Tor Browser 7.0.4 is released

Tor Browser 7.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr) we include a new Tor stable release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.21) and NoScript (5.0.8.1).

In this new release we continue to fix regressions that happened due to the transition to Firefox 52. Most notably, we avoid the scary warnings popping up when entering passwords on .onion sites without a TLS certificate (bug 21321). Handling of our default start page (about:tor) has improved, too, so that using the searchbox on it is working again and it does no longer need enhanced privileges in order to function.

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser 7.0.3) is:

  • All Platforms
    • Update Firefox to 52.3.0esr
    • Update Tor to 0.3.0.10
    • Update Torbutton to 1.9.7.5
      • Bug 21999: Fix display of language prompt in non-en-US locales
      • Bug 18913: Don't let about:tor have chrome privileges
      • Bug 22535: Search on about:tor discards search query
      • Bug 21948: Going back to about:tor page gives "Address isn't valid" error
      • Code clean-up
      • Translations update
    • Update Tor Launcher to 0.2.12.3
      • Bug 22592: Default bridge settings are not removed
      • Translations update
    • Update HTTPS-Everywhere to 5.2.21
    • Update NoScript to 5.0.8.1
      • Bug 22362: Remove workaround for XSS related browser freezing
      • Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
    • Bug 21321: Exempt .onions from HTTP related security warnings
    • Bug 22073: Disable GetAddons option on addons page
    • Bug 22884: Fix broken about:tor page on higher security levels
  • Windows
    • Bug 22829: Remove default obfs4 bridge riemann.
    • Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
  • OS X
    • Bug 22829: Remove default obfs4 bridge riemann.
Anonymous

August 12, 2017

Permalink

Please fix:
- start standalone tor;
- start torbrowser;
- all ok;
- close standalone tor;
- start standalone tor;
- all ok, but tor circuit become hidden in torbutton

and add onion version of blog.torproject.org (missing in https://onion.torproject.org)

Anonymous

August 12, 2017

Permalink

Hi, is it normal that the tor circuit network to be so slow ? Can't even watch a video on youtube correctly since some days :/
Takes me up to 30 mn to find a circuit able to load the videos :/

Do I have to check something in the settings ? Any suggestion ?

Anonymous

August 12, 2017

Permalink

How can I enable the function which re-establishes tabs of last session? I see it is grayed out. TY.

Anonymous

August 12, 2017

Permalink

When turn on Tor Browser 7.0.4 and previous versions, in Noscript recently blocked sites it says "aliexpress.com". Only Tor Browser does this not Firefox.

Anonymous

August 13, 2017

Permalink

about:config -> browser.chrome:

favicons and site icons should be disabled (toggled FALSE) for various reasons.

Anonymous

August 13, 2017

Permalink

The function for reestablishing tabs from a previous session is disabled (grayed). How can I enable it? TY

I'd suggest making sure there's a trac.torproject.org ticket about the topic, else it's likely to get lost. Keeping track of blog threads is not easy, and definitely not the right place for keeping track of potential bugs. :)

Ok, but then why did you guys ask me substantive questions in the original thread instead of directing me to create a ticket straight away?.. This gave the impression that this (the blog) was also a valid avenue to discuss bugs.

Often things can get solved without creating tickets in our bug tracker which is why I tried to get information that would help me reproducing your bug. But so far I don't see this behavior on any of my machines and you are the only one reporting it. I've opened https://trac.torproject.org/projects/tor/ticket/23342 for this issue with another question for you.

(1) I tried re-installing Tor Browser 7.0.4 on my system again (as I had done here https://blog.torproject.org/comment/269931#comment-269931 with version 7.0.2), same result, AdBlock loses its settings.

BTW, how do I get rid of the annoying warning not to maximize my window?.. I tried pressing the "Ok" button, I tried pressing the cross next to the "Ok" button, same result - warning reappears. I know with previous reinstalls the warning would disappear after a while. But how do I get the browser to understand I am serious about keeping my window maximized? :) I mean, how many presses on those buttons does it take?

(2) I see the ticket, thank you. So you want me to install Firefox ESR, right? I already have regular Firefox (with uBlock Origin, not AdBlock Plus) and Tor Browser. How do I proceed to ensure installing Firefox ESR does not mess up my main Firefox profile, settings, etc?

Re (1) It takes 3. You can disable this early if you want by flipping the extensions.torbutton.resize_new_windows preference. (Thanks for testing again)

Re (2) if you run the installer you choose the custom installation where you can specify a path for the ESR to be installed. If you are starting with your old profile (not sure if you have more than one) then you can create a new one on about:profiles. After a restart you should get the option to choose between your main profile and the newly created testing one.

Also, surely, I CANNOT be the only one relying on a combination of Tor Browser + AdBlock Plus to protect my privacy and security!.. One simply HAS to use an adblocker (if not to block ads, then to block trackers) if one were to attempt to browse safely and privately. So this issue HAS to affect a lot of other people. Or am I the only one??? I don't think I have some unique configuration, pretty run-of-the-mill stuff...

Ok, then why does the Tor Browser in Tails come with a pre-installed uBlock Origin? :)

And even if you think adblockers and their ilk don't enhance one's privacy, how about security? Using adblockers is almost universally recommended by computer / IT security experts. Bruce Schneier, to name just one.

https://mailman.boum.org/pipermail/tails-dev/2014-November/007299.html ff. and the discussion on tails-dev in October 2014 has some more information about their stance. IIRC it was seen as a political statement.

