Tor Browser 7.5.4 is released

by boklm | May 9, 2018

Tor Browser 7.5.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 52.8.0esr, HTTPS Everywhere to 2018.4.11, and NoScript to 5.1.8.5. In addition, we exempt .onion domains from mixed content warnings, fixed a fingerprinting issue and an issue with localized content.

The full changelog since Tor Browser 7.5.3 is:

  • All platforms
    • Update Firefox to 52.8.0esr
    • Update HTTPS Everywhere to 2018.4.11
    • Update NoScript to 5.1.8.5
    • Bug 23439: Exempt .onion domains from mixed content warnings
    • Bug 22614: Make e10s/non-e10s Tor Browsers indistinguishable
    • Bug 22659: Changes to `intl.accept.languages` get overwritten after restart
    • Bug 25973: Backport off-by-one fix (bug 1352073)
    • Bug 25020: Add a tbb_version.json file

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

May 09, 2018

Permalink

Nice

Anonymous (not verified) said:

May 10, 2018

Permalink

Nice

Anonymous (not verified) said:

May 13, 2018

Permalink

Nice

masa (not verified) said:

May 09, 2018

Permalink

GJ

Anonymous (not verified) said:

May 10, 2018

Permalink

Never going beyond FF 56 would be too soon for me. FF57 is when all 'legacy' extensions will cease to work and that will kill off my effectiveness as a full time researcher because vital extensions I need to use constantly are not being recoded to work under FF new ext scheme.

One cannot blame the extension devs because it is one hell of a lot of work to try and implement the full feature set they had in their legacy extensions --and even them most conversions have only partial functionality of the old ones

I love Tor and its devs and have nothing but praise for them and their great work --FF is another story as cosmetics, like rounded tab corners v square tab corners, seem to be more important to them than the functionality needed by power users.

Mozilla talked about extending ESR52 support for another year, but, of course, it was a lie!
And later this year, your Tor Browser will turn into a pumpkin automatically! ;-(

geeyp (not verified) said:

May 09, 2018

Permalink

Hello, how are you? I have always gotten an email regarding updates. This time I didn't. I would rather have the assurance that this is happening officially in an email in future, please. I don't know why this did not happen this time. Not a complaint, just feel safer this way. Thank you.

geeyp (not verified) said:

May 10, 2018

Permalink

I know I should have received one 'cause, as I stated, I always have. Do I need to do anything? Thank you so much in advance.

Anonymous (not verified) said:

May 10, 2018

Permalink

Can you tell Mozilla to no longer show that "Your Firefox is out-of-date." warning when I go to their website with Tor Browser it's annoooooying... if user agent = (firefox 52.x or firefox 60.x) & ip == exit node; then don't show that annoying popup

Tor User (not verified) said:

May 10, 2018

Permalink

Any news regarding the launch of Tor Browser Bundle for Android?

Orbot/Orfox are pretty much unusable now. I'm constantly blocked by websites that redirect me to Captcha challenges, which are absolutely unsolvable in Orfox, and the current version of Orbot no longer allows you to swipe the onion icon to create a new circuit, forcing you to restart Orbot if you want to change circuit.

Anonymous (not verified) said:

May 10, 2018

Permalink

  • Bug 23439: Exempt .onion domains from mixed content warnings

Many comments on that bug and tickets they link to debate how to treat HTTPS clearnet the same as HTTP onion services, but I don't see a perspective of the consequences from the insecure end. Meaning:

Now that HTTP onion services are treated as secure and now that HTTP onions are exempt from mixed content warnings, then is HTTP onion service traffic recognized and warned as different from HTTP to clearnet? If an HTTP .onion webpage loads content from an HTTP clearnet domain, does Tor Browser still warn about mixed content? Or since they are both HTTP, does the warning not appear?

