Tor Browser 5.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we updated the NoScript version we ship and included a small fix for Unity and Gnome users on Linux.

Here is the complete changelog since 5.0.1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome
Anonymous

August 27, 2015

Permalink

Thanks for the update, just updated!
I want to verify what's changed, what's downloaded before I update, how can I best do this?

Anonymous

August 27, 2015

Permalink

it seems to crash on win7 on startup. i receive a "tor browser has stopped working" message together with an "appcrash" detailed report below. never happened with the previous version. crashes started to occur soon afer updating to 5.0.2. i've tried to uninstall (by simply deleting folders and icons) and reinstall but that did not fix the problem.

hope you can help, thanks

just in case: where could one download 5.0.1 version? is it safe to use it? i'd like to try at least if it works.

Anonymous

August 27, 2015

Permalink

always me, the guy who reported crashes of 5.0.2 under win7. installed 5.0.1 and everything is fine again. let us know...

Anonymous

August 28, 2015

In reply to by Anonymous (not verified)

Permalink

Germans cannot speak anymore since their orthography got reformed some years back. His scrawl is called Kauderwelsch in german or gibberish in english.

Anonymous

August 27, 2015

Permalink

To maintain guard-node continuity when updating TBB via full download and replacement of the old-version folders, which old-version file(s) should be saved for re-use?

Thank you.

It seems to be Browser/TorBrowser/Data/Tor/state.

I've tested by moving the file to somewhere else, and tor generated a new one with different nodes. I then moved the old one back, and tor used the old nodes.
However I'm not sure how secure this is. You could also try moving the whole .../Data/Tor directory.

Anonymous

August 27, 2015

Permalink

Most usefull for me is to export bookmarks and restore them via bookmarks menu.

Anonymous

August 28, 2015

Permalink

ERROR: Error verifying signature.
ERROR: Not all signatures were verified.

What went wrong, and how do I set it to not thrash my bandwidth automatically downloading the full archive when the mar method fails?

As to the errors see https://trac.torproject.org/projects/tor/ticket/13379#comment:50. We have two keys and if one signs the MAR files with the second one Tor Browser is complaining that the first one it expects is not there but then falling back to the second one (if the second one were not there either your update would fail).

You only get the incremental update if there are no substantial changes in your old Tor Browser, like a modified Torbutton or Tor Launcher or changes to your torrc file(s).

Anonymous

August 28, 2015

Permalink

is someone be able to clarify that : Tor + vpn or Vpn + tor ?
(i cannot add my vpn after tor but i can do it before).
thx.

As I understand it (and I am far from being an expert), VPN -> Tor is likely no worse, from a security perspective, than ISP -> Tor.

Tor -> VPN, on the other hand, introduces some real potential risks. In such a case, the VPN can be considered, in a sense, like an exit node. Under the default design of Tor, one is continually bounced between numerous different exit nodes, thereby greatly limiting the volume of any given Tor user's traffic that any one exit node can observe (and have the ability to tamper with). In contrast, when one connects to a VPN after Tor, ALL of one's traffic goes through the VPN-- a single entity and network point.

Anonymous

August 28, 2015

Permalink

I used http://ip-check.info website to test anonymity of the latest version of the Tor browser and the authentication field is marked red and it shows my unique ID to identify me. It says: "Your browser should not send any HTTP authentication data to third party sites". Will you please fix this immediately? Some other fields are marked orange.

If you click cancel when the prompt comes up (like it tells you too,) you won't get a unique ID in the auth field.
Otherwise, some of the orange fields are simply an attempt to push you to use JonDonym as opposed to tor (like the HTTP Session field,) and others are out of date (Such as the Language field and Browser window field.)
Referrer and cookies are valid concerns, but they bring usability concerns as well.

Anonymous

August 28, 2015

Permalink

Why is it that every first link is now a USA link 104.131.108.7? This link is always the same after attempting to change the tor circuit.

https://www.torproject.org/docs/faq.html.en#EntryGuards

Tor picks a Guard node and maintains it as the first hop for several months as this provides better anonymity versus certain attacks.

This question comes up often enough that there is also https://trac.torproject.org/projects/tor/ticket/16665 which deals with including this explanation as part of the user interface.

Anonymous

August 28, 2015

Permalink

HORNET: High-speed Onion Routing at the Network Layer
http://arxiv.org/abs/1507.05724

What do you think about HORNET? It claims to be much faster without hurting anonymity. Perhaps parts of HORNET could help the Tor network. And it claims to scale well.

