Tor Browser 6.0 is released

by gk | May 30, 2016

The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 45-ESR, which should mean a better support for HTML5 video on Youtube, as well as a host of other improvements.

Beginning with the 6.0 series code-signing for OS X systems is introduced. This should help our users who had trouble with getting Tor Browser to work on their Mac due to Gatekeeper interference. There were bundle layout changes necessary to adhere to code signing requirements but the transition to the new Tor Browser layout on disk should go smoothly.

The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are rather potentially harmful in a Tor Browser context.

On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.

A note on our search engine situation: Lately, we got a couple of comments on our blog and via email wondering why we are now using DuckDuckGo as the default search engine and not Disconnect anymore. Well, we still use Disconnect. But for a while now Disconnect has no access to Google search results anymore which we used in Tor Browser. Disconnect being more a meta search engine which allows users to choose between different search providers fell back to delivering Bing search results which were basically unacceptable quality-wise. While Disconnect is still trying to fix the situation we asked them to change the fallback to DuckDuckGo as their search results are strictly better than the ones Bing delivers.

Update: We plan to post instructions for removing the OS X code signing parts on our website soon. This should make it easier to compare the OS X bundles we build with the actual bundles we ship.

The full changelog since Tor Browser 5.5.5 is:
Tor Browser 6.0 -- May 30

  • All Platforms
    • Update Firefox to 45.1.1esr
    • Update OpenSSL to 1.0.1t
    • Update Torbutton to 1.9.5.4
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
      • Bug 18905: Hide unusable items from help menu
      • Bug 16017: Allow users to more easily set a non-tor SSH proxy
      • Bug 17599: Provide shortcuts for New Identity and New Circuit
      • Translation updates
      • Code clean-up
    • Update Tor Launcher to 0.2.9.3
      • Bug 13252: Do not store data in the application bundle
      • Bug 18947: Tor Browser is not starting on OS X if put into /Applications
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.9
    • Update meek to 0.22 (tag 0.22-18371-3)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
      • Bug 18904: Mac OS: meek-http-helper profile not updated
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 19121: The update.xml hash should get checked during update
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18886: Hide pocket menu items when Pocket is disabled
    • Bug 18703: Fix circuit isolation issues on Page Info dialog
    • Bug 19115: Tor Browser should not fall back to Bing as its search engine
    • Bug 18915+19065: Use our search plugins in localized builds
    • Bug 19176: Zip our language packs deterministically
    • Bug 18811: Fix first-party isolation for blobs URLs in Workers
    • Bug 18950: Disable or audit Reader View
    • Bug 18886: Remove Pocket
    • Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    • Bug 18945: Disable monitoring the connected state of Tor Browser users
    • Bug 18855: Don't show error after add-on directory clean-up
    • Bug 18885: Disable the option of logging TLS/SSL key material
    • Bug 18770: SVGs should not show up on Page Info dialog when disabled
    • Bug 18958: Spoof screen.orientation values
    • Bug 19047: Disable Heartbeat prompts
    • Bug 18914: Use English-only label in <isindex/> tags
    • Bug 18996: Investigate server logging in esr45-based Tor Browser
    • Bug 17790: Add unit tests for keyboard fingerprinting defenses
    • Bug 18995: Regression test to ensure CacheStorage is disabled
    • Bug 18912: Add automated tests for updater cert pinning
    • Bug 16728: Add test cases for favicon isolation
    • Bug 18976: Remove some FTE bridges
  • Windows
  • OS X
    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
    • Bug 18951: HTTPS-E is missing after update
    • Bug 18904: meek-http-helper profile not updated
    • Bug 18928: Upgrade is not smooth (requires another restart)
  • Build System
    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
      • Bug 18919: Remove unused keys and unused dependencies
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Comments

Please note that the comment area below has been archived.

June 02, 2016

In reply to by Anonymous (not verified)

Permalink

i am getting an error right now, never had this problem before. tor crashes right now, but worked a few hours ago.

Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 45.1.1.0
Application Timestamp: 00000000
Fault Module Name: MSVCR120.dll
Fault Module Version: 12.0.21005.1
Fault Module Timestamp: 524f7ce6
Exception Code: c0000005
Exception Offset: 00013b0b
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033
Additional Information 1: 4d1c
Additional Information 2: 4d1ccb1f086e8f68af5ebd400b9240a6
Additional Information 3: a773
Additional Information 4: a7738b1c9bfdec77d1b26715e67e5bda

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

June 04, 2016

In reply to gk

Permalink

I have a similar problem. I installed the latest version, and it will not run. I see the Tor icon appear and disappear in the task master.

June 04, 2016

In reply to by Anonymous (not verified)

Permalink

After auto updating to version 6.0, TPB terribly slow, get to open only one first site, and then after a time. Then everything usually hangs. I use an old WinXP. Updating the TPB is disabled, and still the browser hangs. Firewall Comodo Free.

June 07, 2016

In reply to by Anonymous (not verified)

Permalink

Tor 6.0 & the latest Beta (6.0a5) won't start. W10x64 Pro non-domain.
Have tried different folders, removed and re-ran but the browser just won't open. Disabling AVG makes no difference. Tried running as admin but didn't make any difference. Restarted system, removed FireFox and so on but still won't open. Some previous versions still work but could do with prominent links to previous versions as I don't like using a really old version.

I have the same issue since version 6.0 came out. 6.1 is the same.

