Tor Browser 6.0a4-hardened is released

by boklm | March 18, 2016

A new hardened Tor Browser release is available. It can be found in the 6.0a4-hardened distribution directory and on the download page for hardened builds.

This release updates firefox to 38.7.1. Mozilla decided to disable the Graphite library in this release and we are taking the same action: irrespective of the security slider settings the Graphite library won't be used for rendering fonts in Tor Browser 6.0a4-hardened. The Graphite font rendering library was already disabled for users on the security level "High" or "Medium-High".

Note: There is no incremental update from 6.0a3-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a3-hardened:

Tor Browser 6.0a4-hardened -- March 18 2016

  • All Platforms
    • Update Firefox to 38.7.1esr
    • Update Torbutton to 1.9.5.2
      • Bug 18557: Exempt Graphite from the Security Slider
    • Bug 18536: Make Mosaddegh and MaBishomarim available on port 80 and 443

Comments

Please note that the comment area below has been archived.

March 19, 2016

Permalink

I've had this problem for several months now, where I can't watch embedded twitter videos on websites anymore, even with NoScript turned off and security level at the lowest setting.

March 20, 2016

Permalink

Thanks for helping us protect ourselves a bit better from those who are convinced that it's their God-given right to violate our civil liberties.

March 20, 2016

Permalink

希望你们的TOR路由器开发MAC地址克隆的功能,达到更好的匿名性。

Google Translate:
I hope you develop the TOR router MAC address cloning feature to achieve better anonymity.

March 20, 2016

Permalink

MAC地址欺骗功能对于匿名用户可是非常有用。

Google Translate:
MAC address spoofing function, but very useful for anonymous users.

March 20, 2016

In reply to boklm

Permalink

集成到TOR里面更方便,我想任何TOR用户都不希望暴露自己的真实身份。

Google Translate:
Integrated into the TOR which is more convenient, I think any TOR users do not want to expose his true identity.

March 21, 2016

In reply to boklm

Permalink

My friend uses obs4 and has one server then an exit server.
All of the country ids are in a UKUSA agreement country or a third party country except occasionally in russia but never without being in a UKUSA country also.
UKUSA country and third party countries UK, USA, Australia, New Zealand, Norway, Netherlands, Sweden, Germany, Italy, Spain, Belgium, Canada, France and Demark.
My friend is concerned that the tor relay and traffic us being compromised?

March 22, 2016

In reply to boklm

Permalink

Technitium Mac Address Changer is a free, extremely easy to use software at an operating system level.
the above suggested software allows any wired or wireless port to have it's mac address changed to a random one chosen out of hundreds of thousands of bona fide mac addresses in the database. there are no doubt many such softwares all offering the same potential

however RE your original concern, it is my understanding that a mac address is only known on the local network (eg , at a public wi fi spot your computer can be identified out of all the users) but the mac address is never known to the server hosting your internet or the web pages your visit. I believe thus (please correct me if I'm wrong) that mac address is only a reasonably superficial level of vulnerability

however if the 'powers that be' know your computer or device belongs to 'you ', then they know your mac address = ' you '

So this may have ramifications in a court if they need to prove a link

many more experienced viewers may wish to correct me

March 21, 2016

In reply to boklm

Permalink

Last Tails version that spoofed MAC addresses for me was Tails 1.8.2. Starting with Tails 2.0, message appears that my network card is disconnected and I have to unselect 'Enable MAC addrssing spoofing' to connect to the internet.

March 20, 2016

Permalink

Your little Tor Project amounts to extortion. I am going to track you cunts down and rip your fucking heads off.

March 21, 2016

Permalink

what is the VPN to use on TOR.? and what is the best way to set up TOR so it is at the best levels of anonymity for use on the "Dark_Web"

Peace

XxXxX

March 22, 2016

Permalink

i like your hard work
but i am also very upset by your meaningless Captchas

even when i open a saved/bookmarked link in TOR it still appears , and not only single CAPTCHA fucking series of them

CAN YOU PLEASE DO SOMETHING FOR THIS MATTER

please don't say that this is for safety ... it,s insane having too many

April 01, 2016

In reply to gk

Permalink

Would it be possible to move the "Get new Tor circuit for this site" menu option to its own button? It'd make blocking bypass so much easier. (Even better would be if, once clicked, it detected the cloudflare or other common blocking service header/title and automatically kept trying to get new circuits for some amount of tries or the actual page loads.) I can only click-scroll-click so many times until I just give up.

The proof of work solution sounds ridiculous, imo. What's to stop a botmaster from just ripping it out of the tor browser code and popping it in it's bot? (Run out of tokens? Then make a new "browser".) Also, yes, let's place more processor/energy burden on people who are only trying to protect their anonymity. When everything already goes more slowly through tor...
https://github.com/gtank/captcha-draft/blob/master/captcha-plugin-draft…

April 06, 2016

In reply to gk

Permalink

Cloudflare is malware parading as securing software. The most worthless garbage ever developed.

March 24, 2016

Permalink

"Make Mosaddegh and MaBishomarim available on port 80 and 443 " what is this?

March 30, 2016

Permalink

Is it just me or is there a vulnerability to code distribution if this website goes dark or DDS attack.
Would a crypto file in Tor be consulted for updates or ip for site recovery if primary routes become "unreachable"?

would an alert popup "primary ip for update not resolving"
relaunhcing tor to firewalled backup node.

April 07, 2016

Permalink

I can't run this on Gentoo Hardened. Are there any external dependencies I need to have already installed?

April 08, 2016

Permalink

What's the deal with these experimental browsers? I check for update, still on the 5.4 (or something) but then i see this 6.0 for windows? Could some1 please explain