Tor Browser 7.5a4 is released
Tor Browser 7.5a4 is now available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox.
A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr) we include a new Tor alpha release (0.3.1.5-alpha) + an updated OpenSSL (1.0.2l), HTTPS-Everywhere (5.2.21) and NoScript (5.0.8.1). We also update sandboxed-tor-browser (to 0.0.12).
The major new features in this alpha release are selfrando support for 32bit Linux systems, Snowflake support for macOS, and a patch that fixes a lot of our problems with the external helper app dialog. In particular, downloading files via the pdf viewer should work again. As we do in the stable series, we also avoid scary warnings popping up when entering passwords on .onion sites without a TLS certificate. We are also testing a better Tor Browser hardening on Windows by using a newer compiler for our Windows builds. If you encounter any issues that could be caused by the new compiler, we want to know about it!
The full changelog since Tor Browser 7.5a2 (for Linux since Tor Browser 7.5a3) is:
- All Platforms
- Update Firefox to 52.3.0esr
- Update Tor to 0.3.1.5-alpha
- Update OpenSSL to 1.0.2l
- Update Torbutton to 1.9.8
- Bug 22610: Avoid crashes when canceling external helper app related downloads
- Bug 22472: Fix FTP downloads when external helper app dialog is shown
- Bug 22471: Downloading pdf files via the PDF viewer download button is broken
- Bug 22618: Downloading pdf file via file:/// is stalling
- Bug 22542: Resize slider window to work without scrollbars
- Bug 21999: Fix display of language prompt in non-en-US locales
- Bug 18913: Don't let about:tor have chrome privileges
- Bug 22535: Search on about:tor discards search query
- Bug 21948: Going back to about:tor page gives "Address isn't valid" error
- Code clean-up
- Translations update
- Update Tor Launcher to 0.2.12.3
- Bug 22592: Default bridge settings are not removed
- Translations update
- Update HTTPS-Everywhere to 5.2.21
- Update NoScript to 5.0.8.1
- Update sandboxed-tor-browser to 0.0.12
- Bug 22610: Avoid crashes when canceling external helper app related downloads
- Bug 22472: Fix FTP downloads when external helper app dialog is shown
- Bug 22471: Downloading pdf files via the PDF viewer download button is broken
- Bug 22618: Downloading pdf file via file:/// is stalling
- Bug 21321: Exempt .onions from HTTP related security warnings
- Bug 21830: Copying large text from web console leaks to /tmp
- Bug 22073: Disable GetAddons option on addons page
- Bug 22884: Fix broken about:tor page on higher security levels
- Bug 22829: Remove default obfs4 bridge riemann.
- Windows
- Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
- OS X
- Bug 22831: Enable Snowflake for mac
- Linux
- Build system
Comments
Please note that the comment area below has been archived.
curious to see what has been…
curious to see what has been changed/improved
Thanks again for another…
Thanks again for another great release! I'm so glad that the team is able to track Firefox release cycles so that whenever there's an update to Firefox about to install, TBB is ready within hours!
my browser updated fine,…
my browser updated fine, loads fine, tests for network connection just fine, but when I open a new tab / try to go to bookmarked pages, the browser crashes with "a program has caused it to crash" error.
What platform are you on?…
What platform are you on? Does this happen with a respective stable bundle (which means Tor Browser 7.0.4) as well?
I get this too. Happened on…
I get this too. Happened on 7.04 and 7.02. Linux.
I have the same problem guys…
I have the same problem guys....it started crashing after updating to the latest version. I am using Windows 10 and its 64bit.
> + an updated OpenSSL (1.0…
> + an updated OpenSSL (1.0.2l)
security update for alphas only?????????
Nah. Have a look at https:/…
Nah. Have a look at https://www.openssl.org/ in the Latest News section: "25-May-2017 OpenSSL 1.0.2l is now available, including various bug fixes (no security fixes)".
> Update HTTPS-Everywhere to…
> Update HTTPS-Everywhere to 5.2.21
When are they going to upgrade to WebExtension as advertised?
When are they going to…
You can follow their progress in this ticket: https://github.com/EFForg/https-everywhere/issues/9958
Hainish has already a pull-request for review for making it an embedded web-extension: https://github.com/EFForg/https-everywhere/pull/11760
Note that the HTTPS Everywhere WebExtension is already done (it's what the Chromium HTTPS Everywhere addon is), the only work needed is to make it work on Firefox and work out the rough edges and the issues that may happen.
Will it be audited by Tor…
Will it be audited by Tor Browser developers in the alphas or just pushed upon the heads of all users as NoScript?
> Bug 18913: Don't let about…
> Bug 18913: Don't let about:tor have chrome privileges
but about:tbupdate still has???
