Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks, which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we now isolate Shared Workers to the first-party domain and have further improved our keyboard fingerprinting defense.

We also made progress on the usability side: Tor Browser is now available in another locale, Japanese; the changes in a new Tor Browser version are shown immediately after an update; and the about:tor appearance has been polished. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Who me, the original complainant? Windows 10. The previous Tor version is fine, this one 5.5 displays a lot of missing character placeholders, sorry I didn't want to cause a fuss about it, but keep up the good work ;)

Hello, the original commenter here, I fixed the problem by adding Segoe UI Emoji to the font whitelist and now the emoji are even better than before..! :D

Be aware, though, that you are probably the only one doing this and are thus sticking out of the crowd. We plan a 5.5.1 bugfix release addressing this issue. It should come out in the next days.

Above it points to
https://trac.torproject.org/17428
which points to
https://trac.torproject.org/16756

The short answer is that because it required users to set up their own port forwarding, it basically got no users.

The plan is to dump it for now, to simplify the interface and reduce confusion for Tor Browser users.

In the meantime check out Snowflake:
https://lists.torproject.org/pipermail/tor-dev/2016-January/010310.html
which is not ready yet but I'm very excited about.

I thought WebRTC was disabled for security in the Tor Browser. Does this mean if it ever gets deployed it will not make it into it?

Not necessarily. What we don't want is that basically any website can use WebRTC to find things out about you and your computer. Having WebRTC available in the trusted part of the browser (be it in an extension or be it in a communication with an external part of the browser bundle or...) is a different thing (see e.g. https://trac.torproject.org/projects/tor/ticket/14836), provided it adheres to fundamental things like proxy obedience (https://trac.torproject.org/projects/tor/ticket/16221).

I don't know enough about Snowflake to make suggestions on what we need to change on the Tor Browser side, though. Thus, we'll see how it goes.

Love TOR! - LOVE IT!! ...and I thank you for it... =]
... though I've naughtily installed Firefox plugins: Privacy Settings, Ublock Origin and Random Agent Spoofer ..... bad idea? ... or Ok?

Depends on your threat model. It will definitely make you stand out amongst Tor users, but if that is of no concern to you, then that's alright.

Bad idea.

Edit: Ok.. cheers for the replies... =] ... [removed them] ... will keep Tor unmodified.

Couldn't Load XPCOM . Fix?

https://www.torproject.org/docs/faq#XPCOMError

[Edit: looks like this one is because of a bug in the Windows 10 alpha, and not related to the old issue that showed up because of Webroot. See more of the thread below.]

This is usually because of Webroot® SecureAnywhere™. Try disabling it or wait for them to upgrade their signatures.

I don't have Webroot installed or any other antivirus with the exception of Windows Defender. Still get the same "Couldn't load XPCom" error...

I suddenly have the problem too after Windows 10 updated to build 14251. I don't use Webroot at all.

Looks like it's because of Windows 10 Build 14251

+1
Windows 10 Build 14251 installed on the fast ring, and now TOR Browser will not start, with msg "Couldn't load XPCOM".
Windows event log shows failing program as nspr4.dl, version 4.10.10.0, Exception code: 0xc0000005, Fault offset: 0x00020db2

We're tracking the issue here:
https://trac.torproject.org/projects/tor/ticket/18171
Please help if you can. Thanks!

Installed Windows Fast Ring Build 14257. Tor Browser 5.5 now works.

Awesoooooooooooooooooomeeeeeeeeeee

How can I see if I am (only me) under survey, 'targeted', in danger in real time?

I mean, how can I know that the contact or connection is compromised?

I mean that the users have not something like a progression bar surveying the censor or a bip saying "cut the connection immediately".

this version 5.5 looks fine and sounds perfect.

Ricochet seems not to be updated (1.0) and the 1.1 does not work.

cheers.

You mean like in the movie 'Sneakers', where there's a global map and you can see the progress that the bad guys make at tracing the hero, and you make sure to hang up the phone right before the trace finishes? I want one of those too. Nobody knows what it should measure or how it should work in reality though.

