Tor Browser 7.5.2 is released

by gk | March 17, 2018

Tor Browser 7.5.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Note: Users of the Tor Browser alpha series are strongly encouraged to use the stable series while we are preparing a new alpha release.

The full changelog since Tor Browser 7.5.1 is:

  • All platforms
    • Update Firefox to 52.7.2esr

Comments

Please note that the comment area below has been archived.

The easiest answer is "install and use Tor Browser"--- the latest version, for the appropriate architecture (e.g. Windows, Linux) obtained from sedvblmbog.tudasnich.de.

For more privacy protections, you may want to consider using Tails:

https://tails.boum.org/about/index.en.html

Tails will enable you to browse the web anonymously:

https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html

Within limits:

https://tails.boum.org/doc/about/warning/index.en.html

You can't. Tor provides no protection against global adversaries, but USA, People's Republic of China and other govenments are global adversaries because of MLATs and CLOUD. Say thank to Trump and the Congress.

Tor Project products, such as Tor Browser, cannot by themselves protect against flaws in your operating system, much less hardware vulnerabilities such as speculative execution.

If you are concerned about Spectre/Meltdown, good, and you may want to consider using Tails, which uses Tor Browser but has further protections; see

tails.boum.org

Tails Project is independent of Tor Project but allied with it.

The current version of Tails is hardened against some Spectre attacks and should be immune to known Meltdown attacks. It is not currently possible, and may never be possible, to be completely protected from Spectre attacks, for reasons discussed in previous comments in this blog.

Tor Browser, cannot by themselves protect against flaws in your operating system, much less hardware vulnerabilities such as speculative execution.

Actually, Retpoline does just that. Firefox was going to compile with Retpoline, but since Tor has its own build of Firefox, it would be great to hear that Retpoline is definitely enabled in the build target.

What does "instantly" mean? Just after trying to start Tor Browser? Or once you start surfing? I suspect your local AV/Firewall software does not like the new version. Could you try removing it and see whether it fixes your problem? Which previous version did work for you?

robert.fraser1… (not verified) said:

March 17, 2018

Permalink

Thanks,
what so I do now you have told me re update?
Rob

Anonymous (not verified) said:

March 19, 2018

Permalink

Follow the first link in the post to the Tor Project download page, download the new version of Tor Browser, verify the file, unpack it, and surf! Feel free to flip the bird in the general direction of Cambridge Analytica.

Anonymous (not verified) said:

March 18, 2018

Permalink

Thanks for allowing comments, but where are the details about this vulnerability?
"Users of higher security levels are not affected", "do not allow ogg/vorbis" and so on?

We did not have time to analyze the implications for Tor Browser and don't have access to the PoC. So, it's hard to say something which is constructive at this point. That's the reason behind just saying: "Update!".

[Edit: I got told that setting media.ogg.enabled to false would make sure the vulnerable code would not have been triggered. It's not clear yet whether setting media.webaudio.enabled to false, which is possible with the security slider, would have helped as well.]

Anonymous (not verified) said:

March 19, 2018

Permalink

Okay. The most decent solution "Automatic updates" eliminates the need to even say "Update!" :) But is there some place where you publish (later) the results of analysis of effectiveness of the measures taken in Tor Browser (ssp, selfrando, etc)?

Phil (not verified) said:

March 18, 2018

Permalink

Sorry for a simple question. I'm no security expert. Does 'Ghostery' work with Tor? If so, does it work well or ok? cheers.

Tor Project recommendation — Don't enable or install browser plugins. Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, do not install additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy: https://sedvblmbog.tudasnich.de/download/download-easy.html.en#warning

It's simple, assuming you want to use Tor Browser to surf the internet anonymously:

1. download Tor Browser from https://sedvblmbog.tudasnich.de/download/download-easy.html.en

2. verify the file (a tarball)

3. unpack the tarball on your computer using your regular OS

4. use the provide startup script to start Tor Browser

5. surf!

