Tor Browser 7.0.6 is released

by boklm | September 28, 2017

Tor Browser 7.0.6 is now available from the Tor Browser Project page and also from our distribution directory.

[UPDATE: the dist server was temporarily messed up, but it should be better now. Sorry for the troubles!]

This release features important security updates to Firefox.

This release includes security updates for Firefox (52.4.0esr) and a new Tor stable version (0.3.1.7), the first one in the 0.3.1 series. In addition to that we updated the HTTPS Everywhere and NoScript extensions we ship. Moreover, we fixed minor usability issues and a bug which, under particular circumstances, caused all tabs to crash after closing single one.

Note: The release date in the changelog displayed after the update is incorrect. The actual release date is September 28.

The full changelog since Tor Browser 7.0.5 is:

  • All Platforms
    • Update Firefox to 52.4.0esr
    • Update Tor to 0.3.1.7
    • Update Torbutton to 1.9.7.7
      • Bug 22542: Security Settings window too small on macOS 10.12 (fixup)
      • Bug 20375: Warn users after entering fullscreen mode
    • Update HTTPS-Everywhere to 2017.9.12
    • Update NoScript to 5.0.10
    • Bug 21830: Copying large text from web console leaks to /tmp
    • Bug 23393: Don't crash all tabs when closing one tab
  • OS X
    • Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist
Tags
tor browser
tbb
tbb-7.0
Anonymous

JR (not verified) said:

September 30, 2017

Permalink

Browser won't update ("Failure (unknown reason)"). I've tried a buch of times on different days and circuits.
Using Tor 7.0.4 linux 64bit (20170202040101)

Is that still a problem for you? I just downloaded a "fresh" 7.0.4 and updated to 7.0.6 without problems on my 64bit Linux box. If the problem still persists could you set app.update.log to true and open the browser console (Ctrl+Shift+J) before you are starting the update to check whether you get some error messages in it?

Anonymous

googletor (not verified) said:

September 30, 2017

Permalink

Problem with google captcha. After successfully completing the Google captcha I get the following message even though I have allowed noscript to allow temporary scripts.

Our systems have detected unusual traffic from your computer network. Please try your request again later. Why did this happen?

IP address: 51.15.37.97
Time: 2017-10-01T04:37:52Z
URL: https://www.google.nl/search?q=nslookup+online&ie=utf-8&oe=utf-8&client…

Anonymous

Chuck Rhode (not verified) said:

September 30, 2017

Permalink

I'm not seeing a way to "temporarily enable *javascript* for ['this' or any particular] site." I believe there used to be some *noscript* menu options in the onion menu. These seem to be gone now on all security slider settings. Perhaps the new *noscript* has a different interface. Is there a *noscript* icon somewhere I should be clicking on?

Not today :-)

I could have sweared I restarted a couple of times the other day, though. Maybe I wasn't looking for the *noscript* icon in the right place then. Today it's showing (in spot 2 of 2) to the right of the *https everywhere* icon.

The *noscript* icon has its own context menu with the functionality I require.

Thanks for your response.

The NoScript icon has disappeared

That should be fixed by a restart and is tracked in https://trac.torproject.org/projects/tor/ticket/23724.

- do not restart : it does not work , it came from the update of noscript (5.1.1).
- download another tar.z : it works without trouble.
another funny bug : i do not remember how many i reported it since the beginning of the year , 10 ? 20 ? bug bounty should be less deaf about these alerts from users ... who give them a good opportunity to make money & have a job ... ;)

I actually think the NoScript icon (and NoScript working) is indeed coming back after a restart.

Regarding the bug bounty program: feel free to report your findings to hackerone.com/torproject and we'll look at them.

NoScript 5.1.1 icons and contextual menu disappear if you click "Forget about browsing history" *twice* in one session. NoScript appears to still be running. Reappear if you quit and restart. (Win 7)

Where do I find the "Forget about browsing history" option to click?

i think this refers to "Forget about this site" in History panel ctrl+h (or in ctrl+shift+h)

Tor Browser + the latest Noscript bug:

https://www.reddit.com/r/TOR/comments/73l86t/orbot_and_now_tor_bb_noscr…

You need to fix the add-on icon situation.
It's like every time I use Tor Browser for an extended period of time, after a while the add-ons (I think sometimes through updates) will change whether they're on left or right side, visible or non-visible (on the panel). This must have identification-implications. To solve this you should have some add-on wide rule (show all in panel vs hide all) that locks them like this and preventing add-on updates from changing this.

I think your latest issue is caused b< https://trac.torproject.org/projects/tor/ticket/23724 and we hope to have a fix for that one soon. Apart from that I am not aware of any icons floating around on the toolbar. It certainly did not happen to me over the years and we are trying to make sure the icons stay at their place. Do you have steps to reproduce the problems you have seen in the past?

Tor crashes / won't open until I disable Trusteer Rapport - A big problem as I need to remember to re-enable it

Yes, this is a big and an old problem. We have https://trac.torproject.org/projects/tor/ticket/8337 for that one. Alas, there is not much we can do if you are allowing Trusteer to run on your system as it interferes with Tor Browser and it seems Trusteer is not willing to fix that.

