Tor Browser 5.5a2 is released

by gk | August 28, 2015

A new release for the alpha Tor Browser is available for download in the 5.5a2 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Additionally, we included the crash bug fix that was already available in the stable series and a small fix for Unity and Gnome users on Linux. Also, we updated the NoScript version we ship.

Here is the complete changelog since 5.5a1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
    • Bug 16771: Fix crash on some websites due to blob URIs
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Comments

Please note that the comment area below has been archived.

August 29, 2015

Permalink

5.5a2 claims to be out of date but is current. I tried updating from the About box and with a fresh download - no difference. The caution symbol on the onion blinks but no updates are found. Harmless but weird.

August 29, 2015

Permalink

Updated yesterday to 5.5a2, but today Tor Button says TBB is not up-to-date.
Changing "extensions.torbutton.updateNeeded" to false fixed this problem for me.

August 30, 2015

Permalink

TIP AND TRICKS: The fastest way for the 10 minutes configuring-and-run a non-exit relay only, for Win32/64 users

Download the TOR Expert Bundle (Windows 8, 7, Vista, XP, 2000, 2003 Server, ME, and Windows 98SE). Contains just Tor and nothing else. You'll need to configure Tor and all of your applications manually. This installer must be run as Administrator.

Download link:
https://www.torproject.org/download/download

Create the folder TorRelay and put there all the TOR applications.

C:\TorRelay
C:\TorRelay\Data
C:\TorRelay\Data\Tor
geoip
geoip6
torrc to-be-created
C:\TorRelay\Tor
tor.exe
libeay32.dll
libevent-2-0-5.dll
libevent_core-2-0-5.dll
libevent_extra-2-0-5.dll
libgcc_s_sjlj-1.dll
libssp-0.dll
ssleay32.dll
zlib1.dll
TORrelay.cmd to-be-created

Run this command in a CMD window to obtain the HashedControlPassword to protect the torrc file from attackers:
tor.exe --hash-password PASSWORD | more

  1. <br />
  2. C:\TorRelay\Tor>tor --hash-password PASSWORD | more<br />
  3. Aug 30 13:28:07.703 [notice] Tor v0.2.6.10 (git-cab52fe998909e08) running on Win<br />
  4. dows XP with Libevent 2.0.21-stable, OpenSSL 1.0.1p and Zlib 1.2.8.<br />
  5. Aug 30 13:28:07.703 [notice] Tor can't help you if you use it wrong! Learn how t<br />
  6. o be safe at <a href="https://www.torproject.org/download/download#warning
  7. 16:E6DDC7FE32A572DC60FF1750513AA9C9B99E0E77E9F023A989B2B36C31
  8. [/geshifilter-code" rel="nofollow">https://www.torproject.org/download/download#warning<br />
  9. 16:E6DDC7FE32A572D…</a>]</p>
  10. <p>and copy the obtained hash in torrc (you can use any password).<br />
  11. [geshifilter-code]<br />
  12. HashedControlPassword 16:E6DDC7FE32A572DC60FF1750513AA9C9B99E0E77E9F023A989B2B36C31<br />
  13.  

Create the relay torrc file and put this file in C:\TorRelay\Data\Tor:

  1. <br />
  2. Address <i>xxx.xxx.xxx.xxx</i><br />
  3. AvoidDiskWrites 1<br />
  4. Nickname <i>your-relay-name</i><br />
  5. ContactInfo <<i><a href="mailto:contact@any.com" rel="nofollow">contact@any.com</a></i>><br />
  6. ORPort 9001<br />
  7. DirPort 9030<br />
  8. SocksPort 9050<br />
  9. ControlPort 9151<br />
  10. DataDirectory C:\TorRelay\Data\Tor<br />
  11. GeoIPFile C:\TorRelay\Data\Tor\geoip<br />
  12. GeoIPv6File C:\TorRelay\Data\Tor\geoip6<br />
  13. ## tor --hash-password PASSWORD<br />
  14. HashedControlPassword 16:E6DDC7FE32A572DC60FF1750513AA9C9B99E0E77E9F023A989B2B36C31<br />
  15. Log notice stdout<br />
  16. NumEntryGuards 18<br />
  17. RelayBandwidthBurst 5242880<br />
  18. RelayBandwidthRate 5242880<br />
  19. SafeSocks 1<br />
  20. TestSocks 1<br />
  21. NewCircuitPeriod 10<br />
  22. CircuitBuildTimeout 30<br />
  23. DirReqStatistics 0<br />
  24. ExitPolicy reject *:*<br />
  25. HeartbeatPeriod 1800<br />
  26.  

