Tor Browser 6.5 is released

Tor Browser 6.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is a major release and the first one in the 6.5 series. First of all it fixes the usual critical bugs in Firefox by updating to ESR 45.7.0. It contains version updates to other bundle components as well: Tor to 0.2.9.9, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and NoScript to 2.9.5.3.

Besides those updates Tor Browser 6.5 ships with a lot of the improvements we have been working on in the past couple of months.

On the security side we always block remote JAR files now and remove the support for SHA-1 HPKP pins. Additionally we backported from an other firefox branch patches to mark JIT pages as non-writable and other crash fixes that could disrupt a Tor Browser session quite reliably.

With respect to user tracking and fingerprinting we now isolate SharedWorker script requests to the first party domain. We improved our timer resolution spoofing and reduced the timing precision for AudioContext, HTMLMediaElement, and Mediastream elements. We stopped user fingerprinting via internal resource:// URLs, and for Windows users we fixed a regression introduced in Tor Browser 6.0 which could leak the local timezone if JavaScript were enabled.

A great deal of our time was spent on improving the usability of Tor Browser. We redesigned the security slider and improved its labels. We moved a lot of Torbutton's privacy settings directly into the respective Firefox menu making it cleaner and more straightforward to use. Finally, we moved as many Torbutton features as possible into Firefox to make it easier for upstreaming them. This allowed us to resolve a couple of window resizing bugs that piled on over the course of the past years.

The features mentioned above are only some of the highlights in Tor Browser 6.5. The full changelog since 6.0.8 is:

  • All Platforms
  • Update Firefox to 45.7.0esr
  • Tor to 0.2.9.9
  • OpenSSL to 1.0.2j
  • Update Torbutton to 1.9.6.12
    • Bug 16622: Timezone spoofing moved to tor-browser.git
    • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
    • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Bug 20701: Allow the directory listing stylesheet in the content policy
    • Bug 19837: Whitelist internal URLs that Firefox requires for media
    • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
    • Bug 19273: Improve external app launch handling and associated warnings
    • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
    • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
    • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
    • Bug 20556: Use pt-BR strings from now on
    • Bug 20614: Add links to Tor Browser User Manual
    • Bug 20414: Fix non-rendering arrow on OS X
    • Bug 20728: Fix bad preferences.xul dimensions
    • Bug 19898: Use DuckDuckGo on about:tor
    • Bug 21091: Hide the update check menu entry when running under the sandbox
    • Bug 19459: Move resizing code to tor-browser.git
    • Bug 20264: Change security slider to 3 options
    • Bug 20347: Enhance security slider's custom mode
    • Bug 20123: Disable remote jar on all security levels
    • Bug 20244: Move privacy checkboxes to about:preferences#privacy
    • Bug 17546: Add tooltips to explain our privacy checkboxes
    • Bug 17904: Allow security settings dialog to resize
    • Bug 18093: Remove 'Restore Defaults' button
    • Bug 20373: Prevent redundant dialogs opening
    • Bug 20318: Remove helpdesk link from about:tor
    • Bug 21243: Add links for pt, es, and fr Tor Browser manuals
    • Bug 20753: Remove obsolete StartPage locale strings
    • Bug 21131: Remove 2016 donation banner
    • Bug 18980: Remove obsolete toolbar button code
    • Bug 18238: Remove unused Torbutton code and strings
    • Bug 20388+20399+20394: Code clean-up
    • Translation updates
  • Update Tor Launcher to 0.2.10.3
    • Bug 19568: Set CurProcD for Thunderbird/Instantbird
    • Bug 19432: Remove special handling for Instantbird/Thunderbird
    • Translation updates
  • Update HTTPS-Everywhere to 5.2.9
  • Update NoScript to 2.9.5.3
  • Bug 16622: Spoof timezone with Firefox patch
  • Bug 17334: Spoof referrer when leaving a .onion domain
  • Bug 19273: Write C++ patch for external app launch handling
  • Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
  • Bug 12523: Mark JIT pages as non-writable
  • Bug 20123: Always block remote jar files
  • Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
  • Bug 19164: Remove support for SHA-1 HPKP pins
  • Bug 19186: KeyboardEvents are only rounding to 100ms
  • Bug 16998: Isolate preconnect requests to URL bar domain
  • Bug 19478: Prevent millisecond resolution leaks in File API
  • Bug 20471: Allow javascript: links from HTTPS first party pages
  • Bug 20244: Move privacy checkboxes to about:preferences#privacy
  • Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
  • Bug 20709: Fix wrong update URL in alpha bundles
  • Bug 19481: Point the update URL to aus1.torproject.org
  • Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
  • Bug 20442: Backport fix for local path disclosure after drag and drop
  • Bug 20160: Backport fix for broken MP3-playback
  • Bug 20043: Isolate SharedWorker script requests to first party
  • Bug 18923: Add script to run all Tor Browser regression tests
  • Bug 20651: DuckDuckGo does not work with JavaScript disabled
  • Bug 19336+19835: Enhance about:tbupdate page
  • Bug 20399+15852: Code clean-up
  • Windows
    • Bug 20981: On Windows, check TZ for timezone first
    • Bug 18175: Maximizing window and restarting leads to non-rounded window size
    • Bug 13437: Rounded inner window accidentally grows to non-rounded size
  • OS X
    • Bug 20590: Badly resized window due to security slider notification bar on OS X
    • Bug 20439: Make the build PIE on OSX
  • Linux
    • Bug 20691: Updater breaks if unix domain sockets are used
    • Bug 15953: Weird resizing dance on Tor Browser startup
  • Build system
    • All platforms
      • Bug 20927: Upgrade Go to 1.7.4
      • Bug 20583: Make the downloads.json file reproducible
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
      • Bug 18291: Remove some uses of libfaketime
      • Bug 18845: Make zip and tar helpers generate reproducible archives
    • OS X
      • Bug 20258: Make OS X Tor archive reproducible again
      • Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
      • Bug 19856: Make OS X builds reproducible (getting libfaketime back)
      • Bug 19410: Fix incremental updates by taking signatures into account
      • Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one
Anonymous

