Tor Browser 6.0 is released

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean a better support for HTML5 video on Youtube, as well as a host of other improvements.

Beginning with the 6.0 series code-signing for OS X systems is introduced. This should help our users who had trouble with getting Tor Browser to work on their Mac due to Gatekeeper interference. There were bundle layout changes necessary to adhere to code signing requirements but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are rather potentially harmful in a Tor Browser context.

On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.

A note on our search engine situation: Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers.

Update: We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

The full changelog since Tor Browser 5.5.5 is:
Tor Browser 6.0 -- May 30

  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Torbutton INFO: tor SOCKS: https://blog.torproject.org/blog/tor-browser-60-released via --NoFirstPartyHost-about-blank--:0
Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via --nofirstpartyhost-about-blank--:0
getFirstPartyURI failed for view-source:https://blog.torproject.org/blog/tor-browser-60-released: no host in first party URI view-source:https://blog.torproject.org/blog/tor-browser-60-released

Anonymous

June 02, 2016

Permalink

Every time I try to install this update, it breaks the whole browser. I can't run it without downgrading to 5.5.5 and I don't think that's a good idea to be doing...

I have every single executable file whitelisted in my AV as well, but still no dice

Anonymous

June 03, 2016

Permalink

Regrettably this update slows down the browser speed immensely... i dont know why but still it does... went back to an old version....

Anonymous

June 03, 2016

Permalink

Flawless as usual on a updated debian, so how can you guys sound
so outraged after each update when really you should focus on
the operating system or should i say barely operating system tor is
laying over.
As for network speed (was "i can't play flash player" before), keep on
advertising for a regression to previous versions, try to advocate for
keeping Xp with vidalia's versions you'll look more genuine.

To the builders : keep on rocking ! From Paris with love.

Yep. Never had any of the problems some people complain about here on every freaking release.

Braindead windoze useds? 3-letter agency shills? Whatever.

Anonymous

June 03, 2016

Permalink

I am using windows 10 and since updating TOR won't even start. Nothing at all seems to be happening.

Using Windows Defender & Windows Firewall, so have turned off but still nothing.

Anonymous

June 03, 2016

Permalink

Could u make a video tutorial to teach us installing Tor and establishing Obfs4 bridge on CentOs vps?Please

Anonymous

June 04, 2016

Permalink

That updates changed something bad. I used a cpanel for a website I manage, but as of the 6.0 update, I'm auto-disconnected in a blink. I've read about cookie-related issues, has this updates changed somethings on this end ?

Anonymous

June 04, 2016

Permalink

I have just installed version 6.0 (again!).

When I do a check with ip-check info I get “You are using Tor, but your browser profile differs from the recommended”. It gives an orange rating for Signature and a red one for User-Agent. This happens even after re-installing three times.

With version 5.5.5 both of these were ‘green’.

Please help.
Thanks

Anonymous

June 04, 2016

Permalink

How to edit search providers in the package?

Disconnect is broken and DDG is unusable for latency reasons.

Please help :)

Anonymous

June 04, 2016

Permalink

I installed tor 6.0. After that I found that the first connection is always to same IP address (23.254.166.222) even if I try to create a new tor circuit. Is this some new feature and is 23.254.166.222 tor project's own node server?

Anonymous

June 04, 2016

Permalink

Won't open, removed antivirus and still won't open.

Downgraded to old version, network seems to lose connections if not regularly used (timeout issue?) new identity and new circuit for this website now no longer work in old version.

Anonymous

June 05, 2016

Permalink

What is this 23.254.166.222 in Tor circuit? I cannot avoid it whetever I'm doing. Is Tor secure any longer?

Anonymous

June 05, 2016

Permalink

when i am open chat cam show to me:
(video format or MME type is not supported)
how can I solve this?
thank you

Anonymous

June 05, 2016

Permalink

Facebook and Twitter are censoring free speech, Bloomberg reported in an article which downplayed what’s really going on: the hijacking of the Internet to destroy national identity, culture and the free exchange of ideas in favor of an 1984-style virtual superstate.

i do agree.
give a try to diaspora.
a lot of site propose to let you posting but they do not publish your comments.
mailing-list are also in this case.
1984 was about a brutal state which opium & diamonds were the goals and have free servants were the gift, a virtual state is a commercial deal where the goal is to be on the right side (a silence for an agreement) : the others will not survive in a good condition.

Anonymous

June 05, 2016

Permalink

Tor 6.0 exit nodes instability? Irregular jumping between nodes within two seconds?

Anonymous

June 06, 2016

Permalink

I must say that I have ever increasing problems with running tor browser in a transparent proxying environment. Short list:

* Having a tor update installed without being asked beforehand
* than Tor browser doesn't start until I delete the launcher plugin manually
* afterwards I am not able to open torbutton network settings
* onion addresses do not work anymore, although AutoMapHostsOnResolve is set to 1, and they work with wget.

I understand that the team focuses on average users deploying torbrowser out of the box, but all the other use cases shoudn't just be fully ignored!

You can disable the auto-updater if you want. That said filing issues on our bug tracker (trac.torproject.org) might be a smart move as we are otherwise not aware of the problem or forget about it. Once that is done working on a patch might speed up solving your problem considerably. So, no, there is no ignoring going on. It is just that we are not enough to fix all the bug reports we get. :(

Oops, good idea to use the bug tracker. :)

By the way, for anybody who reads this: .onion addresses can be (re-)enabled by setting

network.dns.blockDotOnion to False

and thanxxx!!! for all your excellen work!

Anonymous

June 07, 2016

Permalink

I don't know if anyone else is having this problem but tor seems to be stuck on the 'example.com' page when i try to look at any sites circuit. It just says example A, example B example C instead of the IP's and countries. any help would be greatly appreciated.

Anonymous

June 07, 2016

Permalink

Among other problems I've never had before with tor the amount of identifying information that comes out of 5.5.5 is a fraction of what is in 6. This has been the first backwards step in this direction I know. I have gone back to 5.5.5 and disabled updates (irritating) in both win and linux64 and I am waiting for a better version in the future.

Why isn't there some feedback on all the complaints listed here.

When I use panopticlick.eff testing 5.5.5 shows 1 of 204 browsers and 6 show more than a 1000

But now I am noticing another problem, as I turn off updates in preferences adanced update the update still happens when it is left idel for a while

Anonymous

June 07, 2016

Permalink

It seems there is no way to block updates anymore, unless a firewall blocks torptoject

The new update 6.01 is even worse than 6 and reveals twice as much bits of identifying information to https://panopticlick.eff.org than 5.5.5 did.

Do you guys have any clue of why this is happening. Maybe there is something in ff that reveals more identifying info?

Yes, the problem is the Panopticlick test. It is not suited for the things you want to get tested. You want to know how identifiable you are in the Tor Browser crowd. Not how identifiable you are compared to Internet Explorer or Firefox etc. And not how identifiable you are compared to older browser versions.

And, sure, you can disable automatic updates if you really want to in your browser. But it not advisable doing so.

Anonymous

June 07, 2016

Permalink

Where can I find the old 5.5.5 version?

I used to have it until Tor automatically updated to 6.0 and now Tor won't open. And I see am not the only one with this problem.

Should we wait for a 6.0.2 version to fix the unintended consequences of 6.0?

We don't have found a single Windows system where we could reproduce the problem. Our guess is that there is still software running on your and other Windows users' computer that is responsible for this. That said we have https://trac.torproject.org/projects/tor/ticket/19334 to investigate this trying to find out what is going on. It would be much appreciated if you or other Windows users affected by this could participate there and test bundles we make. Thanks.