Create the TORrelay.cmd and put this file in C:\TorRelay\Tor:

  1. <br />
  2. start /B /DC:\TorRelay\Tor\ tor -f C:\TorRelay\Data\Tor\torrc >> log<br />
  3.  

Open the ports 9001, 9030, 9050, 9151 in your firewall and forward these ports if you are behind a router to allow to be accessed from the Internet.

If you have a private IP, make your router DHCP 192.168.xxx.xxx IP static:
- Open the Local Area Connection Status -> Properties
- Internet Protocol (TCP/IP) -> Properties
- Check the Use the following IP address and put there the IP Address, Subnet Mask and the Default Gateway from the Local Area Connection Support.

Hit the TORrelay.cmd and that's all folks!

Check your log file created in C:\TorRelay\Tor for these notice to ensure that everything is OK:

Now checking whether ORPort xxx.xxx.xxx.xxx:9001 and DirPort xxx.xxx.xxx.xxx:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Self-testing indicates your DirPort is reachable from the outside. Excellent.

Check periodically your non-exit relay (your-relay-name) health at:
https://atlas.torproject.org/#search/
https://consensus-health.torproject.org/consensus-health.html

When you want to stop your non-exit relay end the process tor.exe from Task Manager.

August 30, 2015

Permalink

The indicator is not much of a problem showing a false out of date but when the actual 5.5.a3 comes out we have to keep an eye for it so we can try the update then. I suspect they forgot to change the code so the a2 still thinks it's a1.

September 05, 2015

In reply to gk

Permalink

I didn't notice the response. No problem, it only appeared as out of date on that first day, Now 5.5a2 seems current.
Thanks

August 30, 2015

Permalink

Since TB v5 my Settings page is broken; the options are shown, but I can't choose anything, and no checkmarks are visible. This is weird (and not secure). In the regular Firefox this is not a problem.

August 31, 2015

Permalink

All the RSA keys (906 bytes) will be replaced by Ed25519 keys (96 bytes)?

Are these keys more secure? I run a relay server powered by tor.exe v0.2.7.2-alpha and I saw 4 new Ed25519 keys in my keys folder.

Regards,
TORques

From http://ed25519.cr.yp.to/
High security level. This system has a 2^128 security target; breaking it has similar difficulty to breaking NIST P-256, RSA with ~3000-bit keys, strong 128-bit block ciphers, etc. The best attacks known actually cost more than 2^140 bit operations on average, and degrade quadratically in success probability as the number of bit operations drops.

The existing RSA keys are 1024 bit, so yes, assuming the Ed25519 math is correct (likely), there is an increase in security. Comparing the actual key size directly is a mistake since the underlying algorithms are radically different (EdDSA vs RSA).

August 31, 2015

Permalink

Do you consider adding the ability to add a proxy in the circuit after the exit node for circumventing Tor blocks?

September 01, 2015

Permalink

I download 5.1and 5.5a many times during lask week,but Software double-click does not open

from yesterday 4.8 cannot cannot connect bridges too.

china beijing,windows xp sp3, administrator account or system account

September 03, 2015

Permalink

win 7 new install gets run firefox app error after install "the instruction at referenced memory at 0x4dea4fb. the memory could not be written." using administrator mode....regular mode just disappears from task mgr. after 30s. Thanks!

September 04, 2015

Permalink

By to way, should beacon.enabled to be false on about:config ?

Now it is true.

Or is this handled on NoScript ?

September 05, 2015

Permalink

How to bring back or turn on short info about https connection technical details in TBB(linux)? In regular fox all works ok ( for example info about this site appear: Connection encrypted TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2). but under TBB cannt find this info.

September 05, 2015

Permalink

Would it be possible to have a javascript observatory and stricter CSP (Content Security Policy) and implement it for the Tor Browser?

A javascript observatory should work similar to EFF's SSL observatory, it should observe javascript and check if it is an exploit or XSS code and block it, instead of the allow all or nothing from domain X approach used by NoScript. NoScript XSS filter is flawed. NoScript offers no protection against a trusted domain X that get hacked and javascript exploit code injected. This has be done several times before by the FBI, but other hackers could repeat this of course.

