New Release: Tor Browser 7.5.6

by boklm | June 26, 2018

Tor Browser 7.5.6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 7.5.6 updates Firefox to 52.9.0esr and includes newer versions of NoScript and HTTPS Everywhere. Moreover, we added the latest Tor stable version, 0.3.3.7.

This Tor Browser version additionally contains a number of backported patches from the alpha, most notably the feature to treat cookies set by .onion domains as secure as well.

For Windows users we activated an option that prevents an accidental proxy bypass when dealing with UNC paths.

The full changelog since Tor Browser 7.5.5 is:

  • All platforms
    • Update Firefox to 52.9.0esr
    • Update Tor to 0.3.3.7
    • Update Tor Launcher to 0.2.14.5
      • Bug 20890: Increase control port connection timeout
    • Update HTTPS Everywhere to 2018.6.21
      • Bug 26451: Prevent HTTPS Everywhere from freezing the browser
    • Update NoScript to 5.1.8.6
    • Bug 21537: Mark .onion cookies as secure
    • Bug 25938: Backport fix for cross-origin header leak (bug 1334776)
    • Bug 25721: Backport patches from Mozilla's bug 1448771
    • Bug 25147+25458: Sanitize HTML fragments for chrome documents
    • Bug 26221: Backport fix for leak in SHA256 in nsHttpConnectionInfo.cpp
  • Windows
    • Bug 26424: Disable UNC paths to prevent possible proxy bypasses

Comments

Please note that the comment area below has been archived.

June 26, 2018

Thank you for your courageous work! Keeping a close eye on all the Mozilla patches is certainly not easy ^^

June 26, 2018

Will this version be the last on Win XP platforms?
(as Firefox 52.9.0esr will be the last on XP for Mozilla)

tnx

Yeah XML/XPCOM is such a "smart usable intuitive add-on GUI", reminds me of my WinXP days. C'mon my dawgh Mozilla is waging a full out war on XML since it's old, can be replaced with modern technologies, and is SLOWISH.

Agreed. Also, using the NS UI is trickier since I like the temporary JS enable setting.
UI access to the other per-site enableable features is interesting, but I usually keep those disabled.

Peak Firefox usability was circa version 3.6
The only necessary addons were noscript and httpseverywhere.
GooglebarLite, searchboxSync, and searchboxWP improved usability.

Since 3.6, I've had to use 2 or 3 addons to fix what mozilla broke or removed.
I also use local proxy filtering, which repairs much bad web authoring, bad headers, etc., making the web pages hugely more usable - or making even web pages just viable as web pages.

Of course in TBB, I only tighten up some prefs - I don't install addons or use the proxy.

I feel (possibly inaccurate) pseudo-empathy for security challenges that Tor and Moz devs have to take on.

August 23, 2018

In reply to boklm

Mozilla has, unfortunately, become Corporate America ... At least it took more time than it did for a Homebrew Computer Club device to spawn the obscenity Apple.
Am I supposed to trash my wonderful 80486-based IBM Thinkpad, still running XP really strong and replace it with what? Difficult-to-build-and-maintain LINUX or the pathetic Win-Turn Your Computer into a Glass TTY-10 and place my trust in the clouds, oh those beautiful, more easily cracked than TSS/8 clo, timeshare systems running on computers we have no control over, cannot identify, and need to use Tor for talking to.

On a completely different (except for wormy Apple) is the ToB "onion" browser, offered up by the Apple Store a REAL relative, or just another malware construct?

June 26, 2018

Many thanks as always for the great work done by the Tor devs and colleagues!! Praise well earned deserves to be repeated frequently, so please accept this sincere tribute offered once again. :)

June 26, 2018

Just updated Tor Browser, and it shows the following error when opening the link ocewjwkdco.tudasnich.de/tor-browser-756-released from "visit our website" link, or from the location bar:

"The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies."

June 26, 2018

The URL for the Update that's given on your Web site works, but the one shown in TorBrowser's Update window (before updating) as well as on the first run tab detailing the latest changes (after updating) (without the final hyphen) fails with "The page isn’t redirecting properly" and "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

It did not work following Cloudflare's termination of service of Scihub domains, maybe try to contact Alexandra Elbakyan on her vk.com to ask her to make it work again

June 27, 2018

Can you please mark .onions as secure like HTTPS so that it doesn't confuse users and that they can serve HTTP/2?

June 27, 2018

can't dl tbb from https://sedvblmbog.tudasnich.de/download/download-easy.html
clicking the button to https://sedvblmbog.tudasnich.de/dist/torbrowser/7.5.6/torbrowser-install-7.5… and "failed" in the Download tab, retry doesn't help and
14:32:33.303 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://sedvblmbog.tudasnich.de”). Source: onfocusin attribute on DIV element. 1 download-easy.html
14:38:04.524 Strict-Transport-Security: The site specified a header that could not be parsed successfully. 1 torbrowser-install-7.5.6_en-US.exe

June 28, 2018

In reply to gk

Your optimistic SOCKS bug sometimes corrupts HSTS headers - that's all that comes to mind.

June 27, 2018

Updates, updates ... will a time come when "stuff" just works and doesn't need to be "updated"? Not talking about Tor specifically, but come on, is the "internet" that dynamic or software so "soft" that it needs repair every 2 or 3 weeks?
Give me a break and please keep on rocking Tor.

> Updates, updates ... will a time come when "stuff" just works and doesn't need to be "updated"? Not talking about Tor specifically, but come on, is the "internet" that dynamic or software so "soft" that it needs repair every 2 or 3 weeks?

Those "repairs" are keeping you (and all of us) safe(r).

Insecurity is built so deeply into every aspect of the Internet as we know it that a hoary but unfortunately perfectly valid maxim holds that "convenience is the enemy of security". It's horrible, and possibly true only because DARPA wanted it to be true right from the beginning (see Yasha Levine's book for how dragnet surveillance was generally agreed to be a major goal of ARPANET when that was first introduced).

Many people love vehicular analogies, so here is a vehicular analogy:

salon.com
Driverless cars offer new forms of control — no wonder governments are keen
The surveillance aspects of driverless cars are a big reason why
Neil McBride
27 Jun 2018

> There’s a reason why governments are so keen on driverless cars – and it’s not just because of the potential economic benefits. They offer the chance for even greater tracking and even control of citizens’ every move. Far from setting us free, driverless cars threaten to help enable new forms of surveillance and oppression.

June 28, 2018

In reply to gk

Question for gk:

From the PKI cert I see when I connect to ocewjwkdco.tudasnich.de:

03:1E:3D:93:17:B9:6A:40:3F:03:2A:1F:55:14:84:4B:9F:8D
...
Issuer:
CN = Let's Encrypt Authority X3
O = Let's Encrypt
C = US
...
Subject Name:
CN = 5667908084563968-fe2.pantheonsite.io
...
Subject Alt Name:
DNS Name: 5667908084563968-fe2.pantheonsite.io
...
DNS Name: afscmeatwork.org
...
DNS Name: forensicon.com
...
DNS Name: login.afscmeworks.org
...
DNS Name: www.worlddiabetesfoundation.org

Other users have verified these odd features.

So the cert which "authenticates" this blog does not authenticate that content (e.g. posts) has not been altered since leaving TP control, but only that it has not been altered since leaving pantheonsite.io (whatever that is), yes?

If pantheonsite.io is gifted with an NSL accompanied by a gag order, TP's CEO and GC will never know, yes?

The nexus with AFSCME is worrisome because of reports about a concerted effort backed by the Walton and Koch families to break that union, together with the landmark SCOTUS decision issued yesterday:

nytimes.com
Supreme Court Ruling Delivers a Sharp Blow to Labor Unions
Adam Liptak
27 Jun 2018

> Janus v. AFSCME (American Federation of State, County and Municipal Employees), No. 16-1466, was brought by Mark Janus, a child support specialist who works for the state government in Illinois.

Other certificates from news sites and other NGOs all seem to actually be owned by the site owner, with one exception: aclu.org has the same worrisome features.

It seems to me that using this kind of cert is tantamount to inviting bad trouble from the USG. Can TP obtain a cert which fulfills the implied promise to authenticate that the content we see is under TP control and not "pantheonsite.io" (whoever that is)?

To make matters worse, forensicon is a digital investigations company. Perhaps they own the pantheon site?

TIA

June 28, 2018

In reply to gk

> Not sure. Could you give us steps for reproducing your problem? On which platform does this happen? How are you trying to save images? Example link?

> Could you be a bit more explicit about what exactly you are doing and what is not working for you anymore?

Using 64bit Win7 Enterprise

Every website I go to in Tor, whether I right-click to save an image or open the image in its own window and save, it will not save unless I save it to my local drive. Image format makes no difference. Multiple websites make no difference. If I choose to save on a network, everything happens as though it worked but nothing is saved.

Tried the 8.0a9 alpha version and that does work. The version previous to 7.5.6 also worked but this one does not.

June 28, 2018

Any chance of getting a 52ESR Windows 64 bit build? I'm not comfortable updating to FF60 for many reasons. Now I need to choose between staying on 8.0a8 or switching to 7.5.6 32 bit build

June 28, 2018

FWIW, I experienced no problems with verifying the detached sig or running TB 7.5.6.

Thanks to everyone at TP for all your hard work, and please do not fail to disobey any gag orders accompanying an NSL handed to TP! We need that kind of protection too...

June 29, 2018

Game over for Torbrowser?

A 'little' marketing problem for Torbrowser is that it is usually framed as highly suspicious,
people that are not really into tech are easy to convince that torbrowser is almost using criminal stuff as well.

And now this marketing/framing threat is getting a little bigger, suddenly there is a standard -aka normal- browser that has tor functionality and is pretending, claiming in suggestion that it can offer tor-privacy as well with special 'tor-tabs' in this browser.

This browser is calling herself, brave.
A very attractive, maybe even very convincing name for the normal internet user.
But how brave is it?

Is it really brave enough to fight all the privacy attacks that torbrowser can survive?
I am very curious.
Curious because I like Torbrowser and because it would be a shame if some new project is stealing the tor privacy olympic title when even not really offering the same kind of real privacy.

So, when comparing Brave browser vs Torbrowser, who is the best?
I want to know, and you want to know this too!
Don't let others steal your marketshare, not with false hope, and maybe not when the claims are kind of true, try to be better!

Privacy marketing is a real threat to people when it is not offering real privacy protection, and it is a real threat to Tor when bad products are associated with it.

What does the real tor community think of brave vs torbrowser?

June 29, 2018

Not sure if this is a 'my end' problem or a 'your end problem' or even if relevant or helpful but here ya go -
Fresh install 7.5.6 32 bit running under Knoppix 8.2-2018-05-10.EN boot-strap failed / hung. Re-tried using an obfs4 bridge, same result (twice) but worked when selecting an obfs3. System date/time/timezone set correctly.

06/29/18 21:41:33.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
06/29/18 21:41:33.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
06/29/18 21:41:33.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
06/29/18 21:41:33.600 [NOTICE] Opening Socks listener on 127.0.0.1:9150
06/29/18 21:41:33.600 [NOTICE] Renaming old configuration file to "/home/knoppix/.local/share/torbrowser/tbb/i686/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc.orig.1"
06/29/18 21:41:34.400 [NOTICE] Bootstrapped 5%: Connecting to directory server
06/29/18 21:41:34.400 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
06/29/18 21:41:34.500 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
06/29/18 21:41:34.600 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
06/29/18 21:41:34.600 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus
06/29/18 21:41:35.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
06/29/18 21:41:35.900 [NOTICE] Bootstrapped 40%: Loading authority key certs
06/29/18 21:41:36.400 [NOTICE] Bootstrapped 45%: Asking for relay descriptors
06/29/18 21:41:36.400 [NOTICE] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6340, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
06/29/18 21:41:36.500 [NOTICE] Bootstrapped 50%: Loading relay descriptors
06/29/18 21:41:37.900 [NOTICE] Bootstrapped 57%: Loading relay descriptors
06/29/18 21:41:38.300 [NOTICE] Bootstrapped 66%: Loading relay descriptors
06/29/18 21:41:38.400 [NOTICE] Bootstrapped 71%: Loading relay descriptors
06/29/18 21:41:38.500 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
06/29/18 21:41:39.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:41:40.400 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:41:41.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.

<< DUPLICATE ERROR MESSAGES DELETED >>

06/29/18 21:42:35.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:42:36.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:42:36.500 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
06/29/18 21:42:37.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:42:38.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:42:39.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.

<< DUPLICATE ERROR MESSAGES DELETED >>

06/29/18 21:46:41.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:46:42.000 [WARN] Received NETINFO cell with skewed time (OR:128.31.0.34:9101): It seems that our clock is ahead by 3 hours, 59 minutes, or that theirs is behind. Tor requires an accurate clock to work: please check your time, timezone, and date settings.
06/29/18 21:46:42.000 [WARN] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Clock skew 14399 in NETINFO cell from OR; CLOCK_SKEW; count 1; recommendation warn; host 9695DFC35FFEB861329B9F1AB04C46397020CE31 at 128.31.0.34:9101)
06/29/18 21:46:42.100 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
06/29/18 21:46:42.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
06/29/18 21:46:42.100 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
06/29/18 21:46:42.300 [NOTICE] Delaying directory fetches: DisableNetwork is set.

<< START UP HUNG AT ABOUT 85% ON PROGRESS BAR >>

June 30, 2018

I've just done an update, but the home page looks different, and I get the following messages.

Congratulations. This browser is configured to use Tor

However, it does not appear to be Tor Browser.

I tried a system restore to go back to past version, but this did not work.
Ideas?

July 03, 2018

Wondering if anyone can help. Updated to latest Tor and now it displays a simple home page without graphics and says,

Something Went Wrong!

Tor is not working in this browser.
WARNING: this browser is out of date.
ALSO, this browser is out of date.
Click on the onion and then choose Check for Tor Browser Update.

Had no issues with Tor until now, on a Mac btw.

July 03, 2018

I have Firefox 60 and Tor running on my Mac (High Sierra), and when I disable cookies in my Firefox browser, Tor doesn't work on the same web site, showing "please enable cookies". It appears Firefox and Tor are sharing files. The site is https://www.zoominfo.com/c/Toronto-Public-Library/245366994 and when I try to complete the captcha it continues to repeat the captcha even though it states I am not a robot.

July 04, 2018

Tor Browser 7.5.6 shows me the following problem:

Tor failed to establish a Tor network connection.

Loading authority certificates failed ( Clock skew -6475 in microdesc flavor consensus from CONSENSUS - ? )
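
The two clock-skew failures reported in these comments (the NETINFO warning in the June 29 log and the consensus error just above) can be triaged from the log text alone. The following is an added example, not part of the original thread and not Tor's own tooling; the function names, the 120-second tolerance and the whole-hour heuristic are assumptions, and a negative value is assumed to mean the local clock is behind, mirroring the "ahead" wording the log gives for the positive value.

```python
import re

# Lines copied from the two comments on this page (June 29 log, July 04 error).
SAMPLE_LOG = """\
06/29/18 21:42:36.500 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
06/29/18 21:46:41.300 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
06/29/18 21:46:42.000 [WARN] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Clock skew 14399 in NETINFO cell from OR; CLOCK_SKEW; count 1; recommendation warn; host 9695DFC35FFEB861329B9F1AB04C46397020CE31 at 128.31.0.34:9101)
Loading authority certificates failed ( Clock skew -6475 in microdesc flavor consensus from CONSENSUS - ? )
"""

BOOTSTRAP_RE = re.compile(r"Bootstrapped (\d+)%")
SKEW_RE = re.compile(r"Clock skew (-?\d+) in (.+?) from (\w+)")

HOUR = 3600
TOLERANCE = 120  # assumed allowance (seconds) for ordinary drift around a whole hour


def classify_skew(seconds):
    """Describe a reported skew and guess whether it is a whole-hour offset."""
    magnitude = abs(seconds)
    hours = round(magnitude / HOUR)
    off_by = abs(magnitude - hours * HOUR)
    whole_hour = hours >= 1 and off_by <= TOLERANCE
    return {
        "seconds": seconds,
        # Positive matches "our clock is ahead" in the log; negative is assumed "behind".
        "direction": "ahead" if seconds > 0 else "behind",
        "nearest_hours": hours,
        "off_by": off_by,
        # Heuristic (assumption): a near-exact multiple of one hour suggests a
        # timezone or hardware-clock local-time/UTC mix-up, not a drifting clock.
        "likely_cause": ("timezone or RTC local-time/UTC mismatch"
                         if whole_hour else "wrong clock or date"),
    }


def analyse(log_text):
    """Return the highest bootstrap percentage and every clock-skew report."""
    progress = 0
    skews = []
    for line in log_text.splitlines():
        match = BOOTSTRAP_RE.search(line)
        if match:
            progress = max(progress, int(match.group(1)))
        match = SKEW_RE.search(line)
        if match:
            finding = classify_skew(int(match.group(1)))
            finding["observed_in"] = match.group(2)  # e.g. "NETINFO cell"
            finding["source"] = match.group(3)       # e.g. "OR" or "CONSENSUS"
            skews.append(finding)
    return {"max_bootstrap": progress, "skews": skews}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("bootstrap reached:", report["max_bootstrap"], "%")
    for s in report["skews"]:
        print(s["seconds"], s["direction"], s["observed_in"], "->", s["likely_cause"])
```

A skew within a couple of minutes of a whole hour, as in the Knoppix report, is consistent with a timezone or hardware-clock setting being off even when the displayed local time looks right.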

July 09, 2018

Hi guys, thanks a lot for the continuous updates.

Humble feedback at your disposal. Up to v7.5.4, setup was running smooth out of the box, no special configs were required for plugs & bridges. Couldn't say the same for later ones.
v7.5.5 wasn't working at all, stuck at "not connecting to tor network". Finally v7.5.6 came out but again quite disappointing, so started digging around, tried all built-in bridges [fte, obfs 3 & 4], nothing worked. Tried manually received bridges [plug-transport=none], same result. Then tried meek [azure], took a while but it delivered. Tor is up & running now, though quite a bit slower @50-60kbps than the good-old-vanilla (~200kbps). Strangely enough, TAILSv3.8 has same tor7.5.6 but it doesn't require any bridge configuration..

What's missing here?

Thanks a lot folks!

July 10, 2018

Greetings Tor Users,

I come in peace: to provide insight regarding the new release Tor version 7.5.6 for MAC OSX 64. Which exits unexpectedly for more than three iterations, upon downloading. Happy testing.

July 13, 2018

I use Linux. I downloaded the Tor 756 but it did not work. did not link to Firefox. so I downloaded Tor 8.0a9.
with it I was able to enter the Tor. But some problems arose with the opening of images and access to some links. What to do ? I would like to continue with the 756 ...

July 16, 2018

WTH with Trac?

Content Encoding Error

The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

Please contact the website owners to inform them of this problem.

July 20, 2018

The automatic updates bother me. How do we know they aren't tampered? When version 5.0 was new, we were emphatically told to NOT upgrade using the check for update mechanism.

July 21, 2018

I am using translation software, and the language may not be smooth. How can I start the tor built-in browser directly? The tor route is not configured at startup. I use it in China because the built-in browser is very secure, so I want to use it to browse the web, and I don't need a tor route.

July 27, 2018

I can't get my proxy settings to work with this update. After hours of trying and online research, I just reinstalled old version. Now it's auto-updated again, and I'm not restarting, because I don't have time. Any solutions to this?

August 16, 2018

I am thinking of installing Bitdefender Internet Security and am currently testing it.

Under ‘Protection / Online threat prevention / Web attack prevention’ it says: “Checks every page you access for threats to avoid them being downloaded on your device”

This may be a silly question, but does this mean that it ‘sees’ every page I go to via Tor?

I know Tor is sandboxed. Does this prevent Bitdefender from seeing the pages?

This may be something that other users – not just those using Bitdefender ( as all the latest internet protection programs seem to have this ‘web-page checking facility’) – would like an answer to, so could I/we please have one from the developers?

Keep up the good work

Thanks

August 18, 2018

I just tried to install TOR. When I try to execute it, I get a message "couldn't load XPCOM". I have no idea what that means. Any idea what's happening? Is there a simple fix for this?

August 21, 2018

GOOD

August 27, 2018

signing sub-key expired. can't verify download.

gpg: Note: This key has expired!
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136

August 29, 2018

Hi all very new to this not sure other than wanting to surf without being followed around, not up to anything out of the ordinary, just don't think anyone has the right to invade our privacy other than GOD Himself lol thanks for working so hard to make that happen!

September 11, 2018

This stupid browser does whatever it wants. "No updates" does not mean "install updates whenever you feel like it" :(