You could add it to Windows DLL Blocklist to stop the noise.

HTML5 WebAudio not working in TOR v7
in TOR v6 the sound works, in firefox 52 - works

http://websdr.sp3pgx.uz.zgora.pl:8901/
Your browser does not seem to support HTML5 WebAudio

Thanks, I opened https://trac.torproject.org/projects/tor/ticket/23729 to further investigate your issue.

The web site https://www.yougetsignal.com/tools/open-ports/ will not display its output. the browser security is set for low and the I tried several transport types.

Does it work after restarting your browser?

Yes. it now works.

Thx

My Yosemite Mac has 2 torbrowser process when torbrowser is started up. Is this correct operation?

Yes, it shows that the content sandbox is active (which is good). The parent process which is responsible for all the browser menus and other privileged parts/code is starting the content process soon after start-up where all the websites run in. That allows to enforce security policies which should make it harder to exploit the browser.

Then something is wrong with the operation. After restarting my Mac running Yosemite I no longer see 2 tor browser process when I start up the Tor browser, I only see one process.

If you open about:support what value do you get in the "Multiprocess Windows" row?

for what it's worth, in Windows 7, in TBB 7.0.6 (based on Mozilla Firefox 52.4.0) (32-bit), copied from about:support:
Multiprocess Windows 1/1 (Enabled by default)

Also, web search for
about:support "Safe Mode false"
finds (from late 2015 into 2017) differing values for the Multiprocess Windows line

The value is Multiprocess Windows = 1/1 (Enabled by default)

This update skipped all the settings I had done manually in NoScript Options dialog menu. I disabled java and javascript much time before now and they were stored across all previous updates, but after this one I revealed that java and javascript were enabled again without any notification. (Button "Crossed S in the red circle" changed to "S! and no red circle")

That might in fact be due to a NoScript update. Do you get your settings back after restarting the browser?

I restored my settings immediately on noticing that the button changed to S! So I can't say how torbrowser would have behaved after restart in case I haven't touched settings. And yes, the (manually) restored settings are now persistent across restarts.

smeels like NoScript will be soon our new CCleaner

I just updated loaded 6.0,7 But when I started Tor it says I am out of date and is offering me a 61.1 MB update.
Does this make sense or am I being hacked?

After the update, which version number is showing up in the upper right corner on the about:tor page? If it is 7.0.6, do you still get the offer to update when you click on the hamburger menu on the right side of the toolbar and then on the "?" and then on "About Tor Browser"?

HTTP-blocking, counting in HTTPS-Everywhere aren't working. Security slider high, javascript off.
Noscript with more practicality is working normal with the same browser setting.
Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
https://trac.torproject.org/projects/tor/ticket/23258 is
fixing that?

Yes, but if you are disabling JavaScript in your about:config that fix won't have any effect. WebExtensions need JavaScript to run.

Noscript with more practicality(?) is working normal with JavaScript disabled in
about:config. HTTPS-Everywhere should do, too?
If not, may introduce a usefull setting for blocking ALL http-traffic in about:config?

JavaScript generally on for running WebExtensions is a .....little wild idea especially when you are running pure Firefox without NoScript.

Yes, I think Mozilla fixed that with https://bugzilla.mozilla.org/show_bug.cgi?id=1329731. I was just talking about Tor Browser as it is right now.

I have noticed that the Tor circuit always shows "Bridge: Obfs4 (United States)", when I look at my "Tor circuit for this site". It never changes from (United States). Is that normal?

Yes. For some reason you've told Tor Browser that you need to use bridges in order to get to the Tor network.

Bridges are treated similarly as guards. It's normal for you to use one for very long periods of time without changing. https://www.torproject.org/docs/faq.html.en#EntryGuards

how do I tell Torbrowser not to use bridges? I thought this is the default operation of torbrowser is to use Tor bidges such as OBFS4, OBFS3, meek-azure, meek-amazon.

You click on the green onion next to the URL bar and choose Tor Network Settings... and then you uncheck the "My Internet Service Provider..." option.

https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dh…

Is this a problem with Tails?

noscript doesn't block frames/iframes

You can try on ebay: Look for any item, click on any offer. Usually you get a description of the item/offer in an iframe. If frames and iframes are forbidden in the settings of noscript you will have to click on the noscript icon on the upper left corner of the frame in order to get the description of the item offered on ebay.. This works correctly with noscript 5.1.1 in a regular firefox, but not within tor browser. The last version of noscript did block the frames, but the noscript icon was missing. This behaviour seems to be due to the tor browser and / or the noscript version of tor browser, because it doesn't occur within the regular firefox.

Another point concernig noscript: On several sites you will see the bottom of the page instead of the top. Try it on: "http://www.duden.de/" – for instance. This behaviour seems to be due to noscript, because it has been occurring for several versions of noscript, both in the tor browser and the regular firefox