Tor Browser 5.0.3 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

We fixed a number of regressions from our switch to ESR 38 back in August and reduced keyboard layout fingerprinting, to mention just some highlights.

These and all the other changes can be found in the complete changelog since 5.0.2:

  • All Platforms
    • Update Firefox to 38.3.0esr
    • Update Torbutton to 1.9.3.4
      • Bug 16887: Update intl.accept_languages value
      • Bug 15493: Update circuit display on new circuit info
      • Bug 16797: brandShorterName is missing from brand.properties
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
    • Bug 16837: Disable Firefox Hotfix updates
    • Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
    • Bug 16781: Allow saving pdf files in built-in pdf viewer
    • Bug 16842: Restore Media tab on Page information dialog
    • Bug 16727: Disable about:healthreport page
    • Bug 16783: Normalize NoScript default whitelist
    • Bug 16775: Fix preferences dialog with security slider set to "High"
    • Bug 13579: Update download progress bar automatically
    • Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
    • Bug 17046: Event.timeStamp should not reveal startup time
    • Bug 16872: Fix warnings when opening about:downloads
    • Bug 17097: Fix intermittent crashes when using the print dialog
  • Windows
    • Bug 16906: Fix Mingw-w64 compilation breakage
  • OS X
    • Bug 16910: Update copyright year in OS X bundles
khled.8@hotmai.com

September 22, 2015

Please help me. My Tor Browser updated to 5.0.3, but my antivirus "Panda" deleted it. I lost all of my bridges and conditions.

Just started with TOR browser. Now that it's activated and protected, I want to use it privately, so that when another machine user is on (who can get in my identity) to check where I went online, needs to be deleted without a trace back. How do I ensure that I have cleared out any cookies or otherwise to identify which web sites I am on?
I know how to use programs but am not into code very well or IT stuff. Any clues how to clean out Tor's records of websites visited?

khled.8@hotmai.com

September 22, 2015

I want to restore crashed sessions, and (better) be able to keep all open tabs when I close/open the Tor Browser.
Because of the lack of these things, I have been using the old 3.5 version of TorBundle instead of the new versions. Yes, this is insecure, but I NEED TO KEEP the TABS session!

Hello, for that you should at least deactivate "Don't record browsing history or website data (enables Private Browsing Mode)" in your "Privacy and Security Settings".

khled.8@hotmai.com

September 22, 2015

FIRST!
Oh wait this isn't YouTube
anyway, good update.
I've been waiting for GK to write this blog post
I knew there was Tor Browser 5.0.3 from Tails 1.6.0

khled.8@hotmai.com

September 23, 2015

thanks

It would be great if the Tor team made an application like WhatsApp, Telegram, etc. which works anonymously.

Android applications are more practical and more effective.

Telegram is transferring their servers to Iran.

you might take a look at ChatSecure (Android) which offers connection to XMPP servers via Tor.

Or SMSSecure if you want to avoid the net completely.

Thank you very much for restoring sync!! It was a real pain to manually export and import bookmarks every day.

Please post the lists of identity fingerprints, country codes, and address patterns of nodes to avoid when building a circuit. Add the explanations if possible. For long lists using links to popular secure clearnet pastebin service is preferable.
https://trac.torproject.org/projects/tor/ticket/17044

You're not going to get a consensus on what nodes to block, other than those nodes that tor blocks by itself. Not everyone has the same threat model and concerns you do.

many thanks again to the tor team for the latest browser :)

The Settings page now works as expected in High Security Mode. Thanks a lot for fixing this!

When updating from within the Tor browser, rather than downloading again and comparing sig file, how safe is this from MMTM attack?

Pretty safe as the update files are signed with a key. Thus, assuming you meant a MITM attack, even if an attacker could be in the middle (which is not easy given we pin the certificate) they would still need to figure out how to get around the signature feature. Tor Browser won't accept update files with a wrong signature.

Thanks. Yes, I did mean MITM attack. This has cleared up my doubt on this issue. I use Gibson's site when downloading Tor afresh as another backup to check I'm actually contacting the actual Tor site:

https://www.grc.com/fingerprints.htm

I'd be interested in any opinions on the usefulness of this.

Good question! I avoid attacks in this way:
1. Manually download corresponding .MAR file from Torproject.org distribution directory
2. Download and update Tor Browser with its updater, but don't restart!
3. Compare checksums of downloaded MAR file with MAR file located in Tor Browser\Browser\TorBrowser\Data\Browser\Caches\Tor Browser\Browser\updates\0
4. If the checksums are exact, then the Browser is updated with the same MAR file that is distributed by Torproject. The MAR is also deterministically built, which means everyone with the right tools and skills can recreate the exact file from source code.
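
The comparison in steps 3 and 4 of the comment above, written out as an added example; it is not part of the original comment and is not Tor Browser's own code. The function names are hypothetical, the staged file name `update.mar` is an assumption, and the sample files are constructed stand-ins rather than real MAR archives.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large MAR is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_mar(downloaded, staged):
    """Return (verdict, details) for the manually downloaded and the staged MAR."""
    for label, path in (("downloaded", downloaded), ("staged", staged)):
        if not Path(path).is_file():
            # The updater removes the staged file after a restart (step 2).
            return "missing", {label: str(path)}
    sizes = (os.path.getsize(downloaded), os.path.getsize(staged))
    hashes = (sha256_file(downloaded), sha256_file(staged))
    details = {"sizes": sizes, "sha256": hashes}
    if sizes[0] == sizes[1] and hashes[0] == hashes[1]:
        return "match", details
    return "mismatch", details


def demo():
    """Run the comparison on constructed stand-in files (not real MAR archives)."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp, "dist.mar")          # hypothetical name: manual download
        staged = Path(tmp, "update.mar")      # assumed name of the staged update
        tampered = Path(tmp, "tampered.mar")  # same size, one byte changed
        dist.write_bytes(b"MAR1" + b"\x00" * 4096)
        staged.write_bytes(b"MAR1" + b"\x00" * 4096)
        tampered.write_bytes(b"MAR1" + b"\x00" * 4095 + b"\x01")
        return [
            compare_mar(dist, staged)[0],
            compare_mar(dist, tampered)[0],
            compare_mar(dist, Path(tmp, "absent.mar"))[0],
        ]


if __name__ == "__main__":
    print(demo())
```

Matching digests show only that the updater staged the same file the distribution directory serves; the signature check described earlier in the thread is what ties that file to the signing key.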

thanks for a great release! it is excellent to see how quickly the TBB team has 'caught up' with the firefox release cycle. auto-updating both firefox and TBB on the same day makes me happy.

Last night it was no problem to use mail2tor. But today the link (.onion) doesn't work. Is there a problem? Although I updated the Tor Browser to 5.0.3. I don't think that should be a problem. Can anyone say something useful about this?

Mail2Tor's onion address doesn't work for me either atm. Anyway, this isn't torproject side, and you should contact the Mail2Tor admins to get better info.

Some porno sites are incompatible with Tor...why? Html 5? Flash? Help me!

PornHub uses Flash Player which is disabled in Tor

After upgrading to 5.0.3., i always get the same entry node (same ip), even if i restart tbb and/or computer. When i redownload and verify new tbb and launch it, i get a new entry node but then that one stays the same again, even if i relaunch it again.
Is this ok?

Yes. The UI should be improved to indicate that this is normal behavior.

https://trac.torproject.org/projects/tor/ticket/16665

Interesting about guards. I hadn't sufficiently taken the implications in myself.

A question: If the guard is being surveilled by the NSA, like Sebastian Hahn's is/was in Germany, what can the NSA actually learn as opposed to what they could learn if they ran the guard themselves?

Meek runners like Google have a history of working with the NSA, as revealed by E. Snowden. If one connects to one of their servers, the IP may be logged; it also logs how many times a user uses their Meek every day, and then they can tell how much you love Tor and how important your data is. Why wouldn't they send the logs to the Chinese government if they want to earn more Chinese money? Yes, government and runners work together; it is much easier to know your data.

Recently, it is very easy to build a connection with Meek, which never happened before, while with obfs3/4 it isn't.

If the cloud provider(s) running the current meek entry points are adversaries in your model, don't use meek. I'm not sure what more there is to say about this. Yes it's bad that people are in bed with various governments? It is, but I don't know what people expect should happen here? Not offering meek?

Sometimes, when pressing the Torbutton, the circuit view showing the three nodes isn't there. This also happened haphazardly in the previous versions. Is this a known issue? I couldn't find anything definitive on it.

It depends on what issue you are actually hitting. The one we know about is https://bugs.torproject.org/16990. How can we reproduce your one?

It seems haphazard. My only guess is that it may be related to having a lot of tabs open, but can't say for certain as yet.

After upgrading to Tor Browser 5.0.3, the tor button will not show the route of the network (those three green dots). Is this feature removed in 5.0.3?

No. How can I reproduce that? What website are you trying to reach?

I'm using Windows. I downloaded TBB 5.0.3. After the update, two Https Everywhere addons appeared in the addons manager. This is the first time I can recall this ever happening. Do I just uninstall the oldest version? http://prntscr.com/8kc1bi

Yes, please. This will be fixed with https://bugs.torproject.org/16909.

This may have been mentioned previously, but on Win7 64bit, whenever TorBrowser is maximized it freezes the PC temporarily and occasionally causes aero to turn off. It seems rather than maximizing correctly, it creates a much larger, un-maximized version of itself, far larger than the actual screen (1080p).

You are shooting yourself in the foot by resizing the window size as of now. We are developing a fix for this which is available in the alpha series for testing currently.

To clarify the maximized TorBrowser issue, this occurs only when setting the browser to display tabs from the previous session, and it's a 20+ tab session.

auto update of this version from the latest one is failing. is it just me ?

What does "failing" mean? What does the log in the browser console (CTRL + SHIFT + J) contain if you enable logging via about:config "app.update.log" -> "true"?

download does not work at https://openload.co

{"status":403,"msg":"download ISP is different to request ISP. request: AS249xx download: AS161xx"}

in the last version of tor same problem

Interesting. Although this worked for me I just might have had luck. Probably related to our domain isolation to prevent tracking.

hi,

i am unable to get tor-browser-linux64-5.0.3_en-US.tar.xz to work on openbsd.

can someone help me please?

This is #10763/#14942 in our bugtracker. So, there is no known fix for this issue available yet.

Hi gk:

Perhaps Tor developers would like to co-operate with the people who are porting Tor Browser Bundle to OpenBSD.

The latter's project is to be found at: https://github.com/torbsd/openbsd-ports

If you read the contents (of that web page) carefully, you won't want to use TBB offered (on that web page) because:

A. The version is 4.5.3 whereas the official TBB's version is 5.0.3
B. A warning that the TBB offered on that web page is experimental
C. It is not officially supported by The Tor Project

On a different note, I'm puzzled that the writer of the web page complained: "This is because the Tor project chooses not to make source tarballs easily available for anything except tor itself (their gitian-based build process does not require them)."

I wonder what Tor developers have to say about the writer's complaint.

If someone opens a ticket on our Trac bugtracker and provides a patch for review, I'd be happy to look at it.

I am new on TOR and I am currently using version 5.0.3 TB and thank you for all the work already done.

What would be great:
- It would be to have a secure page translator and configured in TB ...
- It would be to have a secure, configured Meta search engine..

For cons, I'm surprised because I am an online browser security test site different and advice me to install a firewall for protection because a lot of ports are open !!!

The Windows firewall is not enough?

Running 5.0.3 64bit on slackware it reports as 5.0.2 and "out of date" verified its sigs which report all good?

Scrap that last, I just removed the dir and re-extracted and it's all good.
However, I never used to have to do this, just extracting over the existing one has always worked till now!