Tor Browser 5.0.6 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience.

This change is the only one in the changelog since 5.0.5:

  • All Platforms
    • Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag

The changes made in 5.0.5 are the following:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge
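
Bug 16990 in the Torbutton list above names a parsing pitfall: the text '250 ' also occurs wherever a relay nickname ends in 250. The sketch below is an added example, not Torbutton's code and not part of the original post; it assumes the fragile check was a substring match on control-port reply lines and contrasts it with line-anchored framing that is aware of data blocks. The nickname `relay250`, the fingerprints and all function names are constructed for illustration.

```javascript
// Added example, not Torbutton's code. Framing per Tor's control-spec: "250-" means
// more lines follow, "250+" opens a data block closed by a lone ".", and
// "250 " (status code, then a space, at line start) marks the final line.
const fp = (c) => "$" + c.repeat(40); // constructed placeholder fingerprints

// Constructed GETINFO circuit-status reply; one relay is nicknamed "relay250".
const SAMPLE_LINES = [
  "250+circuit-status=",
  `7 BUILT ${fp("A")}~guardA,${fp("B")}~relay250 BUILD_FLAGS=NEED_CAPACITY`,
  `8 BUILT ${fp("A")}~guardA,${fp("C")}~exitC BUILD_FLAGS=NEED_CAPACITY`,
  ".",
  "250 OK",
];

// Assumed fragile check: "250 " anywhere in a line ends the reply.
function naiveIsEnd(line) {
  return /250 /.test(line);
}

// Strict check: anchored to line start, and never applied inside a data block.
function makeStrictIsEnd() {
  let inData = false;
  return (line) => {
    if (inData) { inData = line !== "."; return false; }
    if (/^\d{3}\+/.test(line)) { inData = true; return false; }
    return /^\d{3} /.test(line);
  };
}

// Group incoming lines into replies using the supplied end-of-reply test.
function frameReplies(lines, isEnd) {
  const replies = [];
  let current = [];
  for (const line of lines) {
    current.push(line);
    if (isEnd(line)) {
      replies.push(current);
      current = [];
    }
  }
  return { replies, leftover: current };
}

console.log(frameReplies(SAMPLE_LINES, naiveIsEnd).replies.length);        // 2
console.log(frameReplies(SAMPLE_LINES, makeStrictIsEnd()).replies.length); // 1
```

With the substring check the reply is cut after the `relay250` line, so the second circuit never reaches the consumer as part of the same reply.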

It is for us civil rights; in the rogue states, it is the worst in a long time.
Tor is a free democratic tool; in a territory without constitution, laws, rules, it gives a little hope ... like a few centuries ago ...

new version will not let you update flash, why oh why did I update lol.

Another post by probably the same troll working for the NSA.

He encourages naive unsuspecting Tor users to use older versions of TBB which have security vulnerabilities.

> new version will not let you update flash, why oh why did I update lol.

There are a few posts above yours that spell out the dangers of using TBB with Adobe Flash.

Anonymous

December 25, 2015

Guys, today I discovered that bug #16990 is still present in 5.0.6. Right now my circuit display is gone.

I wanted to post this in the bug tracker but I can't access the multiuser account. Could you do something to prevent people from changing the password? (Assuming that's the problem.)

It was. However, the change doesn't look urgent nor interesting: https://www.mozilla.org/en-US/firefox/38.5.2/releasenotes/

Oddly, the non-ESR release (43.0.2) does have 1 security fix:
https://www.mozilla.org/en-US/firefox/43.0.2/releasenotes/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#f…

The advisory announcement 404s for me though:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

Still, reading the title I would hope it doesn't affect Tor Browser (MD5 should have been disabled completely long ago).

Anonymous

December 26, 2015

I'm wondering why the highest security setting in Tor should block HTML5 videos on YouTube. Is Java Script needed for HTML5 or something? I don't get why Tor can't accept HTML5 video. Any explanations would be very welcome.

Thanks. That works. I didn't realise you could manually whitelist sites as NoScript seems to be differently configured than in a non-Tor Firefox, where you're invited to build your whitelist in use, so I left it as it came default. I take it there shouldn't be a security problem whitelisting those two URLs to play HTML5 videos at YouTube?

Your question was already answered above, in the first reply. By using JavaScript you increase your risk of de-anonymization. The same goes for enabling multimedia playback (like HTML5 videos/audio). The reason is the same: you're increasing the attack surface by using vast sections of code (code with a reputation for having security holes, to boot).

> Is Java Script needed for HTML5 or something?

Firstly, JavaScript and HTML5 are two distinct technologies, meaning you don't need one in order to operate the other.

Secondly, JavaScript has been used by ill-intentioned folks such as hackers and the NSA to un-mask you, that is, identify you.

Anonymous

December 26, 2015

There are a lot of relays with "default" in their names, Windows 7/8 and Tor version 0.2.4.23(22). Reason?

Anonymous

December 29, 2015

Tor circuit seems to always include the USA for me. Is there any way to avoid a Tor node there?

Have you tried to change your DNS?
To set high level on the privacy setting tab?
To not be on Windows?
To not be working on a Lenovo laptop, e.g.?

> always include the USA
It is not at all fine.

Anonymous

January 01, 2016

I thought [forbid script globally] once was a default.
After the new update, I was using a default setting [allow Script globally], thinking
the default is set to [forbid script globally], which is very dangerous.

Anonymous

January 04, 2016

Tor biases exit selection to those having previously successfully handled exiting traffic in some interval.

Tor also shares this bias across all isolation contexts.

Mind you the defect is in Tor itself rather than Tor Browser. It wouldn't be uncommon to use the bundled Tor binary system wide.

This means isolation contexts may share exits, albeit on separate circuits, even if traffic routed is chosen from disjunctive sets. Take set www, and email and separate them by isolation context you see they share exits in a given interval. Use your imagination as to where this leads.

Preferably, bias should not be shared across isolation context. A bias property should be maintained for each isolation context. Although, understandably, it may not always be disjunctive across all contexts.

If it absolutely must be shared it should always prefer adding/using an exit with the narrowest routable exit traffic. So provided a set of exits that route traffic { {www}, {email}, {www+email} }, and bias must be shared, the current behavior selects {www+email} for all isolation contexts even if context_a is www only, and context_b is email only.

The goal is to improve anonymity, and reduce attack surface for fingerprinting. Do I make sense? English isn't my primary. Has it been studied? If so, where? If not, does it merit further investigation? It looks to be an important discussion?

#freerasool

Anonymous

January 05, 2016

There is a regression in this build or 5.0.5. When I try to use an obfs4 connection through a proxy with authentication it does not work anymore. I don't really know where the problem is but I'm sticking to 5.0.4 for the time being.

The only thing that comes to mind while looking at the changelog is the change in the default obfs4 bridges. Are you saying it does not work with any obfs4 bridge anymore? Are you using one of those shipped with Tor Browser?

Anonymous

January 05, 2016

Hello,
release note for Tor 0.2.7.6 -in TBB5.0.6- writes:
"...When we implemented the directory guard design, we accidentally started treating all relays as if they have the Guard flag...".

For the interested Tor user it would be really nice to have a simple convenient graphic overview about ALL flags for all relays.
There are only a few working torstatus.xxx.xxx sites and 'Flag' is sometimes INCOMPLETE )-:.

Anonymous

January 06, 2016

Unfortunately the Tor browser crashes a lot now with quite a few sites (like German computer news sites or flight search sites and so on). 5.0.4 was a lot more stable and I am considering returning to 5.0.4.

Anonymous

January 06, 2016

BUG: from version to version TBB cannot preserve screen resolution.
DESC: TBB starts with some of its default reso (1000*600, 1000*1000, etc - on diff PCs) with the ugly black bar under the bottom slider, but after some browsing (maybe HTML5 video or other activities, but without reso changes!) it becomes +30px higher (*630, *1030) and black bar disappears! ip-check.info detects it as fingerprinting vulnerability! Full screen video toggling has the same effect.
PC: Win XP SP3, 7 SP1, 8.1.3, 10; TBB 5.0.6 on defaults.
MISC: if this is not a bug then TBB must warn user of such behaviour as it does when user changes resolution!

Anonymous

January 07, 2016

Cloudflare has rapidly become the most annoying site in the world for Tor users. Is this being addressed? Whole swathes of the internet are becoming no-go zones. In some respects, I suppose one could say at least it is another site one is not being distracted by. Amazing how quickly one loses interest in a site one cannot reach in Tor. But, applying that logic, one may as well give up on the web altogether, which I sometimes think I may well do. Yes, Cloudflare is annoying.