Tor Browser 6.5 is released

Tor Browser 6.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is a major release and the first one in the 6.5 series. First of all it fixes the usual critical bugs in Firefox by updating to ESR 45.7.0. It contains version updates to other bundle components as well: Tor to 0.2.9.9, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and NoScript to 2.9.5.3.

Besides those updates Tor Browser 6.5 ships with a lot of the improvements we have been working on in the past couple of months.

On the security side we always block remote JAR files now and remove the support for SHA-1 HPKP pins. Additionally we backported from an other firefox branch patches to mark JIT pages as non-writable and other crash fixes that could disrupt a Tor Browser session quite reliably.

With respect to user tracking and fingerprinting we now isolate SharedWorker script requests to the first party domain. We improved our timer resolution spoofing and reduced the timing precision for AudioContext, HTMLMediaElement, and Mediastream elements. We stopped user fingerprinting via internal resource:// URLs, and for Windows users we fixed a regression introduced in Tor Browser 6.0 which could leak the local timezone if JavaScript were enabled.

A great deal of our time was spent on improving the usability of Tor Browser. We redesigned the security slider and improved its labels. We moved a lot of Torbutton's privacy settings directly into the respective Firefox menu making it cleaner and more straightforward to use. Finally, we moved as many Torbutton features as possible into Firefox to make it easier for upstreaming them. This allowed us to resolve a couple of window resizing bugs that piled on over the course of the past years.

The features mentioned above are only some of the highlights in Tor Browser 6.5. The full changelog since 6.0.8 is:

  • All Platforms
  • Update Firefox to 45.7.0esr
  • Tor to 0.2.9.9
  • OpenSSL to 1.0.2j
  • Update Torbutton to 1.9.6.12
    • Bug 16622: Timezone spoofing moved to tor-browser.git
    • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
    • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Bug 20701: Allow the directory listing stylesheet in the content policy
    • Bug 19837: Whitelist internal URLs that Firefox requires for media
    • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
    • Bug 19273: Improve external app launch handling and associated warnings
    • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
    • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
    • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
    • Bug 20556: Use pt-BR strings from now on
    • Bug 20614: Add links to Tor Browser User Manual
    • Bug 20414: Fix non-rendering arrow on OS X
    • Bug 20728: Fix bad preferences.xul dimensions
    • Bug 19898: Use DuckDuckGo on about:tor
    • Bug 21091: Hide the update check menu entry when running under the sandbox
    • Bug 19459: Move resizing code to tor-browser.git
    • Bug 20264: Change security slider to 3 options
    • Bug 20347: Enhance security slider's custom mode
    • Bug 20123: Disable remote jar on all security levels
    • Bug 20244: Move privacy checkboxes to about:preferences#privacy
    • Bug 17546: Add tooltips to explain our privacy checkboxes
    • Bug 17904: Allow security settings dialog to resize
    • Bug 18093: Remove 'Restore Defaults' button
    • Bug 20373: Prevent redundant dialogs opening
    • Bug 20318: Remove helpdesk link from about:tor
    • Bug 21243: Add links for pt, es, and fr Tor Browser manuals
    • Bug 20753: Remove obsolete StartPage locale strings
    • Bug 21131: Remove 2016 donation banner
    • Bug 18980: Remove obsolete toolbar button code
    • Bug 18238: Remove unused Torbutton code and strings
    • Bug 20388+20399+20394: Code clean-up
    • Translation updates
  • Update Tor Launcher to 0.2.10.3
    • Bug 19568: Set CurProcD for Thunderbird/Instantbird
    • Bug 19432: Remove special handling for Instantbird/Thunderbird
    • Translation updates
  • Update HTTPS-Everywhere to 5.2.9
  • Update NoScript to 2.9.5.3
  • Bug 16622: Spoof timezone with Firefox patch
  • Bug 17334: Spoof referrer when leaving a .onion domain
  • Bug 19273: Write C++ patch for external app launch handling
  • Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
  • Bug 12523: Mark JIT pages as non-writable
  • Bug 20123: Always block remote jar files
  • Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
  • Bug 19164: Remove support for SHA-1 HPKP pins
  • Bug 19186: KeyboardEvents are only rounding to 100ms
  • Bug 16998: Isolate preconnect requests to URL bar domain
  • Bug 19478: Prevent millisecond resolution leaks in File API
  • Bug 20471: Allow javascript: links from HTTPS first party pages
  • Bug 20244: Move privacy checkboxes to about:preferences#privacy
  • Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
  • Bug 20709: Fix wrong update URL in alpha bundles
  • Bug 19481: Point the update URL to aus1.torproject.org
  • Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
  • Bug 20442: Backport fix for local path disclosure after drag and drop
  • Bug 20160: Backport fix for broken MP3-playback
  • Bug 20043: Isolate SharedWorker script requests to first party
  • Bug 18923: Add script to run all Tor Browser regression tests
  • Bug 20651: DuckDuckGo does not work with JavaScript disabled
  • Bug 19336+19835: Enhance about:tbupdate page
  • Bug 20399+15852: Code clean-up
  • Windows
    • Bug 20981: On Windows, check TZ for timezone first
    • Bug 18175: Maximizing window and restarting leads to non-rounded window size
    • Bug 13437: Rounded inner window accidentally grows to non-rounded size
  • OS X
    • Bug 20590: Badly resized window due to security slider notification bar on OS X
    • Bug 20439: Make the build PIE on OSX
  • Linux
    • Bug 20691: Updater breaks if unix domain sockets are used
    • Bug 15953: Weird resizing dance on Tor Browser startup
  • Build system
    • All platforms
      • Bug 20927: Upgrade Go to 1.7.4
      • Bug 20583: Make the downloads.json file reproducible
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
      • Bug 18291: Remove some uses of libfaketime
      • Bug 18845: Make zip and tar helpers generate reproducible archives
    • OS X
      • Bug 20258: Make OS X Tor archive reproducible again
      • Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
      • Bug 19856: Make OS X builds reproducible (getting libfaketime back)
      • Bug 19410: Fix incremental updates by taking signatures into account
      • Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

