Tor Browser 5.0 is released

The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because numerous other potential security issues were fixed by Mozilla in this release. (Incidentally, users of the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue.)

This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on YouTube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.

The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.
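To illustrate what isolating an identifier source to the first party (URL bar) domain means, here is a simplified model added as an example; it is not Tor Browser code. The `IdentifierStore` class, the `firstPartyDomain` helper (which approximates the domain with the last two host labels) and the sample URLs are assumptions constructed for illustration.

```javascript
// Simplified model, constructed for illustration: a browser-side store (cache
// entry, blob URI registry, favicon cache) keyed either by resource URL alone
// or by (URL bar domain, resource URL).

// Assumption: approximate the first-party domain with the last two host
// labels. Real browsers derive it from the Public Suffix List.
function firstPartyDomain(urlBarUrl) {
  return new URL(urlBarUrl).hostname.split('.').slice(-2).join('.');
}

class IdentifierStore {
  constructor(isolateToFirstParty) {
    this.isolate = isolateToFirstParty;
    this.entries = new Map();
    this.counter = 0;
  }
  // Return the identifier stored for resourceUrl, creating one on first use,
  // the way a cached response persists across page loads.
  load(urlBarUrl, resourceUrl) {
    const key = this.isolate
      ? `${firstPartyDomain(urlBarUrl)}|${resourceUrl}`
      : resourceUrl;
    if (!this.entries.has(key)) this.entries.set(key, `id-${++this.counter}`);
    return this.entries.get(key);
  }
}

// Group visited first-party domains by the identifier the embedded third
// party observed. A group with more than one domain is a cross-site link.
function linkedSites(store, visits, thirdPartyUrl) {
  const groups = new Map();
  for (const page of visits) {
    const id = store.load(page, thirdPartyUrl);
    if (!groups.has(id)) groups.set(id, new Set());
    groups.get(id).add(firstPartyDomain(page));
  }
  return [...groups.values()].map((sites) => [...sites].sort());
}

// Constructed sample input: three page loads embedding the same resource.
const visits = [
  'https://news.example/article',
  'https://shop.example/cart',
  'https://www.news.example/sports',
];
const widget = 'https://cdn.thirdparty.example/widget.js';

console.log('URL-only key:   ', linkedSites(new IdentifierStore(false), visits, widget));
console.log('first-party key:', linkedSites(new IdentifierStore(true), visits, widget));
```

With the URL-only key, the embedded resource sees one identifier on both sites and can link the visits; with the first-party key, each URL bar domain gets its own identifier.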

Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.

This release will also reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Starting with this release, Tor Browser will also download and apply upgrades in the background, to ensure that users upgrade more quickly and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

Here is the complete changelog since 4.5.3:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.34
    • Update meek to 0.20
    • Update Tor to 0.2.6.10 with patches:
      • Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
      • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update Torbutton to 1.9.3.2
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
    • Bug 13247: Fix meek profile error after browser restarts
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 15910: Disable Gecko Media Plugins for now
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results.
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
    • Bug 1517: Reduce precision of time for JavaScript
    • Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
    • Bug 16311: Fix navigation timing in ESR 38
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
    • Bug 15773: Enable ICU on OS X
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
    • Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt

Anonymous

August 16, 2015

Hello, I have been using Tor for a few years. Now I have disabled NoScript and changed to uMatrix and Privacy Badger. Also any things I know to do this in about:"..".
Please give your opinion if it is ok to do this.
For me, I think, Tor is easier to use. It is the standard browser here.
Thanks in advance and greetings from Germany.

Anonymous

August 17, 2015

Now I have disabled NoScript and changed to uMatrix and Privacy Badger. Also any things I know to do this in about:"..". Please give your opinion if it is ok to do this.

No, what you did is totally wrong and you are doing more harm than good to yourself.

You should never ever add stuff to or remove stuff from Tor Browser Bundle. Before releasing it to the public, Tor developers have tried their best to ensure that all the stuff in Tor Browser Bundle work well together to ensure the best possible anonymous experience.

You will not receive technical support if you modify parts of Tor Browser Bundle yourself, that is add your own stuff to or remove official stuff from Tor Browser Bundle. You are on your own. You have been forewarned.

Not that The Tor Project provides technical support in the first place...
It should be mentioned that using nonstandard addons may change your fingerprint in addition to potentially adding a vulnerability. Fingerprinting may or may not be a concern based on your threat model, but even if it isn't a concern for you it is still a concern for others, and it does help them if you don't alter your Tor Browser from its defaults.

Not that The Tor Project provides technical support in the first place...

With due respect, I believe it or its supporters who are themselves experts do, on a best effort basis.

Firstly, via email (the email address is stated on Tor's official website).

Secondly via this blog site.

Thirdly Tor's webpage on StackExchange.

Fourthly Tails' support mailing list.

Please be specific: plugins are different from addons.
Of course, it's suggested you don't add either of them, but a trusted addon is probably just going to make it easy to fingerprint you while a plugin can easily leak your real IP all over the place. Of course, a malicious addon could do that too.

Plug-in and add-on are two terms that point to the same functionality; they are simply extensions that extend the usability of the program. It just depends on the software maker what to call the software extensions of their programs. These extensions could be made by other companies, individuals, or by the software makers themselves.
Plug-in is the term that is usually used when referring to third party software that is meant to interact with a certain program (plug-in flash player).
An Add-on also extends the functionality of a certain program but they are usually meant to function on a certain program(add-ons that are meant for Firefox would only work with Firefox).
The separation between an add-on and a plug-in is not really that clear. They are both made to do specific functions that are suited to a certain user’s preference.
Add-on: essentially anything that can be installed into the browser. This includes for example extensions, themes, plugins, dictionaries, language packs, search engines.
Mozilla uses the term "add-on" as an inclusive category of augmentation modules that consists of plug-ins, themes, and search engines.
Extension: a package extending browser functionality

Fingerprinting is another subject (answered on this page), leaking the IP is another, and a malicious add-on is another.

Usually, an add-on or a plugin or an extension is not built for the purpose of leaving a big fingerprint or leaking the IP or being malicious. I suggest you add all the extensions, plugins or add-ons you wish and even ask the Tor team to include them in the next release if you think that they can improve your surfing.

Anonymous

August 17, 2015

What fingerprinting would there be if I enable Preferences/Advanced/General/Use hardware acceleration when available?

Anonymous

August 17, 2015

There's a lot of crashes from this version, and it comes from watching videos or having too many things going on at one time, which never happened before. If I watch a YouTube video I have to do it 1 at a time, otherwise it crashes. If I have Tumblr on, it can only be 2 tabs because the gifs on Tumblr are another video that make it crash. I can't press embedded videos of YouTube cuz it crashes. When I'm avoiding videos altogether I can only have 2 (and maybe 3 if I'm risky) open. Any more and it crashes. I really hope this is fixed in the future.

Anonymous

August 17, 2015

As soon as you change the settings, it becomes less secure.

"Before releasing it to the public, Tor developers have tried their best to ensure that all the stuff in Tor Browser Bundle work well together to ensure the best possible anonymous experience." as another post already said.

About fingerprinting (erase all your cookies/block HTTP requests/check NoScript options): on EFF, a test can be performed showing you the level of anonymity you obtain (see the Stack Exchange questions and answers for the discussion).

https://myshadow.org/panopticlick
https://panopticlick.eff.org/
https://nakedsecurity.sophos.com/2014/07/28/panopticlick-reveals-the-co…

You can try the hardware acceleration option with this EFF test (Panopticlick) and see the result. Do not forget after each test to take another identity/circuit to erase the old fingerprint.

Tor solution:
1° new identity
2° new Tor circuit
3° security level High

Anonymous

August 19, 2015

Does anyone else notice huge spikes in CPU usage when the updater is active?

On an admittedly very old computer with Ubuntu the process is consistently using 50-70% of the CPU, making the computer pretty much unusable until I kill the process.

Anonymous

August 19, 2015

Regarding the CPU usage: Also of note is if you store any data (old or new) in the Tor download folder, Tor apparently tries to copy these files to Browser/updated/Downloads (especially notable with Tails images or other large files).

Anonymous

August 22, 2015

Never again will I trust auto upgrade of TBB.
It isn't the first time it's trashed my installation.