Tor Browser 7.0.4 is released

by boklm | August 08, 2017

Tor Browser 7.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr) we include a new Tor stable release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.21) and NoScript (5.0.8.1).

In this new release we continue to fix regressions that happened due to the transition to Firefox 52. Most notably, we avoid the scary warnings popping up when entering passwords on .onion sites without a TLS certificate (bug 21321). Handling of our default start page (about:tor) has improved, too, so that using the searchbox on it is working again and it does no longer need enhanced privileges in order to function.

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser 7.0.3) is:

  • All Platforms
    • Update Firefox to 52.3.0esr
    • Update Tor to 0.3.0.10
    • Update Torbutton to 1.9.7.5
      • Bug 21999: Fix display of language prompt in non-en-US locales
      • Bug 18913: Don't let about:tor have chrome privileges
      • Bug 22535: Search on about:tor discards search query
      • Bug 21948: Going back to about:tor page gives "Address isn't valid" error
      • Code clean-up
      • Translations update
    • Update Tor Launcher to 0.2.12.3
      • Bug 22592: Default bridge settings are not removed
      • Translations update
    • Update HTTPS-Everywhere to 5.2.21
    • Update NoScript to 5.0.8.1
      • Bug 22362: Remove workaround for XSS related browser freezing
      • Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
    • Bug 21321: Exempt .onions from HTTP related security warnings
    • Bug 22073: Disable GetAddons option on addons page
    • Bug 22884: Fix broken about:tor page on higher security levels
  • Windows
    • Bug 22829: Remove default obfs4 bridge riemann.
    • Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
  • OS X
    • Bug 22829: Remove default obfs4 bridge riemann.
Tags
tor browser
tbb
tbb-7.0
khled.8@hotmai.com

Anonymous (not verified) said:

August 09, 2017

Permalink

They should make the icon and name of the Tor Browser more discrete and/or customizable, in case there may be more than one person using the computer it is installed on. It would be nice to be able to change the Icon to something else, and change the name associated with it to something else. Or maybe offer an alternative install option, just for "same computer privacy" issues. In which the installation of the Tor Browser is given a different name, install path, etc. Other local users may not be as responsible with its use if they found out about it.

What system are you on asking for this so someone can tell you how to do it? An onion on the desktop is an attention seeking conversation starter. I replaced mine with a great big A in a circle and labeled it FU! ;)

When Tor browser bundle is closed no browser history is retained. If any expert is able to view all the files on your device it would be trivial to determine that you have Tor browser bundle installed, even if the name and icon is changed. Using bridges with pluggible transports can make it very difficult for local users to determine that your using tor. You can get bridges with pluggable transports at bridges.torproject.org

khled.8@hotmai.com

Tester (not verified) said:

August 09, 2017

Permalink

DownThemAll AddOn is installed but will not show in Tools or context menu, why?
In 7.0.2 it was working perfectly.

After a clean install on macOS the DownThemAll AddOn runs fine again.

It seems something gets broken on automatic upgrade of the TorBrowser bundle. I reinstalled a fesh 7.0.2, added the DTA, check it was working. Then waited for the automatic upgrade, restarted the Browser, checked again and DTA was not showing up in the menu anymore.
I deleted the TorBrowser-Data folder and restarted again, but nothing changed. Removed the AddOn, restarted, reinstalled DTA, checked: nothing, restarted, checked again: nothing.

Strange, but as long as the AddOn runs fine again after a clean install I am fine with it.

Hm. I tried to reproduce that on my Linux box but I can't. Could you set extensions.logging.enabled on your about:config page and check your browser console (with Ctrl+Shift+J) after this happens again and report back if there are any related error messages visible?

Thank you so much!

icon appears now immediately );
but puny_code is still set to false ;(
Torsandbox ? not found !

When will the sandbox with bubblewrap be available on macOS?

Never.

Something comparable could be built but is not something I have any plans of working on. If you wish to see it happen and have $250k US or so to fund such a project, e-mail me.

Will macOS get any type of sandbox for Tor Browser bundle.

int he past you said that a sandbox would be available on macOS.

Which operating system will the sandbox support?

We need a sandbox for Linux, OSX, and Windows. I’m working on the Linux one. The Tor browser team is looking at OSX. In the future we’d like to do Windows.
https://blog.torproject.org/blog/q-and-yawning-angel

"looking at".

IIRC they made seatbelt profiles, I'm not sure if they're any good though.

Anyway, the original question is totally nonsensical because bubblewrap is a tool that relies entirely on Linux namespaces and seccomp-bpf, neither which are available on OSX.

Right, the plan was to test and use seatbelt profiles. We need to revisit that and think about future plans given breakages like #22000 (see in particular https://trac.torproject.org/projects/tor/ticket/22000#comment:7 for the problem at hand).

Keep up the awesome work, guys. I (and probably thousands of people) use Tor Browser daily.

Many more than thousands. look here https://metrics.torproject.org/userstats-relay-country.html

I'd like a PARANOID Security Level option added to the slider, right above the High setting.

Enabling this option would enable the most.. paranoid of configurations, blocking as much as possible and really locking things down. Because even at the High setting, there are too many things NOT locked down.

Which are missing in your opinion?

You probably lack the time, but I wish at least one Tor dev was regularly skimming the Wikileaks Vault 7 documents, Citizen Lab tech reports on reverse engineered state-sponsored malware, etc., trying to make sure that you are not missing any technical clues which could assist you in improving Tor Browser's resistance to state-sponsored malware. I suspect that you could skim several dozen such documents and find nothing relevant to Tor, but then the very next one would tell you something you really need to know. To find the interesting one you might have to read dozens of boring ones, that's the catch.