Hi GK
Tested this issue in different Torbrowser versions, on different Mac OS X systems, with different OS versions, with different separated Mac OS X configs and different Mac hardware systems.

For example, it is not happening on Torbrowser versions based on Firefox ESR 38.
It is happening in the ESR 45 based Torbrowser versions (even the newest alfa 7 version) depending on the OS system you use and is not depending on blocking or allowing javascripts, it does happen even if you block almost everything in NoScript.

I did not feel the urge (yet) to test it on all Mac OS X systems between 10.6 and 10.12, because I do not want Torbrowser code on every system. I like my privacy but life offers more than checking and using Torbrowser.
But I did test Torbrowser versions in two Mac OS X versions.
Torbrowser 45 is working fine on OS X 10.10
Installing Torbrowser 5.5.5./ESR 38.8 again, this one is working fine on OS X 10.6

Torbrowser 45 is NOT working (that) fine on OS X 10.6 (but far far far better than the latest ESR mozilla Firefox versions that hang and freeze on a very regular basis. GooD job TorTeam, you are better than the mozilla devs!).
This Torbrowser NaN problem seems (at least) to be a specific Mac OS X 10.6 related problem no matter which hardware, OS X or Torbrowser configuration.

While attempting to save a PDF to file the Mac will immediately start other connection processes (on that particular tested website).
Two mDNSResponder connections over port 5353, one 5353 connection over ipv6 and one over ipv4 to an address starting with 224.
At the same time also starting two local network ipv4 connection attempts by the nmblookup process over port 137.
These connections were allowed so it was not a result of blocking connections.

At the same time (during save print to pdf) one can see around 20 (error) messages in console regarding that 'NaN error' warning.
This will happen every time when I save a webpage as pdf file on that particular website.
I tested it a lot of times, every time same result, same connection activity.

User feedback settings issue?
Now, Firefox used to have user interaction feedback code embedded, to inform the website owner about some browser activities the user was performing (If the website used the (anti privacy) opportunities in Firefox).
I can remember some feedback function things like acting on copy, printing, right mouse click actions by the user but I don't see them anymore in the about config.
It gives still a very a lot of DOM values and I do not know the fuctions of a lot of them, but hopefully you do.

Apparently there is some Torbrowser code activated by this website to start other processes in Torbrowser while printing a webpage, but apparently this gives some errors 'along the network road' popping up in my console program.
I don't know much about this 'Nan' or computer code at all but it seams to be a warning about a value that does not match or exist? What is Torbrowser doing by request while I just save a webpage as pdf?
My concern is that Torbrowser (in this particular case) apparently is getting triggered to start a network process that maybe can be used in a way we do not like it to be that way, because it is leaving my local network or end up in my modem logs or anywhere else?