The older version 5.x ran fine. I even reinstalled 5.5 and it was fine until I let it update itself, then it wouldnt start

June 08, 2016

In reply to by Anonymous (not verified)

Permalink

Can you please provide a way to disable xpinstall.signatures.required again? This is really sad. I need to use two add-ons I know very well and cannot update to Tor 6.0 because of this. I understand that you focus on security but if the users know what they are doing, you should allow them to decide... Thanks in advance.

May 30, 2016

Permalink

Oh, god. It's finally here. Guys, arm yourselves of cool and patience and prepare for the incoming horde of complaints about upstream changes. (I myself don't know what am I going to do with the new search bar nonsense...)

Anyhow, thanks a lot, Tor Browser team! :)

Thanks. I know about CTR and I use it on Ice Cat. However, I don't like to install extra addons on Tor Browser, especially so when we are talking about big addons, like CTR.

I think I might eventually try to extract just that feature from CTR and create a new tiny addon so that I can confidently put it in Tor Browser.

Dear SysOp :)
"too old title, but can't think of any thing else right now" :))

thanks for posting the link on my above comment,

Question, pls answer,,

case1, did u test/track the link and found its helpful to agree-to-post?
OR
2-just posting that comment as-is without testing?

what difference that makes!?

in case 1: to me it means (like) if the comment is "credited" from TBB for my behalf, and that site might mean even-better than what i thought,,
LoL
waiting.....,bye,

May 30, 2016

Permalink

Thanks for this *awesome* job !

One thing: when restarting after upgrade, TorBrowser did not take care of the window size. ie: it started taking all my screen, and not the usual size.

Restarted TBB again, and everything seems fine.

Thanks again for this awesome number of fixes :o

*Important*

I think this new version (6.0) is dangerously giving away the user's screen resolution when JavaScript is enabled (the default behavior).

New behavior (you can easily test this on the console):

  1. <br />
  2. screen.availWidth<br />
  3. result = 1920</p>
  4. <p>screen.availHeight<br />
  5. result = 1000</p>
  6. <p>screen.width<br />
  7. result = 1920</p>
  8. <p>screen.height<br />
  9. result = 1440<br />

Old behavior (this is the "right behavior", where window size and screen resolution the same and standardized):

  1. <br />
  2. screen.availWidth<br />
  3. result = 1000</p>
  4. <p>screen.availHeight<br />
  5. result = 1000</p>
  6. <p>screen.width<br />
  7. result = 1000</p>
  8. <p>screen.height<br />
  9. result = 1000<br />

Juan Nada
0xA053222C47796683

June 01, 2016

In reply to gk

Permalink

You're right: real websites only can access the standardized Tor window size values. Only browser pages (like blank or about:tor) are showing the real resolution values.

That's one odd behavior compared to previous versions, but it is not giving away the revolution as I was supposing before. I checked with https://www.browserleaks.com/javascript

As unrelated notes:

  • Linux users still can be detected, although the default TBB userAgent string is set to Windows. Link: https://www.browserleaks.com/firefox
  • Connections to .onion websites are still marked as "Not Secure", as any other HTTP page.
  • Tor 6.0 is beautifully fast, stable and predictable.

Juan Nada
0xA053222C47796683

June 08, 2016

In reply to gk

Permalink

With High Security Level the experience is awful: no controls & timeline in player, timeline doesn't work, no way to enable/disable html5 video in NoScript menu, but it starts to play without permission!

May 30, 2016

Permalink

anyway, thanks for this update..

thou,

can't figure-out privacy under "Tor enabled" (green icon), in compliance with NoScript + click to play!!
so tired playing mouse & cat with that combination!

disabling something will disable most unwanted-to,
as will as when..
enabling something will enable other most unwanted-to!

How to enable ALL scripts in every site WHiLE that WiLL NEVER run a Video/Audio .period.

never play V/A without intending-to (eg. click to play)...??!

thanks again..

May 30, 2016

Permalink

which should mean a better support for HTML5 video on Youtube, as well as

You broke sound in youtube. Videos stop during playing (network problem), after pause video continues, but without sound. I need to reload the same video 10 times to get it played up to the end... This is just one of examples: https://www.youtube.com/watch?v=WSq7oxM_fyo However, I see this problem on most of videos. Previous stable TBB worked fine.

June 01, 2016

In reply to gk

Permalink

Linux amd64. I found one hack to repair sound: if it stopped (video then contunies to play but without sound), just click on next timemoment (like plus few seconds in video), and then sound appears. Otherwise, video will be played after interruption, but without sound.

June 08, 2016

In reply to gk

Permalink

A lot of "Network error" in Browser Console are not so harmless: some of them interrupt the video or make it play from the beginning!

May 30, 2016

Permalink

Oh hell yea! This must mean that Subresource Integrity is now supported, since that came in Firefox 43. This means that webpage authors can hash any included CSS or JS and include the hash in the webpage. If the downloaded file has a different hash, the browser won't load it.

I agree... I wonder if anyone has looked at this Firefox feature (not TBB feature) from a user privacy perspective. It also seems like the sort of thing that could potentially be used to block NoScript surrogate scripts depending on where it's implemented.

May 30, 2016

Permalink

Fantastic, but Avast Antivirus cosiders Tor malware and is blocking it...

AVG did the same and is labeling tor browser 6.0 a Trojan horse. Completely deleted tor browser with all my bookmarks/settings...

