Tor Browser 5.0a1 is released

by mikeperry | May 13, 2015

The first alpha release in the new 5.0 series of the Tor Browser is now available from our extended downloads page as well as the distribution directory.

Tor Browser 5.0a1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.

In addition to including all of the fixes that were present in the 4.5.1 release, this alpha release also features some additional privacy defenses.

In particular, this release re-enables the automatic window resizing fingerprinting defense that first appeared in 4.5a4. This defense can be disabled by setting the about:config pref extensions.torbutton.resize_windows to false, but please first report any issues you encounter on the feature's trac ticket.

This release also introduces a new defense against various forms of performance fingerprinting and time-based side channel attacks. A handful of new attacks have been published recently that take advantage of Javascript's high-performance timers to determine hardware performance, perform keystroke fingerprinting, extract history information, and even steal sensitive data from memory. Because this defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps, we are especially interested in hearing any reports about issues with HTML5 video, animation, or game sites. Hopefully you will have as much fun testing this defense as we will!

Here is the complete list of changes since Tor Browser 4.5:

  • All Platforms
    • Update Firefox to 31.7.0esr
    • Update meek to 0.18
    • Update Tor Launcher to 0.2.7.5
      • Translation updates only
    • Update Torbutton to 1.9.2.5
      • Bug 15837: Show descriptions if unchecking custom mode
      • Bug 15927: Force update of the NoScript UI when changing security level
      • Bug 15915: Hide circuit display if it is disabled.
      • Bug 14429: Improved automatic window resizing
      • Translation updates
    • Bug 15945: Disable NoScript's ClearClick protection for now
    • Bug 15933: Isolate by base (top-level) domain name instead of FQDN
    • Bug 15857: Fix file descriptor leak in updater that caused update failures
    • Bug 15899: Fix errors with downloading and displaying PDFs
    • Bug 15773: Enable ICU on OS X
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP requests respect URL bar domain isolation
    • Bug 13875: Improve the spoofing of window.devicePixelRatio
  • Windows
    • Bug 15872: Fix meek pluggable transport startup issue with Windows 7
  • Build System
    • Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds

Comments

Please note that the comment area below has been archived.

May 13, 2015

Permalink

The downloaded installer package cannot intall. It said:
NSIS Error
Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy.

May 13, 2015

Permalink

"Because this defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps"

Doesn't this allow page creators to distinguish Tor users from non-anonymous users with a simple embedded Javascript in the HTML?

The aim is to make Tor Browser users less distinguishable. Blending Tor Browser users into all the other users is probably never going to happen.

May 15, 2015

In reply to gk

Permalink

Why is this the approach? Why make TOR users stand out at all - is it not possible to achieve the same level of anonymity, security and privacy whilst blending as a regular user of FF, Chrome etc?

As I've read, the answer is no, not possible. One reason I believe is that standard installation of firefox has disastrously weak privacy preferences. Few users edit preferences, so tbb with bolstered preferences already appears different than standard firefox.

The goal is instead to have all tbb users appear the same to websites as all other tbb users appear.

i sympathize with your interest in reducing the fingerprintability/distinguishability of Tor users in general, but reaching any page from a Tor exit's IP address presumably will always make it possible--at least heuristically--to distinguish likely Tor users from non-Tor users... unless we add many, many exits to the network!

Its trivial when you have access to the server logs or are able to run additional software on the servers.

This new feature may allow the many users of services like Blogger or WordPress to display different content to either identifiable or anonymous visitors.

May 13, 2015

Permalink

was just thinking about my own gratitude for your work, and wanted to mention that it's a shame that the team can't marshal more funding for advocacy work to upstream more of the fingerprintability/distinguishability patches to mozilla.

for all their talk about being committed to privacy, it's pretty lame that mozilla won't just accept patches that you've literally already written and tested that make firefox more private and secure.

already tbb design must weigh user expectations vs privacy.
Firefox user expectations tend even less toward privacy, and more toward expectations of whizbang websites (which then run amok with user privacy).
iirc, firefox installs allowing all cookies and javascript enabled.

tbb users wear helmet and full racing harness in vehicle with roll cage and fire retardant system.
firefox is designed for users who ride motorcycles shoeless wearing only underwear - not even with sunscreen.

Install www/linux-firefox to pull in all the needed libs, deinstall linux-firefox if you want after this.

Use the 32-bit version of tor browser.

