Tor Browser 6.5a1 is released

A new alpha Tor Browser release is available for download in the 6.5a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Tor Browser 6.5a1 is the first release in our 6.5 series. It updates Firefox to 45.2.0esr and contains all the improvements that went into Tor Browser 6.0. Compared to that there are additional noteworthy things that went into this alpha release: we bumped the Tor version to 0.2.8.3-alpha and backported additional security features: exploiting the JIT compiler got made harder and support for SHA1 HPKP pins got removed.

On the infrastructure side, we are now using fastly to deliver the update files. We thank them for their support.

Here is the complete changelog since 6.0a5:

  • All Platforms
    • Update Firefox to 45.2.0esr
    • Update Tor to 0.2.8.3-alpha
    • Update Torbutton to 1.9.6
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Bug 18980: Remove obsolete toolbar button code
      • Bug 18238: Remove unused Torbutton code and strings
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 12523: Mark JIT pages as non-writable
    • Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
    • Bug 19164: Remove support for SHA-1 HPKP pins
    • Bug 19186: KeyboardEvents are only rounding to 100ms
    • Bug 18884: Don't build the loop extension
    • Bug 19187: Backport fix for crash related to popup menus
    • Bug 19212: Fix crash related to network panel in developer tools
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • OS X
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Linux
    • Bug 19189: Backport for working around a linker (gold) bug
  • Build System
    • All PLatforms
      • Bug 18333: Upgrade Go to 1.6.2
      • Bug 18919: Remove unused keys and unused dependencies
      • Bug 18291: Remove some uses of libfaketime
      • Bug 18845: Make zip and tar helpers generate reproducible archives
Mateus

June 07, 2016

Permalink

The update is repeating itself.
Update > downloading > upgrade > restart > show TBB notes
> I close TBB > open again > back to home

There were incremental updates but they did not get used due to a bug (see: https://trac.torproject.org/projects/tor/ticket/19348 for details). The side-effect was the updater falling back to an en-US full update (which is only intended for locales we are not supporting yet in Tor Browser). https://blog.torproject.org/blog/tor-browser-601-released#comment-185048 as a workaround although getting a new Tor Browser might be safer.

Mateus

June 08, 2016

Permalink

SOCKS_USERNAME="--unknown--" SOCKS_PASSWORD="7"
34 BUILT
SOCKS_USERNAME="--unknown--" SOCKS_PASSWORD="8"
35 BUILT
Is this OK? (As TBB starts "thinking" slowly when refreshes a webpage.)

The catchall circuit is force refreshed periodically by altering the password, but the snippet you posted is devoid of time information, so I can't tell if it's doing it earlier than it should be or not.

This is also how the "New Tor Circuit for this Site" command works.

Mateus

June 08, 2016

Permalink

after this update , the bundle crashes, as in the browser just closes on its own, there was no problem with the previous version, I noticed it first after a copy paste, but later it just crashed on its own , its broken fix it

Mateus

June 09, 2016

Permalink

shasum is not matching download

https://dist.torproject.org/torbrowser/6.5a1/sha256sums-unsigned-build…
4a893be28dc925a5054e051820c698c605fd997089926a118b701ffa9b6393fa TorBrowser-6.5a1-osx64_en-US.dmg

https://dist.torproject.org/torbrowser/6.5a1/
https://dist.torproject.org/torbrowser/6.5a1/TorBrowser-6.5a1-osx64_en-…
$ shasum -a 256 /----/----/TorBrowser-6.5a1-osx64_en-US.dmg
63cbbd87864c4422d72a3f34048658c2261132079e7f5399b4c91b687f8e2fe8

Tested on different computers with different os x
same dismatch

This is to be expected. The SHA256 sums are for the DMGs without the OSX Gatekeeper signatures ("sha256sums-UNSIGNED-build.txt), while the DMGs you can download are signed, so it will not match.

Eventually it will be possible to strip off the Gatekeeper signature information to compare SHA256 sums (See https://trac.torproject.org/projects/tor/ticket/18925), but verifying integrity of the downloads should be done with PGP to begin with.

Mateus

June 09, 2016

Permalink

i HAD AUTO UPDATES TURNED OFF AND TOR UPDATES ANYWAY! THE NOSCRIPT IS SHUT OFF WHEN USING STARTPAG SEARCH, i THINK THE AUTO UPDATE COMPROMISES THE TOR PROGRAM IN SOME WAY.

Mateus

June 10, 2016

Permalink

This new 6.5 version again does not work for me just like 6.0.1 did not! I was fine before 6.0.1 running on Windows 10 but now nothing works. Really cannot understand what has gone wrong but have been without TOR for more than 2 weeks now. Can anyone help guide me in the right direction please?

We have numerous reports from Windows users that usually boil down to some software on their computer interfering with Tor, like antivirus/firewall software. The first thing you can try is to uninstall those for testing purposes (disabling is not enough).

Mateus

June 10, 2016

Permalink

i can handle more memory usage should i use this version or stable version? i am thinking this version is hardened but might be targeted by adverseries using the new alpha updates or another vector...please let me know

Mateus

June 10, 2016

Permalink

I just updated and now it will not start.

I downloaded a new one to USB, that updated itself and now that will not start.

Mateus

June 11, 2016

Permalink

Widows 10 user, Tor browser no longer works since last update. Have no Antivirus/firewall software.

Mateus

June 13, 2016

Permalink

My 2c
With any new installation of the 6.xx the root setup icon will not run but the same file inside the torbrowser directory will run the 1st time setup, then the installation root icon switches to the normal tor-browser and will run. It did this consistently so in every try. This was on Debian 8.5 amd64

An other issue I've had on this same system with 2Gb memory was that the 6.5a1 64hardened will run close to the border of memory and will eventually crash the system. This was with a single tab opened and nothing else running. I switched to a 6.01 64bit and the same thing wouldn't use a quarter of the memory

I wonder if anyone else has had the same problem

All is well now.
Question, https-everywhere has been reuptdated, should we use this new edition?
Also is eff privacy badger plug-in safe to use?

Mateus

June 16, 2016

Permalink

dear tech support,

win 7 64bit

since the 6.0 update did not work, i had copy of version 5 something that i am using and removed the update file so i cannot update.

i even tried to run from multiple machines all windows based but still no luck, even on brand new machine with no security software, firewall disabled.

looking forward to speedy resolution.