I use Avast free 2016 and no virus warning even though the settings I use will give more false positives. In the past Avast did sometimes considered Tor to be malware but that was not often.

May 30, 2016

Permalink

Tangentially related to Tor upgrades: If anyone from Agora is reading this, thousands of people are begging for your return. Even if you can't come back right now but still have plans, we beg of you to make a single Reddit post giving a timeline. Please!!!

And kudos to the Tor team as well for all their hard work, of course. :-)

May 30, 2016

Permalink

It was about 160MB before updating and now 217MB. Is it normal? Updated using auto-updater.

gk, updater.exe leaves updater.mar (33 MiB) in folder, and no update history is shown (but it is in updates.xml). Looks like update process stalls at NS_main: unable to remove directory: tobedeleted, err: 41

May 31, 2016

In reply to gk

Permalink

Again: history of updates in Options isn't showed now, but it is in updates.xml file (since 5.0.7)

Thanks for the info,
may you please pin-point (without much details)
what risk in using TBB +W10?!

Thought TBB will "isolate" us from ANY risk.. no matter WHAT OS is!

Right?

OK, ThanksAgain :)

note; if anyone aware what this user is talking about, then pls enlighten us,..
(( that if he didn't answer "for any of his own reasons" ))

it is closed source os. only ms knows how much holes they insert to satisfy nsa friends. remember microsoft icons bug?
"Thought TBB will "isolate" us from ANY risk.. no matter WHAT OS is!" - where did you get such a strange ads?

LoL,,
"isolate" huh!
remember when waving 2 fingers in each hand?
to resemble the 2 above marks!

although, TBB -alomost- "isolate" us,
BUT still --truly-- it is (&will be) far better than closest comparative.

&the best above ALL: it's FREE..
&works for any OS that you may think of,,
nuf ADS ;)

Sure, Tor Browser on Windows 10 is rather pointless for most use cases of tor.

...How exactly is a VPN any better? You're still going to leak the same info. If you've got to use Windows 10 securely, I'd suggest using it behind a firewall that blocks access to most/all of Microsoft. Then you can use Tor Browser without fear (at least from Win10's tracking.)

June 01, 2016

In reply to gk

Permalink

I am using windows 10 and since updating TOR won't even start. Nothing at all seems to be happening. I am really disappointed and wish the update had not been done

Which kind of firewall/anti virus software are you running? Could you uninstall it for testing whether it is interfering with Tor Browser (which is the likely cause of your problem)?

June 02, 2016

In reply to gk

Permalink

I disabled ESET Smart Security and disabled the firewall too but it has had no effect. TOR browser still does nothing at all

June 02, 2016

In reply to by Anonymous (not verified)

Permalink

I am getting error, Tor Browser crashes on bootup. Di with update and fresh install of 6. Windows 7 here

May 31, 2016

Permalink

6.0a5 doesn't auto-update to this, I assume this is by design, different channel?

Or will there be an update available to that browser soon? Either to 6.0 or other?

Thanks for this release.

Heh, gk, it's worth mentioning that it's better to update alpha channel first (even with new stable when you do it without new alpha) to avoid stupid questions like this ;)

June 04, 2016

In reply to by Anonymous (not verified)

Permalink

And the hinting is quite a lot better in the top picture (uniform stem widths, smoother curves, symmetrical characters are symmetrical), not to mention the color fringes due to overexaggerated subpixel effect in the bottom picture. So I'm not seeing a problem here.

May 31, 2016

Permalink

When making audio/video elements click-to-play (medium-low settings and higher), and loading such an element directly, the resource starts loading and after a short period gets blocked by noscript.

This is a regression from previous versions, no?

that explains what "sufferings" my limited-internet-package will face!

i don't mind if it's direct -unlimited- DSL connection,
search my above comment (Cat) & (mouse) game :)
this update seems "great"
thou, preferred previous TBB

May 31, 2016

Permalink

TBB6.0 has an error, TBB5.5.5 has not:

i can customize a lot -set/unset Preferences,about:config- in TBB6.0, but when i erase

identity.fxaccounts.remote.webchannel.uri;https://accounts.firefox.com/

the Customize menu, for drag and drop Tool/Feature-icons, is blank.
Please fix it.

May 31, 2016

Permalink

Is there currently no way to view my cookies?

Tor Button used to have a nice list where I could "protect" certain cookies and have them last across sessions, while others were ephemeral. Is that feature gone for good?

Also, recent previous versions of Tor Browser have no had a "show cookies" button in the standard place firefox does (unless I'm mistaken?) but this new version does have the button. Unfortunately, it shows a window with no cookies.

This is particularly misleading! Many Tor Browser users I've talked to assume that Tor Browser completely "disables cookies". Showing them an empty list of cookies reenforces this incorrect belief.

Thanks for all your hard work! Other than the cookie thing this seems like a great release.

May 31, 2016

In reply to gk

Permalink

I find it vexing that Mozilla hasn't fixed this for so darn long..

From the same site I get 1 in 1000 +/- on a Win7 system, which is slightly worse than 5.5. I am back to 10+ bits from 7... something on 5.5. I do understand that this is not an absolute benchmark for anonymity neither do I know exactly what causes the measure to go up or down, or even if EFF has retained the same benchmark measures it used 1-2 months ago.

June 02, 2016

In reply to arma

Permalink

why would anyone here enjoy having to identify themselves with their email to post anythin, especially on a site that it refuses post even when a REAL email is used?

