Tor Browser 6.5 is released

Tor Browser 6.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is a major release and the first one in the 6.5 series. First of all it fixes the usual critical bugs in Firefox by updating to ESR 45.7.0. It contains version updates to other bundle components as well: Tor to 0.2.9.9, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and NoScript to 2.9.5.3.

Besides those updates Tor Browser 6.5 ships with a lot of the improvements we have been working on in the past couple of months.

On the security side we always block remote JAR files now and remove the support for SHA-1 HPKP pins. Additionally we backported from an other firefox branch patches to mark JIT pages as non-writable and other crash fixes that could disrupt a Tor Browser session quite reliably.

With respect to user tracking and fingerprinting we now isolate SharedWorker script requests to the first party domain. We improved our timer resolution spoofing and reduced the timing precision for AudioContext, HTMLMediaElement, and Mediastream elements. We stopped user fingerprinting via internal resource:// URLs, and for Windows users we fixed a regression introduced in Tor Browser 6.0 which could leak the local timezone if JavaScript were enabled.

A great deal of our time was spent on improving the usability of Tor Browser. We redesigned the security slider and improved its labels. We moved a lot of Torbutton's privacy settings directly into the respective Firefox menu making it cleaner and more straightforward to use. Finally, we moved as many Torbutton features as possible into Firefox to make it easier for upstreaming them. This allowed us to resolve a couple of window resizing bugs that piled on over the course of the past years.

The features mentioned above are only some of the highlights in Tor Browser 6.5. The full changelog since 6.0.8 is:

  • All Platforms
  • Update Firefox to 45.7.0esr
  • Tor to 0.2.9.9
  • OpenSSL to 1.0.2j
  • Update Torbutton to 1.9.6.12
    • Bug 16622: Timezone spoofing moved to tor-browser.git
    • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
    • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Bug 20701: Allow the directory listing stylesheet in the content policy
    • Bug 19837: Whitelist internal URLs that Firefox requires for media
    • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
    • Bug 19273: Improve external app launch handling and associated warnings
    • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
    • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
    • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
    • Bug 20556: Use pt-BR strings from now on
    • Bug 20614: Add links to Tor Browser User Manual
    • Bug 20414: Fix non-rendering arrow on OS X
    • Bug 20728: Fix bad preferences.xul dimensions
    • Bug 19898: Use DuckDuckGo on about:tor
    • Bug 21091: Hide the update check menu entry when running under the sandbox
    • Bug 19459: Move resizing code to tor-browser.git
    • Bug 20264: Change security slider to 3 options
    • Bug 20347: Enhance security slider's custom mode
    • Bug 20123: Disable remote jar on all security levels
    • Bug 20244: Move privacy checkboxes to about:preferences#privacy
    • Bug 17546: Add tooltips to explain our privacy checkboxes
    • Bug 17904: Allow security settings dialog to resize
    • Bug 18093: Remove 'Restore Defaults' button
    • Bug 20373: Prevent redundant dialogs opening
    • Bug 20318: Remove helpdesk link from about:tor
    • Bug 21243: Add links for pt, es, and fr Tor Browser manuals
    • Bug 20753: Remove obsolete StartPage locale strings
    • Bug 21131: Remove 2016 donation banner
    • Bug 18980: Remove obsolete toolbar button code
    • Bug 18238: Remove unused Torbutton code and strings
    • Bug 20388+20399+20394: Code clean-up
    • Translation updates
  • Update Tor Launcher to 0.2.10.3
    • Bug 19568: Set CurProcD for Thunderbird/Instantbird
    • Bug 19432: Remove special handling for Instantbird/Thunderbird
    • Translation updates
  • Update HTTPS-Everywhere to 5.2.9
  • Update NoScript to 2.9.5.3
  • Bug 16622: Spoof timezone with Firefox patch
  • Bug 17334: Spoof referrer when leaving a .onion domain
  • Bug 19273: Write C++ patch for external app launch handling
  • Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
  • Bug 12523: Mark JIT pages as non-writable
  • Bug 20123: Always block remote jar files
  • Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
  • Bug 19164: Remove support for SHA-1 HPKP pins
  • Bug 19186: KeyboardEvents are only rounding to 100ms
  • Bug 16998: Isolate preconnect requests to URL bar domain
  • Bug 19478: Prevent millisecond resolution leaks in File API
  • Bug 20471: Allow javascript: links from HTTPS first party pages
  • Bug 20244: Move privacy checkboxes to about:preferences#privacy
  • Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
  • Bug 20709: Fix wrong update URL in alpha bundles
  • Bug 19481: Point the update URL to aus1.torproject.org
  • Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
  • Bug 20442: Backport fix for local path disclosure after drag and drop
  • Bug 20160: Backport fix for broken MP3-playback
  • Bug 20043: Isolate SharedWorker script requests to first party
  • Bug 18923: Add script to run all Tor Browser regression tests
  • Bug 20651: DuckDuckGo does not work with JavaScript disabled
  • Bug 19336+19835: Enhance about:tbupdate page
  • Bug 20399+15852: Code clean-up
  • Windows
    • Bug 20981: On Windows, check TZ for timezone first
    • Bug 18175: Maximizing window and restarting leads to non-rounded window size
    • Bug 13437: Rounded inner window accidentally grows to non-rounded size
  • OS X
    • Bug 20590: Badly resized window due to security slider notification bar on OS X
    • Bug 20439: Make the build PIE on OSX
  • Linux
    • Bug 20691: Updater breaks if unix domain sockets are used
    • Bug 15953: Weird resizing dance on Tor Browser startup
  • Build system
    • All platforms
      • Bug 20927: Upgrade Go to 1.7.4
      • Bug 20583: Make the downloads.json file reproducible
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
      • Bug 18291: Remove some uses of libfaketime
      • Bug 18845: Make zip and tar helpers generate reproducible archives
    • OS X
      • Bug 20258: Make OS X Tor archive reproducible again
      • Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
      • Bug 19856: Make OS X builds reproducible (getting libfaketime back)
      • Bug 19410: Fix incremental updates by taking signatures into account
      • Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

