Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we isolate Shared Workers to the first-party domain now and further improved our keyboard fingerprinting defense.

We made also progress on the usability side. First, by providing Tor Browser in another locale, Japanese. Additionally, by showing the changes in the new Tor Browser version immediately after an update and polishing our about:tor appearance. Last but not least we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Why is YouTube not working?

Tor users should ignore the above post.

It is most likely the work of our regular NSA troll.

His real question is: why is Adobe Flash not working on YouTube?

YouTube usually uses HTML5 video these days as opposed to Flash.

It's a valid question; last time I checked YouTube only worked with security set to low. For the uneducated user might not think to check those settings. Of course, whether or not you want to set security to low is another question.

To get bitcoin to us, the best plan right now is via Bitpay:
https://www.torproject.org/donate/donate-options#bitcoin

For some complexities in that process, see also
https://blog.torproject.org/blog/tors-first-crowdfunding-campaign#comme…

Also lastly, I think some of these non-profits who run exit relays are also pleased to receive bitcoins:
https://www.torproject.org/docs/faq#RelayDonations

Anon

January 27, 2016

Permalink

Thanks!

Anon

January 27, 2016

Permalink

Attention

Within the next few hours at the earliest or the next few days at the latest, our regular troll from the NSA will be posting his regular litany of complaints, viz. he is unable to watch Flash video clips using this latest version, or to watch Youtube clips and hence is compelled to using a very old version of TBB.

The NSA troll will further attempt to make similar posts using different identities, changing his writing style and deliberately making grammatical errors so as to avoid fingerprinting.

His ulterior motive? To entrap naive TBB users to use Adobe Flash, the latter being notorious for its ability to unmask true geo-locations.

P.S.: It appears that our NSA troll is not highly paid. The really talented NSA staff are each paid at least a million US dollars in annual compensation and do not have the time to post laughable comments on this blog.

Treat this as a challenge: can you make so fine sandbox that even such crap as abobe flash be safe to use?

Don't ever use "adobe flash" and "safe to use" together in one sentence again. ;)
Also I don't think you should be running any proprietary software if you want to have basic safety, even if it is sandboxed.

Treat this as a challenge: can you make so fine sandbox that even such crap as abobe flash be safe to use?

First of all, I wish to inform you that most of Tor developers are not paid at all for their work, unlike NSA which has unlimited budget in the billions of US dollars. What this means is that Tor developers are unlikely to take up your challenge.

Secondly Adobe Flash has been known to be very buggy and the target of choice of hackers. The Hacking Team, whose tens of hundreds of documents and emails had been leaked on the internet, makes millions of dollars by selling Adobe Flash's exploits to authoritarian regimes.

Thirdly, you might wish to contact Whonix developers at www.whonix.org to let them know of your suggestion.

try downloading websites. there are still negatives
they may all be http, not https
they may all need javascript enabled for their domain
they may not download videos from sites that aren't popular video sites

I am a regular reader of this blog, but didn't recognize your description of that particular regular poster. However, I agree that

o flash + Tor is generally a bad combination (if you absolutely must use flash, at the very least use Tails), and in particular, scare stories in the "establishment" media from last two years with titles like "FBI/SCO/NFI has broken Tor" seem to be talking about state-sponsored malware which exploits flash bugs

o the Tor community can expect to be targeted here and elsewhere by a half dozen or more intelligence agencies (not all FVEY), including "suasion" operations which involve disinformation, scare rumors, and trolling.

LOL. I know who you are talking about but what makes you think he is from the NSA, as opposed to someone who wants to access a service that is geographically restricted. Hulu, CBS, if I live in some parts of Europe, or all of it, I can't access them. But with a USA exit node in TB plus flash player I can, it's safer than HOLA: http://www.pcworld.com/article/2928340/ultra-popular-hola-vpn-extension…. It also diversifies the TB user profile. People who use flash player in TB are not interested in privacy but functionality and TB+flash player > HOLA, they are not naive, not the majority of them anyway.

as opposed to someone who wants to access a service that is geographically restricted....