If you're running amd64, edit out the lines

  1. SYSARCHITECTURE=$(getconf LONG_BIT)<br />
  2. TORARCHITECTURE=$(expr "$(file TorBrowser/Tor/tor)" : '.*ELF \([[:digit:]]*\)')</p>
  3. <p>if [ $SYSARCHITECTURE -ne $TORARCHITECTURE ]; then<br />
  4. complain "Wrong architecture? 32-bit vs. 64-bit."<br />
  5. exit 1<br />
  6. fi

from the startup script.

Good luck.

Did you use the built-in updater or did you download a new package and install it manually? Did you look to see if Tor Browser made any backups that you could use to recover your bookmarks?

May 14, 2015

Permalink

Hi,
i have a question.

I'am using Tails and don't really understand difference between
Tor Browser(TBB) 4.5 and TBB 4.5.1(Tails1.4). And if the seen Browser behaviour is OK/normal.
1 open Browser Tab creates at least 2 and more different open circuits.
Especially with middle-click new Tab and manually drop link from same domain.
Final result is 1 site generates a lot of DIFFRERENT circuits?
Normal or Bug?

https://blog.torproject.org/blog/tails-14-out
Tor Browser(TBB) 4.5
"Tor Browser 4.5 now keeps using the SAME TOR CIRCUIT while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out."

https://blog.torproject.org/blog/tor-browser-451-released
TBB 4.5.1 (in Tails 1.4 !)
"Bug 15933: Isolate by base (top-level) domain name instead of FQDN"

May 14, 2015

Permalink

Update created a duplicate browser folder so now two browsers in one program. Will have to instal afresh yet again!!

May 14, 2015

Permalink

I am having 100% lack of connection since the last, most recent May 2015 update to the Tor Bundle. I went back to the stable April 2015 release, and have 100% connection, with no issue, other than being told to update browser, and update Tor. Anyone else having same issue? Anyone have an idea what is going on?

May 14, 2015

Permalink

re: resize_windows

I like the changes as far as usability is concerned, but when I disable it, the window sticks with the resized dimensions as if it was still enabled.
& can fingerprinting only be done while loading the page? If I disable resize_windows after I already loaded pages which I want to view in full-res, I shouldn't have anything to worry about if there's no JS or anything else active, right?

May 14, 2015

Permalink

I'm not crazy about allowing all scripts on a site I don't fully trust. Is there any way to have NoScript behave like it used to? I realize that cherry-picking scripts could provide a unique profile of a user, but there's tracking scripts, for example that I'm not keen on allowing.

May 14, 2015

Permalink

Hello, i installed the update and now I'm getting a Runtime error. Its not letting me activate the browser, and it keeps asking me to restart the tor browser.

May 15, 2015

Permalink

Why not make all TBB users screens fullscreen as default? Wouldn't this be just as effective as leaving it as it is now + better usability?

May 16, 2015

Permalink

Are the Tor DEVS finally going to get GTK working in Tor for Linux?

This is something that has been broke for over a year, would be nice to finally see this fixed...

Is there a ticket for it? If not, odds are good nobody knows what you're talking about. (And if that's so, you should make a ticket, and include as much information as you can.)

May 16, 2015

Permalink

Google recaptcha is using html5 animation to show captcha images ?
Tor browser is useless if don't work with google recaptcha.

at least in 2014, google offered a noscript (noscript html element, not noscript extension) alternative that required pasting a long generated string into another form box. Maybe google stopped providing the noscript alternative?

May 17, 2015

Permalink

Cannot now save photos from tumblr or flickr using latest version? Always worked before wit javascipt off.

May 17, 2015

Permalink

Google recaptcha not working here too
No matter what i do, still not working.
I tried disable noscript and https and nothing

May 17, 2015

Permalink

@arma,

Yes there's a ticket, in fact there have been several tickets I've seen for a few years and nothing has been done about it...

Is there a ticket for it? If not, odds are good nobody knows what you're talking about. (And if that's so, you should make a ticket, and include as much information as you can.)

May 17, 2015

Permalink

How can I completely disable that resize stuff? Even if I set the about:config stuff related to it to false, after a restart I still get that behaviour (I don't like)!

May 17, 2015

Permalink

Whatever I do, user_pref("extensions.torbutton.resize_new_windows", true); and user_pref("extensions.torbutton.startup_resize_period", true); always are set to true after closing and restarting... meh.

