Tor Browser 6.5.1 is released

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change however breaks the Session Manager addon. Users who think having extensions like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.

An other regression introduced in Tor Browser 6.5 is the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to 0.2.9.10
    • OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
khled.8@hotmai.com

March 08, 2017

Permalink

Any chance the next version will have the flag privacy.trackingprotection.enabled set to true?

khled.8@hotmai.com

March 08, 2017

Permalink

Thanks for another great release. It's awesome how closely the TBB team has been tracking Firefox's release schedule lately!

khled.8@hotmai.com

March 08, 2017

Permalink

Thank you GR8 release.

Why is Tor Browser signed with key id C3C07136

Where did this GPG key come from? It was never used prior to 6.5

How do we know this is actually the TOR Project in control of these releases now?

C3C07136 is a subkey of the Tor Browser key (4E2C6E8793298290). If you imported the Tor Browser key before it had this subkey, you can refresh it to get the new subkey:
$ gpg --refresh-keys 4E2C6E8793298290

like i am tor browser

Once again the process of applying an update takes up a disproportionate amount of disk space.

Even with app.update.staging.enabled set to false I observed it consuming around 220MiB.

(I believe it takes up even more when this is set to true).

If it runs out of space before it's done applying the update, it breaks TBB completely ('3817 Bus error' on line 368 of Browser/start-tor-browser).

Maybe having staging.enabled set to true prevents the breakage, but I don't have enough disk space to apply updates that way (uses something ridiculous like 400-500MiB).

Anything you can do to apply updates in a way which doesn't use all the disk space at once would be great.

Tor is helping me to get out of a hacking that that killed my business

That would be a very interesting story to tell to a reporter, if you are able and willing to consider doing that! You could negotiate in advance how "anonymous" you want to be in the published story. Many of the better sort of news organizations now use SecureDrop.

keeptup

Since installing the latest version of tor my antivirus keeps blocking tor from running, and say that tor is infect by IDP.Generic virus

Download Tor again, delete the earlier install, and install it again. Don't forget to verify the download!

downloaded it 2 times still gettin something about a virus

Upload the file to virustotal.com to verify with most available AVs

Thou, you didn't tell what AV u r using,

Suggesting to Temporary-disable AV until TBB installed

& then Run it,

Enable AV,

See what happens,

you might need to switch to other AV product like: AVAST..

free Avast visions are great too :)

Safety everyone needs help

Sadly, all too true. All persons everywhere are at risk from thousands of cyberwarriors working for various governments.

But both the Snowden and Vault7 leaks (which have provided the public with invaluable information about NSA and CIA spying respectively) suggest that USIC (and probably adversary services) have had considerable difficulty in spying on people who (correctly) use cyberprotection tools such as Tor.

good

thanks for release.

i logged in but tor didnt say i dont have the latest version. so i have to start it manually over browser help / about tor browser.

after the update i checked addons, update all. and there was an update for https everywhere. it installed and then restart.

shouldnt the update of tor browser and addons be automatically?

thanks

There is usually a delay before we deprecate the old version (12-24h) in order to the old browser time to download the update in the background. Not sure why you needed to do that manually. One explanation is Tor Browser checking only twice a day for new updates (+ after start-up). Similarly, Tor Browser is checking for updates extensions only once a day.

thx for your kind explanation!

OpenSSL to 1.0.1k
and
OpenSSL to 1.0.2k
are referred in article. Both can't be right.

Corrected. Thanks.

can anyone advise as to the best method of browsing i.e. duckduck etc with Tor? i dont know much about it all

Thank you

Wow!

You fixed the print to pdf issue for OS X 10.6.
That is very nice to see and takes away some console stress!

Thanks, bye

Actually, no. We did not fix anything in that regard. But glad that it works for you now. :)

Yes, Bug still there,
I did discover that shortly therafter too.

Wired did fix the issue, on their website

but the bug is still existing in Torbrowser on other websites.
So I guess that Wired devs know the answer to a guestion that was addressed at toredevs to look at and solve.

With a little help from the friends: Should I convice them to work for Torproject to really make things in Torbrowser better? :)

Crashed on startup on Mac OS X 10.12.3

Could you be a bit more specific? Is that reproducible? Did/does that happen with Tor Browser 6.5 as well (https://dist.torproject.org/torbrowser/6.5/ has the older version)? Did you get some crash report that could help us understand what is going on? Did that happen after an update or with a clean, new Tor Browser 6.5.1?

When is Tor Browser going to FF 52ESR?
Another question I was wondering for quite some time:
Why is the TorBrowser not spoofing or disabling the referer header?

The alpha we'll release in April will be based on ESR 52 (we hope) and the stable series will switch in June. Regarding your referer question: https://www.torproject.org/projects/torbrowser/design/#Transparency section A.1.1 has some rationale for this.

Thanks FOR THE AWESOME WORK!!!!!!!!

Will TBB run on RPI RPI2 RPI3 or RPI0/W?
How do i do it?
Would Tails help HERE?

Thanks

By "RPI" you mean RaspberryPi? If so, you'll have to compile it yourself and see. There are no official Tor Browser builds for RaspberryPis.

Would tor and Whonix work well together?
Is this a good idea?

> Would tor and Whonix work well together?

Yes. Why do you think that they don't work so well? :)

Whonix is all about isolating the Tor process from the Tor Browser, so to prevent any leaks in case your browser gets compromised (so they'll have to use even more sophisticated attacks such as VM escape).

You can read about it in this blog post: https://blog.torproject.org/blog/tor-heart-whonix

just tried Whonix .org but it seem not working,

instead, leme suggest trying Tails | >> https://tails.boum.org/

C&P:
( Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

*use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;

*leave no trace on the computer you are using unless you ask it explicitly;

*use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.)

Thank you.

"wrap long lines" is still not fixed since TBB 6.5, but noone will die over it.

Read the post carefully. If you think having features "like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting."

Maybe, as https://bugzilla.mozilla.org/show_bug.cgi?id=1172165 was fixed in Firefox 47, it could be whitelisted too.

Uh oh!

Mozilla support for XP will end in September 2017.

Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

And how does Avast interact with TBB when used as a regular browser on the regular internet?

I use Mozilla with the identical TBB settings - except that my TBB browser bookmarks facility remains unused.

Tia

Breaking ESR in the middle of its lifetime will be EPIC!
(Extended support even from M$ for NT5 series ends on April 9, 2019. Mozilla, shame upon you!)

That won't happen. XP is supported through the whole ESR 52 series. It won't be available in ESR 59 anymore, though.

We believe you'll keep your promise.
But Firefox is going to suicide, and ESR 52 will be the last version of ESR as we all know it.
https://duckduckgo.com/?q=Mozilla+support+XP+September+2017
https://blog.mozilla.org/futurereleases/2016/12/23/firefox-support-for-…

> Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

Yes. XP is now a 17 years old OS riddled with security vulnerabilities, you can't expect developers to support it for a longer time. See https://trac.torproject.org/projects/tor/ticket/21080 "My guess is we're going to triage and decide not to try to rescue XP when Mozilla has decided to abandon it."

No, the first Tor Browser that won't run on XP anymore will be one based on ESR 59.