People who use flash player in TB are not interested in privacy but functionality and TB+flash player...

Look here, you've missed the point of why Tor was developed in the first place. One of its first principles is to help people living in authoritarian and oppressive regimes to communicate.

How does watching videos on Netflix, Hulu, CBS help to achieve that goal? As an example, I live in Iran and use TBB to watch "Breaking Bad", "Game of Thrones", "House of Cards", "Mad Men" on US-based Netflix. How does my action help to advance Tor's first principles?

People who wish to watch videos on Netflix or Hulu should just subscribe to a commercial VPN service provider.

You've missed the point of why some people use tor. It's irrelevant why tor was made. People use tor for different purposes.
"How does watching videos on Netflix, Hulu, CBS help to achieve that goal?"
Simple:"It also diversifies the TB user profile". It makes tor more mainstream, thus you won't have a target on your back by simply using tor.
Vpn cost more money than their worth, tor is free and those people can donate to tor because it's cheaper, some do others don't, stop telling people what to use tor for.
Plus unless you live in an "authoritarian and oppressive" country you are using tor for other reasons than the intended purpose. You hypocrite.
In the end you are wrong because it doesn't matter how much you talk about why tor was made or how can doing mediocre tasks on tor promote freedom from oppression, people will use tor for different purposes.So stop complaining.
Plus, about the youtube thing: "They circumvent censorship. If you live in a country that has ever blocked Facebook or Youtube, you might need to use Tor to get basic internet functionality. "
And you didn't prove yet that the guy works for NSA.

Simple:"It also diversifies the TB user profile". It makes tor more mainstream, thus you won't have a target on your back by simply using tor.

Flawed logic.

Vpn cost more money than their worth, tor is free

Cheapskate

Plus unless you live in an "authoritarian and oppressive" country you are using tor for other reasons than the intended purpose. You hypocrite.

Don't be too quick to judge. As my organization is affiliated with a UN body, I travel quite frequently to authoritarian and oppressive regimes for extended periods of time. Currently I'm traveling in an authoritarian regime where freedom of expression is severely curtailed and I'm using Tor as at the time of writing this reply.

In the end you are wrong because it doesn't matter how much you talk about why tor was made or how can doing mediocre tasks on tor promote freedom from oppression, people will use tor for different purposes.

That's why there's a need to educate people here on the proper uses of Tor.

It's still irrelevant. You are the one with the flawed logic. "Each new user and relay provides additional diversity, enhancing Tor's ability to put control over your security and privacy back into your hands". That's from here:"https://www.torproject.org/about/overview.html.en#thefutureoftor". "They circumvent censorship. If you live in a country that has ever blocked Facebook or Youtube, you might need to use Tor to get basic internet functionality." It's from here:'https://www.torproject.org/about/torusers.html.en#normalusers".
Cheapskate, that's all you can say, LOL, go cry me a river.
Stop telling people how to use tor. Educate yourself on that.
And I'm still waiting on you to prove how that person works with the NSA, until now you only showed flawed logic in trying to prove it.
Hopefully you will have a better answer next time, but I doubt it.
Don't be too quick to judge. As my organization is affiliated with a UN body, I travel quite frequently to authoritarian and oppressive regimes for extended periods of time. Currently I'm traveling in an authoritarian regime where freedom of expression is severely curtailed and I'm using Tor as at the time of writing this reply.
Wait, wait, wait, you are using tor in "an authoritarian regime" right now, your words, and you are posting a reply to me from "an authoritarian regime", again, a reply to me, and you have the audacity to say I need to be educated on the proper uses of tor (I didn't know I was so important that someone affiliated with the UN must reply to me from "an authoritarian regime") no wonder the UN is useless. And, again, YOU HYPOCRITE.

Ok you two, it sounds like you should each take some time away from this thread. :)

If I press fullscreen the program just bugs and no fullscreen :(

Works for me with a fresh install on different Linux systems. How can we reproduce that?

