Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks, which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we now isolate Shared Workers to the first-party domain and have further improved our keyboard fingerprinting defense.

We also made progress on the usability side. First, by providing Tor Browser in another locale, Japanese. Additionally, by showing the changes in the new Tor Browser version immediately after an update and polishing our about:tor appearance. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

I know this isn't the place to ask this, but are there any plans to create a very simple UI for cryptsetup in TAILS? Currently, it is very tedious to open up an encrypted volume in TAILS. The amnesic quality of TAILS makes that much more frustrating after every reboot.

I'm not a proficient coder but I've seen how quickly a crude UI can be produced in python using the twisted library. If I knew how to tie the UI to cryptsetup I'd do it myself. Although what would take me days if not weeks would take a TAILS dev an hour or so.

The reason I have placed this here is that I hope to generate interest from the rest of the community. If enough people speak up, devs are sure to respond positively.

I know this isn't the place to ask this,

The reason I have placed this here is that I hope to generate interest from the rest of the community.

Exactly. This isn't the right place for feature requests of a different product.

Please surf to https://tails.boum.org/contribute/talk/ and mail your request to the appropriate mailing list.

but are there any plans to create a very simple UI for cryptsetup in TAILS?

The feature has been requested many times in the past, on Tails' mailing list. From what I heard, the feature you requested, when implemented, can lead to hackers and the NSA attacking Tails' users. That was some time ago, but with improvements in software, security vulnerabilities may be reduced.

Did this. If it were easy to make such a request anonymously I would have opted for the Tails mailing list. I tried Pidgin with Tor proxy but it seems the exits that I tried using had been abused prior to my attempt.

I wasn't aware that this had been requested before. Glad I'm not the only one.

I don't understand how a GUI would significantly increase the attack surface from a remote location? Please enlighten me.

If it were easy to make such request anonymously I would have opted for the tails mailing list.

Besides using Pidgin with Tor proxy, have you tried other ways of seeking Tails' technical support? See https://tails.boum.org/support/index.en.html

I don't understand how a GUI would significantly increase the attack surface from a remote location? Please enlighten me.

Unlike our regular NSA troll here, I don't wish to spam this blog with Tails-related issues.

Please ask your above question using the appropriate Tails' support channels.

Hello everyone, can anybody help me buy on Tor and tell me how to do it? If someone can help me, please. Hello everyone, can someone help me buy on Tor and explain to me how to do it? I can't manage; if someone can help me, please.

Anonymous

January 27, 2016

Thank you from all Russians, Kazakhstanis and Belarusians, and indeed from all people around the world who use your wonderful Tor browser. All the best and good luck to your team; whenever possible I will make donations to improve your product. With respect from the city of Astana, Kazakhstan, your user.

I would like to join the thanks from Astana, Kazakhstan! This is a very important tool for countries like ours where free speech and access to information are so severely limited. Will certainly donate whenever I am able to.

Anonymous

January 27, 2016

Oh, my!
A measure against browser fingerprinting.
Thanks for the great work!

Depends. The connection between exit node and http site is not encrypted, you could be a victim of a man-in-the-middle attack. The content could be replaced, or the man-in-the-middle could insert javascript which will threaten your browser and could install malware or deanonymise you. If you enter personal information, the exit node can see it. If you have javascript disabled, you are safe from attacks, but the exit node can still see the page and anything you enter.

The content could be replaced, or the man-in-the-middle could insert javascript which will threaten your browser and could install malware or deanonymise you.

Very true.

But I was told that if you use Tails with JavaScript enabled, your identity and geolocation are less likely to be unmasked. How true is it? Can someone confirm it?

You should use https websites to minimize the amount of snooping an exit node could possibly do, even though an exit node won't know who generated the traffic in the first place in theory. You also should be very wary to run Javascript from non-https sites, as it could've been tampered with by an exit node. Normally this doesn't happen, at least it did never for me, but depending on your circumstances/needs you maybe want to be more cautious than I am.

Normally this doesn't happen, at least it did never for me,

What proof do you have to state categorically that you've never had to deal with JavaScript malware?

Anonymous

January 27, 2016

I'm not able to get bridges. When I send an email, this message appears:

This is the mail system at host polyanthum.torproject.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

(expanded from
): temporary failure

What should I do?

First, what email address do you send your letters to?
Second, *from* what email address do you send them? BridgeDB servers only respond to emails from @gmail, @yahoo and @riseup accounts.
Also, if you think you're doing it right on every step, consult with the person who is responsible for your network's operation.

Anonymous

January 27, 2016

Is there an update from 5.5a6 to this via Software Update in Tor Browser?

Anonymous

January 27, 2016

nice

Anonymous

January 27, 2016

Awesome

Anonymous

January 27, 2016

I am a loyal Tor user. Very unfortunately, the Win8 Microsoft YaHei 6.10 (UI) font fails in this version; to be precise, it does not recognize this font at all, so I have decided to give up on upgrading. Also, in all versions since 5.0, Firefox sidebar extensions have never been installable; please fix this too. Thank you, please!

Hi, I had to machine-translate your comments. This is what I got:

I am a loyal user of Tor, very unfortunately: Win8 Microsoft elegant black 6.10 (UI) of the font in this release fail, rather, it simply does not recognize the font, decided to abandon the upgrade; In addition, all of the 5.0 version, Foirefox sidebar extension has been unable to install, will you also be amended, thank you, please!

This should be a problem similar to the fonts in 17250: the font name is not in the whitelist. See https://trac.torproject.org/projects/tor/ticket/17250#comment:6

Which sidebar extension are you referring to specifically? Test-installing an add-on is no problem. Can you specify it, or submit a bug?

The 微软雅黑 font (Microsoft YaHei) should be present in the whitelist. See here:
https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/…

pref("font.system.whitelist", "..., Microsoft YaHei, 微软雅黑, MingLiU, 細明體, ...");

Maybe "微软雅黑(UI)" is considered a different font than "微软雅黑"? Do web pages render text in 微软雅黑 correctly?

The UI fonts are separate since the whitelisting is done by matching in full. The entire browser UI gets really broken if the "system default UI font" isn't present on the whitelist, and if the ja_JP locale is anything to go by, MS has/will change it between major Windows releases.

See:

* https://trac.torproject.org/projects/tor/ticket/17550 (Similar issue with ja_JP)
* https://trac.torproject.org/projects/tor/ticket/17999 (OS version fingerprinting risks associated with whitelisting all the UI fonts ever used)
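The full-name matching described in the two comments above, shown as an added illustration rather than Tor Browser's own code: it parses a pref("font.system.whitelist", ...) line in the format quoted earlier in this thread and checks candidate family names against it verbatim. The sample pref is constructed from names quoted on this page, and uiFontStatus together with its "UI" suffix-stripping heuristic is an assumption for the demonstration only.

```javascript
// Added illustration of exact, full-name font whitelist matching.
// Not Tor Browser's implementation; SAMPLE_PREF is constructed from
// family names quoted in the thread above.
const SAMPLE_PREF =
  'pref("font.system.whitelist", "Arial, Microsoft YaHei, 微软雅黑, MingLiU, 細明體");';

// Extract the comma-separated family list from a pref("...", "...") line.
function parseWhitelistPref(line) {
  const m = line.match(/^pref\("font\.system\.whitelist",\s*"([^"]*)"\);?\s*$/);
  if (!m) throw new Error("not a font.system.whitelist pref line");
  return m[1].split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Full-name match: the family must appear verbatim, so "Microsoft YaHei UI"
// and "微软雅黑(UI)" are different entries from "Microsoft YaHei" / "微软雅黑".
function isWhitelisted(family, whitelist) {
  return whitelist.includes(family.trim());
}

// For a locale's system default UI font, report whether an exact entry
// exists and whether only the base family (without the UI suffix) does.
// The suffix-stripping rule is a heuristic assumed for this example.
function uiFontStatus(uiFamily, whitelist) {
  const exact = isWhitelisted(uiFamily, whitelist);
  const base = uiFamily.replace(/\s*\(?UI\)?\s*$/, "").trim();
  const baseAllowed = base !== uiFamily && isWhitelisted(base, whitelist);
  return {
    family: uiFamily,
    exactMatch: exact,
    baseFamily: base,
    baseWhitelisted: baseAllowed,
    // Only an exact entry counts; a whitelisted base family does not help
    // because matching is not done by prefix.
    uiRenders: exact,
  };
}

const whitelist = parseWhitelistPref(SAMPLE_PREF);
for (const f of ["微软雅黑", "微软雅黑(UI)", "Microsoft YaHei UI", "Meiryo UI"]) {
  console.log(uiFontStatus(f, whitelist));
}
```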

Hey guy,
What is the intention you are using Tor Browser for?
You want to circumvent the surveillance of an evil regime, right?
Is anything else more important than safety?
You need to browse the Internet anonymously rather than do font research, right?
Please try not to focus on the issue of fonts. Just update, what else?

Don't hesitate so much; updating the program is more important than anything.
I haven't used Chinese for a long time, so what?

Anonymous

January 27, 2016

sync is not working anymore :( are you going to fix it or did you disable it on purpose?

Hi. Not a dev.
But do you REALLY want your tor browser bundle connecting to moz sync servers over the tor network every 10 minutes? (Or worse, a custom sync server that only YOU use?)

If a global passive observer can watch you connecting to the tor network, and somehow see "someone" authenticating to a moz sync server, wouldn't they be able to correlate both events given enough samples?

Play it safe. Keep your tor browser bundle in a password protected zip file on a usb key. (Preferably named something like milfporn.zip or something)

Avoid sync.

I understand your point but consider that not every tor user has the same level of security concerns. Tor is used by different ppl for different purposes. I need sync and if they are not reintroducing it I will have to downgrade to 507.

I understand your point but consider that not every tor user has the same level of security concerns.

If that's the case, why don't you build your own TBB with your own specifications? With limited resources, Tor's development team has to focus on the needs of the majority and not cater to the specific requests of a few.

Tor is used by different ppl for different purposes. I need sync and if they are not reintroducing it I will have to downgrade to 507.

Please feel free to downgrade to 301 or even TBB version 101.

Interesting. Which operating system are you on? I can reproduce it neither on Ubuntu nor on Windows, be it with or without update.

Oh, and please post a new comment in this regard in the thread below which (probably) you opened.

I could use Sync in the previous version, which allowed many conveniences like bookmarks and passwords. I understand the issue with anonymity with those features, but I like the fact that I can use the same browser for everything.

I have a similar issue: from tor503 to 507 (both win7ent and osx 10.8) I could log in to Sync with user&pass and sync was performed (between two tor507 in the two OSs). Now when I go to Sync (in both OSs as above) and try to log in (or to use another Sync account) I get a "500 Error Oh dear, something went wrong there. We've been notified and will get working on a fix." (URL is "about:accounts?entrypoint=menubar"). Note that Sync didn't work from tor500 to 503 while it was working in all versions 4. Thanks in advance!!!