You like to see a media clip the site don't want you can easy download -ugly javascript&no download button, without good reason.
You can temporary allow all this page and hope clip is playing.
You can allow custom [...] and NoScript presenting you a clickable
'allow' with a full URL, e.g. .mp4. But i can't copy this link and need more doing to get this.

zoobab

January 25, 2017

Permalink

Awesome! I love the privacy improvements and especially fixing resource:// leakage. The security slider change is also great, I never able to figure out what medium-low settings is useful for and now without it, fingerprintability is reduced! Thanks again for all the excellent changes. Can't wait for Tor browser to become multi-process and speed up the browsing experience!

zoobab

January 25, 2017

Permalink

What will the browser's "useragent" for this release be reported as, exact string, please ?

zoobab

January 25, 2017

Permalink

well

zoobab

January 25, 2017

Permalink

Comment regarding:
Changelog:
Tor Browser 6.5 -- January 24 2017
* All Platforms
* Update Firefox to 45.7.0esr
* Tor to 0.2.9.9
----------------------------------------------------------
You are good human beings. Stand tall and receive the vibes and warmth from this one little guy out here on the blustery slopes of ignorance.
Your inclusion of the Changelog is a great gift. Browsing it taught me things about the meaning of life,
You think I am kidding. No.
This is how life should be; can be.
Look at one another around the edges of your cubicles and nod. You have made good choices. Thanks.

zoobab

January 25, 2017

Permalink

Thanks Tor people! :) Hopefully we'll see Selfrando integration in Tor Browser 7 :D

zoobab

January 25, 2017

Permalink

My 'fruit OS' Console.app got to enthusiastic generating new mind breaking messages, one of many is this one.
- NaN
['t/i/m/e'] [0x0-0x30030].org.mozilla.tor browser ['number process'] ['t/i/m/e'] ['localhostname/modem name'] firefox ['number process'] : replacing NaN with 0.

