Tor Browser 5.0 is released

The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because Mozilla fixed numerous other potential security issues in it. (Incidentally, users of the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue.)

This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on YouTube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.

The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.
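
Why coarser clocks blunt keystroke fingerprinting, as an added example that is not Tor Browser code: two constructed typing samples are compared as a page script would see them, first with exact event times and then with times rounded down to a fixed granularity. The 100 ms granularity, the function names and the sample timestamps are assumptions; the announcement does not state the value used.

```javascript
// Added illustration; not Tor Browser source code.
// ASSUMPTION: 100 ms is the clock granularity exposed to page scripts.
const RESOLUTION_MS = 100;

// Round a timestamp down to the granularity a page script is allowed to observe.
function clampTimestamp(ms, resolution = RESOLUTION_MS) {
  return Math.floor(ms / resolution) * resolution;
}

// Intervals between consecutive keydown events ("flight times"), the core
// feature used by keystroke-dynamics profiling.
function flightTimes(timestamps) {
  return timestamps.slice(1).map((t, i) => t - timestamps[i]);
}

// Mean absolute difference between two typing profiles of equal length.
function profileDistance(a, b) {
  if (a.length !== b.length || a.length === 0) {
    throw new RangeError("profiles must be non-empty and of equal length");
  }
  return a.reduce((sum, v, i) => sum + Math.abs(v - b[i]), 0) / a.length;
}

// What a script can learn about two typists, before and after clamping.
function compareTypists(a, b, resolution = RESOLUTION_MS) {
  const clamp = (ts) => ts.map((t) => clampTimestamp(t, resolution));
  return {
    raw: profileDistance(flightTimes(a), flightTimes(b)),
    clamped: profileDistance(flightTimes(clamp(a)), flightTimes(clamp(b))),
    clampedIntervals: flightTimes(clamp(a)),
  };
}

// Constructed keydown times in ms for two people typing the same six keys.
const typistA = [1000.0, 1112.4, 1201.9, 1347.3, 1430.8, 1566.1];
const typistB = [1000.0, 1148.7, 1263.2, 1371.5, 1489.0, 1541.6];

const result = compareTypists(typistA, typistB);
console.log(`raw profile distance:     ${result.raw.toFixed(1)} ms`);
console.log(`clamped profile distance: ${result.clamped.toFixed(1)} ms`);
console.log(`intervals seen by script: ${result.clampedIntervals.join(", ")}`);
```

Rhythm differences larger than the granularity survive clamping, so a coarse clock reduces this signal rather than removing it.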

Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.

This release will also reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Starting with this release, Tor Browser will also download and apply upgrades in the background, to ensure that users upgrade more quickly and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

Here is the complete changelog since 4.5.3:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.34
    • Update meek to 0.20
    • Update Tor to 0.2.6.10 with patches:
      • Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
      • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update Torbutton to 1.9.3.2
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
    • Bug 13247: Fix meek profile error after browser restarts
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 15910: Disable Gecko Media Plugins for now
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results.
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
    • Bug 1517: Reduce precision of time for JavaScript
    • Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
    • Bug 16311: Fix navigation timing in ESR 38
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
    • Bug 15773: Enable ICU on OS X
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
    • Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt
Anonymous

August 12, 2015

Just my 2cents:
No crash here till now. But I was a bit pessimistic from older major upgrades. 4.5.3 was rock stable for me, so I just created a new user and gave him the new 5. (running debian).
Anyways: Thanks to the team for their work!

Anonymous

August 12, 2015

Once the download was finished, the torbrowser installer was removed automatically by norton antivirus.

The warning was as below:
Threat name: WS.Reputation.1
Category: Insight Network Threat

Why? Is TB Installer safe, or any virus included inside?

Why? Is TB Installer safe, or any virus included inside?

No, there's NO virus included in TBB. Both Norton and Symantec use the same heuristics engine to flag programs such as TBB that don't have more than five users using Norton or Symantec to scan for viruses and malware.

That's why Norton and Symantec named it a "threat" based on "reputation".

So this issue will resolve with time. Right?

When more than 100 people are using Norton or Symantec to scan TBB 5.0, then the warning about the so-called "reputational threat" will disappear. The question is: how many TBB users are using Norton/Symantec to scan TBB files?

Anonymous

August 12, 2015

"upgrade quicker and with less interaction"

What exactly does less interaction mean here?

Do I get a say at all

And if I say no will you nag?

Anonymous

August 12, 2015

Many thanks to the Tor team for all the hard work. Hopefully the fix for crashes comes soon. I read the ticket with Google Maps causing the browser to crash - WordPress admin area does that too, though equally difficult to replicate because sometimes a task that crashed the browser before, now works, but a different task crashes it.

For the time being, I went back to 4.5.3, which is a rock solid version, like another commenter mentioned earlier. Either way, many thanks again for all the hard work.

Anonymous

August 12, 2015

i like to have control over what's going on, so i would like to disable the autoupdate feature.
are there any known privacy/security risks involved when setting app.update.auto to false (except for the obvious fact that my browser won't be up to date ASAP)?

Anonymous

August 12, 2015

I had to uninstall the newest version due to the freezing and closing unexpectedly problem. Fix that particular issue and I may upgrade.

Anonymous

August 12, 2015

Maximizing the browser window is still not working. Unbelievable.

Hi,
have read about that security aspect of screen size many times and never understood it. Standard seems to be 1024x768. But as I think, THIS is outstanding and unique and makes fingerprinting easy, as there should hardly be many users with such old equipment anymore. At least I think so. Why not set the standard to 1280x1024 as it is much more ergonomic and most (?) websites are designed for that and up?

Those users who have a super extravagant monitor (eg. a 5000x4000 monster) should use their brain and reduce to somewhat more common. Using Tor shouldn't replace using brain :)

BTW: I can and do raise resolution up to the last mentioned one. In 4.53 there is no nag/reminder. In 5.0 there is, but I can ignore it.

Sorry if this is a dumb question/proposal.

First of all, it's surprisingly hard to get people to "use their brain" as you put it. Since everyone has different experiences everyone has a different idea of "common sense;" what you find as trivial other people don't have the experience to understand.
I don't see why you think 1280x1024 is a good resolution. I'm using a Laptop with 1366x768 as a max, and it isn't that old. TorBrowser has a large userbase, and they can't always pick up optimum hardware for browsing. The more people using TorBrowser the better the anonymity for everyone.
As a final point: Yes, setting the resolution to 1024x768 may make it easier to figure out who is using TorBrowser versus who isn't, but that's already a trivial task. Tor itself doesn't hide the fact that you're using it to the site that you connect to, and TorBrowser already sends information in the HTTP request that distinguishes it from most users' normal Firefox. The goal of fingerprinting defense isn't to make it harder to determine who is using tor and TorBrowser, but to make all of the users of TorBrowser look the same.

Thanks for your response, I still have to take some time to think about the arguments. At least some points are still making me think about:

In the design page for Tor (chapter about screen size etc), which is quite a very technical one and I had to read it several times, I have seen sentences like or in the meaning of 'whatever you - the user - set up in your screen settings, we have provided faking of response values, so you are on the safe side' (Can look up and quote them precisely if necessary). But there were mentioned different sorts of ways for the counterpart to get fingerprints. So maybe, some can be blocked by that faking values (sort of a good nanny taking care of the user) and other can't, leaving a possible danger...

From that I understood, that some internal safety net is provided by the team who designed TB to let leak as little information as possible.

What concerns me most is: If I do act against the rules in this case (choosing fullscreen on 1280x1024 on a desktop PC), whom and to what amount do I jeopardize. Just myself? Other Tor users? The Tor system in whole?

Btw more important: how about using 4.5.3 instead of 5.0?

If it's just increasing my personal risk, I could live with that. If increasing the risk for others, I would be more convinced to act as the average John Smith in the swarm :)
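
The point made in the reply above, that the defense aims to make all Tor Browser users look the same, worked through as an added example that is not part of the original comments or of Tor Browser's code. It compares the anonymity sets a website sees when eight constructed users report their exact maximized window size with the sets it sees when every window is rounded to shared buckets. The rounding rule (multiples of 200x100 px, capped at 1000x1000 px), the function names and the sample sizes are assumptions.

```javascript
// Added illustration; not Tor Browser source code.
// ASSUMPTION: new windows are rounded down to a multiple of 200x100 px and
// capped at 1000x1000 px. The page itself does not state the rule.
function bucketWindow(width, height, stepW = 200, stepH = 100, cap = 1000) {
  const round = (v, step) => Math.min(cap, Math.floor(v / step) * step);
  return `${round(width, stepW)}x${round(height, stepH)}`;
}

// Group users by the value a website can read; each group is an anonymity set.
function anonymitySets(users, keyFn) {
  const sets = new Map();
  for (const u of users) {
    const key = keyFn(u);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Bits of identifying information in a value shared by `count` of `total` users.
function surprisalBits(count, total) {
  return Math.log2(total / count);
}

// Summarise the worst-off user: the one in the smallest anonymity set.
function summarize(users, keyFn) {
  const sets = anonymitySets(users, keyFn);
  const smallest = Math.min(...sets.values());
  return {
    distinctValues: sets.size,
    smallestSet: smallest,
    worstCaseBits: surprisalBits(smallest, users.length),
  };
}

// Constructed sample: usable content-area sizes of eight maximized browsers.
const users = [
  { w: 1366, h: 657 }, { w: 1366, h: 683 },
  { w: 1280, h: 913 }, { w: 1280, h: 939 },
  { w: 1440, h: 789 }, { w: 1600, h: 789 },
  { w: 1920, h: 1007 }, { w: 2560, h: 1327 },
];

const maximized = summarize(users, (u) => `${u.w}x${u.h}`);
const bucketed = summarize(users, (u) => bucketWindow(u.w, u.h));
console.log("maximized:", maximized);
console.log("bucketed: ", bucketed);
```

In this sample every maximized window is unique, while bucketing leaves no user in a set smaller than two.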

Anonymous

August 12, 2015

Regarding signatures:
I've been using Tor Browser 4.5.3. A browser's own update window appeared so I clicked to update to 5.0, however I didn't notice that a signature was checked after downloading, so I'm quite worried. I use Debian and there is a "torbrowser-launcher" package which always checks signatures after downloading new release (somehow it doesn't work now, so I launch TorBrowser directly from its directory). Honestly I don't dare to launch 5.0 without a correct sig. Is this new auto-update feature going to check sigs?

Regarding pdf.js:
Was Firefox vulnerable to this exploit even when pdf.js was disabled with "pdfjs.disabled" in about:config?

Thanks

I will ask a slightly different question

Was Firefox vulnerable to this exploit even when pdf.js was disabled with javascript disabled in about:config?

Anonymous

August 12, 2015

Will the upcoming v5.0 stable release of the Tor browser include any of the bloatware from Firefox ESR v38.2, like Hello, Pocket, Reader+, Share and other WebRTC related code? I hope so because this in my opinion will make Firefox slower and more vulnerable to attacks, which means on your part there will be more security patches for you to release.

Will the upcoming v5.0 stable release of the Tor browser include any of the bloatware from Firefox ESR v38.2, like Hello, Pocket, Reader+, Share and other WebRTC related code?

I'd like to know the answer too. Having bloatware from Firefox 38.2 ESR only increases the attack surface of TBB.

Anonymous

August 12, 2015

Had a few freezes after update yesterday so did a fresh install on my thumb drive, only been on it total few hours but so far so good (knocks on wood)

Anonymous

August 12, 2015

"Many thanks to the Tor team for all the hard work. Hopefully the fix for crashes comes soon. " My ass.
I've donated money to this project year after year because I'm a journalist in conflict zones and I'm amongst the few that doesn't use this software to jerk off to illegal porn or to tell their friends about how cool it is to use anonymizing software. To me, this is a real life necessity. Today, the endless amount of crashes this STABLE FORCED UPDATE which sorts an issue that could easily have been blacklisted in an easier way than an ENTIRE PRODUCT UPDATE, got me into a REAL LIFE tight spot. A very distressing situation of which I will not reveal any detail here, though I'll say this much:
If the tor browser is a TOY, please let us know. I'll donate my money to some other project, and make use of it. If tor browser is going to be handled by teenagers without any clue of product management / lifecycle, PLEASE.. let me know. This software was based on a once serious project, understanding that the need for being anonymous comes from a very tangible threat, and not from some stupid teen paranoia.

TBB 4.5.3 was based on Firefox 31esr which is end of life and doesn't receive security updates anymore. TBB 5 is based on Firefox 38esr.

Some of the security issues fixed in the last 38esr release are likely in 31esr as well (and not fixed).

Firefox automatically makes backups of your bookmarks.
Go to your Tor Browser folder, in most cases this is: "tor-browser_en-US", then follow this path "Browser/TorBrowser/Data/Browser/profile.default/bookmarkbackups".

Hope this helps, not sure about the addons.

Anonymous

August 13, 2015

TBB5.0 is MISSING some things existing in old TBB.
Please bring back.

1. Page Crypto is missing... back already. Why?: Page Info -> Security -> 'Technical Details'

2. No eye cancer in 'about:config'. Different look.

3. Persistent entry status for 'Preferences'(about:preferences).

Anonymous

August 13, 2015

quite disappointed at new tor-browser, ver. 5
It crashes repeatedly! tens of times in just a day!!! it doesn't even let me write this feedback! :) I'm writing it with Hotspot Shield on Firefox! never expect such a thing from tor-project! :|
BUT, thanks a lot for your efforts. I sincerely appreciate it and still believe in you and wait for your updated version.
regards
a fan from Iran

I'm writing it with Hotspot Shield on Firefox! never expect such a thing from tor-project! :

Never, ever use Hotspot Shield. As a proxy and/or VPN service, it's NOT safe to use unless you want to be a target of the NSA.

But I suppose being a target of the NSA is far better than being a target of the Iranian authorities who work directly for the Ayatollah. The NSA won't throw you into prison but the Ayatollah's henchmen will.

Anonymous

August 13, 2015

just downloaded 5.0
when I try to load from the shortcut I have the Firefox message "Couldnt load XPCOM"

Anonymous

August 13, 2015

I want to enable browsing history without enabling anything else like Local storage so it won't fingerprint me online.

What is the correct way to do this?

If I check the "Don't record browsing history or website data" TB enables the cookie storage after restart. What else "website data" TB stores and how to disable it?

Anonymous

August 13, 2015

This version crashes on numerous common websites. Even browsing youtube caused this version to crash twice.

I don't think this is your fault since only Google owned websites seem to be crashing, so they're probably doing something non-standard or unique.

Anonymous

August 13, 2015

Only issue for me was having tabs open into windows instead. I encountered this when trying to view picture attachments in emails.

As someone had suggested earlier, I went to "Privacy and Security Settings." I lowered "Security Level" to the lowest.

I went to Tools > Options > General. Under Tabs, I clicked "Open new windows in a new tab instead."

I went back to "Privacy and Security Settings" and raised "Security Level" back up to High.

So it seems if we want anything changed in Tools > Options, just follow the steps I described above.

Anonymous

August 13, 2015

Have I been unmasked?

Please see below for the errors:

console.error:
[CustomizableUI]
Custom widget with id loop-button does not return a valid node
Aug 14 10:30:30.000 [notice] New control connection opened from 127.0.0.1.
Aug 14 10:30:30.000 [notice] New control connection opened from 127.0.0.1.
Aug 14 10:37:09.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
Custom widget with id loop-button does not return a valid node
*************************
A coding exception was thrown and uncaught in a Task.

Full message: TypeError: this.Paths is null
Full stack: Agent.wipe@resource:///modules/sessionstore/SessionWorker.js:236:7
worker.dispatch@resource:///modules/sessionstore/SessionWorker.js:21:24
anonymous/AbstractWorker.prototype.handleMessage@resource://gre/modules/workers/PromiseWorker.js:122:16
@resource:///modules/sessionstore/SessionWorker.js:30:41

*************************
*************************
A coding exception was thrown and uncaught in a Task.

Full message: TypeError: this.Paths is null
Full stack: Agent.wipe@resource:///modules/sessionstore/SessionWorker.js:236:7
worker.dispatch@resource:///modules/sessionstore/SessionWorker.js:21:24
anonymous/AbstractWorker.prototype.handleMessage@resource://gre/modules/workers/PromiseWorker.js:122:16
@resource:///modules/sessionstore/SessionWorker.js:30:41

*************************
Aug 14 11:02:16.000 [notice] New control connection opened from 127.0.0.1.
console.error:
[CustomizableUI]
Custom widget with id loop-button does not return a valid node
Aug 14 11:02:20.000 [notice] Owning controller connection has closed -- exiting now.

Anonymous

August 13, 2015

Windows 10 is a data leecher! How will Tor Browser work in Windows 10?