Tor Browser 5.0a1 is released

The first alpha release in the new 5.0 series of the Tor Browser is now available from our extended downloads page as well as the distribution directory.

Tor Browser 5.0a1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.

In addition to including all of the fixes that were present in the 4.5.1 release, this alpha release also features some additional privacy defenses.

In particular, this release re-enables the automatic window resizing fingerprinting defense that first appeared in 4.5a4. This defense can be disabled by setting the about:config pref extensions.torbutton.resize_windows to false, but please first report any issues you encounter on the feature's trac ticket.

This release also introduces a new defense against various forms of performance fingerprinting and time-based side-channel attacks. A handful of new attacks have been published recently that take advantage of JavaScript's high-performance timers to determine hardware performance, perform keystroke fingerprinting, extract history information, and even steal sensitive data from memory. Because this defense reduces the resolution of time available to JavaScript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps, we are especially interested in hearing any reports about issues with HTML5 video, animation, or game sites. Hopefully you will have as much fun testing this defense as we will!
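
To see what the coarser clock does to a timing measurement, here is an added JavaScript illustration (not Tor Browser's code). It assumes clamping is a simple round-down to a multiple of the resolution; the function names and the sample timings are constructed for this example.

```javascript
// Added illustration (not Tor Browser source): effect of coarse timer resolution.
const TIME_RESOLUTION_MS = 100;     // all time sources, per the release notes
const KEYPRESS_RESOLUTION_MS = 250; // keypress event timestamps, per the release notes

// Assumption: clamping is modelled as rounding down to a multiple of the resolution.
function clampTime(ms, resolutionMs) {
  return Math.floor(ms / resolutionMs) * resolutionMs;
}

// Duration a script would compute from two clamped clock readings.
function observedDuration(startMs, endMs, resolutionMs) {
  return clampTime(endMs, resolutionMs) - clampTime(startMs, resolutionMs);
}

// Intervals between consecutive clamped event timestamps.
function observedIntervals(timestampsMs, resolutionMs) {
  const clamped = timestampsMs.map((t) => clampTime(t, resolutionMs));
  return clamped.slice(1).map((t, i) => t - clamped[i]);
}

// Constructed sample: operations with true durations of 2 ms and 40 ms,
// started at arbitrary points on the real clock.
const operations = [
  { startMs: 1003, trueMs: 2 },
  { startMs: 1210, trueMs: 40 },
  { startMs: 1455, trueMs: 2 },
  { startMs: 1671, trueMs: 40 }, // 1671 -> 1711 crosses a 100 ms boundary
  { startMs: 1899, trueMs: 2 },  // 1899 -> 1901 crosses a boundary too
];

// Observed duration of every operation at the given clock resolution.
function measureAll(ops, resolutionMs) {
  return ops.map((op) =>
    observedDuration(op.startMs, op.startMs + op.trueMs, resolutionMs));
}

// Constructed sample: keypress times with true gaps of 95, 140, 180, 210 ms.
const keypressTimesMs = [0, 95, 235, 415, 625];

console.log("true durations:    ", operations.map((op) => op.trueMs));
console.log("observed (100 ms): ", measureAll(operations, TIME_RESOLUTION_MS));
console.log("observed key gaps: ",
  observedIntervals(keypressTimesMs, KEYPRESS_RESOLUTION_MS));
```

Run under Node.js, each single reading comes back as 0 or 100 ms regardless of whether the operation took 2 ms or 40 ms, and the keypress gaps come back only as 0 or 250 ms.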

Here is the complete list of changes since Tor Browser 4.5:

  • All Platforms
    • Update Firefox to 31.7.0esr
    • Update meek to 0.18
    • Update Tor Launcher to 0.2.7.5
      • Translation updates only
    • Update Torbutton to 1.9.2.5
      • Bug 15837: Show descriptions if unchecking custom mode
      • Bug 15927: Force update of the NoScript UI when changing security level
      • Bug 15915: Hide circuit display if it is disabled.
      • Bug 14429: Improved automatic window resizing
      • Translation updates
    • Bug 15945: Disable NoScript's ClearClick protection for now
    • Bug 15933: Isolate by base (top-level) domain name instead of FQDN
    • Bug 15857: Fix file descriptor leak in updater that caused update failures
    • Bug 15899: Fix errors with downloading and displaying PDFs
    • Bug 15773: Enable ICU on OS X
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP requests respect URL bar domain isolation
    • Bug 13875: Improve the spoofing of window.devicePixelRatio
  • Windows
    • Bug 15872: Fix meek pluggable transport startup issue with Windows 7
  • Build System
    • Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Anonymous

May 13, 2015

Permalink

The downloaded installer package cannot install. It said:
NSIS Error
Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy.

Anonymous

May 13, 2015

Permalink

"Because this defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps"

Doesn't this allow page creators to distinguish Tor users from non-anonymous users with a simple embedded Javascript in the HTML?

Why is this the approach? Why make TOR users stand out at all - is it not possible to achieve the same level of anonymity, security and privacy whilst blending as a regular user of FF, Chrome etc?

As I've read, the answer is no, not possible. One reason I believe is that standard installation of firefox has disastrously weak privacy preferences. Few users edit preferences, so tbb with bolstered preferences already appears different than standard firefox.

The goal is instead to have all tbb users appear the same to websites as all other tbb users appear.

i sympathize with your interest in reducing the fingerprintability/distinguishability of Tor users in general, but reaching any page from a Tor exit's IP address presumably will always make it possible--at least heuristically--to distinguish likely Tor users from non-Tor users... unless we add many, many exits to the network!

It's trivial when you have access to the server logs or are able to run additional software on the servers.

This new feature may allow the many users of services like Blogger or WordPress to display different content to either identifiable or anonymous visitors.

Anonymous

May 13, 2015

Permalink

was just thinking about my own gratitude for your work, and wanted to mention that it's a shame that the team can't marshal more funding for advocacy work to upstream more of the fingerprintability/distinguishability patches to mozilla.

for all their talk about being committed to privacy, it's pretty lame that mozilla won't just accept patches that you've literally already written and tested that make firefox more private and secure.

already tbb design must weigh user expectations vs privacy.
Firefox user expectations tend even less toward privacy, and more toward expectations of whizbang websites (which then run amok with user privacy).
iirc, firefox installs allowing all cookies and javascript enabled.

tbb users wear helmet and full racing harness in vehicle with roll cage and fire retardant system.
firefox is designed for users who ride motorcycles shoeless wearing only underwear - not even with sunscreen.

Install www/linux-firefox to pull in all the needed libs, deinstall linux-firefox if you want after this.

Use the 32-bit version of tor browser.

If you're running amd64, edit out the lines

    SYSARCHITECTURE=$(getconf LONG_BIT)
    TORARCHITECTURE=$(expr "$(file TorBrowser/Tor/tor)" : '.*ELF \([[:digit:]]*\)')

    if [ $SYSARCHITECTURE -ne $TORARCHITECTURE ]; then
    complain "Wrong architecture? 32-bit vs. 64-bit."
    exit 1
    fi

from the startup script.

Good luck.

Did you use the built-in updater or did you download a new package and install it manually? Did you look to see if Tor Browser made any backups that you could use to recover your bookmarks?

Anonymous

May 14, 2015

Permalink

Hi,
i have a question.

I'm using Tails and don't really understand difference between
Tor Browser(TBB) 4.5 and TBB 4.5.1(Tails1.4). And if the seen Browser behaviour is OK/normal.
1 open Browser Tab creates at least 2 and more different open circuits.
Especially with middle-click new Tab and manually drop link from same domain.
Final result is 1 site generates a lot of DIFFERENT circuits?
Normal or Bug?

https://blog.torproject.org/blog/tails-14-out
Tor Browser(TBB) 4.5
"Tor Browser 4.5 now keeps using the SAME TOR CIRCUIT while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out."

https://blog.torproject.org/blog/tor-browser-451-released
TBB 4.5.1 (in Tails 1.4 !)
"Bug 15933: Isolate by base (top-level) domain name instead of FQDN"

Anonymous

May 14, 2015

Permalink

Update created a duplicate browser folder so now two browsers in one program. Will have to install afresh yet again!!

Anonymous

May 14, 2015

Permalink

I am having 100% lack of connection since the last, most recent May 2015 update to the Tor Bundle. I went back to the stable April 2015 release, and have 100% connection, with no issue, other than being told to update browser, and update Tor. Anyone else having same issue? Anyone have an idea what is going on?

Anonymous

May 14, 2015

Permalink

re: resize_windows

I like the changes as far as usability is concerned, but when I disable it, the window sticks with the resized dimensions as if it was still enabled.
& can fingerprinting only be done while loading the page? If I disable resize_windows after I already loaded pages which I want to view in full-res, I shouldn't have anything to worry about if there's no JS or anything else active, right?

Anonymous

May 14, 2015

Permalink

I'm not crazy about allowing all scripts on a site I don't fully trust. Is there any way to have NoScript behave like it used to? I realize that cherry-picking scripts could provide a unique profile of a user, but there's tracking scripts, for example that I'm not keen on allowing.

Anonymous

May 14, 2015

Permalink

Hello, I installed the update and now I'm getting a Runtime error. It's not letting me activate the browser, and it keeps asking me to restart the tor browser.

Anonymous

May 15, 2015

Permalink

Why not make all TBB users' screens fullscreen as default? Wouldn't this be just as effective as leaving it as it is now + better usability?

Anonymous

May 16, 2015

Permalink

Are the Tor DEVS finally going to get GTK working in Tor for Linux?

This is something that has been broken for over a year, would be nice to finally see this fixed...

Anonymous

May 16, 2015

Permalink

Google recaptcha is using html5 animation to show captcha images?
Tor browser is useless if it doesn't work with google recaptcha.

at least in 2014, google offered a noscript (noscript html element, not noscript extension) alternative that required pasting a long generated string into another form box. Maybe google stopped providing the noscript alternative?

Anonymous

May 17, 2015

Permalink

Cannot now save photos from tumblr or flickr using latest version? Always worked before with javascript off.

Anonymous

May 17, 2015

Permalink

Google recaptcha not working here too
No matter what i do, still not working.
I tried disable noscript and https and nothing

Anonymous

May 17, 2015

Permalink

@arma,

Yes there's a ticket, in fact there have been several tickets I've seen for a few years and nothing has been done about it...

Is there a ticket for it? If not, odds are good nobody knows what you're talking about. (And if that's so, you should make a ticket, and include as much information as you can.)

Anonymous

May 17, 2015

Permalink

How can I completely disable that resize stuff? Even if I set the about:config stuff related to it to false, after a restart I still get that behaviour (I don't like)!

Anonymous

May 17, 2015

Permalink

Whatever I do, user_pref("extensions.torbutton.resize_new_windows", true); and user_pref("extensions.torbutton.startup_resize_period", true); always are set to true after closing and restarting... meh.

Anonymous

May 20, 2015

Permalink

> Isolate by base (top-level) domain name instead of FQDN

There should be an option to turn back isolate by FQDN

A unique prefix for FQDN-based authenticators in each torbrowser instance is also needed. So isolation for different instances would be provided when surfing the same sites.

Anonymous

May 20, 2015

Permalink

Can't get the newer captchas to appear. It will tell me to identify all Burgers and show me the example burger image, but then it will not show any other images. I can select and deselect each square of the grid but of course I can't tell which square is what.

Trying to change to the audio challenge will not help. It will not play any sounds.

Disabling NoScript does not help.

Anonymous

May 23, 2015

Permalink

Hi. I too am having trouble with recaptcha. The picture matching images are not showing up. How do I resolve?

Thank you.