Tor Browser 5.5.5 is released

Tor Browser 5.5.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 38.8.0esr. Additionally, we bump NoScript to version 2.9.0.11 and HTTPS-Everywhere to 5.1.6.

Moreover, we don't advertise our help desk anymore as we are currently restructuring our user support.

Here is the full changelog since 5.5.4:

Tor Browser 5.5.5 -- April 26 2016

  • All Platforms
    • Update Firefox to 38.8.0esr
    • Update Tor Launcher to 0.2.7.9
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
khled.8@hotmai.com

April 26, 2016

Permalink

Is there a reason why customers cannot shop online at Wal-mart through Tor? If it's a tech issue, please repair.

It is not a tech issue Wal-mart and other online shopping companies are intentional blocking Tor and other anonymity services to prevent criminals from using stolen credit cards anonymously.

I understand that they are preventing anonymous use of credit cards,
but I think the OP meant "shopping" as just window shopping without being tracked.
obviously when it comes to using your credit card. that page should be deanonymized,

They block Tor's nodes.

Use CNET to download older version of Tor, then update.

LOL You are right but your prices are jacked up 10x
who in the world would pay $500 for a toaster :)

I cannot believe people steal credit cards and then proceed to shop at Walmart with them. Good luck low life!

walmart.com.br no blocked.

When are you moving to 45 esr?

The release on 2016-06-07 will be based on Firefox 45.2esr.

There are also plans to make a release based on 45.1esr at the end of May.

Good browser no changes

Thanks for the update guys / girls!

Keep it rocking :)

Thanks

yyyeeeehhhh!!!!!!!!!!)))))))

Thanks to ALL you.. on behalf of TorBrowserestrs :)

Next is not a bug.. but a suggestion,

if possible to include an On/Off Icon (to be per-configured) [for privacy and security settings]

so, instead of:
1-Clicking pull-down-menu of the green Tor icon, Then
2-Selecting privacy and security settings, Then
3-Selcting (temporarily) LOW sec-Level, Then
4-pressing OK..
That's in order (for example) to watch a quick video clip ..

and will go after all above 1-2-3-4 steps AGAIN to "undo" the LOW to be Mid-LOW .. and back&forth again&again for similar instances ..

That's why thought of above suggestion for a near-by icon to the green one.. (side-by-side)

ON- (Green color led) means:
privacy and security set to (ANY level above LOW)
Or set according to what has been chosen under (Tor green icon)

OFF- (Red color led) means:
privacy and security set to (LOW level)

While per-configuration may include some of the following:

Auto-Off: to select how many minutes to AUTO turn the icon to OFF (Green)

for myself i'd mostly chose 3 minutes,
when i forget to click! it will Auto-Off by itself
:)
Hope u all like my contribution,

Thanks Again, Bye for Now..

forgot to mention that the suggested NEW side-by-side icon is a click-able one..

click once- goes Red to view videos
click again- goes Green..

or leave it to auto-off
(according to what time was set in per-configuration)
..
thanks..

This is not a good request. It will only add to the confusion. If people can't read and understand what it says, then that's their issue.

Sorry to say that the "confusion-in-Whole" is that i can't understand any part of your kind comment :)

RGDS: idea-Maker..

yes! it is!
nice trip

Thanks anyway buddy,

if you mean 1-2-3-4 "trip"! will, that's quite long, need to find a motel in the middle, to get rest for 2 days :)

but if you mean to say the miss-spilled (TiP) .. I'd then second thanking you again..

if Tor..Divz, would make the TiP,
i'll then move the 'Great'Green (Tor enabled) icon under the so-called "hamburger Menu" .. and will keep instead of it the On-Off (Red-Green) icon.. so that the privacy will turn (or Auto-Turn) to my own-default & will NEVER be FORGOTTEN after watching any video clip :)

Best RGDS: idea-Maker

First of all, even at the low setting you're still sending your traffic through tor, and Tor Browser still has some additional safety features over vanilla Firefox. Making it seem like you're turning something off as opposed to down will just increase the confusion.
In addition to all of that, I don't think that's a good way to browse the web. While I agree that the security slider could use some changes, I don't believe your suggestion which implies that the amount of time you have security set to low makes a difference. What matters is the sites you visit while the security slider is set to low. It only takes one visit to launch a browser javascript exploit.
Besides, you can still technically play video with the slider set to high. It's click to play and certain sites don't work (i.e. Youtube,) but video can still play. The sites in question do not play video without javascript enabled, so this is a wider issue than Tor Browser and should also be addressed with the sites in question.
Also, concerning Youtube in particular: Youtube is owned by Google and thus actually one of the more dangerous sites to set to Low in terms of privacy. Downloading the video (if possible) and playing it through a local video player might be a better option than viewing it on Youtube itself.

