Tor Browser 5.0 is released

The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because numerous other potential security issues were fixed by Mozilla in this release. (Incidentally: Users who are using the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue as well).

This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.

The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.

Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.

This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

Here is the complete changelog since 4.5.3:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.34
    • Update meek to 0.20
    • Update Tor to 0.2.6.10 with patches:
      • Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
      • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update Torbutton to 1.9.3.2
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
    • Bug 13247: Fix meek profile error after bowser restarts
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 15910: Disable Gecko Media Plugins for now
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results.
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
    • Bug 16311: Fix navigation timing in ESR 38
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
    • Bug 15773: Enable ICU on OS X
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
    • Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt

I upgraded to Windows 10 from 8.1. I have portable Tor Browser on a 2.0 flash drive. My Tor Browser refuses to run on Win 10. Went back to Win 8.1 and Tor Browser runs as it always did.

i

August 13, 2015

Permalink

Font fingerprinting bug/regression:
The same list of fonts are detected on the new stable TorBrowser (5.0) and a default firefox profile when tested with http://ip-check.info/
I've tested this on Debian GNU/Linux Wheezy and Jessie.

Relevant tickets:
Limit the fonts available in TorBrowser - https://trac.torproject.org/projects/tor/ticket/2872
Limit fonts to a whitelist? - https://trac.torproject.org/projects/tor/ticket/16312
Enable bundled fonts in Tor Browser - https://trac.torproject.org/projects/tor/ticket/13313

Specification (see point 6)
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-d…

Perhaps for now we should set "browser.display.use_document_fonts" to 0. To prevent easy fingerprinting between sessions.

Do Tor developers approve of your suggestion?

Am I right to assume they have taken care of it? Below is the quote from "The Design and Implementation of the Tor Browser [DRAFT]" (point 6: Fonts) [URL: https://www.torproject.org/projects/torbrowser/design/#fingerprinting-d…]

"In the meantime while we investigate shipping our own fonts, we disable plugins, which prevents font name enumeration. Additionally, we limit both the number of font queries from CSS, as well as the total number of fonts that can be used in a document with a Firefox patch. We create two prefs, browser.display.max_font_attempts and browser.display.max_font_count for this purpose. Once these limits are reached, the browser behaves as if browser.display.use_document_fonts was set.

To improve rendering, we exempt remote @font-face fonts from these counts, and if a font-family CSS rule lists a remote font (in any order), we use that font instead of any of the named local fonts. "

i

August 14, 2015

Permalink

My computer time got reset 20 hours backwards once I started update!!! Had to change it again in order to start tbb

i

August 14, 2015

Permalink

On ip-check.info there are some inconsistencies, like accepted languages (intl.accept_languages = en-us, en), but it identifies as en-US, en no matter what you do.

Also on the first visit of the page, it'll ask you for name and password (have to click cancel, it's for test) and showing that dialog was sign of good security settings in browser.
Said dialog used to appear every visit, with new version it's just the very first visit and then you need to restart browser to see it again.

"Said dialog used to appear every visit, with new version it's just the very first visit and then you need to restart browser to see it again."

I tested it about one year ago, it only appeared on first visit to me. I had to restart too.

Why is that?

That's strange, it happened with 4.5 for me too, but with newer version it got fixed (appearing every visit).
Before 4.5 it was just every visit, never seen it happening differently.

i

August 14, 2015

Permalink

Unlike in the previous versions, there seems to be no SSL connection between my computer and the entry node according to Wireshark. Why is that? Is it certain that the traffic is still encrypted? Thank you

https everywhere : block all http request and
https section on noscript : recommended with tor

could help to be safe.

On hidden onion , it is certain because the address is self decrypting

Thank you
In the previous version of TBB, Wireshark certainly detected that the traffic between the entry node and my computer is encrypted. Is there any way to single this out?
Regarding https everywhere, I can't find this option. In fact, the icon is gone and it is also not listed in about:config
Can somebody of the developers please look into this? Probably it is fine, but if not that would be a serious issue.

"Do you Tor Project guys still enable javascript by default ?"
tor 5.0 is embedded with noscript ready to use : you choose the options like it suits you.