Hello (not verified) said:

May 10, 2018

Permalink

i that the former post says that "Domain Fronting Is Critical to the Open Web" and also i note that the tor project tor browser has enabled the following about:configs

media.getusermedia.screensharing.allowed_domains;
media.getusermedia.screensharing.enabled;true

many many domains sharing and trusted and allowed!

so why not trust them for your other purposes as well?

itsjustme (not verified) said:

May 11, 2018

Permalink

Brand new user here, still working my way around. I am not as technologically-inclined like a lot of you are, so I hope to get lots of tips on how to properly use TOR.

Welcome to the club!

Good advice on using Tor Browser wisely:
https://sedvblmbog.tudasnich.de/download/download-easy.html.en#warning

Advice on using Tails wisely:
https://tails.boum.org/doc/index.en.html

If you want help trying to explain to your friends why privacy matters, some of the best books I have read which explain why ordinary citizens need Tor are:

Julia Angwin, Dragnet Nation, 2014
Daniel J. Solove, Nothing to Hide, Yale U Press, 2011
Cathy O'Neill, Weapons of Math Destruction, Crown, 2016
Jennifer Granick, American Spies, Cambridge U Press, 2017
Virginia Eubanks, Automating Inequality, St Martin's Press, 2017
Cyrus Farivar, Habeus Data, Melville House, 2018

In coming months, look for upcoming stories (unless USIC kills them) on how US National Labs have constructed supercomputer models in which every USPER is individually modeled, along with their relations to family, friends, and coworkers. These models are built using USG and private databases holding information on education, employment, finances, health, travel, local government interactions, social media, &c. The models are run, tweaked by some possible government action, then rerun to see which alternative most increases the government's self-defined "utility value". This is, rather literally, surveillance of The People by the Government for the Good of the Government and against the Good of the People. Anything you (or your family or friends) say or do today can be used against you decades into the future. This is what Snowden is talking about when he uses the apt term "databases of ruin".

These population control supercomputer modeling programs were one of USG's most closely guarded secrets for decades, but former LANL scientists are finally beginning to hint in interviews with major news organizations what they have been doing, starting with modeling which might appear "benign" or even beneficial:

wired.com
Scientists Know How You’ll Respond to Nuclear War—and They Have a Plan
Using an unprecedented level of data from more than 40 different sources, resear
chers can now make synthetic populations of entire cities.
Megan Molteni
13 Feb 2018

Much of this work has been done under cover of "traffic engineering" (no joking). The people who do this work know very well that this is merely a cover for much nastier modeling. Think "predictive policing" on steroids.

Another leader in this is China, which is doing it openly. Joseph Stalin would have loved this technology.

anonomous (not verified) said:

May 11, 2018

Permalink

None of my Obfs bridges work anymore with Tails 3.7. They did work with Tails 3.6.2. Don't know if this is a Tor issue, Tor Browser issue or a Tails issue.

kel (not verified) said:

May 11, 2018

Permalink

In Linux, Ubunutu 17.04 with Mate Desktop, Tor browser bundle leaves opened files that prevents of unmounting encrypted files. I have to find them with lsof and kill the processes. I've noticed that all of them are related with gvfsd.

Thanks for the great work.

Anonymous (not verified) said:

May 11, 2018

Permalink

Thank you.. I am not very computer literate, but really like this anonymous, and not being traced on the web. Thank you for the time, and effort that it takes to continue this.

I don't understand your concern. Suppressing steganoography would be much like suppressing encryption itself--- hiding the fact, content, and destination of traffic is what Tor products are all about, so it doesn't really make sense to complain to Tor Project about steganography.

The article describes a long used method of steganography, which is useful for activists and endangered dissidents who live in repressive nations. It also mentions digital watermarking, which can be used by activists for good purposes as well as by censorship-enabling companies such as Forensicon for (apparently) bad purposes. In short, like everything else, software cannot know who is using it and why. Sometimes the bad guys use good things for bad purposes--- that's life.

