Tor Browser 5.0a1 is released
The first alpha release in the new 5.0 series of the Tor Browser is now available from our extended downloads page as well as the distribution directory.
Tor Browser 5.0a1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.
In addition to including all of the fixes that were present in the 4.5.1 release, this alpha release also features some additional privacy defenses.
In particular, this release re-enables the automatic window resizing fingerprinting defense that first appeared in 4.5a4. This defense can be disabled by setting the about:config pref extensions.torbutton.resize_windows to false, but please first report any issues you encounter on the feature's trac ticket.
This release also introduces a new defense against various forms of performance fingerprinting and time-based side channel attacks. A handful of new attacks have been published recently that take advantage of Javascript's high-performance timers to determine hardware performance, perform keystroke fingerprinting, extract history information, and even steal sensitive data from memory. Because this defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps, we are especially interested in hearing any reports about issues with HTML5 video, animation, or game sites. Hopefully you will have as much fun testing this defense as we will!
Here is the complete list of changes since Tor Browser 4.5:
- All Platforms
- Update Firefox to 31.7.0esr
- Update meek to 0.18
- Update Tor Launcher to 0.2.7.5
- Translation updates only
- Update Torbutton to 1.9.2.5
- Bug 15837: Show descriptions if unchecking custom mode
- Bug 15927: Force update of the NoScript UI when changing security level
- Bug 15915: Hide circuit display if it is disabled.
- Bug 14429: Improved automatic window resizing
- Translation updates
- Bug 15945: Disable NoScript's ClearClick protection for now
- Bug 15933: Isolate by base (top-level) domain name instead of FQDN
- Bug 15857: Fix file descriptor leak in updater that caused update failures
- Bug 15899: Fix errors with downloading and displaying PDFs
- Bug 15773: Enable ICU on OS X
- Bug 1517: Reduce precision of time for Javascript
- Bug 13670: Ensure OCSP requests respect URL bar domain isolation
- Bug 13875: Improve the spoofing of window.devicePixelRatio
- Windows
- Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- Build System
- Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
- Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Comments
Please note that the comment area below has been archived.
sha256sums.txt file is
sha256sums.txt file is missing in the folders of the releases 4.5a5 and 4.5.1 of the Tor Browser Bundle at the Distribution Directory (https://dist.torproject.org/torbrowser/)...
How can we verify if it is valid the sha256 sum of the downloaded TBB pack?
The file is there in 4.5a5.
The file is there in 4.5a5. However, we changed the name to "sha256sums-unsigned-build.txt" in newer releases due to https://bugs.torproject.org/15864. I'll update the verification instructions shortly. But the verification steps are still the same just the filenames differ now.
The downloaded installer
The downloaded installer package cannot intall. It said:
NSIS Error
Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy.
Sorry for the inconvenience,
Sorry for the inconvenience, this should be fixed now.
getting crc check fail/nsis
getting crc check fail/nsis error constantly for 5.0a1 download win32/64
"Because this defense
"Because this defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps"
Doesn't this allow page creators to distinguish Tor users from non-anonymous users with a simple embedded Javascript in the HTML?
The aim is to make Tor
The aim is to make Tor Browser users less distinguishable. Blending Tor Browser users into all the other users is probably never going to happen.
Why is this the approach?
Why is this the approach? Why make TOR users stand out at all - is it not possible to achieve the same level of anonymity, security and privacy whilst blending as a regular user of FF, Chrome etc?
As I've read, the answer is
As I've read, the answer is no, not possible. One reason I believe is that standard installation of firefox has disastrously weak privacy preferences. Few users edit preferences, so tbb with bolstered preferences already appears different than standard firefox.
The goal is instead to have all tbb users appear the same to websites as all other tbb users appear.
Exactly
Exactly so.
https://www.torproject.org/projects/torbrowser/design/
i sympathize with your
i sympathize with your interest in reducing the fingerprintability/distinguishability of Tor users in general, but reaching any page from a Tor exit's IP address presumably will always make it possible--at least heuristically--to distinguish likely Tor users from non-Tor users... unless we add many, many exits to the network!
