Tor Browser 5.5a5-hardened is released

We are pleased to announce the second release in our hardened Tor Browser series. The download can be found in the 5.5a5-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q) and NoScript (2.7). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes), isolated SharedWorkers to the first-party domain and improved our font fingerprinting defense.

On the usability side we improved the about:tor experience and started to use the bundled changelog to display new features and bug fixes after an update (instead of loading the blog post into a new tab). We'd love to hear feedback about both.

On the hardening side we are now compiling Firefox with -fwrapv. This flag defines signed integer overflow to wrap around in two's complement instead of leaving it undefined, which mitigates possible issues with that type of undefined behavior in Mozilla's code.
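To illustrate what -fwrapv changes, here is an added example (not code from Tor Browser or Firefox): a bounds check of the kind found in older C code that silently relies on signed wrap-around, next to a rewrite that is correct with or without the flag. The buffer size and requests are constructed inputs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Bounds check in the style of much older C code: it assumes that a signed
 * overflow in offset + len wraps around (two's complement) so that the
 * "end >= offset" test catches it.  Without -fwrapv, signed overflow is
 * undefined, so an optimizing compiler may legally assume it cannot happen
 * and delete the "end >= offset" test; with -fwrapv the wrap is defined and
 * the test behaves as the author intended. */
bool in_bounds_wrapping(int offset, int len, int bufsize)
{
    int end = offset + len;   /* overflows for large inputs */
    return end >= offset && end <= bufsize;
}

/* Portable rewrite: never overflows, so it is correct with or without
 * -fwrapv and at every optimization level. */
bool in_bounds_portable(int offset, int len, int bufsize)
{
    if (offset < 0 || len < 0 || bufsize < 0)
        return false;
    /* Both operands are non-negative here, so bufsize - offset cannot overflow. */
    return offset <= bufsize && len <= bufsize - offset;
}

int main(void)
{
    const int bufsize = 64;   /* constructed buffer size */
    /* Constructed requests: one ordinary and one whose offset + len overflows. */
    printf("ordinary    wrapping=%d portable=%d\n",
           in_bounds_wrapping(10, 20, bufsize), in_bounds_portable(10, 20, bufsize));
    printf("overflowing wrapping=%d portable=%d\n",
           in_bounds_wrapping(INT_MAX, 1, bufsize), in_bounds_portable(INT_MAX, 1, bufsize));
    return 0;
}
```

Compile once with `-O2` and once with `-O2 -fwrapv`: the portable check rejects the overflowing request either way, while the wrapping check is only guaranteed to reject it under -fwrapv.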

Tor Browser 5.5a5-hardened comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.

Note: There are no incremental updates from 5.5a4-hardened available this time due to a bug we detected while building. The internal updater should still work, though, by downloading a complete update.

Here is the complete changelog since 5.5a4-hardened:

  • Update Firefox to 38.5.0esr
  • Update Tor to 0.2.7.6
  • Update OpenSSL to 1.0.1q
  • Update NoScript to 2.7
  • Update Torbutton to 1.9.4.2
    • Bug 16940: After update, load local change notes
    • Bug 16990: Avoid matching '250 ' to the end of node name
    • Bug 17565: Tor fundraising campaign donation banner
    • Bug 17770: Fix alignments on donation banner
    • Bug 17792: Include donation banner in some non en-US Tor Browsers
    • Bug 17108: Polish about:tor appearance
    • Bug 17568: Clean up tor-control-port.js
    • Translation updates
  • Update Tor Launcher to 0.2.8.1
    • Bug 17344: Enumerate available language packs for language prompt
    • Code clean-up
    • Translation updates
  • Bug 12516: Compile Tor Browser with -fwrapv
  • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
  • Bug 15564: Isolate SharedWorkers by first-party domain
  • Bug 16940: After update, load local change notes
  • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
  • Bug 17747: Add ndnop3 as new default obfs4 bridge
  • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
  • Bug 17369: Disable RC4 fallback
  • Bug 17442: Remove custom updater certificate pinning
  • Bug 16863: Avoid confusing error when loop.enabled is false
  • Bug 17502: Add a preference for hiding "Open with" on download dialog
  • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
  • Bug 16441: Suppress "Reset Tor Browser" prompt
Anonymous

December 18, 2015


Hi gk

First off, your contributions to Tor are just awesome.

However as an end user, I am confused as to which version to download: the hardened or the non-hardened one?

Please advise.

P.S. Will using the hardened release break my computer as it might be too hard for my machine to take?...Just kidding.

At present there is no stable release of Hardened Tor Browser. Alpha releases have new features that can be buggier than stable. In a sense, it may have more security features but those features are more likely to fail.

Anonymous

December 18, 2015


Update from 5.0.5 FAILS.

Complains about other versions of Firefox.
Can't remove vanilla Firefox as I CAN'T access ALL websites with TOR.

Anonymous

December 18, 2015


Hello there!
Whatever you enabled in this version about the fonts, please enable it in the default release.

It seems like this release has some ClearType-like font rendering enabled by default.
I very much like it!

Anonymous

December 19, 2015


Nice

Hi,

I have recently noticed something very troubling with TOR, in terms of privacy protection.

I am using TOR with only the "out of the box" settings. Looking on the EFF's Panopticlick ( https://panopticlick.eff.org/ ), as I have done since I began using TOR, I used to get great results with their testing page, such as: out of their 6 million+ database, 1 in 217 browsers have my exact settings. Which meant over 27,649 other browsers / users looked like me. Now however, there are only 19 (nineteen) browsers that also look like mine. I always check Panoptic every time I get on TOR. It's my first stop every session, after verifying that I am in fact using TOR.

However, as of yesterday (and I haven't been on TOR in a few weeks, so not sure when it would have started), Panoptic says my browser has a "nearly unique" fingerprint.

None of my settings have changed, I always deny canvas requests, I'm using TAILS 1.8 (1.7 when Panoptic did this the first time), and I never resize my browser window.

So, what gives? I have tried the tool across multiple sessions, new identities, etc., always the same "nearly unique" fingerprint results. Some sessions produced results that were more unique than others. Sometimes TOR will block invisible trackers, other times only partially.

Would love to hear anyone's thoughts about this. Is it an issue with multiple different TOR nodes? I realize this is not the be-all, but it *is* a marked and troubling result, especially considering this started within mere days of the EFF's Shari Steele coming on as TOR's new executive director. I am not pointing any fingers at Ms. Steele, TOR, the EFF, or anyone else for that matter. I simply find it very concerning. Try Panoptic for yourself (as I said, I'm using TAILS), see if you get the same results.

Here is a paste of what I got a moment ago:

A RESEARCH PROJECT OF THE ELECTRONIC FRONTIER FOUNDATION
DONATE
Is your browser safe against tracking?

How well are you protected against non-consensual Web tracking? After analyzing your browser and add-ons, the answer is ...

Mixed results: you have some protection against Web tracking, but it has some gaps. We suggest re-configuring your protection software, or consider installing EFF's Privacy Badger.
Install Privacy Badger
and Enable Do Not Track

Click here for Chrome version
Test Result
Is your browser blocking tracking ads? ✓ yes
Is your browser blocking invisible trackers? ⚠ partial protection
Does your browser unblock 3rd parties that promise to honor Do Not Track? ✗ no
Does your browser protect from fingerprinting? ✗
your browser has a nearly-unique fingerprint

Note: because tracking techniques are complex, subtle, and constantly evolving, Panopticlick does not measure all forms of tracking and protection.

Within our dataset of several million visitors, only one in 310732.4 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 18.25 bits of identifying information.

Different versions have different fingerprints. Give some other users a chance to check out Panopticlick and your rating will get better.
With that said, this is an alpha version of Tor Browser. It's likely to not have as many users as stable, and is a platform to experiment with new features that may have unintended side effects.

Downloaded the latest version and this is what I get when I try to run it on OS X Yosemite:

"The application “TorBrowser.app” can’t be opened."

It was working fine before the update.

What version are you talking about (+ which locale)? The hardened series is Linux 64bit only currently.

I downloaded the Mac version from here: https://www.torproject.org/download/download-easy.html.en#mac

I just tried it again with the same result.

okay

>The banner is visible on the about:tor page and features either Roger Dingledine, Laura Poitras or Cory Doctorow which is chosen randomly.

How do I disable it? This is similar to the Wikipedia man with huge eyes; I worry about this type of banner.

about:config
extensions.torbutton.donation_banner.shown_count -> 99999

Thank you, huge eyes disappear :)

...which PGP/GPG sig are we supposed to use for this?

Is tor browser hardened supposed to hog up a lot of RAM?

Seems to release very little memory although I kill some windows?

The longer I run it the less RAM I have left.
Is there some kind of memory leak?

It ran me dry on RAM and I have no swap, so it froze up my system.

Am now running a program monitoring RAM; seems like available mem
is steadily going down.

Yes, Address Sanitizer is supposed to use a lot of memory. The exact overhead is tricky to determine, but up to 3x the amount of stack memory has been reported.

That said I was wondering the same as you and tried to look at this problem a while ago, alas with no definite results. I have opened https://bugs.torproject.org/17925 to collect all the findings and keep this on the radar.

Is it safe to use the hardened version or is it not recommended?

Is it normal or OK for Tor Browser to maintain the same entry node all the time? I have noticed that my entry node has been persistently the same node (same IP address) no matter the time of day or if I request a new Tor server node. I find this troubling.

Anonymous

January 02, 2016

In reply to a comment by arma


The FAQ talks about multiple nodes, not a single one that monitors us for a long (how long actually?) period of time.