You go post this answer because your system wouldn't let me!

"When 5.5 and 5.5.5 came out I updated within hours or less and went to panopticlick and I was amazed at the improvement. I must have been one of the first few and it was down to 5xx something. With 6 it is more than double. I redownloaded 5.5.5 again and it is still the same rating I got back ... a month or more ago. So your theory does not hold water. eff can't tell what browser you are using in specific just a version of FF and your OS.

One thing to watch for is your plugins, most will reveal identity information (identifiers) which group you with users with same FF plugins.

Based on the same use though why would 6 be inferior to 5.5.5?"

But doesn't it still contact OCSP servers in the (very common) case that the HTTPS server doesn't include an OCSP response in the TLS handshake?

May 31, 2016

Permalink

Help. I cannot change the Preferences settings and can't get move between any of the options. I'm using a Mac 10.8.5.

Thanks

May 31, 2016

Permalink

just upgraded to v6 this morning and nothing happens when i run the shortcut. have been using tor browser for the last 7 or so versions with no issues. my system is windows 7 64 bit. have tried running as Administrator, disabling firewall, and antivirus with no joy. please help

June 01, 2016

In reply to by Anonymous (not verified)

Permalink

tyvm for the reply. as far as i can tell the installation is self contained in the one directory and not in the registry? there was no uninstall that i could find...Tor Browser isnt listed in Programs. I did delete the upgraded Tor Browser directory and ran the install again..still no joy. apologies if im missing something obvious

May 31, 2016

Permalink

ok i just installed v6 to new directory after upgraded directory would not load Tor Browser. the new directory install also will not load. no processes for firefox or tor shows up in my windows 7 64 bit system.

Do you get any error messages? Have you tried removing your antivirus and firewall software for testing purposes? It happens that merely disabling them is not enough.

June 01, 2016

In reply to gk

Permalink

no error messages anywhere. i have not tried uninstalling antivirus and firewall yet. just a bit peeved to have to do this as multiple previous versions have worked fine without this step. not complaining just maybe a little lazy

May 31, 2016

Permalink

I can't find the torrc file anywhere
i'm using os x 10.11.5
in 5.5.5 version it was with torrc-default file
but now i cant find it?

May 31, 2016

Permalink

I store Tor Browser inside a Veracrypt volume, but It will not upgrade after updating it, I have to cut and paste outside the volume, and only then, will upgrade to new version. What could be? Happens the same with plugins, they won't update, only out of the volume.

May 31, 2016

Permalink

hey tor browser wont start on debian jessie or 8 basicly. it will just say connecting to the Tor network and grabbing certificate authorities and stuff but it stays stuck 1/4 of the way there. icant get the network to load no matter what i do let alone the browser to pop up...

What output do you get when you start it on the terminal like so: ./start-tor-browser.desktop --debug inside your tor-browser_$LOCALE directory? Do older Tor Browser versions work?

May 31, 2016

Permalink

Meek pluggable transport not working on OS X. meek-client-torbrowser proxy is not launching.

Probably due to new directory structure, noted /Applications/TorBrowser.app/Contents/Resources/TorBrowser/Tor/PluggableTransports/template-profile.meek-http-helper

folder exists

actual proxy located in:

/Applications/TorBrowser.app/Contents/MacOS/Tor/PluggableTransports/meek-client-torbrowser

Maybe the link to the transport has not been updated for the new setup or in torrc.

Other proxies work.

In 5.5, meek was only located in /Applications/TorBrowser.app/TorBrowser/Tor/PluggableTransports/meek-client-torbrowser and worked.

This error occurs on a fresh install of 6.0.

LOG:

DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.

...

Opening Socks listener on 127.0.0.1:9150

...

The communication stream of managed proxy 'PluggableTransports/meek-client-torbrowser' is 'closed'. Most probably the managed proxy stopped running.

...

We were supposed to connect to bridge '0.0.2.0:3' using pluggable transport 'meek', but we can't find a pluggable transport proxy supporting 'meek'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.

June 01, 2016

In reply to gk

Permalink

Maybe would be better to test on 10.11 before just saying everything is fine?

June 02, 2016

In reply to gk

Permalink

10.11 is the latest, and only version of OS X Apple issues full security updates for, so you'd think TorProject would want to test on it.

I just used a Mac OS 10.11.5 system to try to reproduce this problem. I could not. I tried both en-US and es-ES packages.

In Tor Browser 6.0, the template-profile.meek-http-helper directory contents should be copied to TorBrowser-Data/Tor/PluggableTransports/profile.meek-http-helper by the meek client when it starts up. If the original commenter is still having problems, they should open a trac ticket so we can discuss this problem and investigate further.

June 04, 2016

In reply to mcs

Permalink

Will try to when I have time. Does anyone know how to enable logging on the meek proxy?

In torrc, change the ClientTransportPlugin line to:

ClientTransportPlugin meek exec PluggableTransports/meek-client-torbrowser --log meek-client-torbrowser.txt -- PluggableTransports/meek-client --log meek-client.txt

This will give you two log files, meek-client-torbrowser.txt and meek-client.txt. meek-client-torbrowser is the program that starts up a headless copy of Firefox for TLS camouflage. meek-client actually implements the transport.

June 28, 2016

In reply to dcf

Permalink

Note to all OSX users encountering similar error: make sure before upgrade/clean install for 6.0+ that user installing has sudo privileges. TorBrowser needs write access to /Applications/TorBrowser-Data/ which will fail unless the user is an administrator. sudo privileges can be removed after installation and first run without problems.

