Tor Browser 6.5a4 is released

by gk | November 16, 2016

Tor Browser 6.5a4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Other components got an update as well: Tor to 0.2.9.5-alpha, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.2j.

This release includes numerous bug fixes and improvements. Most notably we improved our Unix domain socket support by resolving all the issues that showed up in the previous alpha and by making sure all connections to tor (not only the control port related ones) are using this feature on OS X and Linux now.

Additionally, we fixed a lot of usability bugs, some caused by Apple's macOS Sierra (meek did not work anymore and windows could not be dragged either). Others were caused by our window resizing logic. We moved that logic into a C++ patch which we hope to get upstreamed into Firefox. We improved the usability of our security slider as well by reducing the number of security levels available and redesigning the custom mode.

Finally, we added a donation banner shown in some localized bundles starting on Nov 23 in order to point to our end-of-the-year 2016 donation campaign.

Update (11/16 2215UTC): We currently have problems with our auto-updater, at least on Linux systems. The updates are downloaded but don't get applied, for as yet unknown reasons. We have therefore decided to disable the automatic updates until we understand the problem and provide a fix for it. Progress on that task can be tracked in ticket 20691 in our bug tracker. We are sorry for this inconvenience. Fresh bundles are available on our download page, though.

Update (11/17 1012UTC): After some investigation and testing it turned out that the Windows platform is not affected by the updating problems. We therefore have enabled updates for it again. Updates for OS X and Linux stay disabled while we are trying to get to the bottom of our problems and to provide fixes/workarounds for them.

Update (11/17 1422UTC): Updates for OS X are enabled now as well, as Mac systems are not affected by the bug in the updater code either.

Update (11/18 0953UTC): Updates for Linux are enabled now as well, with an information prompt listing the workarounds. One of the following workarounds can be used to avoid the updater error:

  • in about:config, set app.update.staging.enabled to false before attempting to update
  • in about:config, set extensions.torlauncher.control_port_use_socket to false (disabling the control port Unix domain socket) and restart the browser before attempting to update

Here is the full changelog since 6.5a3:

  • All Platforms
    • Update Firefox to 45.5.0esr
    • Update Tor to tor-0.2.9.5-alpha
    • Update OpenSSL to 1.0.2j
    • Update Torbutton to 1.9.6.7
      • Bug 20414: Add donation banner on about:tor for 2016 campaign
      • Bug 20111: Use Unix domain sockets for SOCKS port by default
      • Bug 19459: Move resizing code to tor-browser.git
      • Bug 20264: Change security slider to 3 options
      • Bug 20347: Enhance security slider's custom mode
      • Bug 20123: Disable remote jar on all security levels
      • Bug 20244: Move privacy checkboxes to about:preferences#privacy
      • Bug 17546: Add tooltips to explain our privacy checkboxes
      • Bug 17904: Allow security settings dialog to resize
      • Bug 18093: Remove 'Restore Defaults' button
      • Bug 20373: Prevent redundant dialogs opening
      • Bug 20388+20399+20394: Code clean-up
      • Translation updates
    • Update Tor Launcher to 0.2.10.2
      • Bug 20111: Use Unix domain sockets for SOCKS port by default
      • Bug 20185: Avoid using Unix domain socket paths that are too long
      • Bug 20429: Do not open progress window if tor doesn't get started
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.7
    • Update meek to 0.25
      • Bug 19646: Wrong location for meek browser profile on OS X
      • Bug 20030: Shut down meek-http-helper cleanly if built with Go > 1.5.4
    • Bug 20304: Support spaces and other special characters for SOCKS socket
    • Bug 20490: Fix assertion failure due to fix for bug 20304
    • Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
    • Bug 20442: Backport fix for local path disclosure after drag and drop
    • Bug 20160: Backport fix for broken MP3-playback
    • Bug 20043: Isolate SharedWorker script requests to first party
    • Bug 20123: Always block remote jar files
    • Bug 20244: Move privacy checkboxes to about:preferences#privacy
    • Bug 19838: Add dgoulet's bridge and add another one commented out
    • Bug 19481: Point the update URL to aus1.torproject.org
    • Bug 20296: Rotate ports again for default obfs4 bridges
    • Bug 20651: DuckDuckGo does not work with JavaScript disabled
    • Bug 20399+15852: Code clean-up
  • Windows
    • Bug 20342: Add tor-gencert.exe to expert bundle
    • Bug 18175: Maximizing window and restarting leads to non-rounded window size
    • Bug 13437: Rounded inner window accidentally grows to non-rounded size
  • OS X
    • Bug 20204: Windows don't drag on macOS Sierra anymore
    • Bug 20250: Meek fails on macOS Sierra if built with Go < 1.7
    • Bug 20590: Badly resized window due to security slider notification bar on OS X
    • Bug 20439: Make the build PIE on OSX
  • Linux
    • Bug 15953: Weird resizing dance on Tor Browser startup
  • Build System
    • All Platforms
    • OS X
      • Bug 20258: Make OS X Tor archive reproducible again
      • Bug 20184: Make OS X builds reproducible again
      • Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

Comments

Please note that the comment area below has been archived.

November 16, 2016

You removed the option for allowing third party cookies, enabling flash, and "change details that distinguish you from other Tor Browser users".

I use a fake facebook account to post anonymous comments on news websites; without the ability to enable third party cookies the news website is unable to see that I am logged in to facebook, so I am unable to comment.

Forum that I use requires flash to upload avatar pictures even if I enable flash by going to add-ons -- plug-ins and click on enable plug-ins I am no longer able to upload avatar pictures because I also need to disable feature that changes details that distinguish me from other Tor users.

