Tor Browser 4.5.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.2 provides a fix for the Logjam attack (https://weakdh.org/) and updates a number of Tor Browser components: Tor to version 0.2.6.9, Torbutton to version 1.9.2.6, NoScript to version 2.6.9.26 and HTTPS-Everywhere to version 5.0.5. Moreover, it fixes a possible crash on Linux and avoids breaking the Add-ons page if Torbutton is disabled.

Here is the complete changelog since 4.5.1:

All Platforms
- Update Tor to 0.2.6.9
- Update OpenSSL to 1.0.1n
- Update HTTPS-Everywhere to 5.0.5
- Update NoScript to 2.6.9.26
- Update Torbutton to 1.9.2.6
  - Bug 15984: Disabling Torbutton breaks the Add-ons Manager
  - Bug 14429: Make sure the automatic resizing is disabled
  - Translation updates
- Bug 16130: Defend against logjam attack
- Bug 15984: Disabling Torbutton breaks the Add-ons Manager
Linux
- Bug 16026: Fix crash in GStreamer
- Bug 16083: Update comment in start-tor-browser

> Update OpenSSL to 1.0.1n I

> Update OpenSSL to 1.0.1n

I take it then that Tor/Firefox are not effected by the HMAC ABI breakage that required the v1.0.1o release of OpenSSL the day after v1.0.1n?

That is our current

That is our current understanding, yes. Thus, even pointing to a system tor or copying a self-compiled tor into the respective Tor Browser directory should not break things for users.

The regular Tor Browser update in two weeks will ship with OpenSSL 1.0.1o then.

By the way: "The regular Tor

By the way:

"The regular Tor Browser update in two weeks"

Will this update be 4.5.x or 5.x.x ??

4.5.3 ad 5.0a3

To: mikeperry, gk, arma,

To: mikeperry, gk, arma, erinn, et. al.

Firstly thanks for bringing out the latest update.

Secondly, according to gk, the next update of Tor Browser will include OpenSSL 1.0.1o.

Please, please, co-ordinate with Tails' developers so that Tails will have a Tor Browser that includes OpenSSL 1.0.1o and the latest updates from you guys. Your ability to work with Tails as a team and in-sync would be appreciated. For your info, according to Tails' website, the next update of Tails is scheduled for June 30.

Yes, the next Tor Browser

Yes, the next Tor Browser release is scheduled for the same day. So, everything should work out.

Why not using OpenSSL 1.0.2c?

My Windows PC has the

My Windows PC has the OpenSSL 1.0.2 branch in the system directory. Do you perceive possible conflicts with TorBrowsers OpenSSL 1.0.1 when using TorBrowser?

Are there security/anonymity benefits of using OpenSSL 1.0.1 over 1.0.2?

Are there security/anonymity

Are there security/anonymity benefits of using OpenSSL 1.0.1 over 1.0.2?

You will receive a faster response if you re-post your question on https://tor.stackexchange.com/

What's with the first

What's with the first question of that post Mr. Picky?

> You will receive a faster

> You will receive a faster response if you re-post your question on https://tor.stackexchange.com/

No, you won't. I asked the same question over a month ago and got no responses.

What's the difference

What's the difference between "new identity" and "new circuit for this site"?

New identity clears the

New identity clears the browser state.

What's the difference

What's the difference between "new identity" and "new circuit for this site"?

You will receive a faster response if you re-post your question on https://tor.stackexchange.com/

"New Tor Circuit for this

"New Tor Circuit for this Site" just gives you a new Tor circuit for the particular website leaving all your browser state (cookies, etc.) untouched. "New Identity" gives you basically a clean, new browser session.

Thanks guys!

Not sure if a bug - windows

Not sure if a bug - windows resizing is not working properly. When I open tbb and go to ipcheck.info my monitor screen sizes varies from 999 x 490 pixels and other variations of this instead of the default size intended for TBB.

works without problem on my

works without problem on my system: when I open ipcheck.info, I get 1000x600 pixels, which seems to be the intended value.

which operating system do you use?? maybe your window manager will mess up things...

I get--> Browser window

I get--> Browser window 1004 x 632 pixels (inner size)

on Windows.

The link

The link "https://weakdh.org/" is not working. I always get that "Problem loading page" thing...

The time: 14:30:00 UTC

now it works! I guess I was

now it works! I guess I was simply too impatient ::-)

ERROR: Not all signatures

ERROR: Not all signatures were verified

Is the signature's process during update not yet ready ?

What is broken in particular?

The error message during the

The error message during the update is scary:
Jun 17 20:55:54.000 [notice] New control connection opened from 127.0.0.1.
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
Jun 17 20:56:15.000 [notice] Owning controller connection has closed -- exiting now.

Did we install hacked software?

No, see:

No, see: https://bugs.torproject.org/15532 for the background of this issue.

Some files from

Some files from https://dist.torproject.org/torbrowser/4.5.2/ has 0 byte size

for example: tor-win32-0.2.6.9.zip, torbrowser-install-4.5.2_it.exe, TorBrowser-4.5.2-osx64_es-ES.dmg.asc and others.

This should be fixed now,

This should be fixed now, thanks for reporting.

What is the fix for Logjam,

What is the fix for Logjam, disabling DHE ciphers or requiring minimum bitness, and If bits, how many?

Disabling DHE ciphers is one

Disabling DHE ciphers is one option but Mozilla did not do this. Rather, the fix we backported bumped the minimum key size. It is now 1024 bits.

