Tor Browser 6.0 is released

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean better support for HTML5 video on YouTube, as well as a host of other improvements.

Beginning with the 6.0 series, code signing for OS X systems is introduced. This should help our users who had trouble getting Tor Browser to work on their Mac due to Gatekeeper interference. Bundle layout changes were necessary to adhere to code-signing requirements, but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are potentially harmful in a Tor Browser context.

On the security side, this release makes sure that SHA1 certificate support is disabled, and our updater no longer relies on the signature alone but also checks the hash of the downloaded update file before applying it. Moreover, we provide a fix for a Windows installer-related DLL hijacking vulnerability.
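As an added illustration (not Tor Browser's updater code), the hash check described above can be sketched like this: a downloaded update file is accepted only if its size and digest match the `hashFunction`, `hashValue` and `size` attributes of the `patch` element in the update manifest. The manifest, URL and file bytes are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Digest functions this sketch accepts; MD5 and SHA-1 are deliberately absent.
ALLOWED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed stand-in for a downloaded update (.mar) file.
SAMPLE_UPDATE = b"MAR1" + bytes(range(64))


def build_manifest(payload: bytes, hash_function: str = "SHA512") -> str:
    """Return a constructed update.xml describing `payload` (sample data only)."""
    digest = hashlib.sha512(payload).hexdigest()
    return (
        '<updates><update type="minor" appVersion="6.0">'
        '<patch type="complete" URL="https://updates.example.invalid/tb.mar" '
        f'hashFunction="{hash_function}" hashValue="{digest}" '
        f'size="{len(payload)}"/></update></updates>'
    )


def verify_update(manifest_xml: str, payload: bytes) -> bool:
    """Fail closed unless size and digest both match the manifest.

    This complements the signature check on the update file, it does not
    replace it. ElementTree is used for brevity; a manifest from the network
    should go through a hardened XML parser.
    """
    try:
        patch = ET.fromstring(manifest_xml).find("./update/patch")
        size = int(patch.get("size", ""))
    except (ET.ParseError, AttributeError, ValueError):
        return False
    digest_fn = ALLOWED.get(patch.get("hashFunction", "").upper())
    expected = patch.get("hashValue", "").lower().encode()
    if digest_fn is None or not expected or len(payload) != size:
        return False
    actual = digest_fn(payload).hexdigest().encode()
    return hmac.compare_digest(actual, expected)
```

The digest in the manifest is only as trustworthy as the channel that delivered the manifest, which is why it is checked alongside the signature rather than instead of it.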

A note on our search engine situation: Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has had no access to the Google search results that we used in Tor Browser. Disconnect, being more of a meta search engine that allows users to choose between different search providers, fell back to delivering Bing search results, which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation, we asked them to change the fallback to DuckDuckGo, as their search results are strictly better than the ones Bing delivers.

Update: We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

The full changelog since Tor Browser 5.5.5 is:
Tor Browser 6.0 -- May 30

  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Anonymous

May 30, 2016

first

Anonymous

June 02, 2016

In reply to by Anonymous (not verified)

I am getting an error right now, never had this problem before. Tor crashes right now, but worked a few hours ago.

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 45.1.1.0
Application Timestamp: 00000000
Fault Module Name: MSVCR120.dll
Fault Module Version: 12.0.21005.1
Fault Module Timestamp: 524f7ce6
Exception Code: c0000005
Exception Offset: 00013b0b
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033
Additional Information 1: 4d1c
Additional Information 2: 4d1ccb1f086e8f68af5ebd400b9240a6
Additional Information 3: a773
Additional Information 4: a7738b1c9bfdec77d1b26715e67e5bda

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Anonymous

June 04, 2016

In reply to by Anonymous (not verified)

After auto updating to version 6.0, TPB terribly slow, get to open only one first site, and then after a time. Then everything usually hangs. I use an old WinXP. Updating the TPB is disabled, and still the browser hangs. Firewall Comodo Free.

Anonymous

June 07, 2016

In reply to by Anonymous (not verified)

Tor 6.0 & the latest Beta (6.0a5) won't start. W10x64 Pro non-domain.
Have tried different folders, removed and re-ran but the browser just won't open. Disabling AVG makes no difference. Tried running as admin but didn't make any difference. Restarted system, removed FireFox and so on but still won't open. Some previous versions still work but could do with prominent links to previous versions as I don't like using a really old version.

Please, remove all security crappy software first. And check that its "drivers" were removed too. Then install a new copy of TBB to c:\ and test.

I have the same issue since version 6.0 came out. 6.1 is the same.

The older version 5.x ran fine. I even reinstalled 5.5 and it was fine until I let it update itself, then it wouldn't start.

Anonymous

June 08, 2016

In reply to by Anonymous (not verified)

Can you please provide a way to disable xpinstall.signatures.required again? This is really sad. I need to use two add-ons I know very well and cannot update to Tor 6.0 because of this. I understand that you focus on security but if the users know what they are doing, you should allow them to decide... Thanks in advance.

Anonymous

May 30, 2016

Oh, god. It's finally here. Guys, arm yourselves of cool and patience and prepare for the incoming horde of complaints about upstream changes. (I myself don't know what am I going to do with the new search bar nonsense...)

Anyhow, thanks a lot, Tor Browser team! :)

The addon Classic Theme Restorer has an option to revert to the old search bar (and to revert tons of other stuff to how they were before)

Thanks. I know about CTR and I use it on Ice Cat. However, I don't like to install extra addons on Tor Browser, especially so when we are talking about big addons, like CTR.

I think I might eventually try to extract just that feature from CTR and create a new tiny addon so that I can confidently put it in Tor Browser.

Dear SysOp :)
"too old title, but can't think of any thing else right now" :))

thanks for posting the link on my above comment,

Question, pls answer,,

case1, did u test/track the link and found its helpful to agree-to-post?
OR
2-just posting that comment as-is without testing?

what difference that makes!?

in case 1: to me it means (like) if the comment is "credited" from TBB for my behalf, and that site might mean even-better than what i thought,,
LoL
waiting.....,bye,

Anonymous

May 30, 2016

Thanks for this *awesome* job !

One thing: when restarting after upgrade, TorBrowser did not take care of the window size. ie: it started taking all my screen, and not the usual size.

Restarted TBB again, and everything seems fine.

Thanks again for this awesome number of fixes :o

*Important*

I think this new version (6.0) is dangerously giving away the user's screen resolution when JavaScript is enabled (the default behavior).

New behavior (you can easily test this on the console):

screen.availWidth
result = 1920

screen.availHeight
result = 1000

screen.width
result = 1920

screen.height
result = 1440

Old behavior (this is the "right behavior", where window size and screen resolution the same and standardized):

screen.availWidth
result = 1000

screen.availHeight
result = 1000

screen.width
result = 1000

screen.height
result = 1000

Juan Nada
0xA053222C47796683

You're right: real websites only can access the standardized Tor window size values. Only browser pages (like blank or about:tor) are showing the real resolution values.

That's one odd behavior compared to previous versions, but it is not giving away the resolution as I was supposing before. I checked with https://www.browserleaks.com/javascript

As unrelated notes:

  • Linux users still can be detected, although the default TBB userAgent string is set to Windows. Link: https://www.browserleaks.com/firefox
  • Connections to .onion websites are still marked as "Not Secure", as any other HTTP page.
  • Tor 6.0 is beautifully fast, stable and predictable.

Juan Nada
0xA053222C47796683

With High Security Level the experience is awful: no controls & timeline in player, timeline doesn't work, no way to enable/disable html5 video in NoScript menu, but it starts to play without permission!

Anonymous

May 30, 2016

anyway, thanks for this update..

thou,

can't figure-out privacy under "Tor enabled" (green icon), in compliance with NoScript + click to play!!
so tired playing mouse & cat with that combination!

disabling something will disable most unwanted-to,
as well as when..
enabling something will enable other most unwanted-to!

How to enable ALL scripts in every site WHiLE that WiLL NEVER run a Video/Audio .period.

never play V/A without intending-to (eg. click to play)...??!

thanks again..

Anonymous

May 30, 2016

which should mean a better support for HTML5 video on Youtube, as well as

You broke sound in youtube. Videos stop during playing (network problem), after pause video continues, but without sound. I need to reload the same video 10 times to get it played up to the end... This is just one of examples: https://www.youtube.com/watch?v=WSq7oxM_fyo However, I see this problem on most of videos. Previous stable TBB worked fine.

Linux amd64. I found one hack to repair sound: if it stopped (video then continues to play but without sound), just click on next timemoment (like plus few seconds in video), and then sound appears. Otherwise, video will be played after interruption, but without sound.

Hmm, with my settings it works fine, but if TBB isn't fast enough to load the next video chunk, then the video starts from the beginning.

Anonymous

May 30, 2016

Oh hell yea! This must mean that Subresource Integrity is now supported, since that came in Firefox 43. This means that webpage authors can hash any included CSS or JS and include the hash in the webpage. If the downloaded file has a different hash, the browser won't load it.

I agree... I wonder if anyone has looked at this Firefox feature (not TBB feature) from a user privacy perspective. It also seems like the sort of thing that could potentially be used to block NoScript surrogate scripts depending on where it's implemented.
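The Subresource Integrity check discussed in the two comments above, as an added example that is not part of the original thread or of Firefox's code: it follows the SRI specification's matching steps (parse the `integrity` value, keep only the strongest listed hash function, allow the resource if any digest for that function matches). The script bytes are constructed sample data, the function names are hypothetical, and the CORS eligibility step is not modeled.

```python
import base64
import hashlib
import hmac

# Hash functions SRI defines, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample resource body.
SAMPLE_SCRIPT = b"console.log('hello');"


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity attribute value a page author would publish."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def parse_integrity(attr: str) -> list:
    """Keep only well-formed tokens that use a supported hash function."""
    parsed = []
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        value = rest.split("?", 1)[0]  # options after '?' are ignored
        if sep and value and algo.lower() in STRENGTH:
            parsed.append((algo.lower(), value))
    return parsed


def sri_allows(attr: str, body: bytes) -> bool:
    """Decide whether a fetched resource may load under `attr`."""
    parsed = parse_integrity(attr)
    if not parsed:
        # Nothing usable (empty or only unknown algorithms): no check is enforced.
        return True
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    for algo, expected in parsed:
        if STRENGTH[algo] != strongest:
            continue  # weaker digests are ignored, preventing a downgrade
        actual = sri_value(body, algo).split("-", 1)[1]
        if hmac.compare_digest(actual.encode(), expected.encode()):
            return True
    return False
```

Any body that differs from the one the author hashed fails the comparison, whether it was altered in transit or substituted locally, which is the interaction with surrogate scripts that the reply raises.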