Tor Browser 5.0a3 is released

by gk | July 6, 2015

The Tor Browser Team is proud to announce the first alpha release based on Firefox 38 ESR.

As such, this release features many updates to Firefox (including several security updates), as well as to our build system and dependencies. For this release, we performed a thorough network and feature review of Firefox 38, and fixed the most pressing privacy issues, as well as all Tor proxy safety issues that we discovered during the audit.

We also updated our toolchain on OS X to use the OS X 10.7 SDK. For Linux and Windows we switched to GCC 5.1 as our new (cross)-compiler. We are therefore especially interested in feedback if there are stability issues or broken Tor Browser bundles due to these toolchain upgrades.

Besides Firefox 38 and build system changes, we also updated several components. Most notably, we bumped OpenSSL to version 1.0.1o, NoScript to version 2.6.9.27 and Torbutton to version 1.9.3.0. Included as well is a backported Tor patch to improve usability on websites, and we fixed a crash bug impacting users with the security slider level set to "High".

Here is the complete changelog since 5.0a2:

  • All Platforms
    • Update Firefox to 38.1.0esr
    • Update OpenSSL to 1.0.1o
    • Update NoScript to 2.6.9.27
    • Update meek to 0.20
    • Update Torbutton to 1.9.3.0
      • Bug 16403: Set search parameters for Disconnect
      • Bug 14429: Make sure the automatic resizing is enabled
      • Bug 16427: Use internal update URL to block updates (instead of
        127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Translation updates
    • Update Tor Launcher to 0.2.6.7
      • Bug 16428: Use internal update URL to block updates (instead of
        127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16430: Allow DNS names with _ characters in them (fixes
      nytimes.com) (Tor patch backport)
    • Bug 13247: Fix meek profile error after browser restarts
    • Bug 16397: Fix crash related to disabling SVG
    • Bug 16403: Set search parameters for Disconnect
    • Bug 16446: Update FTE bridge #1 fingerprint
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon
      downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38

Comments

Please note that the comment area below has been archived.

July 06, 2015

YouTube video failing to load with this release.
Also a reproducible crash when temporarily allowing NoScript on YouTube.

July 06, 2015

Did upgrade on PCLinuxOS 32-bit using KDE. Now certain sites say Java Script needs to be enabled but nothing I do with NoScript, including disabling it, enables Java Script.

So how do I enable Java Script even when NoScript is disabled?

July 06, 2015

I get no audio on PCLinuxOS 32-bit. Played with all the Pulse Audio, etc, settings I could think of.

July 08, 2015

In reply to arma

It's set to Yahoo! search by default. Doesn't matter, it's an alpha release anyway :)

Mine was set to what I had in the previous release, which was DDG. Not sure if it makes any difference, but maybe you didn't update through the browser like I did?

I can confirm problems on Twitter (no pictures shown), also I'm not able to right-click on Twitter and see the context menu and it always shows the cookie warning on top of the page.

July 07, 2015

Is there a way to choose which permissions to allow within NoScript, rather than what I assume is more-or-less just white-listing a whole page? I used to be able to block specific elements/objects. I think you've raised concerns about fingerprinting before, but I'm more worried about executable content I can't control. The following is an issue regarding NS white-listing, http://net-security.org/secworld.php?id=18579 but it's loosely tied to my concerns. Thank you.

July 07, 2015

Great update. Ignore the whining above - runs fast, no problems.

Agree that white-listing by element would be preferable as a standard setting in the browser, rather than temporarily allowing all scripts. Also preferable to have Clearclick protection set on trusted and untrusted pages by default, since this is Tor Browser and not Chrome ;-)

Great that the base has been updated to FF38. Once full sandboxing is completed (can Mozilla move that along already?), then this browser will be simply great from a security standpoint.

Also, I'm sure SSL observatory is turned off for a good security reason, but I read on Schneier's blog that the option to submit and check CAs signed by non-standard root CAs can make it much harder for the Stasi for some reason (can't recall right now why).

Anyway, I'm sure your developers are all over this, and the millions who use your software to have a semblance of privacy truly appreciate your hard work and amazing coding skills!

July 08, 2015

BIG Thank you to the developers, as always :-)

Unfortunately this time when I download any file from anywhere the download-window doesn't update itself.
Means, whenever I start a download the progress bar stops immediately while the download itself works. Minor problem, but annoying....

I think this might be an intentional design in Firefox.

I go to about:downloads when I want to see status. There's probably something to click on somewhere too.

July 11, 2015

In reply to arma

(Not OP)

No, I think it's a bug. I noticed I couldn't get downloads to work either and the terminal was spitting out:
*************************
A coding exception was thrown and uncaught in a Task.

Full message: TypeError: gDownloadLastDir is undefined
Full stack: nsUnknownContentTypeDialog.prototype.promptForSaveToFileAsync/<@resource://gre/components/nsHelperAppDlg.js:295:7
TaskImpl_run@resource://gre/modules/Task.jsm:330:41
Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:867:23
this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:746:7
this.PromiseWalker.scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:688:37

*************************
I was trying to download an asc file from this website. Trying it in other places also doesn't work. I hope that's enough info for you to figure it out.

Thanks for all your work.

I thought that was just me & my inability to decipher gibberish. Incredibly frustrating since seemingly every webmaster has jumped onto the Cloudflare bandwagon.

The only way I've been able to get around it is to enable Javascript and cookies, which is something I am very uncomfortable doing.
Seriously, Cloudflare can go F*** itself.

July 08, 2015

The update system is fast and saves a lot of time also. Using tor nowadays is like riding a bike, all you need is some sense of equilibrium to get through the shit load of disinformation flying around it.
This blog still is the best place to go before a ride.

Thanks all for keeping us updated and informed.

July 09, 2015

In reply to arma

Have you looked into Libressl instead? They are way ahead of Openssl on fixing most vulnerabilities.

July 08, 2015

If you want to look into a Tor alternative, look into the new Astoria browser which is trying to focus on anti-NSA tactics. Astoria will be for hardcore anonymity that Tor cannot achieve.

I recommend you read the Astoria paper and talk to the researchers. There *is* no Astoria browser, and it is not trying to compete with Tor. It's just a submitted research paper exploring the security implications of alternative path selection.

(It is worthwhile and useful research, but it has been way misunderstood in the popular press.)

July 12, 2015

I'm having trouble making twitter accounts still. Please fix this, they seem to know I'm using Tor browser right away and auto ask for my phone number.

What's there to fix? Tor by design doesn't hide the fact that you are using Tor from the destination (and realistically can't). This seems like something you need to take up with Twitter more than anything that can be fixed on the Tor side of things.

July 13, 2015

In reply to yawning

Why are TOR ips public? Is it because of funding or is there another reason like security/openness etc.?

The simple answer is that they cannot be used by users yet still remain secret. Users need to know what relays are in the network in order to use them. You could imagine designs that try to only reveal the entry points, and not reveal the exit relays (which is what most people asking this question are hoping to hide), but then I can run my own website, and visit it repeatedly, and make a list of all the addresses that connect to them.

Here's the more complete answer:
https://www.torproject.org/docs/faq#HideExits