Distinguishing Tor users
Distinguishing Tor users from non-anonymous users is pretty trivial just by looking at the IP lol
Its trivial when you have
Its trivial when you have access to the server logs or are able to run additional software on the servers.
This new feature may allow the many users of services like Blogger or WordPress to display different content to either identifiable or anonymous visitors.
They already can, using the
They already can, using the Tor exit point list.
was just thinking about my
was just thinking about my own gratitude for your work, and wanted to mention that it's a shame that the team can't marshal more funding for advocacy work to upstream more of the fingerprintability/distinguishability patches to mozilla.
for all their talk about being committed to privacy, it's pretty lame that mozilla won't just accept patches that you've literally already written and tested that make firefox more private and secure.
already tbb design must
already tbb design must weigh user expectations vs privacy.
Firefox user expectations tend even less toward privacy, and more toward expectations of whizbang websites (which then run amok with user privacy).
iirc, firefox installs allowing all cookies and javascript enabled.
tbb users wear helmet and full racing harness in vehicle with roll cage and fire retardant system.
firefox is designed for users who ride motorcycles shoeless wearing only underwear - not even with sunscreen.
Does this work on FreeBSD as
Does this work on FreeBSD as well?
Install www/linux-firefox to
Install www/linux-firefox to pull in all the needed libs, deinstall linux-firefox if you want after this.
Use the 32-bit version of tor browser.
If you're running amd64, edit out the lines
from the startup script.
Good luck.
Hi I installed the update
Hi I installed the update and all my bookmarks have disappeared.
Check for a JSON file under
Check for a JSON file under bookmarkbackups and then restore bookmarks in browser
Did you use the built-in
Did you use the built-in updater or did you download a new package and install it manually? Did you look to see if Tor Browser made any backups that you could use to recover your bookmarks?
Hi, i have a question. I'am
Hi,
i have a question.
I'am using Tails and don't really understand difference between
Tor Browser(TBB) 4.5 and TBB 4.5.1(Tails1.4). And if the seen Browser behaviour is OK/normal.
1 open Browser Tab creates at least 2 and more different open circuits.
Especially with middle-click new Tab and manually drop link from same domain.
Final result is 1 site generates a lot of DIFFRERENT circuits?
Normal or Bug?
https://blog.torproject.org/blog/tails-14-out
Tor Browser(TBB) 4.5
"Tor Browser 4.5 now keeps using the SAME TOR CIRCUIT while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out."
https://blog.torproject.org/blog/tor-browser-451-released
TBB 4.5.1 (in Tails 1.4 !)
"Bug 15933: Isolate by base (top-level) domain name instead of FQDN"
Update created a duplicate
Update created a duplicate browser folder so now two browsers in one program. Will have to instal afresh yet again!!
I am having 100% lack of
I am having 100% lack of connection since the last, most recent May 2015 update to the Tor Bundle. I went back to the stable April 2015 release, and have 100% connection, with no issue, other than being told to update browser, and update Tor. Anyone else having same issue? Anyone have an idea what is going on?
re: resize_windows I like
re: resize_windows
I like the changes as far as usability is concerned, but when I disable it, the window sticks with the resized dimensions as if it was still enabled.
& can fingerprinting only be done while loading the page? If I disable resize_windows after I already loaded pages which I want to view in full-res, I shouldn't have anything to worry about if there's no JS or anything else active, right?
I'm not crazy about allowing
I'm not crazy about allowing all scripts on a site I don't fully trust. Is there any way to have NoScript behave like it used to? I realize that cherry-picking scripts could provide a unique profile of a user, but there's tracking scripts, for example that I'm not keen on allowing.
Why can't my mcbookpro
Why can't my mcbookpro update to tor's new ver.5?
Hello, i installed the
Hello, i installed the update and now I'm getting a Runtime error. Its not letting me activate the browser, and it keeps asking me to restart the tor browser.
