Tor Browser 7.5a5 is released
Tor Browser 7.5a5 is now available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox.
Besides the usual Firefox security and extensions updates this alpha contains a bunch of long-awaited features:
- We include Tor 0.3.2.1-alpha, the first alpha release in the 0.3.2 series, with support for next generation onion services and a new circuit scheduler, KIST.
- Thanks to the work of Jed Davis we are able to ship a content sandbox for Linux users. While the content sandbox is disabled in Firefox 52 ESR versions, which Tor Browser is based on, backported patches allow us to protect our Linux users with the same mechanisms that are provided to regular Firefox users.
- The content sandbox is enabled for Windows users as well. While we still need to clean up our workarounds to get the sandboxing code to work with our mingw-w64 compiler, we think the enabled sandbox is ready for a wider testing in our alpha series. Please give it a try if you can.
- Although this change should be invisible to users, we switched our build system from gitian/tor-browser-bundle to rbm/tor-browser-build. The build should continue to be reproducible and if you want to do a build yourself the README file in the tor-browser-build repository has some informations.
Update: Tor Browser 7.5a5 is broken when using the sandboxed-tor-browser version 0.0.13, due to bug 23692. Version 0.0.14 of the sandboxed-tor-browser has been released to fix that issue.
Note: The release date in the changelog displayed after the update is incorrect. The actual release date is September 28.
The full changelog since Tor Browser 7.5a4 is:
- All Platforms
- Update Firefox to 52.4.0esr
- Update Tor to 0.3.2.1-alpha
- Update Torbutton to 1.9.8.1
- Update Tor Launcher to 0.2.13
- Update HTTPS-Everywhere to 2017.9.12
- Update NoScript to 5.0.10
- Update sandboxed-tor-browser to 0.0.13
- Bug 23393: Don't crash all tabs when closing one tab
- Bug 23166: Add new obfs4 bridge to the built-in ones
- Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
- Bug 21270: NoScript settings break WebExtensions add-ons
- Bug 23104: CSS line-height reveals the platform Tor Browser is running on
- Windows
- OS X
- Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist
- Linux
- Build System
- All Platforms
- Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
- All Platforms
Comments
Please note that the comment area below has been archived.
This release features…
Your Firefox is out-of-date.
Get the most recent version to keep browsing securely.
Is Mozilla trolling us?
Where do you get that…
Where do you get that message? It might be due to being on the ESR series and they are only checking for the latest and greatest release.
https://www.mozilla.org/en…
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
They should probably tell…
They should probably tell them not to show that message when an exit node is used for the connection and the header is that of the most recent Tor Browser.
Are there any v3 HS for the…
Are there any v3 HS for the wider community to test and play with?
Preferably hosted by the Tor project. I would love a few with a wide assortment of content types and configs.
Something the team can throw together and harden that will entice hackers and casual users alike. Haven't found any v3 links at all so far. Anyone care to share?
I guess they'll pop up soon…
I guess they'll pop up soon. Here is one: http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion/ (not run by us).
It was alive for a while and…
It was alive for a while and worked great, later went down...
It looks like many Tor users around the world was trying to access their hidden service because of your comment ;-), now it has been taken down permanently because of the slashdot (torblog?) effect.
I don't know. You can find…
I don't know. You can find more (and more information about the new .onion services) on https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions.
It's working again...
It's working again...
Sandbox log on Win 10:…
Sandbox log on Win 10:
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.1.48797690
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.1.48797690
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.2.129251956
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.3.116815476
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.3.116815476
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.2.129251956
Process Sandbox BLOCKED: NtCreateFile for : \??\pipe\chrome.3736.4.13357681
Process Sandbox Broker ALLOWED: NtCreateFile for : \??\pipe\chrome.3736.4.13357681
Process Sandbox Broker ALLOWED: DuplicateHandle
Disable experimental…
Disable experimental-webgl
https://browserleaks.com/webgl
04:10:25.421 Error: WebGL: getExtension('MOZ_WEBGL_lose_context'): MOZ_ prefixed WebGL extension strings are deprecated. Support for them will be removed in the future. Use unprefixed extension strings. To get draft extensions, set the webgl.enable-draft-extensions preference. 1 webgl.js:4:12124
Bug 23104: CSS line-height…
Bug 23104: CSS line-height reveals the platform Tor Browser is running on
eats lower parts of letters in the address bar on Windows 10.
Thanks, I opened https:/…
Thanks, I opened https://trac.torproject.org/projects/tor/ticket/23701.
04:20:20.582 Will-change…
04:20:20.582 Will-change memory consumption is too high. Budget limit is the document surface area multiplied by 3 (600000 px). Occurrences of will-change over the budget will be ignored. 1 www.youtube.com
Could you be a bit more…
Could you be a bit more explicit about the bug report? How can I reproduce that?
The hyperlink provided.
The hyperlink provided.
The link only goes to the…
The link only goes to the main page of YouTube.
REALLY? You are smart…
REALLY? You are smart.
Maybe, you also know what's wrong with it?
Thanks for all the content…
Thanks for all the content sandboxing work, much needed!
