Tor Browser 5.0.6 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience.

This change is the only one in the changelog since 5.0.5:

  • All Platforms
    • Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag

The changes made in 5.0.5 are the following:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge

Not only The Guardian but also tons of other online news websites that employ thousands of trackers, cookies, web bugs, etc... to un-mask you.
Did you know that as soon as you load comments in The Guardian it can pinpoint your geo-location with relative accuracy.

Citation needed

"Did you know that as soon as you load comments in The Guardian it can pinpoint your geo-location with relative accuracy."

Is this while using Tor? What's on the Guardian that can pinpoint your geo-location? Flash?

Tor is perfectly useable; it's the websites that you're visiting that aren't. Complain to them. Contact the website's admins and request that they change their settings.

Anything more constructive I can suggest to them than "Dear sir or madam, please stop using Cloudflare. kthx" ? Because that will get exactly nowhere.

> Contact the website's admins and request that they change their settings.

Yeah...like that's gonna happen anytime soon....

They'll tell you to either use another "friendly" browser or move on. They don't need your business and support.

And Tor is more than a browser; just like they don't need your business and support you can choose to use and support more friendly websites.

I know that it isn't easy, but usually you can find alternatives that may be less popular but have most of the same functionality.

Also, smaller websites have a tendency to listen more to individual users.

Anonymous

December 20, 2015


Just go to the bottom of the page at an article on The Guardian and click View all comments >; you don't even need to allow any scripts to do that.

Anonymous

December 20, 2015


I don't get the point in this release at all.

What does "using the wrong Mozilla build tag" mean?
Mozilla did release another version of Firefox that you missed?

What were the differences between the first mozilla version and the second version of Firefox that day?
Was it one issue or were it multiple issues?
Were they important or not?

One time Gk says the fix (one?) "is rather important", another time he speaks of "Just two tiny Firefox patches make the difference between both releases."

I don't get the point at all.
Reason why I also think that it is important to clear this out (if that is the English expression) is that Tails has a builtin Torbrowser version that is not accurate.
Again.

My questions also therefore are:
Is it safe to browse with the 5.0.5 version or not?
Is it essential to use the 5.0.6 version?
What is the actual difference between these versions, I do not see the technical implications of "using the wrong Mozilla build tag".

Could (would) someone please explain this?
Thank you very much.

It means we forgot to include two important but small security fixes in 5.0.5 as Mozilla basically made a new candidate build available the same day they shipped their final 38.5.0esr release and we missed that. So, 5.0.5 is not secure and should not be used. 5.0.6 is the strongly recommended version.

The difference between 5.0.5 and 5.0.6 is that the latter contains

https://hg.mozilla.org/releases/mozilla-esr38/rev/f6c1116a4295 and
https://hg.mozilla.org/releases/mozilla-esr38/rev/57d0fb011812

additionally.

Thank you very much for answering.
After my post with this question I saw there was actually a new version of Tails on Dec 19th with Torbrowser 5.0.6 included. I had missed that because I did not know, and thus did not expect, that Tails is actually prepared to make exceptions in their release schedule. Practical issue solved and my apologies for bothering you with this question.

> I don't get the point in this release at all.

Can you read? It says in the post:

"This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience."

> What does "using the wrong Mozilla build tag" mean?

The 5.0.5 release is based on an outdated Firefox build.

> Mozilla did release another version of Firefox that you missed?

Yes (they missed it).

> What were the differences between the first mozilla version and the
> second version of Firefox that day?

Security fixes. Read.

> Was it one issue or were it multiple issues?

Multiple. Read.

> Were they important or not?

They are security vulnerabilities, of course they are important.

> One time Gk says the fix (one?) "is rather important", another time he
> speaks of "Just two tiny Firefox patches make the difference between
> both releases."

Well, both statements are correct. The fixes are important and the delta is small.

> Reason why I also think that it is important to clear this out (if that is the
> English expression) is that Tails has a builtin Torbrowser version that is
> not accurate.

Tails 1.8.1 includes Tor Browser 5.0.6: https://tails.boum.org/news/version_1.8.1/index.en.html

> Is it safe to browse with the 5.0.5 version or not?

NOT SAFE!

> Is it essential to use the 5.0.6 version?

YES!

> What is the actual difference between these versions

See the links in the post.

> Could (would) someone please explain this?
> Thank you very much.

You're welcome.

