Tor Browser 6.5.2 is released

Tor Browser 6.5.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This should be the last minor release in the 6.5 series. This release updates Firefox to 45.9.0esr, Noscript to 5.0.2, and HTTPS-Everywhere to 5.2.14.

Moreover, we included a fix for the broken Twitter experience and worked around a Windows related crash bug. To improve our censorship resistance we additionally updated the bridges we ship.

Here is the full changelog since 6.5.1:

  • All Platforms
    • Update Firefox to 45.9.0esr
    • Update HTTPS-Everywhere to 5.2.14
    • Update NoScript to 5.0.2
    • Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter)
    • Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
    • Bug 21917: Add new obfs4 bridges
    • Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend
  • Windows
    • Bug 21795: Fix Tor Browser crashing on github.com
khled.8@hotmai.com

April 19, 2017

Permalink

\o/

khled.8@hotmai.com

April 19, 2017

Permalink

I'm getting this error:

Tor Browser could not be updated because: Update XML file malformed (200)

6.5.1, Debian 64, en-US.

I just tested with another system that I have with the same characteristics and I don't get this issue, so I think the problem is just with my install, so I'll just do a manual upgrade and hope that this issue wont repeat itself again.

Update HTTPS-Everywhere to 5.2.15?

I don't understand that particular piece of blurb myself, and await explanation.
I take it my settings, eg directly to non-Java sites & other preferences concerning my basic security settings, are auto-carried over? I don't have to go through my entire Settings drop-down from the logo and onion to manually update THOSE do I?

5.2.15 was released few hours after 6.5.2, i don't think it's any more complicated than that.

so is my ip address safe

best tor update ever :D

how we can install flash player on this browser?

flash is DEAD!

khled.8@hotmai.com

May 10, 2017

In reply to by Anonymous (not verified)

Permalink

how do you watch Flash videos then?

i don't visit websites requiring flashplayer.
new web standard is html5.

> how we can install flash player on this browser?

Do you want to de-anonymise yourself?

hy dude i am just a kid i wana anonymise ....here the speed of internet is very slow so tor isn't connecting afta installing...showing this error :Establishing an encrypted directory connection failed (connection timeout - 31.185.104.20:443).may U suggest me somtin' alternative to tor

I want to be able to use the web and watch videos.

Avast reports "firefox.exe" Virus found "IDP.Generic" after updating from Tor Version 6.5.1 to 6.5.2 over online update!

I use now a fresh install - i´m online over that since my updated Version is now in quarantine - and do not notice any virus here... hm... strange...

Win7 32Bit SP1, 4GB

Thanks!

I'm not an Internet security expert - is this upgrade the reason why I couldn't enter Tor Browser for a half hour or so? Whenever I tried to enter, it said, "Couldn't load XPCOM."

My guess is that you have some antivirus/firewall software that does not like parts of the Tor Browser update. You could try uninstalling that (disabling is often not enough) to check whether it is really the problem.

I am having this same problem. I cannot us my TOR browser for the same reason! How do I fix it??

NoScript: how long will it be pushed up our throats by the various anonymity products like Tor Browser, Tails, etc.?

Just open the advanced (about:config) settings in TorBrowser/Firefox and do a search on the word "NoScipt". You'll see some exception URLs, some local directory/file paths, some unique IDs... There are more of them than in the past. One weird ID value is said to be user-assigned, yet I didn't set it. Did you?

Was it in the past AdBlock's blog - an article about the NoScript's malicious and deceptive operation in the past?
Can you trust it without the code review? Is anyone going to audit it, or continue assuming it's OK for anonymity?

Various agencies probably delight in the TorBrowser community using this mysterious NoScript for so long. Or is it perhaps an agenda? Yes, low priority, not enough people/time, etc.

uMatrix as an alternative, per Rise-up advice? It may not have the whatever "ClearClick" defense, but is more open and seems to have a better reputation. So far.

> "Can you trust [NoScript] without the code review? Is anyone going to audit it, or continue assuming it's OK for anonymity?"

Whom ever told you that is spreading false information

The NoScript extension contains the source code. You just need to unzip it. The whole source code is publicly available in every each XPI.

