Tor Browser 5.5a3 is released

by gk | September 22, 2015

A new alpha Tor Browser release is available for download in the 5.5a3 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Beginning with this alpha version, Tor Browser is available in Japanese as well. In addition, it contains usability improvements for our font fingerprinting defense, a better notification of Tor Browser changes after an update, and fixes for regressions that were caused by our switch to ESR 38 back in August.

Here is the complete changelog since 5.5a2:

  • All Platforms
    • Update Firefox to 38.3.0esr
    • Update Torbutton to 1.9.4
      • Bug 16937: Don't translate the homepage/spellchecker dictionary string
      • Bug 16735: about:tor should accommodate different fonts/font sizes
      • Bug 16887: Update intl.accept_languages value
      • Bug 15493: Update circuit display on new circuit info
      • Bug 16797: brandShorterName is missing from brand.properties
      • Translation updates
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17102: Don't crash while opening a second Tor Browser
    • Bug 16983: Isolate favicon requests caused by the tab list dropdown
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 16937: Remove the en-US dictionary from non en-US Tor Browser bundles
    • Bug 7446: Tor Browser should not "fix up" .onion domains (or any domains)
    • Bug 16837: Disable Firefox Hotfix updates
    • Bug 16855: Allow blobs to be downloaded on first-party pages (fixes mega.nz)
    • Bug 16781: Allow saving pdf files in built-in pdf viewer
    • Bug 16842: Restore Media tab on Page information dialog
    • Bug 16727: Disable about:healthreport page
    • Bug 16783: Normalize NoScript default whitelist
    • Bug 16775: Fix preferences dialog with security slider set to "High"
    • Bug 13579: Update download progress bar automatically
    • Bug 15646: Reduce keyboard layout fingerprinting in KeyboardEvent
    • Bug 17046: Event.timeStamp should not reveal startup time
    • Bug 16872: Fix warnings when opening about:downloads
    • Bug 17097: Fix intermittent crashes when using the print dialog
  • Windows
    • Bug 16906: Fix Mingw-w64 compilation breakage
    • Bug 16707: Allow more system fonts to get used on Windows
  • OS X
    • Bug 16910: Update copyright year in OS X bundles
    • Bug 16707: Allow more system fonts to get used on OS X
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Update: It seems claiming that our builds are reproducible with LXC as well now was a bit premature (see bug 12240 for details). Thus, this part got removed from the changelog.

Comments

Please note that the comment area below has been archived.

September 23, 2015

Tor Browser & Linux & VPNs = The Computing Holy Trinity!

We would be lost without your hard work. Don't forget that it is always appreciated by those who care about privacy and security.

September 23, 2015

Hi gk,

I noticed that there is a problem wherein the "Tor Circuit for this site" tab would disappear after prolonged use.

Also, I was wondering if this feature (TOR Circuit for this site) would compromise anonymity? If a hacker were to hack into the TOR browser from the user end, would they be able to see the TOR circuit and slowly trace and eventually see and find the contents that the user is browsing? I understand that TAILS is uncomfortable with this feature and thus does not include it in their release.

If you are talking about a remote attacker using a vulnerability in the browser, yes it might be possible. However, the attacker could potentially use a number of other methods with that same vulnerability to deanonymize the user as well depending on what they manage to access. Keep your browser up to date to (help) avoid this.
On the other hand, yes a local attacker could potentially use that feature; however, disabling the feature doesn't really reduce the attacker's capabilities (in terms of Tor Browser) because they could simply attack the tor process itself. Yes, some projects (like Tails and Whonix) have limited the ability for the browser to see the circuit; however, these projects are designed to deal with (limited) badly behaving programs. Tor Browser doesn't (because it can't) protect you from other programs on your computer spying on it. Your OS might, if your OS isn't the one doing the spying.

September 23, 2015

Just updated. Now I receive the error "Could not find Mozilla runtime". :(

I'm running Windows 10. I'm sure *that* has nothing to do with it.

Yes, but only ones that don't log
I recommend FrootVPN
It's $36/year.
Based in Sweden.
No personal information is required to create an account. Only username, password and email.
Accepts Bitcoin
And since I recommend it, it obviously has a no logging policy

Good question. What Windows version is that? Both on Windows 7 and 8 the signature is valid for me. What SHA 256 sum does the .exe have? Does the signature check for Tor Browser 5.5a2 work for you (see: https://dist.torproject.org/torbrowser/5.5a2/)? I am asking as this alpha is the first version that got signed on a Linux box. Before that we needed to use a Windows machine.

September 24, 2015

In reply to gk

My operating system is Windows 10

torbrowser-install-5.5a2_en-US.exe
Digital Signature = OK
Screenshot : http://i.cubeupload.com/Hkkjhv.png
MD5: e831d3bca509613fbb84d78a80e1e256
SHA256: b91700836a7f3f983a4961a06df5492647ccafd2c976c47c2c7e0ab1942f2632

torbrowser-install-5.5a3_en-US.exe
Digital Signature = Error
Screenshot : http://i.cubeupload.com/LDt7aj.png
MD5: 92df31f154ea262f1507271459177fbc
SHA256: b0300a609b3fe9e2f37fc10b5819059cd810b87210ed7e1ace814bafd014a74c

September 25, 2015

In reply to gk

Sure

gk

October 05, 2015

In reply to Anonymous (not verified)

I got my hands on a Windows 10 box and there the digital signature was correct. Could you find out what is causing this in your case? Like comparing the things shown to you if you look at the output after clicking on "Properties" (after right-clicking on the 5.5a2 and 5.5a3 .exe files)?

