Tor Browser 6.0a1-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Note: No incremental update from 5.5a6-hardened is available due to bug 17858. The internal updater should still work, though, by doing a complete update.

Here is the complete changelog since 5.5a6-hardened:

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.8.3
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)

Anonymous

January 27, 2016

Is it safe to use the hardened version in terms of security/anonymity? I remember a few years ago only the alpha version of TBB was targeted by adversaries and this is also in alpha....or is it better to stick with the stable version?

Qihoo is a Chinese antivirus company. They cheated on an independent test by using Bitdefender virus detection for the test while using their inferior QVM virus detection in their products.

http://www.pcmag.com/article2/0,2817,2483498,00.asp

QVM has a lower detection rate with more false positives. Since their product is based in Beijing with China being a primary market for them, of course they will tell users that Tor is malware!

Anonymous

January 28, 2016

I've downloaded tails five different times to update my existing version manually and every time it stops at exactly 72 percent. This is awful so is getting help. I can't even use pigeon to chat and email....ha good luck getting anything back. I've gone that road before. Why are you guys making things so difficult when you say you are making things easier? Feel sorry for the people in third world oppressive regimes sweating the download out.

Have you contributed to ToR? Have you paid money, written how-to, contributed code? Or do you think that software you paid nothing for should be giving you support all the while you are crying like a dirty little Democrat. Free stuff every one. You didn't do it my way so I'm pissed off now.
What juvenile attitude.

Goof ball!

P.S. Good job guys! There are always a few trolls around. Try to ignore them. Mostly you are highly appreciated.

Usability is king. Without it, you get complaints.

Your above statement is valid provided that users have paid for it or have donated funds towards its development or contributed software code to improve it.

Have you paid for it? or have you made a monetary donation or contributed software code?

If you have done neither of the above, please stop complaining.

Except that simply by using tor you're contributing. You're adding yourself to the noise.
However, to take a page from your book: unless you're affiliated with The Tor Project, why don't you leave it to those who are to tell people to stop complaining. Otherwise you're just being a troll who'll discourage new users.

> Except that simply by using tor you're contributing.

Flawed logic.

> However, to take a page from your book: unless you're affiliated with The Tor Project,

Define "affiliate". My friends and I do contribute to the Tor Project in different ways. What about you?

> Otherwise you're just being a troll who'll discourage new users.

We know who the real new users are and the regular NSA troll who's lurking in the background, monitoring and reporting back to his overlord.

> I've downloaded tails five different times to update my existing version......

So the NSA troll is now spamming this blog with posts about Tails. He used to spam here about the latest version of TBB not being able to work with Adobe Flash.

While I can understand the frustration with getting the same questions about flash (some of which, but not all, are from trolls,) by repeatedly complaining about it you're scaring off legitimate potential users who are uneducated in the technical complexities.

> While I can understand the frustration with getting the same questions about flash (some of which, but not all, are from trolls,)

Our regular NSA troll always complains about Adobe Flash not working AND telling us he's reverting to using an older version DESPITE repeated cautionary advice from us.

> by repeatedly complaining about it you're scaring off legitimate potential users who are uneducated in the technical complexities.

Give specific examples and dates of our posts in which we complain about Adobe Flash not working with TBB.

Since there's a commonality between your failed attempts to download and the point at which you are being stopped I'd have to say that you are running out of disk space, you are using your persistence partition or even both. By the sounds of it I'm assuming that you are upgrading manually with the intermediate download attempt of the ISO...meaning that you already have Tails 2.0 obviously. If that is the case, make sure that you are choosing the Tor browser folder NON-persistence for the location to save. Save the ISO there and then upgrade a new copy "with ISO" in the Tails installer, then follow the rest of the directions.

That isn't mentioned in the directions and it is understandable that one would make this mistake. Hope this helps!

"meaning that you already have Tails 2.0 obviously."

I think he/she meant to say that the original poster probably has 1.8.2 tails. But I concur that the op looks to have been struggling with disk space and inadvertently was directing it into the persistence folder.

Over the years, at times I have also experienced frustrating problems downloading the iso for the latest Tails edition. Using wget with the -c flag running in the previous Tails edition seems to work for me. Try man wget (in a console in your current Tails) and ask if it isn't clear. You don't need to worry about torsocks if you use Tails (someone please correct me if I am wrong!).

Don't get upset by the two replies accusing you of being an "NSA troll", and thanks to the other poster who tried to help you (the post beginning "Since there's a commonality between your failed attempts to download and the point at which you are being stopped I'd have to say that you are running out of disk space...")

> Don't get upset by the two replies accusing you of being an "NSA troll"

A troll is one who, despite numerous reminders that this blog isn't the right place to ask for technical support for Tails, persists in doing so and thus spamming it.

Tails, on its official website, lists several options for users who need technical support. The URL is https://tails.boum.org/support/index.en.html

You are a troll too, you pick and choose some people to criticize for posting about tails but not all, you only pick on those who ask about tails and not on those who talk about anything else not related to tbb. You do this only to annoy people who need help. the people from tails do not respond to all questions received, but someone may get lucky by asking for help here, not from you tho, you TROLL.
"someone who leaves an intentionally annoying message on the internet, in order to get attention or cause trouble" That's exactly what you do, complain, complain, complain about people not posting exclusively about tbb, just to annoy.

> you pick and choose some people to criticize for posting about tails but not all, you only pick on those who ask about tails and not on those who talk about anything else not related to tbb.

Where's your proof? Give specific examples.

> You do this only to annoy people who need help.

False accusation. We merely pointed out to people who need Tails' support to use the relevant channels. Those people who, despite our repeated advice, persisted in posting for Tails' help here are really trolls.

> the people from tails do not respond to all questions received,

Another false accusation, this time not against us but against the Tails' team. Where's your proof that Tails' tech support do not respond to all questions received?

Two false accusations, one against us and another against Tails, have proved to all readers of this blog that you're really the NSA troll.

We hope that you are being handsomely remunerated for your effort in trolling here. Staff at NSA are each paid at least a million dollars annually for their contributions to the US mass surveillance programs. We doubt very much your derisory annual compensation is anywhere near a million dollars.

Of course it would only be fitting that we help someone when it's only formally appropriate. You need more bureaucracy in your life. Enforce and stay within the lines!

Yes, except none of these are available to non-technical users who want to keep their contact through tor. I'm not saying that this is the right place for it, but part of the reason it ends up here is that the Tails team hasn't exactly made it easy for people who can't figure out how to email through tor to contact them.

> but part of the reason it ends up here is that the Tails team hasn't exactly made it easy for people who can't figure out how to email through tor to contact them.

Look here, I fail to see why people need to use Tor to send emails asking Tails for technical support. What's so secret or confidential about the contents of Tails' tech support?

Do these same people also use Tor to post their comments here? Why do they need to do so?

Not everyone wants others to know that they're using tor. Therefore they use pluggable transports to connect to tor and can only contact the Tails team or post here through tor (via pluggable transports.)

> Not everyone wants others to know that they're using tor.

You haven't exactly answered our question.

Let us rephrase it. Why do people need to use Tor to contact Tails' tech support? As for us, we don't.

Because if you're trying to get Tails' tech support you're probably trying to use tails, and if you're trying to use tails you're trying to use tor.
So if you're trying to hide that you're using tor, you've got to hide any contact to Tails' tech support
I don't know why I'm even responding to you at this point. Given your sheer number of posts and the speed of your responses, you're probably the NSA troll you're claiming to warn us about. The negativity that you spew is just the thing that turns people off. It also explains why you refer to yourself as plural.

> Because if you're trying to get Tails' tech support you're probably trying to use tails, and if you're trying to use tails you're trying to use tor.
>
> So if you're trying to hide that you're using tor, you've got to hide any contact to Tails' tech support

OMG.....

Such convoluted thinking....can only come from people with severe paranoia.

What if we were to tell you and your severely paranoid friends that the NSA has found some vulnerabilities in Tor?

What if I were to tell you that I had a magic anonymity system that nobody could break, no matter what?

The "what if I were to tell you" rhetoric is exactly the one used to spread FUD without providing any facts or details. Please don't do it.

Anonymous

January 28, 2016

Can't use browser in full screen. I am using screen size spoofing in headers. Where do I remove the limitation?

Full screen works for me on different machines. What do you mean with "I am using screen size spoofing in headers"? How can I reproduce your problem? Does it go away if you click on the green onion and choose "New Identity"?

You mean gray bars lettersizing your screen when you maximize?

That's there to reduce unification by screen size.

Tor browser gives a warning not to use maximise screen for risk of compromising your identity. I had problems like that in the previous rc version of tails 2.0 but now in the New Tails 2.0 version I could maximise if I wanted it.

Looking at the AddressSanitizer documentation, i386 seems to be supported. The problem is that, as a large, complex program, Firefox uses a lot of memory. With ASan added to that, you're going to run out of 32-bit address space, and your browsing session will come to an abrupt end.

32-bit user space is only 3GiB (unless you have a kernel with hugemem patches). Browsing more than a few simple web pages causes the current hardened Tor Browser to allocate more than that.

Yeah looks like ASan allows a smaller shadow region on 32 bit platforms, but that severely cuts into usable address space. Another issue is that the quarantine zone size directly affects how effective ASan's use-after-free protections are, and 32 bit systems likely don't have enough RAM to provide effective protection there either.

Something in Firefox leaks memory like a sieve (I messed around with reducing the quarantine zone size to force memory to be released back to the system), so the 32 bit ASan build will die horrible screaming death sooner than later.
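
The point made above about quarantine size, as an added example that is not part of the original comments and is not AddressSanitizer's code: a toy FIFO quarantine model showing that a use-after-free is only caught while the freed chunk is still held back from reuse. The function names, chunk sizes and budgets are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy model (not ASan's code): freed chunks wait in a FIFO quarantine and
   are released for reuse, oldest first, once the byte budget is exceeded. */
#define MAX_CHUNKS 64

typedef struct {
    int id[MAX_CHUNKS];
    size_t size[MAX_CHUNKS];
    int head, count;
    size_t bytes, budget;
} quarantine;

static void q_evict_oldest(quarantine *q) {
    q->bytes -= q->size[q->head];
    q->head = (q->head + 1) % MAX_CHUNKS;
    q->count--;
}

/* free(): quarantine the chunk, then evict until back under budget. */
static void q_free(quarantine *q, int id, size_t size) {
    if (q->count == MAX_CHUNKS) q_evict_oldest(q);   /* ring is full */
    int tail = (q->head + q->count) % MAX_CHUNKS;
    q->id[tail] = id; q->size[tail] = size;
    q->count++; q->bytes += size;
    while (q->count > 0 && q->bytes > q->budget) q_evict_oldest(q);
}

/* A dangling access is only flagged while its chunk is still quarantined. */
static int q_detects(const quarantine *q, int id) {
    for (int i = 0; i < q->count; i++)
        if (q->id[(q->head + i) % MAX_CHUNKS] == id) return 1;
    return 0;
}

/* Free chunk 0, then `churn` more chunks; is a late use of chunk 0 caught? */
int uaf_caught(size_t budget, size_t chunk_size, int churn) {
    quarantine q = { .budget = budget };
    q_free(&q, 0, chunk_size);
    for (int i = 1; i <= churn; i++) q_free(&q, i, chunk_size);
    return q_detects(&q, 0);
}

int main(void) {
    size_t mib = (size_t)1024 * 1024;   /* constructed sizes, for illustration */
    printf("256 MiB quarantine: caught=%d\n", uaf_caught(256 * mib, 4 * mib, 40));
    printf(" 16 MiB quarantine: caught=%d\n", uaf_caught(16 * mib, 4 * mib, 40));
    return 0;
}
```

With the same 40 frees of 4 MiB after the victim chunk, the large quarantine still holds the victim while the small one has already released it for reuse, so the late access goes unflagged.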

Anonymous

January 28, 2016

Still has the problem of eating up all available memory and doesn't seem to free it up once those windows are exited.

Anonymous

January 28, 2016

I would use Tor a lot more if it could stream video. That would truly make it a full service browser. As it is, it's very limited. Isn't there some way to create a secure Tor friendly substitute for adobe flash?

> I would use Tor a lot more if it could stream video.

We should never ever stray from Tor's first principles, one of which is to help people living in authoritarian and oppressive regimes to communicate.

We don't see how streaming and watching videos through Tor can help advance the latter's first principles.

What immediately comes to mind are the slick video clips produced by IS (Islamic State), ISIL (Islamic State of Iraq and the Levant) or ISIS (Islamic State of Iraq and Syria) which are in great demand by jihadis. Such video clips are readily found using Tor.

Perhaps you're a jihadi-wannabe interested in streaming video clips produced by Islamic State?

> What immediately comes to mind are the slick video clips produced by IS (Islamic State), ISIL (Islamic State of Iraq and the Levant) or ISIS (Islamic State of Iraq and Syria) which are in great demand by jihadis. Such video clips are readily found using Tor.
>
> Perhaps you're a jihadi-wannabe interested in streaming video clips produced by Islamic State?

I think you may have been reading too much USG scare mongering ("ISIS in all our heads" [sic]).

Isn't it more likely that a random internet user is

(i) interested in Tor Browser because it is getting a reputation for being the most secure easy to install/use browser?

(ii) interested in streaming videos to watch instruction videos like Khan Academy or "how to install a network card"?

(iii) doesn't yet understand how dangerous Flash can be if you are trying to stay secure online?

> We should never ever stray from Tor's first principles, one of which is to help people living in authoritarian and oppressive regimes to communicate.

Plus one.

> We don't see how streaming and watching videos through Tor can help advance the latter's first principles.

I hope we all agree that the goal of "mainstreaming" Tor which Shari Steele has said will be a major priority is absolutely necessary to ensure the long term survival of the Project. For so many reasons, but to mention just two: (i) if everyone in "the West" uses Tor on a daily basis, hostile FVEY governments will find it politically difficult to simply declare TP illegal (ii) the more people who use Tor daily for all kinds of ordinary things, the easier it will be for people living in "active conflict zones" or nations with harshly repressive governments to "hide among the noise".

But this means that we will need to explain to prospective Tor users who are shocked to find something they consider "essential" [sic] is harder with Tor Browser that anonymity, security, and convenience sometimes conflict, so the developers often need to make design choices, and quite properly give extra weight to the personal security needs of those users whose lives quite literally depend upon Tor keeping them anonymous.