Tor Browser 5.5a1 is released

by mikeperry | August 11, 2015

The Tor Browser Team is proud to announce the first alpha release in the 5.5 series. The release is available for download in the 5.5a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox. In particular, while the recent PDF.js exploit did not affect 4.5 users, it does affect users of 5.0a3 and 5.0a4. Although the High security level of the Security Slider also prevented the exploit from working against even those users, all alpha users are still strongly encouraged to upgrade as soon as possible.

In addition to fixing these security issues, the remaining major issues with Firefox 38 from 5.0a4 were also fixed. This release also features improvements to fingerprinting defenses. In particular, we continue to refine our font fingerprinting defense that was added in 5.0a4. With this defense, Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases. Interested users are encouraged to help us refine this defense by commenting on the associated ticket in our bugtracker.

This release will also reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. As a result, the whitelist is reset to the default for all users, and future updates to the whitelist by NoScript have been disabled.

Here is the complete changelog since 5.0a4:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update NoScript to 2.6.9.34
    • Update Torbutton to 1.9.3.3
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 14429: Make sure the automatic resizing is enabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16311: Fix navigation timing in ESR 38
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 16672: Change font whitelists and configs for rendering issues (partial)

Comments

Please note that the comment area below has been archived.

August 11, 2015

Same bug again: once "SocksListenAddress 0.0.0.0:9150" is added to torrc, Tor Browser 5.5a1 will crash at start, as does Tor Browser 5.0. I am a Chinese user, so I cannot use Whonix without "SocksListenAddress 0.0.0.0:9150".

Yes. Tor Browser is crashing. I have also found that if I search for gmail or yahoo I have found two hacks to my accounts. One was at 3 am East time... (I am not up at that time of the morning...) One just now in Yahoo. It came up in another language (other than English) with an unknown USER NAME sitting at the top of the screen where mine usually sits.
Does anyone have any idea what the heck this is about?
And Yes it took no time at all for Gmail and Yahoo to ask me for 'proof it was me'.

August 12, 2015

I still use Vidalia to view Tor traffic and manage Tor relays and circuits. Is there any vulnerable bug that is a reason to stop using Vidalia?

August 13, 2015

When installing Tor bundle "torbrowser-install-5.0_en-US" in Windows 10, and trying to open Tor I get the following message:

XML Parsing Error: undefined entity
Location: chrome://browser/content/browser.xul
Line Number 1401, Column 11:

August 15, 2015

In reply to yawning

Thank you for replying! So, when it gets fixed, will I have to download and install a new version of TOR or will it update itself next time I launch it? Also, any idea of how long will it take them to fix it?

August 17, 2015

In reply to gk

Yeah, I always see notices on the "About Tor" page about when there's a new version out. But I wanted to make sure and ask because I didn't know if fixing this bug was something that required a total new download of the app or something that could get fixed like, for example, one of the extensions. The other day I saw that the extension NoScript was gonna be updated next time I restarted my browser/TOR without the need to download and install a new version of it. Thank you for replying!

August 13, 2015

I am currently using Tor Browser Bundle 5.0... Is there good feedback on this alpha 5.5 yet? Should I just stick with this until the full release? I also noticed the reset of the whitelist... What does this mean for me if I download? Do I have to configure anything? I do not have a Tor Browser drop-down like I see in people's videos... the orange bar "Tor Browser" in the top left corner. Why is this? Is it just because of my browser type, or is that a plugin or something added to the bundle by users?

Not completely tech/computer savvy... don't worry, I am motivated to learn xD. It's just not as easy when reading and not having someone there to explain in real time or chat with at least. I barely knew how to change my Facebook settings not too long ago though, so... I think I am doing alright... so ignore the noobness of my questions.

August 14, 2015

The new version 5.0 is very bad, because under Page Info the Media info is missing.
This is not user-friendly. AVOID THIS!!!!!!!!!!!!!!!!!!!!!!!