Many thanks to you and all the other devs for your hard work! I often feel that our very lives depend upon it.

I don't see that option on the Mac OS x? sha256: 0a227d179cdd1096c877f9836097eb38ed554fbae6657753a72690a183e2766d

Have you looked at the file containing the signed bundes? https://dist.torproject.org/torbrowser/7.0.4/sha256sums-signed-build.txt. It's shown there.

7.0.4 - set the security settings to high, notice globalscript icon isn't crossed out, check manually - allow scripts globally (dangerous) is still checked as enabled. wtf.

Does this happen with a clean Tor Browser 7.0.4? On which platform?

Edit: More importantly: on which page is this happening. Note that we exempted the Tor Browser startpage, about:tor, from those restrictions as it is a trusted page and it would be broken otherwise.

What is the latest update

Question: Is server-versions in cached-microdesc-consensus only a suggestion, 0.2.4.24&0.2.4.23 are routable too, or only torversions in server-versions are
routable?

I cant open https websites in this version.
Returns:

Secure Connection Failed

An error occurred during a connection to www.google.com. SSL received an unexpected extension. Error code: SSL_ERROR_RX_UNEXPECTED_EXTENSION

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Does that only happen with google.com? Even after a restart of Tor Browser?

All https connections in all websites.

Same issue here. Both in 7.0.4 and alpha version.
Firewall off no antivirus.

I have noticed some versions below, that updating over the TorBrowser itself caused my antivirus Avast to report an infection. In that case i've deleted my old version and installed the new archive from the website - without any problems. The last version without any founds was 7.0.1.

The newest update will acted the same but this time in the new version 7.0.4 and the fresh Alphaversion 7.5a4 will reported as virusses - not only from Avast - many other tools will do it too (Malwarebytes Antimalware, EEK). I think this is a false positive but what if it is not? TorBrowser Win7 32bit

This was found:
Avast: firefox.exe - IDP.ALEXA.51
torbrowser-install-7.0.4_en-US.exe - IDP.GENERIC
Malwarebytes-Free: firefox.exe - Trojan.Agent.E

Other Tools will found similar infections...

Using Linux now until this case is closed as save...

Is that the official Tor Browser binary, downloaded from our website? It should be signed with a digital signature from us. And verifying the GPG signature should show that it is signed by our signing key

Well, if it would not be a false positive then all our Linux build machines would need to be infected with the same viruses/trojans or better: would need to have tools installed that implant those trojans/viruses into the executables during build or after it. We use several different build machines to verify that we get bit-for-bit matching binaries before we release a new version which is a defense against compromising one build machine and infecting the resulting binaries with malware.

So given that, I still believe those reports are false positives.

I can't tell if your complaining avast is right or not. But I have even seen my avast stop the download of the avast antivirus update file some time ago. The file to be downloaded 100% sure came from the avast site. I was stunned :) The solution was to use the avast live updater on several machines in our classroom one after the other.

But in your case: asking is ok. Better safe than sorry

Thanks! OK!

Just wanted to suggest a "New Tor Circuit for this site" button be added to the toolbar since it would make things much easier than having to always press Ctrl+Shift+L

We are currently thinking about redesigning the toolbar in Tor Browser, feel free to chime in in https://trac.torproject.org/projects/tor/ticket/23151.

Hi my friends.
thanks this program. this program is very excelent...
thank you.....thank you

Sehr geehrte Damen und Herren

Ich bin begeistert von Ihrer Alternative.

Mit freundlichen Grüssen

Siegmar Koehler

Tor Browser 7.0.2 and 7.0.4 (OS X 10.9.5) cause 85-95% CPU usage when scrolling through Facebook (https://www.facebookcorewwwi.onion/) news feed. This issue probably has been existed since 7.0.0. Does anyone notice this? Now I have to switch back to 6.0.8.

Which security slider level are you on? If not "low" does this happen with "low" as well?

It is always at default (low).

By the way, the high CPU usage doesn't all happen at once but will increase more and more as I scroll down the news feed.

I deliberately selected "never check for updates (not recommended: security risk)". But it still updates to 7.0.4 on its own.

UPDATER and FIREFOX - in Tor Browser\Browser both in capitals - were quarantined.

After the "update", all browser extensions were gone and the startpage was an ordinary Mozilla Firefox one, leaving me with a stripped Tor Browser.

What the hell happened?

It seems your antivirus/firewall tool thought the update is some malware and decided unilaterally to break Tor Browser. I guess one way you could try to work around that is installing Tor Browser new again. Or better: you could think about removing/replacing your antivirus/firewall tool.

An error occurred when shutting down browser.

APPCRASH
firefox.exe
52.3.0.6242
00000000
nssckbi.dll_unloaded
0.0.0.0
00000000
c0000005
71b7da4c
6.1.7601.2.1.0.320.65
1042
0a9e
0a9e372d3b4ad19135b953a78882e789
0a9e
0a9e372d3b4ad19135b953a78882e789

That's https://trac.torproject.org/projects/tor/ticket/22581. We are working on it and hope to have it fixed soon.

On a Mac should I not see the obfs4 bridge? On My Mac I still see the bridge but it looks like it should of been removed according to the update "Bug 22829: Remove default obfs4 bridge riemann."

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

About text formats
CAPTCHA

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

4 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.