June 05, 2016

In reply to gk

Permalink

Maybe we should think carefully when consulting ip-check.info.

Since with TOR 6.0, when checking on ip-check.info, I was getting an orange and a red rating for Signature and User-Agent respectively I decided to reinstall TOR 5.5.5 and check the results again.

The Signature ‘Orange’ rating for TOR 6.0 becomes a ‘Green’ rating for TOR 5.5.5 showing EXACTLY the SAME ‘Value’.

In the case of User Agent the only difference between the Green rating for TOR 5.5.5 and a Red rating for TOR 6.0 is that for TOR 5.5.5 38.0 appears under Value and for TOR 6.0 that changes to 45.0.

Keep up the good work.

May 31, 2016

Permalink

This forced ass raping of updates for 6.0 is bullshit.

Please make preventing auto updates an enjoyable, and possible, experience.

Yes, the updates still download when the respectively located update files have been removed and when about:config and the file crying about not being edited that directs you there have been altered to prevent them from doing so.

More trust in users would be nice :)

about:config
app.update.auto = false

With that said, is there any reason why you don't want updates? You're leaving yourself open to known security vulnerabilities.

May 31, 2016

Permalink

This isn't a Tor bug, but a Youtube one.

I was using 5.5.5 to surf Youtube without issue (each time using a fresh Tor extraction), then a few days ago HTML5 started to crash reliably after watching a few videos (does the same with v6.0).

Getting a "new identity" didn't fix the issue. You have to shut it down, kill Firefox in task manager, and restart in order to view HTML5 videos again (non-video websites still work).

Obviously Youtube made a change that is crashing Tor (since I used a fresh Tor extraction each time for weeks without issue).

For security reasons it's probably a good idea to restart as much as possible when getting a new identity, especially HTML5, so settings/cache/bugs/and other data aren't retained, and this would provide a fix to not only this issue, but countless others.

June 01, 2016

In reply to gk

Permalink

So is it normal that it is about 200MB? It was about 160 before this update.

The "hardened" version specifically includes Address Sanitizer(ASan) which has a significant impact on performance in both memory usage and speed, which is why hardened is permanently stuck in alpha.
As for why it isn't available on Windows: Last I checked, ASan didn't fully support Windows.

June 01, 2016

Permalink

Thank you for CTRL+SHIFT+L !!!!!!!!!!!!!! :DDDDDDDDDDDDDDDD
Now maybe getting a new circuit to bypass Cloudflare & co will be less annoying.

June 01, 2016

Permalink

Automatic update from 5.5.5 doesn't work. It says that there was an error (doesn't say which) and says to download from the website.

June 01, 2016

Permalink

Tor browser now fullscreens itself rather than keeping to a standard size for greater anonymity.

I imagine this isn't seen in most common setups (unless it's a deliberate change). But I'm using a tiling WM (XMonad), and the behaviour I have always seen before is TB keeping itself to those fixed proportions to the left of the screen. If you start moving "tiles" about, it ends up losing track and fullscreening itself, but not if left alone. Now with 6.0, it is always fullscreen, though it does briefly display the initial tab at the smaller size on first opening, just for a split second before expanding to fill the whole screen..

We did not change anything regarding that particular code. I guess there are some underlying changes Mozilla did that are causing this. Could you open a ticket on trac.torproject.org so that we can investigate this? Thanks!

June 01, 2016

Permalink

When I updated and restarted Tor, AVG Free Edition blocked and quarantined Trojan horse inject3.ASKH coming from Tor Browser. Anyone else have this situation?

June 01, 2016

Permalink

Duckduckgo is owned by Gabriel Weinberg who earlier ran the site The Names Database, a community portal created for the purpose of data mining.

The Names Database was exceptionally underhanded in that it did not mine only its users, but offered them community perks if they exposed personal information of friends and relatives who could then be profiled with no say of their own.

If anyone thinks his stripes have faded you only have to look at his profile here, where he lists himself as a current a board member of Locality, which is a company that by its own words specializes in user data mining.

https://angel.co/yegg
https://angel.co/locately

I doubt I need to explain why the integrating the platform of a current data miner, with a history of unethical practice, in a suite intended for user privacy is a really bad idea. Your data simply is not safe in the hands of this person.

June 01, 2016

Permalink

How can I set a ExitNodes country code in the Mac OS X version of Tor 6.0? The torrc file apparently is no longer in the app bundle so where does Tor 6.0 look for torrc assuming torrc is still supported on a Mac? Or is there some other way of doing this now?

June 01, 2016

Permalink

cannot set the "extensions.brief.homeFolder" for Brief addon
even if I set it manually from the "about:config", cannot set the integer more than "5"
!!!!!!!!!!!!!!!!!!!!!

It was worked normal on ver 5.5

June 01, 2016

Permalink

when downloading this version of tor it started out as having 7min left to finish dwnloading and than started climbing up to 15 mins left why would it do this? I have fast internet service

June 01, 2016

Permalink

I used to be able to use a version of Tor on a flash drive and carry it across computers (IE: copying it to my work computer) and all my preferences (No script whitelist, addons, etc) would remain. Now, it behaves like a clean install every single time. It's VERY annoying/time consuming.

Hard to tell what is going wrong. Could you open a ticket in our bug tracker (trac.torproject.org) giving us some details on what worked and what is broken now so that we can investigate further? Thanks!