More than a hundred times in one minute.
NaN again? Has this anything to do with the SVG security issue?
First it said several times something like , : doClip: empty path.

Another one is about updating addons over an insecure connection?
Does not matter if you disable automatic updates.
- Addons
['t/i/m/e'] [0x0-0x51051].org.mozilla.tor browser['number process'] 1485302776300 addons.productaddons ERROR Request failed certificate checks: [Exception... "SSL is required and URI scheme is not https." nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 145" data: no]

Also this one
['t/i/m/e'] [0x0-0x96096].org.mozilla.tor browser ['number process'] 1484838545725 addons.update-checker WARN HTTP Request failed for an unknown reason

Thanks for looking at it

Not sure what the former is but the latter two are due to TorLauncher and Torbutton not being allowed to ping Mozilla's Add-on server for update checks. Those messages are harmless.

zoobab

January 25, 2017

Permalink

Thanks!

zoobab

January 25, 2017

Permalink

TOR BROWSER 6.5 (updated today).

From Tor toolbar button | Security Settings there are three options High, Medium and Low.

===================
Medium:
JavaScript is disabled by default on all sites non-HTTPS sites.
On sites where JavaScript is enabled, performance optimizations are disabled. Scripts on some sites may run slower.
===================
Above is OK.

===================
High:
JavaScript is disabled by default on all sites.
On sites where JavaScript is enabled, performance optimizations are disabled. Scripts on some sites may run slower.
===================
This is now confusing, isn't it? If JavaScript is disabled (first sentence), how can it be enabled on some sites. Is this copy/paste problem?

In case you need to allow JavaScript on some site but do not want to touch the other settings on level "high" it assures you that other JavaScript features like JIT stay disabled.

zoobab

January 25, 2017

Permalink

I'm getting a signing key mismatch that's bugging me. What I should see according to https://www.torproject.org/docs/verifying-signatures.html.en is this:

gpg --fingerprint 0x4E2C6E8793298290
You should see:

pub 4096R/93298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key)
sub 4096R/F65C2036 2014-12-15
sub 4096R/D40814E0 2014-12-15
sub 4096R/C3C07136 2016-08-24

What I see instead is this:

gpg --fingerprint 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key)
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub 4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

Trying to upgrade the TBB automagically from the Applications > Internet menu (XFCE on Debian) told me that "signature verification failed" and warned me that I might be under attack; so I downloaded & unpacked the tarball from Tor's site and again there's a mismatch but it looks less frightening. So I'm hesitating to use it 6.5 until checking it out with the pros here.

It looks like the signing key was renewed but the website just hasn't been updated to reflect that, which is trivial, but then there's a (probably very small) chance that I could be "under attack" or that this release is somehow compromised.

Please advise.

I guess the first upgrade mechanism fails as you are using torbrowser-launcher which does not have the new subkey baked in. Not sure why the one where you download from our website fails. What commands are you using and what is the output you get? What is the sha256 sum of the .tar.xz and the respective .asc?

I'm just cutting & pasting from the Mac OS X and Linux section of https://www.torproject.org/docs/verifying-signatures.html.en, except changing the filenames to reflect my 64-bit system.

sha256sum gets these:

c4714061748a70d3871dd84ff88d2f317b386d290a5c1fb94a504a1c256f1960 tor-browser-linux64-6.5_en-US.tar.xz

d922daa46e3c8aa2d4056579258a1fa4efe553da797102d0a0a8572851218d94 tor-browser-linux64-6.5_en-US.tar.xz.asc

If that's right then I shouldn't have to worry.

The difference is that, unlike what the web pages tells me to look for, I'm seeing expiration dates in brackets:

pub 4096R/93298290 2014-12-15
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key)
sub 4096R/F65C2036 2014-12-15
sub 4096R/D40814E0 2014-12-15
sub 4096R/C3C07136 2016-08-24

becomes

pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key)
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub 4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

Like I said it seems minor but Tor is one thing I feel justified in getting slightly paranoid about. If it's supposed to work this way why not include the expiration dates on what the web page tells us to look for?

