Tor Browser 5.0.5 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q), NoScript (2.7) and HTTPS-Everywhere (5.1.1). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes) and improved our fingerprinting defense against MIME type enumeration.

Tor Browser 5.0.5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features either Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.

These and all the other changes (minor bug fixes and new features) can be found in the complete changelog since 5.0.4:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 16441: Suppress "Reset Tor Browser" prompt
    • Bug 17747: Add ndnop3 as new default obfs4 bridge

Software that works and does its job doesn't need to be updated.

Your statement is based on the fallacious premise that threat vectors and attack vectors remain the same.

We know that hackers and the NSA are refining their hacking skills by the day.

No; it depends on the scope of the software. If the software isn't on a potential attack vector it can't be used.
With that said, HTTPS-Everywhere is potentially on an attack vector.

A new version of HTTPS Everywhere was released today, version 5.1.2. Unfortunate timing for Tor Browser, which will be stuck on 5.1.1 for the next 6 weeks. I guess there isn't any release co-ordination between the two projects.

>stuck
Yes, this reminds me, does updating HTTPS Everywhere or NoScript in TorBrowser mean that the next incremental .mar file can't be applied, forcing the full .mar to be downloaded?

HTTPS Everywhere is maintained by the EFF and Tor Browser is maintained by Torproject, two different organisations.

Hello
The certificate in the signature cannot be verified
5.0.4 = OK
5.0.5 = Error
please check
URL : https://i.imgsafe.org/290ecde.png

Filename: torbrowser-install-5.0.5_en-US.exe
MD5: 4761aad6ab889de8cf225877885c8441
SHA1: e41fc5a4ee505f61102ac873a4c79263e5815475
CRC32: b68b9130

My operating system is Windows 10

Thank you

Can you check what the differences are in the cert dialog between 5.0.4 and 5.0.5? All Windows 10 versions we tested on worked although we had one user in the alpha series with similar symptoms.

Edit: the 5.0.4 bundles can be found in https://dist.torproject.org/torbrowser/5.0.4

Hello

I asked a question via e-mail several days ago but I didn't receive any answer... I ask it again here... hope to get an answer:

Is Telegram desktop safe using Tor? (setting IP & port)

Specifically, I want to know whether using Tor on Telegram desktop prevents
snooping of my traffic by my ISP or others, given that there is no option
to select remote DNS similar to what exists in the browser.

Do not use Telegram. Ever. Even over Tor.

The problem with Telegram is the creators "rolled their own crypto" — in other words, they aren't cryptographers and they built their own crypto system instead of relying on well-tested systems. If you route Telegram through the Tor network, yes it will stop your ISP and other middlemen between you and the exit node from spying. But after the exit node, and especially on the Telegram servers, you should not trust that your communications are private; they are very likely being read by government agencies and possibly other malicious actors too.

Use Signal or an OTR client (such as Pidgin, Adium, Jitsi, Cryptocat, or Tor Messenger) instead for real privacy.

http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-supe…
http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-m…
http://thoughtcrime.org/blog/telegram-crypto-challenge/

for what definition of safe?

Don't use Telegram, it sucks pee pee

Hi gk

Thanks for the awesome product.

However we would appreciate it if Tor developers could come up with ways to mitigate the issues discussed in "Towards measuring unobservability in anonymous communication systems", Journal of Computer Research and Development, 2015, 52(10): 2373-2381.

The PDF version can be downloaded from: http://crad.ict.ac.cn/CN/abstract/abstract3031.shtml# The file size is about 6861 KB.

Thanks, we have seen that paper. As far as we know, it doesn't describe current abilities (the title says "towards"), but it is something to be aware of for the future.

obfs4 and ScrambleSuit actually already have the ability to modify their traffic signature, but it is currently turned off because we don't think censors are really capable of blocking traffic on that basis yet. But it is something we can turn on in the future when it becomes necessary.

You can see an example of timing and packet size obfuscation here:
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPlugga…

My Tor Browser Bundle seems to have updated itself to 5.0.5. This is weird, it has never done this before. Was auto-updating introduced in 5.0.4?

This happened to me too.

Yes it has had auto-update turned on since several builds ago. If you prefer it not to, type about:config in the url bar, search for app.update.auto and set it to false.

TBB defaults to auto-update, change app.update.auto to false (you can find it in about:config) if you want it to not auto-update.

update hardened channel please

It is in the works. I might be able to get to it today.

Panda Antivirus neutralized this Tor update. Bloody annoying antivirus, I should get rid of it.

Hey, this is just a friendly suggestion to switch to the fully free software Trisquel GNU/Linux and abandon your anti-virus. It will help freedom and also improve your security :)

>Hey, this is just a friendly suggestion to switch to the fully free software Trisquel GNU/Linux and abandon your anti-virus.

Excuse me, I'd love to try Trisquel out but it doesn't seem to be updated regularly with security fixes, or does it?

I get updates all the time, so I believe it is. Just wondering, what made you think otherwise? Hope you try some more free software out!

Still won't let you use keepshare or Oboom.com. Loads the captcha then fails. Older version and Mac version work but Windows just fails.

My flash is no longer working. I need it working to play a game. It was fine in the previous versions. I have an up to date version of flash installed. I have checked in Tor options regarding blocking and can't see the problem.
Windows XP OS.
Cheers

Me too!

I have the same problem

Hi, I am also having the same problem... any solution to it?

Try to uncheck "Change details that distinguish you from other Tor Browser users" in Privacy and Security Settings

Great! Now it's working :D

Where is this setting exactly?

Click the Tor Onion then "Privacy and Security settings"

I cannot see this option

>My flash is no longer working. I need it working to play a game. It was fine in the previous versions. I have an up to date version of flash installed. I have checked in Tor options regarding blocking and can't see the problem.
>Windows XP OS.

Firstly DON'T ever use Adobe Flash. It has lots of security vulnerabilities and is the favorite software of hackers. Go read about what The Hacking Team did with Adobe Flash.

Secondly Tor is meant to primarily help people who genuinely need anonymity to communicate with others. We don't see how playing games is fulfilling one of the primary objectives of Tor. Please respect that. If you want people to respect you, you must learn how to respect others first.

In addition people like you who use Tor to play games are one of the causes of slow Tor connections. Please be civic-minded and unless you're the person who pays for all of Tor's bandwidth, you'd better be respectful of humanity.

Thirdly Microsoft stopped issuing security fixes for Windows XP OS years ago. The company itself cautioned people against using it.

P.S.: We know who you are. In every new release of TBB you post messages like this one to try to ensnare unsuspecting Tor users to use defective software. Well, keep on trying. You're doomed to fail.

1. Indeed, yet Adobe Flash is needed to run most applications on the Internet

2. Around 90% of the people don't really use Tor for anonymity, considering that Tor Browser doesn't even grant it, on most occasions

3. Windows XP is the 2nd most widely used OS, even after its end of life. He may be living in India; in India, China and most African countries WinXP is still widely used, and in Cuba it's even more popular than Windows 7... with 41% of the OS market share...

Same issue, can't find a solution or a previous version of Tor; this just happened with the latest update, Win 7 OS.

Use a previous version of Tor located at this page: https://dist.torproject.org/torbrowser/5.0.4/ then disable auto updates until a fix is found; that is my only solution....

sha256sum of torbrowser-install-5.0.5_en-US.exe is:
c717ca07aba66452ca237cb968d70a54ec968aeb0c2fa75953b968cd99c09b73, however, sha256sums-unsigned-build.txt says:
fb65e2a5af9a7d1a26fdadd712defdc06f2a51890a0a72508b9e8914f28f6d77 torbrowser-install-5.0.5_en-US.exe

The date of the binary itself is 2015-12-15 08:42, but the date of the sha256sums-unsigned-build.txt is 2015-12-12 15:54 -- was the binary rebuilt after the sha256sum file was generated?

It has an authenticode signature added to avoid scary warnings if you start a .exe downloaded from the internet. See: https://www.torproject.org/docs/verifying-signatures.html.en for stripping that one off which should give you the same SHA256 sum.
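The mismatch discussed in the two comments above, as an added example (not Tor Project code and not part of the original thread): a signed installer carries an appended certificate table plus two changed header fields, and undoing those yields the bytes the unsigned checksum file describes. The function names and the sample image are constructed for illustration; the code assumes the unsigned build carried a valid PE CheckSum and that the certificate table is the tail of the file.

```python
import hashlib
import struct

def pe_offsets(pe: bytes):
    """File offsets of the CheckSum field and the Certificate Table directory entry."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+, else KeyError
    return opt + 64, dirs + 8 * 4                         # directory index 4

def pe_checksum(pe: bytes, csum_off: int) -> int:
    """Folded 16-bit word sum with the CheckSum field zeroed, plus the file length."""
    buf = bytearray(pe[:csum_off] + b"\0\0\0\0" + pe[csum_off + 4:])
    buf += b"\0" * (len(buf) % 2)
    total = sum(struct.unpack("<%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(pe)) & 0xFFFFFFFF

def strip_authenticode(pe: bytes) -> bytes:
    """Drop the appended certificate table and restore the header fields signing changed."""
    csum_off, entry = pe_offsets(pe)
    offset, size = struct.unpack_from("<II", pe, entry)   # a file offset, not an RVA
    if size == 0:
        return pe                                         # no embedded signature
    if offset + size != len(pe):
        raise ValueError("certificate table is not the tail of the file")
    out = bytearray(pe[:offset])
    struct.pack_into("<II", out, entry, 0, 0)
    struct.pack_into("<I", out, csum_off, pe_checksum(bytes(out), csum_off))
    return bytes(out)

def sha256_unsigned(pe: bytes) -> str:
    return hashlib.sha256(strip_authenticode(pe)).hexdigest()

def sample_pair():
    """Constructed sample: a bare PE32 header, then the same image with a fake table."""
    img = bytearray(0x200)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x80)      # DOS magic, e_lfanew
    struct.pack_into("<4s20xH", img, 0x80, b"PE\0\0", 0x10B)
    csum_off, entry = pe_offsets(bytes(img))
    struct.pack_into("<I", img, csum_off, pe_checksum(bytes(img), csum_off))
    unsigned = bytes(img)
    struct.pack_into("<II", img, entry, len(img), 16)
    img += struct.pack("<IHH", 16, 0x0200, 2) + b"FAKESIG!"   # placeholder, not a signature
    struct.pack_into("<I", img, csum_off, pe_checksum(bytes(img), csum_off))
    return unsigned, bytes(img)
```

For a downloaded installer, pass the file's bytes to `sha256_unsigned` and compare the result with the matching line in sha256sums-unsigned-build.txt. If the signing tool padded the file before appending the table, those pad bytes remain after stripping and the digest will still differ.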

Thanks again for churning out an excellent release just a day after I saw the prompt on my non-TBB Firefox client to upgrade. The team has done an excellent job of closing this 'release timeline' gap!

After this update, some web sites no longer display video. How do I deal with it? Is it just me with such a problem? And sorry for my clumsy English.

Do you have an example?

Try to uncheck "Change details that distinguish you from other Tor Browser users" in Privacy and Security Settings

there is no such uncheck in privacy and security settings...
where is it exactly?

no such thing in Settings!!

I am OK with donations but never donate to organizations
sporting some individual as a front, usually too much about their ego
and not about the core values.

I donated before, very small sums admittedly,
but will refrain from donating this time since
I do not like this campaign.

Will give more in the future though cause I love
the product.

Keep up the good work!