Tor Browser 5.5.1 is released

Tor Browser 5.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

Most notably, this release features fixes for regressions caused by our font fingerprinting defense: chinese users should have a functional Tor Browser again and emoji support is restored on OS X and Linux systems (we are still working on a fix for Windows).

Moreover, we fixed an oversight in one of our patches which broke some websites depending heavily on iframes.

The full changelog since 5.5 is:

Tor Browser 5.5.1 -- February 5 2016

  • All Platforms
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux
Anonymous

February 05, 2016

Permalink

There's still an annoying bug that prevent TOR to use native OSX full screen. When pressing the green button the window remains the same size but is black on the rest of the screen. To have the real full screen, I have to press full screen in the menu bar.

Dude, F11 in menu is the only full screen option for any app. Stop trying to maximize - it's not secure. And did you see your bug fixed in this release to write that?

tbb in windows
I have accidentally, out of habit, clicked the maximize button.
in tbb 4.x, that window became huge.
in recent 5.x, the window either maximizes or increases to a size nearly equal to display size. i then click restore button which restores tbb window size as restore normally does.
if relevant, i usually have multiple tabs open, and only one tbb window open.

and, thanks to node operators and tor developers.

I have this issue with 5.5.1 and it IS a problem. I use Tor to enhance my security but not at the expense of convenience. Moreover, when connecting to my very own hidden service, I couldn't care less about leaking the resolution. But the fact that I can't stretch the window is really annoying :-)

"There's still an annoying bug that prevent TOR to use native OSX full screen."

Strange I don't have that experience on OS X at all. I'l try this new release later on.
What I did experience (for a longer time in different versions) is that if you have another Torbrowser window minimized to dock a renewal of the connection as a whole in another open window and after that opening older open windows from dock and from the previous session again, then you'll get a black window which will disappear after another renewal of your identity in Torbutton.

Another NoScript bug that I once mentioned here and Gk. could not reproduce, Torbrowser completely crashing while trying to print a page to file is still existing. Maybe probably also in this new release. I'll test it again but because it is also happening in regular versions of Firefox I consider that as an NoScript problem in general that exists with some sites and in combination with very high security settings of NoScript.

I'll probably have to contact NoScriptMalone for that issue I guess.

Hello can you help me, every time i want to start tor browser i have to restart my computer. It will start if i restart it but once i close it i have to restart to reopen tor browser, Can anyone help me out??

Anonymous

February 05, 2016

Permalink

Super

Anonymous

February 05, 2016

Permalink

Please use Nimbus Sans L font instead, it looks very ugly since 5.5.0!

I agree about the default font being less pretty now...

But I'm so happy about the DuckDuckGo onion search being added!! (But never understood why Amazon and ebay are left in by default... does anyone even use those? I can't believe I'm the only person to accidentally run a search on Amazon from the search box.)

Anonymous

February 05, 2016

Permalink

I've heard Tor is not secure for http sites ! in fact encryption is not end-to-end and the data is encrypted Only between Tor servers ,So ISP can tracks user On Target site (http)

is it true? Please answer me, certainly This is a question of many users

Tor traffic is only unencrypted (via Tor) once it leaves the exit node. The ISP of the exit node can track the activity on the target site, but the ISP of the user cannot. The ISP of the user only sees you connecting to the first node.
Note: this is only necessarily true with Tor Browser; if you use other web browsers through Tor some may leak what website you're browsing; this is as true for HTTP as HTTPS. Moral of the story: Use Tor Browser, not some homebrewed setup.

That's true to a certain degree. The browser bundle has implemented several mitigations like Isolating circuits to each domain, and creating a uniform profile for all users to appear the same among other things.

Now if you start logging into personal accounts or start divulging personal information over http then with little effort and collusion you could be de-anonymized.

Otherwise even if your are trackable as a toruser, unless you give away your identity as stated above, they won't know who their tracking.

Tor is not recommended for HTTP traffic, unless you are just accessing sites with public information, such as a news site, output nodes can intercept your sensitive information, so always use HTTPS encryption.

The same is true for normal HTTP traffic, except with (usually) fewer possible interceptors. It's not like your ISP can't do the same thing. Yes, you should use HTTPS whenever possible, but tor isn't that inherently insecure compared to the normal internet for HTTP (depending on your threat model.)

"HTTPS encryption" is fake for clown sites -> cloudflare "intercept your sensitive information" even and especially if you use https.
wonder if tbb can mark such compromized sites?
or maybe ssl observatory can help?
it is an emergency problem that you can't believe even https encryption.

