Tor Browser 7.5.2 is released

Tor Browser 7.5.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Note: Users of the Tor Browser alpha series are strongly encouraged to use the stable series while we are preparing a new alpha release.

The full changelog since Tor Browser 7.5.1 is:

  • All platforms
    • Update Firefox to 52.7.2esr

The easiest answer is "install and use Tor Browser": the latest version, for the appropriate architecture (e.g. Windows, Linux), obtained from www.torproject.org.

For more privacy protections, you may want to consider using Tails:

https://tails.boum.org/about/index.en.html

Tails will enable you to browse the web anonymously:

https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html

Within limits:

https://tails.boum.org/doc/about/warning/index.en.html

You can't. Tor provides no protection against global adversaries, but USA, People's Republic of China and other governments are global adversaries because of MLATs and CLOUD. Say thanks to Trump and the Congress.

Tor Project products, such as Tor Browser, cannot by themselves protect against flaws in your operating system, much less hardware vulnerabilities such as speculative execution.

If you are concerned about Spectre/Meltdown, good, and you may want to consider using Tails, which uses Tor Browser but has further protections; see

tails.boum.org

Tails Project is independent of Tor Project but allied with it.

The current version of Tails is hardened against some Spectre attacks and should be immune to known Meltdown attacks. It is not currently possible, and may never be possible, to be completely protected from Spectre attacks, for reasons discussed in previous comments in this blog.

Tor Browser, cannot by themselves protect against flaws in your operating system, much less hardware vulnerabilities such as speculative execution.

Actually, Retpoline does just that. Firefox was going to compile with Retpoline, but since Tor has its own build of Firefox, it would be great to hear that Retpoline is definitely enabled in the build target.

What does "instantly" mean? Just after trying to start Tor Browser? Or once you start surfing? I suspect your local AV/Firewall software does not like the new version. Could you try removing it and see whether it fixes your problem? Which previous version did work for you?

Anonymous

March 17, 2018


Thanks,
What do I do now you have told me re update?
Rob

Anonymous

March 19, 2018

In reply to by robert.fraser1… (not verified)


Follow the first link in the post to the Tor Project download page, download the new version of Tor Browser, verify the file, unpack it, and surf! Feel free to flip the bird in the general direction of Cambridge Analytica.

Anonymous

March 18, 2018


Thanks for allowing comments, but where are the details about this vulnerability?
"Users of higher security levels are not affected", "do not allow ogg/vorbis" and so on?

We did not have time to analyze the implications for Tor Browser and don't have access to the PoC. So, it's hard to say something which is constructive at this point. That's the reason behind just saying: "Update!".

[Edit: I got told that setting media.ogg.enabled to false would make sure the vulnerable code would not have been triggered. It's not clear yet whether setting media.webaudio.enabled to false, which is possible with the security slider, would have helped as well.]

Okay. The most decent solution "Automatic updates" eliminates the need to even say "Update!" :) But is there some place where you publish (later) the results of analysis of effectiveness of the measures taken in Tor Browser (ssp, selfrando, etc)?

Anonymous

March 18, 2018


Sorry for a simple question. I'm no security expert. Does 'Ghostery' work with Tor? If so, does it work well or ok? cheers.

Tor Project recommendation — Don't enable or install browser plugins. Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, do not install additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy: https://www.torproject.org/download/download-easy.html.en#warning

It's simple, assuming you want to use Tor Browser to surf the internet anonymously:

1. download Tor Browser from https://www.torproject.org/download/download-easy.html.en

2. verify the file (a tarball)

3. unpack the tarball on your computer using your regular OS

4. use the provided startup script to start Tor Browser

5. surf!

You should probably read a bit about how to use Tor Browser wisely before you do too much surfing, though:

https://www.torproject.org/download/download-easy.html.en#warning

Ideally you should also read a bit about how the Tor network (including the underlying Tor client/server software) works:

https://www.torproject.org/about/overview.html.en#thesolution

You may also want to consider using Tails for additional protections. But Tails, much less Tor Browser, cannot protect you against some threats:

https://tails.boum.org/doc/about/warning/index.en.html

@ Tor Project: the OP asked a FAQ. Why is there no one document easily found in the Tor Project site which answers it?

Good question. I am actually not sure whether we have an entry in the FAQ for the question or not as I am not sure what is meant by "How does it work?". But, yes, once we figured that out and the FAQ does indeed not contain it we should add an entry.

We plan to help the Guardian Project getting an updated Orfox out in the coming days. And meanwhile we are continuing to work on getting Tor Browser for Android into shape. The first alpha is planned for July, so stay tuned.

I hope the following explainer will help, in which <--> means unencrypted data link and <==> means encrypted data link.

Ordinary websurfing with a browser other than Tor Browser works like this:

DNS.server <--> your.computer <--> your.ISP <--> some.website

Websurfing with Tor Browser works like this:

your.computer <==> your.ISP <==> entry.node <==> middle.node <==> exit.node <--> http.site

your.computer <==> your.ISP <==> entry.node <==> middle.node <==> exit.node <==> https.site

Details:

The Tor network consists of entry, middle, exit nodes, and special servers called Directory Authorities.

The Tor circuit entry <==> middle <==> exit is triply encrypted. Middle node knows IP of entry and exit, but exit node and entry node do not know each other's identity. The encryption is stripped off in layers by the next node in the circuit, as packets traverse the Tor network. Hence the term "onion routing", which is the core concept characterizing Tor.

The identity of exit nodes and some entry/middle nodes is public information. Nonpublished entry nodes are bridges, which can afford additional anonymity and censorship-resistance. There are various kinds of bridges, some especially designed to resist very censorious governmental monitoring.

When you first join the Tor network using Tor Browser, your computer contacts a Directory Authority via an encrypted connection, to get current information on which Tor nodes are operating, so your ISP can see that you are using Tor. Unless, possibly, if you use a bridge (because bridges are not publicly associated with Tor) to try to join the Tor network.

The exit node in a Tor circuit must contact a DNS server (via unencrypted data link) to locate the IP of the website you type into Tor Browser's location pane, but since it doesn't know your real IP, neither does the operator of the DNS server, nor the operator of the website you are visiting.

Tor Browser is a fully functional browser based on Mozilla Firefox, but carefully tailored to maximize anonymity via the Tor network.

Tor Project offers various other software in addition to Tor Browser. All of them use the underlying client/server Tor software and are open source and free to the public.

"Onions" are a bit more complicated and offer additional protections for people who need to publish information anonymously.

Other names: "entry guard" = entry node, "relay" = entry/middle node, "hidden service" = onion.
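The layering described in the explainer above can be traced in a short simulation. This is an added example, not part of the original comment and not Tor's code: the cipher is a toy stand-in, the per-node keys and the request are constructed, and the node names are taken from the diagrams above.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with SHA-256(key || offset)); NOT Tor's real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client side: add one layer per node, innermost (exit) layer first."""
    next_hops = path[1:] + [destination]
    cell = payload
    for node, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(keys[node], layer)
    return cell

def peel(node, keys, cell: bytes):
    """Node side: strip exactly one layer, learning only the next hop."""
    layer = json.loads(keystream_xor(keys[node], cell))
    return layer["next"], bytes.fromhex(layer["data"])

def relay(path, keys, sender, cell: bytes):
    """Pass the cell along the circuit and record what each node can see."""
    views, prev = {}, sender
    for node in path:
        nxt, cell = peel(node, keys, cell)
        views[node] = {"from": prev, "to": nxt}
        prev = node
    return views, cell

# Constructed sample data: node names follow the diagrams above; keys are made up.
PATH = ["entry.node", "middle.node", "exit.node"]
KEYS = {n: hashlib.sha256(n.encode()).digest() for n in PATH}
REQUEST = b"GET /index.html"

if __name__ == "__main__":
    onion = wrap(PATH, KEYS, "http.site", REQUEST)
    views, delivered = relay(PATH, KEYS, "your.computer", onion)
    for node, seen in views.items():
        print(node, seen)
    print("exit forwards:", delivered)
```

In the https.site case the request handed to `wrap` would already be TLS ciphertext, so the exit node would forward bytes it cannot read.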

Anonymous

March 20, 2018


I am just getting started again, it has been a year or so since I have been here, just updating everything. Have a peaceful day...

Anonymous

March 21, 2018


Hi guys - After upgrading to 7.5.2, Tor always insists on connecting to the UK as its first relay node, no matter how many times I try a different circuit.

Has anyone experienced this, and what's up with it?