June 02, 2016

In reply to gk

Permalink

If this is OS X, this is no doubt because of the hasty decision to move profile files to Application Support folder vs having them in the Application itself simply to satisfy Gatekeeper which is easy for an attacker to bypass anyway.

Just an FYI: It only puts it in the application support folder if you put Tor in the Application folder. If you put Tor anywhere else (IE: a flash drive or the Desktop - which I do for a portable Tor browser and at work), it creates the data file in that directory - which makes it easy to find later for deleting purposes.

I wouldn't mind this change if they provided an easy way for me to point to the location of the profile information as I copy/paste tor.app across computers. But, as far as I could find, that doesn't exist right now.

A messy work-around:
1) Open the DMG and put Tor.app in the file you want it (I used my flash drive for this)
2) Open it so that it creates the TorBrowser-Data file
3) Set up Tor as desired
4) On new device, open DMG and put Tor.App in file you want
5) Open it so that it creates the TorBrowser-Data file
6) Quit Tor
7) Copy files from TorBrowser-Data file old device to same folder on the new device.
8) Open Tor (and your settings should all be there).

This is a messy fix (for some reason, some of my NoScript settings went a little wonky), but not as time consuming as how I had to do it before.

June 02, 2016

In reply to gk

Permalink

I'd love to do that, but it keeps rejecting my registration as spam no matter what browser I use.

So here are additional details:
All computers running OSX 10.9.5

Under 5.5.5 and earlier, I could save Tor.app to whatever folder I like, set up all my preferences/addons (IE: ghostery, adblock plus, disconnect for social media, bookmarks, etc) load addon specific details (IE my noscript whitelist) and then exit out of Tor, copy the Tor.app to a flash drive and then either use Tor from the flash drive, or copy it to other computers as needed with all preferences/settings in tact.

Now, even if I copy the Tor-Data folder along with the Tor.app to a flash drive, Tor always behaves as a 'clean version', so I have to reload all these preferences for every individual computer.

I figured that was because the data was unpackaged from the rest of Tor (as mentioned in the bug fixes), but then I didn't see a place where I could easily change the setting in Tor to point to the location of the "Tor-Data" file.

It would be nice to know all file locations for version 6.0 vs 5.5.5 in OS X. If you uninstall version 5.5.5 by removing the .app file is there anything else to remove before installing 6.0 to achieve a clean install?

For 5.5.5, removing the .app folder should be enough.
For 6.0, you also need to remove the TorBrowser-Data folder which will either be next to the .app or, if you place the .app bundle in /Applications, it will be at ~/Library/Application Support/TorBrower-Data.

With Tor Browser 6.x on Mac OS, if you move or copy the TorBrowser-Data folder and make sure it is next to TorBrowser.app, the browser profile, Tor data, and other settings should be used. It works for me. The data folder name is important; you should not rename it.

June 03, 2016

In reply to mcs

Permalink

This doesn't work across file systems.
My work computer profile is "TorWork", then the file structure is Torwork/...

My Home computers are Mini/...
Laptop/...

My flash drive is Flash/...

The only way to get Tor to copy/paste somewhat cleanly across systems is how I described above. Just copy pasting Tor.app and Tor-Data wasn't good enough. Tor.app is somehow linked to how it creates Tor-Data.

June 01, 2016

Permalink

Terrible. I clicked to update, it got to the connecting to the Tor network and it did nothing for 3 hours. I exited and now cannot access the browser at all. I then downloaded the new version and when I click to install it freezes Windows Explorer. I have to manually restart that process. The browser is unusable now when it was perfect. Now it sucks and reminds me of IE.
I am running Windows 8.1 No error messages nothing. Just does nothing.

If anyone has any ideas? I am open to suggestion.

Do you have any antivirus/firewall software running on your system? The symptoms you mentioned fit well to such a software trying to protect you and while doing so is interfering with Tor Browser. If so, could you uninstall it for testing purposes (disabling is often not enough).

June 01, 2016

Permalink

I've searched some and don't see where the 'maximize' issue was resolved. Can someone say whether maximizing is a fingerprinting risk now or not?

Also does using fullscreen mode (F11) represent a risk?

>I've searched some and don't see where the 'maximize' issue was resolved.

It cannot be resolved easily. My guess is that it would require the rendering engine itself to be thoroughly changed, something Tor Browser devs are not very likely to do. If you want a more precise answer, be yourself more precise about what you mean with "maximize issue".

>Can someone say whether maximizing is a fingerprinting risk now or not?

It has always been and it continues to be.

>Also does using fullscreen mode (F11) represent a risk?

Yes.

Read: https://sedvblmbog.tudasnich.de/projects/torbrowser/design/ . In particular the section "7. Monitor, Widget, and OS Desktop Resolution" under "Specific Fingerprinting Defenses in the Tor Browser".

June 01, 2016

Permalink

channe-prefs.js: pref("app.update.channel", "alpha");

I set it to alpha from stable a few months ago because I want to use latest version as possible.
So should I switch back to "release" to receive this update?

I'm expecting alpha gets alpha and release(latest as possible) version; if not please consider it.

June 01, 2016

Permalink

This is giving me quite a headache...how do I update TOR within TAILS os? Any help would be GREATLY appreciated.

