Tor Browser 6.0a5 is released

A new alpha Tor Browser release is available for download in the 6.0a5 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

This will probably be our last alpha release before the stable 6.0 and it contains a bunch of noteworthy changes.

First, we switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary.

Second, we ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Third, this alpha release introduces code signing for OS X in order to cope with Gatekeeper, the OS X mechanism for allowing only authorized applications to run. There were bundle layout changes necessary to adhere to code signing requirements. Please test that everything is still working as expected if you happen to have an OS X machine. We plan to post instructions for removing the code signing parts on our website soon. This should make it easier to compare the bundles we build with the actual bundles we ship.

The fourth highlight is the fix for an installer related DLL hijacking vulnerability. This vulnerability made it necessary to deploy a newer NSIS version to create our .exe files. Please test that the installer is still working as expected if you happen to have a Windows machine.

Known issues:

  • It seems there is a bug regarding our search engine selection in non-en-US bundles. The search engines actually used are the ones contained in the respective language packs but not those we ship. There is no easy workaround for this short of disabling the language pack or adding the search engines one wants to have by hand. We are sorry for this inconvenience.
  • An other issue is an error "Unable to start tor" after upgrading from an older version, on Mac OS (Bug 18928). Quitting and restarting a second time should fix the problem.
  • A third issue we found is the missing HTTPS-Everywhere extension in Mac OS bundles after an update from previous Tor Browser versions. Workarounds are either installing HTTPS-Everywhere manually from EFF's website or using a clean, new 6.0a5 Mac OS bundle.

Here is the full changelog since 6.0a4:

Tor Browser 6.0a5 -- April 28 2016

  • All Platforms
    • Update Firefox to 45.1.0esr
    • Update Tor to 0.2.8.2-alpha
    • Update Torbutton to 1.9.5.3
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Translation updates
    • Update Tor Launcher to 0.2.9.1
      • Bug 13252: Do not store data in the application bundle
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Update meek to 0.22 (tag 0.22-18371-2)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
Anonymous

April 28, 2016

Permalink

hello . Good jobs

How can i get New bridges?the E-mail address has beenchanged?i am not able to get new bridges by the current method and e-mail address

Anonymous

April 30, 2016

Permalink

Haven't been able to use this software in a windows PE environment since the Vidalia days... always get the XPCOM error, every time.

Anonymous

April 30, 2016

Permalink

BUG: the zoom level keeps changing on websites without me changing it on my own. I have tried changing the zoom level back to default using CTRL+0, and also through the menu, which resets it, but it changes on its own after going to new links.

bugzilla confirms that some webpages force the ugly rectangle at the bottom on Win to disappear without resizing the window, so the only option for this is zoom. And yes, this happens on 38esr.

Anonymous

May 01, 2016

Permalink

How does browser choose bridge? If use obfs4 (recommended), see that always same bridge. New Tor Circuit, New Identity, diy close re open browser.....always same bridge. Should not be random? Always same bridge good or bad for anonymity?

Also why about:config have 11 almost same bridges? Meaning, 11 have IP address with same first 3 numbers. Should not have more variety?

Anonymous

May 01, 2016

Permalink

Also
Tor button show Tor circuit:
This browser
Bridge: obfs4 (country)
Country (IP address)

Why not show bridge IP? Need to use other software to see bridge IP.

Also thank you.

Anonymous

May 07, 2016

Permalink

Hi, is there any possibility for the following for the android client?
Orbot should detect any connection to an unencrypted wifi network, block all other connection until it has connected to tor.
Also should handle free wifi login screens the same time.

This would be just awesome. :)

There is no one yet, alas. There is still https://trac.torproject.org/projects/tor/ticket/13694 which I did not get to, yet. The best we have is: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking pointing to our reproducible builds. Or you could take a look at the script driving the build: https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/giti….