Tor Browser 5.0a4 is released

The Tor Browser Team is proud to announce the second alpha release based on Firefox 38 ESR. This release is also the fourth and final alpha in the 5.0 series. The release is available for download in the 5.0a4 distribution directory and on the alpha download page.

Most notably, this release contains an experimental defense against font fingerprinting by using an identical set of shipped fonts on all supported platforms. We've also updated the versions of several Tor Browser components, including updating Tor to 0.2.7.2-alpha. The 5.0-stable release will be based on Tor 0.2.6-latest, however.

Last but not least we fixed a lot of important bugs that were due to our switch to Firefox 38 ESR, including issues with major websites such as Twitter. This release brings us very close to a stable Tor Browser 5.0, which we aim to release next week. Unless we hear about additional issues, not much will change between 5.0a4 and 5.0-stable, aside from the Tor version and possibly the font defense.

Here is the complete changelog since 5.0a3:

  • All Platforms
    • Update Tor to 0.2.7.2-alpha with patches
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.31
    • Update Torbutton to 1.9.3.1
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Translation updates
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent IndexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16005: Restrict WebGL minimal mode a bit (fixup)
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
  • Build System
    • Bug 15864: Rename sha256sums.txt to sha256sums-unsigned-build.txt
Anonymous

August 04, 2015


Not sure if it was just a fluke or a bug that needs to be looked at, but when my 5.0a3 popped up with an update alert for 5.0a4, something strange happened. I clicked Update, the download went along like normal, but then another download began with a message that said "Tor Browser was unable to verify the integrity of the incremental update it downloaded, so it is now downloading the complete update package."

Anonymous

August 04, 2015


While the new fonts do look nice they aren't complete.
For example a playing youtube video should show a play icon in the tab indicator.
Or just go to the Emoji wikipedia page: https://en.wikipedia.org/wiki/Emoji

Also since the update to FF38 Firefox Sync doesn't seem to work anymore. I realize this isn't perfect for anonymity but I use Torbrowser as a hardened, daily browser and would still like to sync my tabs. Is this intentional?

Other than that great work!

The font issue aside, I really recommend you not using Firefox Sync in Tor Browser, because it may harm your anonymity and privacy quite a bit, since you are sending your browser history (if enabled), bookmarks, et cetera to Firefox Sync servers (unless you run your own).

I understand but as I said in my first comment I make this choice deliberately for convenience instead of security because I use it as my main browser. I only use it to sync bookmarks and plugins between Torbrowsers. Sync is supposed to be end-to-end encrypted and I trust the Mozilla developers that they can deliver on this.
This is also why the Tor developers themselves still haven't the sync code, see [Review and audit sync](https://trac.torproject.org/projects/tor/ticket/10368) and https://trac.torproject.org/projects/tor/ticket/7188.

I really need sync too (and I am not so "paranoid" about privacy). Can you please tell me to which Tor version can I downgrade to have sync working again? Thanks.

Anonymous

August 04, 2015


The new fonts look nice but are incomplete. Check for example the 'now playing' char in youtube tabs or the emoji wikipedia-page (https://en.wikipedia.org/wiki/Emoji).

Also since the update to FF38 Firefox Sync doesn't seem to work anymore. You can login fine and initial sync works but after closing and reopening Torbrowser it gives an error. I realize that using Sync isn't optimal for anonymity but I use it as my daily browser and I consciously make this decision in favour of usability.
Should I file a bug or was this change intentional considering that you removed its option from the browser menu?

Other than that great work, as always!

Anonymous

August 04, 2015


Is it safe to use Tor on Windows 10? Do I have to configure something?

Windows 10 is not good for anonymity and privacy in general, so no, it's not safe, and not recommended IMO.

I recommend installing Tails (https://tails.boum.org) on your USB, and boot your PC from that USB. Or install a Linux like Debian (https://debian.org), Ubuntu (http://ubuntu.com) et cetera.

But if you really want to stick to using Windows, I recommend using Windows 7, 8, or 8.1. And if you really want to stick to using Windows 10, try to change the settings to favor privacy, use a local account, and it's always better to use Tor than not to.

The previous alpha had a strange bug when trying to download a file, it asked whether you wanted to download it but didn't show the filename dialog. Instead, you had to copy the file link and paste it into the Downloads tab.

Haven't tested it yet with the new alpha though.

I've just reported a similar issue:
TBB 5.0 a3/a4 win32 fails to download a file when right clicking url
https://trac.torproject.org/projects/tor/ticket/16731


Steps to reproduce:
1. Go to https://dist.torproject.org/torbrowser/5.0a4/
2. Right click any file url, for example, "tor-win32-0.2.7.2-alpha.zip"
3. Select "Save link as"
4. Wait for TBB dialog asking if you want to open file with external application
5. Press "Download file" button
Expected results:
Download dialog asking where to save file should appear.
Actual results:
Nothing happens

Thank you for releasing new build !

SHA-256 for "torbrowser-install-5.0a4_en-US.exe" seems inconsistent.

SHA-256 of my downloaded "torbrowser-install-5.0a4_en-US.exe" is...
0702DC136EB64F4DDA02B4FD11384FD21391F8A7DEDCF5836FC6517C89CAD788

The value in the "sha256sums-unsigned-build.txt" is...
9bb52de6693d133c3fb37663687f135a8e1ba71e91001077bfa300e192922e71

But, signature seems OK using GnuPG(gpg)
torbrowser-install-5.0a4_en-US.exe
torbrowser-install-5.0a4_en-US.exe.asc

SHA-256 of "torbrowser-install-5.0a4_en-US.exe.asc" is...
AD05EC2686DB765FD082EB0E74983388846C56F88D1E25A0CEE1BCCA4D4463F3

[NOTE]
The same inconsistency happened in the previous release. So, the root cause is not accidental download failure.

Pretty weird :(

I got the same SHA256 you did for the install package.

See: https://bugs.torproject.org/15864 for some background information. We thought renaming the SHA-256 sums file might indicate that that hash is *not* the one you get when downloading the .exe file. The reason for this is the additional signature we need to avoid the scary warning you get if you just try to run an unsigned .exe you downloaded. So, in order to use the SHA-256 sum verification you need to follow this guide: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…
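Why the downloaded .exe cannot match its entry in sha256sums-unsigned-build.txt, as an added example (not part of the original comments and not Tor Project code): the sketch checks whether a PE file carries an attached Authenticode certificate table, the kind of extra signature the reply above describes. The function names and the toy PE bytes are constructed for illustration.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # data-directory slot of the PE Certificate Table

def authenticode_blob(pe: bytes):
    """Return (file_offset, size) of an attached certificate table, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                  # after 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)          # PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional-header magic")
    (count,) = struct.unpack_from("<I", pe, opt + dir_base - 4)
    if count <= CERT_DIR_INDEX:
        return None
    offset, size = struct.unpack_from("<II", pe, opt + dir_base + 8 * CERT_DIR_INDEX)
    return (offset, size) if size else None

def check_against_unsigned_sums(pe: bytes, listed_sha256: str) -> str:
    """Compare a file with its sha256sums-unsigned-build.txt entry."""
    if hashlib.sha256(pe).hexdigest() == listed_sha256.lower():
        return "match"
    # A signed file will not hash to the unsigned build's value; rely on the
    # detached .asc GPG signature for the file as downloaded.
    return "signed-file-differs" if authenticode_blob(pe) else "mismatch"

def toy_pe(cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 header (not a real installer), optional cert blob."""
    hdr = bytearray(0x40 + 24 + 96 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 92, 16)              # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", hdr, opt + 96 + 8 * CERT_DIR_INDEX, len(hdr), len(cert))
    return bytes(hdr) + cert

if __name__ == "__main__":
    unsigned, signed = toy_pe(), toy_pe(b"\x30" * 64)      # constructed samples
    listed = hashlib.sha256(unsigned).hexdigest()
    print(check_against_unsigned_sums(unsigned, listed))
    print(check_against_unsigned_sums(signed, listed))
```

A "signed-file-differs" result only explains the mismatch; it says nothing about the file's integrity, which still has to come from the GPG signature or from the build-verification guide linked above.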

Just installed 5.0a4 on MacOS 10.6.8 and I get a repeatable crash at startup with the "fontworker" component. Crash dump at http://pastebin.com/eJSr0aKC . This appears to be 100% repeatable.

TBB appears to start normally after a few seconds, but I'm a bit troubled by this (it never happened with 5.0a3).

-J

I opened https://bugs.torproject.org/16740 for it, thanks.

Oh, forgot to add -- GPG sig of the .dmg verifies just fine, as usual, so the "fontworker" issue is not due to any corruption in the download.

-J

What's the deal with fonts on this build?

The fonts that you've installed on your computer can be detected when you leave Javascript enabled on regular websites you visit.
This build tries to fix that by shipping a fixed set of fonts, so that it's harder to distinguish between people by what fonts they have installed on their computers.

Thanks!

Anonymous

August 08, 2015


No problem. Thanks for coming back to say thanks :)

Hi friends, I'm still having full 100% usage of my CPU every time I open a new site or reload (F5) any tab. It sometimes takes even more than 30 seconds and is very uncomfortable.

I have XP, 2 GB RAM and a slow CPU, but one capable of having Tor Browser and more software running at the same time. Before I tried this newer version, I used 0.2.3.25 because this is the last version where I can get "new identity" without losing all the tabs, and with that version I could manage to have normal FF, Tor, Office and other programs, all without problems. I tried 4.5.2, 4.5.3 and 5.0a3, all with the same results.

Is Tor Browser compatible with Windows 10??

Yes, Tor Browser is compatible with Windows 10 (checked in VirtualBox). Why ask when you can check to see if it works yourself?
Though I do not recommend using Windows 10 in general.

Thank you Tor developers for your hard work!

Yes, thanks Tor developers!

I have asked this question to the Tor help group email, but not gotten a response (probably as they did not know). Even with 5.0a3 Tor Browser I am having trouble getting Torbrowser to work when behind a FortiGate Firewall? http://www.fortinet.com/products/fortigate/

I have tried to use one of the suggested Bridges provided with the Tor Browser (flash-proxy, fte, others), but so far no luck.

Any thoughts?

Everything seems to be running smoothly so far. I haven't tried d/l anything yet, but if I have an issue as a previous poster indicated with 5.0a3, I guess I'll whine about it here.

Does the font defense address the following? http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatte… typing with one finger while my other hand adjusts my tin-foil hat.

* Should I leave 'Tell sites that I do Not want to be tracked' unchecked? [options/priv.] I wasn't sure if it sent out a header which could be, ironically, tracked.
* Will N0Scrip+'s default whitelisting ever be amended or is there a way for me to revive the old functionality? I had to mark sc0rec@rdr3search among other scripts as untrusted AFTER they were allowed, by default. Allowing everything doesn't feel safe.

Thanks for all the hard work, everyone!

Even though TBB arguably makes some poor choices, changing those settings can be observed and makes you stand out.

The defaults in the Tor Browser are really annoying, people change these anyway, which is dangerous.
So, we need to better gauge the community for what they want. Or, have a better and stronger Tor community.

Well if you disable JavaScript on the particular site you're typing, there should be no problem. But this can be potentially very dangerous for most Tor users.

Please, don't change too much in your Tor browser configuration, this can defeat anonymity pretty easily, if you don't know what you're doing that is. But, enabling, disabling JavaScript should be no problem, most people do this it seems.

For the NoScript question: "Allowing everything doesn't feel safe.", yes, this is true, it isn't, but the Tor Project seems to think most of us are incapable to whitelist a few sites from the context menu in NoScript.

You know what I think we need? A proper community edition of Tor Browser that does have the settings and configuration we (hopefully most) want. Because people are going to be annoyed by all these defaults, and take things in their own hands, which is bad, for anonymity and thus your privacy.

Or at least, Tor Project, help foster this community, all we get is a Bug tracker, and this blog to communicate, it's really bad. Please fix this!

Thank you Tor developers, contributors and community.

My system is SUSE, failed to save the page with all components to hard disk with a file name with special character.

Can I add fonts of my own choice?

Why is Windows 10 not good for security? If I use Tor, won't it be anonymous? Thanks in advance.