Tor Browser 6.0.5 is released

Tor Browser 6.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).

Thanks to everyone who helped investigating this bug and getting a bugfix release out as fast as possible.

We are currently building the alpha and hardened bundles (6.5a3 and 6.5a3-hardened) that will contain the fix for alpha/hardened channel users. We expect them to get released at the beginning of next week. Until then users are strongly encouraged to use Tor Browser 6.0.5.

Apart from fixing Firefox vulnerabilities this release comes with a new Tor stable version (0.2.8.7), an updated HTTPS-Everywhere (5.2.4), and fixes minor bugs.

Here is the full changelog since Tor Browser 6.0.4:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.8.7
    • Update Torbutton to 1.9.5.7
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
    • Update HTTPS-Everywhere to 5.2.4
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
  • Windows
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Upgrade Go to 1.4.3
k239

September 17, 2016

Permalink

Since the following question was still unanswered under the 6.0.4 section, could it pls be answered now?

"Ever since I've installed TBB 6.0.4 the entry node changes more often than previously.
I've read the entry was supposed to be the same for months but if I use TBB for several hours, there's a point when I've got a new entry node, and then another one. About 2 or 3 different entry nodes.
However, when I restart TBB the same "normal" guard node is back.

It's a bug?"

I am not the original poster, but I am sure that he/she and others would appreciate a response from the developers.
Thank you.

k239

September 17, 2016

Permalink

Broken and cant be disabled
Even with this setting, is that a bug?
browser.urlbar.suggest.searches;false

Very annoying because search suggest appearing above bookmarked suggestions when typing something (there is no need for that search suggestion field overthere).
There is a separate search field for searches in the right above corner so there is no reason to make the urlbar as a search(suggestion)field too.

k239

September 17, 2016

Permalink

Bug (also in Firefox)

Printing preferences are not remembered even within the same browser session.
Just give a print order and change a value in the standard setting in "Page headers", "Page footers" or "Appearance values".
The next print order will not remember that setting which is highly annoying if you have to print or save a lot of information.

It always remembered changed printing page values but now it is broken here too.

By the way, the standard setting of date/timeprinting information within the document is also maybe dangerous from a privacy point of view.
You can remove time metadata but you cannot remove this from a pdf document itself when saved as pdf (you would need a pdf editor for that).

Please look at this standard values omissions.

k239

September 17, 2016

Permalink

Torrc configuration possibilities are gone.
Excluding country top level domains is not working anymore!
Please bring this option back.

k239

September 17, 2016

Permalink

Https everywhere toolbar menu does refer to nothing after the arrow.

Why isn't the Https everywhere add-on visible in the toolbar menu so users can directly access its preferences, settings and can be aware that the add-on status is actually active?

k239

September 17, 2016

Permalink

Choosing New Identity not cache cleaning everything (nor closing Torbrowser)

The old Torbrowser versions 4 and earlier did something Torbrowser nowadays does not do anymore.
Torbrowser is keeping information in its memory cache (placing it in computer memory cache) after choosing new identity.
If you for example copy an url from the url bar or other text information from Torbrowser, Torbrowser is keeping that information in its cache after choosing new identity.

Even when you are closing down Torbrowser and opening another standard browser like Firefox you can still past that information.
So the Torbrowser cache is not cleaned anymore like the older (4 and 3) versions did.
Now the only way to get rid of the Torbrowser copy-cache is by overriding information by copying some other non important information.
That is not a really practical procedure.

Please make the cache cleaning after renewal or closing down Torbrowser work again.

Resetting entry node not possible anymore

It is not possible anymore to reset the entrynode anymore.
It used to be possible by replacing all these files
" torrc-defaults, torrc, state, lock, geoip6, geoip, control_auth_cookie,
cached-microdescs.new, cached-microdescs, cached-microdesc-consensus, cached-certs " with the standard files like
" geoip, geoip6, torrc, torrc-defaults " .

Now you have to completely reinstall a Torbrowser and have all the fuzz again with different settings.
Where are all this files "torrc, state, lock, control_auth_cookie, cached-microdescs.new, cached-microdescs, cached-microdesc-consensus, cached-certs"
Gone?

How do I change my entry node manually?

Full screen option (from Menu) : no warning!

