Tor Browser 6.0.5 is released

Tor Browser 6.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).
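To illustrate why a CA-valid certificate should not be enough for a pinned host, the following is an added example (not code from Tor Browser or Firefox) that models the two checks separately. The key material is constructed placeholder bytes, and the `pins_enforced` flag is a hypothetical stand-in for any condition under which the built-in pins are not applied.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for DER-encoded public keys (not real key material).
PINNED_CA_SPKI = b"constructed-spki: CA the browser pins for the add-on host"
OTHER_CA_SPKI = b"constructed-spki: a different publicly trusted CA"
GENUINE_LEAF_SPKI = b"constructed-spki: genuine server key"
ROGUE_LEAF_SPKI = b"constructed-spki: key held by the impersonator"

# Both CAs are in the root store, so both can issue "valid" certificates.
TRUSTED_ROOTS = {spki_pin(PINNED_CA_SPKI), spki_pin(OTHER_CA_SPKI)}
# Built-in pin set: only chains containing the pinned CA key are acceptable.
BUILTIN_PINS = {"addons.mozilla.org": {spki_pin(PINNED_CA_SPKI)}}

def chain_is_ca_valid(chain):
    """Ordinary web-PKI check, reduced to: does the chain end in a trusted root?"""
    return bool(chain) and spki_pin(chain[-1]) in TRUSTED_ROOTS

def chain_matches_pins(host, chain):
    """Pin check: at least one key in the chain must hash to a pinned value."""
    pins = BUILTIN_PINS.get(host)
    if pins is None:
        return True  # host has no built-in pins; nothing to enforce
    return any(spki_pin(spki) in pins for spki in chain)

def accept_connection(host, chain, pins_enforced=True):
    """Return (accepted, reason) for a chain given as [leaf_spki, ..., root_spki]."""
    if not chain_is_ca_valid(chain):
        return False, "untrusted issuer"
    if pins_enforced and not chain_matches_pins(host, chain):
        return False, "pin mismatch"
    return True, "ok"

GENUINE_CHAIN = [GENUINE_LEAF_SPKI, PINNED_CA_SPKI]
MISISSUED_CHAIN = [ROGUE_LEAF_SPKI, OTHER_CA_SPKI]

if __name__ == "__main__":
    for label, chain, enforced in [
        ("genuine, pins enforced", GENUINE_CHAIN, True),
        ("other CA, pins enforced", MISISSUED_CHAIN, True),
        ("other CA, pins not enforced", MISISSUED_CHAIN, False),
    ]:
        print(label, "->", accept_connection("addons.mozilla.org", chain, enforced))
```

The third case is the one that matters for this release: once the pin check is skipped, any certificate from any trusted CA is accepted for the update host.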

Thanks to everyone who helped investigate this bug and get a bugfix release out as fast as possible.

We are currently building the alpha and hardened bundles (6.5a3 and 6.5a3-hardened) that will contain the fix for alpha/hardened channel users. We expect them to get released at the beginning of next week. Until then users are strongly encouraged to use Tor Browser 6.0.5.

Apart from fixing Firefox vulnerabilities this release comes with a new Tor stable version (0.2.8.7), an updated HTTPS-Everywhere (5.2.4), and fixes minor bugs.

Here is the full changelog since Tor Browser 6.0.4:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.8.7
    • Update Torbutton to 1.9.5.7
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
    • Update HTTPS-Everywhere to 5.2.4
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
  • Windows
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Upgrade Go to 1.4.3
Anonymous

September 19, 2016

The Addon TorButton does not update recent release.

It remains blocked version 1.9.4.5.

How do I upgrade to the latest version ? > 1.9.5.7 ???

Anonymous

September 16, 2016

Thanks.

There is no update mechanism of Torbutton other than updating the browser. Are you saying you are running 6.0.5 and being stuck on that old Torbutton version? What does the about:tor page say in its upper right corner?

I'm on 6.0.5

What's up with your buildID?

To make the build reproducible, we used a fixed buildid. This is causing some problems, so we are fixing this in the next alpha, using a different buildid for each release:
https://trac.torproject.org/projects/tor/ticket/19528

Hello!
Can it be used on a Windows 7?
I never changed my PC to the version 8 because of... reasons, you know.
I don't know right now what version was the latest and if Windows got better because Windows 8 is basically Windows 7 looking like *#*@* and the rest I really didn't have time to care much about solving the interface problem, I was too busy at University.
So, I really feel like... 7 years old is more than it was from XP to Vista! I'm old!
Really... can Windows 7 still cover current Tor?
Because Windows 10 is way too much pretty far away in time from 7 right now. I really don't know about the compatibility...
But I can still run the latest released games I download such as The Elder Scrolls Online.
Sorry for being so strange and English is not my first language, I don't know if I write well or specially speak well.
Thank you all

Yes, Tor Browser should work on Windows 7.

friend you are not old, I was old when windows 3.1 came out.
Do yourself a favor and if you value your anonymity stay away from win, especially 8 and up.
You see, everyone claims newer is more secure, but newer may have builtin insecurity that did not exist in the past. Keep your 7 alive for playing around and donate about 25Gb of your disk and install linux (debian LXDE is a good start) and get comfortable with it. There is so much more you can control with security by learning than trusting blind closed code. It is not a 3 day switch but eventually you will be going back to 7 less and less.
Yes tor runs fine on 7 but what is around it while it is running can not be trusted, like your other browser with social media (hint hint)

There is also bitmask VPN it only runs on linux, you can run tor on top of that and nobody can tell you are running it. There is also Tor hardened which is only available for linux.

If you have a spare USB stick 2GB+ try the Live system of debian, or tails from this mainpage here.

Just fired it up on a Windows XP VM. Works fine. Haven't tried the alpha though.

This is the first time that an update of TOR will not work from a flashdrive. What is wrong?

Hi, is it normal that the page opening is mozilla firefox, because the tab contains in the middle the logo of mozilla firefox, and till now I couldn't open any site, it's always telling try again proxy settings, the older versions were better, and in options I can't change it permanently to never remember history, every time I opened it I had to go to options, and to click never remember history, do you have a better file to download it for windows 7?

Does your browser look something like this now?
https://bugs.torproject.org/16441#comment:1
If so, it might have refreshed itself and removed the necessary Tor addons.

The download for Windows 7 is here:
https://www.torproject.org/download/download-easy.html.en
You can make sure you got the right file by verifying the signature:
https://www.torproject.org/docs/verifying-signatures.html.en

Do you have some error message?

If you look at your about:addons page which extensions are shown there?

and it keeps telling me no proxy settings, yes it looks like the page you put, and for the proxy I have already checked manual configuration for socks5 but nothing working at all, in any other option

Even though this question should have been asked long ago here it is:

On debian (and I suspect other linux distros) tor and tor-config are packages within the system. I tend to run a stand alone single user tor (2 currently, 6.0.5 and 6.5.a2 Hardened). I have uninstalled the two system packages and it worked fine; due to a recent update/system restructure the 2 were re-installed by default. When I checked their configuration it uses 9050 as the SOCKS port.

Should I keep the debian/tor packages, does it make a difference? I also use icedove with torbirdie, is there a chance it will communicate through the system's package? Are there any conflicts because of them? With the update going on and things not being responsive yesterday I was digging around trying to find out what's going on.

Also, while the check.tor... was down I ran eff's panopticlick and browserprint.info to test my connection and the response was "using tor=no". One possible explanation was the exit node was new. But I kept switching and it would still say no. Today it says yes again.

so should I skip this update? opinions?

Good Job . thanks . i have a question :

The Iranian government claims the internet has been nationalized and all the users are being supervised. In other words all the internet communications would be through nationalized channels.
How do you think we need to react? Using tor is still safe?

"Good Job . thanks "
I agree!
--------------

"internet communications would be through nationalized channels
... using tor is still safe?
"

As I understand (hopefully correctly), that method of surveillance is exactly what Tor is meant to defend against.
Essentially, tor encrypts everything from inside your computer to tor system's last "exit node".
Usually, the "exit node" is already outside your nationalized internet.
But is it possible that your nation operates exit nodes?
Yes, but this is not very useful for surveillance because of tor's intermediate nodes. Tor sends your encrypted internet communication through intermediary nodes, which are already outside your nation's internet.

1 - the communications are unreadable because encrypted to the exit node.
2 - it is difficult to associate communications to your computer because tor system scatters communications "pieces" through multiple worldwide tor node computers.

"Tor sends your encrypted internet communication through intermediary nodes,
which are already outside your nation's internet."

But not outside "your nation's" internet **reach**.

Any nation (especially one with all the human resources and "security" priorities of Iran) can set up Tor nodes all over the world.

Unlike with the German project that failed in attempting to offer only effectively vetted/certified nodes, Tor doesn't even try to certify because it's too big a job. They seem to be increasing/improving their surveillance of nodes, looking for suspicious behavior.

Thanks for the quick update!

I see all the comments disappeared.

Where do you report the websites that block tor?

Report them by adding to this wiki page:
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…

To create a wiki account, go to https://trac.torproject.org/projects/tor/register. Then click the Edit button at the bottom of the page.

What about a page to submit suspicious certificates we are handed when we visit websites using Tor Browser?

I've seen many suspicious ones and want to know if others are seeing them too, and what it means.

Can someone answer a general question?

Is it expected behavior that when you surf to some http site (e.g. a news site, a USG agency public homepage) and get a green icon with the home page (not a captcha warning), that the cert associated with the green lock icon makes no mention of the expected site, but only mentions cloudflare as owner of the cert?

To my mind this shows the CA system is completely broken, because a green lock icon for slate.com or fbi.gov should mean that the cert was issued to Slate or FBI, not to Cloudflare. Again, just reading news sites or FBI's home page, nothing "suspicious" other than using Tor.

Or is an indication that I am being state-sponsored MITM'd (maybe Cloudflare has been issued a root cert allowing it to impersonate anyone, say google.com?)

Mozilla is in the process of banishing WoSign which issues the StartSSL certs which appear to be the ones involved in suspected state-sponsored MITM.

installed this on one PC and AVG free has detected this as a virus
will add details when I can later
Seems this PC has already updated to it as well
restart or what?
delete (using AVGFree) or what?

In this blog post you are saying that a bug on android version of Tor Browser/Orfox was fixed but there are no updated versions of Orfox available from F-droid?

Android

Bug 19706: Store browser data in the app home directory

That bugfix makes it only possible to use our code base we have for desktop Tor Browser for mobile as well. The Guardian Project is working on a new release I have heard. Not sure, though, when this is coming out.

read false positive comment on this page

hey good job

What could have caused a fresh Tor Browser folder to randomly appear on my desktop after this update? This occurred while I was using other programs on my computer so I don't think it was something I initiated.

TH YOU FOR ALL

Any news on the 6.5a3 release yet?

update
AVGFree detection states IDP.ARES.Generic on Tor.exe

nejo741@mail2tor.com
nejo741@yandex.com
twitter.com/nejo741

NoScript Bug

Torbrowser is still totally crashing on printing (to file pdf) on different websites.
That is already an issue for years.
It seems to be a very, very persistent NoScript crashbug.

For example, take this one
https://news.drweb.com/show/review/?lng=en&i=10184

There goes the browser,
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000013d9da000
and so on, very long crash report.

The 'funny' thing with this NoScript bug (I am really sure it is) is that if you choose an older mozilla browser, just pick any flavor version (Firefox/Torbrowser/ ..) in the 30's-range, and install a new NoScript version that is still officially matching that range, you almost simply can't miss a crashing browser while printing a webpage to file.

It somehow has something to do with activating a lot or to activate almost all the security settings in NoScript.
Just go from full activation to less activation and try to find out (yourself) which setting in Noscript is letting mozilla browsers crash.

im anonymous

STOP USING AVG. it's terrible.

is it safe to upgrade from tor browser??

Full screen option (from Menu) : no warning!

There is a full screen option in the menu "Enter Full Screen".
There are two problems with this.

- It does not warn you for 'determining monitor size' like the other screen button way of resizing does.
It just maximizes the screen.

- Maybe a Firefox issue also.
If you choose the "Enter Full Screen" option from the menu and you are not familiar with this function, some people feel they maybe get in deep trouble because they cannot figure out how to get rid of this again.

Even I at first did not find it the way most people probably do.
Esc-function did not work, so I finally chose to renew the identity which gave me a normal window again.

Would it be an idea to make the escape button function work in full screen mode?
And even better to show the main computer task bar again if the mouse is pointed to the border or a corner so people won't be in a 'panic' because they cannot directly have access to their computer navigation menu anymore?

The Tor Browser updater uses signed files, so it should be safe. But you should do the update as soon as possible to limit the risk of a malicious extension update.

Thanks for the quick vuln fix. Reddit noobs had a huge argument about it.
In Tor we trust.