Tor Browser 6.0.6 is released

Tor Browser 6.0.6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 45.5.0esr. Other components were updated as well: Tor to 0.2.8.9, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.1u.

We fixed a lot of usability bugs, some caused by Apple's macOS Sierra (meek did not work anymore and windows could not be dragged either). We moved directly to DuckDuckGo as our search engine avoiding a roundtrip to Disconnect.me first. Finally, we added a donation banner, shown in some localized bundles starting on Nov 23, to point to our end-of-the-year 2016 donation campaign.

Here is the full changelog since 6.0.5:

  • All Platforms
    • Update Firefox to 45.5.0esr
    • Update Tor to 0.2.8.9
    • Update OpenSSL to 1.0.1u
    • Update Torbutton to 1.9.5.12
      • Bug 20414: Add donation banner on about:tor for 2016 campaign
      • Translation updates
    • Update Tor Launcher to 0.2.9.4
      • Bug 20429: Do not open progress window if tor doesn't get started
      • Bug 19646: Wrong location for meek browser profile on OS X
    • Update HTTPS-Everywhere to 5.2.7
    • Update meek to 0.25
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
    • Bug 19838: Add dgoulet's bridge and add another one commented out
    • Bug 20296: Rotate ports again for default obfs4 bridges
    • Bug 19735: Switch default search engine to DuckDuckGo
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
  • Windows
    • Bug 20342: Add tor-gencert.exe to expert bundle
  • OS X
    • Bug 20204: Windows don't drag on macOS Sierra anymore
    • Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
  • Build system
    • All platforms
Anonymous

November 15, 2016

When I click "Restart Tor Browser to Update" it fails:
"Software Update Failed"

Running on Fedora 23.

Anonymous

November 15, 2016

Will it be more or less protected using TOMOYO/AppArmor/other similar tools?

Those will protect from unintended or malicious filesystem access and resource usage, so more or less, sure. An attacker can still call arbitrary syscalls even when using a MAC like AppArmor, TOMOYO, etc. A kernel vulnerability can be used to bypass those protections if one is known to the attacker. You would have to use Seccomp to protect from that, but it requires much more configuration than a MAC. Chrome/Chromium uses Seccomp-BPF to sandbox its processes. Hopefully one day Firefox/Tor browser will be able to do the same. Mozilla wants to, but it's taking a long time.

Note that a MAC and Seccomp are both separate from the browser. The browser doesn't have to be configured to use them, except maybe for rules (Firefox rules, if available, should probably work on Tor Browser). Tor Browser could be run under seccomp using a small wrapper program (or even systemd --user, see systemd.exec(5)), and maybe a small LD_PRELOAD shim, if you are willing to enumerate all the system calls that it will need for your particular use case. At a minimum, you could most likely block all 32 bit system calls on 64 bit Firefox, and cut the attack surface roughly in half. The exec(2) family of syscalls might be the most important ones on any platform, and really could be blocked for almost all use-cases. Being that Firefox is cross-platform, I doubt that it uses many syscalls directly.

But this is a very tedious situation, and it would be ideal to have something specific to the Tor Browser that can configure seccomp and other security mechanisms automatically and precisely. Luckily, Tor Project developers are already thinking about it: https://blog.torproject.org/category/tags/sandbox
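The wrapper idea from the comment above, as an added example that is not part of the original thread or of any Tor Project code: a C launcher for 64-bit x86 Linux that installs a seccomp-BPF filter rejecting 32-bit and x32-ABI system calls, then executes the program it is given. The names native_only, verdict and install_native_only are made up for this example; verdict is a small offline evaluator for checking what the filter decides before it is applied.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define X32_SYSCALL_BIT 0x40000000u /* x32 calls report AUDIT_ARCH_X86_64 with this bit set in nr */

/* Kill on any non-x86_64 calling convention (32-bit compat entry),
 * answer x32-ABI syscall numbers with ENOSYS, allow everything else. */
static struct sock_filter native_only[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define NATIVE_ONLY_LEN (sizeof native_only / sizeof native_only[0])

/* Offline check: the action the filter returns for (arch, nr). Handles only the opcodes used above. */
static uint32_t verdict(uint32_t arch, int nr) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < NATIVE_ONLY_LEN; pc++) {
        const struct sock_filter *i = &native_only[pc];
        if (i->code == (BPF_RET | BPF_K)) return i->k;
        if (i->code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (char *)&d + i->k, 4);
        else if (BPF_OP(i->code) == BPF_JEQ) pc += acc == i->k ? i->jt : i->jf;
        else pc += acc >= i->k ? i->jt : i->jf; /* BPF_JGE */
    }
    return SECCOMP_RET_KILL;
}
/* Install the filter on the calling process; it is inherited across execve(). */
static int install_native_only(void) {
    struct sock_fprog prog = { .len = NATIVE_ONLY_LEN, .filter = native_only };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    if (install_native_only() != 0) { perror("seccomp"); return 1; }
    execvp(argv[1], argv + 1); /* the filter stays in force in the new program */
    perror("execvp");
    return 127;
}
```

The exec(2) family cannot be denied by this filter, because the wrapper itself needs execve to start the browser; that restriction would have to be applied from inside the process, for example by the LD_PRELOAD shim the comment mentions.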

You can use Tor Browser with Seccomp via Firejail, like this:

    $ cat /etc/firejail/tor-browser.profile
    noblacklist ~/.tor-browser-en
    include /etc/firejail/firefox-esr.profile
    whitelist ~/.tor-browser-en

    $ firejail --seccomp --profile=/etc/firejail/tor-browser.profile /usr/bin/tor-browser-en

>Seccomp via Firejail
I thank you very very much for this tip (almost perfect: one of the torproject is torsanbox). That solves one problem but I still have the second: adding a MAC protection.
- SE is not for me (it is not my cup of tea).
- AppArmor is buggy after updating or tweaking the .conf files.
- Tomoyo is very interesting, but will it protect a Torbundle folder (a short link is included and tor must not be run as root) and openvpn files (login & password are mine) put in my:
home/document/[TBfolder] ?

How to configure a Tomoyo MAC protection for these particular files/folders?

Anonymous

November 15, 2016

AudioContext Fingerprint

AudioContext fingerprint is a property of your machine's audio stack itself. If you choose to see your fingerprint, we will collect the fingerprint along with a randomly assigned identifier, your IP Address, and your User-Agent and store it in a private database so that we can analyze the effectiveness of the technique.

AudioContext Fingerprint Test Page
https://audiofingerprint.openwpm.com/

Anonymous

November 20, 2016

In reply to by Anonymous (not verified)

I had tor & onion on an old android device. When govt stepped in, they blocked it in settings. I haven't used it for about 3 mos; however I am still paying 9.99 a month on a credit card. I now have access to this iPad and would like to restart my old account. The problem is I am not very computer savvy and need some help. Could you guide me through it?

On your Android device, uninstall the tor&onion that is charging you 9.99, and install Orbot and Orfox, by searching them on Google Play (easiest) or...
...getting FDroid at https://f-droid.org and enabling GuardianProject repository (ask a techie friend to help if you do it this way. It's safer but requires more clicks to set it up).

Legit Tor and Tor Browser (on Android it's called Orbot and Orfox) will never charge you anything.

That device is pretty well shot. I tried to uninstall but keep getting charged. I could probably just install it on this iPad but I don't want to overpay. 10 bucks from the old then 15 for this. I have the Italian disease.... Funds allow...yuc, yuc!

Anonymous

November 15, 2016

Why does the auto-updater not even check for available disk space before attempting the update? This is the third time the auto-updater has failed to update and left a non-working install, riddled with ".updated" files, which however are useless in trying to get back to the previous, working, setup. So, why litter the drive with these useless files if reverting back to the previous version is impossible anyway? How do I get my setup back to working now? Do I really have to disable auto-update to keep this from happening?

Not sure about checking the available disk space question. What operating system are you using? I think if you don't have enough disk space for getting the update applied automatically, then, yes, disabling the auto-updater seems to be a better solution for you.

I have set TBB to clear everything on exit, but the remainder of the system keeps filling up the drive over time or even temporarily (other programs' caches for example). And because TBB-updates are only announced _after_ they have been applied (and possibly failed) when auto-update is enabled, it is not possible to make room for the update beforehand. Obviously that is the way "auto-update" is supposed to work, but a basic sanity check before starting a procedure that
1) is irreversible
2) may leave the system in an unusable state
3) has no straightforward method of reverting to the previous state
is good practice (and IMO mandatory).

I ended up downloading the full installer, unpacking it and then locating and copying over the entire profile from the damaged install. I hope that this didn't compromise the anonymizing functionality of the TBB (seems to work OK).

Well, thanks for the update, anyway, now that it's running!

Anonymous

November 15, 2016

Hi Team, some YouTube videos only play the audio part. Already downloaded fresh copy. I'm on Trisquel 7 x32. Works fine with Abrowser with all extensions and plugins disabled. Thanks..

Anonymous

November 15, 2016

"We moved directly to DuckDuckGo as our search engine avoiding a roundtrip to Disconnect.me first."

Not working here. Doesn't even redirect to DDG anymore.

Does this TBB, 6.0.6, contain the ESR that switches to search.json.mozlz4?
The old search engines (in omni.jar I think I have read) should carry over? Unless TBB 6.0.6 explicitly deals with obsolete DDG search engine?

Whichever is happening, I'd try this:
In old profile, save copies of prefs.js and export bookmarks.
Shutdown TBB.
Empty profile location.
Startup TBB which should let TBB generate new profile?
Import the bookmarks
Shutdown.
Copy your saved prefs.js over the freshly generated prefs.js
Startup TBB and try DDG to check if it works.

Do you really want DDG anyways? Cloudflare doesn't let anyone read anything anonymously. The only advantages to DDG are it has a .onion version (so less reliant on certificate authorities) and that it doesn't use Google.

https://ixquick.com/ and https://startpage.com/ use Google but all Google knows is that a request came from ixquick. Isn't that worth it to read articles censored by cloudflare? Just click "proxy" in search results and you can read. Some sites block https://archife.org/web/ but none block ixquick's/startpage's ever-changing proxies.

I've used startpage as my only search engine and without scripts. It rarely lets me down. Anything that involves the root "cloud" I stay away from, and I am glad I am not a meteorologist, or a pilot. The wider the web the narrower it has gotten for some of us. Altering an old saying, "if it is not written in plain HTML chances are you don't need it or can live without it". But I only wish this was true, as people these days instead of writing down something they find it easier to say it in front of a camera and upload it to utube.

Anonymous

November 15, 2016

There was a problem checking for, downloading, or installing this update. Tor Browser could not be updated because: Failed(unknown reason)

on Windows?

In the FF 3.5 era, I saw that error. A proxy such as some anti-virus might cause this.
On the other hand, TB is "portable" and possibly the anti-virus scanner installs its proxy extension only into browsers that formally install themselves. (Antivirus installer later finds browser installer registry values)

Anonymous

November 15, 2016

works fine here thanks!

OT: some sites ask for HTML5 canvas. I always want to decline; is there a way to do this automatically for all sites? Thanks

Go to about:config and set javascript.enabled to "false". You should do this anyways, unless you like viruses. For non-accessibility-compliant websites made by sub-human trash that require javascript for no reason other than to try to get everyone hacked, just use view-source to read their content.

As suggested, I went to about:config and set javascript.enabled to "false", whereby I noticed, however, that there are also the following two settings pertaining to javascript within about:config:
capability.policy.maonoscript.javascript.enabled;allAccess
and
services.sync.prefs.sync.javascript.enabled;true

Is it correct to leave those settings unchanged? Or should those settings also get toggled to "false"?

Btw I am using Linux at this desktop (LinuxMint 17.3 freshly updated) and the new (freshly updated) Tor Browser 6.0.6

Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

Anonymous

November 15, 2016

I must admit I am getting fed up of Tor 'unexpectedly exiting' for no apparent reason, in Windows 7 at least. This fault has been dogging Tor for the past three or so versions. It never used to happen. Tor used to remain connected all the time, now it will 'unexpectedly exit' up to ten times a day. Can someone look to see what changed that might cause this? Or is Windows 7 just no good for Tor any more? Naturally I'd like to hear whether anyone else is experiencing this. If it's just me then I can't imagine why it is happening, nothing new has been added so far as I know that may conflict with Tor.

Could you get more information regarding what is causing the unexpected exit? So far, we have not heard many such reports and without further information it is hard to debug it. Can you reproduce the problem? Do you have an antivirus/firewall software you could uninstall to check whether that one is interfering?

I can't reproduce the problem. It's not antivirus or firewall interfering as far as I can tell. It happens most often when I have gone away from the computer or Tor a bit, although it has also happened when I have been using Tor, just more rarely. As I say, about three versions back it never happened, and I haven't changed anything since then so far as I know. I can't say what may be causing it, but it seems like a problem in Tor itself. But if no-one else has reported 'unexpected exits' in Windows 7 then I suppose it must be something my end, but no idea what.