Why not make all TBB users
Why not make all TBB users screens fullscreen as default? Wouldn't this be just as effective as leaving it as it is now + better usability?
Are the Tor DEVS finally
Are the Tor DEVS finally going to get GTK working in Tor for Linux?
This is something that has been broke for over a year, would be nice to finally see this fixed...
Is there a ticket for it? If
Is there a ticket for it? If not, odds are good nobody knows what you're talking about. (And if that's so, you should make a ticket, and include as much information as you can.)
Google recaptcha is using
Google recaptcha is using html5 animation to show captcha images ?
Tor browser is useless if don't work with google recaptcha.
Works for me? (Are you
Works for me? (Are you turning Javascript off too?)
at least in 2014, google
at least in 2014, google offered a noscript (noscript html element, not noscript extension) alternative that required pasting a long generated string into another form box. Maybe google stopped providing the noscript alternative?
Cannot now save photos from
Cannot now save photos from tumblr or flickr using latest version? Always worked before wit javascipt off.
Do you have examples?
Do you have examples?
Google recaptcha not working
Google recaptcha not working here too
No matter what i do, still not working.
I tried disable noscript and https and nothing
Maybe this has something to
Maybe this has something to do with Google's new "Thintinel" Javascript addition to the captcha process?
https://www.google.com/js/th/_changing_string_.js
See also:
https://stackoverflow.com/questions/23246560/my-site-with-recaptcha-is-…
Seems to be working great on
Seems to be working great on my end.
@arma, Yes there's a ticket,
@arma,
Yes there's a ticket, in fact there have been several tickets I've seen for a few years and nothing has been done about it...
Is there a ticket for it? If not, odds are good nobody knows what you're talking about. (And if that's so, you should make a ticket, and include as much information as you can.)
How can I completely disable
How can I completely disable that resize stuff? Even if I set the about:config stuff related to it to false, after a restart I still get that behaviour (I don't like)!
Whatever I do,
Whatever I do, user_pref("extensions.torbutton.resize_new_windows", true); and user_pref("extensions.torbutton.startup_resize_period", true); always are set to true after closing and restarting... meh.
Please fix Tor
Please fix Tor Team
https://trac.torproject.org/projects/tor/ticket/13592
> Isolate by base
> Isolate by base (top-level) domain name instead of FQDN
There should be an option to turn back isolate by FQDN
A unique prefix for FQDN-based authenticators in each torbrowser instance is also needed. So isolation for different instances would be provided when surfing the same sites.
Can't get the newer captchas
Can't get the newer captchas to appear. It will tell me to identify all Burgers and show me the example burger image, but then it will not show any other images. I can select and deselect each square of the grid but of course I can't tell which square is what.
Trying to change to the audio challenge will not help. It will not play any sounds.
Disabling NoScript does not help.
FREAK Attack and Tor
FREAK Attack and Tor OK?
Hello?
the logjam attack
the logjam attack ?
www.weakdh.org
Hi. I too am having trouble
Hi. I too am having trouble with recaptcha. The picture matching images are not showing up. How do I resolve?
Thank you.
TOR recaptcha is impossible
TOR recaptcha is impossible to solve, how do you fix this?
Complain to the recaptcha
Complain to the recaptcha provider; it isn't a problem with Tor.
Guess this is the wrong way.
Guess this is the wrong way. Within an onion network, there are captchas everywhere (even google search, not that i would use it). This should work properly and imho, its nothing a user has to solve. Guess whats the answer, when a user asks "hey google, your recaptchas dont work with TOR browser. Would you mind to change things up?".
I reckon its a hard thing to handle but its a problem, a user can and will not solve, even if he/she wanted to...
