Tor Browser 7.0.4 is released

Tor Browser 7.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr), we include a new Tor stable release (0.3.0.10), an updated HTTPS-Everywhere (5.2.21) and an updated NoScript (5.0.8.1).

In this new release we continue to fix regressions caused by the transition to Firefox 52. Most notably, we avoid the scary warnings that popped up when entering passwords on .onion sites without a TLS certificate (bug 21321). Handling of our default start page (about:tor) has improved, too: the search box on it works again, and the page no longer needs enhanced privileges in order to function.

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser 7.0.3) is:

  • All Platforms
    • Update Firefox to 52.3.0esr
    • Update Tor to 0.3.0.10
    • Update Torbutton to 1.9.7.5
      • Bug 21999: Fix display of language prompt in non-en-US locales
      • Bug 18913: Don't let about:tor have chrome privileges
      • Bug 22535: Search on about:tor discards search query
      • Bug 21948: Going back to about:tor page gives "Address isn't valid" error
      • Code clean-up
      • Translations update
    • Update Tor Launcher to 0.2.12.3
      • Bug 22592: Default bridge settings are not removed
      • Translations update
    • Update HTTPS-Everywhere to 5.2.21
    • Update NoScript to 5.0.8.1
      • Bug 22362: Remove workaround for XSS related browser freezing
      • Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
    • Bug 21321: Exempt .onions from HTTP related security warnings
    • Bug 22073: Disable GetAddons option on addons page
    • Bug 22884: Fix broken about:tor page on higher security levels
  • Windows
    • Bug 22829: Remove default obfs4 bridge riemann.
    • Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
  • OS X
    • Bug 22829: Remove default obfs4 bridge riemann.
Anonymous

August 09, 2017

Permalink

They should make the icon and name of the Tor Browser more discreet and/or customizable, in case there may be more than one person using the computer it is installed on. It would be nice to be able to change the Icon to something else, and change the name associated with it to something else. Or maybe offer an alternative install option, just for "same computer privacy" issues. In which the installation of the Tor Browser is given a different name, install path, etc. Other local users may not be as responsible with its use if they found out about it.

What system are you on asking for this so someone can tell you how to do it? An onion on the desktop is an attention seeking conversation starter. I replaced mine with a great big A in a circle and labeled it FU! ;)

When Tor browser bundle is closed no browser history is retained. If any expert is able to view all the files on your device it would be trivial to determine that you have Tor browser bundle installed, even if the name and icon are changed. Using bridges with pluggable transports can make it very difficult for local users to determine that you're using Tor. You can get bridges with pluggable transports at bridges.torproject.org

Anonymous

August 09, 2017

Permalink

DownThemAll AddOn is installed but will not show in Tools or context menu, why?
In 7.0.2 it was working perfectly.

After a clean install on macOS the DownThemAll AddOn runs fine again.

It seems something gets broken on automatic upgrade of the TorBrowser bundle. I reinstalled a fresh 7.0.2, added the DTA, checked it was working. Then waited for the automatic upgrade, restarted the Browser, checked again and DTA was not showing up in the menu anymore.
I deleted the TorBrowser-Data folder and restarted again, but nothing changed. Removed the AddOn, restarted, reinstalled DTA, checked: nothing, restarted, checked again: nothing.

Strange, but as long as the AddOn runs fine again after a clean install I am fine with it.

Hm. I tried to reproduce that on my Linux box but I can't. Could you set extensions.logging.enabled on your about:config page and check your browser console (with Ctrl+Shift+J) after this happens again and report back if there are any related error messages visible?

Never.

Something comparable could be built but is not something I have any plans of working on. If you wish to see it happen and have $250k US or so to fund such a project, e-mail me.

"looking at".

IIRC they made seatbelt profiles, I'm not sure if they're any good though.

Anyway, the original question is totally nonsensical because bubblewrap is a tool that relies entirely on Linux namespaces and seccomp-bpf, neither of which are available on OSX.

Anonymous

August 09, 2017

Permalink

I'd like a PARANOID Security Level option added to the slider, right above the High setting.

Enabling this option would enable the most.. paranoid of configurations, blocking as much as possible and really locking things down. Because even at the High setting, there are too many things NOT locked down.

You probably lack the time, but I wish at least one Tor dev was regularly skimming the Wikileaks Vault 7 documents, Citizen Lab tech reports on reverse engineered state-sponsored malware, etc., trying to make sure that you are not missing any technical clues which could assist you in improving Tor Browser's resistance to state-sponsored malware. I suspect that you could skim several dozen such documents and find nothing relevant to Tor, but then the very next one would tell you something you really need to know. To find the interesting one you might have to read dozens of boring ones, that's the catch.

Many thanks to you and all the other devs for your hard work! I often feel that our very lives depend upon it.

Anonymous

August 09, 2017

Permalink

7.0.4 - set the security settings to high, notice globalscript icon isn't crossed out, check manually - allow scripts globally (dangerous) is still checked as enabled. wtf.

Does this happen with a clean Tor Browser 7.0.4? On which platform?

Edit: More importantly: on which page is this happening. Note that we exempted the Tor Browser startpage, about:tor, from those restrictions as it is a trusted page and it would be broken otherwise.

Anonymous

August 10, 2017

Permalink

Question: Is server-versions in cached-microdesc-consensus only a suggestion, 0.2.4.24 & 0.2.4.23 are routable too, or only Tor versions in server-versions are routable?

Anonymous

August 10, 2017

Permalink

I can't open https websites in this version.
Returns:

Secure Connection Failed

An error occurred during a connection to www.google.com. SSL received an unexpected extension. Error code: SSL_ERROR_RX_UNEXPECTED_EXTENSION

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Anonymous

August 10, 2017

Permalink

I have noticed some versions below, that updating over the TorBrowser itself caused my antivirus Avast to report an infection. In that case I've deleted my old version and installed the new archive from the website - without any problems. The last version without any findings was 7.0.1.

The newest update acted the same, but this time the new version 7.0.4 and the fresh alpha version 7.5a4 are reported as viruses - not only by Avast - many other tools do it too (Malwarebytes Antimalware, EEK). I think this is a false positive but what if it is not? TorBrowser Win7 32bit

This was found:
Avast: firefox.exe - IDP.ALEXA.51
torbrowser-install-7.0.4_en-US.exe - IDP.GENERIC
Malwarebytes-Free: firefox.exe - Trojan.Agent.E

Other tools found similar infections...

Using Linux now until this case is closed as safe...

Is that the official Tor Browser binary, downloaded from our website? It should be signed with a digital signature from us. And verifying the GPG signature should show that it is signed by our signing key.

Well, if it would not be a false positive then all our Linux build machines would need to be infected with the same viruses/trojans or better: would need to have tools installed that implant those trojans/viruses into the executables during build or after it. We use several different build machines to verify that we get bit-for-bit matching binaries before we release a new version which is a defense against compromising one build machine and infecting the resulting binaries with malware.

So given that, I still believe those reports are false positives.
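The cross-check described in the reply above, sketched as an added example (not Tor Project code): digests reported by several independent build machines are compared, and a download is accepted only if it matches a digest they all agree on. The builder names, the `.dmg` file name and the byte strings are constructed, and each manifest's signature is assumed to have been verified already.

```python
import hashlib
import re
from collections import defaultdict

# sha256sum line: 64 hex chars, a space, " " or "*" (binary mode), then the file name
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_manifest(text):
    """Parse sha256sum-style text into {filename: lowercase digest}; reject malformed lines."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        digest, name = m.group(1).lower(), m.group(2)
        if sums.get(name, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting entries for {name}")
        sums[name] = digest
    return sums

def cross_check(manifests, min_builders=2):
    """manifests: {builder: manifest text}. Return ({file: agreed digest}, {file: reason})."""
    seen = defaultdict(dict)  # file -> {builder: digest}
    for builder, text in manifests.items():
        for name, digest in parse_manifest(text).items():
            seen[name][builder] = digest
    agreed, rejected = {}, {}
    for name, by_builder in seen.items():
        digests = set(by_builder.values())
        if len(by_builder) < min_builders:
            rejected[name] = "too few independent builds"
        elif len(digests) > 1:
            rejected[name] = "builders disagree: " + ", ".join(sorted(by_builder))
        else:
            agreed[name] = digests.pop()
    return agreed, rejected

def verify_download(name, data, agreed):
    """True only if the file was cross-checked and its SHA-256 equals the agreed digest."""
    return agreed.get(name) == hashlib.sha256(data).hexdigest()

# Constructed sample: stand-in bytes, not real Tor Browser binaries.
GOOD, BAD = b"constructed build output", b"constructed build output + implant"
EXE, DMG = "torbrowser-install-7.0.4_en-US.exe", "example-artifact.dmg"
def line_for(data, name):
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"
MANIFESTS = {
    "builder-a": line_for(GOOD, EXE) + line_for(GOOD, DMG),
    "builder-b": line_for(GOOD, EXE) + line_for(BAD, DMG),  # one machine's DMG differs
    "builder-c": line_for(GOOD, EXE),
}
AGREED, REJECTED = cross_check(MANIFESTS)
```

A single builder whose output differs is enough to keep that artifact out of the agreed set, which is what makes compromising one build machine insufficient.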

I can't tell if your complaining avast is right or not. But I have even seen my avast stop the download of the avast antivirus update file some time ago. The file to be downloaded 100% sure came from the avast site. I was stunned :) The solution was to use the avast live updater on several machines in our classroom one after the other.

But in your case: asking is ok. Better safe than sorry

Anonymous

August 10, 2017

Permalink

Just wanted to suggest a "New Tor Circuit for this site" button be added to the toolbar since it would make things much easier than having to always press Ctrl+Shift+L

Anonymous

August 11, 2017

Permalink

Hi my friends.
Thanks for this program. This program is very excellent...
Thank you.....thank you

Anonymous

August 11, 2017

Permalink

Dear Sir or Madam,

I am thrilled with your alternative.

Kind regards,

Siegmar Koehler

Anonymous

August 11, 2017

Permalink

UPDATER and FIREFOX - in Tor Browser\Browser both in capitals - were quarantined.

After the "update", all browser extensions were gone and the startpage was an ordinary Mozilla Firefox one, leaving me with a stripped Tor Browser.

What the hell happened?

It seems your antivirus/firewall tool thought the update is some malware and decided unilaterally to break Tor Browser. I guess one way you could try to work around that is installing Tor Browser new again. Or better: you could think about removing/replacing your antivirus/firewall tool.

Anonymous

August 11, 2017

Permalink

An error occurred when shutting down browser.

APPCRASH
firefox.exe
52.3.0.6242
00000000
nssckbi.dll_unloaded
0.0.0.0
00000000
c0000005
71b7da4c
6.1.7601.2.1.0.320.65
1042
0a9e
0a9e372d3b4ad19135b953a78882e789
0a9e
0a9e372d3b4ad19135b953a78882e789

Anonymous

August 12, 2017

Permalink

On a Mac should I not see the obfs4 bridge? On my Mac I still see the bridge but it looks like it should have been removed according to the update "Bug 22829: Remove default obfs4 bridge riemann."
