Tor Browser 6.0.8 released

Tor Browser 6.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Besides updating Firefox to 45.6.0esr, which fixes important security bugs, we ship the latest Tor stable version, 0.2.8.11. HTTPS-Everywhere is updated as well (to 5.2.8), and we have made improvements to our default obfs4 bridges.

Here is the full changelog since 6.0.7:

  • All Platforms
    • Update Firefox to 45.6.0esr
    • Update Tor to 0.2.8.11
    • Update Torbutton to 1.9.5.13
    • Update HTTPS-Everywhere to 5.2.8
    • Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
    • Bug 20837: Activate iat-mode for certain obfs4 bridges
    • Bug 20838: Uncomment NX01 default obfs4 bridge
    • Bug 20840: Rotate ports a third time for default obfs4 bridges
PETER

December 15, 2016

I'm having lots of trouble running Tor on Kali Linux 2.0.

I only can run it from a terminal window and changing my clock to UTC, it rarely opens as a browser itself. I've tried with bridges, but the connection process seems to last forever: it stays the whole night without changes.

Your help will be welcome. Thank you.

PETER

December 15, 2016

I like this app more since I have started to use it.
Thankful for your work, guys. Much love to you.

PETER

December 16, 2016

Thanks

Your task manager is correct. For Windows we only have 32bit builds yet mainly as Mozilla introduced 64bit Firefox builds for Windows not that long ago and we wanted to see that platform stabilized first before supporting it as well. That said we plan to work on a 64bit Tor Browser for Windows next year, after we switched to the new long-term support version, ESR52.

But Sebastian was correct as well. He was talking about tor the network program that Tor Browser ships.

PETER

December 16, 2016

Every Tor Binary since Tor Browser 5.0.7 release has caused the following error on XP:

"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."

PETER

December 16, 2016

Two bugs

1 bug inherited from firefox that is more than highly annoying.
When printing and saving Torbrowser is not remembering the printing settings anymore which means every time adjusting 4,5,6,7, settings while the older ESRs (38) were remembering these settings.
Highly annoying if you have to print articles a lot and do the setting thing over and over and over again.

It also does not make sense for example that in the 'page header' section first the title is chosen and 3rd the page url.
In this order you will almost never get the full url on your print and then it is wasted information anyway.
It makes more sense to reverse these two (or delete the page title) and start with the full url only.

For the page footer, and I already remarked on that on this site a long while ago, printing date and time is not always helpful because you cannot visually remove this while you can remove the creation dates if you want to.
Keep it blank as a standard setting gives more privacy.

2, other bug, when javascript is turned off the redirection of the ddgo search engine is not redirecting to the non-javascript search engine page.

Thanks

I also just tested the setting and picked up also a very good working 10.6.8 system and the redirect is not working at all.

It is stuck with this message
"You are being redirected to the non-JavaScript site.
Click here if it doesn't happen automatically."

So, No, it does not redirect to duckduckgo to the javascriptfree site automatically.

I think it is NoScript again.
I do not use the security slider but manual security settings in NoScript.

With these higher security settings Torbrowser is also still (for several browser versions now (6, 5, 4?)) completely crashing (!) when trying to print as pdf web content on some websites as mentioned before (long ago).

When I have time, I'll consider finally to look for the procedure making a (or a list of) bug report(s) on Torproject, but will not also go for the 'account' hassle on mozilla over there for reporting other browser things.
I do not believe they will pickup Mac bug things anyway because they are on this (in my opinion negative) ignoring old userbase track of making support for mac's smaller and smaller and smaller as a practical solution for their problems with making a stable browser for the Mac OS X platform (which they did not really succeed from Australis versions from around 28 or so for 32 bit systems and also even 64 bit mac systems).

Torbrowser 5 works relatively fine on older Mac systems (better than FF38 itself) and also some 4 versions do well by the way.
For Torbrowser version 6 I highly dislike that the browser profile is stored in the local library instead of within Torbrowser.app itself, this solution is against mobile and clean usage, leaving traces everywhere.
I like the 5 version still more because of less bugs.

But, it has to be said,
thanks for the good work on this browser anyway.

PETER

December 16, 2016

The browser that says "-Nan:Nan"

This error is showing up on youtube.
Probably because you disabled this setting in about:config?
svg.in-content.enabled;false

Now I was already wondering why I could not open that nice Tor image from the about:tor page in a new window in Torbrowser.
"onion-heart.svg"
It's an svg and that's disabled.

Therefore I knew that playing youtube content would be a problem because the play-button-bar has something to do with svg.
Enabling "svg.in-content.enabled" is fixing the playing choices and does let disappear the magic "-Nan:Nan" (any rabbits around?) language.

Didn't mozilla solve the svg issue?

O, and please consider to change the Torbrowser icon in that lovely nice hearted onion! It's far more beautiful and positive looking than that (not so nice) green world icon.

PETER

December 17, 2016

Problem: Mac OSx running Yosemite

-When a find is initiated in Torbrowser it is copied to Firefox 50.02 demonstrating some sort of link between the 2 applications.

-Meek Azure transport type does not work.

Yes that is a strange problem already mentioned here long time ago.
It is a General Mac OS X problem with mozilla browsers.

See why-where this is happening
Make a search attempt in one of your mozilla browsers, with 'cmd' 'f' .
Open your TextEdit program from the applications folder.
Open find-replace function (with 'cmd' 'f') in TextEdit and you will see exactly the word you used in your mozilla browser is filled in in the "Find:" space.

As long as the word is over there it will be shown in the search field of mozilla browsers. Even if you close the browsers and open them again it will be there!

The only user solution is to remove that particular word or phrase from the "Find:" space in TextEdit program or don't use the 'find' function in your browser at all if that is a privacy concern to you.
No workaround, unless Torbrowser (or mozilla) devs are fixing this and break the relationship of the find function in Torbrowser and Mac OS X.

We will see, or not.

Re your first issue: Yes, this is a bug and in our bug tracker I believe (I can't seem to find the ticket right now, though :/ ).
Re your second issue: Albeit slow it works for me. I just tested it on a Linux machine. Do you get errors you could paste somewhere?

PETER

December 17, 2016

Privacy security concern ?

Why is local file browsing in Torbrowser enabled?
One can browse local files via Torbrowser with these url's

file://
file:///

Would it be possible (thinking from an attacker's point of view) that this would be embedded as a (hidden) file path on a website and stealing one way or another that local file directory displayed information?
Like, or even an url file:///followed by a standard path to a local documents directory/

Is it possible to steal local directory information (with the help of standard enabled javascripts) from some sort of cache-history directory in a current session?
I really hope not.

Now, I do not think people use this function on a regular basis or even a lot, probably almost never.
Can you consider, will you do, or tell us how to disable this function to prevent privacy and security related issues and accidents?

Thank you in advance for looking at this possible privacy security concern

Content is not supposed to have access to file:/// URLs. (Although there have been path traversal bugs in the past in Firefox.) Being able to view local files (e.g. PDFs in the Tor Browser PDF viewer) is a neat feature to have actually.

Thanks.
In-browser pdf viewing is still standard enabled by the way. From a security point of view I should think, just download pdf files, use a local pdf viewer application and make sure that pdf viewer has no access to internet and or disable embedded pdf javascripts. But maybe in-browser viewing has a better security management perspective from Torproject point of view.

PETER

December 19, 2016

Is Google search in Tor Browser completely broken for anyone else now, or just me?

For the last few days, if the Privacy and Security slider is set to any level other than High, any Google searches I attempt in Tor Browser seem to trigger the Robots test by default, resulting in a series of "Select all images with X" and/or "Select all squares with X" type reCaptcha puzzles that must be solved first, instead of the usual "To continue, please type the characters below:" reCaptcha prompt. And if I manage to pass this significantly more laborious reCaptcha test and get the tick in the box signifying that "I'm not a robot", clicking the "Submit" button just redirects me to a Google error page with a picture of a robot, broken and in pieces, with the following text:

"400. That’s an error.

Your client has issued a malformed or illegal request. That’s all we know."

If the Privacy and Security slider is set to High, any Google searches I attempt in Tor Browser also seem to trigger the Robots test by default now, causing the "To continue, please type the characters below:" reCaptcha prompt to appear. And if the correct "characters" are submitted, I get a brief wait a moment while we redirect you notification, then get taken to my Google search results, then immediately after the tab with my Google search results has finished "Connecting" and loaded completely, I get dumped on a Google error page with the same picture of a robot, broken and in pieces, with the following text:

"403. That’s an error.

Your client does not have permission to get URL /sorry..."

Getting these problems too, using google in Tor is becoming harder and harder - they make you jump through hoops ticking images only to tell you at the end that "Your client has issued a malformed or illegal request. That’s all we know." That's all they know!!!!

PETER

December 20, 2016

Not exactly anonymous that Torbrowser?

I always wondered why I was exactly landing on the mac part of the Tor download page when I clicked on a Torbrowserlink for updating Torbrowser.
I forgot it some time ago.
But now it happened again when I was checking an insecurity warning near the lock in the url bar.
I clicked on the lock, clicked on the right arrow and then clicked on the 'Learn more' link.
Then I was redirected to a Mozilla page in two steps.
This was the final landing page
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox?red…

But for a very short moment I first saw another page in the url bar, that was this one
https://support.mozilla.org/1/firefox/45.6.0/Darwin/en-US/mixed-content
A surprisingly accurate link.

Apparently all the measures of changing the useragent string and some more values in about:config does not make my Torbrowser anonymous.
This link is telling the accurate version of my Torbrowser and the system I was on, Darwin is referring to the Mac OS X version of Torbrowser and is far from what the useragent string is telling
general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

Now my question is,
apparently there is code in Torbrowser active that can tell someone else the right information about the exact kind of Torbrowser version I am on.
Information that my Torbrowser is trying to hide.

If Torproject can read this information and Mozilla can, who else can detect this browser information?
No-one? Any-one? Only Smart 'web developers'?
And if they can, is changing the useragent string a half privacy solution then?

I am very curious for the privacy answer
Thank you in advance

The browser itself knows these things. Have a look at the value for "app.support.baseURL" in your about:config. There you'll find placeholders like %OS% which are filled in by your browser just before the request goes out. That does not mean that web content has the same capabilities. In fact, that would be a severe bug if that were the case.
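
An added illustration of the reply above, not Firefox or Tor Browser code: it lists which pref values carry `%NAME%` placeholders that the browser fills with real platform data, and the URL the browser itself would then request. The template value for `app.support.baseURL`, the function names and the placeholder set are assumptions chosen to match the URL quoted in the comment.

```javascript
// Added illustration, not Firefox or Tor Browser source code.
// Placeholders that a privileged URL formatter fills with real platform data.
const REVEALING = new Set(["OS", "VERSION", "LOCALE"]);

// Expand %NAME% placeholders from `env`; unknown names are left untouched.
function expandTemplate(template, env) {
  return template.replace(/%([A-Z_]+)%/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? env[name] : whole);
}

// For each pref, list the revealing placeholders and the URL the browser
// itself would request. Only the server behind that URL receives the values;
// page scripts never see the pref or the substitution.
function auditPrefs(prefs, env) {
  const findings = [];
  for (const [name, value] of Object.entries(prefs)) {
    const used = [...value.matchAll(/%([A-Z_]+)%/g)]
      .map((m) => m[1])
      .filter((p) => REVEALING.has(p));
    if (used.length > 0) {
      findings.push({ pref: name, placeholders: used,
                      expanded: expandTemplate(value, env) });
    }
  }
  return findings;
}

// Constructed sample input. The baseURL template is an assumed value that
// reproduces the quoted URL; the override string is the one from the comment.
const samplePrefs = {
  "app.support.baseURL":
    "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/",
  "general.useragent.override":
    "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0",
};
const sampleEnv = { VERSION: "45.6.0", OS: "Darwin", LOCALE: "en-US" };

const report = auditPrefs(samplePrefs, sampleEnv);
console.log(JSON.stringify(report, null, 2));
```

Only the support URL is flagged: the user-agent override is a fixed string sent to websites, while the expanded template goes out only on the browser's own request to the configured host.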

PETER

December 20, 2016

feature or bug?

In the past (don't know when exactly) when you changed the security slider the website automatically loaded with the new settings. Now you have to click reload. ty

PETER

December 21, 2016

:D

PETER

December 21, 2016

Can you answer me why this browser is too slow!!? And I can't search anything, nothing in the page, it is just a blank page, what the fuck???

PETER

December 22, 2016

Do wish you all could find a way to spoof the window size, not a lot of real estate on a netbook. Great work though really.

PETER

December 22, 2016

SUPER

PETER

December 23, 2016

Nice

PETER

December 26, 2016

Hi, I've been having this problem since the day I installed tor browser, all the other browsers stop responding or they just crash..and my cam light blinks..help...

PETER

December 28, 2016

Why not remove Disconnect from the Torbrowser search bar in the top right? It only defaults to Duckduckgo

PETER

December 29, 2016

Just started with you guys....
Hope to have a wonderful ride... :)

PETER

December 31, 2016

I am using the DuckDuck go thing. However I am using Torbrowser with its circuit. And if I try to go on an onion site, it says I can't get in the site.

PETER

December 31, 2016

Has the circuit info panel recently been removed? I'm using a system wide installation of Tor if that makes any difference, but a few days ago I also couldn't see it with the bundled Tor version. In both cases extensions.torbutton.display_circuit was set to true.