Tor Browser 5.0.7 is released

Update: Clarify that the crash bug requires Javascript to be exercised.

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features an important fix for a crash bug in one of our patches. All users are encouraged to update immediately as this bug is probably exploitable if Javascript is enabled. The bug was not exploitable at High security level, or on non-HTTPS websites at Medium-High security level.

Here is the complete changelog since 5.0.6:

  • All Platforms
    • Update NoScript to 2.9
    • Update HTTPS Everywhere to 5.1.2
    • Bug 17931: Tor Browser crashes in LogMessageToConsole()
    • Bug 17875: Discourage editing of torrc-defaults

January 07, 2016


"Bug 17875: Discourage editing of torrc-defaults"

I really like the possibility to edit torrc, depending on the usage and risk calculation in case.
What I really hate though and would like to know if there's an answer to that, is how I can manage choosing my entry nodes. To be more specific, avoiding using services in so called western democracies like ultimate wire tapping king UK for example.

They probably keep a nice list of all people using Torbrowser by registering people contacting entry nodes in the UK and share that info with all their partners in legal crime.
I allmost would consider, as a way of speaking, using an entry node in NK than a growing list of western countries that are preparing laws to make it possible to wire tap the complete communication in their country and everything that is trespassing.
I assume that when a country is wiretapping all communication it's very important to not use an entry and exit node in the same country at the same time because of the risk connecting entry an exit node information to unanonimise people.

Would a Torbrowser model be thinkable where users could choose a region, in the meaning of a cluster of countries, for their entry node and the same thing for their exit nodes?
To illustrate the idea behind this situation, I would be more comfortable with the idea to use an entry node in Russia and using an exit node in the US while living in Portugal then living, let's say, in Ireland and using an entry and exit node in the UK.
I realize that this way of thinking is maybe not exactly matching the principle of getting the Torbrowser user group as identical as possible, but maybe the above concept is not a big threat to that at all and could also protect people in pseudo democracies more then maybe now.

I'm not an expert while you and many others probably are, so I am very open to the pros and con's to this idea.
Thank you for reading and maybe answering in advance.
All the best,

This is exactly what I thought too.

It is absolutely stupid to allow exit-nodes in the UK, or other countries which have already turned into total-surveillance-states.

Also i totally dislike that you always get an "entry-node" (? not sure if term is correct) in the same country where you are located at the time you open TOR-Browser.

I would like to use the eastern-european countries (or russia) for much more safety !

And i dont care if they are much slower !

Let the guys who insist to download warez through TOR download it from fast NSA servers.

And the rest, who want "a bit more privacy" chill at slow but secure speeds in other parts of the world ;-)

Let us have an actual CHOICE !

But, if my suggestion is contra-productive : Make TOR as unbreakable as possible !!!

Thanks for all your efforts so far, without TOR the whole Internet would have already turned into being merely "a marketplace" for capitalist shit goals anyways ;-)

Using an entry node in Russia makes it a certainty that your traffic to the entry node will be captured and stored indefinitely.

If the entry node is in the same country, there is a chance that it won't be.

> you always get an "entry-node" (? not sure if term is correct) in the same
> country where you are located at the time you open TOR-Browser.

This is false.

Conversely the use of UK nodes leads to divide and conquer. Such adversary then need to invest greater effort in monitoring not just UK nodes, but every other. It becomes more of a challenge to perform analysis without breaking crypto. As long as the exiting traffic, from a UK node, doesn't contain identifying info, and provided the traffic doesn't end up at a UK business (or 5eye). If a % of tor client suddenly avoided UK node, or exit, it would make the job of this adversary easier against all others.

The fact that relay selection is random rather than user-selected is an important security feature. An adversary able to guess the relays in a particular user's circuits can focus their efforts on those relays. Additionally, statistically anomalous relay selection leads to the intersection attack described above wherein users (or their reasons for using Tor) may be identified with some degree of confidence based on which relays they choose.

Agreed. Now, more than ever, we are stronger standing together. You'll recall not too long ago many of these adversaries conducted surveillance under the cover of blanket national security directives. Now they do the same thing after public disclosure. Why? This implies they may intend to create the heightened paranoia that causes Tor client to avoid nodes of interest.

Not that I don't see a reason for concern. As described in a comment below, the behavior of NodeFamily needs re-evaluation against modern adversaries. In the case of any potentially adversarial node a defensive stance should be easily obtainable by torrc config. Rather than force a client to avoid (i.e) UK exit, or all (i.e) UK node, NodeFamily (or some other option), should prevent multiple (i.e) UK node in a given circuit. It's a slight refinement and, provided geoip data is accurate, makes it harder for potential state adversaries to get a chain of nodes in a geo-location, also having well behaved and predictable timing characteristics. I see three potential discussion points:
1. Adjust the NodeFamily behavior for all uses of the torrc option. Make the above proposed behavior the default.
2. Introduce an additional torrc option to enable the proposed new behaviour. Make it optional.
3. Allow NodeFamily, ExcludeExitNodes, and ExcludeNodes to be specified for particular isolation. This may be of use in tbb+system tor implementations, or where exiting traffic touches adversary-friendly entity and the lack of ephemerally secured communication exists for some streams.

I don't mind writing some code. One of these days I'll cross-post to mailing list and make the request on trac.

