Tor Browser 6.0a5-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a5-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

It contains a bunch of noteworthy changes. We switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary. We also ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Note: There is no incremental update from 6.0a3-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a4-hardened:

Tor Browser 6.0a5-hardened -- April 28 2016

  • All Platforms
    • Update Firefox to 45.1.0esr
    • Update Tor to 0.2.8.2-alpha
    • Update Torbutton to 1.9.5.3
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Translation updates
    • Update Tor Launcher to 0.2.8.4
      • Bug 13252: Do not store data in the application bundle
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Update meek to 0.22 (tag 0.22-18371-2)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable for now
    • Bug 17506: Reenable building hardened Tor Browser with startup cache
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
  • Build System
    • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Bug 18699: Stripping fails due to obsolete Browser/components directory
    • Bug 18698: Include libgconf2-dev for our Linux builds
Anonymous

April 29, 2016

Permalink

How can I upgrade from 5.5.5(stable) to experimental channel?
What do I need to edit in about:config?

Anonymous

April 30, 2016

Permalink

thanks again for another great release, and for keeping close pace with Firefox release cycles!

Anonymous

May 02, 2016

Permalink

Why the tor browser crash immediately in Max os 10.11.4 after clicking the connect button with 5.5.5(stable), and crash when you do any action with 6.0a5 after connecting successfully?

We think there is no need for an emergency release fixing the OpenSSL code we ship with Tor Browser. That said, the next Tor Browser versions will contain an updated OpenSSL.

Anonymous

May 05, 2016

Permalink

Does the hardened alpha auto update like the stable version or would I need to manually update it each time ?

Anonymous

May 06, 2016

Permalink

Disconnect search often produces meaningless results or nothing, whereas StartPage's results are very similar to Google. Today, Disconnect is banned from Google, so their search results are even worse. You should switch back to StartPage unless there is a strong reason not to.

Anonymous

May 07, 2016

Permalink

when you exit and enter the tor network, you end up showing ur real ip address right? when will or can tor be completely hidden from such showings. thats when u will get alot of people wanting to join tor.

when you exit and enter the tor network, you end up showing ur real ip address right?

No, as a client node you'll only show your IP when you enter (assuming you're using Tor properly). When you enter the network, your Guard node will see your IP, but it won't see where you're going nor what you're sending.

Read: https://www.torproject.org/about/overview.html.en

Anonymous

May 08, 2016

Permalink

The Tor browser built-in Torbutton is too simple, anyone tell me is there a GUI Tor manager ?

Anonymous

May 08, 2016

Permalink

Blogspot.com sites (owned by google) give all kinds of problems lately with tor and it has become more difficult to access them. It looks like google tries to redirect all the time, eventually failing to load the site.

Anonymous

May 11, 2016

Permalink

I could not run this hardened build. The stable version works fine . I'm using Debian 8 x64.

When I ran "start-tor-browser" in the terminal nothing happened, no output just nothing.

Let me know if you need any more information.

Anonymous

May 12, 2016

Permalink

Same problem here. My version of Tor Browser 6.0a5-hardened (running on Fedora 23) was working ok until last night. Then I downloaded a few Fedora system updates and now the browser doesn't launch. If I move the tor-browser directory to a Debian box everything works ok, so I guess one of the updates broke it.

Debug output when launching in Fedora:

==1043==AddressSanitizer CHECK failed: ../../.././libsanitizer/asan/asan_rtl.cc:556 "((!asan_init_is_running && "ASan init calls itself!")) != (0)" (0x0, 0x0)

Anonymous

May 14, 2016

Permalink

I received a special format of obfs4 from bridgedb, that is finished with "node-id=ia849c8c3eb819f". What I had before is end with "iat-mode=0".

It just means that the bridge is running an older version of obfs4proxy that uses a different format. See the changelog for obfs4proxy 0.0.3:

Change the obfs4 bridge line format to use a "cert" argument instead of the previous "node-id" and "public-key" arguments. The "cert" consists of the Base64 encoded concatenation of the node ID and public key, with the trailing padding removed. Old style separated bridge lines are still valid, but the newer representation is slightly more compact.

Anonymous

May 14, 2016

Permalink

What are the system requirements for the hardened TB, in terms of ram and cpu (goes without saying other than 64-bit cpu and the linux os)

CPU is not much of a problem, but you definitely need much more RAM than usual with the hardened build.

Anonymous

May 14, 2016

Permalink

doesn´t work with macOs (10.11.4).
Its the same as with the 5.5.5 version.

crashes just right after start for any reason; don´t know...

Since the version 5.0.7 I can´t use Tor .

Anonymous

August 19, 2016

Permalink

I just upgraded to 6.0.5. The moment it finished upgrading, MalwareByte's Anti-ransomeware fired up and quarantined the following as ransomware:

Malware.Ransom.Agent.Generic

Uh...what's up with that?

Hard to say. We don't have a Tor Browser 6.0.5. The most recent version is 6.0.4. How did you upgrade? Does this happen with a clean, new Tor Browser downloaded from our Website as well?