I know that flash can be used to de-anonymize users but I use method described here to make that a little bit harder.

https://anonymous-proxy-servers.net/en/help/flash-applets.html

November 17, 2016

In reply to gk

But you forgot to mention about it in a user-friendly manner (not everyone reads bug-tracker).

> Forum that I use requires flash to upload avatar pictures even if I enable flash by going to add-ons -- plug-ins and click on enable plug-ins I am no longer able to upload avatar pictures because I also need to disable feature that changes details that distinguish me from other Tor users.

And this is really weird.

For all regular/normal people it is impossible to use Flash, ActiveX, Java or JavaScript safely. Using QubesOS will help a bit, while being easy and simple for newcomers, but will not completely remove the danger.

November 16, 2016

07:40:48.595 1479368448500 addons.xpi-utils ERROR Unable to read anything useful from the database Log.jsm:751:0

November 17, 2016

In reply to gk

It is on 6.5a4 when checking for updates.
And it is the contents of en-US:1:50 that was pasted as a text, but is displayed without markup in the blog.

November 17, 2016

Torbutton INFO: New Identity: Sending NEWNYM
Is not needed anymore?

November 17, 2016

Preserving the size by zooming in maximized or F11 mode instead of showing a warning works for the current tab only. (Win 7)

Windows is dangerous. The NSA backdoors in it are also exploited by China and Russia to join your computer to a botnet used to make DDoS attacks against democracy-promoting websites such as WikiLeaks and Reporters without Boundaries.
An easy way to be reasonably secure is simply installing the user-friendly "QubesOS" and having it clean Windows off of your computer. If you like freedom&liberty/democracy, anyways.

More tech-savvy people might consider GenodeOS, SubgraphOS or Trisquel, but note these aren't focussed on ease-of-use (QubesOS is).

I do not try yet GenodeOS - avoid trisquel - Qubes & subgraph are not so interesting.
Window is a good product for intellectual deficiency.
Users need a graphic install, a secure o.s, updated & user friendly & a strong & sincere community (forums, blogs, mailing-list, support, doc, contact).
*how to avoid 14 eyes ? (5 is very difficult yet ! )

Anti viruses use very paranoid heuristics in an attempt to detect polymorphic viruses.
These heuristics are easy to overcome for anyone trying to overcome them, but any legit program that uses a slightly unorthodox build system gets blocked.
If you want to be secure there is no perfect solution, but here's a much better solution than running Windows with an antivirus;

Replace Windows with QubesOS (unlike what you hear about Linux, QubesOS doesn't require command lines, terminals, typing, wizardry, reading, etc. It has a simple, user-friendly GUI with very small learning curve).

If you get a virus in QubesOS, you just close the application and re-open it, and it automatically gets a whole fresh operating system in under a second without you having to do anything. It's like running TAILS and restarting it every time you close a program, but it only takes a split second to restart, and most important EASY TO USE REQUIRING NO TECHNICAL KNOWLEDGE.
https://www.qubes-os.org/downloads/

The other ones (GenodeOS/SubgraphOS/Trisquel) are possibilities but not recommended for normal users. The first two are harder to setup and Trisquel needs a lot done to make it reasonably secure (it is basically just Ubuntu with less BLOBs)

ubuntu has some backdoors that trisquel has not (none for trisquel).

ubuntu & distrib based on must be avoided if privacy or security is your priority.

Subgraph & Qubes are based on virtual machine.
- A virtual machine is not for securing the communication or your desktop but the data inside the process, during the protocol ... perfect for journalist, whistle-blower, but not for every day : installing into an usb-key (signed_encrypted according your model of threat) is one of the best choice for the challenge privacy/security.

Debian can be hardened with some tweaks but the community is not as responsive smart alive than ubuntu.

Try it and choose one will suit you _ TOR is present for each version.

November 17, 2016

Regression(?): browser.zoom.siteSpecific is reset to false on shutdown. user.js doesn't override this.

November 17, 2016

I'm getting an error accessing preferences:

"XML-Verarbeitungsfehler: Nicht definierte Entität
Adresse: about:preferences
Zeile Nr. 653, Spalte 7:

November 23, 2016

Hope someone read this:

my 6.5a4 browser when fullscreen always go to zoom 132% after I do something in browser. I must put down to 100% each time. this only happen when fullscreen. on windows 10. what wrong?!

That is probably due to our code trying to round the window for you in case you are going fullscreen. Without that one you would probably end up with fairly distinguishing screen dimensions.

November 24, 2016

In reply to gk

Sorry I no understand. it no happen in 6.0.6, only alpha.
it happen when i fullscreen already, always blow up to 132% then I down to 100%.

Yes, this happens only on the alphas as we don't ship that feature of rounding your window properly in all situations on the stable channel yet. It is not ready for prime-time.

November 24, 2016

Tor Browser 6.5a3 linux 64:

WARNING: this browser is out of date.

I do the upgrade clicking update on the popup window.

It download the upgrade patch, few MB of data.
Something too fast to read appears and then another window download ~82 MB of data. Then the window show:

The Update could not be installed (patch apply failed)

And It do not upgrade, I have to do a fresh download.

November 24, 2016

Do not consider my previous comment, I have done the workaround in about:config:

app.update.staging.enabled to false
extensions.torlauncher.control_port_use_socket to false

I have not restarted the browser before attempting the update, but Tor Browser was updated!

Then I have reset
app.update.staging.enabled to true
extensions.torlauncher.control_port_use_socket to true
the previous default value, is that correct?

Cheers