Tor Browser 7.5.5 is released

Tor Browser 7.5.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 52.8.1esr. In addition, we had to remove the amazon-meek pluggable transport.

The full changelog since Tor Browser 7.5.4 is:

  • All platforms
    • Update Firefox to 52.8.1esr
    • Bug 26098: Remove amazon-meek

Anonymous

June 09, 2018


CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia
Another hole in Google's backdoor? Surprise, surprise...

Anonymous

June 09, 2018


> we had to remove the amazon-meek pluggable transport.

Tragic.

Amazon's biggest customer is CIA, as some of us tried to warn over the past two years, so TP should have foreseen the demise of domain-fronting. You were so warned.

Please, TP, don't make the same mistake again by trusting the companies (such as Google) which are salivating over the prospect of becoming a permanent member of the US Surveillance-Industrial complex.

TP must find sources of funding other than USG or their public-private partners (BBG) and "benign" sponsorships such as "Google Summer of Code" from companies like Google.

If TP cannot look to "benign" USG agencies (like RFA) or "benign" multinational corporate partners of USG (like Google)--- because Yasha Levine is correct when he argues that there is no such thing as a "benign" partner of a government which seeks global hegemony--- who does that leave? Ordinary people.

This is why it is so worrisome that:

o the new TP ED has said nothing about whether she intends to continue Shari's attempts to move TP funding to a user-funded model similar to EFF,

o the long overdue TP financials have *still* not been posted, with no explanation of the hangup or any firm deadlines being offered.

And what about the PKI cert issue for this very blog? What's up with that?

Anonymous

June 09, 2018


How's about NOT auto-updating my software, making me think I've been the victim of an automated attack?!
Prompting prominently, is acceptable.
Then I can download the update, verify it, and install it CLEANLY.
This is security best-practice. You're breaking that like Microsoft does - with the assumption that FORCING everyone to do it means more people are going to be updated and the 'herd' is overall less vulnerable.
Other people's laziness for such an easy-to-achieve operation is NOT my problem to suffer abuse over.
Whilst BLIND acceptance of updates (from which IP? I had no way to verify - HOW do I verify? It is safer to assume hostile environment, and I am suffering a potential VPNFilter infection, so no way do I trust things blindly at the moment.
But hey, what do I know, I only administrate my own equipment - you _must_ know better... sure...(!)

The automatic updates should be safe even with a hostile network:
https://www.torproject.org/projects/torbrowser/design/#update-safety

Automatic updates are enabled by default because this is what most users want, especially those that do not know how to change preferences. For advanced users that want more control over how updates are installed it is still possible to disable automatic updates by setting app.update.auto to false:
http://kb.mozillazine.org/App.update.auto

Yes, Knowing, like Microsoft does. They do go after you and FORCE their updates which, for my computer, leaves it a little worse off almost every time. I now try to prolong the agony of their mostly unnecessary "updates". They usually sneak them in anyway and tell very little what they did. Tor is much more transparent and trustworthy. Thank you Tor, this time worked like a charm.

The op is correct. Automated updates from an unverifiable source are getting into Doze territory (aka proprietary non GNU-Linux hell). If people are incapable of updating a browser, an argument may be made that they are not intelligent enough to use TOR and should consider using Doze and Internet Explorer in perpetuity. You deserve what you teach yourself to deserve.

Anonymous

June 09, 2018


Thank you for your work. I come from Germany and lived through the Second World War. May you, too, be carried by the will to win!

Anonymous

June 09, 2018


Hi

Just downloaded the latest version 7.5.5 and TOR browser just said goodbye.!!! :)
It does not start. Have tried many different ways it just would not start. Simple as that.
Even started the Vidalia to see if that will be able to connect to TOR servers, it did but the TOR 7.5.5 would not.

Please help

Anonymous

June 09, 2018


I know it's not related but is a new design for this blog coming?

I don't know what happened between this version and the old one (with green background) but this one is really disappointing.

- page title is "Tor Blog |" and should be without the "|" (yes I'm finicky)
- plain white background everywhere (except footer)
- big pixelated pictures for each article
- excerpt feels like the legend of the above picture, also the interline space is odd (too big)
- "add a comment" box is nearer the below article than the one it's supposed to be with
- font sizes in general...

The blog feels like a default amateurish wordpress theme with the brand color of Tor for the texts.

I remember reading good articles on this blog in the past but this new design makes it painful to read or scroll anything.

Please rollback to the old design where you could see each element in a concise way.

Sorry for the rant, this is because I really care about Tor and hate seeing things going obviously wrong.

Anonymous

June 09, 2018


Just remember that Tor is updated only after the NSA and FBI have conducted their investigations. Remember when Dingledine let CMU run its attack? Tor is consumer grade security.

Anonymous

June 09, 2018


Hello, I have an issue. Whenever I try to watch any video, I get the following error message: "no video with supported format and mime type found". I've tried everything I've found online but haven't found a solution yet. Could anyone please help?

You mean this blog? We're privacy advocates and human rights advocates, not (for the most part) hackers.

But take a look at the PKI certificate for blog.torproject.org. Weird, ain't it? Not a certificate controlled by Tor Project, and it is shared with numerous other domains including a company called forensicon.com. Makes you think, huh? Especially since TP is refusing to answer questions about it.

The PKI cert for www.torproject.org looks fine, BTW.