The empty clickable item in …
The empty clickable item in "About Tor Browser" menu is yet there... https://trac.torproject.org/projects/tor/ticket/22942
Yes, patches welcome!
Yes, patches welcome!
thanks for another great…
thanks for another great release; i am especially grateful that the team is closely tracking mozilla's release cycle!
It doesn't download from…
It doesn't download from mega.nz
I have tried to download a PDF bit it's stuck at 99%
Just try to download something
Thank you
NoScript fixed a bug in 5.1…
NoScript fixed a bug in 5.1.1 that might affect you as well (https://trac.torproject.org/projects/tor/ticket/23718). Does it work with that NoScript version for you? (You might need to restart your browser after the NoScript update to work around https://trac.torproject.org/projects/tor/ticket/23724).
Thank You all for the hard…
Thank You all for the hard work, especially on 7.5a5 and for addressing Bug #21270, in particular. I know that additional extensions are strongly discouraged, but the few that I use are necessary for how I use TorBrowser. I thought that the issues I had may have been due to Mozilla's push towards WebExtensions making the (updated) ones I use incompatible with FF ESR. So far, everything seems to be working. I look forward to playing around with this release and bothering you in the future when something doesn't go my way. Thanks Tor Team!
I take back what I said; lol…
I take back what I said; lol. my previous comment hasn't appeared yet, but I still seem to have problems with extensions. They seem to work fine unless I happen to change even a singular NoScript setting.
sorry for the multiple…
sorry for the multiple responses... The comments take a while to appear & I want to submit this before I forget; if a mod can join the three replies into one thread, that would be great.add-on functionality breaks even without changing the security slider. There was an assertion made that the bug only occurs when the slider is set to medium or high, but I still have issues even when it's left on default/low."Synced Tabs" button also magically re-appears in the menu even if I remove it in "Customize". That's usually when I notice that extensions have broken. Thanks again
Now I have no idea what is…
Now I have no idea what is causing the issue. I turned off javascript in config, then HTTPS Everywhere broke; then I set the value back to true and HTTPS Everywhere is working like normal again. This is without restarting, btw.
That's expected…
That's expected. WebExtensions need JavaScript enabled.
WebExtensions need…
WebExtensions need JavaScript enabled!? Seriously! If it isn't bad enough that limiting Firefox to WebExtensions will effectively kill Firefox, as an absolute majority of users are there for the extensions. On a wider note, is it a case of someone(s) deliberately trying to make Firefox insecure?, kill Firefox? You would think that the gugle guys and girls are on the 'development' team :D
They fixed that later on and…
They fixed that later on and the patch will be in ESR 59.
Thank you!
Thank you!
Tor WARN: Tried connecting…
Tor WARN: Tried connecting to router at 144.76.26.175:9011, but RSA identity key was not as expected: wanted 2BA2C8E96B2590E1072AECE2BDB5C48921BF8510 + no ed25519 key but got 94B0AC1151F5611E801A04AEE29D7D65C3B1A5F5 + no ed25519 key.
Another one semi-broken add…
Another one semi-broken add-on update (NoScript 5.1)
06:33:57.300 XML Parsing Error: undefined entity
Location: jar:file:///C:/Browser/TorBrowser/Data/Browser/profile.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/chrome/content/noscript/noscriptOverlayFx57.xul?1br8nr5ksqe742k1ufps
Line Number 27, Column 5: 1 noscriptOverlayFx57.xul:27:5
06:33:57.302 TypeError: widgetTemplate is null 1 Restartless.jsm:90:7
06:34:24.235 [Exception... "Failure" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://noscript/content/Restartless.jsm?0.4271424961007011.1506753222200 :: loadIntoWindow :: line 139" data: no] 1 (unknown)
loadIntoWindow chrome://noscript/content/Restartless.jsm:139:5
observe chrome://noscript/content/Restartless.jsm:164:11
06:34:24.235 Could not overlay chrome://browser/content/browser.xul 1 Restartless.jsm:170
loadIntoWindow chrome://noscript/content/Restartless.jsm:170:5
observe chrome://noscript/content/Restartless.jsm:164:11
That's https://trac…
That's https://trac.torproject.org/projects/tor/ticket/23723 but it should not break anything as far as I can see.
When the Tor message about …
When the Tor message about "This website (www.facebookcorewwwi.com) attempted to extract html5" appears, if the mouse is clicked elsewhere the message closes and there is no chance to click the "Never for this site" button.
When this happens does it mean facebook is allowed to extract html5, or is it a default of blocked? Thank you.
The default is to block it…
The default is to block it. So, even if you click it away as long as you are not enabling it explicitly you are safe.
UX guides say that the…
UX guides say that the default option should be "Allow" (as in Firefox), because that dialog box is a question to the user to allow canvas. So that if it disappears users won't bother you with such questions.
I agree the dialog has room…
I agree the dialog has room for improvement. There are several tickets concerned with it, e.g. https://trac.torproject.org/projects/tor/ticket/22396.
I Want To Be With You
I Want To Be With You
It's been two days and my…
I've been experiencing issues with extensions breaking since the last couple alphas.
