Tor Browser 6.0a5-hardened is released

by boklm | April 28, 2016

A new hardened Tor Browser release is available. It can be found in the 6.0a5-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

It contains a bunch of noteworthy changes. We switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary. We also ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Note: There is no incremental update from 6.0a3-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a4-hardened:

Tor Browser 6.0a5-hardened -- April 28 2016

All Platforms
- Update Firefox to 45.1.0esr
- Update Tor to 0.2.8.2-alpha
- Update Torbutton to 1.9.5.3
  - Bug 18466: Make Torbutton compatible with Firefox ESR 45
  - Translation updates
- Update Tor Launcher to 0.2.8.4
  - Bug 13252: Do not store data in the application bundle
  - Bug 10534: Don't advertise the help desk directly anymore
  - Translation updates
- Update HTTPS-Everywhere to 5.1.6
- Update NoScript to 2.9.0.11
- Update meek to 0.22 (tag 0.22-18371-2)
  - Bug 18371: Symlinks are incompatible with Gatekeeper signing
- Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
- Bug 18900: Fix broken updater on Linux
- Bug 18042: Disable SHA1 certificate support
- Bug 18821: Disable libmdns support for desktop and mobile
- Bug 18848: Disable additional welcome URL shown on first start
- Bug 14970: Exempt our extensions from signing requirement
- Bug 16328: Disable MediaDevices.enumerateDevices
- Bug 16673: Disable HTTP Alternative-Services
- Bug 17167: Disable Mozilla's tracking protection
- Bug 18603: Disable performance-based WebGL fingerprinting option
- Bug 18738: Disable Selfsupport and Unified Telemetry
- Bug 18799: Disable Network Tickler
- Bug 18800: Remove DNS lookup in lockfile code
- Bug 18801: Disable dom.push preferences
- Bug 18802: Remove the JS-based Flash VM (Shumway)
- Bug 18863: Disable MozTCPSocket explicitly
- Bug 15640: Place Canvas MediaStream behind site permission
- Bug 16326: Verify cache isolation for Request and Fetch APIs
- Bug 18741: Fix OCSP and favicon isolation for ESR 45
- Bug 16998: Disable for now
- Bug 17506: Reenable building hardened Tor Browser with startup cache
- Bug 18898: Exempt the meek extension from the signing requirement as well
- Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
- Bug 18890: Test importScripts() for cache and network isolation
- Bug 18726: Add new default obfs4 bridge (GreenBelt)
Build System
- Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
- Bug 18699: Stripping fails due to obsolete Browser/components directory
- Bug 18698: Include libgconf2-dev for our Linux builds

Comments

Please note that the comment area below has been archived.

The 'Pocket' feature is not

The 'Pocket' feature is not disabled/removed in this release.

There is a ticket about

There is a ticket about that:
https://trac.torproject.org/projects/tor/ticket/18886

How can I upgrade from

How can I upgrade from 5.5.5(stable) to experimental channel?
What do I need to edit in about:config?

You need to change the pref

You need to change the pref "app.update.channel" from "release" to "alpha", in the file Browser/defaults/pref/channel-prefs.js.

thanks again for another

thanks again for another great release, and for keeping close pace with Firefox release cycles!

When we can access Vimeo or

When we can access Vimeo or similar video sites using Tor?

Why the tor browser crash

Why the tor browser crash immediately in Max os 10.11.4 after clicking the connect button with 5.5.5(stable), and crash when you do any action with 6.0a5 after connecting successfully?

Is this reproducible?

Is this reproducible? Please, file a bug report at https://bugs.torproject.org for further investigation (and questions).

could you add a 32 bits

could you add a 32 bits build for old PCs?

We don't do hardened 32 bit

We don't do hardened 32 bit builds. Hardened builds require a lot of memory and cpu, so it would not work well on old PCs.

My PC is old and 32 bits but

My PC is old and 32 bits but has 4GB of RAM, a fast CPU and a PAE kernel. It is surely more than enough for any web browser.

Is Tor affected

Is Tor affected by

https://www.openssl.org/news/secadv/20160503.txt

We think there is no need

We think there is no need for an emergency release fixing the OpenSSL code we ship with Tor Browser. That said, the next Tor Browser versions will contain an updated OpenSSL.

Is it safer to use hardened

Is it safer to use hardened or stable?

what is the main different

what is the main different of "hardened" in comparison to other bundles ? thanks

Does the hardened alpha auto

Does the hardened alpha auto update like the stable version or would I need to manually update it each time ?