October 05, 2015

In reply to gk

torbrowser-install-5.5a3_de.exe
Digital Signature = Error
MD5: a892c57d2434e34a2cea6cc39653603d
SHA256: 10fc0612f080844c83874d88ba751913ebbc2a9d7447babfd5e2a76e4c8d2134

October 05, 2015

In reply to gk

Just because the authenticity of the files (original and not tampered with) this test done

Sorry, why are people using privacy tools under Windows 10? I fail to grasp the point. I lack the phantasy to come up with an explanation why one would willingly use a compromised-by-design OS. Your threat model can't be accurate because private data collections do leak.

September 23, 2015

:)

September 24, 2015

A sort of offtopic remark that maybe though is worth looking at.
(Did not know where to write this elsewhere on this site.)

Did anyone notice the sudden huge amount of exitnodes risen in Lithuania?
At least 60 sudden/new exitnodes by someone that has the contactname avenueoftor.com ?

Has someone from Torproject looked at this?

September 24, 2015

EMAIL ALTERNATIVES CHECK THESE OUT AND PROSPER IN PRIVACY AND FREEDOM!

1) Scramble - https://scramble.io/
2) Sigma - https://sigma.email/
3) ProtonMail - https://protonmail.ch/
4) DarkMail - https://darkmail.info/
5) Sigaint - https://www.sigaint.org/ (Has onion address)
6) Mail2Tor - http://mail2tor.com/
7) RuggedInbox - http://s4bysmmsnraf7eut.onion/

Additional information:

Site:
http://www.emailquestions.com/encrypted-email-service-providers/

Since disabling all javascript, http referral etc. I cannot sign in to my emails on any of the onion email sites. Even captures rarely work on those sites. https sites probably the same. Looks like some onion sites are using javascript for tracking. Used to be OK on earlier versions of TOR.

They could be using javascript for completely legitimate reasons; it can be used for far more than tracking.

September 24, 2015

Many Chinese words (about 1/2) in the browser UI can't be displayed correctly after the 5.5a3 update. These words show like a square box with 4 hex numbers in it. That does not happen in the 5.5a2 version.
It happens in my Win10 OS. I tested the 5.5a3 version in a Win7 OS (VMware), and these words can be displayed correctly but their fonts are different from other words that can be displayed correctly in Win10.
I guess there is something wrong with the fonts.

Thanks for reporting this. What variant of Chinese are you using (Simplified or Traditional) and can you give me a web page example where you see this problem?

September 26, 2015

In reply to arthuredelstein

greatfire.org

September 26, 2015

In reply to arthuredelstein

Chinese Simplified.
The problem is not about any web page, it's about the browser UI (all the menus, toolbars and dialogs). There is nothing wrong with the Chinese words in web pages.

These words show like this :
___
|7F|
|16|
ˉˉˉˉˉ
The "7F16" in the square box is the unicode of the word.

September 26, 2015

In reply to arthuredelstein

Sorry. My reply above is partially wrong. I tested some web pages and found there is the same problem with Chinese words in all the web pages. So the problem is about both the browser UI and web pages.

This problem happens in any Chinese web page.
e.g.
zh.wikipedia.org

I'm not seeing this problem on the pages listed. What version of Windows are you using? Also, could you paste the value of the pref "font.system.whitelist" (in about:config)?

When I visit zh.wikipedia.org, the font used for the main text is "Microsoft YaHei".

October 07, 2015

In reply to arthuredelstein

Windows 10

September 25, 2015

Hello, I'm new to TOR. I was exploring the TOR hidden services for the first time, and I noticed that under the TOR circuit map, it shows that there are 6 relays between my browser and the onion site. Does this thus mean that firstly, the TOR traffic never leaves the TOR circuit (unlike the normal non-hidden service websites) and there are 6 onion layers of encryption instead of the normal 3 which makes hidden services much more private?

September 29, 2015

I'm using openSUSE and want to create an Apparmor profile for TBB, what things should be modified to /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox

September 30, 2015

@gk or other Tor developers

If a bridge was to change from a bridge to regular node, would Tor Browser know that it has changed and notify user (error message) or will users be still using it under the false impression that it is still a bridge?

October 09, 2015

Did I understand that TOR cannot protect you from programs spying on you? Then what program can?

It depends on what you mean by programs spying on you; Tor can protect you from some attacks from programs running on external computers. For attacks from programs running on the local computer you're going to need protection at the OS level itself. Tails may be a better option than Tor Browser for your threat model.

October 11, 2015

Tor can only offer partial protection from direct identification (you can still be identified even if using tor). If you really want to protect yourself from malicious programs you need to do additional housekeeping over and above using tor.

October 11, 2015

Why did they make Torbrowser bundle slower?

example: TorBrowser Bundle 4.53 surfs faster and has less connection timeouts than newer TBB versions. Anyone have any info about this change? I have not been able to find any info related to the bottlenecking that happens on TBB versions higher than 4.53. Any info would be great.

October 15, 2015

Latest versions of Tor (stable and Alpha) not working on Mac OS X from China. I can only use a Tor 4.0 version I have. Newer versions don't connect and throw me mismatch identity errors.

October 21, 2015

Hi, thank you all for your great work.
But could you PLEASE integrate a function so we can minimize to tray the Tor Browser (Windows)? There was an extension before, but it stopped working...
Many thanks :-)

October 29, 2015

I understand from some users above that using TAILS would offer better security, however, while using TAILS, I noticed that there are no default bridges such as OBFS4, ScrambleSuit, etc. The only option that they gave was to add in your own protocol and for the non-tech savvy, we won't know how to use it. Thus, won't TAILS's NON-Bridged traffic be easier to identify?

If you're worried about the situation where some adversary is trying to identify your traffic (i.e. learn whether you are a Tor user), then using the default bridges is probably not a wise plan for you -- they can look for traffic to those known IP addresses, even if it's hard to do Deep Packet Inspection on the traffic flows themselves.