Relative problem or not?
I know that firefox is ending their support for 3 Mac OS X versions any time soon and one can see that as a solution of this (Mozilla Firefox and not Torbrowser) problem. At least I do not have to test it on OS X 10.7 / 10.8 / 10.9 for now, but maybe this problem appears in 10.7 or even 10.8 as well?
Anyway, I should think that it is worth to analyze this problem because if you know what the source is of this particular problem you can prevent yourself from related unknown and invisible bugs in Torbrowser in future Torbrowser versions.
Hopefully.

Because I can imagine that not all Torbrowser users are monitoring their network, system and console processes to see if there is 'some creative deviation in the normal part of the program', I thought is was worth mentioning it here anyway.
So if you want to reproduce this, just take a Mac that still can run that marvelous OS X 10.6, take torbrowser 6 or 7 , set Noscript on the highest setting, open console program (show log list) go to that particular website, just print the front-page, or any page and save it as a pdf file anywhere.
And if you have any kind of extra firewall software, look at it and see which connections Torbrowser is activating when doing the print tot file job.

Thanks for your answer anyway and I hope you can address / repair / disable this specific behavior in future versions.
A possible about:config correction clue would be nice as well.

Bye

Additional answer while earlier (long) answer is still in moderation

It is also the case on the front page of Wired, wired.com
Even up to 72 NaN error console messages within 2 seconds every time I print a pdf to file.
Happens also with Torbrowser 7.0a1 (based on Mozilla Firefox 45.7.0) in combination with the latest version of OS X 10.6.
So there must be some kind of web code that is triggering this behavior on some websites while printing a webpage.

Thanks for that report. Just to make it clear (and make it easier to reproduce): This is just happening on an OS X 10.6 system and later macOS versions are unaffacted?

(As a sidenote: the upcoming alpha will be the last in its series that supports macOS < 10.9. We'll drop support for those older macOS versions with the switch to ESR 52 as Mozilla does).

GK,

Please read the long answer again, the answers are there.
You missed a positive remark @ Torproject also.
So give yourself that chance for a compliment again, but you are free to stop support on (relatively) very good working products on a relatively safe and relatively malware free operating system.

I tested OS X 10.6 and 10.10 (for now).
It is up to you to test OS X 10.7/10.8 and 10.9 if you have them directly available.

But if the second part of your answer is also ment as an easy solution / excuse.
Well then, what can I do? This is an asymmetric discussion, I cannot force anyone to look at possible bugs and security issues that maybe can affect newer browser versions as well.
Because you do not see it directly (as seen in OS X 10.6) it does not mean a possible bug is not there in your newer Torbrowser code with all risks to come.
You will only know future safety of your browser by knowing what is the error background of the bug now.

That dns thing mentioned, may be a Mac OS X specific behavior of samba and bonjour things on MacOS.
But, the combination of DNS and malware has relevant attention in real life as well, so.. there you go.
http://blog.talosintelligence.com/2017/03/dnsmessenger.html

I hope you'll figure out and understand what I wrote, I was not born as a native english speaker.
Regarding languages,.. some language advice for the midst of march, order "een fluitje bier" if you want to code next day, or a lot of "vaasje" if you don't bother at all doing anything but having one big hangover that week.
And "Duvel" means "Devil", just think of it before you are ordering this (belgium) beer.

Have fun.

Answered 2 times, friday-saturday but moderation is quite behind (takes at least 2 days) or making decisions to not publish the answers. I do not mind as long that they are reaching you anyway. Bye

Anonymous

April 09, 2017

Permalink

I have a concern. I am able to access the link http://timesofindia.indiatimes.com/ using TOR, however I am unable to sign into the page as the "SIGN IN" option does not appear on using TOR. As a result I cannot use the features of comment/like/dislike on any article. A quick update on this wud be appreciated.

Anonymous

April 09, 2017

Permalink

Hi guys I have just downloaded torbrowser-install-6.5.1_en-US.exe and I can't verify it neither by GPG not by SHA256:

gpg --verify torbrowser-install-6.5.1_en-US.exe.asc torbrowser-install-6.5.1_en-US.exe
gpg: Signature made 03/06/17 18:11:37 RTZ 2 (чшьр) using RSA key ID C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136

SHA256 of *.exe gives this value:

656DF6D342002CCE912584675CBBE0533BD794383E30B7138622BB2985B47608

However, what I see in the link

https://dist.torproject.org/torbrowser/6.5.1/sha256sums-unsigned-build…

d535f2ac460dd5d34cce5ba73e11126eec9170081b11b12f8332a88b2765e525 torbrowser-install-6.5.1_en-US.exe

What is wrong with it, or has it been replaced (attacked) somehow?