Tor Browser 5.0.4 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we included Yan Zhu's fix for not leaking the Referer header when leaving a .onion domain and are shipping an updated NoScript version.

These and all the other changes (minor bug fixes and clean-ups) can be found in the complete changelog since 5.0.3:

  • All Platforms
    • Update Firefox to 38.4.0esr
    • Update NoScript to 2.6.9.39
    • Update Torbutton to 1.9.3.5
      • Bug 9623: Spoof Referer when leaving a .onion domain
      • Bug 16735: about:tor should accommodate different fonts/font sizes
      • Bug 16937: Don't translate the homepage/spellchecker dictionary string
      • Bug 17164: Don't show text-select cursor on circuit display
      • Bug 17351: Remove unused code
      • Translation updates
    • Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
    • Bug 17318: Remove dead ScrambleSuit bridge
    • Bug 17473: Update meek-amazon fingerprint
    • Bug 16983: Isolate favicon requests caused by the tab list dropdown
    • Bug 17102: Don't crash while opening a second Tor Browser
  • Windows
    • Bug 16906: Don't depend on Windows crypto DLLs
  • Linux
    • Bug 17329: Ensure that non-ASCII characters can be typed (fixup of #5926)
Anonymous

November 04, 2015

Permalink

FIRST
Anyway, thank you for spoofing the referer after leaving a .onion domain, that was really needed.

Anonymous

November 04, 2015

Permalink

I really do appreciate the effort the Tor team puts into their software. Thank you for all the humanitarian work that has saved countless lives and freedoms.

I have one suggestion that might fall on deaf ears due the massive workload this team has. Please bare with me and strongly consider the following.

A relatively new systems programming language called Rust poses many benefits over the C family while still maintaining much of its valued speed. Rust avoids memory leaks, reduces overall code error, retains much of the speed of C, and as a result of its inbuilt safety measures, reduces complexity and lines of code.

An example of this is the Maidsafe project's rapid port of several years worth of C++ code over to Rust in under 6 months. As a result, development speed has dramatically improved, and the code has been reduced from nearly a million lines down to only 20 thousand. This has reduced attack surfaces, eliminated memory leaks, and generally makes the code more readable/audit-able. The lead developer David Irvine has credited Rust for improved security. It's even claimed that they wouldn't be so close to launched if it had not been for the transition over to rust. Their testnet is now only several days away (an unexpected bug in one of their libraries is the only thing left).

I really hope the Tor team really considers rust for future development. I suspect that as a result of the work that team has done with rust, its popularity will increase and the benefits understood.

Please check this post on their forums, but keep in mind that rust is now at 1.4 stable. It was yet unreleased at the time of the discussion. https://forum.safenetwork.io/t/rust-vs-c/3216

HERE IS THEIR GITHUB: https://github.com/maidsafe

Please tell me what you think :-)

While an interesting concept, is there any reason to believe this is any different than any other new programming language that tries to give performance relatively close to C (Or at least C++) yet include additional safety measures? Rust is still a new language; I'd say give it a few years to figure out if it's still around and actually being used outside of a few diehards. I'd hesitate moving a long term project to a new programming language before the initial hype has worn off.

Of course, Tor Project really can't control what most of firefox is written in, so any decisions they make about programming languages can't apply to the browser itself.

Anonymous

November 04, 2015

Permalink

Do not know if the update is giving me problems, or the browser, or what, but this version gives me problems accessing onion or privacy email services...anything about this?

> problems accessing onion or privacy email services

What is the adress of the site (onion) , what is your privacy email service ?

afaik, all is fine.

but this version gives me problems accessing onion or privacy email services...anything about this?

Detailed descriptions and error messages of the problems you encountered.

From at least version 4 of TBB, there have been internet brigades sent by the NSA and GCHQ to post so-called "feedback" on the failings of the latest version and insinuating to readers to fall back on using older versions.

I should know because I am from Tailor Access Operations.

Anonymous

November 04, 2015

Permalink

Just wanted to say thanks again for keeping TBB's release cycle so close to Mozilla's. As someone who uses this product every day, it helps me feel more confident and secure in my browsing. Keep up the great work!

