Tor Browser 5.5a3 is released
A new alpha Tor Browser release is available for download in the 5.5a3 distribution directory and on the alpha download page.
This release features important security updates to Firefox.
Beginning with this alpha version Tor Browser is available in Japanese as well. In addition to that it contains usability improvements for our font fingerprinting defense, a better notification of Tor Browser changes after an update and regression fixes that were caused by our switch to ESR 38 back in August.
Here is the complete changelog since 5.5a2:
- All Platforms
- Update Firefox to 38.3.0esr
- Update Torbutton to 1.9.4
- Bug 16937: Don't translate the hompepage/spellchecker dictionary string
- Bug 16735: about:tor should accommodate different fonts/font sizes
- Bug 16887: Update intl.accept_languages value
- Bug 15493: Update circuit display on new circuit info
- Bug 16797: brandShorterName is missing from brand.properties
- Translation updates
- Bug 10140: Add new Tor Browser locale (Japanese)
- Bug 17102: Don't crash while opening a second Tor Browser
- Bug 16983: Isolate favicon requests caused by the tab list dropdown
- Bug 13512: Load a static tab with change notes after an update
- Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
- Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
- Bug 16837: Disable Firefox Hotfix updates
- Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
- Bug 16781: Allow saving pdf files in built-in pdf viewer
- Bug 16842: Restore Media tab on Page information dialog
- Bug 16727: Disable about:healthreport page
- Bug 16783: Normalize NoScript default whitelist
- Bug 16775: Fix preferences dialog with security slider set to "High"
- Bug 13579: Update download progress bar automatically
- Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
- Bug 17046: Event.timeStamp should not reveal startup time
- Bug 16872: Fix warnings when opening about:downloads
- Bug 17097: Fix intermittent crashes when using the print dialog
- Windows
- Bug 16906: Fix Mingw-w64 compilation breakage
- Bug 16707: Allow more system fonts to get used on Windows
- OS X
- Bug 16910: Update copyright year in OS X bundles
- Bug 16707: Allow more system fonts to get used on OS X
- Linux
- Bug 16672: Don't use font whitelisting for Linux users
Update: It seems claiming that our builds are reproducible with LXC as well now was a bit premature (see bug 12240 for details). Thus, this part got removed from the changelog.
Comments
Please note that the comment area below has been archived.
Why are some of the stable
Why are some of the stable changes not listed in the alpha changelog?
Because the automatic
Because the automatic resizing of the browser window was not disabled in the last alpha and is generally enabled to test fixes for https://bugs.torproject.org/14429. Thus, nothing to mention in the changelog then.
Tor Browser & Linux & VPNs =
Tor Browser & Linux & VPNs = The Computing Holy Trinity!
We would be lost without your hard work. Don't forget that it is always appreciated by those who care about privacy and security.
Tails + Mac adress Changing
Tails + Mac adress Changing + dd-wrt = Unbelieveable Security
Well said. :-) Thanks very
Well said. :-) Thanks very much everyone for all your hard work! :-)
Linux? You mean Qube OS?
Linux? You mean Qube OS? What about LPS? Or...Kali Linux?
Hi gk, I noticed that there
Hi gk,
I noticed that there is a problem wherein the "Tor Circuit for this site' tab would disappear after prolong use.
Also, I was wondering if this feature (TOR Circuit for this site) would compromise anonymity? If a hacker were to hack into the TOR browser from the user end, would they be able to see the TOR circuit and slowly trace and eventually see and find the contents that the user is browsing? I understand that TAILS is uncomfortable with feature and thus not include it into their release.
If you are talking about a
If you are talking about a remote attacker using a vulnerability in the browser, yes it might be possible. However, the attacker could potentially use a number of other methods with that same vulnerability to deanonymize the user as well depending on what they manage to access. Keep your browser up to date to (help) avoid this.
On the other hand, yes a local attacker could potentially use that feature; however, disabling the feature doesn't really reduce the attacker's capabilities (in terms of Tor Browser) because they could simply attack the tor process itself. Yes, some projects (like Tails and Whonix) have limited the ability for the browser to see the circuit; however, these projects are designed to deal with (limited) badly behaving programs. Tor Browser doesn't (because it can't) protect you from other programs on your computer spying on it. Your OS might, if your OS isn't the one doing the spying.
Noted with thanks! :-)
Noted with thanks! :-)
I'm glad to tell you, It can
I'm glad to tell you, It can display Chinese fonts in OS X . Thank you.
Just updated. Now I receive
Just updated. Now I receive the error "Could not find Mozilla runtime". :(
I'm running Windows 10. I'm sure *that* has nothing to do with it.