You should probably read a bit about how to use Tor Browser wisely before you do too much surfing, though:

https://sedvblmbog.tudasnich.de/download/download-easy.html.en#warning

Ideally you should also read a bit about how the Tor network (including the underlying Tor client/server software) works:

https://sedvblmbog.tudasnich.de/about/overview.html.en#thesolution

You may also want to consider using Tails for additional protections. But Tails, much less Tor Browser, cannot protect you against some threats:

https://tails.boum.org/doc/about/warning/index.en.html

@ Tor Project: the OP asked a FAQ. Why is there no one document easily found in the Tor Project site which answers it?

Good question. I am actually not sure whether we have an entry in the FAQ for the question or not as I am not sure what is meant by "How does it work?". But, yes, once we figured that out and the FAQ does indeed not contain it we should add an entry.

We plan to help the Guardian Project getting an updated Orfox out in the coming days. And meanwhile we are continuing to work on getting Tor Browser for Android into shape. The first alpha is planned for July, so stay tuned.

Anonymous (not verified) said:

March 19, 2018

Permalink

good

I hope the following explainer will help, in which <--> means unencrypted data link and <==> means encrypted data link.

Ordinary websurfing with a browser other than Tor Browser works like this:

DNS.server <--> your.computer <--> your.ISP <--> some.website

Websurfing with Tor Browser works like this:

your.computer <==> your.ISP <==> entry.node <==> middle.node <==> exit.node <--> http.site

your.computer <==> your.ISP <==> entry.node <==> middle.node <==> exit.node <==> https.site

Details:

The Tor network consists of entry, middle, exit nodes, and special servers called Directory Authorities.

The Tor circuit entry <==> middle <==> exit is triply encrypted. Middle node knows IP of entry and exit, but exit node and entry node do not know each other's identity. The encryption is stripped off in layers by the next node in the circuit, as packets traverse the Tor network. Hence the term "onion routing", which is the core concept characterizing Tor.

The identity of exit nodes and some entry/middle nodes is public information. Nonpublished entry nodes are bridges, which can afford additional anonymity and censorship-resistance. There are various kinds of bridges, some especially designed to resist very censorious governmental monitoring.

When you first join the Tor network using Tor Browser, your computer contacts a Directory Authority via an encrypted connection, to get current information on which Tor nodes are operating, so your ISP can see that you are using Tor. Unless, possibly, if you use a bridge (because bridges are not publicly associated with Tor) to try to join the Tor network.

The exit node in a Tor circuit must contact a DNS server (via unencrypted data link) to locate the IP of the website you type into Tor Browser's location pane, but since it doesn't know your real IP, neither does the operator of the DNS server, nor the operator of the website you are visiting.

Tor Browser is a fully functional browser based on Mozilla Firefox, but carefully tailored to maximize anonymity via the Tor network.

Tor Project offers various other software in addition to Tor Browser. All of them use the underlying client/server Tor software and are open source and free to the public.

"Onions" are bit more complicated and offer additional protections for people who need to publish information anonymously.

Other names: "entry guard" = entry node, "relay" = entry/middle node, "hidden service" = onion.

KMac (not verified) said:

March 20, 2018

Permalink

I am just getting started again, it has been a year or so since I have been here, just updating everything. Have a peaceful day...

Anon (not verified) said:

March 21, 2018

Permalink

Hi guys - After upgrading to 7.5.2, Tor always insists on connecting to the UK as its first relay node, no matter how many times I try a different circuit.

Has anyone experienced this, and what's up with it?

> Tor always insists on connecting to the UK as its first relay node, no matter how many times I try a different circuit.

Assuming you live in the UK, that sounds like how entry guards are supposed to work. (The first node in a Tor circuit is called an entry guard.) Your Tor client is supposed to choose two and stick with them for some time--- I forget how long exactly, but several months. Each new circuit should use new relay and exit nodes (second and third nodes). Your Tor client should try to choose an exit node "near" your destination website, so if that is in a country with few nodes, you might see the same exit node more often than you might desire.