From the author Giorgio's:
- - -
"This topic was about the availability of a public version-controlled repository, not about the availability of the source code or the validity of its GPL, which is not "a claim", but the license NoScript is released under not just on AMO or my website, but in several GNU Linux distributions including the source-only Gentoo."
"You've got it on your hard disk right now, if you're a NoScript user, otheriwise you can download it here."
"You can examine and/or modify it by unzipping the XPI and the JAR inside, and "building" it back by rezipping both.
It's been like that for ever, since the very first version."
- - -
See Giorgio's reply at http://forums.informaction.com/viewtopic.php?p=9212#p9212

Cheers,

-Francewhoa

>> "Can you trust [NoScript] without the code review? Is anyone going to audit it,
>> or continue assuming it's OK for anonymity?"
>
> Whom ever told you that is spreading false information
>
>The NoScript extension contains the source code. You just need to unzip it.
>The whole source code is publicly available in every each XPI.

You introduced the "Red Herring" fallacy. The original subject here is a lack of the security review, and not a lack of the published source code.

There is a big difference. One can download and look at the code all day long and still miss something like an allowance for a certain dynamic encrypted advertisement/backdoor frame. Or something like this: https://adblockplus.org/blog/attention-noscript-users
https://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-…

A couple of years ago or so, one of the Tor developers replied in this blog that NoScript has not been audited due to lack of resources / low priority / whatever.

Unless already being done, a regular security audit of NoScript code is still needed.

>Unless already being done, a regular security audit of NoScript code is still needed.

I await breathlessly for you to donate the time and money for one. You have the source code, what's stopping you?

- just another satisfied tor user

for just a while saw a comment from someone hopes it worked in mobiles too..

yes it dose.. check here pls.(but .. yet can't find his comment after i got below link ) .. it's real: lol ;)

>> https://guardianproject.info/apps/orbot/

Hi Tor Network
Am I safe from monitoring and tracking in a situation that is less secure and what is your advice in order not to know my identity by the security services?
Thank you Team Network Tor

Good job

In previous version it was impossible to Likes and retweets on Twitter But in this version, this problem has been fixed.it's election season in Iran And it was very necessary

thanks so much

lovely

Hello,

Is the homograph attack a concern? I mean internationalized domain names, like using cyrillic letters instead of latin ones in URLs. I never liked changing default settings in about:config and I usually don't turn on javascript while browsing clearnet using Tor, so I won't change the network.IDN_show_punycode setting, but there are people who could be at risk.
If somebody wants to know more, please read Wikipedia's "IDN homograph attack" article.

Thank you for your attention.

I'm having the same question. Is it ok to manually change this in about:config?

See explanation and sample website on
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

The epic example does not always work fine.
This example works better, even in Tails!

Not exactly an apple domain
https://www.xn--80ak6aa92e.com/

Except in Torbrowser it is.
I'll show this, https://www.аррӏе.com/

We have a bug to discuss what we do about it: https://trac.torproject.org/projects/tor/ticket/21961.

thx. what about manually change it, possible or problem?

avast reports virus 'IDP.Generic'

Tor Version 6.5.2

firefox.exe

Is that OK?

Same here on FF and Waterfox. Avast put it in the virus chest, then I up'd the version of Waterfox and Avast put that .exe in the virus chest also. Next step is to remove and then install both but ... I'm also thinking there is a second component to this virus that lurks elsewhere waiting for another exe to show up.

installing this, messed up my other browsers completely

> messed up my other browsers completely

What do you mean by that?

thank yuo

Why can't I use Magnet downloads?

magnet worked here with a download program
hope you find a solution

TOR ALWAYS goes to US 67.92.173,228 ALWAYS, ALWAYS, ALWAYS, ALWAYS,

Who is that? NSA?????????????????

Perhaps you would like
https://www.torproject.org/docs/faq#EntryGuards
?

This is a feature, to protect you from attacks over time.

For way way way more details, also check out
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…

Maybe you should write another article on the new entry guard algorithm (proposal 271-another-guard-selection) to raise more awareness about this :)

+1

The Future of Freedom: A Feature Interview with NSA Whistleblower William Binney

https://vimeo.com/117440574