What does

  1. <br />
  2. gpg --verify tor-browser-linux64-6.5_en-US.tar.xz.asc<br />
  3. tor-browser-linux64-6.5_en-US.tar.xz<br />

say *after* you updated your local key (i.e. fetched the subkey which signed the tar.xz file)?

zoobab

January 25, 2017

Permalink

a [BUG] !?

Thanks,
Both updates of TBB 6.5a2 & 7.0a1 on my 32bit Desktop, and TBB 6.5a2 & 7.0a1 on my 64bit noteBook: Works fine except for the (Torbutton 1.9.6.12)..addon!

When disable the new TorButton then the icon of [Session Manager addon] will appear!

Any idea Why!?

However, Will try to install older TorButton .xpi from previous TBB version, and feedback you results..

NP: another copy of All this comment will paste into:
https://blog.torproject.org/blog/tor-browser-70a1-released

Disabling Torbutton breaks your Tor Browser. This is not going to work. Or do you mean your Torbutton extension did not get updated? If so, did it just vanish? What does about:addons show you?

Disabled Torbutton but luckily the TBB didn't break..
and the icon of Session Manager appeared..
as described above,

Copied Torbutton xpi from previous releases over the new one, pasted into /extensions folder..
Session Manager icon not appearing..

Copied ALSO tor-launcher xpi from previous releases over the new one, pasted into /extensions folder..

Session Manager icon: finally appeared! sort of lite-weight hack ;)

previous xpi's used from: torbrowser-install-6.0.6_en-US..

zoobab

January 25, 2017

Permalink

Firstly thank you very much for this new TBB!
But I have a problem after updating to 6.5. When I start TBB the screensize of TBB is every time changed and not the usually screensize of TBB. I do not mean the fullscreen of TBB, just the normal scrennsize of TBB.

I'm think that I'm also getting this.

Window size is much smaller than normal.

I noticed the changes notes listed some size alterations.
Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)

Perhaps that is related to this?

This size reduction seems a bit much, is it safe to change the window from it's default size?

zoobab

January 25, 2017

Permalink

So thanks, seems like a lot of fixes here.

But still, after automatically and then manually upgrading -since first way didn't change anything- , my privacy preferences bug still persists and I cannot change it to "never remember history" .

Am I really the only one with this? Are the tickets on bug tracker even beeing considered anymore?

Before this, it seems that I could use tor browser and every site that only wanted to work with cookies enabled did so without in this fine peace of engineering. But no more, now I have to allow cookies here too for those pages to function, from online banking to fuckbook. Everywhere.

Is that supposed to be this way?

The changelog did not contain an entry that fixes your problem. That said, yes, tickets in our bug tracker are considered and we work on them after prioritization. As we have way more tickets than developer capacity and as we encourage help from the community we'd be glad if we would see contributions especially on those tickets that are not our top priority.

That cookie problem seems orthogonal to me as you can easily disable cookies in Firefox' privacy settings.

zoobab

January 25, 2017

Permalink

good work but for us linux users who use WM that auto resizes windows , how to prevent Tor browser from being resized ? very problematic for anonymty purpose .

zoobab

January 25, 2017

Permalink

Would it ever be possible to add a single-click "New Tor Circuit for this Site" button to the toolbar? As it is it's 2 clicks or an awkward key combo, but one click would make life so much easier. Thanks.

zoobab

January 25, 2017

Permalink

The default browser window size for 6.5 appears to be much smaller than the size of the window in the previous release.

Painfully so. >_<

My understanding is adjusting the window size can lead to a less secure TOR browser.

Is there a reason the window has had it's size reduced to this extent?

zoobab

January 25, 2017

Permalink

On some sites like en.wikipedia.org or marc.info, the destination of links is not shown at the bottom anymore while hovering over it, but on others like this one it still is. Is this on purpose?

zoobab

January 26, 2017

Permalink

360 total security flags both 6.5 and 7.0 Tor as a trojan!
is this normal? false positive?