February 07, 2017

In reply to by Anonymous (not verified)

Permalink

YES

Anonymous

February 12, 2017

In reply to by Anonymous (not verified)

Permalink

how did you get it? i've been trying for 3 hours ad cannot get the linux version to either update(unknown error) or download from scratch (file not available)

Anonymous

January 24, 2017

Permalink

thanks !

browserfingerprint result is even in the highest setting not very good

"Are you unique? Almost! (You can most certainly be tracked.)"

[details snipped]

But only 301 browsers out of the 301007 observed browsers (0.09 %) have exactly the same fingerprint as yours.

middle setting
--------------------
"Are you unique?" Almost! (You can most certainly be tracked.)"

[details snipped]

"But only 391 browsers out of the 301001 observed browsers (0.09 %) have exactly the same fingerprint as yours."

source https://amiunique.org/

It's getting better but still too trackable:

"But only 2356 browsers out of the 301620 observed browsers (0.80 %) have exactly the same fingerprint as yours."

Let's wait

Yes this is clear. Still thought that more Users use Tor.

"But only 2442 browsers out of the 302327 observed browsers (0.81 %) have exactly the same fingerprint as yours."

I guess on websites where I am the only one with TorBrowser it could be even more conspicuous to use TBB.

Wouldn't it be quite ironic if the site "amiunique.org" were run by the FBI or the CIA ?

As a honeypot, I can see little that is more attractive to people worrying about their security....

Anonymous

January 24, 2017

Permalink

Some months ago if you visit a webpage and changed the security slider the webpage automatically reload. For some time it doesn't do that. Is this the right way?

Anonymous

January 24, 2017

Permalink

I have three questions/suggestions:

  1. Some time ago I had to edit start-tor-browser script adding option -no-remote for tor-browser, as otherwise I couldn't run 2 different tor-browsers at the same time (with different Tor ports and different security slider settings, all are binded to system Tor). Starting from some moment it became no loner necessary, as second browser starts even if the first browser is already running. Is it safe to no longer indicate this option (-no-remote) in start-tor-browser script? I afraid the risk that the contexts of different browsers can be mixed.
  2. I see this new version comes with many improvements, but there is one issue. In previous versions in order to use TBB with system Tor I had to follow the instruction in start-tor-browser script and change many options (e.g. extensions.torbutton.settings_method) which are no longer needed for this version. However, old instruction with these old options is still in place in this script (see, Sec. "Using a system-installed Tor process with Tor Browser"). Should that be fixed?
  3. Before this release I saw 3 different SOCKS-options in about:config. I had to change all of them to get my TBB reliably working with external (system) Tor with custom port. Now I see only single option, which looks as a nice replacement for all of them. So, could I change SOCKS host/port in conventional place in Edit → Prefernces? That would be more convenient than looking at necessary options in about:config.

Thanks for those questions/suggestions:

Re 1) Hm. I can't remember right now that we changed something in that regard. I guess this got introduce with Tor Browser 6.0 when we switched to ESR45? Could you track the version down where that changed (https://archive.torproject.org/tor-package-archive/torbrowser/ has all the old Tor Browser versions)? Without knowing exactly what causes this "new" behavior it is hard to tell whether you are on the safe side.

Re 2) Do you mind filing a bug on https://trac.torproject.org/projects/tor? Ideally with some explanation about what is not needed anymore/needed now so we can fix it (we even accept patches ;) ).

Re 3): Could you elaborate on which options you saw and which single option you are seeing now? Depending on that, yes, it might be possible to just set the options via the Firefox settings menu.

Thanks!

