Tor Browser 6.0.7 is released

Tor Browser 6.0.7 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2).

The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

We will have alpha and hardened Tor Browser updates out shortly. In the meantime, users of these series can mitigate the security flaw in at least two ways:

1) Set the security slider to "High", as this prevents the exploit from working.
2) Switch to the stable series until updates for alpha and hardened are available, too.

Here is the full changelog since 6.0.6:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2

Update: We would like to remind everyone that we (The Tor Project) are having our 2016 fundraising campaign! Donate today!

Anonymous

December 02, 2016

More and more exits end connections with blank pages instead of error messages :( :
09:41:19.841 The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.

Is that caused by the exit node? I always thought the white page was a form of tor blocking, because if you get a new circuit, sometimes it'll work. (And sometimes it's just bad web development and nothing shows up unless you javascript ;_;)

Yes, it is. Website works with a new circuit, shows special page for blocked IP, works without JS. And it is not actually the white page, it is zero size "page".

Many "javascript-only" articles can be read by simply pressing -u or right-clicking the page and clicking "view source" (for Orfox mobile type "view-source:" in the front of the address page).

Anonymous

December 02, 2016

A Problem on the Mac OS when using transport type scramblesuit it stops working after a period. I found to correct the problem I had to install the old TOR version 6.06 and reinstall from that TOR browser to recover transport type scramblesuit.

I also experienced a problem in which TOR would not start. I found 2 running TOR processes which were still running even though the Yosemite Mac showed the Tor browser not running in the Finder. Once the processes were closed Tor would open.

You mean a freshly downloaded Tor Browser 6.0.7 has the Scramblesuit issue but downloading a fresh 6.0.6 and updating to 6.0.7 fixes that for you? Interesting because we did not change any pluggable transport related parts in 6.0.7. It is basically just updated with the fix for the zero-day exploit (+ contains the up-to-date NoScript).

Understood. I also noticed scramblesuit will stop working after performing the downgrade and then upgrade. IP 83.212.101.3 to port 443 is not responding.

Log
07-12-2016, 9:26:40.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:28:40.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:30:14.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:32:14.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:38:41.300 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("general SOCKS server failure")

Anonymous

December 02, 2016

Hello to all.

I have a problem when I try to update Tor browser via update software with TBB.

Here's the return:

There were problems checking for, downloading, or installing this update. Browser Tor could not be updated because:

The integrity of the update could not be verified

It has always worked well for updates but the, I have a worry.

Thank you to you and to all the team.

Ps: I'm running Debian Os Parrotsec Version 3.2 64-bit
Linux kernel 4.8.0-parrot-amd64 x86_64.

Anonymous

December 02, 2016

Hello back

My update problem was solved by this: 1) Setting `app.update.staging.enabled` to `false` in your about:config should prevent it avoiding the application in the background.

Thank you for your comments, it is thanks to you that I solved my problem;)

Ps: 64-bit version 3.2
Linux kernel 4.8.0-parrot-amd64 x86_64

Thank you all is all

Anonymous

December 02, 2016

When using a Mac I get the following error in the log

Proxy Client: unable to connect to 83.212.101.3:443 ("general SOCKS server failure")

I find the IP above is not responding using 443 with scramblesuit

Anonymous

December 03, 2016

used tor with adguard is leaked my real dns is tor protect real ip and dns?

I don't know about adguard in particular, but this sounds like a good illustration of why you shouldn't add random extensions to your Tor Browser -- they can end up doing all sorts of surprising things that mess up your privacy.

Anonymous

December 03, 2016

I like it

Anonymous

December 04, 2016

Hey, can you help me?

Anonymous

December 03, 2016

I announced a problem in gk's blog on TB6.0.6 dated 11/27/2016. Basically I said

According to my torlog it isolates OK :

11/27/2016 17:50:54.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.

But I also reported that it actually did not work as I, thoughtlessly, ran an install from the internet and succeeded.

And gk admitted I should not have succeeded. I should have needed something like torsocks to get out when I had TB running.

On November 28th, 2016 gk said:

"Not sure how you have configured your package updates/installation but, no, Tor does not automatically tunnel all your network activity. You have to configure every application to do that."

I said I was using TB6.0.6 under ubuntu 16.04 (live-cd) on an old Toshiba Satellite. I burnt a fresh TB after I got suspicious against the old usb I had used so far.

And I reported the other strange symptom I had detected: The new thing that happens is a slight delay. A first attempt to start now always fails, independent of the configuration I choose.
But after a short while it works fine even with the config that failed to begin with.
Furthermore then communication is very slow, like 60k instead of the 200k I have had recently.

On November 30th, 2016 I reported:

By setting Privacy and Security settings to HIGH. and then in NoScript allowing all in the site I can even view video shows there, otherwise nogo.

The sad thing is that although this all looked like it could have to do with the problem solved by TB-6.0.7, after changing to TB-6.0.7 my connection works fast enough, BUT I still have this strange side connection to the internet. DisableNetwork does not work, that's my interpretation, somehow crawling beside it is possible.

And that means I cannot trust TB-6.0.7 either, right?

I am having a tough time figuring out what you're doing and what you're expecting.

Are you thinking that setting DisableNetwork in the config of the Tor process run by Tor Browser will somehow prevent...something else from happening on your computer?

The DisableNetwork option does not mean that Tor Browser is reaching into your computer and preventing your Internet from working. It simply means that the Tor process run by Tor Browser has been instructed to not make connections out to the Tor network.

Ok, so I am supposed to be able to reach the internet with other means in parallel with the TB. I thought that was stopped. Does Tails do that, perhaps I am confusing Tails and TB

Tails does have a firewall to prevent network traffic going out from applications that aren't properly configured to use Tor.

Tor Browser is just a browser: it tries to make sure that it behaves correctly, and it doesn't try to take over anything else on your computer.

Fine, so my worry about the parallel connection was a confusion.
Remains then this little increased delay, or rather a regular initial failure, to connect to tor network. It appeared when I started to use a CD to load TB6.0.6 from.
Ifconfig tells me the connection is up as both TX and TR are positive, but tor cannot connect (to a first server?; log would clarify?). Once I config to e.g. fte and try again everything is fine, if enough time has passed (?), if not I may fail. And if as a third attempt I revert to the default config, I almost always succeed. Why does this happen? Should I not worry about it?

First attempt
Config default

12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:56:41.700 [NOTICE] Renaming old configuration file to "/home/lubuntu/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc.orig.1"
12/07/2016 17:56:42.500 [NOTICE] Bootstrapped 5%: Connecting to directory server
12/07/2016 17:56:42.500 [WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Network is unreachable; NOROUTE; count 1; recommendation warn; host 35E8B344F661F4F2E68B17648F35798B44672D7E at 146.0.32.144:9001)
12/07/2016 17:56:46.200 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:56:46.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:46.200 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
12/07/2016 17:56:46.200 [NOTICE] Delaying directory fetches: DisableNetwork is set.
12/07/2016 17:57:07.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:07.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:07.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:07.200 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:57:12.900 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
12/07/2016 17:57:12.900 [WARN] Proxy Client: unable to connect to 128.105.214.163:8080 ("Network unreachable")
12/07/2016 17:57:12.900 [WARN] Proxy Client: unable to connect to 131.252.210.150:8080 ("Network unreachable")
12/07/2016 17:57:12.900 [WARN] Proxy Client: unable to connect to 128.105.214.161:8080 ("Network unreachable")
12/07/2016 17:57:13.000 [WARN] Proxy Client: unable to connect to 128.105.214.162:8080 ("Network unreachable")
12/07/2016 17:57:46.100 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:57:46.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:46.100 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
Next attempt
Config fte

12/07/2016 17:57:57.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:57.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:57.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:57.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:57:59.800 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
12/07/2016 17:57:59.900 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
12/07/2016 17:58:00.300 [NOTICE] new bridge descriptor 'noether' (fresh): $7B126FAB960E5AC6A629C729434FF84FB5074EC2~noether at 192.99.11.54
12/07/2016 17:58:00.300 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:00.900 [NOTICE] new bridge descriptor 'riemann' (fresh): $752CF7825B3B9EA6A98C83AC41F7099D67007EA5~riemann at 198.245.60.50
12/07/2016 17:58:00.900 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.300 [NOTICE] Bridge 'Lisbeth' has both an IPv4 and an IPv6 address. Will prefer using its IPv4 address (192.95.36.142:443) based on the configured Bridge address.
12/07/2016 17:58:01.300 [NOTICE] new bridge descriptor 'Lisbeth' (fresh): $CDF2E852BF539B82BD10E27E9115A31734E378C2~Lisbeth at 192.95.36.142
12/07/2016 17:58:01.300 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.600 [NOTICE] new bridge descriptor 'GreenBelt' (fresh): $C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716~GreenBelt at 154.35.22.9
12/07/2016 17:58:01.600 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.700 [NOTICE] new bridge descriptor 'Mosaddegh' (fresh): $8FB9F4319E89E5C6223052AA525A192AFBC85D55~Mosaddegh at 154.35.22.10
12/07/2016 17:58:01.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.700 [NOTICE] new bridge descriptor 'MaBishomarim' (fresh): $A832D176ECD5C7C6B58825AE22FC4C90FA249637~MaBishomarim at 154.35.22.11
12/07/2016 17:58:01.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.700 [NOTICE] new bridge descriptor 'LeifEricson' (fresh): $A09D536DD1752D542E1FBB3C9CE4449D51298239~LeifEricson at 83.212.101.3
12/07/2016 17:58:01.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.800 [NOTICE] new bridge descriptor 'JonbesheSabz' (fresh): $00DC6C4FA49A65BD1472993CF6730D54F11E0DBB~JonbesheSabz at 154.35.22.12
12/07/2016 17:58:01.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:02.100 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus
12/07/2016 17:58:05.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:05.900 [NOTICE] Bootstrapped 40%: Loading authority key certs
12/07/2016 17:58:06.800 [NOTICE] Bootstrapped 45%: Asking for relay descriptors
12/07/2016 17:58:06.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7235, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
12/07/2016 17:58:06.800 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:58:06.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:58:06.800 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
12/07/2016 17:58:07.000 [NOTICE] Delaying directory fetches: DisableNetwork is set.

There are two attempts to connect to start TB6.0.7 logged above. The first one with default config the second with "fte". Both failed, but a third, which again with default config, succeeded: unfortunately I failed to log it.

After I realized I should enable ufw to have any kind of firewall
and
do a security upgrade of ubuntu
I think problems are far less, if any at all.

Any comment on this sequence of events?
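An added example, not part of the original thread and not Tor Browser's own code: a small parser for logs in the format pasted above that splits them into connection attempts and reports how far each one bootstrapped and which warning stopped it. It assumes each attempt starts at an "Opening Socks listener" line; the sample log is constructed, with placeholder addresses and fingerprint.

```python
import re

# Constructed sample in the log format quoted in the comments above.
# Addresses and the relay fingerprint are placeholders, not values from the page.
SAMPLE_LOG = """\
12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:56:42.500 [NOTICE] Bootstrapped 5%: Connecting to directory server
12/07/2016 17:56:42.500 [WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Network is unreachable; NOROUTE; count 1; recommendation warn; host 0000000000000000000000000000000000000000 at 192.0.2.10:9001)
12/07/2016 17:56:46.200 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:57:57.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:57:59.800 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
12/07/2016 17:58:06.800 [NOTICE] Bootstrapped 45%: Asking for relay descriptors
12/07/2016 17:58:06.800 [WARN] Proxy Client: unable to connect to 192.0.2.20:443 ("general SOCKS server failure")
12/07/2016 17:58:06.800 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \[(\w+)\] (.*)$")
BOOT_RE = re.compile(r"^Bootstrapped (\d+)%: (.*)$")
STUCK_RE = re.compile(r"Stuck at \d+%: [^(]*\(([^;]+);")
PROXY_RE = re.compile(r'^Proxy Client: unable to connect to \S+ \("([^"]+)"\)')


def parse_attempts(text):
    """Split a log into connection attempts, one per 'Opening Socks listener'."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or truncated line: skip rather than guess
        date, clock, level, msg = m.groups()
        if msg.startswith("Opening Socks listener"):
            current = {"started": f"{date} {clock}", "progress": 0, "phase": "",
                       "failures": [], "cancelled": False}
            attempts.append(current)
        elif current is None:
            # DisableNetwork notices before the first listener only mean tor
            # has not yet been told to connect; they are not errors.
            continue
        elif level == "WARN":
            reason = STUCK_RE.search(msg) or PROXY_RE.match(msg)
            if reason and reason.group(1) not in current["failures"]:
                current["failures"].append(reason.group(1))
        elif BOOT_RE.match(msg):
            pct, phase = BOOT_RE.match(msg).groups()
            current["progress"], current["phase"] = int(pct), phase
        elif msg.startswith("Closing no-longer-configured Socks listener"):
            # The listener was torn down before bootstrap finished.
            current["cancelled"] = current["progress"] < 100
    return attempts


def summarize(attempt):
    """One-line verdict for an attempt returned by parse_attempts()."""
    if attempt["progress"] == 100:
        return f'{attempt["started"]}: connected'
    why = ", ".join(attempt["failures"]) or "no warning logged"
    return (f'{attempt["started"]}: stopped at {attempt["progress"]}% '
            f'({attempt["phase"]}); {why}')


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(summarize(a))
```

A "Network is unreachable" reason points at the host's own routing rather than at Tor or a bridge, while a SOCKS failure from the proxy client points at the pluggable transport's bridge.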

Anonymous

December 03, 2016

Tails 2.7.1 has been out for awhile but have read no posting of latest release of Tails on Tor Project blog?

Anonymous

December 04, 2016

10:53:36.100 Exception { message: "", result: 2147549183, name: "NS_ERROR_UNEXPECTED", filename: "resource://gre/modules/commonjs/too…", lineNumber: 236, columnNumber: 0, data: null, stack: "CanvasFrameAnonymousContentHelper.p…", location: XPCWrappedNative_NoHelper } protocol.js:907
10:53:36.200 "Protocol error (unknownError): [Exception... "Unexpected error" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/highlighters/utils/markup.js :: CanvasFrameAnonymousContentHelper.prototype._insert :: line 236" data: no]" Promise-backend.js:936

Anonymous

December 04, 2016

It looks like uMatrix should be part of TorBrowser. This module would give us finer control over what we want to block. NoScript is very good but rather unwieldy. Both modules would be an improvement. NS protects us against XSS and Clearclick, so we can’t do away with it (though Clearclick protection is disabled in TB NS, don’t know why).

Even in using Firefox, disabling CSS can be a good idea, on untrusted websites, like those of newspapers, and cloudflare hosted websites (maybe I’m wrong but I don’t trust Cloudflare).

I understand that all TB users should view web pages in the same way so as to be anonymous, but enabling JS, images, even CSS, is dangerous.

What do you think?

I think that disabling those things yourself could make you less anonymous but with less possible ways to be hacked.
I also think that it would be awesome if Tor Project could somehow find ways to disable more potentially vulnerable parts of the browser by default without sacrificing ease-of-use too much, and add the rest to the security slider so it can be disabled without making the browser more fingerprintable (see https://panopticlick.eff.org/). If disabling, say, SVG images and CSS animations hurts ease-of-use too much to be default, it could still be done at security slider "high" setting.

Right now it's not even possible to disable SVG manually (see https://trac.torproject.org/projects/tor/ticket/20772).

Anonymous

December 04, 2016

i love it

Anonymous

December 05, 2016

Thanks

Anonymous

December 06, 2016

Would the bug be effective in case of TBB running in VirtualBox running windows guest / windows host?

(guest connected to host in NAT mode, both macid and ip are dud in the virtualbox guest)

Anonymous

December 07, 2016

I reset NoScript but it seems to have taken it back to the vanilla NoScript rather than the Tor default configuration. How can I reset NoScript to the original Tor settings? I can't find any mention of what they are anywhere.

Open the security setting menu (click on the green onion -> Privacy and Security Settings... -> drag the slider to "Low" -> click "OK"). That should give you at least the settings back governed by the security slider. Apart from that there is no general button to reset the NoScript settings to the one we ship by default.

Anonymous

December 08, 2016

while using scramblesuit on a mac running yosemite a problem with port 443 on IP 83.212.101.3 responding preventing using that transport. That was corrected now I get the below error

08-12-2016, 19:42:25.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
08-12-2016, 19:47:25.800 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
08-12-2016, 19:47:25.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
08-12-2016, 19:47:25.800 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
08-12-2016, 19:47:26.700 [NOTICE] Delaying directory fetches: DisableNetwork is set.
I

Anonymous

December 08, 2016

I always install Tor onto a flash drive. Today I cut the Tor Browser folder from the flash drive and pasted it onto my desktop. I then downloaded the latest version of Tor Browser 6.0.7 to my desktop. I clicked on it and installed Tor 6.0.7 onto the flash drive. I forgot to make a back up copy of my latest bookmarks on the flash drive. I thought no big deal, I'll just close the Tor 6.0.7 program I was running on the flash drive, open the old version of Tor that I pasted onto the desktop, make a copy of my bookmarks and then exit the old version running off my C: drive. Much to my surprise, the latest version of Tor was also running on my C: drive and my latest bookmarks have been erased! I'm confused! I told the program to install Tor 6.0.7 onto the flash drive. Why does it also run Tor 6.0.7 off my C: drive when I installed it to the flash drive? Is there a way to find my last version of Tor, open it up, run it and retrieve my bookmarks? I don't use backup programs as I just try to keep the important stuff on external HDs.