Different anonymous, and the commenter is right. On windows, full screen now crippled, screen flashes and it won't do it. I'd say it is inherent in the new release, as opposed to an anomaly, but we'll see as others report it. I don't use full screen very often, just tested to see.

Works fine for me on a Windows 7 machine both with a fresh 5.5 bundle and and upgrade from 5.0.7. So, hrm...

Alright, this is a Windows-only bug which is tracked at https://bugs.torproject.org/18174.

There are fullscreen (video), maximize and fullscreen-mode (F11). Clarification is needed. But try F11 - there is something strange on Windows.

good

In Tails 1.8.2 and prior versions I connected to the internet by adding a username and password to a dsl connection in the network connections. In Tails 2.0 I can't find a dsl or equivalent where I can introduce a username and password to connect to the internet. I know this is not the right place to ask this but I don't know where else to go for help. So please, can anyone help me?

Read what? There's nothing relating to my problem there. If you found something please provide the complete link, no "google it" or equivalent, which is what you did.

This blog post is about Tor Browser. If you need help with Tails read that page and you'll know where to find it.

Read the previous two posts, because they answer both of your claims.And stop sending people to a page that does not have the answer they are looking for, also stop with basically "google it" type answers.If you can't help stop posting.

> This blog post is about Tor Browser. If you need help with Tails read that page and you'll know where to find it.

I just read the new Tails 2,0 documentation at tails.boum.org and I agree with the OP: the information or suggestion (don't know it myself) which he/she needs to solve the reported problem isn't there yet.

Agree this is the TB 5.5 thread, but unfortunately the Tails devs have chosen not to allow comments in the Tails 2.0 thread, so I think TP should give the OP some room to seek a solution to the issue here.

at tails.boum.org and I agree with the OP: the information or suggestion (don't know it myself) which he/she needs to solve the reported problem isn't there yet.

Surf to https://tails.boum.org/support/index.en.html and look closely at ALL the sections on that page.

but unfortunately the Tails devs have chosen not to allow comments in the Tails 2.0 thread,

Why should Tails devs post their replies here on this Tor's blog? Tails has its own support channels and we should respect their decision to be only contact via them.

Moreover no one can guarantee that on this blog, the solutions to Tails'-related issues are official. If you want official replies from Tails, then use Tails' official support channels, as advised by Tails' devs themselves How difficult is it for you guys to understand this simple truth?

This dude is probably talking about the last part of that page where they talk about talking to them by email etc otherwise the answer is stupid because the problem the op has is not there and this dude didn't even check that and the op did say he used whisperback.
But he should complain about every single comment that has nothing do to with tor on this entire blog otherwise he himself is a trol because he only goes after some people and not all.

I too am still getting used to Tails 2.0, which incorporates many changes under the hood and also a somewhat different desktop experience. One of the issues which has been reported as a bug is that the old style gnome "Network manager" applet doesn't seem to appear in the menu bar at top. I think. I am not quite sure if that is intentional or not, but I guess that the way you used to get online used "Network manager".

Can you report your issue using Whisperback? Yes, it moved, its now in Applications -> System Tools.

I can get to network manager, it's there, what's not there is a tab for dsl which is what I used in tails 1.8.2 and prior and ubuntu 14.04.3 LTS & 15.10 and linux mint 17.3. I connect to the internet with a password and username that's the only way I can, which was in the dsl tab. In debian 8.3 the dsl tab is there but it doesn't connect unlike the ubuntu and linux mint os. And I did send a report using Whisperback.

Just to be sure (and just in case), you mean username and password for an internal DSL modem, not 802.1x security over ethernet?

I'm supposing by "Network Manager" you mean Applications > System Tools > Settings, followed by double clicking the "Network" block (second row down, far right). (For the 802.1x security dialogue, one'd choose "Wired", below "Wi-Fi", then click the button at bottom-centre "Add Profile...". In the 'Security' tab, 802.1x security asks for username and password there, but I see nothing about DSL though.)