In any event, I very much doubt Tor Project can "do something" about the use of steganography even if anyone wanted to do that.

Skink (not verified) said:

May 12, 2018

Permalink

Here Here for Orbot Captcha hell...

I am here now because I have Tor on 3 windows lappies and when I accept the 7.5.4 update all of them give a ("general SOCKS server failure") I have a good copy of 7.5.3 and have reverted back on all 3 and they connect fine...

Not a complaint just an observation...

Keep up the necessary good work for the fight for anonymity...

Could that be that an old Tor is not properly shut down during the update? Could you make sure that no Tor is running anymore and then install a fresh, new Tor Browser 7.5.4 to a different location and check whether that solves your problem?

Grandejuanjuli… (not verified) said:

May 13, 2018

Permalink

I don't know much about HTML code, JavaScript, Scores of Languages or Linux operating systems but I feel as though computers might be my thing. Yeah.... a paradox. But I'm looking into going to college for IT next year and I would like to volunteer for Tor Browser. So any advice, tips, tricks, or special invitations to help me out?

Here is one piece of advice: get to know The Enemy. This is a project to work on over the next few months, not a easy path but I think essential for anyone who wants to work for Tor Project.

You should probably begin by downloading all the published Snowden links, ANT catalog, SpyFiles catalog, etc. before the end of Net Neutrality (11 Jun 2018) just to be sure you will be able to read them when you know enough to understand them. Then you can start reading the following links (roughly prioritized from easy/short/recent to technical/lengthy/dated):

Up to date and readable outline of the basic issues:
https://theyarewatching.org/

Dated but easy reading (WARNING: dodgy cert):
https://www.aclu.org/issues/privacy-technology/surveillance-technologies

A bit more technical, somewhat dated:
https://ssd.eff.org/

Excellent source for latest information on surveillance-as-a-service companies:
https://citizenlab.ca/

Good advice from Micah Lee:
https://theintercept.com/2016/11/12/surveillance-self-defense-against-t…

Fabulous compendium of surveillance-as-a-service companies and their products:
https://theintercept.com/surveillance-catalogue/

Another excellent source of information on surveillance-as-a-service-companies:
https://wikileaks.org/The-Spyfiles

Searchable index of the leaked emails from defunct spyco HB Gary Federal:
https://www.wikileaks.org/hbgary-emails/?q=&mfrom=&mto=&title=&notitle=…

Leaked newsletters from a spyco: Stratfor:
https://search.wikileaks.org/gifiles/

The best source of information on NSA surveillance (highly technical):
https://www.eff.org/nsa-spying/nsadocs
(Read Jennifer Granick's book American Spies for some help understanding Snowden leaks.)

The ANT catalog, the most important post-Snowden leak (includes copies of original NSA docs):
https://en.wikipedia.org/wiki/NSA_ANT_catalog

Information on CIA cyberespionage (technical and at the center of political controversy in USA):
https://wikileaks.org/vault7/

Excellent source of information on the revolving door between US miltary/USIC and spycos:
https://icwatch.wikileaks.org/search?action=index&controller=search&doc…

Dated but invaluble (WARNING: not an https site?)
http://projects.washingtonpost.com/top-secret-america/
(Many of the companies named have merged or changed names.)

The Intercept (theintercept.com) regularly publish stories on surveillance mercenaries, private security forces like BlackSwan, police misconduct around the world. The Guardian (theguardian.com) has published many important stories on outrageous infiltration by UK police of EU peace/environmental groups and extralegal killings of environmentalists and reporters. Human Rights Watch (hrw.org), Amnesty (amesty.org), Reporters without Borders (rsf.org) are excellent sources of information upon current human rights abuses, very few of which are covered by most major US/EU newspapers.

Years ago, Bloomberg News published many good articles on spycos, for example:
https://www.bloomberg.com/news/articles/2012-08-29/spyware-matching-fin…
But they appear to have removed their index to these stories after it was revealed the company was routinely spying on its own reporters.

