Tor Browser 6.5.1 is released

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change, however, breaks the Session Manager add-on. Users who consider keeping extensions like that one working more important than avoiding the possible information leakage associated with it can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.
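A way to audit a profile for this setting, as an added example that is not part of the release notes or of Torbutton's code: it parses the `user_pref()` lines of a profile's `prefs.js` and `user.js` and reports whether the fingerprinting defense has been switched off. The function names and the sample file contents are constructed for illustration, and the parser assumes one `user_pref()` call per line.

```python
import re

PREF = "extensions.torbutton.resource_and_chrome_uri_fingerprinting"

# Matches: user_pref("name", value);  where value is true/false, a number or a quoted string.
# The ^\s*user_pref anchor means commented-out lines ("// user_pref(...)") never match.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        match = _PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def effective_value(prefs_js, user_js=""):
    """Raw value of PREF after startup, or None if neither file sets it.

    Firefox applies user.js on top of prefs.js at startup, so user.js wins.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(PREF)


def defense_disabled(prefs_js, user_js=""):
    """True only when the preference is explicitly 'true'.

    The changelog describes the leak as off by default, so an absent
    preference means the resource:// and chrome:// filtering is active.
    """
    return effective_value(prefs_js, user_js) == "true"


# Constructed sample profile contents (not taken from a real installation).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("extensions.torbutton.resource_and_chrome_uri_fingerprinting", false);
'''
SAMPLE_USER_JS = (
    'user_pref("extensions.torbutton.resource_and_chrome_uri_fingerprinting", true);\n'
)

if __name__ == "__main__":
    print("prefs.js only:      defense disabled =", defense_disabled(SAMPLE_PREFS_JS))
    print("prefs.js + user.js: defense disabled =",
          defense_disabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

Checking `user.js` as well as `prefs.js` matters because a `user.js` entry silently re-applies the setting on every start, even after it has been reset in about:config.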

Another regression introduced in Tor Browser 6.5 concerns the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Update Tor to 0.2.9.10
    • Update OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
Anonymous

April 03, 2017

Thank you for Tor Browser :-) My question is:
As I run Tor to apt-get update my Debian (through the onion depositories), do I have to stop tor before using Tor Browser (installed manually from the torproject website)?

If I let Tor run and launch Tor Browser, is it a case of "Tor over Tor"?

And yet, if you install Tor Browser through the launcher package, Tor gets installed.

So I’m rather confused. Your help will be appreciated!

1. I also update my Debian stable systems using the onion mirrors for better security. I too have found that this does not always run smoothly. Typically I cold boot the machine and plug in an ethernet cable to my router. I have found that for some reason, restarting Tor using

sudo systemctl restart tor.service

is often necessary in order to connect to the Tor network. Only after connecting should one try to "reload" in Synaptic to obtain the list of packages to be updated. I find that it may be necessary to reload several times to get the list.

A particularly frustrating problem is that the critical file containing the gpg signatures is often hard to obtain from the onion mirror. It is critically important to *never* install any packages if one gets a warning that you are about to install unauthenticated packages. I do not know why this happens but I guess it may have something to do with the Debian mirrors becoming strained during updates to the repository itself. When I experience this problem, I wait a few hours and try again.

I would be happy to read a response from anyone who knows a better way of handling these difficulties!

2. Does anyone know what will happen when Debian rolls over to the new stable (perhaps by June)? Will the same onion addresses then point to the repositories needed to update a new stable system? Or will we need to obtain new onion addresses to add the APT sources list?

It seems that the onion mirrors may often be overloaded; unless I misunderstand, this is because there is only one server handling each onion mirror. Certainly my attempts to download upgrades often time out.

In my experience downloading the upgrades often requires considerable patience and care. Especially if the list of packages to be upgraded is lengthy, it can be best to try to break down the task into more manageable pieces.

Some hints, assuming you are using synaptic and have pointed your sources.list at the onion mirrors:

o don't be afraid to occasionally hit "reload" to refresh the current list of packages still to be upgraded, but be very careful about one thing--- if you see a message about "unauthenticated" packages occurring in the list, hit reload again (installing unauthenticated packages would be even worse than not using the onion mirrors)

o if you hit "mark all upgrades" and see a very long list, don't be afraid to write down the names of the packages, start over, and mark the upgrades in small bunches

o if your attempt to download the upgrades you marked times out, respond "don't continue" and start over (apt should not really start from scratch since it should have cached the packages you did succeed in downloading the first time)

o if anything appears to have gone wrong, try to use the "details" window to see if it contains any useful information, e.g. that you require a working python-glade-2, in which case you can try to install that first

o if synaptic appears to have hung, try being patient; if after several hours it still appears to have hung, try (possibly dangerous!) "sudo killall synaptic" and start over.

In general, it seems that the onion mirrors are a great idea and should be standard for all Debian users, but currently we need to figure out how to handle the load. At the very least this would seem to imply the Debian Project would have to issue a cryptographically signed public file containing alternative onion addresses for the mirrors (probably one set for security upgrades and one for all the rest).

I think it would be useful for the maintainers of the onion mirrors to write a second blog post in this blog, seeking feedback about user experience. This might suggest ways in which the onion mirrors can be improved.

Anonymous

April 12, 2017

Thanks, Tor, for your best services that you provide in a country that blocks / banned some sites :::::::))))))))))