Tor Browser 7.5a1 is released

Tor Browser 7.5a1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 7.5a1 is the first alpha in the 7.5 series. It updates Firefox to 52.2.0esr and contains all the improvements that went into versions 7.0 and 7.0.1. In addition to that it includes Tor version 0.3.1.3-alpha and sandboxed-tor-browser version 0.0.7.

Here is the full changelog since 7.0a4:

  • All Platforms
    • Update Firefox to 52.2.0esr
    • Update Tor to 0.3.1.3-alpha
    • Update Torbutton to 1.9.7.4
      • Bug 22542: Security Settings window too small on macOS 10.12
      • Bug 22104: Adjust our content policy whitelist for ff52-esr
      • Bug 22457: Allow resources loaded by view-source://
      • Bug 21627: Ignore HTTP 304 responses when checking redirects
      • Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
      • Translations update
    • Update Tor Launcher to 0.2.12.2
      • Bug 22283: Linux 7.0a4 is broken after update due to unix: lines in torrc
      • Translations update
    • Update HTTPS-Everywhere to 5.2.18
    • Update NoScript to 5.0.5
    • Update sandboxed-tor-browser to 0.0.7
    • Bug 22362: NoScript's XSS filter freezes the browser
    • Bug 21766: Fix crash when the external application helper dialog is invoked
    • Bug 21886: Download is stalled in non-e10s mode
    • Bug 22333: Disable WebGL2 API for now
    • Bug 21861: Disable additional mDNS code to avoid proxy bypasses
    • Bug 21684: Don't expose navigator.AddonManager to content
    • Bug 21431: Clean-up system extensions shipped in Firefox 52
    • Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
    • Bug 16285: Don't ship ClearKey EME system and update EME preferences
    • Bug 21972: about:support is partially broken
    • Bug 21323: Enable Mixed Content Blocking
    • Bug 22415: Fix format error in our pipeline patch
    • Bug 21862: Rip out potentially unsafe Rust code
    • Bug 16485: Improve about:cache page
    • Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
    • Bug 22458: Fix broken `about:cache` page on higher security levels
    • Bug 18531: Uncaught exception when opening ip-check.info
    • Bug 18574: Uncaught exception when clicking items in Library
    • Bug 22327: Isolate Page Info media previews to first party domain
    • Bug 22452: Isolate tab list menuitem favicons to first party domain
    • Bug 15555: View-source requests are not isolated by first party domain
    • Bug 5293: Neuter fingerprinting with Battery API
    • Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
    • Bug 22468: Add default obfs4 bridges frosty and dragon
  • Windows
  • OS X
    • Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0
  • Linux
    • Bug 16285: Remove ClearKey related library stripping
    • Bug 21852: Don't use jemalloc4 anymore
  • Android
    • Bug 19078: Disable RtspMediaResource stuff in Orfox
Anonymous

June 19, 2017

Permalink

16:55:36.918 ReferenceError: event is not defined 1 browser.xml:1207:17
handleEvent chrome://global/content/bindings/browser.xml:1207:17

1# May i ask if we can run through our own hosted nodes? instead of actively connecting to None trusted nodes? Such as hosting your vary own guard or exit node. so we can trust our exit and guard from doing correlation attacks.

You only need to have a trusted guard node, doing so is easy by changing the torrc

Well, sticking to a chosen guard node is easy by changing the torrc. Having one that's trusted is much more complicated. :)

In particular, you need to think about the network observers between you and the guard, and you need to think about whether somebody might guess which guards you trust and then either a) attack them to get to you, or b) make assumptions about traffic they see coming from those guards to other relays.

You can read much more about guard research issues here:
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…
But long story short, I think a lot of people want to tweak and mess with things when they'll be safer and happier just leaving them un-messed-with.

Hi! I got a question. What about:config settings stand behind the new "Security Settings" slider?

I would like to better understand the mechanics of it, not the least because I want to be sure there's nothing I should additionaly tweak in about:config settings. Does this slider only change about:config settings or does it do more than that?

Yes, it does just change about:config settings. You'll find them here: https://gitweb.torproject.org/torbutton.git/tree/src/modules/security-p… ff.