I have the same problem
I have the same problem
Would you recommend using
Would you recommend using TOR in conjunction with with VPNs?
Yes, but only ones that
Yes, but only ones that don't log
I recommend FrootVPN
It's $36/year.
Based in Sweden.
No personal information is required to create an account. Only username, password and email.
Accepts Bitcoin
And since I recommend it, it obviously has a no logging policy
Just because a VPN doesn't
Just because a VPN doesn't have a logging policy doesn't mean they don't log.
Hello Why digital signature,
Hello
Why digital signature, can not be confirmed?
please check
URL : http://i.cubeupload.com/1MNeEx.png
Thank you
Good question. What Windows
Good question. What Windows version is that? Both on Windows 7 and 8 the signature is valid for me. What SHA 256 sum does the .exe have? Does the signature check for Tor Browser 5.5a2 work for you (see: https://dist.torproject.org/torbrowser/5.5a2/)? I am asking as this alpha is the first version that got signed on a Linux box. Before that we needed to use a Windows machine.
My operating system is
My operating system is Windows 10
torbrowser-install-5.5a2_en-US.exe
Digital Signature = OK
Screenshot : http://i.cubeupload.com/Hkkjhv.png
MD5: e831d3bca509613fbb84d78a80e1e256
SHA256: b91700836a7f3f983a4961a06df5492647ccafd2c976c47c2c7e0ab1942f2632
torbrowser-install-5.5a3_en-US.exe
Digital Signature = Error
Screenshot : http://i.cubeupload.com/LDt7aj.png
MD5: 92df31f154ea262f1507271459177fbc
SHA256: b0300a609b3fe9e2f37fc10b5819059cd810b87210ed7e1ace814bafd014a74c
Thanks. The SHA 256 sum is
Thanks. The SHA 256 sum is good. Could you test one or two other bundles just to be sure that this is a more generic problem and not en-US only?
Sure
Sure
I got my hand on a Windows
I got my hand on a Windows 10 box and there the digital signature was correct. Could you find out what is causing this in your case? Like comparing the things shown to you if you are look at the output after clicking on "Properties" (after right-clicking on the 5.5a2 and 5.5a3 .exe files)?
torbrowser-install-5.5a3_de.e
torbrowser-install-5.5a3_de.exe
Digital Signature = Error
MD5: a892c57d2434e34a2cea6cc39653603d
SHA256: 10fc0612f080844c83874d88ba751913ebbc2a9d7447babfd5e2a76e4c8d2134
Just because the
Just because the authenticity of the files (original and not tampered with) this test done
5.5a2 = OK 5.5a3 = Error
5.5a2 = OK
5.5a3 = Error
Sorry, why are people using
Sorry, why are people using privacy tools under Windows 10? I fail to grasp the point. I lack the phantasy to come up with an explanation why one would willingly use a compromised-by-design OS. Your threat model can't be accurate because private data collections do leak.
:)
:)
Thank you!! Guys & Gals for
Thank you!! Guys & Gals for your hard work, its much appreciated..
England, London, and Britain
England, London, and Britain wants to control the Internet and all of you.
A sort of offtopic remark
A sort of offtopic remark that maybe though is worth looking at.
(Did not know where to write this elsewhere on this site.)
Did anyone notice the sudden huge amount of exitnodes risen in Lithuania?
At least 60 sudden/new exitnodes by someone that has the contactname avenueoftor.com ?
Has someone from Torproject looked at this?
EMAIL ALTERNATIVES CHECK
EMAIL ALTERNATIVES CHECK THESE OUT AND PROSPER IN PRIVACY AND FREEDOM!
1) Scramble - https://scramble.io/
2) Sigma - https://sigma.email/
3) ProtonMail - https://protonmail.ch/
4) DarkMail - https://darkmail.info/
5) Sigaint - https://www.sigaint.org/ (Has onion address)
6) Mail2Tor - http://mail2tor.com/
7) RuggedInbox - http://s4bysmmsnraf7eut.onion/
Additional information:
Site:
http://www.emailquestions.com/encrypted-email-service-providers/
Since disabling all
Since disabling all javascript, http refferal etc. I cannot sign in to my emails on any of the onion email sites. Even captures rarely work on those sites. https sites probably the same. Looks like some onion sites are using javascript for tracking. Used to be OK on earlier versions of TOR.
They could be using
They could be using javascript for completely legitimate reasons; it can be used for far more than tracking.
Your efforts are hugely
Your efforts are hugely appreciated, many thanks indeed.
Many Chinese words(about
Many Chinese words(about 1/2) in the browser UI can't be displayed correctly after the 5.5a3 update. These words show like a square box with 4 hex numbers in it. That does not happen in the 5.5a2 version.
