Tor Browser 5.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we updated the NoScript version we ship and included a small fix for Unity and Gnome users on Linux.

Here is the complete changelog since 5.0.1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Anonymous

August 29, 2015

I can't get the 5.0.2 to install. I download the file, and click on it, nothing happens.

Could there be a Windows firewall preventing the application from running?

Windows Vista User.

Right-click on "torbrowser-install-5.0.2_en-US.exe", left click on Properties, then click on the Unblock button.

Anonymous

August 29, 2015

Tor Browser Bundle for Linux. In this version PLUGGABLE TRANSPORTS do NOT WORK. Even if you use working bridges, Tor cannot connect. Please, fix this.

Same here. Tried 9 obfs4 bridges obtained from BridgeDB and none of them allowed me to connect to internet. These same 9 obfs4 bridges did allow me to connect to internet using Windows.

Anonymous

August 29, 2015

Can a Tor developer tell me that the new update system automatically checks all verification signatures?

Anonymous

August 30, 2015

The Tor Browser works well. Many thanks for your efforts in fighting online censorship. Dreamsofspanking.com was recently forced by ATVOD to remove all of its videos and photos, due to new draconian UK porn laws - A reminder that censorship is dangerous and not acceptable.

censorship is dangerous; when a draconian law comes, it is often because they cannot obtain all the market for themselves, so they prohibit it for everyone.
the new market will be open and under control of the mayors like it was 30 years ago.

www.theguardian.com › Arts › Pornography
www.ukcolumn.org/article/atvod-major-risk-freedom-speech-internet
www.melonfarmers.co.uk/me_atvod.htm
Few millions of real persons are concerned whom members of Parliament obviously , it is also about regulating a market and prohibiting which should not be a "label" certified ... by their own industry.
In the UK, an old law still exists after 300 years; all suspicious behavior can be considered a terrorist threat.
So, I really do not understand your sentence:
| I wonder what percentage of Tor users are individuals in the UK wishing to circumvent the laws that you characterize as "draconian".|
You should be better informed.

Anonymous

August 30, 2015

Clean install to USB, win vista 32 bit.

With security slider on high can't change any options under Tools>options.

So move slider to its lowest setting, still can't change options without exiting and restarting.

Exit and restart, change settings, leave slider on lowest settings, exit and restart - all settings have been saved. Move slider to highest settings, exit restart - settings now back on their defaults, ie all boxes are clear.

Are my settings being saved once the security slider is moved up to max ? For example if I clear the 'block cookies from sites' box when the slider is low are they still blocked when the slider is on max (on low the box is ticked, on high it's empty)

Anonymous

August 30, 2015

Am I doing the right things ?

No Script>options>embeddings = all boxes ticked.

Tools>options>content, block pop up windows = ticked

Tools>options>privacy, tell sites not to track = unticked
Tools>options>privacy, tor browser will use custom settings
Tools>options>privacy, always use private browsing = ticked
Tools>options>privacy, accept cookies = unticked
Tools>options>privacy, third party cookies = never
Tools>options>privacy, clear history when closes = ticked

Tools>options>security, warn site add ons = ticked
Tools>options>security, block attack sites = ticked
Tools>options>security, block forgeries = ticked

Tools>options>advanced>data choices, health report = unticked
Tools>options>advanced>update, check but let me choose = ticked

Security slider set to maximum security.

Finally and probably the most important;
About:config in the address bar then

About:config>app.update.auto = set to FALSE
About:config>javascript.enabled = set to FALSE

Anything here that would weaken my privacy/anonymity? Everything looks good on ip-check.info. Thanks for any feedback.

Am I doing the right things?

You may be doing the right thing but as you personally customized the settings, your TBB might stand out easily to be tracked.

No you're not; changing the default settings will make it easier to fingerprint you. Tor Browser is pretty secure "out of the box" and you get anonymity by looking exactly like every other Tor Browser user (to be using the security slider setting you use.) If you change that, you change your fingerprint.
By the way, you don't have to block the plugins in NoScript since TorBrowser is specifically engineered to not find the plugins by default.

>you don't have to block the plugins in NoScript since TorBrowser is specifically engineered to not find the plugins by default.

What about the concept of layered security? Could such blocking via NoScript not be considered a backup defense, in the event that such blocking within TorBrowser somehow fails?

Anonymous

August 31, 2015

Am I doing the right things ?

https everywhere > block all http request (recommended)
tor > high level (recommended)
noscript > advanced > checked clearclick/abe/xss (recommended)

Thanks for any feedback.

I'm pretty sure enabling NoScript ABE isn't recommended.
Then again, I don't think it'll affect your fingerprint unless you write additional rules. Of course, I don't think the default rules even do anything on TB given that access to LAN resources won't work anyways.

Anonymous

August 31, 2015

Why are you changing HTTP-headers and default screen size? In this way you make distinguishable users of older versions of torbrowser. Now I use version 4.0.8 and ip-check.info detects difference from the current version.

torbrowser 5.0.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept-Language: en-US,en;q=0.5
Window size: 1000x775

torbrowser 4.0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept-Language: en-us,en;q=0.5
Window size: 1000x800

While the first two can be corrected via about:config, the window size does not have such setting.

Even one different symbol completely changes the header signature (such as us -> US). It would be wise to stick to some settings and never change them.

Apart from the fact that Firefox 31 based browsers do not get any security updates anymore it is probably not possible to pretend you are using a Firefox 38 based one while in fact using a Firefox 31 based one anyway. Thus never changing settings would not help.

OK, with enabled javascript that may be right. But in case of the safest browsing with javascript disabled or the high security level (according to the slider), how can sites detect the firefox version? I think the only way is analyzing HTTP headers. Other properties, such as TCP stack and pipelining, are likely to be identical.

>Even one different symbol completely changes the header signature (such as us -> US).

Can I change this manually? Or no good idea?

about:config -> general.useragent.override, intl.accept_languages.

However, after browser restart the option intl.accept_languages resets for some cause. So you have either to change it after each start of the browser or not change anything, otherwise you become trackable because of the unique HTTP header combination. Users of old versions still compose some crowd, which is however far less populated than the crowd of the current version.

i think even if you fullscreen your TB (not f12 fullscreen) but just squared, it still does not show your monitor size, it shows the size without the win. taskbar panel so it still differs from your monitor.. i might not be right with this, but if anyone could say more it'd be great

I do not know how, but ip-check.info test determines the browser window, which is different for old versions and the current one. If you maximize the window, then the values are the same according to your monitor resolution. But the best practice is to use default window size and not to maximize it. In such a way you belong to the biggest crowd of users with the best anonymity.
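As an added illustration of the header discussion in this thread (not part of any comment and not Tor Project code): the sketch below groups a population by the byte-exact header set a server sees and reports how small each crowd is. The header strings are the ones quoted above; the population counts, the partially overridden profile and all function names are constructed for the example.

```python
import hashlib
from collections import Counter
from math import log2

# Header values exactly as quoted in the comment above.
TB_502 = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
    "Accept-Language": "en-US,en;q=0.5",
}
TB_408 = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "Accept-Language": "en-us,en;q=0.5",
}
# Constructed case: User-Agent overridden by hand, Accept-Language left
# at the old lowercase value (e.g. after the pref reset described above).
HALF_FIXED = {**TB_408, "User-Agent": TB_502["User-Agent"]}

def signature(headers):
    """Short digest of the header set; values are compared byte for byte."""
    canon = "\n".join(f"{k.lower()}:{v}" for k, v in sorted(headers.items()))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def differing_fields(a, b):
    """Names of the headers whose values differ between two profiles."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def crowd_report(population):
    """Map signature -> (crowd size, surprisal in bits) for a list of header sets."""
    counts = Counter(signature(h) for h in population)
    total = sum(counts.values())
    return {s: (n, -log2(n / total)) for s, n in counts.items()}

# Constructed population of 1000 visitors; the split is illustrative only.
POPULATION = [TB_502] * 960 + [TB_408] * 39 + [HALF_FIXED] * 1

if __name__ == "__main__":
    print("5.0.2 vs 4.0.8 differ in:", differing_fields(TB_502, TB_408))
    print("5.0.2 vs half-fixed differ in:", differing_fields(TB_502, HALF_FIXED))
    for sig, (n, bits) in sorted(crowd_report(POPULATION).items(),
                                 key=lambda kv: -kv[1][0]):
        print(f"{sig}  crowd={n:4d}  surprisal={bits:5.2f} bits")
```

The partially overridden profile differs from the current release only in the case of `en-us`, yet it forms a crowd of one, which is the outcome the thread warns about.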

Anonymous

September 01, 2015

>enabling NoScript ABE isn't recommended.
Interesting point of view but i do not see any link or information from noscript or tor devs explaining clearly the advantages/inconvenient of enabling abe with tor bundle 5.0.2. with example(s)/scenari (e.g. chat / webmail).

NoScript ABE allows fine-grain control over what website resources are loaded. Unfortunately, that detailed level control is fingerprintable; it's the same reason TB disabled NoScript's block by domain functionality.
With that said, just enabling ABE doesn't gain you anything. TB and tor already protect you from the attack on LAN resources that the default rule provides you. Simply enabling ABE won't do anything except maybe use a minor amount of cpu/memory. Theoretically, TB could include a custom ABE rule list (which would reduce/remove the fingerprinting issue) but that pretty much steps into the adblocker arena which is a minefield.

Is it not an official opinion ?
# With that said,...
What is the goal of noscript and its options ?
# NoScript ABE allows fine-grain control over what website resources are loaded. TB and tor already protect you.
# ABE is a very good choice. I read that according on the app you run it can protect you better.
When, why, how, ?
# TB could include a custom ABE rule list (which would reduce/remove the fingerprinting issue).
Does it work better with or without tor ?
# Like for another add-on (https everywhere e.g.), most of users are against learning the real purpose of the plugin and setting it correctly.
Is it better (fingerprint) to enable it or not ?
# enabling ABE doesn't gain you anything.
For what app i must activate it or not ?
# TB and tor already protect you from the attack on LAN resources that the default rule provides you.
# I agree that by default, all is fine except i need an official how-to and i did not find one,
Who have yet sent an email to tor or noscript site for obtaining an answer ?
who have received one ?
# enabling ABE doesn't gain you anything
# so where are the expert reviews ? on the tor site ? on the noscript site ?
# where are the how-to, the clear explanation , the discussion, the examples the feed-back, the test, why this option (useless-abe ?) is embedded in the Tor noscript add-on ?
# Is speaking about plugin embedded with Tor a taboo ?
# Who is responsible , Tor or Noscript dev ?

Anonymous

September 02, 2015

Can't maximize the tor browser window. After clicking on the maximize button, the window flickers a lot and then finally has a random size, sometimes ~100px width, sometimes ~6000px width(!). Using Windows 7 64bit.

Window size is fingerprintable; Tor Browser is specifically designed to prevent maximization as a defense, but I've never had it end up at a random value afterward.

Anonymous

September 05, 2015

I cannot change Settings (I also hate as all (many) sites are moving to the "new" win8+ feel--with regard to buttons). Should I update to 5.0.2a?

Anonymous

September 05, 2015

what is the point of "torrc.orig.1" if it's blank after TBB update?!
it doesn't contain the "previous" nor original torrc prior to update?!

Anonymous

September 05, 2015

Dear Torteam

online update of TBB:
method1
try parsing the torrc
find the custom variables/settings -save them
perform the update
restore the customization

method2
update TBB
don't overwrite ORIGINAL torrc

not difficult

highly pissed Anon

Anonymous

September 06, 2015

I'm testing Tor browser on a notebook that connects to Internet using a cell phone network. About 60% of my data usage was Youtube videos viewed through Tor Browser. Somehow my ISP was able to profile my traffic and their tech support told me that more than half my usage had been "videos".

How is such profiling possible, if my access is through Tor Browser? I thought that all traffic went through an encrypted pipe, and no ISP should be able to inspect headers of packets inside that pipe?

That posting is 2.5 years out of date. The world has moved on from flash video onto html5; html5 goes through the browser as opposed to flash. It shouldn't leak; if it does, that's a bug.

That's an interesting question, admins should notice that..Tor isn't safe anymore??? How your isp was able to profile u? isp must see only the fact that you're using TB.

Anonymous

September 09, 2015

3 things are broken in TBB 5.0.2:

-Technical Details(Crypto algorithm).Tools -> Page Info -> Security

-Tools -> Page Info -> Media

-Tools -> HTTPS Everywhere -> Enable / Disable Rules

Please fix that. Thank you.

Anonymous

September 09, 2015

I see that enabling ABE in NoScript isn't recommended in the default TBB or there is no gain at all, but what about the ClearClick option?
It comes disabled by default as well.

ClearClick is eventually supposed to be enabled by default. It was enabled by default until a NoScript update caused ClearClick + Tor Browser to create ClearClick False Positives on some websites. At least that's how I read the explanation. I could be wrong.

Anonymous

September 09, 2015

Hi, the meek is unavailable
Please fix it.

Anonymous

September 11, 2015

Please post the lists of identity fingerprints, country codes, and address patterns of nodes to avoid when building a circuit. Add the explanations if possible. For long lists using links to popular secure clearnet pastebin service is preferable.

Anonymous

September 12, 2015

um hello. first time commenter, happy 2 year tor user (though i'm using an ie8 for this post for an unrelated reason, ok, i'm at the office and they still use XP here).

i understand that magnetic links do not work with the tor browser since like v3, not a problem. but i seem unable to download a torrent link and associate it with utorrent like i did on the previous version when using kickass for public domain content. (nice save huh?) rather, torcache pops up and just hangs. is it a related v5.02 issue others have noticed or a kickass linking glitch w/torcache iyo?

thanks, very much for your time.