Tor Browser 5.0.5 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q), NoScript (2.7) and HTTPS-Everywhere (5.1.1). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes) and improved our fingerprinting defense against MIME type enumeration.

Tor Browser 5.0.5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features either Roger Dingledine, Laura Poitras or Cory Doctorow which is chosen randomly.

These and all the other changes (minor bug fixes and new features) can be found in the complete changelog since 5.0.4:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 16441: Suppress "Reset Tor Browser" prompt
    • Bug 17747: Add ndnop3 as new default obfs4 bridge

Software that works and does its job doesn't need to be updated.

Your statement is based on the fallacious premise that threat vectors and attack vectors remain the same.

We know that hackers and the NSA are refining their hacking skills by the day.

No; it depends on the scope of the software. If the software isn't on a potential attack vector it can't be used.
With that said, HTTPS-Everywhere is potentially on an attack vector.

A new version of HTTPS Everywhere was released today, version 5.1.2. Unfortunate timing for Tor Browser, which will be stuck on 5.1.1 for the next 6 weeks. I guess there isn't any release co-ordination between the two projects.

>stuck
Yes, this reminds me, does updating HTTPS Everywhere or NoScript in TorBrowser mean that the next incremental .mar file can't be applied, forcing the full .mar to be downloaded?

HTTPS Everyhwere is maintained by the EFF and Tor Browser is maintained by Torproject, two different organisations.

Anonymous

December 16, 2015

Permalink

Hello
The certificate in the signature cannot be verified
5.0.4 = OK
5.0.5 = Error
please check
URL : https://i.imgsafe.org/290ecde.png

Filename: torbrowser-install-5.0.5_en-US.exe
MD5: 4761aad6ab889de8cf225877885c8441
SHA1: e41fc5a4ee505f61102ac873a4c79263e5815475
CRC32: b68b9130

My operating system is Windows 10

Thank you

Anonymous

December 16, 2015

Permalink

hello

i asked a question via E-mail several days a go but i didn't receive any answer..i ask it again here ...hope to get an answer :

is telegram desktop safe using Tor ?(setting ip & port )

Specifically I want to know using Tor on Telegram desktop prevents
Snooping of My Traffic By ISP Or others? as regards there is no option
to select Remote DNS Similar to what exists in the browser !

Do not use Telegram. Ever. Even over Tor.

The problem with Telegram is the creators "rolled their own crypto" — in other words, they aren't cryptographers and they built their own crypto system instead of relying on well-tested systems. If you route Telegram through the Tor network, yes it will stop your ISP and other middlemen between you and the exit node from spying. But after the exit node, and especially on the Telegram servers, you should not trust that your communications are private; they are very likely being read by government agencies and possibly other malicious actors too.

Use Signal or an OTR client (such as Pidgin, Adium, Jitsi, Cryptocat, or Tor Messenger) instead for real privacy.

http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-supe…
http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-m…
http://thoughtcrime.org/blog/telegram-crypto-challenge/

Anonymous

December 16, 2015

Permalink

Hi gk

Thanks for the awesome product.

However we would appreciate it if Tor developers could come up with ways to mitigate the issues discussed in "Towards measuring unobservability in anonymous communication systems", Journal of Computer Research and Development, 2015, 52(10): 2373-2381.

The PDF version can be downloaded from: http://crad.ict.ac.cn/CN/abstract/abstract3031.shtml# The file size is about 6861 KB.

Thanks, we have seen that paper. As far as we know, it doesn't describe current abilities (the title says "towards"), but it is something to be aware of for the future.

obfs4 and ScrambleSuit actually already have the ability to modify their traffic signature, but it is currently turned off because we don't think censors are really capable of blocking traffic on that basis yet. But it is something we can turn on in the future when it becomes necessary.

You can see an example of timing and packet size obfuscation here:
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPlugga…

Anonymous

December 16, 2015

Permalink

My Tor Browser Bundle seems to have updated itself to 5.0.5. This is weird, it has never done this before. Was auto-updating introduced in 5.0.4?