It is updating automatically

It is updating automatically as well, although we currently only provide a full update not an incremental one due to bug 17858.

WTF? http://antiwar.com/blog/

WTF?

http://antiwar.com/blog/2016/05/05/tor-developer-created-malware-for-fb…

Complete bullcrap propaganda

How much safer is hardened

How much safer is hardened edition and how?

Disconnect search often

Disconnect search often produces meaningless results or nothing, whereas StartPage's results are very similar to Google. Today, Disconnect is banned from Google, so their search results are even worse. You should switch back to StartPage unless there is a strong reason not to.

Yes, Disconnect got bad

Yes, Disconnect got bad lately due to not having Google results anymore. We are working on that.

Sometimes Disconnect shows

Sometimes Disconnect shows google results, but most of the times it says google doesn't work or something. Switch to duckduckgo onion.

when you exit and enter the

when you exit and enter the tor network, you end up showing ur real ip address right? when will or can tor be completely hidden from such showings. thats when u will get alot of people wanting to join tor.

when you exit and enter the

when you exit and enter the tor network, you end up showing ur real ip address right?

No, as a client node you'll only show your IP when you enter (assuming you're using Tor properly). When you enter the network, your Guard node will see your IP, but it won't see where you're going nor what you're sending.

Read: https://sedvblmbog.tudasnich.de/about/overview.html.en

The Tor browser built-in

The Tor browser built-in Torbutton is too simple, anyone tell me is there a GUI Tor manager ?

Do you mean a 'controller'?

Do you mean a 'controller'? If so, you can try Nyx (formerly Arm), an ncurses application.

Blogspot.com sites (owned by

Blogspot.com sites (owned by google) give all kinds of problems lately with tor and it has become more difficult to access them. It looks like google tries to redirect all the time, eventually failing to load the site.

I could not run this

I could not run this hardened build. The stable version works fine . I'm using Debian 8 x64.

When I ran "start-tor-browser" in the terminal nothing happened, no output just nothing.

Let me know if you need any more information.

Does the alpha version work

Does the alpha version work for you? What do you get back if you do something like ./start-tor-browser.desktop --debug --log?

Same problem here. My

Same problem here. My version of Tor Browser 6.0a5-hardened (running on Fedora 23) was working ok until last night. Then I downloaded a few Fedora system updates and now the browser doesn't launch. If I move the tor-browser directory to a Debian box everything works ok, so I guess one of the updates broke it.

Debug output when launching in Fedora:

==1043==AddressSanitizer CHECK failed: ../../.././libsanitizer/asan/asan_rtl.cc:556 "((!asan_init_is_running && "ASan init calls itself!")) != (0)" (0x0, 0x0)

See:

See: https://trac.torproject.org/projects/tor/ticket/19040 for a solution.

I received a special format

I received a special format of obfs4 from bridgedb, that is finished with "node-id=ia849c8c3eb819f". What I had before is end with "iat-mode=0".

It just means that the

It just means that the bridge is running an older version of obfs4proxy that uses a different format. See the changelog for obfs4proxy 0.0.3:

Change the obfs4 bridge line format to use a "cert" argument instead of the previous "node-id" and "public-key" arguments. The "cert" consists of the Base64 encoded concatenation of the node ID and public key, with the trailing padding removed. Old style separated bridge lines are still valid, but the newer representation is slightly more compact.

What are the system

What are the system requirements for the hardened TB, in terms of ram and cpu (goes without saying other than 64-bit cpu and the linux os)

CPU is not much of a

CPU is not much of a problem, but you definitely need much more RAM than usual with the hardened build.

How much more ram, 2 gb, 4

How much more ram, 2 gb, 4 gb? Even ram hungry desktop environments (like kde) will run on at least 2 gb.

doesn´t work with macOs

doesn´t work with macOs (10.11.4).
Its the same as with the 5.5.5 version.

crashes just right after start for any reason; don´t know...

Since the version 5.0.7 I can´t use Tor .

I just upgraded to 6.0.5.

I just upgraded to 6.0.5. The moment it finished upgrading, MalwareByte's Anti-ransomeware fired up and quarantined the following as ransomware:

Malware.Ransom.Agent.Generic

Uh...what's up with that?

Hard to say. We don't have a

Hard to say. We don't have a Tor Browser 6.0.5. The most recent version is 6.0.4. How did you upgrade? Does this happen with a clean, new Tor Browser downloaded from our Website as well?