Tor Browser 5.0.1 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release fixes a crash bug that caused Tor Browser to crash on certain sites (in particular, Google Maps and Tumblr). The crash bug was a NULL pointer dereference while handling blob URIs. The crash was not exploitable.

Here is the complete changelog since 5.0:

  • All Platforms
    • Bug 16771: Fix crash on some websites due to blob URIs

HTML5 is new technology, "new" as compared to Adobe Flash. As such there may be countless de-anonymizing bugs in HTML5.

The NSA is busy uncovering and exploiting bugs in HTML5 to their advantage.

Use HTML5 over Tor with extreme caution. You have been forewarned.

*sigh* look, HTML5 video does have some anonymity and especially fingerprinting concerns... however, it is part of the browser itself and therefore (in Firefox's case) open source. The problem in Flash is it isn't open source so we don't have a clue what it's doing.
Although Flash also doesn't use the browser's proxy settings and therefore deanonymizes you, while HTML5 uses the browser's settings because it is the browser.

> *sigh* look, HTML5 video does have some anonymity and especially fingerprinting concerns... however, it is part of the browser itself and therefore (in Firefox's case) open source. The problem in Flash is it isn't open source so we don't have a clue what it's doing.

sigh..sigh..and..sigh

Are you suggesting that open source software is free of security vulnerabilities?

Please read the write-up "Shellshock proves open source's 'many eyes' can't see straight" (URL: http://www.infoworld.com/article/2689233/security/shellshock-proves-ope…)

I'm not saying it's free of security vulnerabilities; I'm saying that you can audit it to check if it's doing something undesirable. You don't have to trust some corporation/person/government that the software they provide doesn't spy on you, you can check it yourself.

> I'm not saying it's free of security vulnerabilities; I'm saying that you can audit it to check if it's doing something undesirable.

Look here, my original post of August 19th is in response to a post of August 18th: "Why go to youtube, by using flash player you do compromise your location."

And your reply to mine is largely out of topic. In addition it may cause confusion in those who are not tech-savvy.

People who use Tor Browser Bundle are those who desire to remain anonymous on the internet and using HTML5 video may unmask them. They do not care much about whether HTML5 is open source or proprietary/closed source.

I hate when people say shit like this. Of course you can check it yourself, but who has the proper expertise to even spot a backdoor or vulnerability? Better than closed source but still needs more professional eyes and caution.

Why cannot I get access to Tor over my old iPhone? It keeps telling me something like "sorry, you cannot download " blah blah blah. I still think someone set up a bogus rumor-net to get people to attempt to get into a system the govt ostensibly doesn't want them to gain access to. However I could give a rat's patootie what the CIA thinks I'm up to. I don't access child porn, I don't kill endangered animals but I am looking for the creepy face in the mask who speaks to me if I order illegal drugs.

Anonymous

August 17, 2015


Thanks, hopefully those experiencing this issue will now upgrade from 4.5.3 to 5.01.

Kaspersky Warning
Cannot guarantee authenticity of the domain to which encrypted connection is established

application               oracle vm virtualbox
url                       www.omwfe772jto3cmnltm2pguujg.com
reason                    invalid name of the certificate. either the name is not on the allowed list or was explicitly excluded

issued to                 www.r3m3yaiegd.net
issued by                 www.qj33ncodj.com
valid from                6/14/2015 to 11/25/2015

certification path        www.r3m3yaiegd.net

field                     value
version                   v3
serial number             00 0e fa 53 fd c6 fa 67 f7
signature algorithm       sha1rsa
signature hash algorithm  sha1
issuer                    www.qj33ncodj.com
valid from                Sunday, June 14, 2015 5:30:00 am
valid to                  Wednesday, November 25, 2015 5:29:59 am
subject                   www.r3m3yaiegd.net
public key                rsa (1024 bits)
thumbprint algorithm      sha1
thumbprint                0d 89 09 0d 36 a6 5e de c6 2a b1 63 40 67 9e 61 67 d4 58 2d

Anonymous

August 17, 2015


My browser just sent me a system notification of a pending update - please tell me, does my system know Tor was upgraded, or is everything downloaded and updated through tor+tor browser?

It's an important question and needs an answer. There is no way it could download the entire application in a few minutes of launching here...especially since the latest release has ballooned by another 30 or so MB (Mozilla's fault I guess). Unless it's just downloading a few patches and updated scripts. But I doubt it is, because it relies on Firefox's updater, right?

It makes me think it's downloading in the clear. If it is it's a massive gaffe.

We need some information.

The upgrade is downloaded through Tor.

Firefox, and hence Tor Browser, supports incremental updates, so the size of the download depends on how much has changed between versions; for the upgrade from 5.0 to 5.0.1 the corresponding .incremental.mar (Mozilla archive) file is smaller than 500K.
See https://wiki.mozilla.org/Software_Update
You can see the .mar upgrade files here: https://dist.torproject.org/torbrowser/5.0.1/

Do you also *need* to be spoon-fed the information? How about clicking the "Documentation" link and reading up yourself?

Yes, it's fetched over Tor. Yes, it downloads only a small delta (when updating consecutive releases, at least). And, at least on GNU/Linux, the package has certainly not "ballooned by another 30 or so MB" (maybe 9MB).

(I'm not a Tor developer btw.)

Anonymous

August 18, 2015


Hello Mike,

I tested this release yesterday.
YES ! Now it works like past time. :)

Anonymous

August 18, 2015


Same bug again: once "SocksListenAddress 0.0.0.0:9150" is added to torrc, Tor Browser 5.0.1 crashes at start, the same as Tor Browser 5.0. I am a Chinese user, so I cannot use Whonix without "SocksListenAddress 0.0.0.0:9150".

It's worth noting that `SocksListenAddress` has been deprecated for quite a while, so the better thing to do is to alter the `SocksPort` entry.

> (DEPRECATED: As of 0.2.3.x-alpha, you can now use multiple SOCKSPort
> entries, and provide addresses for SOCKSPort entries, so
> SOCKSListenAddress no longer has a purpose. For backward
> compatibility, SOCKSListenAddress is only allowed when SOCKSPort
> is just a port number.)
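
The migration described in the reply above, as an added example that is not part of the original thread and not Tor's own code: a small Python check that folds a deprecated `SocksListenAddress` line into the equivalent `SocksPort` entry and flags a wildcard bind that no `SocksPolicy` restricts. The function name, the sample torrc and the warning text are assumptions made for illustration.

```python
import re

# Constructed sample torrc reproducing the setting quoted in the comment above.
SAMPLE_TORRC = """\
SocksPort 9150
SocksListenAddress 0.0.0.0:9150
"""

WILDCARD_HOSTS = {"0.0.0.0", "[::]"}


def migrate_torrc(text):
    """Fold deprecated SocksListenAddress lines into SocksPort entries.

    Returns (rewritten_text, warnings). Hypothetical helper, not part of Tor.
    """
    parsed = []  # (lower-cased keyword, arguments, original line)
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        keyword = parts[0].lower() if parts else ""
        parsed.append((keyword, parts[1].strip() if len(parts) > 1 else "", line))

    listen = [a for k, a, _ in parsed if k == "sockslistenaddress"]
    if not listen:
        return text, []
    bare_ports = [a for k, a, _ in parsed if k == "socksport" and a.isdigit()]
    port = bare_ports[0] if bare_ports else "9050"  # tor's default SOCKS port
    has_policy = any(k == "sockspolicy" for k, _, _ in parsed)

    out, warnings = [], []
    for keyword, args, line in parsed:
        if keyword == "socksport" and args.isdigit():
            continue  # superseded by the address:port entries emitted below
        if keyword == "sockslistenaddress":
            addr = args if re.search(r":\d+$", args) else f"{args}:{port}"
            out.append(f"SocksPort {addr}")
            if addr.rsplit(":", 1)[0] in WILDCARD_HOSTS and not has_policy:
                warnings.append(f"{addr} is reachable on every interface; "
                                "no SocksPolicy restricts clients")
            continue
        out.append(line)
    return "\n".join(out) + "\n", warnings
```

Binding to a single interface address, or pairing the wildcard with `SocksPolicy accept`/`reject` lines, keeps the SOCKS listener from being usable by every host that can reach the machine.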

ok, as a work around, set
browser.display.use_document_fonts from 1 to 0
that brings one down to 3 fonts displayed

Anonymous

August 18, 2015


Whenever I finish a download, instead of opening the file Tor Browser crashes, deletes the shortcut and then malware is detected immediately after.

Anonymous

August 18, 2015


strange,
tried several attempts, but this blog seems to be closed for comments.

Anonymous

August 18, 2015


Thank you very much for a speedy update. I did not ever use Tumblr or Google Maps but the Linux version of 5.0 crashed repeatedly on Bruce Schneier's site (!) and usually crashed on almost any site within 5 minutes ... while the Windows version did not crash at all on the same sites. Version 5.0.1 now running for 20 minutes with 15 tabs open and all looks good. Again, thanks.

Anonymous

August 18, 2015


Hi. I'm from Iran and I'm using obfs4 as obfs3 has stopped working in Iran, but it's so slow I'm often faced with the "connection has timed out" message and can't open any web pages most of the time, even when I restart Tor.

Also whenever I use Google, it just says I appear to be a bot and keeps asking me to enter a scrambled number correctly, but it never accepts the number even though I enter it correctly every time. Could you please kindly look into it, especially the extremely slow speed problem? Thank you for your kind efforts.

There's not much to look into regarding speed. The default obfs4 bridges service a lot of users, and are constantly overloaded. You may have better luck if you obtained different obfs4 bridges from BridgeDB.

I'm using Custom Bridges on the Tor Browser in Tails. Can I have too many bridges or the more bridges the better? Tor Browser in Tails is supposed to use a different bridge each time I boot to Tails, isn't it?

reCAPTCHA used to work without JS. There was a copy and paste routine.

maybe you can look in the untrusted submenu of noscript menu to see the url that needs temporary noscript allow?

Anonymous

August 18, 2015


I'm sorry regarding my previous comment I noticed the reason why obfs4 suddenly magically started to work was that Hotspot Shield was running in the background without my knowledge. As soon as I disabled it I was again unable to open any webpages. It seems like Iran's government is using a new kind of censorship. While I can connect to the Tor Network using obfs4 fairly fast and see the "Congratulations" web page, I haven't been able to open a single web page for the past few days no matter how many times I restart Tor. It's always "The Connection Has Timed Out". Could you please look into it?

Hard to look into it without having a computer there, or knowing which bridges you use (if it's not the default, don't reply with them either). If they're throttling long lived connections again, that's the sort of behavior I'd expect, but I don't have a good solution to that for obfs4.

> I'm sorry regarding my previous comment I noticed the reason why obfs4 suddenly magically started to work was that Hotspot Shield was running in the background without my knowledge.

As I had cautioned you in my earlier post, I will caution you now for your sake.

Avoid Hotspot Shield at all costs as it has been working closely with the United States' National Security Agency. Your online activities may be closely monitored by it.

But again, being monitored by the NSA does not present the same risks to you compared to being monitored by the Iranian authorities. The NSA will not throw you into jail but the Iranian authorities will. One of my Iranian contacts who was vocal in his support of the American-led Iranian non-proliferation nuclear arms deal has just been given a seven year jail sentence. Do you want to be next?

Sometimes when you see "connection is timed out" it means "it is impossible to open a connection for your security & safety", so it is better to not have one.

Try another location/country from your VPN or another circuit/identity from Tor.

*I do not like comments about vpn/nsa/interpol or good/bad people/countries; in fact, as soon as you live in a reverted republic (old monarchy) or a false democracy (European Union), everybody can ask for a sanction against someone else, no need to be in contract with a government or a military circle ...

Anonymous

August 18, 2015


I'm a bit confused. Today TorBrowser "informed" me that there's an update available and I should restart TB to apply it. In the 4.XXX versions, on my start page (about:tor) there always was this info "however, this browser is out of date" and then I used to update it manually. Since I prefer to do this manually, after today's update message, I checked the options to turn off the auto update (which I did not turn on). Then I realized that I can no longer change the settings. When I click the relevant box, no check mark appears. Is this a bug?
-----
I just realized, it is the same with ALL the options. It seems that when I click on something, my changes apply but the "box" is not marked, no check mark visible.

Sorry for my bad English, hope you get me.

It's a recent bug. Lower the slider in the "Privacy and Security Settings" to Medium-High (or lower) and restart the Tor Browser. You should be able to modify your settings after the restart. And then you can set that slider back to High.