August 14, 2015

I do not update; I download the new stable version 5.0: no problem.
Do not forget that unstable versions are for bug testers & devs.

August 14, 2015

Does this version still have NoScript disabled by default which helped the FBI bust hidden services in previous years?

https://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-por…
Be sure you're running a recent enough Tor Browser Bundle. That should keep you safe from this attack. Windows users are advised to Update Tor Browser Bundle, version 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 2.4.15-beta-1 (released July 8 2013), 3.0alpha2 (released June 30 2013) includes the fix. Consider disabling JavaScript (click the blue "S" beside the green onion, and select "Forbid Scripts Globally"). Disabling JavaScript will reduce your vulnerability to other attacks like this one, but disabling JavaScript will make some websites not work like you expect.

Update: According to Baneki Privacy Labs research, the IP address 65.222.202.53 hardcoded into the exploit belongs to Virginia is actually owned by Science Applications International Corporation (SAIC), a major intelligence, military, aerospace, engineering and systems contractor involved with the Federal Bureau of Investigation (FBI), Defense Advanced Research Projects Agency (DARPA), Central Intelligence Agency (CIA) and National Security Agency (NSA).

They believe that the hardcoded IP address is directly allocated to the NSA's Autonomous Systems (AS), so it's probably not the FBI, it's NSA who used Firefox Zero-Day exploit to compromise Freedom Hosting and TOR network.

troll ; same question on torbrowser 5.0 & 5.5a1 released

August 15, 2015

Nightmare installing Tor on Linux Mint. I have downloaded the package and am running it by just double-clicking on the Tor Browser icon. Is it secure?

Yes, just download the Tor Browser from the big download button on torproject.org. Then you can click on the archive you downloaded and extract it to wherever you want. Then just click on the launch icon to open it up. This is secure, I do it in Mint all the time.

August 15, 2015

Tor Browser updated itself. I did not want this 5.0 version until the bugs were worked out. Not sure how it updated without a prompt message; I don't like it at all. My browser add-on preferences were gone from header space. Every time I customize, it crashes. I'm moderately computer savvy, but I don't like updates that are this frustrating and counter-intuitive. Don't force an update that people will dislike; wait until it's ready to go, and only if it's wanted.

August 16, 2015

I am using the Brief add-on (RSS reader).
Now I cannot add the folder of the RSS in the Bookmarks, so the add-on cannot find or show me any feed!

Given that Astoria and Hornet themselves aren't yet really usable, it is a bit premature to be talking about a browser built on them. Besides, neither of them are projects of The Tor Project so you're probably better off asking on some other website.

Yes.
If it happens, the signature and the signing key do not match.
Usually it cannot be, because you must verify the integrity/authenticity of the Tor file with the key; both must match.

Does it mean just one more time secure than the checksum?
A checksum is less secure than a signature (sig/asc).

A signature does a deep verification and a checksum does a weak verification of the data integrity/authenticity.

August 18, 2015

Does anyone know anything about the Firefox tiles in the Tor Browser Bundle? Tiles seem to be enabled if you tell Tor to stop dumping history on exit. I know what they do in Firefox, but do they still send data back to Mozilla in Tor?

August 19, 2015

GDATA Antivirus (German) discovered a vermin in the browser: (Fingerprint: [b7eb851e])
It said it was deactivated!?

Can anyone follow this?

Hello, I have the same "problem". But I did both tor and checked the subsequently installed by AddOn Multi Engine Virus Scanner. - No virus.
Perhaps because the scanner detects something which is not even there. Must be time to watch what if I new installation both.

August 23, 2015

If I right-click on the selected text and click search, then I get redirected to the homepage of a search engine. If I search from the address bar or search bar, I mostly get the search result.

August 24, 2015

Which ad remover is safe enough to use in Tor Browser?
I have used it for years in its untouched "official" state, without Java, but I began to hate all ads on the net now,