Ok, thanks :)

SHA256 checksum doesn't

SHA256 checksum doesn't verify

https://dist.torproject.org/torbrowser/4.5.2/sha256sums-unsigned-build…

2de1e369dea4b2c6a1192bad8b65e9cfb70ea2830ddb2ab0305be95cddbcda84 torbrowser-install-4.5.2_en-US.exe

As the name of the file

As the name of the file implies this is the checksum of the *unsigned* .exe. Have you stripped the authenticode signature first, before comparing the SHA 256 sums? See: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…

SHA256 checksum doesn't

SHA256 checksum doesn't verify

My personal experience is if you are using Microsoft Windows OS, you could try installing gpg4win and use it to verify torbrowser-install-4.5.2_en-US.exe.asc against torbrowser-install-4.5.2_en-US.exe

gpg4win is available for free from: http://www.gpg4win.org/download.html

AVG attacks Torbrowser

AVG attacks Torbrowser durning installation. (4.5.2 WIN)

Hadn't happened here, with

Hadn't happened here, with AVG on my Windows.

Same. Tried installing it

Same. Tried installing it differently as well.

same. AVG detect Unknown

same. AVG detect Unknown Virus during installation / upgrade of 4.5.2
Win 7

AVG exactly found a threat

AVG exactly found a threat named "IDP Generic Whitelisted". If let it repaire it deletes the tor.exe. Or you should add to AVG exceptions. I`v controlled the fingerprint and it was OK, but i don`t want punch a hole on my firewall with the exception. Please help me find a solution.

Tor browser is often unable

Tor browser is often unable to connect to the Tor network or pages
do not load.It works well only in Linux.I am in Russia.Can somebody
help?

I've tried to download the

I've tried to download the italian version but it's 0 byte large.
Can you check and solve this problem?
Thanks.

This should be fixed now,

This should be fixed now, thanks for reporting this issue.

Tor had finally been working

Tor had finally been working well for commenting on political sites. I could get a new circuit quickly, which is necessary for sites that have blocked many of Tor exit IPs. It is necessary to try many IPs before a post can get through the site's block list.

Now it is frigged up again, since getting a "new circuit for this site" reloads the page. The process takes much longer. Why did you change what had worked well?

If you people have no conception of what it is like to try and use Tor for online commenting, what in heaven's name are you using Tor for? Pirating movies?

Maximizing the browser

Maximizing the browser window still does not work (4.5.2 WIN). The maximize window button does odd things: resulting window too high for screen, or window reduced to a bar. I'd like to start maximized. What can I do?

Are you sure you want to

Are you sure you want to maximize? Are you aware of the fingerprinting implications?

I have the same issue.

I have the same issue. Unable to expand the TOR browser window. (Version 4.5.2 Windows 8.1) I could not find any options to correct this problem. Please help.

Domain isolation still

Domain isolation still broken. Can't download anything from any file host tried. When will this be a toggle?

Could you give me steps to

Could you give me steps to reproduce your problem?

And on 4.5, only worked

And on 4.5, only worked sometimes or with a new circuit created manually.

Link gets deleted because

Link gets deleted because *obviously* it is evil. If repeat, look at end of ticket 15933, and just find any link to that site anywhere. Last worked on 4.5

tor-browser-linux32-4.5.2_en-

tor-browser-linux32-4.5.2_en-US does not work for me:

$ ./start-tor-browser
$ echo $?
126

Upcoming Events

October 21, 2019 - October 27, 2019

Mozz Fest (London)

October 30, 2019

Swiss Web Security Day (Bern)

November 01, 2019

Driving IT (Copenhagen)

See All Upcoming Events

Recent Updates

Reaching People Where They Are

Part of the Tor Project's mission is to further the popular understanding of privacy technologies, and we believe we can achieve it by combining educational efforts with usability

New release: Tor 0.4.1.6

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.1.6 from the download page on the website. Packages should be available within the next several weeks, with a new Tor Browser in the next week or two.

This release backports several bugfixes to improve stability and correctness. Anyone experiencing build problems or crashes with 0.4.1.5, or experiencing reliability issues with single onion services, should upgrade.

Changes in version 0.4.1.6 - 2019-09-19

Major bugfixes (crash, Linux, Android, backport from 0.4.2.1-alpha):
- Tolerate systems (including some Android installations) where madvise and MADV_DONTDUMP are available at build-time, but not at run time. Previously, these systems would notice a failed syscall and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
- Tolerate systems (including some Linux installations) where madvise and/or MADV_DONTFORK are available at build-time, but not at run time. Previously, these systems would notice a failed syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
Minor features (stem tests, backport from 0.4.2.1-alpha):
- Change "make test-stem" so it only runs the stem tests that use tor. This change makes test-stem faster and more reliable. Closes ticket 31554.

New Release: Tor 0.4.2.1-alpha

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.2.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release in the next couple of weeks.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This is the first alpha release in the 0.4.2.x series. It adds new defenses for denial-of-service attacks against onion services. It also includes numerous kinds of bugfixes and refactoring to help improve Tor's stability and ease of development.

Changes in version 0.4.2.1-alpha - 2019-09-17

Major features (onion service v3, denial of service):
- Add onion service introduction denial of service defenses. Intro points can now rate-limit client introduction requests, using parameters that can be sent by the service within the ESTABLISH_INTRO cell. If the cell extension for this is not used, the intro point will honor the consensus parameters. Closes ticket 30924.
Major bugfixes (circuit build, guard):
- When considering upgrading circuits from "waiting for guard" to "open", always ignore circuits that are marked for close. Previously we could end up in the situation where a subsystem is notified of a circuit opening, but the circuit is still marked for close, leading to undesirable behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.

Join the Global Climate Strike 20-27 September

Humanity is facing a climate crisis.