There is a full screen option in the menu "Enter Full Screen".
There are two problems with this.

- It does not warn you for 'determining monitor size' like the other screen button way of resizing does.
It just maximizes the screen.

- Maybe an Firefox issue also.
If you choose the "Enter Full Screen" option from the menu and you are not familiar with this function, some people feel they maybe get in deep trouble because they cannot figure out how to get rid of this again.

Even I at first did not find it the way most people probably do.
Esc-function did not work, so I finally choose to renew the identity which gave me a normal window again.

Would it be an idea to make the escape button function work in full screen mode?
And even better to show the main computer task bar again it the mouse is pointed to the border or a corner so people wont be in a 'panic' because they cannot directly have access to their computer navigation menu anymore?

My computer expert son told me to learn how to use TOR by asking those who use it how to get started.

I live in Amsterdam, Netherlands for years now but as yet have found no TOR users.

Any suggestions please?

suzannedk@gmail.com

why do you want Tor users to mail you which might reveal their location if they are using Tor to protect their anonymity?!

the point of using Tor is for anonymity
I cant see a bunch of Tor users meeting in a coffee shop to exchange names, contact Nos, email addresses to discuss Tor and its uses, but maybe anything is possible if youre high.

have a nice day

semiautomated download from https://gettor.torproject.org/ has worked flawlessly and timely now, thank you!

why had this release been previously 'scheduled'? why not just release as soon as it's ready?

Okay so I updated mine and my avg detected a virus or something and i clicked clean now whenever I wanna start for it says The Tor executable is missing. Please help

The link for bug #19906 points wrongly to #19006.

As far as I've been able to understand the 'TB' project is a major effort on the part of a truly talented collection of extremely courageous and socially conscious individuals. The fact that the multi trillion dollar boot on our necks that is being sold as 'governance' isn't being addressed whatsoever, is a human tragedy.
I have no particular reason to be concerned what today's warped sense of' justice can bring to bear against me and mine and only use TB because I know that if enough 'data' becomes inaccessible the plug becomes ever so much closer to being pulled on these profiteers of a fictional war.
I realize that most of the emotional content of this blog is related to the passion of the technical perfectionism the digital age has brought up in us all, my own as a second generation Silicon Valley technician only recently washed his hands of corporations that thought it was a good idea to bid on and receive government and military contracts so I know that any and all discourse pointing out even the tiniest of flaws is absolutely beneficial but I am here to say this: A thousand cheers for the true hero's who are standing up in a very meaningful way for the silenced voice of the people and making a difference! Now all you have to do is ask yourself "What can I do to help?" and the answer is simple: Disappear. That's right for yourself, and tell everyone you know, to offer up not a single byte of any information to these hypocrites who use a nearly unbreachable shield to protect their own movements while they examine every move of yours.
Thank you TB team for making it possible for me to make a difference in some small way and to anyone who is really butt hurt over minutia I hear there is a web sight just for you called facebook or twitter or something where you can share any little concern that you've ever had about anything at all really and the NSACIAFBIPD... won't even need to spy on you to get whatever they want to know- you can just tell them yourself. heh...
PS: I don't really mind if you censor this (LOL!) as long as the team knows that some of us really appreciate the very timely masterpiece they have created.

[This is the kind of comment which FVEY is likely to try to censor or delete]

"Disappear" by using Tor, you mean? Plus one if so.

You might be interested in Julia Angwin's book Dragnet Nation, where she interviews TB developer Mike Perry, a self-described "data refusenik".

One point of which to be aware is that refusing to carry a WiFi-capable device in itself makes you suspicious to the secretive WiFi mesh surveillance which has been constructed in some cities, and which the surveillance-industrial complex is pushing hard to extend to essentially all cities under such slogans as "safe cities". The 2014 Cobham catalog published by theintercept.com is a good place to learn more about how the complex is marketing WiFi meshes.

In case anyone missed the point: the mesh nodes (which are often located on streetlights) are not simply passive APs, they ping every nearby WiFi device for their unique identifier, so that the backend database can track every WiFi capable device (phone, laptop, tablet, PDA, bitfit, "smart clothing" [sic]) as it (and the person carrying it) moves around the city. There is no need to subpoena anyone to correlate devices with IRL identities of persons because the data reveals where people live and work, and that is usually more than half way to uniquely identify a person residing in a major city, as research on deanonymization shows. The Cobham meshes are designed to tie together public and private sector audiovideo surveillance, secret transit surveillance systems (many people dont seem to realize many city buses are bugged, not just videoed), spy Cessnas, police vehicles, uncover agents, and covert in-home surveillance systems, in real time.

