Tor Browser 6.5.1 is released

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change however breaks the Session Manager addon. Users who think having extensions like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.

An other regression introduced in Tor Browser 6.5 is the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to 0.2.9.10
    • OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
Anonymous

March 08, 2017

Permalink

Any chance the next version will have the flag privacy.trackingprotection.enabled set to true?

Anonymous

March 08, 2017

Permalink

Thanks for another great release. It's awesome how closely the TBB team has been tracking Firefox's release schedule lately!

Anonymous

March 08, 2017

Permalink

Why is Tor Browser signed with key id C3C07136

Where did this GPG key come from? It was never used prior to 6.5

How do we know this is actually the TOR Project in control of these releases now?

C3C07136 is a subkey of the Tor Browser key (4E2C6E8793298290). If you imported the Tor Browser key before it had this subkey, you can refresh it to get the new subkey:
$ gpg --refresh-keys 4E2C6E8793298290

Anonymous

March 08, 2017

Permalink

Once again the process of applying an update takes up a disproportionate amount of disk space.

Even with app.update.staging.enabled set to false I observed it consuming around 220MiB.

(I believe it takes up even more when this is set to true).

If it runs out of space before it's done applying the update, it breaks TBB completely ('3817 Bus error' on line 368 of Browser/start-tor-browser).

Maybe having staging.enabled set to true prevents the breakage, but I don't have enough disk space to apply updates that way (uses something ridiculous like 400-500MiB).

Anything you can do to apply updates in a way which doesn't use all the disk space at once would be great.

That would be a very interesting story to tell to a reporter, if you are able and willing to consider doing that! You could negotiate in advance how "anonymous" you want to be in the published story. Many of the better sort of news organizations now use SecureDrop.

Anonymous

March 08, 2017

Permalink

keeptup

Anonymous

March 08, 2017

Permalink

Since installing the latest version of tor my antivirus keeps blocking tor from running, and say that tor is infect by IDP.Generic virus

Thou, you didn't tell what AV u r using,

Suggesting to Temporary-disable AV until TBB installed

& then Run it,

Enable AV,

See what happens,

you might need to switch to other AV product like: AVAST..

free Avast visions are great too :)

Sadly, all too true. All persons everywhere are at risk from thousands of cyberwarriors working for various governments.

But both the Snowden and Vault7 leaks (which have provided the public with invaluable information about NSA and CIA spying respectively) suggest that USIC (and probably adversary services) have had considerable difficulty in spying on people who (correctly) use cyberprotection tools such as Tor.

Anonymous

March 08, 2017

Permalink

good

Anonymous

March 08, 2017

Permalink

thanks for release.

i logged in but tor didnt say i dont have the latest version. so i have to start it manually over browser help / about tor browser.

after the update i checked addons, update all. and there was an update for https everywhere. it installed and then restart.

shouldnt the update of tor browser and addons be automatically?

thanks

There is usually a delay before we deprecate the old version (12-24h) in order to the old browser time to download the update in the background. Not sure why you needed to do that manually. One explanation is Tor Browser checking only twice a day for new updates (+ after start-up). Similarly, Tor Browser is checking for updates extensions only once a day.

Anonymous

March 08, 2017

Permalink

OpenSSL to 1.0.1k
and
OpenSSL to 1.0.2k
are referred in article. Both can't be right.

Anonymous

March 08, 2017

Permalink

can anyone advise as to the best method of browsing i.e. duckduck etc with Tor? i dont know much about it all

Thank you

Anonymous

March 08, 2017

Permalink

Wow!

You fixed the print to pdf issue for OS X 10.6.
That is very nice to see and takes away some console stress!

Thanks, bye

Yes, Bug still there,
I did discover that shortly therafter too.

Wired did fix the issue, on their website

but the bug is still existing in Torbrowser on other websites.
So I guess that Wired devs know the answer to a guestion that was addressed at toredevs to look at and solve.

With a little help from the friends: Should I convice them to work for Torproject to really make things in Torbrowser better? :)

Anonymous

March 08, 2017

Permalink

When is Tor Browser going to FF 52ESR?
Another question I was wondering for quite some time:
Why is the TorBrowser not spoofing or disabling the referer header?

Anonymous

March 08, 2017

Permalink

Thanks FOR THE AWESOME WORK!!!!!!!!

Will TBB run on RPI RPI2 RPI3 or RPI0/W?
How do i do it?
Would Tails help HERE?

Thanks

By "RPI" you mean RaspberryPi? If so, you'll have to compile it yourself and see. There are no official Tor Browser builds for RaspberryPis.

> Would tor and Whonix work well together?

Yes. Why do you think that they don't work so well? :)

Whonix is all about isolating the Tor process from the Tor Browser, so to prevent any leaks in case your browser gets compromised (so they'll have to use even more sophisticated attacks such as VM escape).

You can read about it in this blog post: https://blog.torproject.org/blog/tor-heart-whonix

just tried Whonix .org but it seem not working,

instead, leme suggest trying Tails | >> https://tails.boum.org/

C&P:
( Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

*use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;

*leave no trace on the computer you are using unless you ask it explicitly;

*use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.)

Anonymous

March 08, 2017

Permalink

Thank you.

"wrap long lines" is still not fixed since TBB 6.5, but noone will die over it.

Read the post carefully. If you think having features "like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting."

Anonymous

March 09, 2017

Permalink

Uh oh!

Mozilla support for XP will end in September 2017.

Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

And how does Avast interact with TBB when used as a regular browser on the regular internet?

I use Mozilla with the identical TBB settings - except that my TBB browser bookmarks facility remains unused.

Tia

Breaking ESR in the middle of its lifetime will be EPIC!
(Extended support even from M$ for NT5 series ends on April 9, 2019. Mozilla, shame upon you!)

> Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

Yes. XP is now a 17 years old OS riddled with security vulnerabilities, you can't expect developers to support it for a longer time. See https://trac.torproject.org/projects/tor/ticket/21080 "My guess is we're going to triage and decide not to try to rescue XP when Mozilla has decided to abandon it."