Tor Browser 6.0 is released

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean better support for HTML5 video on YouTube, as well as a host of other improvements.

Beginning with the 6.0 series, code signing for OS X systems is introduced. This should help our users who had trouble getting Tor Browser to work on their Mac due to Gatekeeper interference. Changes to the bundle layout were necessary to adhere to code signing requirements, but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are potentially harmful in a Tor Browser context.

On the security side, this release makes sure that SHA1 certificate support is disabled, and our updater no longer relies on the signature alone but also checks the hash of the downloaded update file before applying it. Moreover, we provide a fix for a DLL hijacking vulnerability related to the Windows installer.
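
The hash check described above, sketched as an added example (this is not Tor Browser's updater code). It assumes update.xml follows Mozilla's update manifest layout, where each patch element carries hashFunction, hashValue and size attributes; the manifest, URL and payload are constructed, and the separate signature check on the update file is not shown.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Digests this example accepts for the manifest check (an assumption).
ALLOWED = {"SHA512": hashlib.sha512, "SHA256": hashlib.sha256}


def patch_entries(update_xml):
    """Return the attributes of every <patch> element in an update manifest."""
    root = ET.fromstring(update_xml)
    return [dict(p.attrib) for p in root.iter("patch")]


def verify_download(data, patch):
    """Check downloaded bytes against one manifest <patch> entry.

    Returns (ok, reason). Any failure means the file must not be applied.
    """
    func = patch.get("hashFunction", "").upper().replace("-", "")
    if func not in ALLOWED:
        return False, f"unsupported hashFunction {func!r}"
    try:
        expected_size = int(patch["size"])
        expected = bytes.fromhex(patch["hashValue"])
    except (KeyError, ValueError):
        return False, "malformed size or hashValue"
    if len(data) != expected_size:
        return False, "size mismatch"
    actual = ALLOWED[func](data).digest()
    # Constant-time comparison of the two digests.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "ok"


def make_manifest(payload, func="SHA512"):
    """Build a constructed sample manifest describing the given payload."""
    digest = hashlib.new(func.lower(), payload).hexdigest()
    return (
        '<updates><update type="minor" displayVersion="0.0-example">'
        '<patch type="complete" URL="https://example.invalid/update.mar" '
        f'hashFunction="{func}" hashValue="{digest}" size="{len(payload)}"/>'
        "</update></updates>"
    )


if __name__ == "__main__":
    good = b"constructed update payload"
    patch = patch_entries(make_manifest(good))[0]
    print(verify_download(good, patch))              # intact download
    print(verify_download(good[:-1] + b"X", patch))  # same size, altered byte
    print(verify_download(good + b"!", patch))       # appended bytes
```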

A note on our search engine situation: Lately, we have received a couple of comments on our blog and via email asking why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has had no access to the Google search results which we used in Tor Browser. Disconnect, being more of a meta search engine that allows users to choose between different search providers, fell back to delivering Bing search results, which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation, we asked them to change the fallback to DuckDuckGo, as their search results are strictly better than the ones Bing delivers.

Update: We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

The full changelog since Tor Browser 5.5.5 is:
Tor Browser 6.0 -- May 30

  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Anonymous

June 01, 2016

Thank you for CTRL+SHIFT+L !!!!!!!!!!!!!! :DDDDDDDDDDDDDDDD
Now maybe getting a new circuit to bypass Cloudflare & co will be less annoying.

Anonymous

June 01, 2016

Automatic update from 5.5.5 doesn't work. It says that there was an error (doesn't say which) and says to download from the website.

Anonymous

June 01, 2016

Tor browser now fullscreens itself rather than keeping to a standard size for greater anonymity.

I imagine this isn't seen in most common setups (unless it's a deliberate change). But I'm using a tiling WM (XMonad), and the behaviour I have always seen before is TB keeping itself to those fixed proportions to the left of the screen. If you start moving "tiles" about, it ends up losing track and fullscreening itself, but not if left alone. Now with 6.0, it is always fullscreen, though it does briefly display the initial tab at the smaller size on first opening, just for a split second before expanding to fill the whole screen.

We did not change anything regarding that particular code. I guess there are some underlying changes Mozilla did that are causing this. Could you open a ticket on trac.torproject.org so that we can investigate this? Thanks!

Anonymous

June 01, 2016

When I updated and restarted Tor, AVG Free Edition blocked and quarantined Trojan horse inject3.ASKH coming from Tor Browser. Anyone else have this situation?

Anonymous

June 01, 2016

Duckduckgo is owned by Gabriel Weinberg who earlier ran the site The Names Database, a community portal created for the purpose of data mining.

The Names Database was exceptionally underhanded in that it did not mine only its users, but offered them community perks if they exposed personal information of friends and relatives who could then be profiled with no say of their own.

If anyone thinks his stripes have faded you only have to look at his profile here, where he lists himself as a current board member of Locality, which is a company that by its own words specializes in user data mining.

https://angel.co/yegg
https://angel.co/locately

I doubt I need to explain why integrating the platform of a current data miner, with a history of unethical practice, in a suite intended for user privacy is a really bad idea. Your data simply is not safe in the hands of this person.

Anonymous

June 01, 2016

How can I set an ExitNodes country code in the Mac OS X version of Tor 6.0? The torrc file apparently is no longer in the app bundle so where does Tor 6.0 look for torrc assuming torrc is still supported on a Mac? Or is there some other way of doing this now?

Anonymous

June 01, 2016

cannot set the "extensions.brief.homeFolder" for Brief addon
even if I set it manually from the "about:config", cannot set the integer more than "5"
!!!!!!!!!!!!!!!!!!!!!

It worked normally on ver 5.5

Anonymous

June 01, 2016

When downloading this version of Tor, it started out as having 7 min left to finish downloading and then started climbing up to 15 mins left. Why would it do this? I have fast internet service.

Anonymous

June 01, 2016

I used to be able to use a version of Tor on a flash drive and carry it across computers (IE: copying it to my work computer) and all my preferences (No script whitelist, addons, etc) would remain. Now, it behaves like a clean install every single time. It's VERY annoying/time consuming.

Hard to tell what is going wrong. Could you open a ticket in our bug tracker (trac.torproject.org) giving us some details on what worked and what is broken now so that we can investigate further? Thanks!

If this is OS X, this is no doubt because of the hasty decision to move profile files to Application Support folder vs having them in the Application itself simply to satisfy Gatekeeper which is easy for an attacker to bypass anyway.

Just an FYI: It only puts it in the application support folder if you put Tor in the Application folder. If you put Tor anywhere else (IE: a flash drive or the Desktop - which I do for a portable Tor browser and at work), it creates the data file in that directory - which makes it easy to find later for deleting purposes.

I wouldn't mind this change if they provided an easy way for me to point to the location of the profile information as I copy/paste tor.app across computers. But, as far as I could find, that doesn't exist right now.

A messy work-around:
1) Open the DMG and put Tor.app in the file you want it (I used my flash drive for this)
2) Open it so that it creates the TorBrowser-Data file
3) Set up Tor as desired
4) On new device, open DMG and put Tor.App in file you want
5) Open it so that it creates the TorBrowser-Data file
6) Quit Tor
7) Copy files from TorBrowser-Data file old device to same folder on the new device.
8) Open Tor (and your settings should all be there).

This is a messy fix (for some reason, some of my NoScript settings went a little wonky), but not as time consuming as how I had to do it before.

I'd love to do that, but it keeps rejecting my registration as spam no matter what browser I use.

So here are additional details:
All computers running OSX 10.9.5

Under 5.5.5 and earlier, I could save Tor.app to whatever folder I like, set up all my preferences/addons (IE: ghostery, adblock plus, disconnect for social media, bookmarks, etc) load addon specific details (IE my noscript whitelist) and then exit out of Tor, copy the Tor.app to a flash drive and then either use Tor from the flash drive, or copy it to other computers as needed with all preferences/settings intact.

Now, even if I copy the Tor-Data folder along with the Tor.app to a flash drive, Tor always behaves as a 'clean version', so I have to reload all these preferences for every individual computer.

I figured that was because the data was unpackaged from the rest of Tor (as mentioned in the bug fixes), but then I didn't see a place where I could easily change the setting in Tor to point to the location of the "Tor-Data" file.

It would be nice to know all file locations for version 6.0 vs 5.5.5 in OS X. If you uninstall version 5.5.5 by removing the .app file is there anything else to remove before installing 6.0 to achieve a clean install?

For 5.5.5, removing the .app folder should be enough.
For 6.0, you also need to remove the TorBrowser-Data folder which will either be next to the .app or, if you place the .app bundle in /Applications, it will be at ~/Library/Application Support/TorBrowser-Data.

With Tor Browser 6.x on Mac OS, if you move or copy the TorBrowser-Data folder and make sure it is next to TorBrowser.app, the browser profile, Tor data, and other settings should be used. It works for me. The data folder name is important; you should not rename it.

This doesn't work across file systems.
My work computer profile is "TorWork", then the file structure is Torwork/...

My Home computers are Mini/...
Laptop/...

My flash drive is Flash/...

The only way to get Tor to copy/paste somewhat cleanly across systems is how I described above. Just copy pasting Tor.app and Tor-Data wasn't good enough. Tor.app is somehow linked to how it creates Tor-Data.

Anonymous

June 01, 2016

Terrible. I clicked to update, it got to the connecting to the Tor network and it did nothing for 3 hours. I exited and now cannot access the browser at all. I then downloaded the new version and when I click to install it freezes Windows Explorer. I have to manually restart that process. The browser is unusable now when it was perfect. Now it sucks and reminds me of IE.
I am running Windows 8.1 No error messages nothing. Just does nothing.

If anyone has any ideas? I am open to suggestion.

Do you have any antivirus/firewall software running on your system? The symptoms you mentioned fit well with such software trying to protect you and, while doing so, interfering with Tor Browser. If so, could you uninstall it for testing purposes (disabling is often not enough)?

Anonymous

June 01, 2016

I've searched some and don't see where the 'maximize' issue was resolved. Can someone say whether maximizing is a fingerprinting risk now or not?

Also does using fullscreen mode (F11) represent a risk?

>I've searched some and don't see where the 'maximize' issue was resolved.

It cannot be resolved easily. My guess is that it would require the rendering engine itself to be thoroughly changed, something Tor Browser devs are not very likely to do. If you want a more precise answer, be more precise yourself about what you mean by "maximize issue".

>Can someone say whether maximizing is a fingerprinting risk now or not?

It has always been and it continues to be.

>Also does using fullscreen mode (F11) represent a risk?

Yes.

Read: https://www.torproject.org/projects/torbrowser/design/ . In particular the section "7. Monitor, Widget, and OS Desktop Resolution" under "Specific Fingerprinting Defenses in the Tor Browser".

Anonymous

June 01, 2016

channel-prefs.js: pref("app.update.channel", "alpha");

I set it to alpha from stable a few months ago because I want to use the latest version possible.
So should I switch back to "release" to receive this update?

I'm expecting alpha gets alpha and release (latest as possible) versions; if not, please consider it.

Anonymous

June 01, 2016

This is giving me quite a headache...how do I update TOR within TAILS os? Any help would be GREATLY appreciated.

Anonymous

June 02, 2016

tbb 5.5.5 disappears (crashes) without error message by clicking a specific website
os: win7 sp1

Anonymous

June 02, 2016

Shumway doesn't support proxy settings? Maybe that should be addressed with Mozilla's devs?

Anonymous

June 02, 2016

Version 6.0 is Garbage! Not only does it not even open (stays stuck on ''Connecting to the Tor network'') but now I cannot even get older versions to work, as the same problem happens with version 5.5, when before it was perfectly alright!

Are you guys working for NSA/GCHQ and trying to screw us over by coming up with this ''upgrade'' which doesn't even work to force us to use Firefox/Internet Explorer?...

Otherwise what on Heaven's sake is going on here?? I have just wasted another hour trying to get this Demonic thing to work for NOTHING...I'm FED UP!!!!!

Maybe your local antivirus/firewall software got an update and is now blocking both versions? Tor Browser is self-contained and does not mess with older/other versions. Even if 6.0 would not work this would not impede 5.5. Thus, there is a different thing wrong on your computer.

Anonymous

June 02, 2016

New error in TBB6.0:

When you try to see the page source (right click -> View Page Source/View Selection Source), the browser opens a new tab
with the source, e.g. view-source:https://blog.torproject.org/blog/tor-browser-60-released

view-source:data:text/html;charset=utf-8,%EF%B7%90If%20you%20can%20wait%20a%20couple%20of%20day%EF%B7%AFs%2C%20next%20week%20will%20be%20a%20new%20alpha%20available.2Fp>