Tor Browser 6.0.5 is released

by gk | September 16, 2016

Tor Browser 6.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).

Thanks to everyone who helped investigate this bug and get a bugfix release out as fast as possible.

We are currently building the alpha and hardened bundles (6.5a3 and 6.5a3-hardened) that will contain the fix for alpha/hardened channel users. We expect them to get released at the beginning of next week. Until then users are strongly encouraged to use Tor Browser 6.0.5.

Apart from fixing Firefox vulnerabilities this release comes with a new Tor stable version (0.2.8.7), an updated HTTPS-Everywhere (5.2.4), and fixes minor bugs.

Here is the full changelog since Tor Browser 6.0.4:

  • All Platforms
    • Update Firefox to 45.4.0esr
    • Update Tor to 0.2.8.7
    • Update Torbutton to 1.9.5.7
      • Bug 19995: Clear site security settings during New Identity
      • Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
    • Update HTTPS-Everywhere to 5.2.4
    • Bug 20092: Rotate ports for default obfs4 bridges
    • Bug 20040: Add update support for unpacked HTTPS Everywhere
  • Windows
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Android
    • Bug 19706: Store browser data in the app home directory
  • Build system
    • All platforms
      • Upgrade Go to 1.4.3

Comments

Please note that the comment area below has been archived.

September 16, 2016

Downloaded TorBrowser-6.0.5-osx64_en-US.dmg sha256
d79e18d691a407c9cc06ec508701bff2283d73b65d4321e254763b17d0a13a09
Sha 256 on dist.torproject.org_torbrowser_6.0.5_sha256sums-unsigned-build
83af8ec2f8f56770a0a18bfe099cd4bf32e204bdcec8583575fb13a4f69b208a
No match, please put the easy to check and correct hashes back on that page as long as you don't explain in your long ago promised how to.
Making things not work and more difficult will only result in not checking at all anymore.

boklm

September 17, 2016

In reply to Anonymous (not verified)

The hash does not match because the sha256sums-unsigned-build.txt file has the hashes from the builds without the code signing that is included in the final dmg files. We did not yet write instructions to remove the code signing to check that it matches the hashes from sha256sums-unsigned-build.txt, but it is still planned to do it:
https://trac.torproject.org/projects/tor/ticket/18925

However, sha256sums-unsigned-build.txt is maybe not what you want to use, depending on what you want to check. If you want to reproduce a build and check that it matches what is distributed, you will get a sha256sums-unsigned-build.txt file that you can compare with ours, and then the code signing needs to be removed from the dmg files we distribute (or added to the build you made) to check that it matches. We are working on ticket #18925 to make that easier. However if you just want to check that the dmg files you downloaded are really what we released, then you should not use the sha256sums-unsigned-build.txt file, but use the gpg signature (each dmg file is signed individually).
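The signature check boklm recommends, as an added example (not part of the original comment and not Tor Project's own instructions): it accepts a bundle only if gpg reports a good signature made under one pinned primary key, since `gpg --verify` alone succeeds for any key in the local keyring. The `.asc` file name, the script name and the sample status lines are assumptions constructed for illustration, and the fingerprint is a placeholder because this page does not give it.

```shell
#!/bin/sh
# Added example (not Tor Project code): accept a download only when gpg reports
# a good signature made under one pinned primary key.

# Placeholder, not a real value: set this to the full fingerprint of the
# release signing key, taken from a source you trust. This page does not give it.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_RELEASE_KEY_FINGERPRINT}"

# sig_ok GPG_STATUS WANTED_FPR
# GPG_STATUS is the text gpg writes with --status-fd. Returns 0 only if it
# holds a VALIDSIG line for WANTED_FPR and no line reporting a bad, expired or
# revoked signature or key.
sig_ok() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want in
        ''|*[!0-9A-F]*) return 1 ;;   # empty or not hex (e.g. the placeholder)
    esac
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the key that made the signature, often a subkey;
            # field 12, when present, is the primary key it belongs to.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) good = 1
        }
        END { exit((good && !bad) ? 0 : 1) }'
}

# verify_bundle FILE SIGNATURE
# Runs gpg on a detached signature and applies sig_ok to its status output.
verify_bundle() {
    gpg_status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    sig_ok "$gpg_status" "$EXPECTED_FPR"
}

# Constructed sample status output; every fingerprint and key id is made up.
SAMPLE_PRIMARY="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_SUBKEY="1111111111111111111111111111111111111111"
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2016-09-16 1474000000 0 4 0 1 8 00 $SAMPLE_PRIMARY"
SAMPLE_EXPIRED_KEY="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1111111111111111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2016-09-16 1474000000 0 4 0 1 8 00 $SAMPLE_PRIMARY"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111111111111111 Example Signer <signer@example.invalid>"

# Usage (file names are assumptions):
#   EXPECTED_FPR=<fingerprint> sh verify.sh TorBrowser-6.0.5-osx64_en-US.dmg \
#       TorBrowser-6.0.5-osx64_en-US.dmg.asc
if [ "$#" -eq 2 ]; then
    if verify_bundle "$1" "$2"; then
        echo "OK: good signature under $EXPECTED_FPR"
    else
        echo "FAIL: no good signature from the pinned key" >&2
        exit 1
    fi
fi
```

The pin is compared with the primary key, so a signature made by a signing subkey still passes while a valid signature from any other key in the keyring is rejected.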

September 18, 2016

In reply to boklm

That's bullshit. You did that as censorship. My other comments also are not passed. I'm switching to your competitors.

September 19, 2016

In reply to gk

Georg, you are quoted in a rather terrifying story about a critical flaw affecting both TB and Tails version of TB:

http://www.theregister.co.uk/2016/09/18/mozilla_tor_flaws/
Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle
Researcher revealed Tor flaw after initially being ignored
Darren Pauli
18 Sep 2016

> Mozilla will patch a flaw in its Firefox browser that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks that also affects the Tor anonymity network. The flaw was first noticed by researchers describing the attacks against Tor ahead of the publication of a patch in version 6.0.5. "That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update," Tor developer Georg Koppen says. "This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries such as nation states."

The attack was reported by a researcher who goes by Movrcx:

> The need to obtain a legitimate TLS certificate for addons.mozilla.org was the cause of the high cost of entry to the attack, something Movrcx says was "difficult to accomplish but not impossible. This attack enables arbitrary remote code execution against users accessing specific clearnet resources when used in combination with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific clearnet resources," he wrote. "Additionally this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met - such as an installed language pack, public IP address, DNS cache, stored cookie, stored web history, and so on."

(For those who have forgotten, some years ago a hacker (apparently living in Iran) was able to obtain the crown jewel of certificates, a genuine certificate claiming that he was wildcard at google.com. That deplorable incident was well handled by Mozilla.org, but that was some time ago and Mozilla's priorities may have changed.)

Disturbingly, Movrcx adds

> members of the Tor Project did not accept his initial private disclosure.

He gives more detail here:

https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at…
Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale
Credit: @Ox000000

> The combination of chaining the vulnerabilities described below allows a malicious exit node operator or global adversary to conduct a silent remote code execution attack on all platforms of the Tor Browser. This attack is not limited to just being hypothetical in nature and evidence shows that this attack has already been possible for a number of years. The list of vulnerable deployments to this attack includes the native Tor Browser for Windows, Linux, OSX and also includes Tor Browser installations on dedicated operating systems such as Tails and Whonix.

Concerning TP ignoring his warnings, he says:

> This vulnerability was originally described publicly in concept before the initial confirmation of the feasibility of the attack. Reaction to the theoretical disclosure was mocked as non-credible by Micah Lee and Andrea Shepard.

This seems indefensible, given that Movrcx had proven that the attack works and that Tor users were attempting to post warnings to this blog (which mysteriously never appeared) that an attack appeared to be in progress which possibly involved certificates.

[boklm:]

> There was a reboot of the server hosting the blog today, and for some reason the comments on recent blog posts disappeared.

S--t happens, I know that. But this deletion just seems much too convenient for USG interests. Maybe someone made a mistake accidentally on purpose. Or maybe current or former members of NSA/TAO intruded into the server (they certainly have the motive, means, and opportunity) and deleted the posts, making sure to time the deletion and to leave other misleading clues to encourage you to assume that the "accidental" deletion was due to an intermittent bug which happened to pop up during the reboot, a bug whose appearance is too rare to be worth trying to isolate and fix.

Well, NSA/TAO is not too rare. TP is a high priority target for them, there can be little doubt of that. And I say again, you have to worry not only about current members of NSA/TAO but a steadily growing number of "alumni" who are now working for effects-for-hire companies or even worse, for Comcast. (Seriously-- I could name names but then this post would be censored, eh?)

[gk:]

> We have not been censoring comments.

Well, my warnings about a mystery node with all zeros nickname--- was that Movrcx's testing the method?-- which never completes any circuits, whose appearance in Onion Circuits seems to be associated with the AdBlock Plus (not NoScript) updater running in Tails TB never appeared in the blog. My posts asking if others were seeing the same suspicious certificates I have been seeing never appeared. My posts asking whether it might be possible to persuade news sites likely to be attacked by sophisticated well-funded attackers, such as theintercept.com, to use onion services as a way to (as I understand it) avoid the problems with CAs, especially root CAs trusted by TB which are issued to extremely repressive governments or their FVEY-based contractors.

I believe that *you* believe TP is not censoring anyone here, but I fear that there is so much political pressure being put on Shari by FBI, USIC that someone else might see deleting or censoring posts which are too critical of the USG to be the lesser of two evils, compared to USG suddenly arresting every US TP employee and effectively finishing off the Project.

More and more I must conclude that the USA is not a safe home for TP and the whole kit and kaboodle, especially critical keyrings, should relocate to a safer place (maybe Iceland or Norway?).

I have already concluded we should not trust Roger's judgment (he apparently hired CIA agent David Chasteen to write code), and if there is any fire behind the veil of smoke covering up the firing of Jacob A, he too may have shown a lack of judgment in how our enemies would exploit his personal life to harm the Project.

And now I have to question Andrea's judgment. And even that of Micah Lee. Who's left? You and a few others who never write anything in the blog.

I've been trying hard to be supportive of the Shari regime but she's certainly not making it easy right now by remaining silent on so many critical issues, such as the question of whether or not TP supports a pardon for Edward Snowden, or what TP is doing to counter the dangerous demands for backdoors and free hacking powers--- not to mention the smearing of Snowden and the entire Tor community--- by FBI Director James Comey.

Georg, please, please, please, post a blog about the attack described by Movrcx and whether or not it can be mitigated. The new edition of Tails is due tomorrow but I don't know whether it will be delayed because of the emergency.

David Chasteen was not hired to write code, he was hired for his fine skillset as a project manager.

Personally I feel the torproject lost a lot by accepting his resignation. He was dedicated to the ideals of the project and his jobset would not have touched code.

I do recall it was ioerror who bullied Dave Chasteen into quitting his job.

And to mention people with US Military credentials movrcx is also former infantryman. Can't attack David Chasteen and then praise movrcx.

Sigghhh, so much work to undo the confusion ...

> The attack was reported by a researcher who goes by Movrcx:

@movrcx (also @jmprcx, compare the avatar pictures) initiated #TorFork, while #TorStrike backfired. He planned to completely rewrite Tor and start his own network. He started by downloading the wrong repository from GitHub, much to the amusement of several TP staff, especially Isis Lovecruft. He asked Isis for help, and she gave him a pointer, but not without a teasing tweet about how Tor Project had finally tricked someone into picking up the torch and now all Tor Project personnel could go home: https://twitter.com/isislovecruft/status/766372347892920320 (Note @movrcx was @jmprcx there, and ... it's funny!).

> Disturbingly, Movrcx adds
>
> members of the Tor Project did not accept his initial private disclosure.
>
> ...
>
> This seems indefensible, given that Movrcx had proven that the attack works and that Tor users were attempting to post warnings to this blog (which mysteriously never appeared) that an attack appeared to be in progress which possibly involved certificates.

With the above in mind, you'll have to reconsider whether he was going to be taken seriously by TP staff. Yet, there's more ...

In his article, https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95, @movrcx states:

"The list of vulnerable deployments to this attack includes ... dedicated operating systems such as Tails ..."

As a TAILS user, I can tell you absolutely this is not true! Unlike TBB, the fine Tails folks sensibly switched off add on auto-update (also TBB auto-update), because they take care of these updates in their six weekly update cycle (more frequently if there are emergency updates). In about:config, I find:

extensions.torbutton.no_updates = true
extensions.update.enabled = false

Thus, Tails was never exposed to @movrcx's attack.

Also, the document you should have read is this one:
"Deep down the certificate pinning rabbit hole of "Tor Browser Exposed"", by Ryan Duff (@flyryan).
http://seclists.org/dailydave/2016/q3/51.

As Ryan Duff explains, @movrcx claimed the exploit started to work when he recompiled Firefox after editing one of its configuration files (the one that contained all Certificate Authority (CA) certificates that Firefox would consider 'built-in' to refer presented certificates against: certdata.txt (See https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt)). Specifically, he added the Burp CA to allow MITM proxy to work. That's another reason why @movrcx's claim was initially dismissed: it required a step that wasn't expectable, requiring on-site physical access (or an already pwned system).

Yet, here's the funny thing that got Ryan Duff and Erinn Atwater (@errorinn) intrigued that something really was wrong: although vanilla Firefox does not pin certificates by default, TBB switched this to do so, so the exploit should have failed even though @movrcx had compiled Burp CA in as a 'built-in' CA certificate.

Only when they got together (he writes "She had actually put a bunch of students on this task last night because she had the same concerns I did about this not being taken seriously.") did he work out why the exploit worked anyway and the truth of the matter emerge.

Essentially, Ryan explains: "It turns out that Mozilla actually doesn't use normal HPKP for certs related to their operations (like addons.mozilla.org). Instead, they use a form of static key pinning. ... it appears that with statically pinned certs, the only requirement for validation is that the certificate validates through a 'built in' CA. However, since it's not using libNSS to do the validation, [as it should have done]." And that is the actual bug that is to be fixed, not the one @movrcx thought he'd found (see https://twitter.com/errorinn/status/776859565908434944). (There's another one about Firefox's certificates expiring before they are due to be updated, but it's noticed now.)

(Someone posted a thank you to @flyryan and @movrcx, to which I posted not to forget to thank @errorinn as well, but that disappeared as the blog comments went AWOL.)

In any case, @movrcx was misattributing a Firefox bug to Tor, and @errorinn (amongst others) challenged him about why he notified Tor instead of Mozilla (https://twitter.com/errorinn/status/775823742270251010), which @movrcx never went on to do. Despite that, he tweets "And where tf is my bug bounty @Torproject?" (https://twitter.com/movrcx/status/776832762816892932).

Also, you asked:

> Well, my warnings about a mystery node with all zeros nickname--- was that Movrcx's testing the method?-- which never completes any circuits, ...

I doubt it connects to @movrcx's exploit. In any case, your Tails 2.5 should not have been updating any add-ons. Tails 2.6 is now up for downloading. See if that changes anything - I expect not. (I also do not see an all zeroes nickname in my Onion Circuits. Screenshot please? imgur.com?)

It's a shame. He seems highly motivated and technically experienced, and this could have been a redeeming opportunity where he might have become an important contributor to Tor, but instead I think he's salted the Earth with TP.

Some of his tweets:

14 Sep - Angry, he talks of weaponising his exploit (https://twitter.com/movrcx/status/776193019406090240).

16 Sep - Incensed at his unfair treatment by the Tor Project, he threatens this: "Next time I'll be responsibly disclosing to the FBI, NSA, and GCHQ." (https://twitter.com/movrcx/status/776790169739530244).

16 Sep - Here @movrcx 'confirms' he has handed over another zero-day exploit he found in Tor to the Intelligence Community (https://twitter.com/movrcx/status/776864357598826496). (I think it's a bluff.)

19 Sep - Lately, he won't acknowledge @flyryan's or @errorinn's work (https://twitter.com/movrcx/status/778017637326524416).

20 Sep - Now, he won't be reasonable to @errorinn because 'she's a man...' (https://twitter.com/errorinn/status/778020004587458560).

So, you've got to ask yourself: are you going to spurn Tor based on what he says?

> (Seriously-- I could name names but then this post would be censored, eh?)

Oh no, surely not! Why don't you try it and see? Test test test everything!

The announcements of Tails 2.6 and TB 6.0.5 should have stated clearly that they have been immunized (we hope) against the dangerous attack found by Movrcx.

Not sure what Tails did but that information is available on our blog post: "including the recently disclosed extension update vulnerability" with a link to the best write-up that was available back then.

> The announcements of Tails 2.6 and TB 6.0.5 should have stated clearly that they have been immunized (we hope) against the dangerous attack found by Movrcx.

Even if Tails 2.6 is "immunized" against the dangerous attack found by Movrcx, Tails contains an unpatched security vulnerability in the Linux kernel that has the potential to unmask your anonymity.

According to Tails' official website, version 2.6 uses Linux kernel 4.6. As of the time of this post the said kernel is still unpatched by Debian (cf: https://security-tracker.debian.org/tracker/CVE-2016-5696).

Conclusion: Use Tails 2.6 at your own risk.

See:

   https://blog.patternsinthevoid.net/cve-2016-5696-and-its-effects-on-tor…

The "potential to unmask your anonymity" is seriously overegged. The attack, using TCP blind in-window DoS attack to try and bump Tor clients towards a hostile set of relays hardly helps a de-anonymisation attack because, as Isis Lovecruft explains, Tor builds new circuits whole from scratch.

I'm using Tails 2.6 right now (with Linux kernel 4.6) and I don't experience any DoS.

Thank you for the link. Tails is based on Debian, and Georg K is Tor Project's invaluable liaison with Debian Project, so I'd like to hear his response.

The flaw you mention does sound scary:

> net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.

It is not clear to me that Tor sessions would be vulnerable; perhaps you can explain?

The Linux distributions which have reported that their version of earlier kernels are vulnerable appear to be:

> Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia

but I don't see Debian on that list. I don't know what if anything that means, but possibly Debian stable is not vulnerable. Tails uses older kernels than current Debian stable, I believe, but may patch important bugs. GK would know much more about this, I think.

If you *are* correct, I imagine the Tails 2.7 announcement will include a reference to the flaw you cited.

There *are* no competitors: aye, there's the rub.

I completely agree with you that this accidental deletion is much too convenient for USG interests, and because TP is currently based in the USA, pressure can be brought. Maybe "they" got to someone.

September 20, 2016

In reply to boklm

> for some reason

No kidding.

> the comments on recent blog posts disappeared.

Recent? As far as I can see, *all* comments *ever* mysteriously vanished.

September 24, 2016

In reply to boklm

boklm,
your reply is dated Sep. 17th to a post done on Sep. 18th is quite interesting, what's going on with your servers??

September 28, 2016

In reply to boklm

Seems to be some kind of heavy moderation going on, certain questions aren't made through, such as, why boklm above replying on the seventeenth to a post written on eighteenth.
Hope you guys get your servers in order and check the date is correctly set, thanks in advance for letting my comment through, I hope.

Long-time users of Tor and Tails will recall that, back before the Snowden leaks, Tails Project also had a blog. One day, it vanished.

Tails Project is based in France, which has government agencies which can pretty much act as they please.

Tor Project is based in USA, which has government agencies which can pretty much act as they please.

There may still be a few nations whose governments are not so ugly as the FR or US governments. Maybe one of them would be a better home for TP?

What were they thinking when they created these projects in FR or US? Or maybe it was decided by an infiltrator, who promoted these locations, so now they have full control.

September 16, 2016

Hello, how should I turn off auto-update for extensions and tor browser? So that I will not be affected by any future vulnerabilities of similar kind. I am a person used to doing update manually (apt-get update && apt-get dist-upgrade).

Thank you!

Possibilities include:

1. there are no backups

2. they don't know how (because a bug makes this too hard)

3. they don't have time (I have no doubt TP will insist this is the reason)

4. they could but are under threat of dire reprisal if they do

5. they could but know that our enemies will simply redelete them.

turn off auto-update for extensions
Tools (menu)
Add-ons Ctrl+Shift+A

click gear (symbol of a mechanical ring gear)
in menu, uncheck "Update Add-ons Automatically"

turn off auto-update for... tor browser (and search engines)
Tools (menu)
Options (windows) or Preferences (linux)

Advanced (choice in left side)
Update (choice in top row)

"Tor browser updates: ..
Check for updates..let me choose.." (click the round circle)

"Automatically update:
Search engines" (uncheck box)

also for firefox help, there is "?" (a question mark symbol) at top right. Clicking "?" opens page in new tab https://support.mozilla.org/en-US/kb/advanced-panel-settings-in-firefox

September 18, 2016

Thank you for updating tor browser.
After updating it crashed, please help.
Can you please update the roadmap for tor messenger ?

September 16, 2016

thks

Can some TP employee state whether or not 6.0.5 fixes the critical flaw discussed here?

https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at…
Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale
Credit: @Ox000000

Can Movrcx clarify whether or not he/she ran the mysterious "node zero" (all zeros nickname, no information in Onion Circuits, never completes any circuits, appears as AdblockPlus updater is running in TB)? Or was that FVEY or RU or some such entity?

For what it may be worth, TB 6.0.5 appears to run on my Debian system.

September 21, 2016

In reply to gk

Thanks, Georg!

Do you happen to know whether the TB included in Tails 2.6 has also been immunized against that particular attack? TIA!

September 21, 2016

In reply to gk

Thanks! Any idea about the mysterious node which never completes any circuits, has a nickname consisting of a long string of zeros (according to Tor Circuits in Tails 2.5), and appears to be associated with the AdBlock Plus updater running (in Tails 2.5)?

I know, Tails is a separate project, but since they closed their own blog they are impossible to reach.

TIA.

And thanks for working to improve security in Debian and Tor!

Can you provide up to date instructions for reaching Tails using TM from a Calyx account?

I have never been able to figure this out.

Years ago I tried regularly to reach Tails devs in the old chat room, but they were almost never available.

September 21, 2016

In reply to gk

Oops, panic is not optimal for putting two and two together, but now I see that the post about Tails 2.6 says TB has been upgraded to TB 6.0.5 in Tails 2.6, so current versions of TBB and Tails are immune against the attack found by Movrcx. Whew!

> so current versions of TBB and Tails are immune against the attack found by Movrcx. Whew!

Don't be too happy just yet.

Tails contains an unpatched security vulnerability in the Linux kernel that has the potential to unmask your anonymity.

According to Tails' official website, version 2.6 uses Linux kernel 4.6. As of the time of this post the said kernel is still unpatched by Debian (cf: https://security-tracker.debian.org/tracker/CVE-2016-5696).

Conclusion: Use Tails 2.6 at your own risk.

September 18, 2016

Yo
where did all the comments go?
and why was the check.torproject.org link down for over 20 hours?

September 18, 2016

I have a threat detection in tor.exe after upgrade to 6.0.5

AVG claim that it is infected by IDP.ARES.Generic (on windows 7 64bit)

September 18, 2016

I can not install the update. Got the following message see below. I did not have firefox at all. Installed firefox 48..... with no success. Still got the same message.

The update could not be installed. Please make sure there are no other copies of Firefox running on your computer, and then restart Firefox to try again.

September 18, 2016

a reboot of the server hosting the blog is a good idea _ it should be done the first of every month.
,)
have a nice day & thank you very much for your work.

Probably a false alarm. (This comes up a lot.)

That said, the flaw discovered by Movrcx appears to be one of the most devastating flaws in all TB platforms (including Tails and Whonix) ever published, so this may not be business as usual.

September 16, 2016

Is Ryan Duff's suggestion a sensible future Tor Browser enhancement? That is:

"While TorBrowser will catch the fix from the Mozilla patch, I believe they should actually change how they handle extensions overall. It seems ridiculous to me that they actually use Mozilla’s auto-update process for extensions. If NoScript or HTTPS Everywhere added a new vulnerability with an update, all Tor users would get it within a day of using the browser. Also, with the paranoia their organization seems to have, I would think Mozilla being compelled to push a malicious extension to specific Tor users would be a real concern of theirs.

To me, the logical solution would be to compile NoScript and HTTPS Everywhere themselves, sign those extensions with their own key, hardcode their public key into the TorBrowser, and then do their own cryptographic validation of extensions locally. Extension updates would go out with TorBrowser updates exactly how the TorBrowser Firefox updates are delivered."

September 18, 2016

Thank you very much.
You people are doing great.
Can you please update the roadmap for tor messenger?

September 18, 2016

idp.ares.generic warning received from AVG when doing latest install. Any suggestions?

September 18, 2016

Updated and TOR was deleted by AVG due to IDP.ares.Generic virus threat. What the heck is going on?

September 18, 2016

Hello gk, & everybody ..Devs & Anonymz :)

I disabled it because according to the ADD-ONS: "About:Addons-Memory" shows >>HTTPS-Everywhere<< usage of memory is about 10-times (or sometimes more) than >>NoScript<<

Thou: it -apparently- not providing that much of a security since famous websites like (google/gmail, yahoo, "bing", twitter, facebook..etc..etc..) are HTTPs< by default!

and --by logic-- if any other website NOT "equipped" with HTTPs then that add-on will NOT "enforce' to a-must-use!! LoL..

Looks really funny: Why is it too-essential to-must have it! While it 'eats' & wastes 10- times of memory (than: NoScript) for NOTHING!?

Thank You ALL,

NP: feeling sorry when yesterday the blog were unacceptable but now HAPPY its back to work, also noticed the "ticket" issue, Hoping the blog won't go OFF again :)

September 16, 2016

On my computer AVG antivirus detects new version of tor.exe as IDP.ARES.Generic virus.

So avg considers a whole hell of a lot virus, the only way to circumvent it. Is to allow the program through the filter. So make it an exception instead of letting it block it or sandbox it.

As normal virus programs will remove a program and put them in a secure space called a sandbox. Cutting it off from the live os.

The problem with this, is it gives the program/.exe full access to run as it likes and if it at some point turns into an actual virus I guess avg will just look away.

But other than that, just say fuck you avg and allow the program to run, if it is indeed a false positive.

I am another tor user, using another scanner.
Manually started scan.
My scanner finished "Clean"
---------------

False Positives are a problem for malware/virus scanners.
You'll see these reported at the "suspected" software forum or the malware scanner forum.

Check these web searches.
avg
false positive avg.com IDP.ARES.Generic

compare to
false positive examined IDP.ARES.Generic virus | detected
(possibly, "IDP.ARES.Generic" is avg's name for whatever code avg finds)

tor.exe
false positive tor.exe IDP.ARES.Generic

September 16, 2016

Many recent releases of the Tor browser tend to be crashy when printing. When this occurs, I lose all open tabs. When I highlight some text, right-click and search DuckDuckGo, it is regarded as a cross-site scripting violation. Why does the user interface only address small security issues, while excluding meaningful tools like Self-destructing Cookies, Toggle Referer, Blend In, Stop Fingerprinting, Calomel, et cetera?

And why is the NoScript menu pared down to a choice of all or nothing? If you really need to enable scripts, 99% of the time you only need top level scripts to make the site work... not a dozen off-site tracking scripts. "Allow everything" should be the very last option, not the first and only option! If manual approval is required to right-click & search, why is manual approval not even available for "allow top level scripts on this page"? It seems like a contradiction.

Going back to the original problem: if I attempt to change the history settings, a pop-up message says: "Tor browser must restart to enable this feature." A normal person would read that as a reminder, not a restart warning: Since there is no CANCEL button, OK typically means DISMISS THE WINDOW, not CLOSE THE BROWSER. It should never restart without the user's permission. There go my tabs again - another week's work down the drain!

This service is essential in oppressive regimes, and I am thankful for it despite the frustrations. However, I think some of the user interface security policies should be subject to review. If there is a debate about whether a common security extension should be included in Tor browser, perhaps the category should be listed in TorProject wiki, along with the justifications for excluding the feature. It makes no sense when NoScript is hobbled in a way that reduces security, referer enabled by default, weak certificates not indicated, and cookies preserved after tabs are closed. Can someone explain the logic behind all of this?

"why is the NoScript menu pared down to a choice of all or nothing?"
Try this.
Optionally, take screenshot of "general" tab of noscript options, as a "visual backup".

Drag or paste into url bar
about:config?filter=noscript.show

Optionally, take screenshot, as a "visual backup".

noscript.showAddress;true
noscript.showBaseDomain;true
noscript.showDistrust;true
noscript.showDomain;true
noscript.showGlobal;false
noscript.showRecentlyBlocked;true
noscript.showTemp;true
noscript.showUntrusted;true

Those are "user set" that I have decided that I like, after much time using noscript extension.
Edit (toggle) whichever you want

Use tor browser (try blog.torproject.org). See how noscript GUI has changed for you.
Optionally, take another screenshot of "general" tab of noscript options.

Also, you can use "Reset" button at bottom of noscript options "General" tab.

change the history settings, a pop-up message says: "Tor browser must restart to enable this feature." A normal person would read that as a reminder, not a restart warning: Since there is no CANCEL button, OK typically means DISMISS THE WINDOW, not CLOSE THE BROWSER

I also fell into this pitfall, months ago.
This "trap" is in firefox menus, Options/Preferences
Privacy (click the eye mask symbol in left column)
"History
Tor Browser will" (choose)

I'm not going to recheck this behavior, but instead of OK, maybe close the message by clicking "X" at top right corner? Is there an "X" there?
I think this qualifies for a UI bug report, if one doesn't already exist.

Some screenshots (but the older GUI in which eye mask is in top row): http://www.blogtechnika.com/how-to-disable-browsing-history-feature-in-…

Please report your issues to the bug tracker or mailing list. Not here.

Using these extensions may appear to increase your privacy. Anything they do offer is minimal and not worth the cost of diverging from the standard tor-browser user. This also applies to NoScript's lacking granularity.

Additionally, to deny tracking services may harm the site that you are interested in as they may not know which webpages are of interest by their users.

The real problem here is the centralization of the tracking services - while what they offer is no more than the site you visit already has in their own logs. If you want to opt out of tracking, you may opt out of these services... But you remain in the site's own normal [under respected] logs.

Tor browser already disassociates your tracked profile between sites. Third party cookies are isolated in per top-level domains.

The best suggestion I have is to reduce your modifications of tor-browser to the defaults. Maybe select in torbutton's menu a higher security level. Enable JavaScript on only the sites you trust (preferably the whole page.) And finally, do not use sites you do not trust. Especially do not identify yourself - even with a pseudonym.

I do agree that tor-browser could be hardened better. As you said:

- referrals aren't generally necessary (however some sites break without them :/)
- cookies preserving when tabs are closed can be inconvenient and may require the user to login more frequently

Or better yet if tor-browser supported isolated windows where you could login to different users at the same time.

September 18, 2016

For the auto-updating process, can TorProject please state the basic known requirements so this safe and convenient method can be expected to work?
E.g. Default file locations? Security slider? Others?

This makes even more sense because TorProject provides not even a description of how to maintain installation integrity after overwriting an old version with a fresh download.
E.g. guard node continuity is broken.

Perhaps can start with an acknowledgment on the download page?

Thank you.

September 16, 2016

Many of us use the last version to download the new version, so we would be vulnerable until we obtain the new version.

If we check the signature of the new version, is it safe to use (all other things being equal)?

If in doubt, can we disable the NoScript updater until we get the new version and install it?

Not sure what you mean exactly but the updater is not supposed to overwrite any user data. Thus, it won't touch your browser profile (including selected security slider level) etc. If that's not the case, please file a bug.

"If we check the signature of the new version, is it safe to use (all other things being equal)?"
The attack that you imply I think requires coordinated attacks on
the download and signature (the sha files?)
and on your computer's hash checker

maybe the easiest defense is two "independent" downloads:
1 - your computer downloads from torproject server. You check hash.
2 - a school or friend's computer, running different operating system and browser downloads from a mirror server. Check hash.

September 21, 2016

In reply to gk

Sorry I was not clear. I was trying to be nice.

In plain English the updater is fussy and doesn't work so could its prerequisites/requirements to have it work please be stated. To the extent they are known. (Win7/64)

Examples: what set of folder locations are allowable for Tor to be running from and have the updater work, what slider status, etc. etc.

Thank you.

As I started to read this post yesterday using Tails 2.5 (current version and apparently vulnerable to the cited vulnerability), I noticed the AdBlock updater was running on my device. Groan.

I wish I understood better how onion services can protect against this kind of state-sponsored fake cert, or at least knew some way of checking that a cert my browser has been served is genuine.

Question for Citizen Lab and others who know how state-sponsored MITM schemes work: when I connect to some sites, I have been noticing a warning as you "drill down" into the provided information about certs that something cannot be verified (ownership?).

Particularly strange, some USG public websites like (ooh, the irony) fbi.org have a cert and get a green lock icon, but the cert is actually owned by our favorite company cloudflare:

Issuer:

CN = COMODO ECC Domain Validation Secure Server CA 2
O = COMODO CA Limited
L = Salford
ST = Greater Manchester
C = GB

Owner:

CN = ssl[nnnnnn].cloudflaressl.com
OU = PositiveSSL Multi-Domain
OU = Domain Control Validated

"Multi-domain"?!

There is no indication that the served web pages have not been maliciously modified by that company. Recently I get a captcha page with what purports to be an image of the FBI logo, but in past I got what appears to be the genuine page, however served by cloudflaressl.com not by fbi.gov, with a cloudflare cert. So I am reading something which has a green lock icon and claims to be FBI public website, but is not actually served by FBI. I hope it is obvious why this is a big problem.

Seems a bit strange that FBI uses a UK CA, unless you assume that USIC regularly relies on UK GCHQ to attack US persons, while NSA/TAO attacks UK persons, to evade national laws in the US and UK restricting attacks on own citizens.

Similar green lock icon misinformation observed at many news sites which allegedly use https. Another oddity seen at slate.com; for some articles (often those related to computer security), the lock icon suddenly breaks, as if some articles are served using broken https protocols that my browser refuses to use.

Recall that

o NSA/TAO is known to use fake Facebook phishing sites to serve malware (to US citizens for example)

o GCHQ/JTRIG is known to use fake BBC News phishing site to serve malware (to Wikileaks volunteers for example)

o FBI is known to use fake AP News phishing site to serve malware (to US high school students for example)

What to make of all this?

(By the way, BLM OSINT has a legitimate need to visit fbi.gov to obtain some USG crime stats not available elsewhere, as well as cdc.gov and other USG sites which have similar issues.)

Relevant news stories:

https://theintercept.com/2016/09/16/new-film-tells-the-story-of-edward-…

A list of several dozen highlights from The Intercept's coverage of the Snowden leaks.

http://www.theregister.co.uk/2016/09/16/ixp_sues_german_govt_surveillan…
World's largest internet exchange sues Germany over mass surveillance
DE-CIX questions legality of government tapping its system
Kieren McCarthy
16 Sep 2016

> The world's largest internet exchange point is suing the German government for tapping its communications systems.

September 19, 2016

Also
https://check.torproject.org/
was unreachable.

1- Why server reboots? Attack? What else?

2- Did you consider alternatives to *.torproject.org if you were under some sort of attack?
I think .onion services, tor.stackexchange.com ...

Thank you

> Did you consider alternatives to *.torproject.org if you were under some sort of attack? I think .onion services,

See onion.torproject.org a.k.a. yz7lpwfhhzcdyc5y.onion for a list. There's also an onion.debian.org.

September 19, 2016

The Addon TorButton does not update recent release.

It remains blocked version 1.9.4.5.

How do I upgrade to the latest version ? > 1.9.5.7 ???

There is no update mechanism of Torbutton other than updating the browser. Are you saying you are running 6.0.5 and being stuck on that old Torbutton version? What does the about:tor page say in its upper right corner?

September 19, 2016

Hello!
Can it be used on a Windows 7?
I never changed my PC to the version 8 because of... reasons, you know.
I don't know right now what version was the latest and if Windows got better because Windows 8 is basically Windows 7 looking like *#*@* and the rest I really didn't have time to care much about solving the interface problem, I was too busy at University.
So, I really feel like... 7 years old is more than it was from XP to Vista! I'm old!
Really... can Windows 7 still cover current Tor?
Because Windows 10 is way too much pretty far away in time from 7 right now. I really don't know about the compatibility...
But I can still run the latest released games I download such as The Elder Scrolls Online.
Sorry for being so strange and English is not my first language, I don't know if I write well or specially speak well.
Thank you all

September 19, 2016

In reply to boklm

friend you are not old, I was old when windows 3.1 came out.
Do yourself a favor and if you value your anonymity stay away from win, especially 8 and up.
You see, everyone claims newer is more secure, but newer may have builtin insecurity that did not exist in the past. Keep your 7 alive for playing around and donate about 25Gb of your disk and install linux (debian LXDE is a good start) and get comfortable with it. There is so much more you can control with security by learning than trusting blind closed code. It is not a 3 day switch but eventually you will be going back to 7 less and less.
Yes tor runs fine on 7 but what is around it while it is running can not be trusted, like your other browser with social media (hint hint)

There is also bitmask VPN it only runs on linux, you can run tor on top of that and nobody can tell you are running it. There is also Tor hardened which is only available for linux.

If you have a spare USB stick 2GB+ try the Live system of debian, or tails from this mainpage here.

September 19, 2016

In reply to boklm

Just fired it up on a Windows XP VM. Works fine. Haven't tried the alpha though.

September 16, 2016

This is the first time that an update of TOR will not work from a flashdrive. What is wrong?

September 19, 2016

hi is it normal that the page opening is mozilla firefox, because the tab contains in the middle the logo of mozilla firefox, and till now i couldn't open any site, it's always telling try again proxy settings, the older versions were better, and in options i can't change it permanently to never remember history, everytime i opened it i had to go to options, and to click never remember history, do you have a better file to download it for windows 7 ?

Does your browser look something like this now?
https://bugs.torproject.org/16441#comment:1
If so, it might have refreshed itself and removed the necessary Tor addons.

The download for Windows 7 is here:
https://www.torproject.org/download/download-easy.html.en
You can make sure you got the right file by verifying the signature:
https://www.torproject.org/docs/verifying-signatures.html.en

September 20, 2016

In reply to gk

and it keeps telling me no proxy settings, yes it looks like the page you put, and for the proxy i have already checked manual configuration for socks5 but nothing working at all, in any other option

September 19, 2016

Even though this question should have been asked long ago here it is:

On debian (and I suspect other linux distros) tor and tor-config are packages within the system. I tend to run a stand alone single user tor (2 currently, 6.0.5 and 6.5.a2 Hardened). I have uninstalled the two system packages and it worked fine, due to a recent update/system restructure the 2 were re-installed by default. When I checked their configuration it uses 9050 as the socks port.

Should I keep the debian/tor packages, does it make a difference? I also use icedove with torbirdie, is there a chance it will communicate through the system's package? Are there any conflicts because of them? With the update going on and things not being responsive yesterday I was digging around trying to find out what's going on.

Also, while the check.tor... was down I run eff's panopticlick and browserprint.info to test my connection and the response was "using tor=no". One possible explanation was the exit node was new. But I kept switching and it would still say no. Today it says yes again.

September 16, 2016

Good job. Thanks. I have a question:

iranian government claims the internet has been nationalized and all the users are being supervised. In other words all the internet communications would be through nationalized channels.
How do you think we need to react? Using tor is still safe?

"Good Job . thanks "
I agree!
--------------

"internet communications would be through nationalized channels
... using tor is still safe?
"

As I understand (hopefully correctly), that method of surveillance is exactly what Tor is meant to defend against.
Essentially, tor encrypts everything from inside your computer to tor system's last "exit node".
Usually, the "exit node" is already outside your nationalized internet.
But is it possible that your nation operates exit nodes?
Yes, but this not very useful for surveillance because of tor's intermediate nodes. Tor sends your encrypted internet communication through intermediary nodes, which are already outside your nation's internet.

1 - the communications are unreadable because encrypted to the exit node.
2 - it is difficult to associate communications to your computer because tor system scatters communications "pieces" through multiple worldwide tor node computers.

"Tor sends your encrypted internet communication through intermediary nodes,
which are already outside your nation's internet."

But not outside "your nation's" internet **reach**.

Any nation (especially one with all the human resources and "security" priorities of Iran) can set up Tor nodes all over the world.

Unlike with the German project that failed in attempting to offer only effectively vetted/certified nodes, Tor doesn't even try to certify because it's too big a job. They seem to be increasing/improving their surveillance of nodes, looking for suspicious behavior.

September 19, 2016

I see all the comments disappeared.

Where do you report the websites that block tor?

September 19, 2016

In reply to dcf

What about a page to submit suspicious certificates we are handed when we visit websites using Tor Browser?

I've seen many suspicious ones and want to know if others are seeing them too, and what it means.

September 21, 2016

In reply to dcf

Can someone answer a general question?

Is it expected behavior that when you surf to some http site (e.g. a news site, a USG agency public homepage) and get a green icon with the home page (not a captcha warning), that the cert associated with the green lock icon makes no mention of the expected site, but only mentions cloudflare as owner of the cert?

To my mind this shows the CA system is completely broken, because a green lock icon for slate.com or fbi.gov should mean that the cert was issued to Slate or FBI, not to Cloudflare. Again, just reading news sites or FBI's home page, nothing "suspicious" other than using Tor.

Or is it an indication that I am being state-sponsored MITM'd (maybe Cloudflare has been issued a root cert allowing it to impersonate anyone, say google.com?)
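
The certificate questions in the comments above turn on how a browser decides that a certificate covers a site: it compares the requested hostname with the certificate's subjectAltName DNS entries, so a shared "multi-domain" certificate can be valid for a site even when its subject CN names the hosting provider. The following added example (not part of the original comments; the certificate fields and `.example` names are constructed) implements that matching rule.

```python
"""Match a hostname against a certificate's subjectAltName dNSName entries.

Follows the common RFC 6125 rules: comparison is case-insensitive, a wildcard
is only accepted as the entire leftmost label, and it covers exactly one label.
"""

# Constructed sample data modelled on the shape of a shared CDN certificate:
# the subject CN names the provider, the SAN list names the customer sites.
SUBJECT_CN = "shared-cert.cdn.example"
SAN_DNS_NAMES = [
    "shared-cert.cdn.example",
    "*.news.example",
    "news.example",
    "agency.example",
]


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """Return True if a single SAN dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Reject "*.tld" style entries and wildcards in any other label.
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.news.example"
    return p == h


def covering_entries(hostname, san_dns_names):
    """List every SAN entry that covers the hostname."""
    return [e for e in san_dns_names if dns_name_matches(e, hostname)]


def explain(hostname, subject_cn, san_dns_names):
    """Summarise why a certificate is or is not acceptable for a hostname."""
    hits = covering_entries(hostname, san_dns_names)
    return {
        "hostname": hostname,
        "covered": bool(hits),
        "matched_entries": hits,
        # Shown only for comparison: the CN plays no part in the decision.
        "cn_is_hostname": dns_name_matches(subject_cn, hostname),
    }


if __name__ == "__main__":
    for host in ("news.example", "www.news.example",
                 "a.b.news.example", "unrelated.example"):
        print(explain(host, SUBJECT_CN, SAN_DNS_NAMES))
```

A match means the CA validated the certificate holder's control of that name; it says nothing about which organisation operates the server that terminates the TLS connection.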

September 16, 2016

installed this on one PC and AVG free has detected this as a virus
will add details when I can later
Seems this PC has already updated to it as well
restart or what?
delete (using AVGFree) or what?

September 19, 2016

In this blog post you are saying that a bug on android version of Tor Browser/Orfox was fixed but there are no updated versions of Orfox available from F-droid?

Android

Bug 19706: Store browser data in the app home directory

That bugfix makes it only possible to use our code base we have for desktop Tor Browser for mobile as well. The Guardian Project is working on a new release I have heard. Not sure, though, when this is coming out.

September 19, 2016

What could have caused a fresh Tor Browser folder to randomly appear on my desktop after this update? This occurred while I was using other programs on my computer so I don't think it was something I initiated.

September 19, 2016

NoScript Bug

Torbrowser is still totally crashing on printing (to file pdf) on different websites.
That is already an issue for years.
It seems to be a very, very persistent NoScript crashbug.

For example, take this one
https://news.drweb.com/show/review/?lng=en&i=10184

There goes the browser,
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000013d9da000
and so on, very long crash report.

The 'funny' thing with this NoScript bug (I am really sure it is) is that if you choose an older mozilla browser, just pick any flavor version (Firefox/Torbrowser/ ..) in the 30's-range, and install a new NoScript version that is still officially matching that range, you almost simply can't miss a crashing browser while printing a webpage to file.

It somehow has something to do with activating a lot or to activate almost all the security settings in NoScript.
Just go from full activation to less activation and try to find out (yourself) which setting in Noscript is letting mozilla browsers crash.

September 19, 2016

Full screen option (from Menu) : no warning!

There is a full screen option in the menu "Enter Full Screen".
There are two problems with this.

- It does not warn you for 'determining monitor size' like the other screen button way of resizing does.
It just maximizes the screen.

- Maybe a Firefox issue also.
If you choose the "Enter Full Screen" option from the menu and you are not familiar with this function, some people feel they maybe get in deep trouble because they cannot figure out how to get rid of this again.

Even I at first did not find it the way most people probably do.
Esc-function did not work, so I finally chose to renew the identity which gave me a normal window again.

Would it be an idea to make the escape button function work in full screen mode?
And even better to show the main computer task bar again if the mouse is pointed to the border or a corner so people won't be in a 'panic' because they cannot directly have access to their computer navigation menu anymore?

September 16, 2016

Thanks for the quick vuln fix. Reddit noobs had a huge argument about it.
In Tor we trust.

September 19, 2016

Choosing New Identity (nor closing Torbrowser) is not cache-cleaning everything

The old Torbrowser versions 4 and earlier did something Torbrowser nowadays does not do anymore.
Torbrowser is keeping information in its memory cache (placing it in computer memory cache) after choosing new identity.
If you for example copy an url from the url bar or other text information from Torbrowser, Torbrowser is keeping that information in its cache after choosing new identity.

Even when you are closing down Torbrowser and opening another standard browser like Firefox you can still paste that information.
So the Torbrowser cache is not cleaned anymore like the older (4 and 3) versions did.
Now the only way to get rid of the Torbrowser copy-cache is by overriding information by copying some other non important information.
That is not a really practical procedure.

Please make the cache cleaning after renewal or closing down Torbrowser work again.

Err... that is the desktop clipboard, which TBB (Firefox) does not (and should not) control.

What is in the desktop clipboard needs to stay there until the user clears or overwrites it, because the user might want to paste the contents multiple times. There is no way your system can ever guess when you've finished with the clipboard's current contents. You must clear it yourself.

Anyway, I like the current clipboard behaviour: if I want to visit a link I just read on one website, I can copy it, change identity, then paste it straight into a fresh browser instance. Your way would make that a pain to do.

It's my experience too, just clicking "new identity" doesn't minimize the browser memory usage at all.
Cleaning out all cache and surfing history, and flushing the memory (about:memory) doesn't help either.
Restarting the browser (Ctrl+Alt+R) is the only way I know which get the browser down to its initial memory footprint.

September 16, 2016

What's been happening to the obfs4 bridges? Can't seem to get them lately on the bridge website.

September 19, 2016

Https everywhere toolbar menu does refer to nothing after the arrow.

Why isn't the Https everywhere add-on visible in the toolbar menu so users can directly access its preferences, settings and can be aware that the add-on status is actually active?

Not sure what you mean with "refer to nothing after the arrow". Do you have HTTPS-Everywhere visible on your about:addons page? The icon is e.g. not visible in the toolbar if the width of your screen is not sufficient.

September 20, 2016

In reply to gk

Torbrowser MacOS (X)
Main Torbrowser menu at the top
-> Tools -> HTTPS Everywhere -> (arrow) ... (empty)

I cannot remember changing window screen, 'we do not do that as been told, right?'
But I cannot check it now because I am not using the 6 version anymore because I am very highly dissatisfied with the major changes you made for MacOS after the 5 version.

But because I do like the main concept for making this browser and other people probably use this browserversion 6 I just wanted to point at this.

(Just think of MacOS if you see other comments over here about bugs you may not understand directly)

September 16, 2016

Many thanks and praise to all the devs for the great work they have done and are doing on this wonderful thing called Tor :)

September 19, 2016

Bug (also in Firefox)

Printing preferences are not remembered even within the same browser session.
Just give a print order and change a value in the standard setting in "Page headers", "Page footers" or "Appearance values".
The next print order will not remember that setting which is highly annoying if you have to print or save a lot of information.

It always remembered changed printing page values but now it is broken here too.

By the way, the standard setting of date/timeprinting information within the document is also maybe dangerous from a privacy point of view.
You can remove time metadata but you cannot remove this from a pdf document itself when saved as pdf (you would need a pdf editor for that).

Please look at this standard values omissions.

September 19, 2016

Annoying urlbar search suggestion can't be disabled

Even with this setting
browser.urlbar.suggest.searches;false
Is that a bug?

Very annoying because search suggest appearing above bookmarked suggestions when typing something (there is no need for that search suggestion field over there).
There is a separate search field for searches in the right above corner so there is no reason to make the urlbar as a search(suggestion)field too.

If you go to about:preferences#search, you'll see under your chosen default search engine two tick boxes, the first marked "Provide search suggestions", and the second (conditional to that) marked "Show search suggestions in location bar results". Check that second tick off.

Note that if you went to about:preferences#privacy, and set History to Tor Browser will: "Never remember history", the second tick box will have a warning below: "Search suggestions will not be shown in location bar results because you have configured Tor Browser to never remember history."

September 19, 2016

ок

September 16, 2016

Thank you all !!! Special thanks to @movrcx and @flyryan for pointing out the mozilla bug. Thanks to flyryan for working so long with the dev team while they fixed it.

Despite differences of opinion all worked together towards the common good. I am proud of the good work !

September 19, 2016

Ok, so I arrived to this page looking for this shasum in duckduckgo:

d79e18d691a407c9cc06ec508701bff2283d73b65d4321e254763b17d0a13a09

Which is not the same as the one I found in your link for verifying shasums:

https://dist.torproject.org/torbrowser/6.0.5/sha256sums-unsigned-build…

In summary :

d79e18d691a407c9cc06ec508701bff2283d73b65d4321e254763b17d0a13a09 ≠ 83af8ec2f8f56770a0a18bfe099cd4bf32e204bdcec8583575fb13a4f69b208a

I am doing all the process of verification well. What's the problem? Where are the comments referring the same problem? Is Tor able to continue guaranteeing our fundamental rights? If not, please do just tell us for us to take appropriate measures.

Thanks.

September 16, 2016

"Update Firefox to 45.4.0esr"

On mozilla.org, 45.4.0esr doesn't exist! ?

Mozilla plans to release 45.4.0esr on September 20th. This was also the plan for Tor Browser 6.0.5 but we released it earlier due to the vulnerability.

September 20, 2016

In reply to gk

That person has a question about sha checking as well.

I asked that question as a first poster in the former (comments-version #1) of the article-blog "Tor Browser 6.0.5 is released" .

This was the initial question:

"Downloaded TorBrowser-6.0.5-osx64_en-US.dmg sha256
d79e18d691a407c9cc06ec508701bff2283d73b65d4321e254763b17d0a13a09
Sha 256 on dist.torproject.org_torbrowser_6.0.5_sha256sums-unsigned-build
83af8ec2f8f56770a0a18bfe099cd4bf32e204bdcec8583575fb13a4f69b208a
No match, please put the easy to check and correct hashes back on that page as long as you dont explain in your long ago promised how to.
Making things not work and more difficult will only result in not checking at all anymore."

And this was the answer (thanks to web.archive.org):

"The hash does not match because the sha256sums-unsigned-build.txt file has the hashes from the builds without the code signing that is included in the final dmg files. We did not yet write instructions to remove the code signing to check that it matches the hashes from sha256sums-unsigned-build.txt, but it is still planned to do it:
https://trac.torproject.org/projects/tor/ticket/18925

However, sha256sums-unsigned-build.txt is maybe not what you want to use, depending on what you want to check. If you want to reproduce a build and check that it matches what is distributed, you will get a sha256sums-unsigned-build.txt file that you can compare with ours, and then the code signing needs to be removed from the dmg files we distribute (or added to the build you made) to check that it matches. We are working on ticket #18925 to make that easier. However if you just want to check that the dmg files you downloaded is really what we released, then you should not use the sha256sums-unsigned-build.txt file, but use the gpg signature (each dmg file is signed individually)."

web.archive.org
18 September 2016 snapshot with all the comments just right before the blog went down:
https://web.archive.org/web/20160918123532/https://blog.torproject.org/…

September 21, 2016

In reply to gk

He downloaded the TBB, googled the hash, and the sha256 for that file matched one somewhere on this page (although not that I can find), but the hash did not match the one released along with the TBB files (the URL he mentioned above). Until there is an explanation, I would be very alarmed about a hash mismatch.

Most importantly, to the OP,
Please spend some time learning how to verify the PGP signatures distributed with all Tor Browser releases. It is a much more secure procedure than comparing hashes, even without participating in the web of trust, and prevents you from ending up in a situation like this (where it is unclear what the correct hash is). PGP might look intimidating at first, but it's not as hard as you might think. The time to start is before compromise, not after.

same here ;)
sha256sum
d79e18d691a407c9cc06ec508701bff2283d73b65d4321e254763b17d0a13a09

same here, sha256sum:
d79e18d691a407c9cc06ec508701bff2283d73b65d4321e254763b17d0a13a09

September 16, 2016

good

September 20, 2016

I have the same TOR update problem with my AVG antivirus for an IDP.ARES.Generic detect! I've seen at least 4 more posts in this regard. Does anybody know what's going on? Is it only related to AVG or does any other Antivirus Program have the same issue? Please, some information would be really appreciated. Thanks.

September 16, 2016

Is there an about:config option which can mitigate this temporarily on systems where an upgrade is not feasible at the moment?

What about "extensions.update.enabled"?

By the way, I'm using TAILS OS. Tails developers make further tweaks to TBB. The above option defaults to "false" in TAILS, so the claim by @movrcx in:

https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95

that "The list of vulnerable deployments to this attack includes ... Tails ..." is false.

September 17, 2016

Recent months is tough time, Tbb is very difficult to connect to Chinese websites, which their servers locate in Chinese mainland. Have Chinese Party limited Tor users very hard or every other country who is trying to connect to Chinese?

Going by my own anecdotal experience, there was recently a change in the Great Firewall, such that it now blocks Tor exit nodes in addition to entry nodes (before, it only blocked entry nodes). The blocks go in both directions, so an exit node outside of China cannot reach a server inside of China.

For example, http://cnnic.cn/ times out for me when using Tor, but works when not using Tor. I think the change happened some time in August, 2016. We could probably find out exactly when by looking at OONI reports.

September 17, 2016

On my computer AVG antivirus detects new version of tor.exe as IDP.ARES.Generic virus.

September 21, 2016

I always visit this buy and sell website on normal firefox browser. but
when I visit the site using tor browser it says:

Access Denied
You don't have permission to access "http://www.olx.ph/" on this server.
Reference #18.8f643e17.1474466683.4a84b0f

what should I do?

September 21, 2016

I'm sorry to have to use this space to address Tails' users. (There used to be a Tails' public forum but it was discontinued a few years back.)

To: Tails users

Before you decide to use Tails 2.6, you need to know that it contains an unpatched security vulnerability that has the potential to unmask your anonymity.

According to Tails' official website, version 2.6 uses Linux kernel 4.6. As of the time of this post the said kernel is still unpatched by Debian (cf: https://security-tracker.debian.org/tracker/CVE-2016-5696).

Conclusion: Use Tails 2.6 at your own risk.

See:

   https://blog.patternsinthevoid.net/cve-2016-5696-and-its-effects-on-tor…

The "potential to unmask your anonymity" is seriously overegged. The attack, using TCP blind in-window DoS attack to try and bump Tor clients towards a hostile set of relays hardly helps a de-anonymisation attack because, as Isis Lovecruft explains, Tor builds new circuits whole from scratch.

I'm using Tails 2.6 right now (with Linux kernel 4.6) and I don't experience any DoS.

September 21, 2016

Hi, when you maximize your window TOR states something like this: when maximizing your window websites can gather data and find out the size of your screen, we recommend you keep it as it is. Or something like that. Can't TOR do something about this, so that even if you do maximize your screen you can choose what size the website can see, something similar to fraudfox? Thanks

September 21, 2016

How come I keep getting CAPTCHA loops when trying to join certain onion sites?

September 21, 2016

TOR Project is overtaken, stay away from new versions. I was suspicious for 6.0.4 version and I was right. It's not bug, it's intentional backdoor.

> TOR Project is overtaken, stay away from new versions. I was suspicious for 6.0.4 version and I was right. It's not bug, it's intentional backdoor.

The Snowden leaks include a number of published documents which explain the methods and goals of NSA and GCHQ trolling operations. These include:

o short comments,

o repetitive comments which ignore any corrections or contrary information,

o comments which attempt to reinforce notions which benefit our enemies ("everyone knows there is a backdoor in Tor"--- if ordinary citizens around the world believe that, they won't use Tor, which is what NSA and GCHQ want),

o comments which attempt to exploit systemic vulnerabilities in a community (such as Tor users); for example, the difficulty which ordinary citizens experience in gaining reliable information about computer network or software vulnerabilities.

Of course, much the same could be said of commentards paid by the RU or CN governments. And to be sure, not every comment which satisfies these conditions need be posted by an enemy operative. But over time a suggestive pattern becomes sufficiently clear to make a pretty good guess.

On balance, it is likely that our enemies want to discourage users from adopting the current versions of Tails precisely because it closed a vulnerability they had been using against selected victims.

September 17, 2016

Since the following question was still unanswered under the 6.0.4 section, could it pls be answered now?

"Ever since I've installed TBB 6.0.4 the entry node changes more often than previously.
I've read the entry was supposed to be the same for months but if I use TBB for several hours, there's a point when I've got a new entry node, and then another one. About 2 or 3 different entry nodes.
However, when I restart TBB the same "normal" guard node is back.

It's a bug?"

I am not the original poster, but I am sure that he/she and others would appreciate a response from the developers.
Thank you.

September 17, 2016

Broken and can't be disabled
Even with this setting, is that a bug?
browser.urlbar.suggest.searches;false

Very annoying, because the search suggestion appears above bookmarked suggestions when typing something (there is no need for that search suggestion field over there).
There is a separate search field for searches in the upper right corner, so there is no reason to make the urlbar a search (suggestion) field too.

September 17, 2016

Bug (also in Firefox)

Printing preferences are not remembered even within the same browser session.
Just give a print order and change a value in the standard setting in "Page headers", "Page footers" or "Appearance values".
The next print order will not remember that setting which is highly annoying if you have to print or save a lot of information.

It always remembered changed printing page values but now it is broken here too.

By the way, the standard setting of date/timeprinting information within the document is also maybe dangerous from a privacy point of view.
You can remove time metadata but you cannot remove this from a pdf document itself when saved as pdf (you would need a pdf editor for that).

Please look at these omissions in the standard values.

September 17, 2016

Torrc configuration possibilities are gone.
Excluding country top level domains is not working anymore!
Please bring this option back.

September 17, 2016

Https everywhere toolbar menu does refer to nothing after the arrow.

Why isn't the Https everywhere add-on visible in the toolbar menu so users can directly access its preferences, settings and can be aware that the add-on status is actually active?

September 17, 2016

Choosing New Identity not cache cleaning everything (nor closing Torbrowser)

The old Torbrowser versions 4 and earlier did something Torbrowser nowadays does not do anymore.
Torbrowser is keeping information in its memory cache (placing it in computer memory cache) after choosing new identity.
If you for example copy an url from the url bar or other text information from Torbrowser, Torbrowser is keeping that information in its cache after choosing new identity.

Even when you are closing down Torbrowser and opening another standard browser like Firefox you can still paste that information.
So the Torbrowser cache is not cleaned anymore like the older (4 and 3) versions did.
Now the only way to get rid of the Torbrowser copy-cache is by overriding information by copying some other non important information.
That is not a really practical procedure.

Please make the cache cleaning after renewal or closing down Torbrowser work again.

September 17, 2016

Resetting entry node not possible anymore

It is not possible to reset the entry node anymore.
It used to be possible by replacing all these files
" torrc-defaults, torrc, state, lock, geoip6, geoip, control_auth_cookie,
cached-microdescs.new, cached-microdescs, cached-microdesc-consensus, cached-certs " with the standard files like
" geoip, geoip6, torrc, torrc-defaults " .

Now you have to completely reinstall Torbrowser and have all the fuss again with different settings.
Where are all these files "torrc, state, lock, control_auth_cookie, cached-microdescs.new, cached-microdescs, cached-microdesc-consensus, cached-certs"?
Gone?

How do I change my entry node manually?

September 17, 2016

Full screen option (from Menu) : no warning!

There is a full screen option in the menu "Enter Full Screen".
There are two problems with this.

- It does not warn you for 'determining monitor size' like the other screen button way of resizing does.
It just maximizes the screen.

- Maybe a Firefox issue also.
If you choose the "Enter Full Screen" option from the menu and you are not familiar with this function, some people feel they maybe get in deep trouble because they cannot figure out how to get rid of this again.

Even I at first did not find it the way most people probably do.
Esc-function did not work, so I finally chose to renew the identity which gave me a normal window again.

Would it be an idea to make the escape button function work in full screen mode?
And even better to show the main computer task bar again if the mouse is pointed to the border or a corner so people won't be in a 'panic' because they cannot directly have access to their computer navigation menu anymore?

September 17, 2016

My computer expert son told me to learn how to use TOR by asking those who use it how to get started.

I live in Amsterdam, Netherlands for years now but as yet have found no TOR users.

Any suggestions please?

suzannedk@gmail.com

the point of using Tor is for anonymity
I can't see a bunch of Tor users meeting in a coffee shop to exchange names, contact Nos, email addresses to discuss Tor and its uses, but maybe anything is possible if you're high.

have a nice day

September 17, 2016

why had this release been previously 'scheduled'? why not just release as soon as it's ready?

September 17, 2016

Okay so I updated mine and my AVG detected a virus or something and I clicked clean. Now whenever I wanna start Tor it says The Tor executable is missing. Please help

September 25, 2016

As far as I've been able to understand the 'TB' project is a major effort on the part of a truly talented collection of extremely courageous and socially conscious individuals. The fact that the multi trillion dollar boot on our necks that is being sold as 'governance' isn't being addressed whatsoever, is a human tragedy.
I have no particular reason to be concerned what today's warped sense of justice can bring to bear against me and mine and only use TB because I know that if enough 'data' becomes inaccessible the plug becomes ever so much closer to being pulled on these profiteers of a fictional war.
I realize that most of the emotional content of this blog is related to the passion of the technical perfectionism the digital age has brought up in us all, my own as a second generation Silicon Valley technician only recently washed his hands of corporations that thought it was a good idea to bid on and receive government and military contracts so I know that any and all discourse pointing out even the tiniest of flaws is absolutely beneficial but I am here to say this: A thousand cheers for the true heroes who are standing up in a very meaningful way for the silenced voice of the people and making a difference! Now all you have to do is ask yourself "What can I do to help?" and the answer is simple: Disappear. That's right for yourself, and tell everyone you know, to offer up not a single byte of any information to these hypocrites who use a nearly unbreachable shield to protect their own movements while they examine every move of yours.
Thank you TB team for making it possible for me to make a difference in some small way and to anyone who is really butt hurt over minutia I hear there is a web sight just for you called facebook or twitter or something where you can share any little concern that you've ever had about anything at all really and the NSACIAFBIPD... won't even need to spy on you to get whatever they want to know- you can just tell them yourself. heh...
PS: I don't really mind if you censor this (LOL!) as long as the team knows that some of us really appreciate the very timely masterpiece they have created.

[This is the kind of comment which FVEY is likely to try to censor or delete]

"Disappear" by using Tor, you mean? Plus one if so.

You might be interested in Julia Angwin's book Dragnet Nation, where she interviews TB developer Mike Perry, a self-described "data refusenik".

One point of which to be aware is that refusing to carry a WiFi-capable device in itself makes you suspicious to the secretive WiFi mesh surveillance which has been constructed in some cities, and which the surveillance-industrial complex is pushing hard to extend to essentially all cities under such slogans as "safe cities". The 2014 Cobham catalog published by theintercept.com is a good place to learn more about how the complex is marketing WiFi meshes.

In case anyone missed the point: the mesh nodes (which are often located on streetlights) are not simply passive APs, they ping every nearby WiFi device for their unique identifier, so that the backend database can track every WiFi capable device (phone, laptop, tablet, PDA, bitfit, "smart clothing" [sic]) as it (and the person carrying it) moves around the city. There is no need to subpoena anyone to correlate devices with IRL identities of persons because the data reveals where people live and work, and that is usually more than half way to uniquely identify a person residing in a major city, as research on deanonymization shows. The Cobham meshes are designed to tie together public and private sector audiovideo surveillance, secret transit surveillance systems (many people don't seem to realize many city buses are bugged, not just videoed), spy Cessnas, police vehicles, undercover agents, and covert in-home surveillance systems, in real time.

Don't believe it because I say so, believe it because Cobham says so. Read the catalog, it will open your eyes.

September 26, 2016

I am using Mac OS running Yosemite. Firefox had a problem in which when reinstalling the Firefox software or Torbrowser the system reports that a newer version already exists even though it is the same Torbrowser or Firefox version installed. It appears something is being modified within an approximate 24 hour period. This issue has been corrected in Firefox version 49 but the problem still exists for Torbrowser.

October 03, 2016

Dear Tor project Team,
I am experiencing difficulties with one of
your android browser App... known as TorFox.., TorFox when
used with Tor browser in Android system..., does not work...!
Why...? is it because it's still under Beta testing...? Please
endeavor ...'t' get it fix up...Okay!
God bless you.
CG.

Not familiar with "Torfox" and I don't think it comes from Tor Project (someone please correct me if I am wrong!) since it is not listed here:

https://www.torproject.org/

In general, you should not trust anything which does not come from Tor Project (torproject.org). In the past, some items which had "tor" in their name but which were not from TP turned out to be very badly designed, maybe even state-sponsored snares.

Orfox is the TOR browser for android. You need to run it through Orbot. You need to download both apps. Start Orbot like any normal app and then long press it to start TOR connection. When the browser button lights up (lower left) touch it and Orfox will automatically start. I'm using them right now. :-)

October 04, 2016

attention idiot coders:

you are assuming the Tor port is 9150 after custom previously set to for example 9750

goodday

October 04, 2016

6.05 hangs on startup when it can't connect to 1 or more bridges instead of failing and moving on to ones that it can connect to and loading Firefox.

October 04, 2016

Tor is failing to connect with the built in obfs4 & obfs3 bridges
fails with a separate newly extracted bundle.

no basically nothing is working

October 08, 2016

Tor Browser 6.0.5 x64 linux

I noticed this empty directory: /tmp/mozilla_user0

That could be privacy related or worse.
Modification time is updated every now and then, maybe to store temporary data?

Thank you

October 10, 2016

In reply to gk

YES, this happens when I run Tor Browser.

When I close it, the directory doesn't disappear.

It happens every now and then, frequently.
Maybe watching some video on youtube or so. My privacy settings are at default.

Please, investigate.

I can help you if you tell me how.

Cheers :)

October 10, 2016

In reply to gk

tor-browser-linux64-6.0.5_en-US

I tried with "mega" and the directory mozilla_user0 appeared in /tmp when the download of a file was ready.

There are other cases that make this happen because I don't go to mega often.

Which conditions let the directory mozilla_user0 appear in /tmp ?

What about linux x86 (32bit), Windows and macOS versions ?

I have discovered that it's pleasant to find bugs, but at the moment I have no VM and very little experience and time in this period. If you need more information, help me to help you.

Cheers :)

October 11, 2016

In reply to gk

Finally I got it to happen on youtube, as I said before, but not always: maybe some youtube advertisement? Some youtube script? I go to youtube as a guest, without login.

Cheers :)

October 09, 2016

The Firefox "find" feature on Mac OS is directly linked to the TOR browser "find". If I place a search criterion, say "germany", in Firefox ver 49 for Mac OS running Yosemite, the search criterion "germany" immediately shows in the TOR browser, suggesting a link from the regular browser to the TOR browser.

Why does this link exist? The browsers should be separate.

October 20, 2016

I would like to ask that we add an option within the privacy or security settings allowing a modifier to specify how many times the TOR circuit bounces before landing on a site, instead of the usual 3.

October 25, 2016

I need help! I don't know whom to ask or how. I have a local intranet on my computer.
How can I make Tor Browser able to find and see it?