Tor Browser 6.5.1 is released

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change, however, breaks the Session Manager add-on. Users who consider keeping such extensions working more important than avoiding the associated information leakage can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.

Another regression introduced in Tor Browser 6.5 is the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Update Tor to 0.2.9.10
    • Update OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
Anonymous

March 07, 2017

Good job. Have a question. WikiLeaks says it has obtained over of CIA hacking tool. May this affect on the Tor security?

Somebody commenting here should know more.
I have read little, but it looks like the claims of exploitable devices are old claims.

If we search more, we should find a security site that outlines the initial exploit of ios or android.

I don't think anyone has leaked the actual infection tools.

I think android uses orfox as android version of Tor browser?

Ios has no Tor browser?

There will always be 0days in various programs. I haven't seen anything for Tor or Tor Browser in there, specifically, however I did see mentions of an exploit for the Android (and non-Android?) library for libxml2, which may be used in Tor Browser. Luckily Google is scrambling to find out what the cause of the bug is to get it fixed.

In general, the stuff in the CIA vault boiled down to:
1) Android and iOS exploits and bypasses
2) IoT exploits and spyware (the Samsung Smart TV)
3) Router exploits
4) FAQs and policies for how to write malware, etc
5) Random stuff like lists of Japanese emoticons and diatribes about text editors

I would imagine that anything they get to attack Firefox, they would buy from a contractor like Raytheon SI or Endgame. When it comes to the security of Tor itself, I wouldn't worry. They don't seem particularly invested in breaking the Tor network, from what I'm seeing in this leak.

"Luckily Google is scrambling to find out what the cause of the bug is to get it fixed"?
Oh my God, someone still trusts in Google. Do you really believe that Google is clean?

From tor-talk:

https://lists.torproject.org/pipermail/tor-talk/2017-March/042995.html
CIA Vault 7, Year Zero
krishna e bera
8 Mar 2017

>> ""Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products" [0]

> The good news is no mention of exploits against Tor, TorBrowser, TAILS, Orbot. They also appear to have developed ways to hide their traffic at HTTPS servers, which may be useful for bridge developers if the code is released.
>
> [0] https://wikileaks.org/ciav7p1/

For those who download the Tails ISO image, verify the cryptographic signature, and burn a R/O live DVD: the Vault 7 malware wiki does describe an exploit affecting Nero, so we should avoid that (until the vulnerability is fixed).

WL has stated that it has made the full malwares available to affected companies, and Apple has apparently already patched almost all of the ones affecting its own products.

Anonymous

March 07, 2017

if i go to https://portal.dnb.de and search for a book, then close the tab, open a new one and click on 'new circuit' then go to https://portal.dnb.de again i get automatically redirected to the previous site. is this the intended behaviour?

Anonymous

March 07, 2017

If I understand your comment, you did these steps:

1. Go to https://portal.dnb.de (js disabled by noscript)
2. Page redirects to url with sessionid https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?view=redire…
3. Search "security" (without quotation)
4. https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?query=secur…

I didn't do these following steps. Did you experience these?

5. Then you use TBB Torbutton "New Identity"
6. Go to https://portal.dnb.de (js disabled by noscript)
7. Page redirects to your search result https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?query=secur…

Try this:
21. Create bookmark https://portal.dnb.de/ by pasting that into bookmarks toolbar.
22. Use TBB Torbutton "New Identity"
23. Load the bookmark into TBB blank tab

I think you will see https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?view=redire…
with a new jsessionid value.

Redirecting to a new jsessionid url would be how the page on that site is written to behave.

BTW, you have cookies disabled? As far as I know, "New Identity" flushes cookies, so I don't think allowing cookies setting should matter. But I disable cookies by default, so I don't know.

Note: I replaced the actual jsessionid that site gave me, with "XXXX"

no, the described behaviour is only if i click "new tor circuit for this site". in that case cookies will not be deleted? is this a good idea?

I've also noticed cookies persisting after using 'New Tor Circuit...' and it was (for me) unexpected behaviour. I think this is dangerous because people may assume it also resets the browser state for that site.

One solution is to make 'New Circuit...' delete cookies etc, so that it behaves as expected.

Another is to somehow make it clearer that sessions etc persist when using 'New Circuit..' so that people aren't getting a false sense of security.

Either is fine, but the status quo is unsafe.

I'm with the comment above, "new circuit" means a new IP, that means, you're in an unclear state if you don't know that all other browser information like cookies, are still there. maybe it's the least problem, maybe not, i don't know, but for me it feels unsafe too.

IMO both "new circuit" and "new identity" are useful, but I agree that it is important that users should understand what these user commands do and do not accomplish.

I figured the 'New Tor Circuit' doesn't clear cookies etc. after a while. Up until that point however I used it with the expectation it made me safe.
What's the purpose of this feature anyway? Why would I care for a new circuit if a site can trivially identify me anyway?

Anonymous

March 07, 2017

Resize issue, in Tails or in other OS Torbrowser versions there is a function that gets in the way a lot.
When having multiple windows opened and trying to rearrange those windows by moving the cursor to the top of the browser page and then moving the window it is really easy to release your fingers from a trackpad during moving. This results in a double click on that browser page that immediately is resizing full screen! It happens a lot and is really annoying.
How can I disable this double click full screen resizing function? I never do want a full screen size but I happen to end up with it anyway a lot of times.
Thanks

Some window managers allow you to lock a window's size. I don't think Tails' does. Tor Browser doesn't (yet?) provide any way to lock the window's size or reset it to default. The only way to correct it is to restart Tor Browser.

