Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks, which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we now isolate Shared Workers to the first-party domain and have further improved our keyboard fingerprinting defense.

We also made progress on the usability side. First, we provide Tor Browser in another locale, Japanese. Additionally, we now show the changes in the new Tor Browser version immediately after an update and have polished our about:tor appearance. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Could a MITM attack sit between my computer and the entry or directory node and remove this information to keep himself hidden? Any other ways this information could be removed but Tor still work normally?

Yes, it's possible and doable. In fact the staff at TAO, Tailored Access Operations, discovered and use this exploit to their full advantage.

I'm sorry, but I think this comment is wrong. Or at least, it comes with no supporting details. The fact that Tor Browser's circuit list went away is the bug that gk pointed to. It's not an indication of an attack on your connection to your guard. And no, it's a client-side bug, so a mitm influencing it makes no sense.

Anonymous

February 01, 2016

Nice

Anonymous

February 02, 2016

Thank you very much!!!

Anonymous

February 02, 2016

There is a popular website used to download youtube videos: http://savefrom.net It works with previous stable version of TBB, but doesn't work with this 5.5 release. Could you fix it?

Anonymous

February 02, 2016

Run a relay ; ???

Could you add something like a GUI for creating/configuring a relay?

Running a relay sounds very difficult. Your language is not one of my native ones, sorry!

I could help, but there are too many things to do, to verify, to check: a GUI and an automatic install could be helpful.

5.5 works fine ; thx.

Anonymous

February 02, 2016

Hello, if this version gets faster, that would be the best thing for internet in Iran, meaning that it would also work better with Iran's slow internet speeds.

Anonymous

February 03, 2016

On MacOS 10.7 it stalls with 2 tabs open. I close the tabs, then try to quit, it won't quit and the menu still works. All bookmarks randomly appear and disappear.

Activity monitor shows 37(!) threads, 226 MB + 194 virtual mem. That's with no tabs open.

I call that broken. Why not simply release the standard Tor CLI ported to MacOS instead of wasting time on FireFix bloatware?

oh dear my dear ... are you implying tor project is a criminal organization ? if so why the hell you here probably using tor browser ? will you please just do one you will not be missed, by me at least ... i am personally willing to die for others freedom regardless if i agree or disagree with them.

"one person terrorist is another person freedom fighter"

come on who even read this kind of sh*t comment ... let me make it clear most anti-virus companies sell their products mostly based on fear or ignorance.. more than likely the latter or both ... so if these hero fear-mongers so factual and trustworthy then why are they looking at the above mentioned sins and so called evils ? my 2 cents they are the evils themselves and fiddlers and pushers ..

my doctor gives me drugs... i give monies to the less fortune than myself ... masturbation of porn prevents diseases or physical contacts...

all of the so called potential criminal actions you mentioned can be achieved on the clear-net and off the dark-net e.g. in someone home or even ignored by the people who should be protecting us e.g. the law enforcement or makers.

It seems you forgot to point to the flip side of the coin, quoting Kate's reply:

"The researchers seem to make conclusory statements about the value of onion services that lie outside the scope of their research results. Onion services are a tool with unique security properties used for a wide range of purposes: They are self authenticated, end-to-end encrypted, and offer NAT punching and the advantage of a limited surface area."

https://nakedsecurity.sophos.com/2016/02/03/dark-web-is-mostly-illegal-…

Anonymous

February 04, 2016

I express my enormous gratitude to the people who give me the opportunity to access the internet through Tor Browser! I wish you good health, creative success and good luck in all your endeavors.

Anonymous

February 04, 2016

Thank you so much for a real, professional and very good browser!

Anonymous

February 05, 2016

Dear Team! Everything worked for me just fine, but with update 5.5 there has been a problem with vk.com authorization. Anything I tried is not working (the message "unable to complete authorization... wrong system time" (or smth like that) continuously pops up). Thanks in advance.

Anonymous

February 05, 2016

5.5.1 update : feedback

ok : done
browsing : frozen screen , all my apps are non-responsive , something is wrong.

ok : shut down
ok : restart
ok : erasing tor folder
ok : download && install torbundle 5.5.1 / good signature && settings && surf

ok : perfect !

:) thx.

Anonymous

February 06, 2016

Thank you!!! Greetings to Roskomnadzor...

Anonymous

February 10, 2016

Starting with this version I cannot run Tor with setgid anymore. I used to do that because I allow outbound access in iptables only for a specific group. Should I file a bug report?

Anonymous

February 20, 2016

This information was helpful, thanks for these updates!

Anonymous

August 10, 2017

very ok