Tor Browser 5.0.6 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience.

This change is the only one in the changelog since 5.0.5:

  • All Platforms
    • Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag

The changes made in 5.0.5 are the following:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge
Anonymous

December 17, 2015


Yikes!

So how does this release affect TAILS 1.8??

Should I wait for a newer version of TAILS instead of using 1.8?

Also, in TAILS 1.7, I couldn't view the main screen in HTTPS-Everywhere. It would only allow me to see the Observatory page. I could not access the first page to manage websites anymore. I reported this via their dev mailing list but no one responded. Please look into this.

Thank you!

AFAIK the maintainers from the EFF removed the website panel some time ago. It lagged the browser because of the huge amount of rules. I'm not a fan of this either but you can still view all rules on the HTTPS Everywhere Atlas.

Anonymous

December 18, 2015


Hi gk

Thanks for rushing out a fix for Bug 17877 and updating TBB to 5.0.6

I'm just wondering: maybe in your rush, you forgot to update HTTPS Everywhere to 5.1.2?

We were already building when I realized there is a new HTTPS-Everywhere version. As the fix in 5.0.6 is rather important and I have a hard deadline for getting all the releases out today this had to wait, sorry.

BUGS : linux x64

a _ https every-where does not keep the settings 'block all http requests' .
b _ https every-where does not move on red when 'block all http requests' is checked.

it did not happen with version 5.0.5.
this new release sounds to have been built quick & without care.

We did not change anything in 5.0.6 with respect to HTTPS-Everywhere. Just two tiny Firefox patches make the difference between both releases. Maybe you updated to HTTPS-Everywhere 5.1.2 meanwhile and the bug is in this new version of the extension?

i did not update it but , you are right , the version of https every-where is 5.1.2.
all is fine now.
thx.

We were already building when I realized there is a new HTTPS-Everywhere version.

Perhaps in the future, before you dish out a quick fix for the latest version of TBB as in this instance, you would like to post a blog, asking us what possible updates need to apply to the quick fix.

I think this is a community project, no? Communication should be both ways: between Tor developers and users.

What do you think?

Speaking just as a satisfied user, this isn't very practical. If they wait for input on every build, some random component is going to be updated during the process and they'll never ship a completed version. Just update the plugin if you can't wait until the next bundle.

How do I update the latest HTTPS plug-in in TBB 5.0.6? Pretty please...

Same way you would in regular Firefox: Options button/Addons then Extensions. Hit the little gear and then Check for Updates. And actually this procedure probably isn't even necessary because it looks like auto-updates are enabled for these components. Mine had already self-updated to 5.1.2 so you are probably already upgraded too.

Maybe you will like the tor-qa list?

https://lists.torproject.org/pipermail/tor-qa/

Flash player doesn't work for fb games

Flash Player is a security pitfall and has no place in Tor Browser Bundle

Please, for the love of *whatever deity have you*, do not use Flash in the TBB.
- It is a security nightmare, and
- It leaks your real IP address and other info outside Tor. Sure, you are using FB, that still means FB AND whatever sits between you and the FB servers now knows you are using FB games and your real IP address, making your use of Tor moot.

Unless you are carefully using something like Whonix, chances are Flash is leaking your real IP which means you might as well not use TBB at all for FB. If you really must have Flash over Tor, look into Whonix. There are more options if you are running Linux- google for "tor anonymizing middlebox" then.

After updating to the new version with the built-in updater, the search engine list is the same as in the last version. I found the search engine list in the TBB folder; each engine file includes a long special code, not as short as a usual URL. I think that, from time to time, the search engine can know your TBB version, as you use the old version's search plugin with the special code.

The only "long special codes" I see are the base64-encoded icons. As far as I know, these are only shown in the UI and not sent over the network.

The update process is very quiet, fast and secure so
it's not really a problem but for the builders to provide
as many updates as needed. The way it works right
now for us, users, is just so easy that you could update
twice a day without even noticing it.

OMG, what have you done??? Again Flash Player doesn't work...!!!! If you don't fix that, many users will stop using Tor. I have 5.0.4, and I will never update to another version if you don't fix Flash Player.

Nobody should ever use Flash with Tor, and nobody should continue using old and vulnerability-ridden versions of Tor Browser. Flash is far more dangerous over Tor than over a regular internet connection.

Again Flash Player doesn't work...!!!! If you don't fix that, many users will stop using Tor. I have 5.0.4, and I will never update to another version if you don't fix Flash Player.

1. Adobe Flash still has many unresolved security vulnerabilities, most of which are exploitable by hackers and the NSA. The latter embed malware in their Flash videos and when viewers such as yourself open and view them, your true IP location is unmasked.

Besides tinkering with Flash videos, the NSA also has a dedicated team whose task it is to encourage people to use Tor to view Flash videos. This is called social engineering. We aren't surprised if you're one of the people tasked to social engineer us for your own ends.

2. According to internal investigations by European governments led by the United States, Islamic State's jihadists, terrorists and suicide bombers are known to use Tor to view Flash videos. The contents of these videos are mostly about radicalizing Muslim fanatics to join Daesh (Arabic name for Islamic State.)

Members of Al-Qaeda's branch in Pakistan have been known to use Tor to watch Flash videos on recruitment and guides on bomb-making.

There's been an increase in the radicalization of Muslims in India. Islamic militancy is on the rise in the sub-continent.

Are you planning another Mumbai-style bombing in India or elsewhere? Just so you know, you and your ilk are giving Islam a bad reputation. Shame on you!

3. We still don't get it. Please explain to us how watching Flash videos fulfills the primary objectives of Tor.

4. Go ahead and use the older version 5.0.4 if you wish. You're on your own. Technical support isn't available for old releases.

So it's like this. I like to listen to the BBC Radio, but here in Vietnam my government blocks such websites. So I use Tor to access it. I'm not afraid of the government tracking me down and incriminating me or something like that; Vietnam isn't China, the government only goes so far in Internet censorship, they don't have the resources to implement any more exhaustive measures. However, BBC Radio needs Flash to run, and the new update of Tor isn't allowing me that option.

I understand and appreciate very much the importance of Internet privacy the team had in mind when developing this browser. But, to this extent, it's just counter-productive for me. I just wish users would be given the choice whether or not to use Flash on Tor, that's all.

Please, stop using Tor

Please, stop using Tor

A cry of desperation and exasperation from the NSA's troll, no doubt about it.

Most users now know about the dangers of using Adobe Flash with Tor, meaning that the NSA has failed in its social engineering mission to get TBB users to use Adobe Flash.

Flash Player hasn't worked on Tor Browser out of the box for years. 5.0.4 also doesn't allow Flash content without mucking around in the settings. This is intended behavior because Flash pretty much screws you over for anonymity.
Is it possible that it wasn't a flash app that was working but some sort of HTML5 app? If so, that might be useful feedback or even a bug.
If you really must use Flash with Tor, you need to look into a more complicated solution than just Tor Browser, because Flash will just disregard the proxy settings and connect directly as opposed to through Tor. In order to use Flash with Tor you're going to need something that forces traffic through Tor without the program noticing. For example, a torified VM.

I checked that no new vulnerabilities currently exist for firefox 38.5. Are known vulnerabilities only publicly disclosed after a fix is issued? Tails does this all the time, detailing problems with debian packages only after an updated version is released.
Are there databases that report unfixed vulnerabilities that are NOT engaged in weaponizing them?

I checked that no new vulnerabilities currently exist for firefox 38.5.

Oh, you did? Are you declaring 38.5 bug-free? I guess you meant "published" vulns. Also, "currently" there may not be. But between 5.0.5 and 5.0.6 there were (published fixes at least).

Are known vulnerabilities only publicly disclosed after a fix is issued? Tails does this all the time

It is common for Mozilla to embargo bug reports about exploitable vulns. These bugs have been announced, though.

Are there databases that report unfixed vulnerabilities that are NOT engaged in weaponizing them?

Probably. There are mailing lists.

The same as version 5.0.5, the first tor relay doesn't change at all when I restart tor, click new identity or new tor circuit for this site. This is happening on win xp, I don't know if this occurs in tails since the diagram showing the IP addresses of all relays in a circuit is not included. What's the reason for this?

The FAQ talks about "few relays", not a single one, as it seems to be the current situation: "The solution is "entry guards": each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop."
Maybe update the FAQ?

This is a security feature. By cycling through guard nodes (first relays) slowly, it statistically reduces the chance that your first relay will be owned by an attacker.

flash doesn't work anymore....

flash doesn't work anymore....

Stop trolling.

Just above your post there are many posts by various contributors warning users against viewing Flash videos on Tor.

New version works perfectly, thank you.

Sometimes I have to lower the security level, and then websites start to ask about saving HTML5 canvas. I can choose no, yes or never for this site.

How can I change it so that I will never be asked about this? I want always no. Thank you.

Why can't obfs4 and scramblesuit bridges obtained from https://bridges.torproject.org/ be used in China too now?

With this release, every time I open Tor my bookmarks bar and menu bar have disappeared and I have to right-click to check them again. In previous versions my choice to have them checked was remembered. Is this an intentional design decision, or a bug?

Update: the problem seems to be an effect of the donation appeal banner. Once I heard I could get rid of the damn thing by getting a new identity 10 times I tried it and now the menu and bookmark bars are back to stay.

How do you manage to face the new "zombie surveillance" capturing, injecting and decrypting everything?
I suggest you create an HTTPS proxy to load every page through.

@ my fellow paranoiacs:

I offer a lesson using GPG to check that you are about to install a genuine copy of the latest edition of Tor Browser Bundle.

Everyone should always check the detached signature against the tarball:

gpg --verify tor-browser-linux32-5.0.6_en-US.tar.xz.asc tor-browser-linux32-5.0.6_en-US.tar.xz
gpg: Signature made Thu 17 Dec 2015 12:57:12 PM PST using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

Paranoiacs also try to check that the signing key is genuine.

Here some confusion arises due to mention of a revoked subkey:

pub 4096R/93298290 created: 2014-12-15 expires: 2020-08-24 usage: C
trust: unknown validity: unknown
sub 4096R/F65C2036 created: 2014-12-15 expires: 2017-08-25 usage: S
sub 4096R/D40814E0 created: 2014-12-15 expires: 2017-08-25 usage: S
This key was revoked on 2015-08-26 by RSA key 93298290 Tor Browser Developers (signing key)
sub 4096R/589839A3 created: 2014-12-15 revoked: 2015-08-26 usage: S
[ unknown] (1). Tor Browser Developers (signing key)

Note carefully that the second output, while confusing, says that the revoked subkey is

589839A3

But the first output says that the subkey used to sign the tarball is

D40814E0

which remains still valid.

Roger explained previously that someone made a mistake which briefly exposed the private half of 589839A3, noticed the goof, and immediately revoked the subkey, which I agree was the proper response.

Hello fellow paranoiac,

Please stop using short key IDs. Either use the full key fingerprint (preferred) or the "long" key ID (--keyid-format long).

Regards.
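
An added example, not part of either comment above and not Tor Project code: a shell function that applies both points mechanically by reading gpg's machine-readable `--status-fd` output instead of the human-readable text. It pins the full primary key fingerprint from the output quoted above and rejects any signature gpg flags as made by a revoked or expired key; the sample status lines are constructed and `check_status` is a hypothetical name.

```shell
#!/usr/bin/env bash
# Primary key fingerprint from the gpg output quoted above, spaces removed.
PINNED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# check_status PINNED  (hypothetical helper, added for illustration)
# Reads `gpg --status-fd 1 --verify SIG FILE` output on stdin. Prints the full
# fingerprint of the (sub)key that signed and returns 0 only if gpg reported a
# valid signature whose primary key is PINNED and never flagged the signature
# or the signing key as bad, revoked or expired.
check_status() {
    local pinned="$1" prefix tag signer="" primary=""
    local f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 extra
    while read -r prefix tag f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 extra; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            # A revoked-key signature is still cryptographically valid,
            # so it must be rejected explicitly.
            BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG|EXPSIG) return 1 ;;
            # VALIDSIG: field 1 is the signing key, field 10 the primary key.
            VALIDSIG) signer="$f1"; primary="$f10" ;;
        esac
    done
    [ -n "$signer" ] && [ "$primary" = "$pinned" ] || return 1
    printf '%s\n' "$signer"
}

# Constructed status lines (not captured from a real gpg run).
# 1) Signed by the still-valid subkey whose fingerprint is quoted above.
GOOD_STATUS='[GNUPG:] GOODSIG 2E1AC68ED40814E0 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG BA1EE421BBB45263180E1FC72E1AC68ED40814E0 2015-12-17 1450385832 0 4 0 1 8 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# 2) Signed by a revoked subkey; the all-A key ID and fingerprint are placeholders.
REVOKED_STATUS='[GNUPG:] REVKEYSIG AAAAAAAAAAAAAAAA Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2015-12-17 1450385832 0 4 0 1 8 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# 3) Valid signature, but from a different primary key (placeholder all-B values).
WRONG_PRIMARY='[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Someone Else
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2015-12-17 1450385832 0 4 0 1 8 00 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

# Real use, with the file names from the comment above:
#   f=tor-browser-linux32-5.0.6_en-US.tar.xz
#   gpg --status-fd 1 --verify "$f.asc" "$f" 2>/dev/null | check_status "$PINNED_FPR"
```

The pinned fingerprint only helps if it was obtained through a channel independent of the download itself.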

Hi There,
Since upgrading to 5.0.6 I have been unable to access comments on The Guardian website. I can still login and see my comments, but the comments section in articles won't load.
I tried with 5.0.4 and they worked again.
Is there a setting I can change to get comments loading?
I have tried dropping the security level to low (from medium) and allowing cookies and tracking, but they won't load.
Thanks.

Is there a setting I can change to get comments loading?

Not only The Guardian but also tons of other online news websites that employ thousands of trackers, cookies, web bugs, etc... to un-mask you.

Did you know that as soon as you load comments in The Guardian it can pinpoint your geo-location with relative accuracy?

it means that these sites are compromised/under survey/busy/for closed friend/private ( it is not coming from your browser ) Contact their admin. Try later. Avoid it. You are not maybe anymore tolerated.
geo location is a big troll like corrupted opinion/advices.
so , what is your address/latitude/longitude lol ?