The entry node business might sound like it weakens anonymity, but actually it is intended to strengthen your anonymity against certain kinds of de-anonymization attacks. IIRC, arma discussed the math behind this a few years ago. AFAIK, choosing the number of entry guards and the length of time to stick with those is subject to review as new information becomes available about how the bad guys (government agencies) are trying to mess with the Tor network.

Hi... thanks for the response. If that was the case, why is it that v7.5.1 (and all the other versions I've been using) do not work that way? For example, now I am on 7.5.1 and my circuit shows as 'This browser - Netherlands - Russia - Germany - Internet'. If I were to change circuit it would show different countries but it would not stick to the UK, hope my question makes sense.

Say whaat? Someone claimed

> Tor always insists on connecting to the UK as its first relay node, no matter how many times I try a different circuit

and now you (I presume you are the OP) say

> my circuit shows as 'This browser - Netherlands - Russia - Germany - Internet'. If I were to change circuit it would show different countries but it would not stick to the UK

Netherlands? So not the UK after all?

Please explain:

1. how Tor Browser is behaving on your computer

2. what you want it to do instead

> hope my question makes sense

Not yet.

I'm sure that's done for reproducibility (the time stamps all get set to some fixed value, so that anybody else who compiles the Tor browser is able to produce a file that is 100% identical to the file that is released by Tor.)

It would be better to have these time stamps set to something sensible like the browser release date, or maybe just to hide the time stamps completely, but that would take more work and I'm sure this is a low priority for the developers. Having a reproducible binary is more important than fixing the appearance of an internal user interface (about:addons) that users shouldn't normally be messing with anyway.

Anonymous (not verified) said:

March 21, 2018

Permalink

Tor Browser 7.5.2 seems to be working fine under Debian stretch on my computer!

Thanks to everyone for providing Tor! Your work is much appreciated.3

tortor (not verified) said:

March 21, 2018

Permalink

The Android phone has a global setting which allows connection through the country of choice. Is the Desktop version going to have this capability?

Anonymous (not verified) said:

March 21, 2018

Permalink

What is the ETA of 64-bit Windows builds?
Memory corruption vulnerabilities are easier to exploit in 32-bit applications because of the limited address space.

We still need to iron out some bugs in our 64bit bundles but plan to make them available to stable users with the switch to Firefox 60 ESR which is going to happen later this year, in August.

GCHQ loves tor… (not verified) said:

March 21, 2018

Permalink

You shits STILL haven't fixed this?!?

When initially starting, torbrowser allows several sites to install spyware:
addons.mozilla.org
testpilot.firefox.com

you can disallow them using
Edit > Preferences > Security > Exceptions > Remove All Sites

There is no any reason for these to be allowed unless torbrowser sucking GCHQ dick.

When restart these spyware sites are re-allowed!!!

This issue was reported several versions ago. Why is it still here?
GCHQ did not find alternative backdoor????

Is torbrowser SPYWARE????

Anonymous (not verified) said:

March 22, 2018

Permalink

In current version of TB, I see this in one of the torrc configs:

## snowflake configuration
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://snowflake-reg.appspot.com/ -front www.google.com -ice stun:stun.l.google.com:19302

This is new to me, what exactly is it? I'm running as a Tor client only.

Teresa Dreams (not verified) said:

March 23, 2018

Permalink

Can anybody tell me why, since the update, every time I have closed TOR and then try to launch the next day, I keep getting this:

UNABLE TO START TOR

FAILED TO GET HASHED PASSWORD

So far, the only way I get TOR back is to re-install.

Any help for this?

Jimmy (not verified) said:

March 25, 2018

Permalink

I have an older version. Should I just delete that directory and install the new version, or is another method of upgrading recommended?

Depends on how old your version is. The recommended version is to use the Tor Browser updater. It should download an update automatically. If, however, your Tor Browser is too old for that then, yes, grabbing a new version from our website and starting over is the best solution.