I have to say that personally I'm finding the conversion to systemd and Gnome shell in Tails 2.0 completely disorientating. So many tweaks that used to be in context menus have been shuffled off into obscure places or removed completely. I'm guessing your problem is another example of that.

On every tails version since 1 up to and including tails 1.8.2 i would simply go to network manager applet at the top right corner (if no windows camouflage) choose vpn connections - configure vpn and then the network connections window would appear, click on the dsl tab - add - and introduce the username and password and then connect to the internet. Like I said no problem doing that since tails 1 up to and including tails 1.8.2, and I used tails daily. And I can't find a way to do that in tails 2.

And for a complete answer, yes to your first question, as for the network manager, yes but that is not the only way to get there. But I think they simply removed the dsl connection from tails 2.0 as it does not work in debian cinnamon (it's there but it doesn't work) and it's not present in debian gnome, unlike linux mint and ubuntu 14 lts and 15 where it's present and working fine.

The tab I see for the new "Wired" menu doesn't look like the example in the documentation. I guess that may be because Tails 2.0 does not include some driver(s) my machine needs to do WiFi and or Bluetooth. I always worry about some bug or mistake making an unintentional WiFi connection to a hostile "Open" AP, but have no idea if this is good or bad. Under Tails 1.8.2 I could at least see the option to connect to WiFi APs, which gave me some reassurance this isn't happening against my wishes.

I also use Debian Jessie when not using Tails. By "Network Manager" I mean a standard component of Debian Jessie (and older) which can be used by clicking on its icon in upper right of task bar. Tails 1.8.2 and earlier worked the same way. When I changed to Debian Jessie I recall experimenting with Gnome Classic and don't remember it looking much like Tails 2.0, so I am a bit confused. I believe NM is part of the Gnome desktop suite in Debian, so since I use another desktop in Debian, I suppose I must be confused.

I guess I can't help with your problem since under Tails 1.8.2/earlier or Tails 2.0 I never connected via wired connection the way you describe.

> I have to say that personally I'm finding the conversion to systemd and Gnome shell in Tails 2.0 completely disorientating.

I have the same reaction, but experience has taught me not to worry too much about such initial reactions, that over time one may figure out how to use a new desktop environment efficiently to perform the customary tasks you used to perform another way using an older desktop.

As long as we are carping, I notice that various tasks seem to all be slightly slower in Tails 2.0 than Tails 1.8.2 and earlier. No idea whether that has something to do with systemd. I worry that switching back and forth between two desktops, various simple tasks in gedit such as spellchecking, and various other simple common tasks all seem to now take two clicks rather than one, which is annoying and will wear out my keyboard twice as fast. Saving text files created with gedit might be hard for newbies because they need not only to realize they need to save them in Tor Browser (the folder i.e the subdirectory in amnesia home directory), but that to they need to scroll in the gedit menu to find Tor Browser at the very bottom of the menu. Similarly mounting a USB stick got less intuitive, but once you figure it out it's not really much slower. But those are all convenience issues with Gnome classic, I think.

However, balancing all these against the sandboxing, and basing Tails on the current stable (Jessie) version of Debian, I think the better security makes Tails 2.0 a huge improvement.

exalent

AntiVirus detected Trojan

HEUR/QVM20.1.Malware.Gen

Yes, crappy antivirus products marking legitimate software as malicious are a real headache.

That's from Qihoo, a Chinese antivirus. They were caught cheating on independent tests by enabling Bitdefender algorithms for the test while using their inferior QVM engine in China.

https://www.grahamcluley.com/2015/05/revealed-anti-virus-product-cheat/

Of course a Chinese antivirus company will say that Tor is malware.

Whilst the "defence against font enumeration attacks" is welcomed for use by the super paranoid,,, for mr, miss and mrs bloggs just using Tor for anonymous blogs, tumblr. etc it seems overkill and we lose our - all important, lol - emoji support. If we had a switch to turn this feature off and on then this would be cool...

How can I test whether this is really caused by our font fingerprinting defense?