Tor Browser only implements a very limited set of Content Security Policy, it does not allow blocking XSS and other malicious javascripts using Content Security Policy rules like script-src 'none'.

i do not activate eff observatory and i do not think it should be a good idea to have one for JavaScript ...
noscript is a very good add-on.
I should have prefered an embedded calomel but it does not seem possible (anyway a grey lock is yet with firefox).
If a trust domain is hacked (you do not need a hacker or an unknown enterprise for that) ; it is more often because a lot of person are agree than it is easy to do it : compromised means exactly that.
ev is the best counter measure if that i read is right.
(banking_trusted domain = in the usa, all or almost are monitored by the nsa (it is their job to protect their investment) so your account too ; none respect of your privacy or laws are protecting your funds., in eu, all or almost are the propriety of the bank (it is their job to protect their transactions) so your account too ; none privacy or laws are protecting your funds. A trusted domain is based on a chain of trust : it is the reason why most of foreigners/strangers/tourists/refugees choose their own national bank -Jew bank, Portuguese bank etc.- according their origin.
the term 'bank' is an example of course.)
I do not think that a very strict policy set in tor could stop that.
if a site is broken/compromised/hacked you should write an email to the admin.
if an add-on is not as good as your wish you should write to the dev.
i did it several time and ,sometimes, i had a very good response from them.
tor is not a certified (inter)national trust of web ; there are another organizations for that but maybe will become it for the hidden services.
*it is only an opinion, nothing serious.

September 05, 2015

Permalink

@yawning - if a bridge was to change from a bridge to regular node, would Tor Browser know that it has changed and notify user or will users be still using it under the false impression that it is still a bridge?

September 08, 2015

Permalink

Mempo Project
Install Tor, configure with proper options:

As root, configure this and restart tor.
In file /etc/tor/torrc find line with "SockPort" (or add it) and add there following options so it will read as:
SocksPort 9050 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
This is very important, otherwise same Tor circuit is re-used even for different programs and servers making it much easier to correlate your various activities!
TEST: To test if that works, open few "what is my IP" pages and verify if they show different IP each usually

does it mean that tor bundle (from tor site) is not configured with proper options yet ?

September 09, 2015

Permalink

All Tor users! You are all terrorists now! By the way, everyone needs to get the plug in add on BLUR and DISCONNECT! They block trackers and various other intrusive entries! Also, make sure you get PEERBLOCK to block even more intrusive entities!

September 10, 2015

Permalink

Tor Browser 5.5 a1& a2 can't display Chinese word on my OS X v10.10.5

It seems as Firefox can't recognize the NotoSansCJKsc-Regular.otf

The other 30 NotoSans*.ttf can list in Firefox‘s about:preferences#content

Do you see any Chinese characters anywhere? Or do you see unrendered unicode boxes everywhere? Is there a particular web page where Chinese characters aren't working?

September 16, 2015

In reply to arthuredelstein

Permalink

The Firefox‘s menu is correct.
Both he dialog box and all of the chinese web pages display unicode boxes.

September 10, 2015

Permalink

There will never be privacy or safety because...

“The Department of Homeland Security got in touch with our Police Department,” Fleming told Propublica.

Taken back by the reaction from the city, the library chose to shut down the relay after “local police and city officials discussed how Tor could be exploited by criminals.”

“Right now we’re on pause,” Fleming said. “We really weren’t anticipating that there would be any controversy at all.”

Despite Tor relays being completely legal and the Tor network itself being regularly utilized by whistleblowers, journalists and the privacy-conscious, many law enforcement agencies continue to express disdain over the technology’s strong encryption.

September 13, 2015

Permalink

Does the NOSQUINT plug-ing affect Tor's security and privacy? I choose options to have black background and white text.

September 14, 2015

Permalink

hi
in my country(iran), these are organization that filtered tor browser!
they do supply internet only via "Kerio Control VPN Client" tool.
this strategy is smartly because tor do not able connect from inside of kerio!
please help us!
this means a lion fight a lion! and we can not connect to free internet via tor browser.

September 18, 2015

Permalink

my no script setting was modified :
yesterday * advanced>https>recommended with Tor
today * never

Is it a malfunction, a bug , a hack,an attack, a warning ?
From/against noscript, Tor, a webmail, an app, ?

Is it happened yet to you ?

pls do not censured this message, thx.

September 21, 2015

Permalink

Dear the Tor Project Team:

Please switch back to Startpage as the default search engine.

Sincerly, Anonymous.