Anonymous

December 20, 2015


Hello users of TorProject,
I have a great concern, and I would like someone to answer my big question,
because when I go to check my IP at
this site: http://ip-check.info
and sometimes here: https://torcheck.xenobite.eu/index.php
this is what happens:
http://pixs.ru/showimage/01jpg_8855641_19951902.jpg
...and my text:
http://pixs.ru/showimage/02jpg_9039700_19951906.jpg

Of course, even with this error, the IP shown is not my real IP,
and I feel good about that,
but is this only a bad configuration of my TBB, or is this for everybody?
I hope for answers.
Thanks!

Anonymous

December 20, 2015


You say Tor fails when the attacker can see both ends of the communications channel. Now the first tor relay doesn't change. Let's do this with the last tor relay for Uncle Sam? He can see both ends of the communications channel via transatlantic cables, and the only problem was to correlate huge internet traffic, and this problem almost solved since the first tor relay doesn't change.

When were entry guards made? I want to know the date, before or after the attack on Freedom Hosting?

"this problem almost solved since the first tor relay doesn't change" is not obviously true. Or rather, it is almost the same as saying "this problem almost solved since the client location doesn't change" -- which brushes a lot of the hard part about the problem under the rug.

For much more on this topic, you should see this earlier blog post:
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…

As for when entry guards were added into Tor? Long ago -- 2006 ish.
http://freehaven.net/anonbib/#hs-attack06

It's a valid question. Even the FAQ talks about "few relays", not a single one, as it seems to be the current situation: "The solution is "entry guards": each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop."
Maybe update the FAQ?

With the previous version I was having that problem but the latest version changes the entry guard.

I've had an increase in having all 3 relays located in the same country, from a security perspective I can't work out whether that's a good thing or bad.

I do wish Tor allowed us to add additional relays, maybe using hidden services as web proxies (like an exit node) .. I'd imagine that would help hide hidden services more if paranoid users were allowed to have 6 total relays.

Anonymous

December 20, 2015


I have a specific use for Flash in a Whonix VM environment and now Flash doesn't work?

I specifically downloaded Tor, enabled plugins and asked to enable Flash. I don't care that Flash is compromised from the get go. This is a disposable torrified VM.

Too many stupid comments about how "crap" flash is. Of course it is crap, now let me use it if I want to!

> I have a specific use for flash in a whonix vm environment and now flash doesnt work?

You should ask for help from Whonix developers about your Flash issue, not on this Tor blog. The latter is specifically for Tor users who do not use TBB in a VM, Whonix, Qubes or Tails.

> Too many stupid comments about how "crap" flash is. Of course it is crap,

So you yourself have admitted to making stupid comments?

Please stop trolling on behalf of the NSA.

On the TBB privacy panel, set security level to Low, uncheck "Disable browser plugins..." and "Change details that distinguish..." But like everyone said, don't do this unless you are running flash inside a dedicated VM with a Tor gateway/proxy like Whonix. It's very easy to shoot yourself in the foot.

Even if it is a disposable torrified VM doesn't mean you aren't at risk. A vulnerability in flash could be used to download and execute a program to break out of the VM and therefore have access to your underlying OS.
VMs are nice, but they're not perfect.

Anonymous

December 21, 2015


I am in Love with my Tor Browser, kiss kiss...I'm in Love with my VPN, kiss kiss...I hate my Mac with a passion, it's programmed to always turn wifi on at the router, the only one my ISP allows (theirs) so I put it in a Faraday Cage...anyone not using Tor is not reading the Real news...I'd Love to Donate but am a disabled shut-in that is dirt poor, I really am sorry but all I can send is Love and advise others to use Tor...

> I really am sorry but all I can send is Love and advise others to use Tor.

Thank you, thank you, thank you.....

Hallelujah.....Edward Snowden be praised. We need lots of Torevangelists like you to spread the gospel (a/k/a good news) that we, mere mortal users of the internet, can be free from the yoke of mass surveillance, trans-boundary snooping and invasion of privacy. Tor gives us liberte, fraternite and egalite.

P.S.: Admiral Michael S. Rogers sends you his regards.

Adm. Rogers should be court-martialed on charges of aiding and abetting terrorism. And we are working to see that he, John Brennan, and other state-sponsored crime lords are brought up on war crimes charges at the Hague. Because unlike him, we are law-abiding citizens who oppose terrorism.

VPNs are not a secure way to communicate. There are a lot of fake memes out there promoting them as a way to be anonymous online. They don't work.