Already talked about this. There is also Astoria Browser, and the newest is the Hornet Browser. I suggested to the Tor Team to work together to create a Tor/Astoria/Hornet overlay that will surpass any network possible and as an alternating script to safeguard privacy. I think Hornet will good for freedom lovers because it will allow you to go through any website without restriction. Yelp cannot be accessed through Tor, but Hornet will, hopefully.

Neither Astoria Browser nor Hornet Browser exist; at the moment both Astoria and Hornet are simply clients, and neither of them have public releases.
The reason you can't access Yelp through tor is that Yelp has specifically decided to block tor. Unless Hornet specifically hides the fact that a request is coming from the Hornet network, there's no reason to believe they won't block Hornet as well. In order to do that, Hornet would need to somehow hide what IPs are used to exit the network, and doing so is a significant technical challenge (in addition to making legal challenges more difficult.)

HORNET uses IP-level routing and Tor has an official response to IP routing that I read years ago somewhere on the web site.

HORNET more specifically is evaluated from a high level by an outsider as part of the Security Now podcast sn-518. Some quotations from Gibson:

"These guys asked the question, what if we upgraded, updated, had
second-generation routers? And of course, unfortunately, it'll never happen."

" what HORNET is, is an academic exercise in the idea of onion
routing at the IP level, not four layers up at the application level. And the idea is you
need minimal work per router, meaning that it's only doing symmetric crypto on the
packet."

"The problem is, if you have near real-time, then there's even more ability to do traffic pattern analysis. And they don't address that at all."

"what they've done is they've solved the performance problem."

"unfortunately, you know, we're not
even moving to IPv6, let alone adding dramatic protocol level crypto stuff into the packet management and switching of our routers. So nice idea, you know."

Yelp blocks tor by blocking access from tor exit nodes. Tor doesn't try to hide that a request is coming from the tor network because doing so is difficult if not impossible to do accurately with the present day infrastructure of the internet. This isn't something that can be resolved on tor's end.
If you don't mind potentially allowing more people to sniff your traffic, you can try proxying after tor; if you're using Tor Browser you can try something like a PHProxy server.
With all of that said, is there any reason why you have to use tor to access Yelp? Please remember that if you're logging into an account you previously accessed without tor, you are NOT ANONYMOUS or even pseudonymous.

Another option for accessing Yelp and other sites that block access to Tor is to use the Ixquick proxy. This can be done by entering the name of the site one wishes to access (in this case, "yelp") into the StartPage search engine and then clicking-on the "proxy" link for any of the results displayed from said site. (A "Proxy" link should be displayed with each and every result that StartPage returns.)

Reasons for wishing to use Tor for a site such as Yelp, could include any of the following.

1.) Not wanting to reveal one's current location.

2.) Wanting to avoid tracking/snooping of one's traffic and activity by one's ISP and/or advertising entities.

3.) There would always be the argument, advanced by many, that if one is going to use Tor for sensitive traffic, one should also make sure to use Tor for as much as everything else as possible-- no matter how mundane. Otherwise, one is effectively flagging their Tor traffic for special attention and scrutiny. This overlaps with the theory that the more routine/mundane/"innocent" traffic that one routes over Tor, the more padding is given to one's sensitive traffic; more hay in the stack, if you will.
(Both theories/arguments apply as well to encryption in general, including Full Disk Encryption (FDE).

Note, as well, that one does not have to log-in (or even have an account) in order to merely /view/ content on Yelp.

Anonymous

August 28, 2015

Permalink

https://www.reddit.com/r/TORAstoria/comments/3ah27w/upcoming_release/
i do not know / i am not an expert but astoria seems a better solution for a near future.
https://thehackernews.com/2015/05/Astoria-tor-client.html
i do not understand how a vpn can compromise an anonymity (scam? manipulation?) ; it is written every where that it adds another security layer and on the other side it is written the opposite..
how many owner of vpn company/enterprise are working against their users ?
how many owner of vpn company/enterprise are giving money/resources/relays/etc. for tor project ?
hypocrisy or organization of crime made in usa/eu government ?
Is all that only marketing where users become a virtual merchandise ?
tor is tied with usa laws but it was never done for usa citizens/needs.
why every country cannot build their own personalized version of tor ?
are we used the same electronic component,the same code/program,the same hardware everywhere (build in the same enterprise)?
hornet or astoria does not solve the fact that victims are still the users.