Re 1) As part of https://trac.torproject.org/projects/tor/ticket/11641, we made --no-remote the default and added support for a new (at the time) --allow-remote flag. But note that remoting is still enabled if the browser is started with the -osint flag. That means that it should be safe to leave --no-remote off unless somehow your Tor Browser is being started with the -osint flag (that probably only happens if you make Tor Browser your default browser and start it by clicking an URL in another application such as Thunderbird).

Thanks for reply!

  1. I see that mcs already replied well to both of us: https://blog.torproject.org/comment/reply/1301/232631
  2. I filed it just now: https://trac.torproject.org/projects/tor/ticket/21326
  3. I meant options:
    1. <br />
    2. extensions.torbutton.custom.socks_host<br />
    3. extensions.torbutton.custom.socks_port<br />
    4. extensions.torbutton.socks_host<br />
    5. extensions.torbutton.socks_port<br />
    6. network.proxy.socks<br />
    7. network.proxy.socks_port<br />

    Now we have only network.proxy.socks and network.proxy.socks_port in about:config. I described it in the aforementioned ticket 21326 too.
Anonymous

January 24, 2017

Permalink

I hate it.
As usual problems with tabgroups after update. Add-on "Tabgruppen" no function. All tabgroups lost!!!

Addons may very well deanonymise you. That is why The Tor Project doesn't develop the TBB for the stability all other addons (except for the ones that comes with it) in mind.

Anonymous

January 24, 2017

Permalink

Heads up, I'm seeing an increase in circuit retries of the form "We tried for 15 seconds to connect to '[scrubbed]' using exit... at...".

Ok, so after a few minutes the notices appeared again, the faulty destination is ocsp.comodoca.com. I looked in the browser console, and sure enough, it reports the getFirstPartyURI failure for the ocsp server, and an invalid security certificate for ocsp.digicert.com.

(Roger, could you remove my previous, and as of yet unpublished comment, I wouldn't want to add noise to the blog. Thanks for the prompt reply.)

Anonymous

January 24, 2017

Permalink

Right after the update, as no transition scheme was developed, my Medium-High settings landed to Medium with some minor inconsistencies in NoScript:
05:31:12.993 ReferenceError: PolicyState is not defined Main.js:3946:1

The same is with Medium-Low.
But no problem, just change the new security slider settings to be sure.

Anonymous

January 24, 2017

Permalink

DDG from about:tor instead of search results gave me empty https://duckduckgo.com/ with my request in its search bar and:
06:18:53.521 TypeError: DDG.Pages.SERP is not a constructor
duckduckgo.com:1
duckduckgo.com:1:12
06:18:53.599 ReferenceError: DDH is not defined
nrji() duckduckgo.com:1
d2048.js:61
bL.Callbacks/b6() d2048.js:26
bL.Callbacks/cf.fireWith() d2048.js:26
.ready() d2048.js:15
bZ() d2048.js:15
duckduckgo.com:1:347
06:18:54.782 TypeError: DDG.page is undefined
d.js:1
d.js:1:61
06:18:55.137 TypeError: DDG.duckbar is undefined
t.js:1
t.js:1:1

Anonymous

January 24, 2017

Permalink

Strange. Tor Browser didn't auto-update this time. I had to do it manually. Any reason as to why?

Your Tor Browser checks every so often to see if there's an update. My guess is that if you'd left it alone for a few hours, it would have noticed and started you on the update path.

(We actually don't want every Tor Browser to update itself at the very same time. Check out the "thundering herd" problem for more details:
https://en.wikipedia.org/wiki/Thundering_herd_problem )

Anonymous

January 24, 2017

Permalink

Tools > HTTPS Everywhere >

This sub-menu doesn't open, doesn't do anything.

I'm on Windows 7.

The extension is on the far-right menu button okay, and expands. And now is okay from the Tools menu too, so just a glitch when updating I guess.

I take that back, the menu on the Tools menu is not expanding again now, so clearly something is wrong, an intermittent fault. Yes, it appears in about:addons.

Anonymous

January 24, 2017

Permalink

Can you bring back the "Custom" warning/field in
Tor Browser Security Settings under the slider ?

Instead of the pane with the Restore Defaults button? Why? It seems to me having just that tiny checkbox makes it easy to overlook that one is in the custom mode (which is a thing we don't want).

"tiny checkbox makes it easy to overlook that one is in the custom mode"
Yes, like in TBB6.0.8. TBB6.5 hasn't.

"Restore Defaults button"
Where? 1 click to set all customs back to default, may conditional on "Security Level" slider.
Has moving "Security Level" slider back,forth the same result?

'"Restore Defaults button"
Where? 1 click to set all customs back to default, may conditional on "Security Level" slider.'

What do you mean?

If you moved the security slider back/forth on 6.0.8 you got our of the custom mode.

Anonymous

January 24, 2017

Permalink

Can you make it working to get media links without to heavy javascript?
E.g. custom allow in NoScript, get clickable allow in Noscript for a full media url BUT cannot simple copy this link!