I'm not sure why you think this is a bad way to use the Tor Browser.
Sure, it takes just one visit to launch an exploit. But if on 95% of the sites that I visit, I can do without javascript and on 5% I can't, am I not safer lowering the security slider only when visiting those 5%?

I also think it would be great to convince popular sites (like Youtube) not to require the use of javascript. But we live in the real world and simply pointing the finger realistically doesn't help anyone much.

I'm also unsure whether downloading a youtube video through some dedicated, torified application would be more secure, since it's obviously detectable and you're distinguishing yourself from the crowd. (Same problems over and over again)

Actually, in order to watch youtube you don't have to disable all protections, you only need to do 3 things when the security slider is set to max:
1. Enable audio/video in noscript.
2. Enable svg.in-content in about:config.
3. Add youtube.com and ytimg.com to the whitelist in noscript

This way, you only expose yourself to javascript and svg security risks in youtube.com and ytimg.com which are operated by google and you stay protected from all other known browser attack vectors. Obviously, from a privacy angle this settings could make your browser fingerprint unique in the eyes of google should they bother to fully collect and analyze every ancillary aspect of your browsing behaviour.

You could claim however that if you only use low security settings after taking a new identity and then browsing only youtube.com and after you finish you set the security slider back to max and starting a new session, then perhaps the slightly larger attack surface you give google is not worth the privacy sacrifice you make by choosing a rare browser fingerprint. But that depents perhaps on your threat model. For example, to the best of my knowledge google has never used it's servers to actively attack users in any circumstances, though it is possible of course that it was done against terrorists with a NSL. On the other hand google is widely known of passively collecting huge amounts of information about its' user base from commercial reasons.

So the conclusion is that perhaps unless you are a very high target, then you should be more afraid of google passively collecting information than of it actually trying to hack into your device. And in that case, your method of watching youtube might be better than mine, as long as you make sure you never visit any other non google site when you're in low security settings.

Thank you for elaborating on the matter. I think I agree with everything you said.

I'm glad you brought up the browser fingerprint. I've had concern about that since reading an article proving users can usually be completely uniquely identified with only a browser fingerprint. I had no idea I was broadcasting so much detailed information. I'm wondering why no one has built a spoof for this that would truncate the point point point release versions of add-ons, etc,, substitute a standard list of fonts, etc. Do you know anything about this? I'm not technically savvy enough about browsers to know at what level this information is being snatched and sent and if that could be hijacked for us.

Autoupdate hosed my installation this time. Cannot start browser; instead I get a "Can't load FXCOM" dialog, that does nothing but close.

I had it wrong, my previous comment. Errmsg is
“Couldn't load XPCOM”

I have the same issue, can not launch Tor at all now, what to do!!! help!!

Perhaps your antivirus quarantined a component. In a previous release Panda Antivirus did that to me, thinking some part of Tor was bad news. A false positive. I have now set Panda to ask me whether to do this or not so I have a chance to exclude things that are not a threat that it makes a mistake with, such as Tor.

Same error have not seen a solution posted yet

A search of this problem suggested that those using "WebRoot" software need to allow certain .dll files through the identity protection filter. In my case, after updating Tor and Firefox, i allowed the file "nss3.dll" and Tor browser ran as normal. Hope this helps!

I have webroot and having same problem how do I allow the files or know wich files I need to allow?

When are you going to move to 45 esr?

This is probably the last ESR38 based one. The alpha we are about to release is already ESR45 based.

<3

tor seems sort of faster past this update. don't see why that would be, but I'm pleased either way.

Sometimes, you just gotta go with the flow. ( ͡° ͜ʖ ͡°)

this update was well managed and bring us a better protection : thx.

Hardened update release?

Is in the works. We'll release it today or tomorrow together with the alpha. We had to rebuild both in a last minute fashion due to a severe bug we found while testing (https://bugs.torproject.org/18900)

Great, thanks for the update.