Tor Browser 6.0.3 is released

Tor Browser 6.0.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 45.3.0esr. Additionally, it bumps NoScript to 2.9.0.12, HTTPS-Everywhere to 5.2.1, disables asmjs, removes meek-google and contains a few other bug fixes.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Update (August 11, 10:04 UTC): Starting from a couple of hours ago Tor Browser users might see a notification box in their browser claiming that Firefox is too old providing a button to get a newer one. This is both due to a server-side code change on Mozilla's side and an oversight by us during the ESR45 transition. Clicking on the "Get Firefox" button is safe and leads the user to our Tor Browser download page. Needless to say, this whole behavior is highly confusing and we apologize for it. We are working on a fix as quickly as possible and hope to get Mozilla to exempt Tor Browser users from this feature while we are working on a new release. For technical details see our bug tracker.

Here is the full changelog since 6.0.2:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Torbutton to 1.9.5.6
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined
Ferri

August 03, 2016

In reply to by Anonymous (not verified)

Permalink

Thanks

Actually, Tor tools>options>advanced>updates already has dashboard options available as in:

"Automatically install updates (recommended: improved security)"

Or

"Check for updates, but let me choose whether to install them."

Or

"Never check for updates (not recommended: security risk)"

Tor, like any other app, requires fettling to conform it to your personal requirements.

Using Tor, as is, is a poor security choice so please take the trouble to read and understand the values of all the options on offer - not only in the tools menu but also in NoScript and in Tor button.

Understand also that the Tor browser is only fully secure when accessing sites available on the Tor network and nowhere else.

Ferri

August 04, 2016

In reply to by Anonymous (not verified)

Permalink

Now the comment above, "... the Tor browser is only fully secure when accessing sites available on the Tor network and nowhere else." caught my attention like a hornet in a coke can.

I freely admit to limited understanding of Tor/anonymous nuances but that comment sounds as if I should have heard it first day in class.

How does one know if accessing a site with Tor on another network?

Said another way, if the site is on another network and not Tor's network I did think, until now, that it would be virtually impossible to pierce the Tor veil.

If you've the patience, a little dumb down would be appreciated, or point me to another source.

dontwanttocsun

Ferri

August 02, 2016

Permalink

thanks!

Ferri

August 02, 2016

Permalink

thanks

Ferri

August 02, 2016

Permalink

thanks !

i have a question : is telegram desktop safe if i set it with tor ? i mean telegram desktop get tor DNS Given that there are no options in the remote DNS on it?

Ferri

August 02, 2016

Permalink

good

Ferri

August 02, 2016

Permalink

The changelog says, that NoScript was updated to 2.9.0.12. After I`ve updated (OS X) to TorBrowser 6.0.3, I`m using NoScript 2.9.0.13.

Ferri

August 03, 2016

Permalink

ty

Ferri

August 03, 2016

Permalink

thanks

Ferri

August 03, 2016

Permalink

I updated TBB using the "About Tor Brower".
Initially everything seemed alright. TBB finished updating and I restarted it.
The home page said that my TBB is ver 6.0.3.
After a while, I realized that https everywhere was gone. I checked the add-ons list and it only listed noscript, torbutton, and tor launcher.
I ended up downloading a fresh copy of TBB; now everything is okay.

Ferri

August 03, 2016

Permalink

Is this correct that I'm uniquely fingerprintable with Medium-High security settings, because there's no font fingerprinting defense?

The slider is only concerned with the security of your Tor Browser not with your fingerprintability, say, by examining the fonts available. That said this risk should got minimized from Tor Browser 5.5 on where we started shipping the same fonts to use (roughly) for all users of the same platform.

Ferri

August 03, 2016

Permalink

thanks

Ferri

August 03, 2016

Permalink

I clicked Enable plugins in Add-ons Manager, then opened Privacy and Security Settings and found Disable browser plugins still selected. So are plugins enabled or disabled now?

Some sites are bound to be unusable at High Security, as they require features that are disabled at High Security in order to function. Last I checked, Youtube didn't like that HTML5 was click to play at high security. There's some concern that a bug might allow a video to be used in an exploit, therefore HTML5 video is click to play.

Youtube JS player crashes when a browser says it supports SVG, but doesn't allow to draw player's elements. Video plays automatically, though.

You can use youtube-dl software. When a video interests you, download it with this stuff, with --proxy "socks5://127.0.0.1:9150"
9150 will use your tor browser's tor. If you prefer, you can run another tor instance and use theirs port.
You can open and watch a video before it's fully downloaded, just can't seek to a time that hasn't downloaded yet
For better security you might want to use app that hooks youtube-dl and force every connection through tor, like freecap, AdvOR etc

You could try the Tor Browser in Tails at High Security setting and see if it works for you. Tor Browser in Tails runs faster ( for me ) than the same Tor Browser version for Windows. YouTube videos play much clearer and smoother in Tails than Windows, although at a lower Security setting.

Ferri

August 03, 2016

Permalink

I have tried uninstalling and reinstalling but the new version keeps telling me firefox is not found for installation. I gone though searching my whole c drive(after making sure I have removing older copies), %appdata% threads and drives and removing or renaming directories like they recommend but nothing is working, I know firefox has released two new versions in two days but their update chart and your comment thread says everything is fine. Have you guys been getting any similar reports or is something up with my system. This is my first upgrade with you guys since being forced into win10. Thanks ahead of time, Johnny