Tor Browser 5.0a2 is released

The second alpha release in the 5.0 series of the Tor Browser is now available from our extended downloads page as well as the distribution directory.

This release provides a fix for the Logjam attack (https://weakdh.org/) and updates a number of Tor Browser components: Tor to version 0.2.7.1-alpha, Torbutton to version 1.9.2.7, NoScript to version 2.6.9.26, meek to version 0.19 and HTTPS-Everywhere to version 5.0.5. Moreover, it fixes a possible crash on Linux and avoids breaking the Add-ons page if Torbutton is disabled, and it also fixes an update issue when using meek on Windows systems.

Here is the complete changelog

  • All Platforms
    • Update Tor to 0.2.7.1-alpha
    • Update OpenSSL to 1.0.1n
    • Update HTTPS-Everywhere to 5.0.5
    • Update NoScript to 2.6.9.26
    • Update meek to 0.19
    • Update Torbutton to 1.9.2.7
      • Bug 15984: Disabling Torbutton breaks the Add-ons Manager
      • Bug 14429: Make sure the automatic resizing is enabled
      • Translation updates
    • Bug 16130: Defend against logjam attack
    • Bug 15984: Disabling Torbutton breaks the Add-ons Manager
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Linux
    • Bug 16026: Fix crash in GStreamer
    • Bug 16083: Update comment in start-tor-browser
Anonymous

June 16, 2015

Permalink

The captcha issue is not yet solved on some websites. The pictures do not load when asked to select a few pictures of something. This has been broken for some releases now and it has had no attention. Can you please investigate this.

Which websites have broken captchas? I've never had a problem with CloudFlare (even if the ReCaptcha method they use is hard to solve).

Now, the recent obsession of sites straight-up banning Tor IPs...

Got the same problem as mentioned by the 2ppl above. And as many before me I've tried switching off NoScript etc..

One example: https://www.openmailbox.org/#register

Interestingly enough it displays the image of what has to be identified but not the 9 pictures you get to choose from. This is a very frustrating issue and I really hope someone finds a solution soon.. :)

This isn't a problem with Tor Browser; it's a problem with the captcha provider (Google, I think.) You may have some luck by lowering your security settings if you're willing to take the risk but in the end you need to complain to the captcha provider or the website using the captcha provider.

Anonymous

June 16, 2015

Permalink

I see NoScript's ClearClick feature for trusted and untrusted sites is disabled by default. Are we looking for a fix from Tor Browser or NoScript or both?

I enabled ClearClick on NoScript. I would rather deal with false positives than have no protection against clickjacking.

I think there is a bug , PleaseCheckOut

Why aren't more Noscript features as TBB is shipped enabled? Like ABE?

Because we think the currently enabled features are sufficient for our purposes.

Endpoints are so easy:) lol

While ABE has it's uses I think that individual users making their own customized rules would make fingerprinting them exceptionally easy. It would be similar to NoScript's normal per-domain/site/etc whitelisting but worse.

Apologies ahead of time, as I'm much less tech-literate than most that post here.

Every time I try to update to this latest version of the Tor Browser Bundle, AVG anti-virus program detects a potential threat.

This must be the 4th or 5th version of Tor I've downloaded, and never before have I had this prob.

Again, apologies if this is old-hat, previously covered ad nauseam.

canvas fingerprinting ?

browserleaks.com/canvas

AVG 2015 doesn't let the program install, in the middle it detects tor.exe as a threat and delete it.

Yup, that's exactly what I ran into. Solution?

can i manage to get a permanet IP on this version

No, and it isn't a feature likely to ever be implemented.

The Meek servers are comming from Google/Amazon/Microsoft, all had worked with NSA in the past, so supposing they record my IP address which is comming from Iran, NSA will try to crack my Tor becaus I come from Iran?

The US government loves it when Iranians use Tor. Not so much for US citizens.

Since update now no longer get map of connections on Tor button.
Windows XP pro 3

Please work on the tor CAPTCHAS problem:

"There was an issue with the captcha provider. More information may be available below."

If it works in other browsers then it should also work in tor.

when i try to update tor browser . after the update if i restart the browser it shows update is available . its seems some bug . may be i need to download a fresh copy of the browser .

Astoria client is coming up soon...better or worse than Tor?

PLEASE, FIX THIS BUG:

In the TBB for linux bridges do not work anymore. You are not allowed to connect if using bridges (obfs3, obfs4, ...), not the default ones, not whatever working bridge you enter into the box. Why hasn't this been fixed yet?

The problem I encounter is if TBB fails to connect to Tor network (I'm using meek and obfs3 bridge) and you wish to try again, you have to close and run TBB again, it wastes time especially for Tails you have to reboot.

Hi,
A short while ago I found a site which offered Tor users a test to see if they were being compromised (their real IP was discernable) while watching an HTML 5 video. I took the test and failed- my real IP was indeed being shown to me despite being on TOR and despite having NO scripting enabled - javascript et. al. -or any other such plugin enabled. It was done purely through HTML 5 on an as-downloaded version of Tor, the lastest version at that time. This was perhaps a month or two ago.

My questions are- are you aware of this? If so, have you notified your users of this? Have you addressed the issue? If you are aware of this and you know the URL of the site I was describing, can you post that URL since I cannot find it any longer.

Thank you

1. Captchas error all the time

2. This error message appears more and more often:

The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. (Error code: ssl_error_inappropriate_fallback_alert)

Not working on cloudflare protected websites!

Captchas broken! Firefox works, tor has problems.

Why use Tor and not encryption without Tor?

With mozilla adding more and more controversial features like 3rd party closedsource services, please consider migrating to palemoon! Both Palemoon and Tor communities will only win from this and I'm sure Palemoon developers will cooperate.