I assume that when a country is wiretapping all communication it's very important to not use an entry and exit node in the same country at the same time because of the risk connecting entry an exit node information to unanonimise people.
And middle node too.

Perhaps it would be possible to avoid a global monitoring Tor.

"open to the pros and con's to this idea."

Not so bad as it sounds?

Bug 17875: Discourage editing of torrc-defaults
torrc-defaults gets overwritten during update
"...torrc, not torrc-defaults..."…

"Bug 17875: Discourage editing of torrc-defaults"

How is this discouraged? Editing torrc is important for me.

Do edit torrc if you need to. As the text after the bug number and the colon says, editing *torrc-defaults* is discouraged.

" this bug is probably exploitable if Javascript is enabled"


so what should we do with this new version 5.0.7? you guys think its safe still?


January 07, 2016

In reply to by Anonymous (not verified)


We plan to update NSS in the next regular release:

"We plan to update NSS in the next regular release"

Ok, but the critical question is:
Surprising use of MD5 is visible, in Security - Technical details, or not?

WTF? It's not an attack! Weak cipher suites were disabled long time ago!

Javascript? Always disabled. ;-)

Does anyone know more about this Tor Browser exploit from February 2015?…

It's been a few weeks since I noticed that Disconnectme is returning far fewer results than it used to. I guess the men behind the curtains are messing with it too.

I contacted the people and they told me that this was caused by SEO bots hitting them. As the result they had to put in mitigation strategies to cope with Google's bot detection mechanisms. They are working on a permanent fix for this problem. Other search engines offers should be not affected.

How can I open the *.mar files downloaded from the distribution directory?

If you are asking this question my guess is that you do not actually need or want to "open" them.

If you actually know what you are doing, check the "mar tools" package, also in the distribution directory.

I find the network traffic of inside updater updating Tor Browsers is about 10 times faster than I download something from any website including torproject itself, do you notice that?

Is it updating via Tor or not? Can tor developers make sure it still downloads via Tor or whether it is accidentally bypassing?

The UI does not tell you how much data you're downloading, so you can't say what the speed is. The reason it takes apparently little time is because the updater does not download the entire Tor Browser but only a "patch".

Here are some of our favorite tools that you can try:

Internet Service Provider (ISP): Sonic
Wireless provider: Cricket
Encrypt an email account you already have: Thunderbird with Enigmail; Mac Mail with GPGTools; Outlook with GPG4Win
Private email clients: Unspyable, Countermail, or Shazzle
Search engines: Ixquick and DuckDuckGo
Mobile calls: RedPhone, Silent Circle
Android proxy: Orbot
iOS proxy: FoxyProxy (configure it as a proxy, not a VPN)
Mobile photos: ObscuraCam
Text messaging: TextSecure
Online tracker blocking: our very own DNTMe
Web-based chatting: Adium with OTR, Cryptocat
Mobile chatting: ChatSecure (iOS)Virtual private networks (VPNs): iVPN, Private Wifi
Hard drive encryption: TrueCrypt
Web browser: Tor Browser (and Mozilla’s Firefox is the best major browser on privacy)
Mobile browser: Onion Browser (iOS), Orweb (Android)

Redphone is Signal now.

How the way you type can shatter anonymity—even on Tor…

There are also stylometry attacks, the way you style your writings and other forms to attack you personally.

ExcludeNodes and ExcludeExitNodes by country does not work

NodeFamily also has a long standing problem. It considers the comma separated values as part of a declared family. It does not consider entire sets of node from a country, declared as an element, to form a family.
`NodeFamily {us}, {gb}, {ca}, {nz}, {au}` will avoid circuits where a node from each element appear. It will not prevent multiple node from each element. Meaning although us and uk node won't be used in a circuit, uk or us can easily appear more than once in a given circuit.
Surprisingly, no ticket was found. Is this intended behaviour, or should it be ticketed....

one question:
Some applications need to "proxy authentication" when communicating with "Tor Browser"
When questioned username and password, what should we do?
Thank you

Click on the green onion after you started Tor Browser and there choose "Tor Network Settings..." and check "This computer needs to use a local proxy to access the Internet". There you can enter your credentials.

You can do this on your very first start as well with the Tor Launcher wizard if you choose the configure option and are not trying to connect directly to the Tor network.

My computer is connected to the Internet without proxy
I want "RSSOwl" get internet from "Tor Browser"
How do I do this?

hey bros, when I ask for obfuscated bridges it is only giving me one, the same one, for the past 24 hours.

I would say this is probably intentional, to prevent abuse from censors.

Where is the version / integration?

There is none we provide as Tor Browser is meant to be portable itself.

How can one get little older 5.0.4 linux 64bit bundle. Is there any way to get that version?

If NIT is based on flash how can they hack android users?

Will they release Tails 1.8.2 ?

We have a few years now with many serious bags not yet fixed:

Many of these serious issues are 3 years old, they go from release to release. Will they be fixed? If yes, then when?

The latter is supposed to get fixed in the upcoming 5.5 stable release and should be no issue anymore in the current alphas. Not sure about the former yet. There is no ETA for them. Patches are welcome!

Thank you for the reply! As I understand, the first issue (distinguishing Windows from Linux when JS is enabled) will not be resolved in foreseeable future. :-(

It seems they can still track you with Tor. It is called a browser fingerprint. People are using Random Agent Spoofers now, which is an extension add on.