Anonymous

February 05, 2016

Permalink

Seria muito bom que escolheriiamos qual circuito a ser criado.

What operating system are you using (Windows, Mac OS, GNU/Linux)? What web site does not display Punjabi correctly?

I tried going to https://pa.wikipedia.org/ and it seems to be working fine, using the system fonts "Raavi" and "Mangal":
Screenshot of text on pa.wikipedia.org.
You can find out what font the browser is trying to use by right-clicking on some text, selecting "Inspect Element", and then clicking on "Fonts".

Anonymous

February 05, 2016

Permalink

Here comes the font war, use whatever it takes to minimize the attack surface,
who really care about font rendering ? what really matters is what is being read
and Tor browser ability to make it hard to find who is reading it.

Anonymous

February 05, 2016

Permalink

is Tor secure on http sites? i don't know why don't publish this comment ! I have written this comment in another posts several times

Anonymous

February 05, 2016

Permalink

great

Anonymous

February 05, 2016

Permalink

veryyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy niceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Anonymous

February 05, 2016

Permalink

thank you
problem with frames and iframes was fixed so my webapp works again

bless you

Anonymous

February 05, 2016

Permalink

Hm... Tor-Browser update (over Tor-Browser) will download 54mb (and do a smaller update before - i must restart 2 times to complete it), and the standalone version has only 42mb... why? (Win7, english)

Not sure what you mean. From which version to which are you upgrading? If you are coming from 5.0.7 or 5.5 the update to 5.5.1 will only download an incremental update where you need to restart once. If you are coming from an older version (which already has the updater functionality) your Tor Browser will download the large file and you have to restart only once as well. If you modified 5.0.7 or 5.5 Tor Browser will try an incremental download first and start the full update later as the diff is not matching (due to your modifications). Nevertheless, in this scenario you only need to restart the browser once as well.

The full update files are bigger as a different compressions algorithm is used for them.

Anonymous

February 05, 2016

Permalink

Hello.
Thanks for partial fix of Bug 18168 but sadly the regression still occurs when the page is using nested frames.

Steps to reproduce:

Visit this page:
http://www.cs.laurentian.ca/rsgrewal/c2206/html/examples/frames/frameSe…

Click link frameSet2.html (Side-by-side frames)
(t loads another frameset inside right frame)

Now click any of the new links opened:

  • CNN
  • Canoe
  • JavaScript site

All the links are now opened in new tabs instead of the correct "content" frame.

Anonymous

February 05, 2016

Permalink

could someone explain to me the reason why the site is written only in us/uk/ language ?
are there more us posters/volunteers/donators ?
are you so lazy to not dare an international site ?
do you know an hidden service where it could be translated in another language ?
... boring barriers ...
recipe : take a couple of tor admin and cut the ears then lets boil the legs few minutes in an encrypted swap ; it smells good. take the head and look at him ; his tongue must be pink or blue -sometimes black but it is an other story- now , you have to slowly say few words followed with the magic number : 1 -repeat the special op x 3- now it is ready for the female and for the male, he will answer in 12 + 1 different languages. the female will add 'not this one' in the fail test.

could someone explain to me the reason why the site is written only in us/uk/ language ?
are there more us posters/volunteers/donators ?

Let us give you the reasons:

1. Perhaps you didn't know that National Security Agency of the USA and GCHQ of the UK are both operating in native English-speaking countries? The two agencies combined made up the largest government-approved snooping employers in the world.

(a) Estimated staff strength is about 100,000 employees. They--the employees--are proficient in English only. If this site were in Chinese or Arabic, they'd be totally lost.

(b) Before World War II, the Brits were the most superior race in the world. Have you not heard of the phrase "The sun never sets on the British Empire"?

After World War II, the Yankees were the most superior race in the world. "The sun never sets on the American Empire" holds true today. The Yankees have the power and the means to topple foreign governments that they view as threats or support foreign dictators based on their oil-producing capacities, eg. Saudi Arabia.

Given the above, why would the superior race of today tolerate any other foreign languages?

(c) Perhaps you didn't know that Tor was first conceived and developed under the auspices of the US government and was its only and major sponsor? Even as we speak, the US government is still a sponsor of Tor and Tails.

Nah, the reason is much less sinister: we lack the resources to provide the websites in different languages *and* to keep them up-to-date (the latter is much harder but at least as important as the former). But there are plans to change that in the near future, stay tuned.

Anonymous

February 05, 2016

Permalink

I keep getting a message that 5.5.1 has been downloaded but could not be installed. Then is opens up. LXLE Ubuntu 14.04.