Regarding security: I guess those blockers are recommended to "normal" browser users not having a specially crafted browser available. For the security part we have the security slider included into Tor Browser.

Ok, I guess you are mostly :) right on privacy and security. (However, suppose someone keeps the security slider on Low, for more convenient browsing. Wouldn't an adblocker still offer protection against, I don't know, stuff like malware being served in 1x1 transparent pixel ads?)

But, I mean, come on, I think you gotta concede on the sheer horrendousness of adblock-free browsing!.. I don't think I can add much to this:

>> Why give shitty ads to our users when it's easy to avoid them? I
>> think a good number of them are going to manually install and
>> persist adblock, which will be worse than having it by default
>> for everybody (I assure you, nobody ever complained that ads
>> are blocked).

Another thought, which hadn't occured to me earlier for some reason. :)

Browsing with adblockers is known to be significantly FASTER. I think it's a pretty important consideration for Tor Browser, which is, after all, known for being slow! (Not the browser itself, obviously, but the Tor network itself.)

Anonymous

August 15, 2017

Permalink

https://trac.torproject.org/projects/tor/ticket/22981
JS in Medium over https: trusted key not key holder, minimize surface.

https://trac.torproject.org/projects/tor/ticket/23151
https://trac.torproject.org/projects/tor/ticket/22985
https://trac.torproject.org/projects/tor/ticket/22982
https://trac.torproject.org/projects/tor/ticket/22980
+others

Maintain largest user pool, diverge from default High only per component per tab.

Current High/Medium/Low option ensures each user signals a divide between themselves, splitting the largest pool based on subjective "feels" creating three separate identifiable pools. Implement as default "Your Tor Browser is at highest.." with option to "reduce security level for minimal *"
Per basic component: *Video, Audio, in browser Email Encryption etc per tab via click to play menu?

Anonymous

August 15, 2017

Permalink

https-everywhere 2017.08.15 stable release doesn't work properly.
the small option window in toolbar is blank and there is no option menu in about:addons.

Anonymous

August 16, 2017

Permalink

What's with all of the France and Germany nodes? Often I'll see:

France
France
France

Germany
Germany
France

Germany
France
Germany

Germany
Germany
Germany

and so on.

Anonymous

August 16, 2017

Permalink

New HTTPS Everywhere add-on (v.2017.8.15) is broken in current Linux, 64-bit, TBB version.

Manually/auto update(s) install the add-on, but when you click on the blue box it opens up a white box with no text and one check mark for some invisible option. Removed and reinstalled previous version (v.5.2.21).

I have the same problem. Did anyone even bother to test the updated addon before releasing it?

See, this is what concerns me. They say to update the included addons which ship with TBB but when something like this happens, couldn't it have other ripple effects including but not limited to potential security/privacy issues?

> See, this is what concerns me. They say to update the included addons which ship with TBB but when something like this happens, couldn't it have other ripple effects including but not limited to potential security/privacy issues?

Yes. The plan moving forward is to disable auto-updates for all built in addons.

See:
https://trac.torproject.org/projects/tor/ticket/22974
https://trac.torproject.org/projects/tor/ticket/10394

Anonymous

August 16, 2017

Permalink

I seem to not be able to run Tor v7 on my windows 7 enterprise laptop. Has anyone else had this problem? I have had to reload earlier versions of Tor (V6) in place of the upgraded Tor version.

Anonymous

August 16, 2017

Permalink

7.0.4 : bug /attack
noscript : removed 5 lines set on https tab vs https forced of course (cookies checked !)
noscript : permissions = no set vs proxy/tor
https everywhere : set unblocked vs https block all unencrypted requests of course (red)

x3 install until a clean install
sandbox not affected

interference of the user behavior using terminal or usual task ? i do not think so.
suspicion of a sophisticated attack/a very bad relay/a big bug lol

Anonymous

August 17, 2017

Permalink

'HTTPS EVERYWHERE" sort of corrupts itself after every few days of using "TB 7.0.4". All items/options from the drop down menu which appears after pressing the 'https everywhere' icon disappear. Only two checkboxes & the word "version" remain. Anyone with similar experience or info about the cause and its solution ? OS:- WIN 7

Thanks for the quick response. Question:- Can't we just remove 'https everywhere' from addons and then reinstall it from mozilla's addons in tor browser itself only ? FYI:- I did this once it seemed to work well enough as far as all the items/options, etc got back into there former (active & being there) state.Is doing this allright ? Although one thing seems obvious, that this will be a shortlasting solution.Untill there is a sure fix. (Wanted to keep 'noscript' enabled globally) If i am making a mistake by acting on the procedure mentioned above, please 'warn' me ! Please reply !

This may break incremental updating. Since this issue is a browser bug at the core, I don't expect fetching the addon from a different source to give different results, assuming the versions are the same.

As an alternative, you can selectively disable automatic updates for addons under `about:addons`, which should prevent

Anonymous

August 21, 2017

Permalink

Is the maximize-window-warning handling a bad joke??

Site is loading, WRONG click, browserwindow pops maximizing, site seeing
monitor size, THEN maximize-warning pops up.
What? Are you kidding me?

Warning must popup/asking before browser maximize.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

7 + 13 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.