Thank you. What was the state of these settings in previous releases of the TorBrowser? Was it "low" by default prior to intruducing the slider?

Yes.

20:43:20.686 TypeError: realSpellChecker is null 1 InlineSpellCheckerContent.jsm:55:5

20:40:15.652 Error: aboutMemory.js assertion failed: _amount already set for non-leaf node 1 aboutMemory.js:85:11
assert chrome://global/content/aboutMemory.js:85:11
fillInNonLeafNodes chrome://global/content/aboutMemory.js:1260:9
fillInNonLeafNodes chrome://global/content/aboutMemory.js:1242:22
fillInNonLeafNodes chrome://global/content/aboutMemory.js:1242:22
fillInTree chrome://global/content/aboutMemory.js:1270:3
appendProcessAboutMemoryElements chrome://global/content/aboutMemory.js:1522:5
displayReports chrome://global/content/aboutMemory.js:1087:7
updateAboutMemoryFromReporters/processLiveMemoryReports/displayReportsAndFooter chrome://global/content/aboutMemory.js:526:9

We tell all Linux user in Iran or any one, please use tail 3.0 and TOR separately for the deep state in Iran. Watch all Iranian sett-elite TV from any where in the world without deep state of Iran knows. We shall over come the most terrorist occupier of Iranian people . Iranian people love USA and EU and we are not any way hate any one nations. We only hate mullahs.

First, thank you for Tor! I have a $100 money order to support this project going out in tomorrow's mail.

Since you say it is not safe to use add-ons, why don't you include some sort of native non-'referer' feature?

Why, after I delete every history that can be deleted, do I see my history come up in the URL box?

I am not happy with this last release. I used to be able to control which sites I would allow to run scripts. Now, it seems that my favorite sites scripts won't run at all, even when the slider is full open! Nothing fancy, they're just ordinary forums.

I have exactly the same problem as many, that it doesn't start. I have windows 7 64 bit. Tor use to work with my antivirus and firewall. I keep reading close them both and try again. I have done that and still no luck. I refreshed the installation of I have installed it in a different location still no luck.

Does the stable (7.0.1) Tor Browser work for you?

I am not a Tor Browser dev, but ...

- Tor Browser fixed this issue or a similar one a long time ago. See here.

- Things like this are why it is much smarter to use Tor Browser instead of trying to patch up any other browser. Tor Browser is a lot more than a couple addons and config changes that you can make yourself.

Are you citing comments from bugzilla for me?
The main thing there is

However the same issue do not exist in 53.0 beta edition.

Firefox 53 has something that 52-based Tor Browser doesn't have.

The main thing there is:

> We have a patch to prevent that kind of thing happening as we got bitten by this kind of issue in the past. So, this is not a problem for Tor Browser based on ESR52.

Since updating to TBB 7 twitter automatically reverts to it's mobile version when I visit the site. I don't actually know if it's a TOR issue or some autofeature of twitter when the bandwidth is low, but it happens always and regardless of amount of traffic.
I read android users encountered the same problem but unlike them, TOR has no feature to request desktop version. Maybe you could add something like that (not just for twitter) or figure out if TBB is causing the problem. Thank you.

It looks like twitter is sending you a meta refresh request, wrapped in a noscript tag.

That means if you have javascript disabled, then your Browser will honor the meta refresh request, and off you'll go to the mobile version of Twitter.

Okay, but the thing is, I disable JS rarely and never when visiting twitter. Anyways, what can I do to avoid my browser responding to the refresh request? Or is my browser somehow corrupted?

Hi,
Since upgrading to the TOR v. 7.5a1, I notice that the first node on my connection circuit stays the same.
Regardless of how many times I request a "New Tor Circuit for this site," my browser remains pointed to the same URL.
I'm naturally concerned about this because
a) I was able to change all three nodes previously after each request, and
b) Whoever owns that node can easily identify my browser details and identity.
I hope this issue can be resolved soon.
Best Regards

> a) I was able to change all three nodes previously after each request, and

No you weren't.

> b) Whoever owns that node can easily identify my browser details and identity.

