Tor Browser 4.5a5 is released

The Tor Browser team is proud to announce the release of the fifth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a5 is based on Firefox ESR 31.6.0, which features important security updates to Firefox.

We're very excited about the usability and security improvements in this release. On the usability front, we've created a FreeDesktop-compatible launcher wrapper for Linux that can be invoked from either the GUI or the shell, and we also provide Windows users with the ability to add optional Start Menu and Desktop shortcuts. The circuit usage of Tor Browser has also been improved to avoid transitioning to a new circuit for a website while it is in active use.

On the security front, the Security Slider now has full descriptions of the browser behaviors that are changed at each security level. We've also made improvements to our display resolution fingerprinting defenses to automatically resize the browser window to a 200x100 pixel multiple after resize or maximization, and to perform similar resizing for full screen HTML5 video. Finally, the Windows releases are also now signed using the hardware signing token graciously provided to us by DigiCert, so Windows users should no longer be warned about Tor Browser being downloaded from an "unknown publisher".
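As an added illustration of the 200x100 rounding described above (example code written for this page, not Torbutton's own implementation): it rounds an available content area down to the grid, clips the initial height to 1000px as the change list notes, and counts how many distinct content sizes a site could still observe. The step sizes and the 1000px clip come from this release; the function names, the sample display sizes and the handling of displays smaller than one grid cell are assumptions of the example.

```javascript
// Added example for this page, not Torbutton's own code. Grid steps and the
// 1000px initial height clip come from the release notes; the function
// names and the handling of displays smaller than one cell are assumptions.
const WIDTH_STEP = 200;
const HEIGHT_STEP = 100;
const MAX_INITIAL_HEIGHT = 1000;

// Largest grid-aligned content size that fits in the available area.
// With initial=true the height is also clipped to 1000px (Bug 13650).
function roundContentSize(availWidth, availHeight, initial = false) {
  // Round down to the grid, but never below one cell, so a tiny display
  // still gets a usable window instead of a zero-sized one.
  const width = Math.max(WIDTH_STEP,
    Math.floor(availWidth / WIDTH_STEP) * WIDTH_STEP);
  let height = Math.max(HEIGHT_STEP,
    Math.floor(availHeight / HEIGHT_STEP) * HEIGHT_STEP);
  if (initial) {
    height = Math.min(height, MAX_INITIAL_HEIGHT);
  }
  return { width, height };
}

// Distinct content sizes a site could observe on a display of this size:
// every pixel combination without rounding, only whole grid cells with it.
function observableSizes(screenWidth, screenHeight, rounded) {
  if (!rounded) {
    return screenWidth * screenHeight;
  }
  return Math.floor(screenWidth / WIDTH_STEP) *
    Math.floor(screenHeight / HEIGHT_STEP);
}

// Upper bound on the identifying information in the content size, in bits,
// assuming each observable size is equally likely (a simplification).
function sizeEntropyBits(screenWidth, screenHeight, rounded) {
  return Math.log2(observableSizes(screenWidth, screenHeight, rounded));
}

// Constructed sample: a maximized window on a 1920x1080 display and the
// initial window on a 1024x768 display.
function demo() {
  return {
    maximized1080p: roundContentSize(1920, 1080),            // 1800 x 1000
    initial1024x768: roundContentSize(1024, 768, true),      // 1000 x 700
    rawBits: sizeEntropyBits(1920, 1080, false).toFixed(1),  // "21.0"
    gridBits: sizeEntropyBits(1920, 1080, true).toFixed(1),  // "6.5"
  };
}
```

On a 1024-pixel-wide display the widest grid-aligned content area is 1000px, which is what the rounding produces for that width.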

And those are just the highlights. The complete list of changes since the 4.5a4 release is as follows:

  • All Platforms
    • Update Firefox to 31.6.0esr
    • Update OpenSSL to 1.0.1m
    • Update Tor to 0.2.6.6
    • Update NoScript to 2.6.9.19
    • Update HTTPS-Everywhere to 5.0
    • Update meek to 0.16
    • Update Tor Launcher to 0.2.7.3
      • Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
    • Update Torbutton to 1.9.1.0
      • Bug 9387: "Security Slider 1.0"
        • Include descriptions and tooltip hints for security levels
        • Notify users that the security slider exists
        • Flip slider so that "low" is on the bottom
        • Make use of new SVG and MathML prefs
      • Bug 13766: Set a 10 minute circuit lifespan for non-content requests
      • Bug 15460: Ensure FTP urls use content-window circuit isolation
      • Bug 13650: Clip initial window height to 1000px
      • Bug 14429: Ensure windows can only be resized to 200x100px multiples
      • Bug 15334: Display Cookie Protections menu if disk records are enabled
      • Bug 14324: Show HS circuit in Tor circuit display
      • Bug 15086: Handle RTL text in Tor circuit display
      • Bug 15085: Fix about:tor RTL text alignment problems
      • Bug 10216: Add a pref to disable the local tor control port test
      • Bug 14937: Show meek and flashproxy bridges in tor circuit display
      • Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
      • Bug 13019: Change locale hiding pref to boolean
      • Bug 7255: Warn users about maximizing windows
      • Bug 14631: Improve profile access error msgs (strings).
    • Pluggable Transport Dependency Updates:
      • Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
      • Bug 15265: Switch go.net repo to golang.org/x/net
    • Bug 14937: Hard-code meek and flashproxy node fingerprints
    • Bug 13019: Prevent Javascript from leaking system locale
    • Bug 10280: Improved fix to prevent loading plugins into address space
    • Bug 15406: Only include addons in incremental updates if they actually update
    • Bug 15029: Don't prompt to include missing plugins
    • Bug 12827: Create preference to disable SVG images (for security slider)
    • Bug 13548: Create preference to disable MathML (for security slider)
    • Bug 14631: Improve startup error messages for filesystem permissions issues
    • Bug 15482: Don't allow circuits to change while a site is in use
  • Linux
    • Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
    • Bug 12468: Only print/write log messages if launched with --debug
  • Windows
    • Bug 3861: Begin signing Tor Browser for Windows the Windows way
    • Bug 15201: Disable 'runas Administrator' codepaths in updater
    • Bug 14688: Create shortcuts to desktop and start menu by default (optional)
Anonymous

March 31, 2015

Many thanks!
I appreciate the new fingerprinting defences with regard to display resolution, but is it really necessary with JavaScript/font-stuff disabled? Maybe that functionality could toggle automatically when scripts are allowed on any open tab. Or even better, maybe there's a clever way to lie about display resolution so that script frames can render properly (by the pixel-multiple) but the overall window size is left alone -- a kind of 'anonymous' window invisibly within the user's maximised window.
Just my food for thought... Thanks again!

The browser window content area size can be detected and transmitted using pure CSS, so the fingerprinting defenses are necessary even without JS/fonts.

Is there a Bugzilla bug to add a browser feature flag that can disable sharing this sort of information with a website? I can see why the Tor team added the change to prevent maximizing, but hopefully this is just a temporary measure. For the time being I've disabled it; I don't feel that a website potentially knowing my screen size or resolution is of much harm for my use cases.

Good question. I don't think so. What we have is https://bugzilla.mozilla.org/show_bug.cgi?id=418986 (see the dependencies of it as well). I am not sure whether disabling it would be the right thing to do as detecting the screen size is probably quite helpful in laying out the content properly according to your display. I think we can find a good compromise by rounding the window dimensions.

Thanks for the clarification. Now wondering: can CSS-resolution-fingerprinting be more precise than the pixel multiples offered by this version? Either way, a clever lie in this respect seems like it could benefit usability and anonymity at once.

Anonymous

April 01, 2015

Downloaded and installed Tor Browser 4.5a5 with no problems. Not a peep of protest from my antivirus program. Using Windows 8.1, Sandboxie and obfs4.

Anonymous

April 01, 2015

Thanks for the excellent work, Torians. (Torrans? Torites? Oo, Torantulas. Hah, yes.)

Is there some more information about how the window resolution leaks data? I originally thought that the Tor Browser already applied resolution rounding even if the window was maximized. Does the change mean that the resolution is "more enforced" or was it not enforced previously?

Anonymous

April 01, 2015

Can I see the Tor network traffic in this version? I'm using Meek, and I tried Vidalia to see the network traffic when using Meek; it's unavailable too.

The newest version of ARM dates back to 3 years ago, and it is certainly unable to display the Tor traffic rate with Meek bridges. You talk about Vidalia; it lives in Tails, which is an OS where Meek is unsupported.

Anonymous

April 01, 2015

Many Tor Browser users simply disable JavaScript through the browser flags. I want the added security features that Tor Browser is adding, but I don't want it to totally prevent me from maximizing the screen. Can we please find some compromise for this?

extensions.torbutton.resize_windows = false

Developers of Tor Browser, do not use these solutions, please. I myself, damn, want to decide what size browser window I need!

I have spent half an hour looking for the correct flag in the settings that would turn off this shit. Will you move my mouse too? That is the same stupid idea! And just let the FBI know my screen resolution is 1920 * 1080; that resolution is not rare!

But nonetheless, thanks for your work; your work is very much needed!

It's not just your screen resolution, it's also the window size if the window isn't Maximized; how many toolbars you have displayed might also affect it. Suddenly, you're the only user of Torbrowser with that resolution and that allows your adversary to link all of your browsing together to get a profile of who you are and what your interests are. These incremental steps eventually lead to connecting your browsing through tor to your identity.

Sorry, but that's bullshit. Who uses toolbars or anything in a Tor browser?

99.99% of users have one of the standard resolutions. Some have a bookmark bar, some not. And that might be all there is with the Tor browser. It's just annoying, nothing else.

Anonymous

April 01, 2015

Hi. The sha256 hash that I get for torbrowser-install-4.5a5_en-US.exe doesn't match what is listed on sha256sums.txt. What I get is b672ac18e1b02fdbe395f848cf3a6810454ad9c7bdc3c9a9620b79ac70eca126
Is this correct and just an error on the txt file? Thanks in advance.

It is correct and there is no error in the txt file. In 4.5a5 we started signing the Windows executables the Windows way (using authenticode) to avoid scary warnings or broken installations. So, in order to compare the .exe we ship with the one we (or you?) built deterministically one needs to strip that signature again. Unfortunately, while stripping the signature works one does not get the same SHA256 sum back. We hope we get that fixed rather soon. You can follow https://bugs.torproject.org/15539 if you are interested.

Yes. But be careful here! The goal of Tor Browser is to make you look like the other Tor Browser users, and if you are the first to go to Panopticlick with a new Tor Browser version, you could look very unusual indeed, yet Tor Browser is still doing its job.

(I've just added this question to
https://tor.stackexchange.com/questions/6548/why-does-panopticlick-tell…
so the future humans can see it too.)

Anonymous

April 01, 2015

Excellent.

Among many other things, providing a Tor Circuit display and the Security Slider are great steps forward. Thank you.

You have obviously put a lot of careful thought into the Slider's optimizations over time. One example I see is that JS status can depend on if the connection is secure (httpS).

If time permits further tweaking of JS behavior, which seems to be crucial, please consider whether there are benefits to distinguishing JS run by the site in the URL vs. all the other JS. The other sources seem to have various specializations in tracking.

(To make all sources visible with NoScript under its Options, choose the Appearance tab and check off either Allow or Temporarily Allow).

Thank you.

Anonymous

April 01, 2015

Annoying page size now being fixed to half my window size. How can your screen size be used as a tracking method?

Because your screen size can be retrieved through JavaScript (or, as suggested above, CSS) and therefore is part of your browser's "fingerprint" that any website you visit can see (in addition to UserAgent strings and some other stuff). If your fingerprint is unique (that is, you're the only person with that specific combination of parts in your fingerprint), an adversary can link all of your browsing together. If your fingerprint isn't unique but still rare, an adversary may still try to link your browsing together and might even attribute some visits to websites to you that you never made and really don't want anyone thinking that you did. Of course, none of this allows an adversary to make the connection between your Tor browsing and your offline identity, but it gives them a starting point to do that; it gives them an identity they want to unveil.

Anonymous

April 01, 2015

Why can't I have the window wider than 1000 pixels on my 1024-pixel-wide display? I understand the display size being a distinguisher, but how was the number 1000 chosen? (is that the max size with some other window manager with giant window decorations or something?)

Anonymous

April 01, 2015

TBB always gets stuck on initial start up. Requesting relays forever, then start up times out. Start again, and boots OK.

ENU

Anonymous

April 01, 2015

This release is great, though on Windows the window still starts with empty additional spaces, but resizing fixes it. I also would like to be able to go full screen with my JavaScript off.

Anonymous

April 01, 2015

I would nix the screen resolution snapping. There are plenty of addons that already do that. However, it is automated, and doesn't limit size proportions. Cloudflare should be more of a focus. That's been a problem for about 9 months now.

Appreciate it.

Size proportions have to be limited to limit the ability to fingerprint individual users. Tor Browser can't do anything against Cloudflare. The problem is on cloudflare's end with how they are trying to limit attacks against the websites they host that come through Tor.

Anonymous

April 02, 2015

I tried with the same computer (same ISP): using 4.0.6 I can switch from meek-amazon to meek-azure or meek-google, and use "New Identity" to restart Tor; using 4.5 alpha 5, after I switch from meek-amazon to meek-azure or meek-google, I can't restart Tor using either "New Identity" or closing Tor and starting a fresh new one; it gets stuck on trying to connect to my home page.

Anonymous

April 02, 2015

The full screen resizing should be reconsidered. It is a usability nightmare. I can't watch videos full screen.

Anonymous

April 02, 2015

Sometimes I think I'm being overly cautious, but then I find out things like my screen's resolution could be used to fingerprint me. Wow, and it's been known for at least seven years.
It was kind of annoying at first since I didn't read the release notes, but I'm grateful that the Tor Project team is taking these precautions.

I also agree with another user that the issue with sites hosted by Cloudflare should be addressed, but that's Cloudflare's fault. Cloudflare is the problem, but their response is "We don't block Tor," which is BS. I don't see how blacklisting all exit nodes or what they say are "multiple connection attempts" from one address protects sites hosted on their servers from DDOS. I've also started to notice other hosts copying their policy which is troubling.

Anonymous

April 02, 2015

Can it really be so important to stop sites knowing that I am running at 1920x1080?

Answers would be appreciated :-)

Please amend the notice that is displayed when the browser prevents maximising to include an 'override' button.

Thanks

Are the menu bar, Tabs bar, address bar and Bookmark bar all the same height?
If not, you should make them equal to reduce fingerprinting.

Also, allow a proper maximised window on 1920x1080p maybe with a fixed number of menu bars visible?

Anonymous

April 02, 2015

The GitHub version of random-agent-spoofer sends different screen resolutions to the web server. Based on some standard screen resolutions + how you resize the Firefox window, it makes it impossible for the web server to detect or guess your real resolution. Can I add this addon to Tor Browser?

Epic Browser is based on Chromium, so it (probably) has the same concerns (missing APIs, not following proxy settings for certs on Windows, etc.) Without looking at the code I can't be sure.

Anonymous

April 03, 2015

Thanks for the resizing changes, stops me having to do my hacky fixes. To solve the problems above, I think you should keep the 200x100 but also allow the 10 most common sizes such as 1920x1080.

Anonymous

April 03, 2015

Screen sizing is a real nightmare. Sometimes, if the window is diminished in size, it then refuses to go back to its original size as at start-up. The only way to then use it is to pull the window to the size you want.

Anonymous

April 03, 2015

A lot of people appear confused about inner window size fingerprinting. The anonymous browser test at http://ip-check.info/ should clear up your confusion.

Here's an example of the results you'll see:

Browser window:
1000 x 500 pixels (inner size)

Now maximize your window. You would expect to see:

Browser window:
1920x1080 pixels (inner size)

Wrong! Because CSS works with the inner window size. Thus it depends on how big your address bar is, whether you have the Tool Bar Menu hidden or exposed, and whether you have any addons. All those things affect your (inner window size) and are thus fingerprintable.

Anonymous

April 04, 2015

I like the screen sizing.

I have some other observations though. I get the feeling that this version is slower and less responsive than the previous one. Even if I disable JS using about:config.

Another observation has to do with NoScript. I used to be able to allow only specific domains in a web page, and now it only has an option to allow everything on a web page. On some pages like reddit the icon is blue instead of red.

Re NoScript granularity, I also prefer blocking ability per-site as in several versions ago.

If you want to get it back (but could help fingerprint you as selectively allowing):
Right click: Select NoScript; Options. In Options dialog box check off the 3rd or 4th checkboxes from the top ("Allow" or "Temporarily Allow").

Blocking per-site is exactly what you don't want from a fingerprinting perspective. Sites can tell if their javascript is being loaded or not, so the configuration of sites that you block or allow becomes part of your fingerprint, and the manual method that you describe tends to have everyone blocking and allowing a slightly different list of sites. The end result is that the number of users with your fingerprint are significantly lower, making your browsing pseudonymous as opposed to anonymous.

The multiple site data you suggest is collected must be collected by a single adversary or a cooperating set of adversaries. A site such as facebook puts 'bugs' on many non-facebook websites.

But more common is a single site analyzing only their own visitor data. A browser with js disabled will be unusual within the site's visitor data.
However, tbb visitors are already obvious, and analyzing only tbb visitor data will probably show that many tbb users disable js.

By the way, panopticlick implies that disabling js reduces bits of data, but as you suggest, fewer bits of data in itself makes that browser less common.
We careful web users among stupid web users face a similar problem as smart voters face in democratic countries full of stupid manipulable voters.