Yes it has had auto-update turned on since several builds ago. If you prefer it not to, type about:config in the url bar, search for app.update.auto and set it to false.

Anonymous

December 16, 2015

Permalink

Panda Antivirus neutralized this Tor update. Bloody annoying antivirus, I should get rid of it.

Hey, this is just a friendly suggestion to switch to the fully free software Trisquel GNU/Linux and abandon your anti-virus. It will help freedom and also improve your security :)

Hey, this is just a friendly suggestion to switch to the fully free software Trisquel GNU/Linux and abandon your anti-virus.

Excuse me, I'd love to try Trisquel out but it doesn't seem to be updated regularly with security fixes, or does it?

Anonymous

December 16, 2015

Permalink

Still wont let you use keepshare or Oboom.com . Loads the captcha then fails. Older version and Mac version work but windows just fail

Anonymous

December 16, 2015

Permalink

My flash is no longer working. I need it working to play a game. It was fine in the previous versions. I have an up to date version of flash installed. I have checked in Tor options regarding blocking and can't see the problem.
Windows XP OS.
Cheers

Try to uncheck "Change details that distinguish you from other Tor Browser users" in Privacy and Security Settings

My flash is no longer working. I need it working to play a game. It was fine in the previous versions. I have an up to date version of flash installed. I have checked in Tor options regarding blocking and can't see the problem.
Windows XP OS.

Firstly DON'T ever use Adobe Flash. It's lots of security vulnerabilities and is the favorite software of hackers. Go read about what The Hacking Team did with Adobe Flash.

Secondly Tor is meant to primarily help people who genuinely need anonymity to communicate with others. We don't see how playing games is fulfilling one of the primary objectives of Tor. Please respect that. If you want people to respect you, you must learn how to respect others first.

In addition people like you who use Tor to play games are one of the causes of slow Tor connections. Please be civic-minded and unless you're the person who pays for all of Tor's bandwidth, you'd better be respectful of humanity.

Thirdly Microsoft has stopped issuing security fixes for Windows XP OS years ago. The company itself cautioned people against using it.

P.S.: We know who you're. In every new release of TBB you post messages like this one to try to ensnare unsuspecting Tor users to use defective software. Well, keep on trying. You're doomed to fail.

1. Indeed, yet Adobe Flash is needed to run most applications on the Internet

2. Around 90% of the people don't really use Tor for anonymity, considering that Tor Browser doesn't even grant it, on most occasions

3. Windows XP is the 2nd most widely used OS, even after its end of life. He may be living in India; in India, China and most African countries WinXP is still widely used, and in Cuba it's even more popular than Windows 7... with 41% of the OS market share...

same issue can´t find a solution or a previous version of tor, this just happened with the latest update, Win 7 OS

Anonymous

December 16, 2015

Permalink

sha256sum of torbrowser-install-5.0.5_en-US.exe is:
c717ca07aba66452ca237cb968d70a54ec968aeb0c2fa75953b968cd99c09b73, however, sha256sums-unsigned-build.txt says:
fb65e2a5af9a7d1a26fdadd712defdc06f2a51890a0a72508b9e8914f28f6d77 torbrowser-install-5.0.5_en-US.exe

The date of the binary itself is 2015-12-15 08:42, but the date of the sha256sums-unsigned-build.txt is 2015-12-12 15:54 -- was the binary rebuilt after the sha256sum file was generated?

Anonymous

December 16, 2015

Permalink

thanks again for churning out an excellent release just a day after i saw the prompt on my non-TBB firefox client to upgrade. the team has done an excellent job of closing this 'release timeline' gap!

Anonymous

December 16, 2015

Permalink

After this update, some Web sites are no longer displayed video. How to deal with it. Is it just me such a problem? And sorry for my clumsy English

Anonymous

December 16, 2015

Permalink

I am OK with donations but never donate to organizations
sporting some individual as a front, usually to much about their ego
and not about the core values.

I donated before, very small sums admittedly,
but will refrain from donating this time since
I do not like this campaign.

Will give more in the future though cause I love
the product.

Keep up the good work!