It happens in my Win10 OS. I tested the 5.5a3 version in a Win7 OS(VMware), and these words can be displayed correctly but their font are different from other words that can be displayed correctly in Win10.
I guess there is something wrong with the fonts.
Thanks for reporting this.
Thanks for reporting this. What variant of Chinese are you using (Simplified or Traditional) and can you give me a web page example where you see this problem?
http://22u75kqyl666joi2.onion
http://22u75kqyl666joi2.onion/
greatfire.org
greatfire.org
https://zh.greatfire.org/
https://zh.greatfire.org/
Chinese Simplified. The
Chinese Simplified.
The problem is not about any web page, it's about the browser UI (all the menus, toolbars and dialogs). There is nothing wrong with the Chinese words in web pages.
These words show like this :
___
|7F|
|16|
ˉˉˉˉˉ
The "7F16" in the square box is the unicode of the word.
Sorry. My reply above is
Sorry. My reply above is partial wrong. I tested some web pages and found there is the same problem with Chinese words in all the web pages. So the problem is about both the browser UI and web pages.
This problem happens in any Chinese web page.
e.g.
zh.wikipedia.org
I'm not seeing this problem
I'm not seeing this problem on the pages listed. What version of Windows are you using? Also, could you paste the value of the pref "font.system.whitelist" (in about:config)?
When I visit zh.wikipedia.org, the font used for the main text is "Microsoft YaHei".
Windows 10
Windows 10
windows 10 pro insider
windows 10 pro insider preview build 10576 displayed correctly.
Hello, Im new to TOR. I was
Hello, Im new to TOR. I was exploring the TOR hidden services for the first time, and I noticed that under the TOR circuit map, it shows that there are 6 relays between my browser and the onion site. Does this thus mean that firstly, the TOR traffic never leaves the TOR circuit (unlike the normal non- hidden service websites) and there are 6 onion layers of encryption instead of the normal 3 which makes hidden services much more private?
yup
yup
怎么用啊。看不懂英
怎么用啊。看不懂英文
I'm using openSUSE and want
I'm using openSUSE and want to create an Apparmor profile for TBB, what things should be modified to /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox
@gk or other Tor
@gk or other Tor developers
If a bridge was to change from a bridge to regular node, would Tor Browser know that it has changed and notify user (error message) or will users be still using it under the false impression that it is still a bridge?
Hello I use TB5.5a3 and this
Hello
I use TB5.5a3 and this morning, Atlas is not responding?!
like tor map, does not works
like tor map, does not works since some days.
hope it will be operative again
Did I understand that TOR
Did I understand that TOR cannot protect you from programs spying on you? Then what program can?
It depends on what you mean
It depends on what you mean by programs spying on you; Tor can protect you from some attacks from programs running on external computers. For attacks from programs running on the local computer you're going to need protection at the OS level itself. Tails may be a better option than Tor Browser for you threat model.
Tor can only offer partial
Tor can only offer partial protection from dirwct identification,( you can still be identified even if using tor) if you really want to protect yourself from malicious programs you need to do additional housekeeping over and above using tor..
Why did they make Torbrowser
Why did they make Torbrowser bundle slower?
example: TorBrowser Bundle 4.53 surfs faster and has less connection timeouts than newer TBB versions. Anyone have any info about this change? I have not been able to find any info related to the bottlenecking that happens on TBB versions higher than 4.53. Any info would be great.
Latest versions of Tor
Latest versions of Tor (stable and Alpha) not working on Mac OsX from China. I can only use a Tor 4.0 version I have. Newer versions don't connect throw me mismatch identity errors.
I still can't download the
I still can't download the recent version of the tor browser on Linux.
What is the error you get?
What is the error you get?
Hi, thank you all for your
Hi, thank you all for your great work.
But could you PLEASE integrate a function so we can minimize to tray the Tor Browser (Windows) ? There was an extension before, but it stopped wortking...
Many thanks :-)
Patches are welcome.
Patches are welcome.
I understand from some users
I understand from some users above that using TAILS would offer better security, however, while using TAILS, i noticed that there is no default bridges such as OBFS4, scrambleSuit, etc. The only option that they gave was to add in your own protocol and for the non-tech savy, we wont know how to use it. Thus, wont TAILS's NON-Bridged traffic be easier to identify?
If you're worried about the
If you're worried about the situation where some adversary is trying to identify your traffic (i.e. learn whether you are a Tor user), then using the default bridges is probably not a wise plan for you -- they can look for traffic to those known IP addresses, even if it's hard to do Deep Packet Inspection on the traffic flows themselves.