Tor Browser 6.5.1 is released

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change, however, breaks the Session Manager add-on. Users who consider having extensions like that one working more important than avoiding the possible information leakage associated with it can now set the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference to 'true' to disable our defense against this type of fingerprinting.
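To check which state a given profile is in, the following added example (not Torbutton or Tor Browser code) parses the text of a profile's prefs.js and optional user.js and reports whether the defense is still active. The function names and the sample file contents are constructed for illustration.

```javascript
// Added example: audit Firefox-style pref files for the preference that
// switches off the resource:// / chrome:// fingerprinting defense.
const PREF = "extensions.torbutton.resource_and_chrome_uri_fingerprinting";

// Parse user_pref("name", value); lines. Later lines override earlier ones.
// Comment lines (// or #) and blank lines are skipped.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*(\/\/|#|$)/.test(line)) continue;
    const m = re.exec(line);
    if (!m) continue;
    let value = m[2];
    if (value === "true") value = true;
    else if (value === "false") value = false;
    else if (/^-?\d+$/.test(value)) value = Number(value);
    else if (/^".*"$/.test(value)) value = value.slice(1, -1);
    prefs.set(m[1], value);
  }
  return prefs;
}

// user.js is applied on top of prefs.js at startup, so it takes precedence.
// Only an explicit `true` disables the defense; a missing pref means the
// shipped default, which the changelog describes as "off by default".
function defenseEnabled(prefsJsText, userJsText = "") {
  const merged = new Map([...parsePrefs(prefsJsText), ...parsePrefs(userJsText)]);
  return merged.get(PREF) !== true;
}

// Constructed sample: a profile where the user opted out of the defense.
const SAMPLE_PREFS_JS = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "about:tor");',
  `user_pref("${PREF}", true);`,
].join("\n");

console.log("defense enabled:", defenseEnabled(SAMPLE_PREFS_JS));
```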

Another regression introduced in Tor Browser 6.5 is the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Update Tor to 0.2.9.10
    • Update OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script

> XP is now a 17 years old OS riddled with security vulnerabilities

Just to support the point that cautious netizens tend to avoid using TBB under Windows, or at least very old versions of Windows:

The Vault 7 wiki of CIA malware just published by Wikileaks includes a long list of attacks on (often old versions of) Windows, but not very much on Linux (outside embedded platforms).

Not to imply that Linux users should rest easy, of course, just that all things considered, the preponderance of evidence available to the public would seem to encourage citizens concerned about privacy and data security to move to Linux (and to keep their systems up to date, to avoid installing unsigned software, to use TBB for browsing, to pay attention to valid security bulletins, and so on). Similar remarks hold for MacOS users (Vault 7 also lists some zerodays affecting Mac users).

Anonymous

March 09, 2017


Thanks

Anonymous

March 09, 2017


great

Anonymous

March 10, 2017


Hello Torproject,
2 issues:

1. 'Wrap Long Lines' with 'view_source.tab;false' isn't working reliably

2. Why is tor.exe 32-bit (Image Type) on a Win64? Should be 64-bit?
(firefox.exe(TBB) is 32-bit, too.)

Anonymous

March 10, 2017


OOPS, have read:
"On March 8th, 2017 Anonymous said:
Thank you.
"wrap long lines" is still not fixed since TBB 6.5, but no one will die over it."

No one will die over it, me neither. Second question, 32bit tor.exe, is open.

Anonymous

March 10, 2017


"Tor is ready" does not appear every time i choose 'new identity'.
is it evidence or a trace that something is wrong ?

nothing !
it does not work every time i click on "new identity" : sometimes (rarely) yes , sometimes not.
pff ... i wonder if the users are not the testers of an experimental manipulation in the goal that a subvention be given to a usa rotten team ...
pff ... i use tor for some app but too much bugs means untrust software ...
no comment.

ok : nice tip / i thank very much:i did not know it :
anyway that i try "new identity" or new circuit for this site" ; it could be written [Tor is ready ] ; it is rarely the case , something is wrong in your program or it is a hack very sophisticated.
Shift+Ctrl+J
...
it opens a server tab and that is written with pink background:
...
ocsp.int-x3.letsencrypt.org:443 uses an invalid security certificate.
in blue
2 in red

The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaized.net, a248.e.akamai.net

Error code: SSL_ERROR_BAD_CERT_DOMAIN
...
ocsp.digicert.com:443 uses an invalid security certificate.

The certificate is only valid for the following names:
www.digicert.com, content.digicert.com, edge1.digicert.com, edge2.digicert.com, edge3.digicert.com, edge4.digicert.com, cacerts.digicert.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN
in blue
2 in red
...
# i am connecting using tor bundle & vpn.
anyway that i try "new identity" or new circuit for this site" ; it could be written [Tor is ready ] ; it is rarely the case , something is wrong in your program or it is a hack very sophisticated.
maybe my vpn uses a weak encryption or i am yet a target but it does not explain why the banner is not shown : do i need to debug (how to do that pls?) or drop my vpn ?
i have chosen 443 port & not the default port does it matter ?
Thanks a lot for your help, your tip & your explanations.

Anonymous

March 10, 2017


Tails 2.11 came out on schedule; why no announcement in this blog?

Reason for confusion is that Tails has (until 2.11) posted release announcements in their account at this blog.

Can you help ensure that Tails users who use a 32 bit CPU machine know that the next edition of Tails will only be usable with 64 bit CPUs? I don't disagree with their decision to go 64 but the Tor community needs to get the word out well in advance that this change is coming soon.

In a related plea, can you help ensure that Debian users get a clear explanation of how the onion mirrors of the Debian repositories (as discussed elsewhere in this blog) will handle the change (perhaps in May or June) to the new stable distribution? Can I DL an iso image of the new stable, verify the key, install normally, then point synaptic at the same onion mirrors? Or will I need to use new onion mirrors?

Anonymous

March 10, 2017


OP here.

Yes, I've read y'alls anon responses to my query but only gk's replies can be accepted as authentic by m'self.

Thanks, gk!

This simply means that I'm gonna hafta dl a GUI enabled Linux version to an external hdd and so use Linux as an additional OS for a Linux based TBB. Neva mind. I got 6 months to figger the how out.

As for XP now being " a 17 years old OS riddled with security vulnerabilities..." I guess that depends only on which sites one interacts with, not so?

The only hassle I can anticipate is spending more time backing up folders in the event of a system failure. In 2015 Verbatim was offering a 7 year warranty on its 1tb external hdd but sadly, such items are not permitted in my country.

@ gk

Just a passing thought... but both Mozilla and y'selves interact with a large (in the hundreds of millions) XP community. See

https://www.google.com/search?q=how+many+xp%27s+still+in+use%3F&ie=utf-…

for detail.

How will this issue affect y'alls collective futures?

I can go where I like onna www and my laptop - Japanese made- is soooo reliable. I reformatted it in early 2014 and I still don't see the need for any upgrades.

It's not like I'm a rocket scientist planning to put someone onto Mars an' I desperately need the latest doodads to so do. I have a monthly 2Gb data cap and I'm hard-pressed to utilize it all.

I jus' don't see the sense of upgrading to Win 10/11/12/13 whatever in order to accommodate a web browser.

Any marketing wonk thinking/hoping/praying I'm now gonna be compelled to embrace the latest Windows or Apple offering is vaping the wrong stuff!

I thankfully avoided all the hassles associated with Vista, Win7, 8 and 10. And when I eventually do upgrade, the new OS - personal computers and autos - will all be thought-controlled.

Until then, y'all, stay well...

Anonymous

March 10, 2017


love tor

Are you sure it works on the previous version? They are probably blocking Tor. It wouldn't surprise me one bit. The list of Tor-friendly email providers on the Whonix wiki says that once you have a Google account, you have to sign in without Tor and then enable Tor without deleting cookies and load a page while you're signed in. After that it says you should be able to connect through Tor, but I wouldn't get my hopes up.

Anonymous

March 15, 2017


In WIN10 (in Chinese) running on a black square block of text, complete the configuration to scrape through memory, stop running after open the browser interface.

Reinstall the old version can be normal use.

Which old version do you mean? Do you have some antivirus software that could interfere with Tor Browser? If so, could you uninstall that one for testing and check whether things get better (disabling is often not enough)?

Anonymous

March 16, 2017


Is the Tor network still relevant to the general public?

Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

The few others which use it for political activism against repressive regimes will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017.

XP has been the OS choice of activists almost since its inception due to its ubiquity, simplicity and reliability. Later MS systems (Win10, various handheld gadgets etc) sold in dictatorships such as China, Russia and many Asian and African nations must comply with governmental modifications- modifications not only to the newest devices but also monitor and censor of the network of their local isps.

Also, exchange rate issues in these tyrannical and despotic regimes militate against the acquisition of more modern equipment -whether over the counter or via a smugglers route.

I daresay this also applies to the USA and EU to some degree -but there the various democratic movements have ensured that such "modifications" are strictly controlled by legislative authorities to only combat global terrorism.

Mozilla stated that it could extend ESR with XP support if there were a reason. And who, if not the Tor Project, is interested in spreading Tor Browser to countries with old computers?

> Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

I suppose that depends upon

1. your definition of the meaning of "mostly" ("more than 1%?" "more than 50%"?),

2. whether you can present some statistics and explain how we may independently verify them.

> The few others which use it for political activism against repressive regimes will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017.

I suppose you simply forgot to present your evidence for these further dubious claims?

> XP has been the OS choice of activists

"Activists" is a pretty broad term. Maybe you should clarify what groups in what countries you are talking about.

I can't tell whether you are attacking/praising XP, or attacking Tor, or what. But it may be worth pointing out that activists who do not yet use Tails should perhaps consider switching, although this may not be the best choice for everyone.

> Far as I can see, [Tor is] mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

Yes, and I suspect you know it. Certainly over the past year, this blog has offered many posts explaining how ordinary people use Tor every day to circumvent censorship, engage in political speech, and perform research in the public interest.

> The few others which use it for political activism against repressive regimes

Care to back that up with some actual statistics?

> will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017. XP has been the OS choice of activists almost since its inception due to its ubiquity, simplicity and reliability

Interesting... you urge activists to continue to use an OS which has been successfully targeted by many zerodays exploited by the bad guys (see for example the Vault 7 leaks at wikileaks.org).

A much better choice which should work "out of the box" on almost any computer which uses a 64 bit CPU* is the free Linux based distribution Tails; see tail.boum.org. Tails enables you to boot an "amnesiac" system from a live DVD (or USB), browse with TorBrowser, email, produce videos, documents, etc., then shut down leaving no trace (we hope) on your usual OS on your computer. It is thought to be much more secure than almost any other OS; the Snowden leaks prove that as late as spring 2013 NSA was experiencing great difficulty finding exploitable vulnerabilities in Tails.

(It later turned out that they apparently missed some pretty bad holes, which have been closed. Tails isn't perfect but it's just about the best thing we've got.)

* Currently Tails works for 32 bit CPUs, but the next edition will no longer support 32 bit CPUs.

> Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

This has been addressed extensively throughout the history of the Tor Project. I guess some debates never die. There is a "Who uses Tor?" link on the main page of the site. Edward Snowden is one example of a Tor user who is not a drug dealer nor a paedophile. There are many more, probably in the millions.

Dropping XP support is a good thing in my opinion. It doesn't get security updates anymore. There would really be no point in using Tor Browser on XP. You could use a random unpatched Linux distribution, and you'd still be better off. Tails is quickly becoming the de-facto OS of choice among Tor users, and Qubes is growing too. Both are far superior to XP, and arguably to any general purpose OS.

Anonymous

March 16, 2017


Upload speed is limited to 3 Mb/s on 32-bit Windows, while download speed remains unaffected. The Speedtest service was used to test the bandwidth.

Anonymous

March 17, 2017


\(*c*)/

love you all
love your work \(*c*)/
stay strong

\(*c*)/

\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/

Anonymous

March 18, 2017


Thanks

Anonymous

March 21, 2017


After connection is established, it reports an error on Win 7. Don't know why. Version 6.5.1.

Anonymous

March 22, 2017


I have installed Tor. What is the best email program to use with it? I guess I should encrypt my emails. Additionally, what program is the best for a lay person?

Anonymous

March 23, 2017


In WIN10 (in Chinese) running on a black square block of text, complete the configuration to scrape through memory, stop running after open the browser interface.
Reinstall the old version can be normal use.

I'm having this problem in Win 7.

Anonymous

March 27, 2017


I have Torbrowser for the Mac sha256 :4155633dd51db9c805e8a81a9fd180e7235077f15023b5f002648f1c2a8bef92

It is incorrectly showing the web site https://sciex.com/ as not secure. I have tried several transports with the same results.

Anonymous

March 28, 2017


I checked my Ubuntu workstation and it has transports FTE, Meek-Amazon, Meek azure, obfs3 and obfs4.

My Mac's torbrowser does not have the FTE transports ?

Anonymous

March 29, 2017


I was running 6.5 fine but a few days ago it refused to connect to onion servers. So installed 7.2 and the same problem. I can get normal http sites but onion ones it just refuses. Does this mean my Win XP system is no longer supported? I have a Win 7 computer but hate the bloody thing because of all the logs it keeps as well as auto connections to MS.

I am in the UK

Anonymous

March 30, 2017


Does anyone know if the UK has found a way to block .onion sites? I cannot get any links despite checking all my phone system and computer, reloading Tor several times, and all I can get is http sites.

Found the problem. My computer clock had mysteriously jumped forward by one day. Why is it necessary for TOR to detect the time and date on someone's computer?