No they can't.

Thanks for the reply. I remain convinced about (a).

Why does the first node stay the same?

> I remain convinced about (a).

Don't let something that's been part of the design and the implementation for years keep you from your delusions.

> Why does the first node stay the same?

https://www.torproject.org/docs/faq.html.en#EntryGuards

My original question remains unanswered.
I have collected more than two dozen pages of notes consisting of hundreds of different combinations of URLs for the Tor circuit nodes.

In each combination, the entry node is different; it's always changed after each request for either "New Identity," or "New Circuit for this site," resulting in a new set of three URLs.

However, as of a few days ago, the entry node for the circuit has frozen and is no longer changing on request.

I did not find the answer to my question in the links posted by arma or yawning. In fact yawning, or someone else, deleted my earlier reply, posted more than 24 hours ago.

My confidence in TOR is rapidly eroding, while my suspicions are growing!

> In each combination, the entry node is different; it's always changed after each request for either "New Identity," or "New Circuit for this site," resulting in a new set of three URLs.

If this actually happened (which I sincerely doubt) it would have been a major bug that dramatically reduces both the security and anonymity.

> However, as of a few days ago, the entry node for the circuit has frozen and is no longer changing on request.

Good, that's how Tor's path selection is supposed to work, as has been the case for years. In fact, every single browser release for as long as I can remember, gets people like you freaking out over the Guard design.

> In fact yawning, or someone else, deleted my earlier reply, posted more than 24 hours ago.

Wasn't me.

>gets people like you freaking out over the Guard design
Perhaps people like me have a good reason for "freaking out."
You write as if you are in some way superior to everyone else posting a message on this forum. I despise that attitude.
Do you represent Tor legally, or otherwise?
You should start worrying because someone hacked my PC and switched on the camera, while I was connected to a TOR circuit last week.

> Perhaps people like me have a good reason for "freaking out."

Because they don't understand that Tor uses Guards that persist for quite a while, between sessions?

If you're so sure about the previous behavior, why not prove it by downloading an old bundle (https://archive.torproject.org/tor-package-archive/torbrowser/) disabling the auto updater, and examining the circuits that get built. It's easy to prove right?

(I'm deliberately ignoring the genetic fallacies.)

>(I'm deliberately ignoring the genetic fallacies.)

I've been using TOR for several years, but this was the first time to contact the blog because my PC was hacked in real-time while connected to a TOR circuit.
Typecasting, or burying your head in the sand, albeit deliberately, doesn't change the facts that the Browser is NO longer secure!
As I said before, my confidence in TOR has eroded, while my suspicions have grown.
Your snide remarks helped tip the balance.
If you're in fact a benign civilian, and not the opposite, get off your high horse and help find out whether the browser is salvageable.

PS. I just came across the following written four years ago:
https://www.yahoo.com/news/tors-anonymous-internet-still-secure-2018214…

If anything, if Tor Browser used to always have a different entry node for every circuit you built and now it doesn't, then Tor Browser is more secure now than it used to be.

Thank you for TOR.

GOOD AND BRAVO TOR....

I'm running Mac OS 10.12.4. All of the Tor Browsers in the 7 series give me this message when I try to open them:

Close Tor Browser

A copy of Tor Browser is already open. Only one copy of Tor Browser can be open at a time.

I cannot find any other copy of Tor Browser on my computer. I first encountered this after a routine update of Tor Browser, and many attempts at downloading it again and trashing old versions have not been successful. I would try an earlier-than-7 version, but can't find an active link to one on your site.

A quick internet search led me to:

https://tor.stackexchange.com/questions/2189/tor-wont-open-on-mac-sayin…

I bet there are more answers on the Internet too. :) Good luck!

The browser is working again with the new update now. Thank you. I spent a lot of time with these with new luck, only to have the browser work fine after just restarting the computer -_- oh well.

Hi Peeps! I wanna find out how to use BitCoin core over tor but can't find any good guide on it. The guides on the internet are old... they all refer to the tor which used vidalia and had that separate icon down right on your desktop... but now i can only find the tor browser bundle on your site... not the seperate tor thingy.. does bitcoin core work with tor browser bundle? how do i make it work, just open the tor browser bundle?

