Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we now isolate Shared Workers to the first-party domain and have further improved our keyboard fingerprinting defense.

We also made progress on the usability side. First, Tor Browser is now available in another locale, Japanese. Additionally, the browser now shows the changes in the new Tor Browser version immediately after an update, and we polished our about:tor appearance. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Anonymous

January 27, 2016

I like using 5.5 to browse websites that are blocked in my country, Equatorial Guinea.

Anonymous

January 27, 2016

Hi,
I'm not familiar with the nuts & bolts of updates or browsers in general, but is the visual change in the font used due to "a defense against font enumeration attacks?"

Anonymous

January 27, 2016

In an older version, signing into my yahoo.com email would frequently trigger a yahoo security block, saying I was logging in from a foreign country, and would have to change my password before I could log in.
Am I reading that this was fixed, so I can start using TOR more regularly?

It won't have been 'fixed', because it's not Tor's fault.

From experience with Hotmail (Microsoft owns both Hotmail and Yahoo), you have to keep logging in from the same country as last time in order not to trip their two factor authentication security. To do this, choose one country you always want to appear to log in from: either of Germany or USA is best as they have the most exit nodes. Speaking unixish, edit /etc/tor/torrc to add a new line thus:

ExitNodes {us}

or

ExitNodes {de}

Restart Tor to enforce this.

If you are using Tails, Vidalia may show paths that don't conform (at first). Don't worry about this, as non-compliant paths won't get used, but if you choose any low exit node count country, it may take time for Tor to make the right paths (I think Tor doesn't aim for the country you specify, just still selects nodes randomly).

You'll still have to satisfy the two-factor authentication first time round, probably.

Anonymous

January 27, 2016

Hello! After the update, the chat in my game disappeared; please help me restore it. Otherwise there are no problems. Thank you ))

Anonymous

January 28, 2016

Simply a BIG, HEARTFELT THANK YOU! Turkmenistan - Ashgabat

Anonymous

January 28, 2016

Thank you from the sunny Uzbekistan. I wish you all the best on your projects!!!! Tor is cool !!!!

Anonymous

January 28, 2016

hi. nice update.
sadly the squirrel mail web interface is now unusable, every single click opens in a new tab.

i am using squirrel mail with security settings set to high (javascript disabled) and having the same issue. clicking any link in the left frame (folders list, the check mail or folder sizes link) opens a new tab instead of loading the page in the right frame.

in tor browser 5.0.7 all worked well.

check this live-demo to reproduce the issue:
http://www.tagindex.net/html/frame/example_t04.html

Anonymous

January 28, 2016

Hi my dear friends
Thank you of this program...
At Iran is not freedom internet.
thanks.....thanks

Anonymous

January 28, 2016

I just applied this update and now some fonts and font sizes are not rendering. I tested this on a local website.

Fonts not rendering:

Candara (default bootstrap.css font), Calibri, "Franklin Gothic",

Arial font declaration:

font-family: arial; font-size:11px; text-transform: uppercase;
(renders as lower case and ignores 11px)

We are shipping a font whitelist now to avoid font enumeration by tracking websites. You can see the whitelist on about:config. The preference `font.system.whitelist` has all the items.
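
A simplified model of the whitelist behaviour described in the reply above, added here as an illustration and not taken from Tor Browser's code. `SAMPLE_WHITELIST`, `resolveFont` and `detectableFonts` are hypothetical names, and the font lists are constructed sample values, not the real contents of `font.system.whitelist`:

```javascript
// Simplified model of font whitelisting; not Tor Browser's implementation.
// SAMPLE_WHITELIST is a constructed value standing in for font.system.whitelist.
const SAMPLE_WHITELIST = "Arial, Courier New, Times New Roman, Verdana";
const GENERIC_FAMILIES = new Set(["serif", "sans-serif", "monospace", "cursive", "fantasy"]);

// Normalise a family name: strip surrounding quotes, collapse spaces, lower-case.
function normalizeFamily(name) {
  return name.trim().replace(/^["']|["']$/g, "").replace(/\s+/g, " ").toLowerCase();
}

// Split a comma-separated family list, keeping commas inside quoted names.
function splitFamilies(list) {
  const out = [];
  let cur = "", quote = null;
  for (const ch of list) {
    if (quote) { cur += ch; if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") { quote = ch; cur += ch; }
    else if (ch === ",") { out.push(cur); cur = ""; }
    else cur += ch;
  }
  out.push(cur);
  return out.map(normalizeFamily).filter(Boolean);
}

// Resolve a CSS font-family value: a named font is used only if it is both
// installed and whitelisted. Installed but non-whitelisted names are skipped
// exactly as if they were missing, and are reported in `hidden`.
function resolveFont(cssFontFamily, installedFonts, whitelistPref, defaultFamily = "serif") {
  const installed = new Set(installedFonts.map(normalizeFamily));
  const allowed = new Set(splitFamilies(whitelistPref));
  const hidden = [];
  for (const family of splitFamilies(cssFontFamily)) {
    if (GENERIC_FAMILIES.has(family)) return { used: family, hidden };
    if (!installed.has(family)) continue;
    if (allowed.has(family)) return { used: family, hidden };
    hidden.push(family);
  }
  return { used: defaultFamily, hidden };
}

// Which probed names resolve to themselves, i.e. what a page could distinguish.
function detectableFonts(candidates, installedFonts, whitelistPref) {
  return candidates.filter(
    (c) => resolveFont(c, installedFonts, whitelistPref).used === normalizeFamily(c));
}
```

In this model, two machines with different installed fonts return the same `detectableFonts` result for the same probe list as long as the whitelisted fonts are present on both, which is why Candara or Calibri fall back to another face after the update.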

Anonymous

January 28, 2016

Thank you very much!!!

Anonymous

January 28, 2016

I am happy that I am able to go online through the TOR browser while staying behind someone else's IP!!!! Freedom of action. Great. Russian speakers, write to me; we'll find a common topic and level up to the fullest.

Anonymous

January 28, 2016

Heartfelt thanks to you, brothers and sisters! Peace and balance in everything to all))

Anonymous

January 28, 2016

So I've been using custom obfs3 bridges before and they work fine but now I tried custom obfs4 and I can't connect to any sites. Already tried 6 different bridges. If I use the provided obfs4 bridges everything works fine. What can I do to solve this?

From log,

[WARN] Proxy Client: unable to connect to ............. ("general SOCKS server failure")

[NOTICE] Delaying directory fetches: No running bridges

[WARN] Proxy Client: unable to connect to ............. ("general SOCKS server failure")

[NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:80. Giving up. (waiting for circuit)

Anonymous

January 28, 2016

Super

Anonymous

January 28, 2016

That's great to have another new release. I'm just wondering, when will there be a new Tor Browser release of the zh_TW version? Since I have finished that part of translation on Transifex last week.

Adding new locales is currently tricky as it is quite resource intensive for us to ship additional ones for all platforms we support + alpha and stable series at least. Per locale this would add ca 1GB disk space we'd need. We are therefore working on a generic bundle which would contain at least some locales (e.g. zh_TW). You can follow (and, of course, participate in) the discussion in https://bugs.torproject.org/17400.

Anonymous

January 28, 2016

Speaking of progress on the usability side... It would be nice if all those fixed bugs listed in the changelog were clickable links!

Yeah, we are trying this first with the bugs in the alpha changelog on our blog and were just waiting for feedback, thanks! Or do you mean the changelog shown after update within Tor Browser itself (as well)?

At first I meant the blog post, but then I realized that the only reason I clicked to the blog post in the first place was in hopes of finding links to details on specific bugs. So if the release notes in the browser were clicky it would be even handier!

Anonymous

January 29, 2016

good