Tor Browser 6.5a3-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.5a3-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

In addition to the changes from Tor Browser 6.5a3, the creation of incremental MARs for hardened builds is now fixed.

Note: Due to bug 20185 Tor Browser will not work correctly if the path where it is installed is too long. As a workaround you may need to move it to a directory with a shorter path.

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.9.2-alpha
    • Update OpenSSL to 1.0.2h (bug 20095)
    • Update Torbutton to 1.9.6.4
      • Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
      • Bug 17767: Make "JavaScript disabled" more visible in Security Slider
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
      • Bug 19837: Whitelist internal URLs that Firefox requires for media
      • Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
      • Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
      • Bug 14271: Make Torbutton work with Unix Domain Socket option
      • Translation updates
    • Update Tor Launcher to 0.2.11
      • Bug 14272: Make Tor Launcher work with Unix Domain Socket option
      • Bug 19568: Set CurProcD for Thunderbird/Instantbird
      • Bug 19432: Remove special handling for Instantbird/Thunderbird
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.4
    • Update NoScript to 2.9.0.14
    • Bug 19851: Fix ASan error by upgrading GCC to 5.4.0
    • Bug 17858: Fix creation of incremental MARs for hardened builds
    • Bug 14273: Backport patches for Unix Domain Socket support
    • Bug 19890: Disable installation of system addons
    • Bug 17334: Spoof referrer when leaving a .onion domain
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
    • Bug 20118: Don't unpack HTTPS Everywhere anymore
    • Bug 19336+19835: Enhance about:tbupdate page
  • Build system
    • All platforms
      • Bug 20133: Don't apply OpenSSL patch anymore
      • Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
Anon

September 20, 2016

(iMac 2.66 i5Quad Core late 2009 El Capitan 10.11.6)

Had the hardened version 6.5a2 which was working fine. I was waiting for the security update so I also installed and was temporarily using production version 6.0.5 which also was working fine. Both installations are in my Applications folder where they've always been installed (maybe bug 20185?). A day ago I installed ClamXav, which I used in the past, and did a full scan. No issues, no malware, etc., and no indication that Tor was suspect, EXCEPT now neither installation of Tor will work.

Tor Launcher Popup keeps saying Could not connect to Tor control port.

Other than the new ClamXav, I haven't made any other changes to my computer. I read in tonight's blogs that some folks had AVG indicate that TOR had a virus (or that AVG alerted a false-positive), so I removed Clam, restarted, and I still get the same issue.

I then removed both versions of Tor from my machine thinking a fresh download would do the trick. Same thing. It refused to start past the Tor network negotiation screen. There were different previous popups, when I had both copies installed, alerting that there may be a problem with the torrc file, or other software conflicts on my machine, etc. And until I resolved the problem, Tor would NOT start up.

Not sure what to do. It isn't critical for me to have Tor, however, I would like a working installation of it in case I do.

Firefox version beta 49.0 works fine; Safari version 10.0 also works fine.

Anon

September 21, 2016

Did the autoupdate, tor restarts and suddenly can't connect to the control port. Looked at all processes and nothing was lingering, it was a clean start. Redownloading now.....

My bad on the hardened version....I mean the OS X Experimental version. After perusing other sites on FF and Tor issues for the Mac, I wasn't getting anywhere. After seeing it as one of the caveats in the update, I was pretty sure it was Bug 20185 because I hadn't changed anything, except updating. I read a bit through a recent Tor bug report (from Tor's bug report site) and the suggestion to install a fresh Tor copy to the desktop was a good workaround (guess the path was short enough) and....it WORKED! Like a charm. Tor now opens just like before. I appreciate your suggestions to help....you were right with the Linux/Mac bug. Thank you.

Anon

September 21, 2016

Sometimes Tor Browser stops connecting via Tor network, I waited 10 minutes to see if it could connect to the websites again, not. I have to restart it but that means I have to re-login the account, which I don't like as I have to redo something, how to re-activate the Tor again with no restarting TBB?

From that first article itself:

In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.

The hypertext link under "added a feature" points to a closed ticket: https://trac.torproject.org/projects/tor/ticket/6253. (Note the use of javascript being necessary to make canvas fingerprinting work.)

The second article mentions evercookies, which are much more insidious, I think still require javascript, and I think still doesn't work against Tails with javascript disabled. Instead, by evercookies this article means flash cookies, but we all know: don't use Flash! (Don't we all?)

What remains interesting to us here is the existence of commercial organisations which are very interested in tagging us without respect for our privacy wishes, yet the techniques they use remain somewhat fuzzy ("90% accurate" for one javascript code for canvas fingerprinting).

Was there any other point to the post that I missed?

The ProPublica article by noted journalist Julia Angwin (author of the book Dragnet Nation) recommends using Tor Browser to try to circumvent canvas fingerprinting.

Just thought I'd point this out.

All seems fine here (Debian 8.6stable)

This version seems to improve the hardened builds' thirst for RAM.

Still maxing out mine after longer use but better than previous version I believe.

Figured out how to add a shortcut key combo for
tor-button "Privacy and Security Settings..."
This makes for a much better experience browsing the web and
quickly being able to change Security/javascript level.

Obs! I don't get executed if my identity is revealed so this may not be a
good practice for all

Really, really, really appreciate all of the help the Tor folks provide here. I'm amazed at how hard you work and am incredibly grateful. Thank You!

Plus one! You guys offer our best hope as ordinary citizens to resist the encroaching tide of fascism which is sweeping away civil rights and freedom of speech all over the globe.

Version 6.5.a3 DOES NOT WORK!
I have repeatedly installed/uninstalled/replaced with 6.5a2 and just tried it again.

IT WILL NOT LAUNCH.

I just discovered that when I try to launch it via LaunchBar I get an error message - error code 10810.

Version 6.5a2 works just fine every time I reinstall it. Then I install 6.5a3 and it won't open. No Console messages are created.

OS X 10.11.6

You are probably hitting bug 18753 or 20210. See comment 15 there for an explanation and a possible remedy.

Okay, your comment is #16, which makes mine #15.
You just told me to read my own message.

Bugs 18753 and 20210 aren't mentioned anywhere on this page except your reply, so where am I supposed to look for "an explanation and a possible remedy?"

My Console hasn't been working right lately - can't get it to stay on the current time, it keeps displaying earlier events even when I hit the Now button.
So I didn't see any messages yesterday when my message was posted.

Now when I launch Tor from Finder I get a message that TorBrowser.app can't be opened, and Console throws these messages:

10/3/16 9:58:00.354 AM com.apple.xpc.launchd[1]: (org.mozilla.tor browser.67872[31510]) Could not find and/or execute program specified by service: 13: Permission denied: /Applications/TorBrowser.app/Contents/MacOS/firefox
10/3/16 9:58:00.354 AM Finder[31410]: spawn_via_launchd() failed, errno=111 label=org.mozilla.tor browser.67872 path=/Applications/TorBrowser.app/Contents/MacOS/firefox flags=1 : LaunchApplicationClient.cp #1136 LaunchApplicationViaLaunchDJobLabel() q=com.apple.root.default-qos
10/3/16 9:58:00.354 AM Finder[31410]: spawn_via_launchd() failed, errno=111 label=org.mozilla.tor browser.67872 path=/Applications/TorBrowser.app/Contents/MacOS/firefox flags=1
10/3/16 9:58:00.354 AM com.apple.xpc.launchd[1]: (org.mozilla.tor browser.67872[31510]) Service setup event to handle failure and will not launch until it fires.

The file is signed by unknown key 0xC3C07136, is this ok?

Is this signed with a new PGP key?

There is a new subkey, yes. The longid is 0xD1483FA6C3C07136. You'll find information regarding our signing keys on https://www.torproject.org/docs/signing-keys.html.en.
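
The exchange above, as an added example that is not part of the original post or the Tor Project's code: a signature made with a new subkey shows up as an unknown key until the keyring is refreshed, and the safe check afterwards is the primary key fingerprint, not the 32-bit short ID. The Python below assumes GnuPG's `--status-fd` line layout (`NO_PUBKEY`, `BADSIG`, `VALIDSIG`); both fingerprints are constructed placeholders, and only the long ID 0xD1483FA6C3C07136 comes from the page.

```python
# Added example: interpret `gpg --status-fd 1 --verify` output for a release file.
PINNED_PRIMARY = "B" * 40  # constructed placeholder; pin the real primary fingerprint
SUBKEY_FPR = "A" * 24 + "D1483FA6C3C07136"  # constructed; only the long ID is from the page

# Constructed status output: before and after the new subkey is in the keyring.
BEFORE_REFRESH = (
    "[GNUPG:] ERRSIG D1483FA6C3C07136 1 8 00 1474300000 9\n"
    "[GNUPG:] NO_PUBKEY D1483FA6C3C07136\n"
)
AFTER_REFRESH = (
    "[GNUPG:] GOODSIG D1483FA6C3C07136 Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + SUBKEY_FPR + " 2016-09-19 1474300000 0 4 0 1 8 00 "
    + PINNED_PRIMARY + "\n"
)

def normalize(key_id):
    """Upper-case a key ID or fingerprint and drop a leading 0x."""
    k = key_id.strip().upper()
    return k[2:] if k.startswith("0X") else k

def short_id(key_id):
    """Low 32 bits, the form older tools print; too short to identify a key."""
    return normalize(key_id)[-8:]

def check_signature(status_text, pinned_primary=PINNED_PRIMARY):
    """Return (verdict, detail) from GnuPG machine-readable status lines."""
    missing, valid, bad = None, None, False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag, args = fields[1], fields[2:]
        if tag == "BADSIG":
            bad = True
        elif tag == "NO_PUBKEY" and args:
            missing = normalize(args[0])
        elif tag == "VALIDSIG" and len(args) >= 10:
            # args[0] is the signing (sub)key, args[9] the primary key fingerprint
            valid = (normalize(args[0]), normalize(args[9]))
    if bad:
        return ("reject", "signature does not match the file")
    if valid:
        signer, primary = valid
        if primary == normalize(pinned_primary):
            return ("accept", "signed by subkey " + signer[-16:] + " of the pinned primary")
        return ("reject", "valid signature, but primary key is not the pinned one")
    if missing:
        return ("refresh-key", "signing key " + missing + " not in keyring")
    return ("reject", "no usable signature status")
```

A `refresh-key` verdict means the keyring lacks the signing subkey; the file is accepted only once `VALIDSIG` names the pinned primary key.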

Can not run hardened version with grsec patched kernel

Yes, this is unfortunate. We have https://bugs.torproject.org/19413 for it.

What is the difference between version 6.0.5 and 6.5a3-hardened?

I always get the message when opening this new build "Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system, or faulty hardware. Until you restart Tor, the Tor Browser will not able to reach any websites. If the problem persists, please send a copy of your Tor Log to the support team. Restarting Tor will not close your browser tabs." message.

Where do you extract your hardened bundle to?