Actually it's a pretty easy
Actually it's a pretty easy thing to solve. For Google. If they wanted too. For anyone else it's pretty difficult.
google been jamming tor
google been jamming tor visitors with the endless ipv4.google.com, for years. the page reloads the same, except with a new captcha. google simply won't accept tor visitors.
same problem with recaptcha,
same problem with recaptcha, plz help
Spyware.password Malware
Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\AccessibleMarshal.dll
Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\libEGL.dll
Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\libGLESv2.dll
Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\mozalloc.dll
Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\mozglue.dll
Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\components\browsercomps.dll
Malwarebytes V 2.1.6.1022
Halp - thx
Looks
Looks like
https://www.torproject.org/docs/faq#VirusFalsePositives
Interesting read, tor devs
Interesting read, tor devs should too if they haven't!
"Academics build a new Tor client designed to beat the NSA"
http://www.dailydot.com/politics/tor-astoria-timing-attack-client/
otima ferramenta esse tor
otima ferramenta esse tor browser.
TOR Browser has become
TOR Browser has become totally useless! Recently Google made a change to their Recaptcha to choose images matching an image. Such as to choose all the Coffees or all the Burgers etc.. But Tor doesn't show the matching images.
This is not about the captcha on Google's site. This is about the Recaptcha that many other websites are using but which uses Google recaptcha component.
Making it absolutely impossible to view these websites.
Tor does not work with Google's new recaptcha. I see here many people complain abot it and nothing has been done.
This isn't a problem of Tor
This isn't a problem of Tor or the Tor Browser it is Googles fault!
You should write them.
Bug with Wordpress 4.2
Bug with Wordpress 4.2 ?
There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2 code.
It seems to trigger the Torbrowser warning on code that seems to have something to do with emoticon functionality using canvas code.
Example website : https://wordpress.org/news/2015/05/wordpress-4-2-2/
Could it be that this is not correct warning behavior?
Or is it? Why?
Can't get on many sites
Can't get on many sites because new recaptcha not working.
It doesn't show images i have to match.
I tried enable all script and still not working.
The same problem. I'm more
The same problem.
I'm more than a week trying to resolve this problem. ANY SITE containing CAPTCHA is INACCESSIBLE for me.
Even writing correctly, always appears an error Feedback that not me access to the site. In some cases the image does not even appear. TOR installed on various platforms such as Linux Ubuntu 15.04, Windows 10 and TailLinux 1.5.
All had the same problem. I tested several settings, including withdrew all security lock TOR and adiconei the latest updates of Java and Flash. Nothing. I tested three different versions of TOR (4.0.4, 5.0 and the new 5.5) all showed the same result.
The biggest problem is that much of the Deep Web sites (.onion .i2p and .freenet) require this type of security protocol to access them. Mainly e-mail creating websites and forums.
I need to urgently create an account on Tor2mail (yes I know that this FBI spying ¬.¬) But I need.
I know that the TOR of the team is working hard to keep the program away from the NSA, FBI and others. And help us to have anonymity and privacy. And I thank them very much for that! But this error should not be ignored.
If anyone knows how to solve this problem please let me know. If I found something new warning you.
Thank you all!
Google recaptcha doesn't
Google recaptcha doesn't work on ANY site when NoScript is enabled. I've tried new OS installs, new TOR Browser installs and get the same problem since May until now. This is what happens to me:
If NoScript is enabled, I will see the recaptcha that has the grainy black and white letters over the black and white background that are nearly impossible to read. The recaptcha is rigged not to work. There's been a few times where I know with 100% certainty I solved the recaptcha right because the letters were very legible and unambiguous. STILL won't work.
If NoScript is disabled, then I get a different kind of recaptcha which is much easier to solve. But I lose the benefit of NoScript blocking the FBI from using an XSS attack on my through a flash object or invisible iframe.
I consider TOR worthless until this is fixed because Actionscript and Flash objects will ALWAYS have leaks that the FBI can use to put de-anonymizing malware onto my machine.
I'm switching to I2P, I have no other choice.
Tor can't access FunCaptcha.
Tor can't access FunCaptcha. :(
i hope soon we can access the FunCsptchs
Yes, please fix funcaptcha
Yes, please fix funcaptcha problems, ty.
is it possible to create a
is it possible to create a blacklist for some sites using tor?
CAPTCHA not working for me
CAPTCHA not working for me ether.
No matter what I type in it wont accept it.