Ray (not verified) said:

May 13, 2018

Permalink

Tor 7.5.4 hangs even worse than the past 2 versions e.g.
tripadvisor.com
vrbo.com
flipkey.com
suddenlink.com
nationwide.com
usps.com
Unusable.

iridesce (not verified) said:

May 14, 2018

Permalink

Thank you for your ongoing work. You help create as much liberty as we can experience in these times.

Donation in transit.

Health, happiness and prosperity to you and yours

acute-sense-of… (not verified) said:

May 15, 2018

Permalink

One thing I have noticed that has arisen in 7.5.4 is that the entry (first country listed) circuit is static and cannot / will not change even when requested.

In one install I am forced to use United States.

In another install (yes, both 7.5.4) I am forced to use Switzerland.

In both cases the other two (second and third) circuits will change, but the first - never.

This is a Windows browser. Thanks.

acute-sense-of… (not verified) said:

May 18, 2018

Permalink

Thanks for the reply, gk.

And of course infinite thanks also to all the fine people who work on this project.

What does "hangs" mean? When does this happen? On particular web sites? If so, on which? Which Windows version are you using? Do you have an antivirus/firewall software that could interefere with Tor Browser? If so, which one?

Dimitri (not verified) said:

May 16, 2018

Permalink

Thank you so very much for your constant great work. It is absolutely essential to have TOR available. I can not stress out how important it is.

So, thank you for your fantastic work.

Anonymous (not verified) said:

May 16, 2018

Permalink

In TBB media.gmp is off.
How can i switch off this s..t in vanilla Firefox?

I have turn off all media.gmp but nevertheless FF is downloading
.dll in profile-directory 'gmp-gmpopenh264'.

Howdy Doody (not verified) said:

May 18, 2018

Permalink

I have a question similar to one asked by a couple of Tor users under 7.5.3 but never answered.

I have noticed that occasionally when I switch between pages of the same web-site, the guard node changes. Why is this?

Why is the ‘new’ guard node trying to ‘muscle in’?

Please let me and the users from 7.5.3 know.

Thanks for all your work.

Anonymous (not verified) said:

May 20, 2018

Permalink

If you use bookmarks in the Tor Browser such as RSS feeds is it possible to deanonymize yourself if you have the same RSS feeds in a non-tor browser. I notice that the tor browser loads information from all the feeds when I click on the folder containing the feeds in the onion circuits.

Zharko Gjurov … (not verified) said:

May 22, 2018

Permalink

In about:config "false" value need to be set as default in next version for:

browser.taskbar.lists.frequent.enabled
browser.taskbar.lists.enabled

These two settings are actually allowing anyone who has access on PC where Tor is installed to run it, and with simple right click on taskbar icon of Tor Browser Bundle to see frequently visited web sites via Tor which actually acts as some kind of “View History” what definitely is flaw from privacy point of view.

tortor (not verified) said:

May 22, 2018

Permalink

Is it possible to choose the first guard connection in TOR? Since sites have the capability to know all the exit nodes of Tor it would be a good feature to choose the first entry point into Tor circuit.

HlR (not verified) said:

May 24, 2018

Permalink

Thank you for contributing to our online privacy. The amazing improvements make such a noticeable difference to the protection you provide - especially during the past 12 months. Your service to the community is admirable.

rainbow dash (not verified) said:

May 25, 2018

Permalink

Meltdown/Spectre strikes again!
CVE-2018-3639 (Speculative Store Bypass) Spectre V4
CVE-2018-3640 (Rogue System Register Read) Spectre V3a
Do these affect Tor?

Joe Stein (not verified) said:

May 30, 2018

Permalink

you people are great! you are making it possible for people to use the internet how it was intended to be used. I love what you're about. please i beg you don't give up . keep fighting the good fight.
thank you all very much ,
sincerely, Joe Stein