As a quick and dirty solution, hold the Alt key and click anywhere inside the window (not the title bar) and drag to move it. In some window managers, it's the Windows key, so try that if Alt doesn't work, otherwise consult the GNOME documentation.

In the upper right-hand corner of the Tor Browser window, the second button from right (the one with the arrow pointing upward): Clicking-on this maximizes the browser window and, when the window is maximized, reduces it back to its default size, no?

Anonymous

March 07, 2017

great

Anonymous

March 07, 2017

nice

Anonymous

March 07, 2017

Browser works great and thank you for the updates to TOR!!!
Darren Chaker

Mr. Chaker,

I'm Suggesting that TBB users are BEST to be commenting as "Anonymous" for their own good Anonymity :)

"Thank You" will still be (Thank You) from Anonymous users,
;)

Anonymous

March 07, 2017

Great,
Thanks,,

This update didn't mess-up with (SessionManager .xpi) like previous 6.5; that which i replaced the (tor-launcher & torbutton .xpi's) from TBB 6.0.8..

OK. Thanks Again..

Negative!

Wrote upper comments, and UPDATING it now,

YES: Great & Thanks,
..and here comes BUT! :)

On the 2nd or(may be) 3rd restarting after updating TBB, The (SessionManager .xpi) seem to work without Icon-logo showing up in the sliding-bar, (so-called; hamburger Menu)

Did like before:
Exited, Replaced the (tor-launcher & torbutton .xpi's) from TBB 6.0.8, Started TBB 6.5.1,

Then: SessionManager Icon appeared & worked FiNE :)

Again : Great & Thanks

Anonymous

March 07, 2017

Any way to use MPROTECT from grsec/pax and use Tor Browser at same time?
Also any plans to use new firefox container in Tor Browser?

Not easily. In the past, Firefox would create RWX pages for JIT, put the bytecode into it, then execute it. In order to support W^X in OpenBSD and iOS, Firefox has changed how it behaves, so now it creates an RW page with mmap(), puts bytecode into it, then uses mprotect() to convert it to RX, so it can execute it. This works fine for the W^X implementation on OpenBSD and iOS, but PaX's MPROTECT implementation is much more aggressive, and additionally denies converting writable pages to executable pages.

I wrote a bit about this on the Tor bug tracker:
https://trac.torproject.org/projects/tor/ticket/21011#comment:10

When the mprotect() call fails, Firefox runs its OOM (Out Of Memory) subroutine, which occurs whenever any memory-related functionality fails (even if it's just for JIT, and JIT will be disabled at runtime). This causes Firefox to crash itself.

All the code is a tangled mess. It's rather sad, really. If you wanted to fix it, it'd be best probably just to get the browser to be able to stop trying to allocate RWX pages in the first place when the config is such that JIT will not be used at runtime.

Anonymous

March 07, 2017

This version fails to run on debian stable (jessie 8.7) due to a glibc error:

  ./firefox: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by ./firefox)

This works fine for me on Debian Jessie.

It should work if you use the 'start-tor-browser.desktop' script at the root of the archive. This script adds the 'Browser/TorBrowser/Tor' directory to the LD_LIBRARY_PATH environment variable, so the libstdc++.so.6 from that directory should be used instead of the one from /usr/lib.

There is no problem for me; I use Jessie 8.7.1 amd64.

I just download, extract, and run as normal. Maybe you should do a distribution upgrade (apt-get dist-upgrade) to get all the libraries updated. I used to experience the same kind of errors when running new updated programs, and in many of the cases it's because I hadn't upgraded my OS distribution then.

Anonymous

March 08, 2017

I went to main onion page: http://expyuzz4wqqyqhjn.onion/projects/torbrowser.html.en
If I point mouse on the link, it shows it uses http://expyuzz4wqqyqhjn.onion/dist/torbrowser/6.5.1/tor-browser-linux64… for download. But when I click on it and see what location is used, it is not onion, but https://dist.torproject.org/torbrowser/6.5.1/tor-browser-linux64-6.5.1_… Why does this happen? As I see from onion.torproject.org, the correct address is another: http://rqef5a5mebgq46y5.onion/torbrowser/6.5.1/ Should links on the page http://expyuzz4wqqyqhjn.onion/projects/torbrowser.html.en be fixed?

Anonymous

March 08, 2017

Here's hoping that the Trump administration won't interfere with the Tor project funding cycle?

But we cannot assume James Comey is not lobbying hard to change that.

Comey stated in a recent speech that he intends to serve out his ten year term, which would carry him into the (barf) second DJT administration. But Comey is so diminished politically speaking that it could actually benefit the People if against expectation he manages to hang onto his job for another 6.5 years. Back in the Clinton administration, for better or worse, Freeh assured that FBI remained crippled by also hanging onto his job despite being "frozen" out of the rest of the administration. If Comey stays, this could buy us more time to use encryption to keep ourselves, our friends, our clients, and our families safer from our governments.

Thanks to all Tor and Tails people for your work!

@ GK:

This is more Debian than Tor relevant, but in view of the "evil maid" implications in the Vault7 leak, please help me convince Debian Project to fix the backdoor in LUKS encryption!