Tor Browser 6.0 is released

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean a better support for HTML5 video on Youtube, as well as a host of other improvements.

Beginning with the 6.0 series code-signing for OS X systems is introduced. This should help our users who had trouble with getting Tor Browser to work on their Mac due to Gatekeeper interference. There were bundle layout changes necessary to adhere to code signing requirements but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are rather potentially harmful in a Tor Browser context.

On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.

A note on our search engine situation: Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers.

Update: We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

The full changelog since Tor Browser 5.5.5 is:
Tor Browser 6.0 -- May 30

  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Anonymous

May 30, 2016

Permalink

Fantastic, but Avast Antivirus cosiders Tor malware and is blocking it...

AVG did the same and is labeling tor browser 6.0 a Trojan horse. Completely deleted tor browser with all my bookmarks/settings...

I use Avast free 2016 and no virus warning even though the settings I use will give more false positives. In the past Avast did sometimes considered Tor to be malware but that was not often.

Anonymous

May 30, 2016

Permalink

Tangentially related to Tor upgrades: If anyone from Agora is reading this, thousands of people are begging for your return. Even if you can't come back right now but still have plans, we beg of you to make a single Reddit post giving a timeline. Please!!!

And kudos to the Tor team as well for all their hard work, of course. :-)

Anonymous

May 30, 2016

Permalink

It was about 160MB before updating and now 217MB. Is it normal? Updated using auto-updater.

gk, updater.exe leaves updater.mar (33 MiB) in folder, and no update history is shown (but it is in updates.xml). Looks like update process stalls at NS_main: unable to remove directory: tobedeleted, err: 41

Thanks for the info,
may you please pin-point (without much details)
what risk in using TBB +W10?!

Thought TBB will "isolate" us from ANY risk.. no matter WHAT OS is!

Right?

OK, ThanksAgain :)

note; if anyone aware what this user is talking about, then pls enlighten us,..
(( that if he didn't answer "for any of his own reasons" ))

it is closed source os. only ms knows how much holes they insert to satisfy nsa friends. remember microsoft icons bug?
"Thought TBB will "isolate" us from ANY risk.. no matter WHAT OS is!" - where did you get such a strange ads?

LoL,,
"isolate" huh!
remember when waving 2 fingers in each hand?
to resemble the 2 above marks!

although, TBB -alomost- "isolate" us,
BUT still --truly-- it is (&will be) far better than closest comparative.

&the best above ALL: it's FREE..
&works for any OS that you may think of,,
nuf ADS ;)

Sure, Tor Browser on Windows 10 is rather pointless for most use cases of tor.

...How exactly is a VPN any better? You're still going to leak the same info. If you've got to use Windows 10 securely, I'd suggest using it behind a firewall that blocks access to most/all of Microsoft. Then you can use Tor Browser without fear (at least from Win10's tracking.)

Which kind of firewall/anti virus software are you running? Could you uninstall it for testing whether it is interfering with Tor Browser (which is the likely cause of your problem)?

Anonymous

June 02, 2016

In reply to by Anonymous (not verified)

Permalink

I am getting error, Tor Browser crashes on bootup. Di with update and fresh install of 6. Windows 7 here

Anonymous

May 31, 2016

Permalink

6.0a5 doesn't auto-update to this, I assume this is by design, different channel?

Or will there be an update available to that browser soon? Either to 6.0 or other?

Thanks for this release.

Heh, gk, it's worth mentioning that it's better to update alpha channel first (even with new stable when you do it without new alpha) to avoid stupid questions like this ;)

Anonymous

June 04, 2016

In reply to by Anonymous (not verified)

Permalink

And the hinting is quite a lot better in the top picture (uniform stem widths, smoother curves, symmetrical characters are symmetrical), not to mention the color fringes due to overexaggerated subpixel effect in the bottom picture. So I'm not seeing a problem here.

Anonymous

May 31, 2016

Permalink

When making audio/video elements click-to-play (medium-low settings and higher), and loading such an element directly, the resource starts loading and after a short period gets blocked by noscript.

This is a regression from previous versions, no?

that explains what "sufferings" my limited-internet-package will face!

i don't mind if it's direct -unlimited- DSL connection,
search my above comment (Cat) & (mouse) game :)
this update seems "great"
thou, preferred previous TBB

Anonymous

May 31, 2016

Permalink

TBB6.0 has an error, TBB5.5.5 has not:

i can customize a lot -set/unset Preferences,about:config- in TBB6.0, but when i erase

identity.fxaccounts.remote.webchannel.uri;https://accounts.firefox.com/

the Customize menu, for drag and drop Tool/Feature-icons, is blank.
Please fix it.

Anonymous

May 31, 2016

Permalink

Is there currently no way to view my cookies?

Tor Button used to have a nice list where I could "protect" certain cookies and have them last across sessions, while others were ephemeral. Is that feature gone for good?

Also, recent previous versions of Tor Browser have no had a "show cookies" button in the standard place firefox does (unless I'm mistaken?) but this new version does have the button. Unfortunately, it shows a window with no cookies.

This is particularly misleading! Many Tor Browser users I've talked to assume that Tor Browser completely "disables cookies". Showing them an empty list of cookies reenforces this incorrect belief.

Thanks for all your hard work! Other than the cookie thing this seems like a great release.

From the same site I get 1 in 1000 +/- on a Win7 system, which is slightly worse than 5.5. I am back to 10+ bits from 7... something on 5.5. I do understand that this is not an absolute benchmark for anonymity neither do I know exactly what causes the measure to go up or down, or even if EFF has retained the same benchmark measures it used 1-2 months ago.

why would anyone here enjoy having to identify themselves with their email to post anythin, especially on a site that it refuses post even when a REAL email is used?

You go post this answer because your system wouldn't let me!

"When 5.5 and 5.5.5 came out I updated within hours or less and went to panopticlick and I was amazed at the improvement. I must have been one of the first few and it was down to 5xx something. With 6 it is more than double. I redownloaded 5.5.5 again and it is still the same rating I got back ... a month or more ago. So your theory does not hold water. eff can't tell what browser you are using in specific just a version of FF and your OS.

One thing to watch for is your plugins, most will reveal identity information (identifiers) which group you with users with same FF plugins.

Based on the same use though why would 6 be inferior to 5.5.5?"