.jsm:139:5
observe chrome://noscript/content/Restartless.jsm:164:11

06:34:24.235 Could not overlay chrome://browser/content/browser.xul 1 Restartless.jsm:170
loadIntoWindow chrome://noscript/content/Restartless.jsm:170:5
observe chrome://noscript/content/Restartless.jsm:164:11

Anonymous

September 30, 2017

Permalink

When the Tor message about "This website (www.facebookcorewwwi.com) attempted to extract html5" appears, if the mouse is clicked elsewhere the message closes and there is no chance to click the "Never for this site" button.
When this happens does it mean facebook is allowed to extract html5, or is it a default of blocked? Thank you.

UX guides say that the default option should be "Allow" (as in Firefox), because that dialog box is a question to the user to allow canvas. So that if it disappears users won't bother you with such questions.

Anonymous

October 01, 2017

Permalink

I've been experiencing issues with extensions breaking since the last couple alphas.

It's been two days and my comment hasn't shown up, so I'm going to assume that it didn't go through. Mod, can you disallow the three comments I made re:extensions which as of now haven't displayed? I don't remember if I included any more detailed information than the following...

I initially presumed that the issues with add-ons breaking was due to Mozilla's push towards WebExtensions, making my updated extensions incompatible with ESR, which somehow affected other (legacy?) add-ons. Then, I had a suspicion that NoScript may be at fault, but I didn't know until seeing the 7.5a5 changelog about Bug #21270. Now, I'm not sure what the root cause of the problem is.

In the bug-tracker, there was an assertion that extensions break when the security level slider is moved to medium or high, but not if it's left on the default security setting. However, I have issues even when the slider is left on default/low.

If I change any of the browser's options/about:preferences, nothing seems to be affected. But, if I turn javascript off in about:config, then extensions break. If I turn javascript back on (without exit/restart), then extensions appear to work again. I don't know if changing the value of any other config preferences have the same effect.

No, sorry, I already enabled them. (We can leave them there, it's okay). Re: JavaScript: yes, you need that enabled in your about:config otherwise WebExtensions won't work. NoScript is dealing with that on higher security levels by whitelisting JavaScript from WebExtensions.

ok, thank you, gk. I saw that Bug 1329731 was fixed in FF54. Is the patch detailed on that page something that TorDevs could apply on your end to TBB? If not, do you have a rough idea of what the ESR release schedule is projected to be? I couldn't make sense of this diagram I take it to mean that it would be a few years before we get to 54? : )

Nah, not years "just" months. We'll switch to the next ESR mid-June next year. That said what is the use case for backporting this patch as we have the security slider on level "high" that is supposed to achieve the same as flipping the JavaScript preference while allowing WebExtensions to work.

Well, I got into the habit of enabling javascript for a single, specific page only when I absolutely needed to, then immediately turning it back off. the Majority of the time I use TBB for day-to-day browsing, unless I need to send/receive sensitive data or more data than I think is reasonable over Tor, e.g. longer-duration content, high-res video/audio, etc.

For the longest time, I had the security slider on "high" & I thought that may have been causing the issues, so I reverted it back to "low/default" for a while. I didn't even realize that setting it to "medium" or "high" was an option that could still retain the functionality of WebExtensions while restricting javascript.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

3 + 10 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.