Tor Browser 7.0a1-hardened is released

by boklm | January 25, 2017

A new hardened Tor Browser release is available. It can be found in the 7.0a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Tor Browser 7.0a1-hardened is the first hardened alpha in the 7.0 series. Apart from the usual Firefox update (to 45.7.0 ESR) it contains the first alpha in the tor 0.3.0 series (0.3.0.1-alpha) and an updated HTTPS-Everywhere (5.2.9) + NoScript (2.9.5.3).

Tor Browser 7.0a1-hardened is the first hardened alpha allowing Linux users to test Snowflake, a new WebRTC-based pluggable transport.

The full changelog since 6.5a6-hardened is:

  • All Platforms
    • Update Firefox to 45.7.0esr
    • Tor to 0.3.0.2-alpha
    • Update Torbutton to 1.9.7
      • Bug 19898: Use DuckDuckGo on about:tor
      • Bug 21091: Hide the update check menu entry when running under the sandbox
      • Bug 21243: Add links to es, fr, and pt Tor Browser manual
      • Bug 21194: Show snowflake in the circuit display
      • Bug 21131: Remove 2016 donation banner
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.9
    • Update NoScript to 2.9.5.3
    • Bug 20471: Allow javascript: links from HTTPS first party pages
    • Bug 20651: DuckDuckGo does not work with JavaScript disabled
    • Bug 20589: Add new MAR signing key
    • Bug 20735: Add snowflake pluggable transport to alpha Linux builds
  • Build system
    • All platforms

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

January 24, 2017

Permalink

Tor hardened and alpha do not allow Tor Birdy to connect using defaults like it used to, how do we fix this?

Anonymous (not verified) said:

January 24, 2017

Permalink

I can wait just fine, but I am thinking this is disabling many, many clients running Tor Birdy who may not be able to suffer extended downtime.

On their behalf, is there any estimation on how long we will be waiting? It seems this has been on the radar for 2 months already with no fix, according to the trac link you provided:

https://trac.torproject.org/projects/tor/ticket/20761

The problem is it needs a fix on the tor side as well. That one got merged to master yesterday. I am not sure about backporting/new alpha releases with that fix yet but I'd say we should be able to have this fixed in the next regular alpha/hardened releases.

Anonymous (not verified) said:

January 25, 2017

Permalink

=) Thanks for the reply! We will be looking forward to the next release for a fix. Cheers!

If you just need a tor that listens on TCP port 9150 for SOCKS (which is probably all TorBirdy requires), you can disable the new Unix domain sockets feature and get back your TCP SOCKS port by using about:config inside Tor Browser to set the following preferences to false:

  1. <br />
  2. extensions.torlauncher.control_port_use_ipc<br />
  3. extensions.torlauncher.socks_port_use_ipc<br />

You will need to restart Tor Browser after making these changes,

Anonymous (not verified) said:

January 25, 2017

Permalink

Could it be that the signature .asc files for the tor browser bundle 6.5 miss the public key of the developers?
I have just downloaded and tried to verify the 64 bit version of the en-US and de language file. And on both gnupg throws me out, that the public key is missing. And I definitely have saved the tor browser developers signing key on my computer.

The key from the Tor Browser developers involves a long-term identity, and a set of shorter-term signing subkeys. These subkeys last for a year or so, and they make new ones periodically, because "key rotation" is a good way to limit the scope of damage if something goes wrong sometime.

So, you likely have the old subkeys since you "saved the tor browser developers signing key on your computer", but if you fetch a new copy of the key, you'll get the new subkey too. Hopefully everything will work smoothly from there.

Anonymous (not verified) said:

February 02, 2017

Permalink

Thank you for that hint.
After refreshing the the signing keys via the keyservers, the check of the downloaded bundles now runs fine with gpg.
It was a little confusing, because I couldn't see any information about that shot-term subkeys on the explaining page on how to check the integrity of that bundles with gpg.
But now it makes sense to me.

Anonymous (not verified) said:

January 26, 2017

Permalink

Bit offtopic but ...funny:
https://www.burojansen.nl/bvd-aivd/dutch-secret-service-tries-to-recrui…

"[...] He said they were mostly interested in building a community of techies around the developers of Tor and Tails and that it would be an international effort. This was an option that wouldn’t require me to work with the Dutch secret service AIVD officially but voluntarily and I could state the expenses and determine my own salary. He said: “this is a possibility too, if you’re not asking 5.000 euros a month but we cover travels too.”"

Anonymous (not verified) said:

January 26, 2017

Permalink

Hello! Tails 2.10Rc1 and the 2.10 can't start for me. After the login procedure nothing happeming, just a new login screen and procedure. This is an Acer Aspire, my older Acer laptop can't boot totally.

Anonymous (not verified) said:

January 26, 2017

Permalink

I dont't get the automatic updates.

I want to get the latest version from my distro's repo
Not being pushed with a new version.

Any improvements on RAM usage?

Anonymous (not verified) said:

January 26, 2017

Permalink

There is a margin at the bottom of the screen after updating.
I'm using Windows 10.

Anonymous (not verified) said:

January 27, 2017

Permalink

Would like to see the ability to choose which countries Tor chooses for proxies or at least be able to have a block country list.

One issue I have with browsing is I prefer to use Eastern block / less developed countries for relays as they are less sophisticated and therefore less likely to be able to intercept and decrypt Tor communications, where as more developed countries such as the USA, UK, Germany etc, have more developed systems.

It also worries me when my country is the last hop before my ISP as this potentially make surveillance much easier as they can trace the IP of my ISP much more easily as it's the next hop.

Anonymous (not verified) said:

January 28, 2017

Permalink

Hi, I'm trying to run Tor Browser, but there's kind of three days it just returns a downloading error 404, and even if I change the server, it doesn't work anyways. Apparently the server is offline, or, 6.5 TOR version 64 bits for Debian is not working anymore, could you guys help? Thanks.

Anonymous (not verified) said:

January 30, 2017

Permalink

Firefox Version 53.0a2, first offered to Firefox Developer Edition channel users on January 27, 2017
Windows XP and Vista are no longer supported.
Ended Firefox Linux support for SSE processors
32-bit Mac OS X is no longer supported.

R.I.P. Firefox. Now it is worse than Adobe with it's Flash Player...

Anonymous (not verified) said:

January 30, 2017

Permalink

Compile it with LibreSSL or this so called "hardened" is a joke.

Youtube "LibreSSL: The first 30 days, and what the Future Holds" to see what a pos OpenSSL is.

One reason for currently not using DDG's .onion is that we are not sure how well it scales if all Tor Browser users start to using it. And it's even slower than the non-onion search.

Anonymous (not verified) said:

February 10, 2017

Permalink

the key fails on torbrowser-launcher in debian and ubuntu

Anonymous (not verified) said:

February 15, 2017

Permalink

yea I know its seperate I also know it worked for a very long time

Anonymous (not verified) said:

February 15, 2017

Permalink

this is using 4.6GB of ram on ubuntu 16.04. and 16.10 something has to be wrong it doesnt do that on debian