For issues in Ricochet, I suggest contacting the Ricochet person. (This is a blog post about Tor Browser.)

Tor would need anonymous hop-by-hop metrics forwarded to clients, measurements including latency and BGP analysis for starters, not to mention real time analysis of this data. None of which exists as Tor only has padding support, which isn't used because it primarily targets malicious nodes and network-internal adversaries, and this is neither a well defined problem nor are the solutions shown to be provable mitigations.

First and foremost then, Tor needs useful padding to simulate uniformly diverse network use, while simultaneously considering both network-internal, and passive, possibly global adversaries.

Story I've heard: general visited a Pentagon cyberwar room, wandered around peering over shoulders, seemed very interested in one screen featuring a particularly vivid display showing warring packets bouncing back and forth over a world map, between USA and North Korea. Somehow his embarrassed escorts managed to avoid confessing that the display which so fascinated him was a *screensaver*. No cyberwar was actually in progress.

Tor is the shitttt

But we need this in the Middle East

If you are having trouble using Tor Browser or Tails in the ME, please explain, since others might be having the same problem, and someone here might be able to tell you how to fix it.

What more do you know about onion routing?

yas! love the updates. Screw you, lightspeed! Take that!!!

Can't load xpcom comes up now and I can not connect to browser on either version update today...... Help!!!!!

See above lunar's comment.

Many thanks for giving this opportunity to be free to those of us who cannot have this freedom and a stable internet connection. Many thanks, many thanks. I hope to make my donation in due time; for now I am bankrupt, I am telling you truthfully.

Thank you to all the cool people who make Tor possible! I will donate as soon as I have bitcoin set up. Keep up the good work.

Thank you for your work

BUG: Cannot maximize the browser window if extensions.torbutton.maximize_warnings_remaining is zero.
If I set it to any positive integer greater than zero, I get the warning when I maximize and the window stays maximized, and the value of extensions.torbutton.maximize_warnings_remaining decrements by one.
Once it hits zero, the browser resets to default size whenever I try to maximize.

Works fine for me on a Ubuntu testing machine after an upgrade from a fresh 5.0.7. How can I reproduce your problem? Which operating system are you using? Is this a new bug in 5.5?

bugzilla confirms that (6.0a1 on Win7). Nice way to remove ugly rectangle on bottom without breaking resolution ;)

It actually leads to a non-rounded window on start-up: https://bugs.torproject.org/18175

After upgrading to 5.5, when visiting https://check.torproject.org/?lang=en_US I get error (Error code: ssl_error_no_cypher_overlap).

I had manually disabled some ciphersuites so I'm not reporting a bug, but upon further investigation, it appears that check.torproject.org doesn't support TLS 1.2. See https://www.ssllabs.com/ssltest/analyze.html?d=check.torproject.org

Validating TLS 1.2 support seems like a potentially useful byproduct of clicking over to check.torproject.org. I realize that's not its primary purpose, but just a thought..

Thanks for a great release and for doing such a great job of keeping pace with Mozilla on Firefox's release schedule!

This *is* a bug. And has been known for more than a year: https://trac.torproject.org/projects/tor/ticket/13972

Not sure why it is taking so long to update that server.

Yes, I agree, can Tor developers comment on this?

Georg Koppen, thanks for the new Tor Browser update.

Since the upgrade there are problems with sites using frames. All anchors targeting specific frames are in fact opening in new windows instead of specified tabs.

I'm hoping for a fast fix since many web apps are now very difficult to use.

On a lighter note, I like the new About:Tor look. Kudos to the Artist. In Wiccan colors doctrine green indicates and attracts money (though it sounds too much like a United States centric view, money not being green everywhere). But green or no green, I just hope Tor gets a lion's share of funding this year. All the best, Happy New Year.

Es!!!

good work

An exciting release! Many thanks to TBB team for the new protections.

Also, the Tails 2.0 announce is closed, but many thanks to the Tails team for all their work in porting to Jessie/systemd, especially for new protections. Just transferred a stack of DVDs to a spindle, and noticed this included a collection going back to Tails 0.12. And I was a Tails user long before that edition. Good times, good times!