Clean installation of stable, High security. Opened console severely slows down the browser?
TypeError: chromeWindow.gBrowser is undefined[Learn More] devtools-browser.js:496:7
Error: Script terminated by timeout at:
[138] resource://devtools/client/shared/vendor/react.js:18540:1
[72] resource://devtools/client/shared/vendor/react.js:11944:7
mountComponentIntoNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/shared/vendor/react.js:11392:3
[113] resource://devtools/client/shared/vendor/react.js:17257:13
batchedMountComponentIntoNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/shared/vendor/react.js:11406:3
[53] resource://devtools/client/shared/vendor/react.js:8847:7
batchedUpdates@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/shared/vendor/react.js:15333:3
[72] resource://devtools/client/shared/vendor/react.js:11600:5
[72] resource://devtools/client/shared/vendor/react.js:11674:21
[72] resource://devtools/client/shared/vendor/react.js:11694:12
WebConsoleFrame.prototype.createLocationNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/webconsole.js:2627:5
Messages.Simple.prototype<._renderLocation@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/console-output.js:1052:12
Messages.Simple.prototype<._renderBody@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/console-output.js:991:20
Messages.Simple.prototype<.render@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/console-output.js:911:16
WebConsoleFrame.prototype.reportPageError@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/webconsole.js:1528:16
WebConsoleFrame.prototype._outputMessageFromQueue@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/webconsole.js:2198:16
WebConsoleFrame.prototype._flushMessageQueue@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/webconsole/webconsole.js:2087:20

17:48:58.446 b.loadURIWithFlags is not a function 1 tabbrowser.xml:2274
addTab chrome://browser/content/tabbrowser.xml:2274:17
loadOneTab chrome://browser/content/tabbrowser.xml:1564:23
openLinkIn chrome://browser/content/utilityOverlay.js:393:26
openUILinkIn chrome://browser/content/utilityOverlay.js:197:3
BrowserOpenTab chrome://browser/content/browser.js:1993:3
oncommand chrome://browser/content/browser.xul:1:1
17:49:08.071 A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.j…

Date: Sat Jul 01 2017 17:48:58 GMT+0000 (UTC)
Full Message: TypeError: eventLoop is undefined
Full Stack: ThreadActor<._popThreadPause@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/script.js:537:5
ThreadActor<.onResume/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/script.js:1021:7
Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:932:23
this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:813:7
this.PromiseWalker.scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11
EventLoop.prototype.enter@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/script.js:349:5
ThreadActor<._pushThreadPause@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/script.js:532:5
ThreadActor<.onInterrupt@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/script.js:1394:7
onPacket@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1743:15
ChildDebuggerTransport.prototype.receiveMessage@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/transport/transport.js:761:7
DT_setSlowScriptDebugHandler/debugService.activationHandler@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/client/framework/devtools-browser.js:505:9
browserForChannel@chrome://torbutton/content/tor-circuit-display.js:170:1
collectBrowserCredentials/createTorCircuitDisplay<@chrome://torbutton/content/tor-circuit-display.js:185:21
observe/observer.observe@resource://torbutton/modules/utils.js:61:9
torbutton_do_async_versioncheck@chrome://torbutton/content/torbutton.js:869:5
torbutton_new_tab@chrome://torbutton/content/torbutton.js:2066:5
addTab@chrome://browser/content/tabbrowser.xml:2250:13
loadOneTab@chrome://browser/content/tabbrowser.xml:1564:23
openLinkIn@chrome://browser/content/utilityOverlay.js:393:26
openUILinkIn@chrome://browser/content/utilityOverlay.js:197:3
BrowserOpenTab@chrome://browser/content/browser.js:1993:3
oncommand@chrome://browser/content/browser.xul:1:1
1 script.js:537

obfs4proxy has problems with Dr. Watson on Windows: when it crashes, it hangs dwwin.exe, and tor.exe can no longer start (exiting during start), until all dwwin.exe processes forcibly terminated.

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

6 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.