Anonymous

August 29, 2015

Permalink

Please list the countries/cities to avoid in the Nodes because of SIGINT surveillance and instruction for configuration.
Why there is no Security Level slider for this or this is not posted on main page?
Why nodes can be from the same country by default?
Why with New Tor Circuit for this Site the cookie stays the same?

"I also have this problem of nodes always being the same at the top of the list and other times the map not working at all. Just checked with a friend who has also found this after checking the nodes list. Strange no response from the TOR developers."

1) What does listing cities help here?
2) Because they are not selected based on country but based on capabilities (guard/exit/provided bandwidth etc.)
3) Because "Give me a new Tor circuit for this site" is just doing what it says: you get a new Tor circuit. If you want more, i.e. a New Identity, then use that option.
4) https://www.torproject.org/docs/faq.html.en#EntryGuards
5) This might be https://bugs.torproject.org/15493 which will be fixed in the next regular release.

Anonymous

August 29, 2015

Permalink

still got 2 versions 'https-everywhere' (5.0.7+5.1.0 - both updated on 08/27/15!) addons on firefox. Leave as is ?

Deleting 5.0.7 sounds like a good solution. The problem is caused by a change in the addon id that was necessary due to the new Mozilla extension signing requirement.

Anonymous

August 29, 2015

Permalink

Do you know any popular servers that could automatically generate padding from your tab?

Other popular solutions?

Problems mentioned in docs look pathetic.

Anonymous

August 29, 2015

Permalink

May I ask any questions ?
I want to use Tor Browser 5.0.2 + VPN GATE .
Can Tor Browser 5.0.2 connect to VPN GATE ?
VPN GATE use SOCKS 4 .
Does Tor Browser 5.0.2 support SOCKS 4 completely ??
Please tell me ...

Yes , it is .
There are many sites which don't accept Tor Browser .
I want to use those sites through using Tor .
So , I needed VPN .
Free VPN is good . So , I thought to try to use VPN Gate .
VPN Gate has not good matters , but It's FREE ...

I heard Tor + VPN Gate is powerful .

There's other plenty 'free' VPNs out there. The question you've got to ask is what they gain out of there service.
You've got to determine your threat model. Why are you using tor? For some uses, spying VPNs aren't a problem.
With that said, I wouldn't use Tor Browser with a VPN; if I'm visiting a website that I can't bypass with a PHProxy, I'd feel safer with a tor -> VPN connection in a whonix VM than Tor Browser.

Now , I'm thinking about using whonix ...

If someone knows GOOD FREE VPNs , Please tell me the one .

I know HIDE me , Cyber Ghost , Tunnel Bear , Security KISS ...

Air VPN is very GOOD VPN with using Tor , But Air VPN is NOT FREE .

Cyber Ghost & Tunnel Bear don't have logs , so I like these ...

If someone knows the other GOOD FREE VPNs , Please tell me the one .

I agree with yawning.

VPN GATE is full of security holes. However you can use it as a decoy to fool your ISP or whichever evil regime is monitoring you. For example you can use VPN GATE to surf to Ashley Madison (the number #1 adultery site) and the evil regime that spies on you will get a kick out of reading your racy posts.

But for serious stuff such as whistleblowing on the activities of your evil regime, you should use Tor or some other anonymizing proxy.

Did you know that some of the people running VPN GATE are US intelligence officers who are based in Okinawa? Some of them are Japanese-Americans highly qualified in the field of signals intelligence?

* some of the people running VPN GATE are US intelligence officers who are based in Okinawa? Some of them are Japanese-Americans highly qualified in the field of signals intelligence?
pls give us name; address, (highly qualified ...hm... few doubt ... well payed ; certainly)
how do they work , by team ,alone ? how many are they ? in the base ? it is a military project or a civil enterprise ? whom are they speaking to ?
details are welcome !
enjoy !

US intelligence officers who are based in Okinawa ?
I didn't know such a thing ...
If it is true , it's so terrible ...

OK , I'll search other FREE VPN .
If someone knows GOOD FREE VPN , Please tell me the one .

Anonymous

August 29, 2015

Permalink

Sites know all Tor exit nodes anyway. Why send correct Referrers while using Tor and save all Cookies between automatically changed exit nodes? Usability concerns make Tor Browser less secure on any Security Level?

Anonymous

August 29, 2015

Permalink

I can't get the installer to open in windows vista. I download the 5.0.2 to my computer and when I click on it nothing happens.

Could there be a firewall in Windows that won't allow the application to open?