Don't believe it because I say so, believe it because Cobham says so. Read the catalog, it will open your eyes.

I am using Mac OS running Yosemite. Firefox had a problem in which when reinstalling the Firefox software or Torbrowser the system reports that a newer version already exists even though it is the same Torbrowser or Firefox version installed. It appears something is being modified within an aproximate 24 hour period. This issue has been corrected in Firefox version 49 but the problem still exists for Torbrowser

Thank you very much.

thank you

great awsome

Dear Tor project Team,
I am experiencing difficulties with one of
your android browser App... known as TorFox.., TorFox when
used with Tor browser in Android system..., dose not work...!
Why...? is it because it's still under Beta testing...? Please
endeavor ...'t' get it fix up...Okay!
God bless you.
CG.

Not familiar with "Torfox" and I don't think it comes from Tor Project (someone please correct me if I am wrong!) since it is not listed here:

https://www.torproject.org/

In general, you should not trust anything which does not come from Tor Project (torproject.org). In the past, some items which had "tor" in their name but which were not from TP turned out to be very badly designed, maybe even state-sponsored snares.

Orfox is the TOR browser for android. You need to run it through Orbot. You need to download both apps. Start Orbot like any normal app and then long press it to start TOR connection. When the browser button lights up (lower left) touch it and Orfox will automatically start. I'm using them right now. :-)

attention idiot coders:

you are assuming the Tor port is 9150 after custom previously set to for example 9750

goodday

why isnt 6.05 build signed by Tor Browser Developers?

6.05 hangs on startup when it cant connect to 1 or more bridges instead of failing and moving onto to ones that it can connect to and loading firefox.

Tor is failing to connect with the built in obfs4 & obfs3 bridges
fails with a separate newly extracted bundle.

no basically nothing is working

Tor Browser 6.0.5 x64 linux

I noticed this empty directory: /tmp/mozilla_user0

That could be privacy related or worse.
Modification time is updated every now and then, maybe to store temporary data?

Thank you

I don't see such a directory on my Linux box. Does this happen when you run Tor Browser? Does it go away when you close it?

YES, this happen when I run Tor Browser.

When I close it, the directory doesn't disappear.

It happen every now and then, frequently.
Maybe watching some video on youtube or so. My privacy settings are at default.

Please, investigate.

I can help you if you tell me how.

Cheers :)

tor-browser-linux64-6.0.5_en-US

I tried with "mega" and the directory mozilla_user0 appear in /tmp when the download of a file was ready.

There are other cases that make this happen because I don't go to mega often.

Which conditions let the directory mozilla_user0 appear in /tmp ?

What about linux x86 (32bit), Windows and macOS versions ?

I have discovered that it's pleasant to find out bugs, but at the moment I have no VM e very few experience and time in this period. If you need more informations, help me to help you.

Cheers :)

Finally I got it happen on youtube, as I said before, but not always: maybe some youtube advertisement? Some youtube script? I go to youtube as a guest, without login.

Cheers :)

Reported
https://trac.torproject.org/projects/tor/ticket/20339

Also Tor Browser 6.5a3 is affected ( tor-browser-linux64-6.5a3_en-US )

Firefox on Mac OS "find" feature directly linked to TOR browser "find". If I place a search criteria say "germany" in Firefox ver 49 for the Mac OS running Yosemite. The search criteria "germany" immediately shows in the TOR browser suggesting a link from the regular browser to the TOR browser.

Why does this link exist the browsers should be separate.

I would like to ask that we add an option within the privacy or security settings allowing a modifier to specify how many times the TOR circuit bounces before landing on a site, instead of the usual 3.

Прошу допомоги! Не знаю у кого і як запитати. У мене на комп'ютері локальна інтрамережа.
Як зробити так, що б браузер Тор міг знайти, бачив її?

On mac os x 10.6 torbrowser is not able to connect to
after the version 6 update

Tor browser is the best i have ever used