How so? It seems to me about…
How so? It seems to me
about:tbupdate
does not have chrome privileges due tonsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT
we use. Or do you think that's not sufficient?I'm observing that about…
I'm observing that about:tbupdate and about:newtab work even when no content process is running.
Privilege of a website is…
Privilege of a website is not necessarily bound to the respective process it is running in. Think about pre e10s days: there was just a single process but nevertheless existed privilege differences between browser chrome pages and normal web content.
Shouldn't it push…
Shouldn't it push unprivileged pages out to content process in e10s?
This https://trac.torproject…
This https://trac.torproject.org/projects/tor/ticket/22699 can break it.
URI_MUST_LOAD_IN_CHILD
URI_MUST_LOAD_IN_CHILD
Hrm, isn't it better for…
Hrm, isn't it better for security to make about: pages inaccessible from the content?
Content should not be able…
Content should not be able to link to them, yes. That's what the
nsIAboutModule::MAKE_UNLINKABLE
flag is for. It's just that the page itself runs with content privileges. Normal web content should not be able to access it.Is this flag present in your…
Is this flag present in your about: pages?
https://gitweb.torproject…
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/giti…
leftover?
https://browserprint.info…
https://browserprint.info
Your browser fingerprint appears to be unique among the 38,663 tested so far.
because of System Fonts (JS/CSS) only :(
Windows 7
What values are you getting…
What result values are you getting for this particular test?
What result values are you…
Not original commenter but I got the same problem, here's mine: https://browserprint.info/view?source1=UUID&UUID1UUID=d3745189-2d27-43d…
What platform is that and…
What platform is that and which Tor Browser bundle (which language)? Does that happen with a clean, new one as well?
platform: tor-browser…
platform: tor-browser-sandbox on Linux 64 Debian, lang: en-US.
Just reinstalled it using
./sandboxed-tor-browser install
and my fingerprint looked OK again, thanks Georg! :)https://browserprint.info/view?source1=UUID&UUID1UUID=4f0d685f-9299-421…
While Trac is down, put it…
While Trac is down, put it here:
https://trac.mpc-hc.org/wiki/windows_compatibility
Using Application Verifier Within Your Software Development Lifecycle https://msdn.microsoft.com/en-us/library/aa480483.aspx
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/appl…
Thanks, interesting.
Thanks, interesting.
On second thought could you…
On second thought could you add this to the trac ticket you wanted? That way those links are a bit more visible than in the blog comments. Thanks.
Note: when content process…
Note: when content process crashes, all favicons get reloaded through catch-all circuit.
You mean that's a one time…
You mean that's a one time thing that happens immediately after the content process crashing?
Yes
Yes
Thanks, I opened https:/…
Thanks, I opened https://trac.torproject.org/projects/tor/ticket/23210. We could use some help investigating this one. :)
Just upgraded the Tor…
Just upgraded the Tor browser on 8/10/17 for Windows 10 Pro. Browser crashed and will not restart. An error message for firefox.exe of 0xc0000022 is displayed when attempting to load. Seems related to the update. Any thoughts?
1. This is an alpha version…
1. This is an alpha version and you should expect more issues.
2. This sounds like antivirus software interfering with Tor Browser's ability to function.
Since the last update Tor…
Since the last update Tor Browser keeps "exiting unexpectedly". (Windows 7)
1. This is an alpha version…
1. This is an alpha version and you should expect more issues.
2. This sounds like antivirus software interfering with Tor Browser's ability to function.
Why does this page keep …
Why does this page keep 'refreshing'? What's it with software developers? It it works they have to break it so they can 'fix' it? Keeping themselves in a job?
1. This is an alpha version…
1. This is an alpha version and you should expect more issues.
2. This sounds like antivirus software interfering with Tor Browser's ability to function.
Closing tabs doesn't free…
Closing tabs doesn't free memory. Please, do something with it.
Head over to trac.torproject…
Head over to trac.torproject.org with more details and open a ticket.
13:39:04.627 TypeError: doc…
13:39:04.627 TypeError: doc is null 1 Main.js:4244:9
in NoScript
You're going to need to be…
You're going to need to be way more detailed if you want anybody to do anything with that text.
And perhaps that's a NoScript bug as opposed to a Tor Browser bug.
Good
Good
Tor Browser Toolbar buttons…
Tor Browser Toolbar buttons are blank...I updated to latest version but still blank!
- 2 terminal opened after…
- 2 terminal opened after running the sandbox on only one (it happened one time).
- faster
thank you.
I'm having repeated issues…
I'm having repeated issues with the recent update Trend Micro is showing the update is infecting various files within the build including firefox.exe. I have downloaded build and having the same problem. Am I alone?
This sounds like a Trend…
This sounds like a Trend Micro problem. Antivirus software really hates Tor Browser. Every new release there's people complaining about their favorite antivirus software breaking Tor Browser. Or complaining about a broken Tor Browser but not knowing why it is broken.
