Tor Browser 6.0.5 is released

Tor Browser 6.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).

Thanks to everyone who helped investigate this bug and get a bugfix release out as fast as possible.

We are currently building the alpha and hardened bundles (6.5a3 and 6.5a3-hardened) that will contain the fix for alpha/hardened channel users. We expect them to get released at the beginning of next week. Until then users are strongly encouraged to use Tor Browser 6.0.5.

Apart from fixing Firefox vulnerabilities, this release comes with a new Tor stable version (0.2.8.7) and an updated HTTPS-Everywhere (5.2.4), and fixes minor bugs.

Here is the full changelog since Tor Browser 6.0.4:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.8.7
    • Update Torbutton to 1.9.5.7
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
    • Update HTTPS-Everywhere to 5.2.4
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
  • Windows
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Upgrade Go to 1.4.3

Anonymous

September 18, 2016

I have a threat detection in tor.exe after upgrade to 6.0.5

AVG claims that it is infected by IDP.ARES.Generic (on Windows 7 64-bit)

Anonymous

September 18, 2016

I can not install the update. Got the following message see below. I did not have firefox at all. Installed firefox 48..... with no success. Still got the same message.

The update could not be installed. Please make sure there are no other copies of Firefox running on your computer, and then restart Firefox to try again.

Anonymous

September 18, 2016

a reboot of the server hosting the blog is a good idea _ it should be done the first of every month.
,)
have a nice day & thank you very much for your work.

Probably a false alarm. (This comes up a lot.)

That said, the flaw discovered by Movrcx appears to be one of the most devastating flaws in all TB platforms (including Tails and Whonix) ever published, so this may not be business as usual.

Is Ryan Duff's suggestion a sensible future Tor Browser enhancement? That is:

"While TorBrowser will catch the fix from the Mozilla patch, I believe they should actually change how they handle extensions overall. It seems ridiculous to me that they actually use Mozilla’s auto-update process for extensions. If NoScript or HTTPS Everywhere added a new vulnerability with an update, all Tor users would get it within a day of using the browser. Also, with the paranoia their organization seems to have, I would think Mozilla being compelled to push a malicious extension to specific Tor users would be a real concern of theirs.

To me, the logical solution would be to compile NoScript and HTTPS Everywhere themselves, sign those extensions with their own key, hardcode their public key into the TorBrowser, and then do their own cryptographic validation of extensions locally. Extension updates would go out with TorBrowser updates exactly how the TorBrowser Firefox updates are delivered."
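The local validation proposed in the quoted suggestion above, as an added example that is not part of the original post and is not Tor Browser's or Mozilla's code: an update is accepted only if its signature verifies against a public key shipped in the browser, so the certificate presented by the download server plays no part in the decision. It goes slightly beyond the quote by also binding the extension id and version into the signed data and refusing rollbacks; Ed25519, Node.js, the function names and all sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Canonical bytes that get signed: extension id, version and package digest.
function signedPayload(id, version, xpi) {
  const sha256 = crypto.createHash('sha256').update(xpi).digest('hex');
  return Buffer.from(JSON.stringify({ id, version, sha256 }));
}

// Build side (hypothetical): the browser vendor signs its own extension builds.
function signUpdate(privateKey, id, version, xpi) {
  const sig = crypto.sign(null, signedPayload(id, version, xpi), privateKey);
  return { id, version, xpi, sig };
}

// Compare dotted numeric versions; the result is > 0 when a is newer than b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Client side: decide whether an update may be installed. The TLS session that
// delivered it is not an input, so a mis-issued server certificate changes nothing.
function checkUpdate(update, installed, hardcodedPublicKey) {
  if (update.id !== installed.id) return 'reject: wrong extension id';
  const payload = signedPayload(update.id, update.version, update.xpi);
  if (!crypto.verify(null, payload, hardcodedPublicKey, update.sig)) {
    return 'reject: bad signature';
  }
  if (compareVersions(update.version, installed.version) <= 0) {
    return 'reject: not newer than installed';
  }
  return 'accept';
}

// Constructed sample data: keys, extension id and package bytes are made up.
const vendor = crypto.generateKeyPairSync('ed25519');
const other = crypto.generateKeyPairSync('ed25519');
const installed = { id: 'noscript@example.invalid', version: '2.9.0' };
const samples = {
  genuine: signUpdate(vendor.privateKey, installed.id, '2.9.1', Buffer.from('vendor build')),
  // Signed by a key other than the one shipped in the browser.
  wrongKey: signUpdate(other.privateKey, installed.id, '2.9.2', Buffer.from('other build')),
  // Correctly signed, but an older build offered as an "update".
  rollback: signUpdate(vendor.privateKey, installed.id, '2.8.0', Buffer.from('old build')),
};
// Genuine signature attached to different package bytes.
samples.tampered = { ...samples.genuine, xpi: Buffer.from('other build') };
for (const [name, u] of Object.entries(samples)) console.log(name, checkUpdate(u, installed, vendor.publicKey));
```

Only the vendor's public key needs to be present on the client; the private key in this sketch stands in for a signing step that would happen at build time.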

Thank you very much.
You people are doing great.
Can you please update the roadmap for tor messenger?

The options are being discussed in this ticket:
https://trac.torproject.org/projects/tor/ticket/20146

Plus one.

Can TP urge our best reporters to make themselves available via TM?

AVG antivirus detects new version of tor.exe as IDP.ARES.Generic virus.

dis good thank your magisti so mach

idp.ares.generic warning received from AVG when doing latest install. Any suggestions?

Everything alright.

Updated and TOR was deleted by AVG due to IDP.ares.Generic virus threat. What the heck is going on?

This is the best, better, cool, perfect browser I seen.

Getting a virus in my update... What's going on?

Updated but avg detected IDP.ARES.Generic virus threat.

Hello gk, & everybody ..Devs & Anonymz :)

I disabled it because according to the ADD-ONS: "About:Addons-Memory" shows >>HTTPS-Everywhere<< usage of memory is about 10-times (or sometimes more) than >>NoScript<<

Thou: it -apparently- not providing that much of a security since famous websites like (google/gmail, yahoo, "bing", twitter, facebook..etc..etc..) are HTTPs< by default!

and --by logic-- if any other website NOT "equipped" with HTTPs then that add-on will NOT "enforce' to a-must-use!! LoL..

Looks really funny: Why is it too-essential to-must have it! While it 'eats' & wastes 10- times of memory (than: NoScript) for NOTHING!?

Thank You ALL,

NP: feeling sorry when yesterday the blog were unacceptable but now HAPPY it's back to work, also noticed the "ticket" issue, Hoping the blog won't go OFF again :)

Couldn’t agree more. HTTPS-Everywhere is useless. I don’t see the point of it.

What do I have to do if my AVG consider new version as virus?

On my computer AVG antivirus detects new version of tor.exe as IDP.ARES.Generic virus.

So AVG considers a whole hell of a lot virus, the only way to circumvent it is to allow the program through the filter. So make it an exception instead of letting it block it or sandbox it.

As normal virus programs will remove a program and put them in a secure space called a sandbox. Cutting it off from the live OS.

The problem with this is it gives the program/.exe full access to run as it likes and if it at some point turns into an actual virus I guess AVG will just look away.

But other than that, just say fuck you AVG and allow the program to run, if it is indeed a false positive.

The same for my AVG too. Is it normal or not? Would you please give a comment about this?

I am another tor user, using another scanner.
Manually started scan.
My scanner finished "Clean"
---------------

False Positives are a problem for malware/virus scanners.
You'll see these reported at the "suspected" software forum or the malware scanner forum.

Check these web searches.
avg
false positive avg.com IDP.ARES.Generic

compare to
false positive examined IDP.ARES.Generic virus | detected
(possibly, "IDP.ARES.Generic" is avg's name for whatever code avg finds)

tor.exe
false positive tor.exe IDP.ARES.Generic

This just happened to me, too.

Here too!

Anonymous

September 17, 2016

AVG is not a good program ..

We hope you'll delay alphas to get new Tor alphas.

Many recent releases of the Tor browser tend to be crashy when printing. When this occurs, I lose all open tabs. When I highlight some text, right-click and search DuckDuckGo, it is regarded as a cross-site scripting violation. Why does the user interface only address small security issues, while excluding meaningful tools like Self-destructing Cookies, Toggle Referer, Blend In, Stop Fingerprinting, Calomel, et cetera?

And why is the NoScript menu pared down to a choice of all or nothing? If you really need to enable scripts, 99% of the time you only need top level scripts to make the site work... not a dozen off-site tracking scripts. "Allow everything" should be the very last option, not the first and only option! If manual approval is required to right-click & search, why is manual approval not even available for "allow top level scripts on this page"? It seems like a contradiction.

Going back to the original problem: if I attempt to change the history settings, a pop-up message says: "Tor browser must restart to enable this feature." A normal person would read that as a reminder, not a restart warning: Since there is no CANCEL button, OK typically means DISMISS THE WINDOW, not CLOSE THE BROWSER. It should never restart without the user's permission. There go my tabs again - another week's work down the drain!

This service is essential in oppressive regimes, and I am thankful for it despite the frustrations. However, I think some of the user interface security policies should be subject to review. If there is a debate about whether a common security extension should be included in Tor browser, perhaps the category should be listed in TorProject wiki, along with the justifications for excluding the feature. It makes no sense when NoScript is hobbled in a way that reduces security, referer enabled by default, weak certificates not indicated, and cookies preserved after tabs are closed. Can someone explain the logic behind all of this?

No need to delay it. The alphas will have tor 0.2.9.2-alpha.

"why is the NoScript menu pared down to a choice of all or nothing?"
Try this.
Optionally, take screenshot of "general" tab of noscript options, as a "visual backup".

Drag or paste into url bar
about:config?filter=noscript.show

Optionally, take screenshot, as a "visual backup".

noscript.showAddress;true
noscript.showBaseDomain;true
noscript.showDistrust;true
noscript.showDomain;true
noscript.showGlobal;false
noscript.showRecentlyBlocked;true
noscript.showTemp;true
noscript.showUntrusted;true

Those are "user set" that I have decided that I like, after much time using noscript extension.
Edit (toggle) whichever you want

Use tor browser (try blog.torproject.org). See how noscript GUI has changed for you.
Optionally, take another screenshot of "general" tab of noscript options.

Also, you can use "Reset" button at bottom of noscript options "General" tab.

nickm is going to release 0.2.9.3-alpha this week.

change the history settings, a pop-up message says: "Tor browser must restart to enable this feature." A normal person would read that as a reminder, not a restart warning: Since there is no CANCEL button, OK typically means DISMISS THE WINDOW, not CLOSE THE BROWSER

I also fell into this pitfall, months ago.
This "trap" is in firefox menus, Options/Preferences
Privacy (click the eye mask symbol in left column)
"History
Tor Browser will" (choose)

I'm not going to recheck this behavior, but instead of OK, maybe close the message by clicking "X" at top right corner? Is there an "X" there?
I think this qualifies for a UI bug report, if one doesn't already exist.

Some screenshots (but the older GUI in which eye mask is in top row): http://www.blogtechnika.com/how-to-disable-browsing-history-feature-in-…

Please report your issues to the bug tracker or mailing list. Not here.

Using these extensions may appear to increase your privacy. Anything they do offer is minimal and not worth the cost of diverging from the standard tor-browser user. This also applies to NoScript's lacking granularity.

Additionally, to deny tracking services may harm the site that you are interested in as they may not know which webpages are of interest by their users.

The real problem here is the centralization of the tracking services - while what they offer is no more than the site you visit already has in their own logs. If you want to opt out of tracking, you may opt out of these services... But you remain in the site's own normal [under respected] logs.

Tor browser already disassociates your tracked profile between sites. Third party cookies are isolated in per top-level domains.

The best suggestion I have is to reduce your modifications of tor-browser to the defaults. Maybe select in torbutton's menu a higher security level. Enable JavaScript on only the sites you trust (preferably the whole page.) And finally, do not use sites you do not trust. Especially do not identify yourself - even with a pseudonym.

I do agree that tor-browser could be hardened better. As you said:

- referrals aren't generally necessary (however some sites break without them :/)
- cookies preserving when tabs are closed can be inconvenient and may require the user to login more frequently

Or better yet if tor-browser supported isolated windows where you could login to different users at the same time.

For the auto-updating process, can TorProject please state the basic known requirements so this safe and convenient method can be expected to work?
E.g. Default file locations? Security slider? Others?

This makes even more sense because TorProject provides not even a description of how to maintain installation integrity after overwriting an old version with a fresh download.
E.g. guard node continuity is broken.

Perhaps can start with an acknowledgment on the download page?

Thank you.

Many of us use the last version to download the new version, so we would be vulnerable until we obtain the new version.

If we check the signature of the new version, is it safe to use (all other things being equal)?

If in doubt, can we disable the NoScript updater until we get the new version and install it?

Not sure what you mean exactly but the updater is not supposed to overwrite any user data. Thus, it won't touch your browser profile (including selected security slider level) etc. If that's not the case, please file a bug.

"If we check the signature of the new version, is it safe to use (all other things being equal)?"
The attack that you imply I think requires coordinated attacks on
the download and signature (the sha files?)
and on your computer's hash checker

maybe the easiest defense is two "independent" downloads:
1 - your computer downloads from torproject server. You check hash.
2 - a school or friend's computer, running different operating system and browser downloads from a mirror server. Check hash.

Sorry I was not clear. I was trying to be nice.

In plain English the updater is fussy and doesn't work so could its prerequisites/requirements to have it work please be stated. To the extent they are known. (Win7/64)

Examples: what set of folder locations are allowable for Tor to be running from and have the updater work, what slider status, etc. etc.

Thank you.

Can the bug also affect Adblock Plus updater?

As I started to read this post yesterday using Tails 2.5 (current version and apparently vulnerable to the cited vulnerability), I noticed the AdBlock updater was running on my device. Groan.

I wish I understood better how onion services can protect against this kind of state-sponsored fake cert, or at least knew some way of checking that a cert my browser has been served is genuine.

Question for Citizen Lab and others who know how state-sponsored MITM schemes work: when I connect to some sites, I have been noticing a warning as you "drill down" into the provided information about certs that something cannot be verified (ownership?).

Particularly strange, some USG public websites like (ooh, the irony) fbi.org have a cert and get a green lock icon, but the cert is actually owned by our favorite company cloudflare:

Issuer:

CN = COMODO ECC Domain Validation Secure Server CA 2
O = COMODO CA Limited
L = Salford
ST = Greater Manchester
C = GB

Owner:

CN = ssl[nnnnnn].cloudflaressl.com
OU = PositiveSSL Multi-Domain
OU = Domain Control Validated

"Multi-domain"?!

There is no indication that the served web pages have not been maliciously modified by that company. Recently I get a captcha page with what purports to be an image of the FBI logo, but in past I got what appears to be the genuine page, however served by cloudflaressl.com not by fbi.gov, with a cloudflare cert. So I am reading something which has a green lock icon and claims to be the FBI public website, but is not actually served by FBI. I hope it is obvious why this is a big problem.

Seems a bit strange that FBI uses a UK CA, unless you assume that USIC regularly relies on UK GCHQ to attack US persons, while NSA/TAO attacks UK persons, to evade national laws in the US and UK restricting attacks on own citizens.

Similar green lock icon misinformation observed at many news sites which allegedly use https. Another oddity seen at slate.com; for some articles (often those related to computer security), the lock icon suddenly breaks, as if some articles are served using broken https protocols that my browser refuses to use.

Recall that

o NSA/TAO is known to use fake Facebook phishing sites to serve malware (to US citizens for example)

o GCHQ/JTRIG is known to use fake BBC News phishing site to serve malware (to Wikileaks volunteers for example)

o FBI is known to use fake AP News phishing site to serve malware (to US high school students for example)

What to make of all this?

(By the way, BLM OSINT has a legitimate need to visit fbi.gov to obtain some USG crime stats not available elsewhere, as well as cdc.gov and other USG sites which have similar issues.)

Relevant news stories:

https://theintercept.com/2016/09/16/new-film-tells-the-story-of-edward-…

A list of several dozen highlights from The Intercept's coverage of the Snowden leaks.

http://www.theregister.co.uk/2016/09/16/ixp_sues_german_govt_surveillan…
World's largest internet exchange sues Germany over mass surveillance
DE-CIX questions legality of government tapping its system
Kieren McCarthy
16 Sep 2016

> The world's largest internet exchange point is suing the German government for tapping its communications systems.

the only transport types working are obfs3 & obfs4

Good job guys.

Also
https://check.torproject.org/
was unreachable.

1- Why server reboots? Attack? What else?

2- Did you consider alternatives to *.torproject.org if you were under some sort of attack?
I think .onion services, tor.stackexchange.com ...

Thank you

> Did you consider alternatives to *.torproject.org if you were under some sort of attack? I think .onion services,

See onion.torproject.org a.k.a. yz7lpwfhhzcdyc5y.onion for a list. There's also an onion.debian.org.

WoW, thank you!!