June 02, 2016

Permalink

tbb 5.5.5 disappears (crashes) without error message by clicking a specific website
os: win7 sp1

June 04, 2016

In reply to gk

Permalink

couldn' t reproduce it after restart, maybe it was a disc space problem (windows caching...)

June 02, 2016

Permalink

Shumway doesn't support proxy settings? Maybe that should be addressed with the Mozilla's devs?

June 02, 2016

Permalink

Version 6.0 is Garbage! Not only it doesn't even open (stays stuck on ''Connecting to the Tor network'') but now I cannot even get older versions to work, as the same problem happens with version 5.5, when before it was perfectly alrigth!

Are you guys working for NSA/GCHQ and trying to screw us over by coming up with this ''upgrade'' which doesn't even work to force us to use Firefox/Internet Explorer?...

Otherwise what on Heaven's sake is going on here?? I have just wasted another hour trying to get this Demonic thing to work for NOTHING...I'm FED UP!!!!!

Maybe your local antivirus/firewall software got an update and is blocking now bot versions? Tor Browser is self-contained and does not mess with older/other versions. Even if 6.0 would not work this would not impede 5.5. Thus, there is a different thing wrong on your computer.

June 02, 2016

Permalink

New error in TBB6.0:

when you try to see the page source(right click -> View page Source/View Selection Source), browser is open a new tab
with source, e.g. view-source:https://ocewjwkdco.tudasnich.de/blog/tor-browser-60-released

view-source:data:text/html;charset=utf-8,%EF%B7%90If%20you%20can%20wait%20a%20couple%20of%20day%EF%B7%AFs%2C%20next%20week%20will%20be%20a%20new%20alpha%20available.2Fp>

June 04, 2016

In reply to gk

Permalink

It's a bad feature.

In "an own window" you can format the page easy.
In the "new tab instead" not!

June 08, 2016

In reply to gk

Permalink

Torbutton INFO: tor SOCKS: https://ocewjwkdco.tudasnich.de/blog/tor-browser-60-released via --NoFirstPartyHost-about-blank--:0
Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via --nofirstpartyhost-about-blank--:0
getFirstPartyURI failed for view-source:https://ocewjwkdco.tudasnich.de/blog/tor-browser-60-released: no host in first party URI view-source:https://ocewjwkdco.tudasnich.de/blog/tor-browser-60-released

June 02, 2016

Permalink

Every time I try to install this update, it breaks the whole browser. I can't run it without downgrading to 5.5.5 and I don't think that's a good idea to be doing...

I have every single executable file whitelisted in my AV as well, but still no dice

June 03, 2016

Permalink

Regrettably this update slows down the browser speed immensely... i dont know why but still it does... went back to an old version....

June 03, 2016

Permalink

Flawless as usual on a updated debian, so how can you guys sound
so outraged after each update when really you should focus on
the operating system or should i say barely operating system tor is
laying over.
As for network speed (was "i can't play flash player" before), keep on
advertising for a regression to previous versions, try to advocate for
keeping Xp with vidalia's versions you'll look more genuine.

To the builders : keep on rocking ! From Paris with love.

Yep. Never had any of the problems some people complain about here on every freaking release.

Braindead windoze useds? 3-letter agency shills? Whatever.

June 03, 2016

Permalink

I am using windows 10 and since updating TOR won't even start. Nothing at all seems to be happening.

Using Windows Defender & Windows Firewall, so have turned off but still nothing.

June 03, 2016

Permalink

Could u make a video tutorial to teach us installing Tor and establishing Obfs4 bridge on CentOs vps?Please

June 19, 2016

In reply to dcf

Permalink

Thank u.

June 04, 2016

Permalink

That updates changed something bad. I used a cpanel for a website I manage, but as of the 6.0 update, I'm auto-disconnected in a blink. I've read about cookie-related issues, has this updates changed somethings on this end ?

June 04, 2016

Permalink

I have just installed version 6.0 (again!).

When I do a check with ip-check info I get “You are using Tor, but your browser profile differs from the recommended”. It gives an orange rating for Signature and a red one for User-Agent. This happens even after re-installing three times.

With version 5.5.5 both of these were ‘green’.

Please help.
Thanks

June 04, 2016

Permalink

How to edit search providers in the package?

Disconnect is broken and DDG is unusable for latency reasons.

Please help :)

June 04, 2016

Permalink

I installed tor 6.0. After that I found that the first connection is always to same IP address (23.254.166.222) even if I try to create a new tor circuit. Is this some new feature and is 23.254.166.222 tor project's own node server?

June 04, 2016

Permalink

Won't open, removed antivirus and still won't open.

Downgraded to old version, network seems to lose connections if not regularly used (timeout issue?) new identity and new circuit for this website now no longer work in old version.

June 05, 2016

Permalink

What is this 23.254.166.222 in Tor circuit? I cannot avoid it whetever I'm doing. Is Tor secure any longer?

June 05, 2016

Permalink

when i am open chat cam show to me:
(video format or MME type is not supported)
how can I solve this?
thank you

June 05, 2016

Permalink

Facebook and Twitter are censoring free speech, Bloomberg reported in an article which downplayed what’s really going on: the hijacking of the Internet to destroy national identity, culture and the free exchange of ideas in favor of an 1984-style virtual superstate.

i do agree.
give a try to diaspora.
a lot of site propose to let you posting but they do not publish your comments.
mailing-list are also in this case.
1984 was about a brutal state which opium & diamonds were the goals and have free servants were the gift, a virtual state is a commercial deal where the goal is to be on the right side (a silence for an agreement) : the others will not survive in a good condition.