Menu>?>About Tor Browser-…
Menu>?>About Tor Browser- Click any link but only once.
https://panopticlick.eff.org/
Medium/Low security level unique
High Security level more unique
https://browserprint.info
Linux machine guessed, experimental Audio test=Red, with or without sandbox pulseaudio enabled.
Sandboxed Linux alpha TB
I am getting Trend Micro…
I am getting Trend Micro tell me that update is posing a threat to my system and is deleting both firefox and tor from my system
This sounds like a Trend…
This sounds like a Trend Micro problem. Antivirus software really hates Tor Browser. Every new release there's people complaining about their favorite antivirus software breaking Tor Browser. Or complaining about a broken Tor Browser but not knowing why it is broken.
sounds like the AV are on…
sounds like the AV are on the team of anti privacy.
----------------------------…
---------------------------------------------------------------------------------------
- sandbox : 0.0.12
- updated : 7.0.4
-
- but yesterday it was 7.5.a4 (We also update sandboxed-tor-browser to 0.0.12).
- have you downgrade it or is it a bug, a hack ?
- if it is a hack you should think twice before promoting Tor ...
- firefox : 52.3
- https-everywhere : 5.2.21
- noscript : 5.0.8.1
-
- conflict with Tor Browser 7.0.4 : noscript & https-everywhere broken !
---------------------------------------------------------------------------------------
Now i must purge both and only choose one for a new install but whitch ?
7.5a4 is an alpha (testing)…
7.5a4 is an alpha (testing) release. You can tell that it's an alpha, because there is an "a" in the version.
7.0.4 is a stable release. You can tell that it's not an alpha release, because there is no "a" in the version.
When first installing a browser bundle via the sandbox, it prompts you to pick between "release" (aka stable, in this case 7.0.4) or "alpha" (7.5a4), and will install the latest version of the particular series and keep it up to date.
For what it's worth 7.0.4 works fine for me, both with a bundle that's been incrementally upgraded for a while, and with a fresh install. And 7.5a4 appears to work from a fresh install as well.
In general people will probably have a better experience with the stable bundle, because that's what I use. If people want to see the alpha better supported, then people should fund development.
i do agree _like most users_…
i do agree _like most users_ but ... when a suspicious behavior of a soft happens ; i must report it :
- SandBox7.5a4 : an update downgrades it as 7.0.4 (2 days ago)_works fine/not broken
- TorBrowser-7.0.4 : broken (2 days ago).
is it related at selinux, apparmor, tomoyo ? is it related at my work on my computer/console in the same time ? is it a bug ? is is it a bad coding or an attack ?
i report it for improving your work not for criticize / calumny/ hurt you _ team & project included_.
it is not at all normal that an update downgrades Tor-sandbox & breaks my TorBundle_stable (moved in another folder); i do repeat it , something is wrong.
Sorry for the misunderstanding & the inconvenience.
# When first installing a browser bundle via the sandbox, it prompts you to pick between "release" (aka stable, in this case 7.0.4) or "alpha" (7.5a4), and will install the latest version of the particular series and keep it up to date.
No, that's wrong ; i install 0.0.12 as alpha (unstable/unsecure) = 7.5a4 : none choice/option is shown & the latest version is not 7.0.4 !
ho !!! grrr ...
Installing 2 versions (TorBundle & Tor-Sandbox) does not work at all ...
red avert : you do ask to be involved and you do not accept the answers when it does not give you an advantage or a good reputation : bad,sneak,nasty,undeveloped mind.
This is incoherent and not…
This is incoherent and not worth responding to beyond:
"Come back when you learn how to write something with clear steps for reproduction, and without incomprehensible ad hominem attacks."
my trend micro antivirus…
my trend micro antivirus software deletes tor browser (not entirely, but it deletes some files saying they contain visurses: heu_cdpl...)
This sounds like a Trend…
This sounds like a Trend Micro problem. Antivirus software really hates Tor Browser. Every new release there's people complaining about their favorite antivirus software breaking Tor Browser. Or complaining about a broken Tor Browser but not knowing why it is broken.
Your browser security is at…
Your browser security is at risk.
Update Firefox now to protect yourself from the latest malware.
Update now
on https://www.mozilla.org/en-US/firefox/52.3.0/releasenotes/
Try to open :) chrome:/…
Try to open :) chrome://browser/content/browser.xul
sandbox 0.0.12 : i success…
sandbox 0.0.12 : i success update https-everywhere addon , i did not know that it was possible/allowed.
It's not actually updating,…
It's not actually updating, though it appears to succeed.
Guess I should try to make the failure more apparent.
I went and filed https://trac.torproject.org/projects/tor/ticket/23265 for this, but it's a low priority because it requires explicit user intervention, and even if the update appears to work, it won't actually do anything.