It's been two days and my comment hasn't shown up, so I'm going to assume that it didn't go through. Mod, can you disallow the three comments I made re:extensions which as of now haven't displayed? I don't remember if I included any more detailed information than the following...
I initially presumed that the issues with add-ons breaking was due to Mozilla's push towards WebExtensions, making my updated extensions incompatible with ESR, which somehow affected other (legacy?) add-ons. Then, I had a suspicion that NoScript may be at fault, but I didn't know until seeing the 7.5a5 changelog about Bug #21270. Now, I'm not sure what the root cause of the problem is.
In the bug-tracker, there was an assertion that extensions break when the security level slider is moved to medium or high, but not if it's left on the default security setting. However, I have issues even when the slider is left on default/low.
If I change any of the browser's options/about:preferences, nothing seems to be affected. But, if I turn javascript off in about:config, then extensions break. If I turn javascript back on (without exit/restart), then extensions appear to work again. I don't know if changing the value of any other config preferences have the same effect.
No, sorry, I already enabled…
No, sorry, I already enabled them. (We can leave them there, it's okay). Re: JavaScript: yes, you need that enabled in your
about:config
otherwise WebExtensions won't work. NoScript is dealing with that on higher security levels by whitelisting JavaScript from WebExtensions.ok, thank you, gk. I saw…
ok, thank you, gk. I saw that Bug 1329731 was fixed in FF54. Is the patch detailed on that page something that TorDevs could apply on your end to TBB? If not, do you have a rough idea of what the ESR release schedule is projected to be? I couldn't make sense of this diagram I take it to mean that it would be a few years before we get to 54? : )
Nah, not years "just" months…
Nah, not years "just" months. We'll switch to the next ESR mid-June next year. That said what is the use case for backporting this patch as we have the security slider on level "high" that is supposed to achieve the same as flipping the JavaScript preference while allowing WebExtensions to work.
Well, I got into the habit…
Well, I got into the habit of enabling javascript for a single, specific page only when I absolutely needed to, then immediately turning it back off. the Majority of the time I use TBB for day-to-day browsing, unless I need to send/receive sensitive data or more data than I think is reasonable over Tor, e.g. longer-duration content, high-res video/audio, etc.
For the longest time, I had the security slider on "high" & I thought that may have been causing the issues, so I reverted it back to "low/default" for a while. I didn't even realize that setting it to "medium" or "high" was an option that could still retain the functionality of WebExtensions while restricting javascript.
[10-02 18:28:08] Torbutton…
[10-02 18:28:08] Torbutton WARN: Version check failed! Web server error: 0
Is there a problem with…
Is there a problem with Google captchas? Google denying captchas for tor exit nodes?
Why adblok is missing?? Hard…
Why adblok is missing?? Hard to browse with ads.
Because an ad blocker does…
Because an ad blocker does not help us with our privacy-by-design approach to defend against tracking. See: https://sedvblmbog.tudasnich.de/projects/torbrowser/design/#philosophy section 5. No Filters for a more elaborate argumentation.
Is adblock included in tour ?
Is adblock included in tour ?
Admin. there used to be an…
Admin. there used to be an easy software way to become a relay with a windows OS.
you would start TOR browser and also the relay. Now you have to edit files etc. What happened to the easy way.
Also, why no more map of the hops you are connected to.
thanks for the help. Love the TOR and use it all the time.
The Tor Browser Bundle…
The Tor Browser Bundle included Vidalia previously that allowed this functionality. But this is gone as it was a usability nightmare. Instead we wrote Firefox extensions start are starting and dealing with Tor before the browser window gets visible giving a much smoother user experience.
We have the expert bundle for Windows users now that you might want to use when running a relay on Windows: https://sedvblmbog.tudasnich.de/dist/torbrowser/7.0.6/tor-win32-0.3.1.7.zip.
Admin, Can i just use the…
Admin, Can i just use the old relay software, or would that mess things up.
I think this is a great software and cause (Privacy) And I will start making some donations.
thanks for answering my questions.
I think everyone out there needs to quit griping about the FREE software you created and donate, even if it is $5
<<<<<
How do I obtain the patch…
How do I obtain the patch that makes the Torbrowser from Firefox? I can't find a tagged Firefox version in the git repository.
Audio isn't working on Tor…
Audio isn't working on Tor Browser 7.0.6 or 7.5a5 on OS X 10.13.
Anytime a page attempts to play audio, you get the "Gah. Your tab just crashed." message. youtube.com, embedded mp3 players, etc.
It appears there was a bug related to this in Firefox that was fixed in the 56 version:
https://bugzilla.mozilla.org/show_bug.cgi?id=1376163
https://bugzilla.mozilla.org/show_bug.cgi?id=1388655
05:29:25.346 Sync…
05:29:25.346 Sync encountered an error - see about:sync-log for the log file. 1 policies.js:729
resetFileLog/onComplete resource://services-sync/policies.js:729:9
Does it mean Sync is somehow…
Does it mean Sync is somehow enabled?
That's hard to say without…
That's hard to say without more context than this log line. Might be good to understand the particular Tor Browser setup at least.
With TOR we can not be…
With TOR we can not be censored by the government when we make comments on the blog