Cloudflare need to stop treating the Tor network as a threat. Also, Disconnect.me needs to change their website to work without Javascript and cookies. It's stopped working now - I have to use startpage now

I'd say it's more accurate to say Cloudflare is blocking the Tor network from accessing Mozilla's website than it is to say Cloudflare is blocking the website itself. It may seem like semantics but it's important to realize that the issue is with the software running on the website, not with Tor itself.

On that note, Mozilla might actually listen to the Tor Project about the issue. Maybe it's time to fire off an official email?

Anonymous

December 21, 2015


How do you change the user agent string?

------------------------------
Can users change their fingerprints?

In some ways, yes. By installing new fonts or new plugins the fingerprint changes. It’s also possible to fake the user agent string, that is, you can pretend you’re using a Firefox browser on a Mac OS X machine but in fact you are using Chrome with Windows. Some browsers let you alter the User-Agent string. But that’s not always a good idea since the functionality of some websites depends on a correct user agent. In general, changing your system or browser settings affects your browser fingerprint but every setting that differs from the default setting makes a browser fingerprint more unique.

Anonymous

December 22, 2015


You want this config?
security.tls.unrestricted_rc4_fallback == true

Anonymous

December 22, 2015


Does the issue discussed above regarding Flash affect Gnash as well? I mean, if Gnash is used in Firefox (not Tor Browser) with a VPN, for example.

> Does the issue discussed above regarding Flash affect Gnash as well?

Gnash, like Adobe Flash, uses ActionScript.

Even using a free open source software (FOSS) like Gnash to view Flash videos is risky. Hackers and the NSA have been known to embed Flash videos with malware so much so that your real IP geolocation may be revealed.

Well, Gnash doesn't use the same implementation of ActionScript as Flash, so it shouldn't have the same vulnerabilities; ergo, malware designed to work with Flash could easily fail to work with Gnash.
With that said, last I checked Gnash wasn't under active development, so any known vulnerabilities probably haven't been patched...

Anonymous

December 22, 2015


Please add a niche function to let us use double relays (6 total) for paranoid users? A network of hidden services acting as exit nodes would be good.

I believe that a three relay circuit isn't enough for home users because the middle relay is in a position to know with certainty both ends of the circuit. Tor fails when an adversary can monitor both ends, and knowing both ends is an obvious first step toward that goal. I think that the standard number of relays should be four.

Anonymous

December 22, 2015


Both v5.0.5 and v5.0.6 freeze on Youtube again.

This bug was resolved a long time ago, then reintroduced since v5.0.5. The behavior is exactly the same, so it's the same bug.

Jumping around a video will cause it to freeze, and any other video you have open will continue to play for a while then freeze as well, but the audio will continue playing. Lastly, no new video will start.

Selecting the lowest resolution will prevent this from happening (e.g. 140p), so it apparently has something to do with automatic resolution changes.

Creating a "New Identity" doesn't fix the problem.

Could you post a link to a video on Youtube where this is definitely not happening with 5.0.4 but with 5.0.6?

I'm guessing the OP was trying to watch Flash videos on Youtube using TBB.

The OP could be the same troll who works for free for the NSA and who has been posting messages either encouraging users to use Adobe Flash or complaining about Adobe Flash being screwed up by TBB.

(Trolls fall into two broad categories: smart trolls and stupid ones. The smart ones are rewarded handsomely for their work, for example, they each rake in at least half a million USD per year. On the other hand stupid trolls are willing slaves who work for free.)

My OS is Win7 64bit, using HTML5 (no flash).

The specific video isn't relevant. I used a clean extraction of Tor 3x in a row (both v5.0.5 and v5.0.6).

I then opened 3 random videos and after buffering for a while jumped to the end of a buffer. Within a few times the video froze (audio did not) and any new video wouldn't load.

I reported this exact behavior about 12 versions ago and you guys fixed it, and now it's back.

Like I said, forcing the lowest resolution for the 1st video (e.g. 170p) keeps this from happening (since all subsequent videos also load at this resolution). So Youtube's automatic resolution switches appear to have something to do with this bug. It's crashing HTML5, and subsequently doesn't work on other sites as well.

No problem on Mac OS X. Video playing works fine.
Even on older OS X versions, no problem at all.
Be smart in choosing which JavaScripts you are allowing with video viewing.
No Flash plugin needed at all.

> Both v5.0.5 and v5.0.6 freeze on Youtube again.

You did not specify the format of the video that you were watching on Youtube.

Were you trying to watch Flash videos on Youtube?