June 05, 2016

Permalink

Tor 6.0 exit nodes instability? Irregular jumping between nodes within two seconds?

June 06, 2016

Permalink

I must say that I have ever increasing problems with running tor browser in a transparent proxying environment. Short list:

* Having a tor update installed without being asked beforehand
* than Tor browser doesn't start until I delete the launcher plugin manually
* afterwards I am not able to open torbutton network settings
* onion addresses do not work anymore, although AutoMapHostsOnResolve is set to 1, and they work with wget.

I understand that the team focuses on average users deploying torbrowser out of the box, but all the other use cases shoudn't just be fully ignored!

You can disable the auto-updater if you want. That said filing issues on our bug tracker (trac.torproject.org) might be a smart move as we are otherwise not aware of the problem or forget about it. Once that is done working on a patch might speed up solving your problem considerably. So, no, there is no ignoring going on. It is just that we are not enough to fix all the bug reports we get. :(

June 09, 2016

In reply to gk

Permalink

Oops, good idea to use the bug tracker. :)

By the way, for anybody who reads this: .onion addresses can be (re-)enabled by setting

network.dns.blockDotOnion to False

and thanxxx!!! for all your excellen work!

June 07, 2016

Permalink

I don't know if anyone else is having this problem but tor seems to be stuck on the 'example.com' page when i try to look at any sites circuit. It just says example A, example B example C instead of the IP's and countries. any help would be greatly appreciated.

June 07, 2016

Permalink

Among other problems I've never had before with tor the amount of identifying information that comes out of 5.5.5 is a fraction of what is in 6. This has been the first backwards step in this direction I know. I have gone back to 5.5.5 and disabled updates (irritating) in both win and linux64 and I am waiting for a better version in the future.

Why isn't there some feedback on all the complaints listed here.

June 07, 2016

In reply to gk

Permalink

When I use panopticlick.eff testing 5.5.5 shows 1 of 204 browsers and 6 show more than a 1000

But now I am noticing another problem, as I turn off updates in preferences adanced update the update still happens when it is left idel for a while

June 07, 2016

Permalink

It seems there is no way to block updates anymore, unless a firewall blocks torptoject

The new update 6.01 is even worse than 6 and reveals twice as much bits of identifying information to https://panopticlick.eff.org than 5.5.5 did.

Do you guys have any clue of why this is happening. Maybe there is something in ff that reveals more identifying info?

Yes, the problem is the Panopticlick test. It is not suited for the things you want to get tested. You want to know how identifiable you are in the Tor Browser crowd. Not how identifiable you are compared to Internet Explorer or Firefox etc. And not how identifiable you are compared to older browser versions.

And, sure, you can disable automatic updates if you really want to in your browser. But it not advisable doing so.

June 07, 2016

Permalink

Where can I find the old 5.5.5 version?

I used to have it until Tor automatically updated to 6.0 and now Tor won't open. And I see am not the only one with this problem.

Should we wait for a 6.0.2 version to fix the unintended consequences of 6.0?

We don't have found a single Windows system where we could reproduce the problem. Our guess is that there is still software running on your and other Windows users' computer that is responsible for this. That said we have https://trac.torproject.org/projects/tor/ticket/19334 to investigate this trying to find out what is going on. It would be much appreciated if you or other Windows users affected by this could participate there and test bundles we make. Thanks.

June 07, 2016

Permalink

A forced update downloaded for 6.0.1 even though I have removed the package update files and edited the about:config page.

What else can I do to stop these, they are a risk to my physical safety. I need to download Tor elsewhere safely.

Please help.

June 08, 2016

Permalink

Hello. In Privacy section, I can't configure it to "Never remember history"
Thanks for your helping

June 09, 2016

Permalink

U guess the response was that "we took down 5.5.5" yesterday so you don't use it.

I have gone to great lengths in preventing 5.5.5 from updating and once it remains idle it autoupdates anyway. My next move is to firewall torproject so no connection can be made.

June 09, 2016

Permalink

Warning: wrong shasum on 6.0 browser download

https://oiyfgiixvl.tudasnich.de/torbrowser/6.0/
https://oiyfgiixvl.tudasnich.de/torbrowser/6.0/TorBrowser-6.0-osx64_en-US.d…

$ shasum -a 256 /***/***/***/TorBrowser-6.0-osx64_en-US.dmg
0f4f6ca01028c2956c811dd94d67a76feb507cad176c031f32e6f95873003b4c

https://oiyfgiixvl.tudasnich.de/torbrowser/6.0/sha256sums-unsigned-build.txt
d68d01889ba38764ebf2057b3cd3263f638a74205031a6d1df11ab8ca13a3618 TorBrowser-6.0-osx64_en-US.dmg

Shasums are not matching downloads
Tried 3 times with download over 3 different extitnodes
all downloads and shasums are "same same but different"

I know there is a new browser version available
but still ..

See my update note on the blog post above: the OS X bundles are signed now and we are still working on providing instructions to remove the signature in a way that you can get compare the SHA256 sums easily.

June 11, 2016

Permalink

Installed the update, and now it just won't open the browser, nno matter how many times i click on the icon

June 17, 2016

Permalink

Won't load for me. Have to resort to 5.5 although would attempt newer version but cant find link - using windows 10. Have not disabled anti-virus - getting no error message, no activity in task manager. Cheers.