Tor Browser 5.5a5 is released

A new alpha Tor Browser release is available for download in the 5.5a5 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q) and NoScript (2.7). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes), isolated SharedWorkers to the first-party domain and improved our font fingerprinting defense.

On the usability side we improved the about:tor experience and started to use the bundled changelog to display new features and bug fixes after an update (instead of loading the blog post into a new tab). We'd love to hear feedback about both.

Tor Browser 5.5a5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features either Roger Dingledine, Laura Poitras or Cory Doctorow which is chosen randomly.

Here is the complete changelog since 5.5a4:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update Torbutton to 1.9.4.2
      • Bug 16940: After update, load local change notes
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Translation updates
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 16441: Suppress "Reset Tor Browser" prompt
  • Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
  • OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
Anonymous

December 18, 2015

Permalink

Fonts have long been one of my worst measurements on panopticlick. I always wondered why Tor Browser doesn't just bundle the most common ones and ignore all of the system installed fonts.

Anonymous

December 18, 2015

Permalink

Hooray, you fixed bug #13819! This basically prevented me from using standalone Tor on Windows (for usability reasons). Now I can get Tor up and running the way I like again, thanks so much for the awesome new release!

Anonymous

December 18, 2015

Permalink

i'll share [Later] a-long-ago bug.. but i think it's on Mozilla's Firefox core not Tor's :)

when you agree about it with me.. then u'd be able to contact them to fix it, cuz it might be faster to get response from'em than me :)

Contrary.. that bug not showing in ie.. and it's the only good thing found by M$'s-IE
:))

Later..

Hi All,
That's me who -above- wrote about that "funny" bug,
& will continue as promised :)

it's simple!

you'll click a link.. or (icon) that you can't copy its address..

.. in ie, while page is -trying- to load but otherwise you'll press ESC to stop it before it is fully/partially loaded ..

then y'd be able to see -instantly- the address that ie intend to open!

it can be copied to use for any other reason..

say, you want to open it with Tor Browser :) .. for example..

NOW you got the whole picture..
Right?

So, WHY firefox not doing the same..

while page is -trying- to load but otherwise you'll press ESC to stop it before it is fully/partially loaded ..
>>> NO MORE ADDRESS..

nothing, just about:blank!

FF passed above ver40's and they seem to never notice/care about that 'shameful' bug!

it's OUR right to now where a link is taking us to while a new tab or page is trying to load!

isn't it?

Please do something in your NEXT release of Tor browser to solve this..

OR contact Mozilla if it's a core-thingy..

also, thank you for posting above notice 2 days ago.. that -internally- has nothing other than just a promise..
and i did it..

bye for now..

Anonymous

December 19, 2015

Permalink

this may not matter but I have a question about google I lost my password and tried to recover my google email acct, now they want to know my browser I use (which is tor) and when and where I sign onto and my internet provider...all I did was forget my password and now I feel like I am living in a third world country, really no privacy google?

Yes eventually, but probably not until around the time 38 goes end-of-life.

The Tor Browser developers balance their time between fixing longer-term privacy issues in the browser, and fixing shorter-term bugs and mis-features that Mozilla put in to try to keep up with Chrome, etc in the browser arms races.

I imagine sometime in January or February, one of them will start working on the master list of all privacy and security disasters that are new in ESR 45 (or maybe they already made this list? I haven't been keeping track), and then they'll slowly work their way through it, finishing about the time that they're forced to upgrade since ESR 38 is getting dropped.

More resources (read: money and developers) would let them do it in a less frantic time table. Another thing that would help a lot is for Mozilla to believe that privacy is important -- important enough for them to merge the Tor Browser fixes into Firefox itself. This part is happening, but slowly.

Anonymous

December 30, 2015

Permalink

Hello tbb,

Ive noticed that the tor circuit bug still do exist. After prolong use with multiple tabs, the circuit map still does disappear.

Thanks!