Tor Browser 5.5.3 is released

Tor Browser 5.5.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release bumps the versions of several of our external components: Firefox to 38.7.0esr, OpenSSL to 1.0.1s, NoScript to 2.9.0.4 and HTTPS-Everywhere to 5.1.4.

Additionally, we fixed long-standing bugs in our Tor circuit display and window resizing code, and improved the usability of our font fingerprinting defense further.

The full changelog since 5.5.2 is:

Tor Browser 5.5.3 -- March 8 2016

  • All Platforms
    • Update Firefox to 38.7.0esr
    • Update OpenSSL to 1.0.1s
    • Update NoScript to 2.9.0.4
    • Update HTTPS Everywhere to 5.1.4
    • Update Torbutton to 1.9.4.4
      • Bug 16990: Don't mishandle multiline commands
      • Bug 18144: about:tor update arrow position is wrong
      • Bug 16725: Allow resizing with non-default homepage
      • Translation updates
    • Bug 18030: Isolate favicon requests on Page Info dialog
    • Bug 18297: Use separate Noto JP,KR,SC,TC fonts
    • Bug 18170: Make sure the homepage is shown after an update as well
  • Windows
    • Bug 18292: Disable staged updates on Windows
Anonymous

March 08, 2016

Does Tor Project have any comment regarding the playpen bust in 2015? Zero-day?

One of the pedos had JavaScript activated. If you catch one greedy of them, you catch all them greedy.
Stupid pedos.. they deserved it! I myself would install a backdoor into Tor to catch all those childf****ng guys and bust them. But unlucky me is not a member of the Tor creators :D

Anonymous

March 08, 2016

Thanks!

Anonymous

March 08, 2016

The about:tbupdate tab loads every time I start the browser since this update. How do I switch this off?

Anonymous

March 08, 2016

TAILS 2.2 is out; I haven't tested it yet.

The problem is I need to edit the torrc file when booting from DVD. Bridges are no substitute!
Booting from USB is no substitute, either.
I hope the Tails distributors have considered that;
I haven't seen torrc editing in the docs.

The only bad alternative would be using old TAILS. Or maybe not using Tor anymore.

Anonymous

March 08, 2016

Time warp on restart

```
Mar 09 06:30:13.000 [notice] New control connection opened from 127.0.0.1.
Mar 09 06:30:13.000 [notice] New control connection opened from 127.0.0.1.
Mar 09 06:31:36.000 [notice] Owning controller connection has closed -- exiting now.
Mar 09 06:31:36.000 [notice] Catching signal TERM, exiting cleanly.
Mar 09 04:31:39.553 [notice] Tor v0.2.7.6 (git-7a489a6389110120) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.1s and Zlib 1.2.3.3.
Mar 09 04:31:39.553 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
```

Anonymous

March 08, 2016

Hello (torproject),
https://blog.torproject.org/blog/tails-22-out
has no comments, and support/feedback via the Support section is complicated, so I'll try it here:

In older TAILS versions (with Vidalia) I can edit the torrc file easily. Important.
I like Tails and I use it sometimes on DVD, no USB! (Read the HackingTeam archive and you'll know why.)
Very convenient (with VIDALIA!), and you see the complete relay list with country and fingerprint, nice for editing the torrc.

Bridges are NO substitute for the capability to edit the torrc, in Tails too. With some exclamation points.

Onion Circuits (on tails.boum.org) looks only rudimentary )-: Sorry, I like Tails.
Can I do this (editing the torrc normally) in the new version of TAILS with "Onion Circuits"?
Maybe with arm, with the persistence feature? Bad hacks like manually searching, editing the torrc (really bad with DVD booting and no complete relay list)?
Can you answer?

Thanks for reading

Anonymous

March 09, 2016

In reply to by Anonymous (not verified)

"Can I do this (editing the torrc normally) in the new version of TAILS with "Onion Circuits"?"

The torrc editor is gone? That would be bad, very bad. Hope this is only a rumour. Vidalia was well thought-out.

Anonymous

March 08, 2016

Thank YOU for hard job !!!!! T H A N K S !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Anonymous

March 08, 2016

Tor! -Hm

Anonymous

March 08, 2016

What's going on with entry relays? I have installed a fresh TBB for Windows 50 times and every time the entry relay was the same, from France, Germany or the Netherlands. Is it safe to use only 3 entry relays for all users of the Tor network?

Same here... same thing: Germany, France and Netherlands, exact same order, exact everything. No matter where I or how many times I refresh, the exact same entry from Germany.

1.) Thank you guys so much for everything you do; your time, your work, everything you do is awesome. 2.) Same thing here, same exact entry, no matter where I go or what I do.

Limiting the entry relay to one protects from the eventuality of randomly selecting an entry relay and exit relay that are collaborating.

Imagine using Tor to browse the web and one time you are unlucky and pick an entry/exit pair operated by the same entity. By using a timing attack, that entity now knows with complete certainty your IP address and destination. All it takes is one time.

The odds of eventually choosing collaborating relays at both ends of the Tor circuit are surprisingly high when using a pool of entry relays. By using only one, as long as you weren't unlucky with that first choice, those odds are sharply reduced.
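The odds argument in the reply above can be checked numerically. The following is an added example, not part of the original comment or of Tor's code; it assumes a simplified model in which one entity controls a fraction `c` of entry selections and `e` of exit selections, chosen independently per circuit (real Tor path selection is bandwidth-weighted and guards do eventually rotate).

```python
import random

def p_rotating(c, e, n):
    """Fresh random entry per circuit: each circuit is exposed with probability c*e."""
    return 1 - (1 - c * e) ** n

def p_fixed_guard(c, e, n):
    """One entry kept for all n circuits: exposure first requires that this
    single guard is hostile (probability c), so the result never exceeds c."""
    return c * (1 - (1 - e) ** n)

def simulate(c, e, n, users, fixed_guard, seed=1):
    """Monte Carlo check of the closed forms above (constructed model, seeded)."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(users):
        guard_bad = rng.random() < c          # the user's first entry choice
        for _ in range(n):
            if not fixed_guard:
                guard_bad = rng.random() < c  # re-pick the entry for every circuit
            if guard_bad and rng.random() < e:
                exposed += 1                  # hostile entry and hostile exit together
                break
    return exposed / users

if __name__ == "__main__":
    c = e = 0.10   # assumed adversary share of entry and exit selections
    n = 200        # circuits built by each user
    print("rotating entry, closed form:", round(p_rotating(c, e, n), 4))
    print("rotating entry, simulated  :", simulate(c, e, n, 2000, fixed_guard=False))
    print("fixed guard,    closed form:", round(p_fixed_guard(c, e, n), 4))
    print("fixed guard,    simulated  :", simulate(c, e, n, 2000, fixed_guard=True))
```

With a rotating entry the chance of at least one exposed circuit climbs toward 1 as `n` grows, while with a fixed guard it is capped at `c`.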

Since the single point of entry can be deduced by monitoring a user, wouldn't adding a relay to the chain be preferable?

Anonymous

March 08, 2016

Can you guys do anything about saving passwords? I can't do that. I have to write in the same thing every time.

Anonymous

March 09, 2016

Hi boklm, please give me a clear answer: is Tor safe on HTTP sites? Or can the ISP track my traffic on the target site?

The problem is that it loads the page fresh from the server without using the credentials from the rendered page. So if I want to look at the source for a page in a site that requires a login, I'll get the source for the login page, or whatever. Why on earth doesn't the browser just use the source from its own cache?

Now that I've read that ticket, it sure sounds like the same bug. Someone suggests using Firefox development tools to view the source. What's the quickest way to invoke that?

My experience with regular Firefox, not TBB, may help:
on the regular html page, select all (Ctrl+A), then context click view source.
The source apparently is as rendered not as received.
I discovered this while fiddling with rss news feeds, which render very differently than as received.

If that doesn't work for you, maybe there's a Firefox pref?

Anonymous

March 09, 2016

Do you intend to add something like 'Onion Circuits' to TBB?

I would like to know who I am connected to.
'Tor circuits for this site' shows just IP addresses I'm not able
to handle.

Old versions of TBB had the great tool Vidalia; canceled.
The only alternative was Tails. I have seen 'Onion Circuits' in the documents (homepage) and it's looking strongly cut back. Vidalia has been unmaintained for years, but insecure enough to cancel it in Tails?
If 'Onion Circuits' does not have the same practicality as Vidalia (good-looking relay list, editing Tor behaviour, Message Log etc.),
Tails would be a gadget only.........)-:. I hope it isn't so.

Yes, being unmaintained for years is a very valid reason to stop using it. Even if it was secure (very questionable), it was a GUI control for tor and tor is still currently under active development.

There are alternatives that include at least some of the functionality (see https://www.atagar.com/arm/); they do not, however, include the nice map display that was pretty but unnecessary. Most people used Vidalia for the map display. I did, with the exception of requesting new circuits, which is functionality best left to Tor Browser at this time (because it can do new circuits for individual sites in addition to all connections).

"There are alternatives ... (see https://www.atagar.com/arm/;)".

With Vidalia in Tails you had a smart, useful, handy Tor GUI.
With Onion Circuits you have nearly nothing?
With Vidalia and arm you can close connections, you have a complete relay list, you can edit the torrc (some Tor users like to have normal Guard security......., the Tails developers obviously not?).

Without Vidalia and with Onion Circuits Tails is a -little bit- *WTF*. I'm speechless.
I like handy innovation but Onion Circuits is not. It is cripple (sic!) Tails. Sorry, I want to be constructive.

+1 to adding the new "onion circuits" tool

I'm glad to hear the Tor Button circuit display bugs are fixed but I just got a "Secure connection failed" error (probably due to a bad exit) and Tor Button didn't show me the circuit that caused it. (It did show my new circuit after I selected "New Tor Circuit for this Site" and loaded the page, and so far it has shown circuits for every successful page load I've tried, but I want circuit display for unsuccessful requests like SSL errors).

Your IP-based circuit information is crap.
I'm still using Vidalia standalone, especially to terminate suspicious
circuits like

EntryNode 1 - random relay - EntryNode 2 or
EntryNode 2 - random relay - EntryNode 1
(both among ExcludeExitNodes ... and StrictNodes 1)

OR

the 1st is busy and the 2nd EntryNode is building this:

EntryNode 2 - random relay - static Exit (=always the same ExitNode)

you call it feature - i don't want such circuits.

Anonymous

March 09, 2016

cool