After running up, will not…
After running up, will not work at all
What do you mean? Do you get…
What do you mean? Do you get any error messages?
14:30:31.152 A promise chain…
14:30:31.152 A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.j…
Date: Mon Aug 21 2017 14:30:14 GMT+0000 (UTC)
Full Message: TypeError: inspector is undefined
Full Stack: nsContextMenu.prototype.inspectNode/<@chrome://browser/content/nsContextMenu.js:576:11
Handler.prototype.process@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:932:23
this.PromiseWalker.walkerLoop@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:813:7
this.PromiseWalker.scheduleWalkerLoop/<@resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js:747:11
1 nsContextMenu.js:576
Please explain how to…
Please explain how to reproduce this.
Are you a Tor Browser…
Are you a Tor Browser developer? If so, you should know how.
1503346952700 addons…
1503346952700 addons.webextension. WARN Loading extension 'null': Reading manifest: Error processing permissions.1: Unknown permission "privacy"
1503346966700 addons.webextension. WARN Loading extension 'null': Reading manifest: Error processing devtools_page: An unexpected property was found in the WebExtension manifest.
https://vbdvexcmqi.oedi.net…
https://vbdvexcmqi.oedi.net/blog/tor-browser-75a4-released
Error 501 Not Implemented
Not Implemented
Guru Mediation:
Details: cache-ord1740-ORD 1503395051 588594675
Varnish cache server
This isn't helpful at all…
This isn't helpful at all without context.
I thought the same when got…
I thought the same when got that instead of that page.
08:37:21.629 A promise chain…
08:37:21.629 A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.j…
Date: Wed Aug 23 2017 08:37:07 GMT+0000 (UTC)
Full Message: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [imgIRequest.image]
Full Stack: JS frame :: chrome://browser/content/content.js :: PageInfoListener.serializeElementInfo :: line 1279
JS frame :: chrome://browser/content/content.js :: PageInfoListener.getMediaItems/addImage :: line 1170
JS frame :: chrome://browser/content/content.js :: PageInfoListener.getMediaItems :: line 1204
JS frame :: chrome://browser/content/content.js :: PageInfoListener.processFrames :: line 1144
JS frame :: resource://gre/modules/Task.jsm :: TaskImpl_run :: line 319 1 content.js:1279
So how do I download this…
So how do I download this for iPhone? I'm not sure what I'm doing here
There is no official Tor…
There is no official Tor Browser for the iPhone. You could try Onion Browser instead. See: https://vbdvexcmqi.oedi.net/blog/tor-heart-onion-browser-and-more-ios-t….
17:02:19.418 TypeError:…
17:02:19.418 TypeError: parentWin.torbutton_get_property_string is not a function 1 external-app-blocker.js:92:17
According to console.log…
According to console.log NoScript also uses moz-extension://c576e1fa-1243-4695-8cc2-c924a0b93789/legacy.js
That means it doesn't block such addresses when configured properly.
I'm no programmer, but it…
I'm no programmer, but it looks like you folks are constantly improving TOR. When I learned that Google was doing the nasty's, I started using TOR more often to keep unwanted critters out of my life. Thanks for all your dedication and hard work.
TypeError: can't access dead…
TypeError: can't access dead object
Stack trace:
getRootBindingParent@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/layout/utils.js:504:7
isAnonymous@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/layout/utils.js:539:31
WalkerActor<.attachElements@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/inspector.js:1058:46
WalkerActor<.attachElement@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/inspector.js:1037:33
WalkerActor<.findInspectingNode@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/inspector.js:1494:12
generateRequestHandlers/ resource://devtools/shared/protocol.js:1042:19
onPacket@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1743:15
ChildDebuggerTransport.prototype.receiveMessage@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/transport/transport.js:761:7
protocol.js:906
A promise chain failed to handle a rejection. Did you forget to '.catch', or did you forget to 'return'?
See https://developer.mozilla.org/Mozilla/JavaScript_code_modules/Promise.j…
Date: Mon Sep 04 2017 18:10:49 GMT+0000 (UTC)
Full Message: Protocol error (unknownError): can't access dead object
Full Stack: JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: PendingErrors.register :: line 194
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: this.PromiseWalker.completePromise :: line 715
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: Handler.prototype.process :: line 968
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: this.PromiseWalker.walkerLoop :: line 813
JS frame :: resource://gre/modules/Promise.jsm -> resource://gre/modules/Promise-backend.js :: this.PromiseWalker.scheduleWalkerLoop/< :: line 747
[09-07 14:09:16] Torbutton…
[09-07 14:09:16] Torbutton INFO: controlPort >> 650 STREAM 30 DETACHED 7 aus1.torproject.org:443 REASON=END REMOTE_REASON=RESOURCELIMIT