Anonymous

November 04, 2015

Permalink

Strange behavior of Electrum when running through Tor

The latest TBB 5.0.4 runs on port 9150, right? Well, I configured Electrum 2.5.2 to run through Tor.

On my Linux box, whenever Electrum connects through Tor, I receive the error message:

Nov 4 00:00:00.000 [warn] Application request to port 110: this port is commonly used for unencrypted protocols. Please make sure you don't send anything you would mind the rest of the Internet reading!

Has anyone of you using Electrum over Tor come across the same issue? Does it arise from Tor or Electrum?

Port 110 is for unencrypted POP3 E-mail access. Exit nodes can sniff and read unencrypted POP3 traffic. Tor warns about port 110 being used, but is dumb enough to not distinguish between POP3 traffic and Electrum (Stratum protocol) traffic. You can ignore this warning IMHO everything is OK.

Anonymous

November 04, 2015

Permalink

What does the below error message mean and how did it happen?

Nov 04 08:00:04.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60s after 18 timeouts and 451 buildtimes.

Anonymous

November 04, 2015

Permalink

Would something as benign as already having NoScript updated to 2.6.9.39 in 5.0.3 cause the incremental updater to then switch over to the full .mar file instead?

Anonymous

November 05, 2015

Permalink

Where is the new Tor network manager? The green icon inside Tor Broswer is too week and also the ARM, Vidalia is strong but out of date. How about the Tork? But what package it requires before ./configure&make&make install

Anonymous

November 05, 2015

Permalink

After upgrading I am still running Tor Button 1.9.2.8!

This bug was reported 15 months ago and is easy to reproduce: https://trac.torproject.org/projects/tor/ticket/12745

Also (possibly due to the same bug?) I'm apparently running two versions of HTTPS Everywhere simultaneously: 5.0.7 and 5.1.1. (And in another user's Tor Browser I see 5.0.7 and 5.1.0.)

That upgrade method was never recommended exactly due to issues like yours. So, if you don't want to use the auto-udpater (although you should) you should resort to extracting the new version into a different location and importing your bookmarks into it manually.

With respect ro HTTPS-Everywhere: This is https://bugs.torproject.org/16909. A fix for this landed in our recent alpha and if nothing blows up we'll backport this to the stable and the problem should be gone then.

Anonymous

November 05, 2015

Permalink

Actually, after restarting my newly updated Tor Browser 5.0.4, my HTTPS Everywhere 5.1.1 has reverted to 5.1.0. And I still have HTTPS Everywhere 5.0.7 installed too. :(

Anonymous

November 05, 2015

Permalink

geoip not updated in tbb dist. since june,, check it,, meanwhile ipv4 now at capacity,,,

~freerasool~

Anonymous

November 06, 2015

Permalink

Hello Tails,
i love your Distribution but the old,very special, very Reproducible!
changeWindowsize(Vidalia,Browser/others?)-getBlackFullscreenOOOPS
is still alive)-:. AMD CPU with onboard GPU graphic.

"Oh no! Something has gone wrong.
A problem has occured and the sytem can't recover.
Please log out and try again.
|Log Out|"

Why very simple desktop operation -change window size- is crashing Linux?
I have never seen this kind of error on other Linux distro.

Anonymous

November 06, 2015

Permalink

i dont know wat happened but whn i updated 5.0.4 it now its not working on my mac it says check proxy setting so any suggestions

Anonymous

November 07, 2015

Permalink

"Tor browser unexpectedly exited. This might be due to a bug in Tor itself. another program on your system. or faulty hardware. until you restart Tor. the Tor Browser will not able to reach any websites. If the problem persists. please send a copy of your Tor Log to the support Team.

Restarting Tor will not close your browser tabs."

Restarting Tor just repeats the above message.

Windows 8.1

Anonymous

November 08, 2015

Permalink

Ver 5.0.4: Clicking on the green onion S-T-I-L-L does not show the server chain the majority of the time. Why is this STILL broken?

