Tor Browser 7.0.6 is released

Tor Browser 7.0.6 is now available from the Tor Browser Project page and also from our distribution directory.

[UPDATE: the dist server was temporarily messed up, but it should be better now. Sorry for the troubles!]

This release features important security updates to Firefox.

This release includes security updates for Firefox (52.4.0esr) and a new Tor stable version (0.3.1.7), the first one in the 0.3.1 series. In addition, we updated the HTTPS Everywhere and NoScript extensions we ship. We also fixed minor usability issues and a bug which, under particular circumstances, caused all tabs to crash after closing a single one.

Note: The release date in the changelog displayed after the update is incorrect. The actual release date is September 28.

The full changelog since Tor Browser 7.0.5 is:

  • All Platforms
    • Update Firefox to 52.4.0esr
    • Update Tor to 0.3.1.7
    • Update Torbutton to 1.9.7.7
      • Bug 22542: Security Settings window too small on macOS 10.12 (fixup)
      • Bug 20375: Warn users after entering fullscreen mode
    • Update HTTPS-Everywhere to 2017.9.12
    • Update NoScript to 5.0.10
    • Bug 21830: Copying large text from web console leaks to /tmp
    • Bug 23393: Don't crash all tabs when closing one tab
  • OS X
    • Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist

Thanks for the report. The issue should be fixed now.

https://trac.torproject.org/projects/tor/ticket/23694

Anonymous

September 28, 2017

Permalink

How much longer will the Tor Browser be based on Firefox ESR? I like Tor, but I disdain Firefox ESR. I want to reap the benefits of the latest Firefox features like the Quantum Project and have my internet traffic flow through Tor.

That's hard to say, probably for a while. We need to audit all the new code and write patches if needed every six weeks, which is a lot of work. That's just one of the issues. Another one is that Mozilla needs many more candidate builds to get the release right (for Firefox 56 they needed 6), thus there is a considerable increase in release engineering workload for us included as well, even though the issues they had this time could be seen as an exception. And it would drastically reduce our own time for testing our release builds.

OMG noooo! Too many crap features, stay with the more stable ESR. Actually Firefox should reversely base their ESR on Torbrowser ESR (that would become the Firefox TESR version) because the torbrowser version is the best ESR version. Probably simply because it has even more stripped the crap out of the browser code.
Mac OS X users should know that by experience because on older (OS X) versions Firefox was unstable from version 31 (a bit) to 38 (more) to 45 (just unusable) while Torbrowser ESR kept on working just fine. Therefore it is still tragic that torproject keeps following mozilla (ditching users).
One could almost redefine the earlier question like "How much longer will the Tor Browser be based on Firefox?" But then the question is, what would be a good alternative?

Nothing can replace Firefox as a basis for Tor. Firefox is even backporting a truckload of Tor Browser patches into main Firefox, so the proximity between the two browsers is actually increasing, along with the relationship between their respective developers.

How much longer will the Tor Browser be based on Firefox ESR?

IMO, I hope TorBrowser never switches off of ESR - that is, unless they switch off of Firefox completely.

I want to reap the benefits of the latest Firefox features like the Quantum Project and have my internet traffic flow through Tor.

And I'm looking to avoid most of the so-called "features" of the new Firefox - particularly the new extension system that breaks every extension out there - most of them unfixably. I like the idea of browser-agnostic extensions, but why couldn't they keep the old extension system running concurrently while they figure out and fix all the shortcomings of the new one? Oh, I forgot, Firefox doesn't have any shortcomings - all the features they've taken out were taken out because you didn't need them, anyway. :-Þ

Anonymous

September 28, 2017

Permalink

Update HTTPS-Everywhere to 2017.9.12: it runs fine, thank you.
Update NoScript to 5.0.10: it runs fine, thank you.

Bug #23620 and others are caused by HTTPS-Everywhere. With it disabled:

xx/xx/2017 00:46:29.300 [NOTICE] Heartbeat: Tor's uptime is x days xx:59 hours, with 3 circuits open. I've sent xxx.xx MB and received x.xx GB.
xx/xx/2017 00:46:29.300 [NOTICE] Average packaged cell fullness: 61.493%. TLS write overhead: 5%

Enabled it:

xx/xx/2017 01:40:00.800 [NOTICE] Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for some of our primary entry guards
xx/xx/2017 01:40:00.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We're missing descriptors for some of our primary entry guards
xx/xx/2017 01:56:44.400 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.

No anonymous way to report bugs other than through these comments. OFTC doesn't work over Tor.

Hm. I don't really see how HTTPS-Everywhere would have an effect here as this traffic is originating in tor not in the browser and hence the extension has no influence over it. How is that supposed to happen?

Should be fixed now (see the blog update above).

Anonymous

September 29, 2017

Permalink

I tried to update my Tor browser twice today, but each time the update was going on forever, without being completed - are there still problems?

The dist server was temporarily messed up; however, the update files for the internal updater are hosted on a different server which was not affected.

Anonymous

September 29, 2017

Permalink

Is it possible to configure this Tor Browser release in order to use the "ConnectionPadding =1" option included in the Tor 3.1.7 ? Does it make sense?

Cheers
Anonymous

Unfortunately there isn't much we can do to stop it. Tor saves lives, and that responsibly disclosing bugs to us is far better than participating in Zerodium's program would put lives at risk.

Anonymous

September 29, 2017

Permalink

Do some of these environment variables not work anymore?

TOR_CONFIGURE_ONLY TOR_SOCKS_HOST TOR_SOCKS_PORT TOR_CONTROL_HOST TOR_CONTROL_PORT TOR_CONTROL_COOKIE_AUTH_FILE

After the update the torbrowser can't reach my separately started tor process anymore.
Is there any workaround?

Found the solution. The environment variables are still working. But the tor argument "ControlListenAddress IP:PORT" is not working anymore. Instead you have to use "ControlPort IP:PORT".

Anonymous

September 29, 2017

Permalink

Why was the shorthand pgp verification syntax removed for Linux in the docs (it remains for OS X)? I seem to remember it used to be shown for both. It works fine for Linux. For example:

gpg --verify tor-browser-linux64-7.0.6_en-US.tar.xz{.asc*,}

I don't have to man gpg because I KNOW the syntax I gave originally works. You think I just posted that without having used that syntax before and it working under Linux perfectly???

Why should I have to type both arguments in the long syntax when I can just type the short syntax and have it work? That would be wasteful and stupid. My question was not whether the syntax works, which it does, but why the Tor documentation shows it as only working for Mac, when it works for Linux as well.
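
The shorthand in the comment above relies on bash brace expansion: FILE{.asc*,} becomes FILE.asc* FILE, and the glob then has to match exactly one signature file. As an added example (not from the commenter or the Tor Project documentation; the function names are hypothetical), this wrapper checks that condition before calling gpg --verify in the explicit two-argument form:

```shell
#!/bin/sh
# Added example; find_signature and verify_download are hypothetical names.
#
# In bash,   gpg --verify FILE{.asc*,}
# expands to gpg --verify FILE.asc* FILE
# and FILE.asc* is then matched against the directory contents.
# gpg treats the first argument as the detached signature and every
# following argument as signed data, so a stray second match
# (for example FILE.asc.1 from a repeated download) changes what is checked.

# Print the path of the detached signature only if exactly one exists.
find_signature() {
    data=$1
    [ -f "$data" ] || { echo "missing data file: $data" >&2; return 1; }

    # Same glob the shorthand uses. With no match, sh and bash leave the
    # pattern as a literal string, which the -f test below rejects.
    set -- "$data".asc*
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one signature for $data, got: $*" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Verify a download once the signature/data pair is unambiguous.
# The signing key must already be in the local keyring.
verify_download() {
    sig=$(find_signature "$1") || return 1
    gpg --verify "$sig" "$1"
}

# Usage: verify_download tor-browser-linux64-7.0.6_en-US.tar.xz
```
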

Anonymous

September 29, 2017

Permalink

tiny bug:
noscript (update 5.1.0) icons disappear after clicking TBB 'new identity' twice.

Yes I am, this is bullshit. I can't enable two factor encryption because by the time it finishes the calculation, the 30 second timeout has already passed so I get the message two factor setup failed. I tried dozens of times. We need a way to disable this!

Is that still an issue for you? We had issues with our download server on Friday which might have caused this.

Anonymous

September 30, 2017

Permalink

Since then, Noscript has auto-updated to 5.1.0 and has now vanished from both Tor and regular Firefox. One of the reasons auto update can be a really bad thing.

Anonymous

September 30, 2017

Permalink

Before this update I could watch youtube streams without problem on lowest security setting.
That is no longer the case, as the videos are now just buffering; forever.

Does this work again after restarting your Tor Browser?

Before this update I could watch them on the medium security setting, but not any more.

I just get error messages. Previously I also had all the functionality of Youtube when not going through Tor, but this has disappeared as well.

Will we be able to get back to the former situation any time soon?

Thanks

What do you mean with "Previously i also had all the functionality of Youtube when not going through Tor". Are you running Tor Browser? If so, how did you configure it to not run over Tor?

I just tested the medium settings and after whitelisting some media it works for me on Youtube. But that has been needed in previous versions as well. How have you been used to watch videos on a medium-high setting?

What I mean by the "functionality of Youtube" is all of the features of YouTube that I had when not watching it over Tor.

Yes, previously (I can't remember the Tor version, as I don't watch YT much) with, in about:config, Javascript Enabled 'True' left as it is and with medium security on the slider, I could watch YT normally, without any whitelisting.

Anonymous

September 30, 2017

Permalink

Hello,
I often get this message when opening a site. Do you know why? What should I do?

This page can't be displayed. Contact support for additional information.
The incident ID is: 1182314419488.

Thanks

Not sure where this is coming from but it seems the website that you want to go to is blocking Tor users. There is, alas, not much we can do to prevent that as all of the (exit) servers are public. I think the best would be to contact this website asking them to allow Tor users as well.

Anonymous

October 02, 2017

In reply to by didier.amann@l… (not verified)

Permalink

If it happens often, that is not normal: your system is misconfigured.
If you are on Linux, you can reach me here [ list101 at elude.in ].
If not, you should consider using a VPN in addition to Tor; there are free ones.

Why: your request made through Tor is treated as a threat, an attack, unauthorized access: blocked.
What to do: configure your OS better, or even use a VPN, and try a bridge with Tor.
You can also cheat by accessing the site through an indirect link or in another language.

Avoid English and American servers: the blocking is a sign of increased surveillance.

Anonymous

September 30, 2017

Permalink

So the bottom line is TOR, as of this release, will no longer work for the bunch of us still clinging to WinXP SP3? Don't know why I was under the impression TOR would continue to update allowing XP users to stay safe. Hope I'm missing something here.

Tor Browser will be working for XP users until we switch to Firefox 59 ESR which will happen with Tor Browser 8 around June 2018. That said, we can't help you stay secure, though, as Windows XP has not received any security updates for a while now.