May 20, 2015

Permalink

> Isolate by base (top-level) domain name instead of FQDN

There should be an option to turn back isolate by FQDN

A unique prefix for FQDN-based authenticators in each torbrowser instance is also needed. So isolation for different instances would be provided when surfing the same sites.

May 20, 2015

Permalink

Can't get the newer captchas to appear. It will tell me to identify all Burgers and show me the example burger image, but then it will not show any other images. I can select and deselect each square of the grid but of course I can't tell which square is what.

Trying to change to the audio challenge will not help. It will not play any sounds.

Disabling NoScript does not help.

May 23, 2015

Permalink

Hi. I too am having trouble with recaptcha. The picture matching images are not showing up. How do I resolve?

Thank you.

Guess this is the wrong way. Within an onion network, there are captchas everywhere (even google search, not that i would use it). This should work properly and imho, its nothing a user has to solve. Guess whats the answer, when a user asks "hey google, your recaptchas dont work with TOR browser. Would you mind to change things up?".
I reckon its a hard thing to handle but its a problem, a user can and will not solve, even if he/she wanted to...

google been jamming tor visitors with the endless ipv4.google.com, for years. the page reloads the same, except with a new captcha. google simply won't accept tor visitors.

May 27, 2015

Permalink

Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\AccessibleMarshal.dll

Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\libEGL.dll

Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\libGLESv2.dll

Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\mozalloc.dll

Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\mozglue.dll

Spyware.password Malware File c:\Users\xLm\Desktop\Tor Browser 4.5.1\Browser\components\browsercomps.dll

Malwarebytes V 2.1.6.1022

Halp - thx

June 09, 2015

Permalink

TOR Browser has become totally useless! Recently Google made a change to their Recaptcha to choose images matching an image. Such as to choose all the Coffees or all the Burgers etc.. But Tor doesn't show the matching images.

This is not about the captcha on Google's site. This is about the Recaptcha that many other websites are using but which uses Google recaptcha component.

Making it absolutely impossible to view these websites.

Tor does not work with Google's new recaptcha. I see here many people complain abot it and nothing has been done.

June 09, 2015

Permalink

Bug with Wordpress 4.2 ?

There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2 code.
It seems to trigger the Torbrowser warning on code that seems to have something to do with emoticon functionality using canvas code.

Example website : https://wordpress.org/news/2015/05/wordpress-4-2-2/

Could it be that this is not correct warning behavior?
Or is it? Why?

June 17, 2015

Permalink

Can't get on many sites because new recaptcha not working.
It doesn't show images i have to match.
I tried enable all script and still not working.

The same problem.

I'm more than a week trying to resolve this problem. ANY SITE containing CAPTCHA is INACCESSIBLE for me.

Even writing correctly, always appears an error Feedback that not me access to the site. In some cases the image does not even appear. TOR installed on various platforms such as Linux Ubuntu 15.04, Windows 10 and TailLinux 1.5.

All had the same problem. I tested several settings, including withdrew all security lock TOR and adiconei the latest updates of Java and Flash. Nothing. I tested three different versions of TOR (4.0.4, 5.0 and the new 5.5) all showed the same result.

The biggest problem is that much of the Deep Web sites (.onion .i2p and .freenet) require this type of security protocol to access them. Mainly e-mail creating websites and forums.

I need to urgently create an account on Tor2mail (yes I know that this FBI spying ¬.¬) But I need.

I know that the TOR of the team is working hard to keep the program away from the NSA, FBI and others. And help us to have anonymity and privacy. And I thank them very much for that! But this error should not be ignored.

If anyone knows how to solve this problem please let me know. If I found something new warning you.

Thank you all!

August 17, 2015

Permalink

Google recaptcha doesn't work on ANY site when NoScript is enabled. I've tried new OS installs, new TOR Browser installs and get the same problem since May until now. This is what happens to me:

If NoScript is enabled, I will see the recaptcha that has the grainy black and white letters over the black and white background that are nearly impossible to read. The recaptcha is rigged not to work. There's been a few times where I know with 100% certainty I solved the recaptcha right because the letters were very legible and unambiguous. STILL won't work.

If NoScript is disabled, then I get a different kind of recaptcha which is much easier to solve. But I lose the benefit of NoScript blocking the FBI from using an XSS attack on my through a flash object or invisible iframe.

I consider TOR worthless until this is fixed because Actionscript and Flash objects will ALWAYS have leaks that the FBI can use to put de-anonymizing malware onto my machine.

I'm switching to I2P, I have no other choice.