Anonymous

November 09, 2015

Permalink

Hi
My tor browser is being cloned or taken over By a chrome version!
I have been trying to delete "the My browser" application, but to no avail
Am I doing anything wrong, How can I dump this clone?
thanks
Bryan or toffeecat@mail .com

Anonymous

November 11, 2015

Permalink

Tor 5.0.4_32 bit_EN won't install in Manjaro Linux Xfce 32 bit. It's not on Manjaro repositories but can be selected by enabling the AUR repository. The problem is that the last source package can't be built because the Open PGP public key is missing. Retrying to build gives the same error. Note that Manjaro uses Pamac, a Gtk 3 frontend for libalpm, and so it auto builds the AUR repository packages (the Manjaro repositories have only pre-built packages). But the problem is in Tor own files. I downloaded the Tor tar-xz package, extracted as user (no root in any step) and it gave me an error on extraction but still extracted the archives. Running the Tor Browser desktop configuration file, again as a user, launches Tor and everything looks peachy... Except I don't like this arrangement nor the extraction error. The AUR package can't be built because one of the public keys is missing? This is not how Tor should work, and so I can't trust the safety of my extracted tarball, nor the resulting installation, although I'm using it because there are no alternatives (I don't want to use the package in my native language!). Can you please try and look into this issue? Many thanks! R.P.

ok ; it is more a manjaro user problem than a tor problem.
do not enable AUR repository ; do not accept error on extraction ;

Download tor linux AND the sig file then verify from the terminal the integrity of the package ; the sig file is on the download page - open an empty document then copy & paste the sig file.
there are on your download folder two files now , a torxz and its sig so go there by this command ;
$ cd /home/USER/Downloads

and let's verify by this one the safety of your downloaded package
$ gpg --verify tor-browser-linux32-5.0.4.sig tor-browser-linux32-5.04_en-US.tar.xz

a key (ID) appears on the screen ; now, add this key (e.g D40814E0) by this command
$ gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys ID D40814E0

of course you can do that also
$ gpg --fingerprint D40814E0

now jf you do that
$ gpg --verify tor-browser-linux32-5.0.4.sig tor-browser-linux32-5.04_en-US.tar.xz
it will write GOOD SIGNATURE

Anonymous

November 13, 2015

Permalink

Since the update I cannot access a lot of sites or Chats? I get a Rotten Onion message stating US Jurisdiction prevents forwarding to site?

Anonymous

November 14, 2015

Permalink

hi. how risky is to use old tbb of 3.x.x OR 4.x.x . I know its bad... but does it automatic mean that you get hacked very easy?

Anonymous

November 19, 2015

Permalink

5.0.4 just won't open. 3 instances of Firefox open in the task manager, any ideas? Running on windows xp

Tor 5.04 worked the first time I used it. Then it wouldn't open. I also got several Firefox.exe in the task manager. Couldn't end the processes. My tor is stored on a flash drive. Deleting the Tor Browser is a pain. Deleti9ng the folder doesn't delete everything. Firefox remains. Because the firefox.exe is running, it won't let me eject my flash drive, safely. But I did, and then I restart my computer. Then I insert the flash drive and then right click on the Tor Folder and it is finally gone. I reinstalled Tor Browser 5.04 2 more times and I can't get it to open at all. So I deleted it two more times.

Anonymous

November 24, 2015

Permalink

hello please how can i remove this tor from my pc
today it came on my pc and destroyed totalz the function of my pc
please help me to remove this tor or rsa 2048 from my pc
thanks

Anonymous

November 28, 2015

Permalink

Wrong Exit Nodes

v. 5.0.4
ExitNodes {FI} takes me to Romania instead of Finland.

Checked this several times/days.
Very strange.
This did not happen with v.5.0.3

Anonymous

December 02, 2015

Permalink

Very strange. I updated long time ago. Today I started my PC (Win7), got Tor-Message about how I do connect to internet (options), but I havent't started Tor nor is it in the Autorun!

Antivirus says it's all okay and all program are patched. I did restart my pc and it didnt happen again. Tor is not running automatically in the process monitor. TY!