"Firefox Zero-Day Exploit used by FBI to shutdown a site on Tor Network hosting"
does it exist a test page , a tor test , showing that it is not possible anymore (2015) ?

Be sure you're running a recent enough Tor Browser Bundle. That should keep you safe from this attack. Windows users are advised to Update Tor Browser Bundle, version 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 2.4.15-beta-1 (released July 8 2013), 3.0alpha2 (released June 30 2013) includes the fix. Consider disabling JavaScript (click the blue"S" beside the green onion, and select "Forbid Scripts Globally"). Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect.

Update: According to Baneki Privacy Labs research, the IP address 65.222.202.53 hardcoded into the exploit belongs to Virginia is actually owned by Science Applications International Corporation (SAIC), a major intelligence, military, aerospace, engineering and systems contractor involved with the Federal Bureau of Investigation (FBI), Defense Advanced Research Projects Agency (DARPA) , Central Intelligence Agency (CIA) and National Security Agency (NSA).

They believe that the hardcoded IP address is directly allocated to the NSA's Autonomous Systems (AS), so its probably not the FBI, its NSA who used Firefox Zero-Day exploit to compromise Freedom Hosting and TOR network.

troll

i

August 14, 2015

Permalink

Keeps hanging in and crashing. No need a reply. Posting just so you know. Thanks

i

August 14, 2015

Permalink

**Very serious bug**

I am a reporter working in the Middle East.

To be able to send emails from within SIGaint and Mail2Tor, I need to enter captchas. Both these services are unable to accept my inputs. I had no problems with them when I was using Tor Browser Bundle version 4.5.3.

For those interested, the URLs for these two services are http://sigaintevyh2rzvw.onion/ and http://mail2tor2zyjdctd.onion/

i

August 15, 2015

Permalink

New version constantly crashes. Not usable. Prior version was stables and good.

i

August 15, 2015

Permalink

Why Tor Project stopped shipping static-linked portable tor.exe? Will it ever return?

i

August 15, 2015

Permalink

Do you hardcode absolute file paths into the Tor browser configuration files? Is there any way you could change this in the future so that we can move the Tor Browser folder around on the file system and still have Tor work at the new location?

i

August 15, 2015

Permalink

after being on youtube for few mins the new browser crashes and I keep getting this message from google when trying to sign in my own acct... Sorry, we can't process your request right now

For security reasons, Google may sometimes deny logins in cases where we believe the account's password could have been stolen. To regain access to your account, try other computers. If that doesn't work you can reset your password, or learn more

google will error with the same 2 or 3 error messages
will try make you change password
try force you to add personal telephone numbers to the account
will try to say you needed to be contacted to confirm your identity

All of which is aimed at keeping track of you,identity and location

Google isn't Tor friendly; this isn't a problem with tor or this version of Tor Browser. It's probably a combination of trying to protect their users and that they can't datamine users of tor as well.
If you've got to log into a google service using tor you can potentially use a proxy after tor, but be aware that that brings security/anonymity concerns.

i

August 15, 2015

Permalink

Thanks, I'm a big fan of tor. However, this version crashes constantly. Not just once in a while. I mean all the time.

The last comment mentioned youtube. Sure enough after 3 minutes it crashed (using all the defaults and a clean extract on Win7).

i

August 16, 2015

Permalink

Also on OS X frequent crashes of 5.0. Will figure out where to send crash reports...

i

August 16, 2015

Permalink

custom settings from official manual dont seem to work after update.
how is this possible?

i

August 16, 2015

Permalink

can i suggest ask the previous coders working on the last builds to come back.

can i suggest ask the previous coders working on the last builds to come back.

How much in US$ are you willing to pay them to make them come back?

The US National Security Agency is offering US$60,000-tax free per month per previous coder plus benefits (eg. first class travel on flights, paid accommodation in lavishly decorated penthouses, free booze and barely legal 18-year-old girls).

i

August 16, 2015

Permalink

With a new TBB does it make sense automatically change the entry node? Isn't it more secure from time to time to change it? So the entry note loses some information about my ip and so on.

Setup a bridge and you can control what is your entry node. Your bridge is the entry node and you can change it as much as you like.

For serious anonymity you should never trust the Tor chosen entry-node. When using Tor without your own bridge you should always assume you're being monitored.