New Release: Tor Browser 7.5.6
Tor Browser 7.5.6 is now available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox.
Tor Browser 7.5.6 updates Firefox to 52.9.0esr and includes newer versions of NoScript and HTTPS Everywhere. Moreover, we added the latest Tor stable version, 0.3.3.7.
This Tor Browser version additionally contains a number of backported patches from the alpha, most notably the feature to treat cookies set by .onion domains as secure as well.
For Windows users we activated an option that prevents an accidental proxy bypass when dealing with UNC paths.
The full changelog since Tor Browser 7.5.5 is:
- All platforms
  - Update Firefox to 52.9.0esr
  - Update Tor to 0.3.3.7
  - Update Tor Launcher to 0.2.14.5
  - Bug 20890: Increase control port connection timeout
  - Update HTTPS Everywhere to 2018.6.21
  - Bug 26451: Prevent HTTPS Everywhere from freezing the browser
  - Update NoScript to 5.1.8.6
  - Bug 21537: Mark .onion cookies as secure
  - Bug 25938: Backport fix for cross-origin header leak (bug 1334776)
  - Bug 25721: Backport patches from Mozilla's bug 1448771
  - Bug 25147+25458: Sanitize HTML fragments for chrome documents
  - Bug 26221: Backport fix for leak in SHA256 in nsHttpConnectionInfo.cpp
- Windows
  - Bug 26424: Disable UNC paths to prevent possible proxy bypasses
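On Windows, a UNC path such as \\server\share is opened by the operating system's own file-sharing client rather than through the browser's proxy settings, which is the bypass Bug 26424 guards against. The following added example (not Tor Browser or Firefox code) classifies path strings and file: URLs as UNC or local and models the effect of the network.file.disable_unc_paths pref; the function names, host names and sample paths are constructed for illustration.

```python
# Added example (not Firefox/Tor Browser code): decide whether a Windows path
# string or file: URL names a UNC (network share) location.
from urllib.parse import urlsplit, unquote


def is_unc_path(path: str) -> bool:
    """True if `path` names a network share rather than a local file."""
    p = path.replace("/", "\\")            # Windows accepts both separators
    # \\?\ and \\.\ are local namespaces unless followed by UNC\server\share.
    if p[:4] in ("\\\\?\\", "\\\\.\\"):
        return p[4:].upper().startswith("UNC\\")
    # Otherwise two or more leading separators followed by a host name.
    return p.startswith("\\\\") and p.lstrip("\\") != ""


def file_url_is_unc(url: str) -> bool:
    """True if a file: URL points at a remote host or embeds a UNC path."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return False
    if parts.netloc and parts.netloc.lower() != "localhost":
        return True                        # file://server/share/...
    return is_unc_path(unquote(parts.path))  # file:////server/share/...


def check_target(target: str, disable_unc_paths: bool = True) -> str:
    """Simplified model of the pref: refuse UNC targets while it is enabled."""
    unc = file_url_is_unc(target) or is_unc_path(target)
    return "blocked" if unc and disable_unc_paths else "allowed"


# Constructed sample inputs; host and share names are placeholders.
SAMPLES = [
    r"\\fileserver\share\image.png",
    "file:////fileserver/share/image.png",
    r"\\?\UNC\fileserver\share\image.png",
    r"C:\Users\me\Pictures\image.png",
    "file:///C:/Users/me/Pictures/image.png",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{check_target(s):8} {s}")
```

A drive letter that has been mapped to a network share looks local to a string check like this one, so the classification covers only explicit UNC syntax.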
Will this version be the last on Win XP platforms?
(as firefox 52.9.0esr will be the last on XP for mozilla)
tnx
Don't know, but it will be the last FF with a smart
usable intuitive add-on GUI.
Yeah XML/XPCOM is such a "smart usable intuitive add-on GUI", reminds me of my WinXP days. C'mon my dawgh Mozilla is waging a full out war on XML since it's old, can be replaced with modern technologies, and is SLOWISH.
Yes, webextensions are horrible. Noscript not even a shadow of what it is now.
"webextensions are horrible"
Yes indeed. I would say it's a problem of too much money mozilla has... .
agreed. Also, using the NS UI is trickier since I like the temporary js enable setting.
UI access to the other per-site enableable features is interesting, but I usually keep those disabled.
Peak Firefox usability was circa version 3.6
The only necessary addons were noscript and httpseverywhere.
GooglebarLite, searchboxSync, and searchboxWP improved usability.
Since 3.6, I've had to use 2 or 3 addons to fix what mozilla broke or removed.
I also use local proxy filtering, which repairs much bad web authoring, bad headers, etc., making the web pages hugely more usable - or making even web pages just viable as web pages.
Of course in TBB, I only tighten up some prefs - I don't install addons or use the proxy.
I feel (possibly inaccurate) pseudo-empathy for security challenges that Tor and Moz devs have to take on.
Yes, we usually support the same platforms as Mozilla, so the Tor Browser releases based on esr60 won't have support for Win XP.
Many thanks as always for the great work done by the Tor devs and colleagues!! Praise well earned deserves to be repeated frequently, so please accept this sincere tribute offered once again. :)
Any idea when you release TB8 (next ESR)? I'm sure I saw schedule webpage but I can't find it
At the beginning of September when no further ESR 52 updates will be available (see: https://wiki.mozilla.org/Release_Management/Calendar for the calendar we follow). The first alpha based on ESR60 should get out today.
Just updated Tor Browser, and it shows the following error when opening the link blog.torproject.org/tor-browser-756-released from "visit our website" link, or from the location bar:
"The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies."
We have this ticket:
https://trac.torproject.org/projects/tor/ticket/26516
The URL for the Update that's given on your Web site works, but the one shown in TorBrowser's Update window (before updating) as well as on the first run tab detailing the latest changes (after updating) (without the final hyphen) fails with "The page isn’t redirecting properly" and "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."
Fix the redirect, guys. A browser update dialog links to
https://blog.torproject.org/tor-browser-756-released
When this page address has a hyphen on the end
https://blog.torproject.org/tor-browser-756-released-
Link to this 7.5.6 release info on the "Software Update" notice window has a bad URL: https://blog.torproject.org/tor-browser-756-released (it's missing the hyphen at the end of the actual page). This results in a "Problem Loading Page" error.
The Onion address for sci-hub does not appear to work. Anyone know why?
scihub22266oqcxt.onion
It did not work following Cloudflare's termination of service of Scihub domains, maybe try to contact Alexandra Elbakyan on her vk.com to ask her to make it work again
Did you try downloading the new tarball and verifying the detached signature? This always (so far) works for me.
Can you please mark .onions as secure like HTTPS so that it doesn't confuse users and that they can serve HTTP/2?
Done in the latest alpha release. Please check it out if you can and report bugs. We plan to include that into the Tor Browser 8 release.
can't dl tbb from https://www.torproject.org/download/download-easy.html
clicking the button to https://www.torproject.org/dist/torbrowser/7.5.6/torbrowser-install-7.5… and "failed" in the Download tab, retry doesn't help and
14:32:33.303 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://www.torproject.org”). Source: onfocusin attribute on DIV element. 1 download-easy.html
14:38:04.524 Strict-Transport-Security: The site specified a header that could not be parsed successfully. 1 torbrowser-install-7.5.6_en-US.exe
Your optimistic SOCKS bug sometimes corrupts HSTS headers - that's all that comes to mind.
Please, oh please, build Tor Browser for:
POWER9 (Talos II)
ARMv7 (ASUS C201, Novena, EOMA68 Computer Cards)
https://www.coreboot.org/Board_freedom_levels
https://libreboot.org/docs/hardware/c201.html
https://www.crowdsupply.com/sutajio-kosagi/novena
Ha, Talos II is a thing, indeed! https://www.coreboot.org/Board_freedom_levels
But you should ask Mozilla to support it, first. And then ask Talos II folks to obey the principles of the Tor Project. And then, if they all will be cooperative, you can be sure Tor Browser folks add support for it.
Updates , updates ... will a time come when "stuff" just work and don't
need to be "updated" not talking about Tor specifically but come on
is the "internet" that dynamic or softwares so "soft" that they need repair
every 2 or 3 weeks.
Give me a break and please keep on rocking Tor.
> Updates , updates ... will a time come when "stuff" just work and don't need to be "updated" not talking about Tor specifically but come on is the "internet" that dynamic or softwares so "soft" that they need repair every 2 or 3 weeks.
Those "repairs" are keeping you (and all of us) safe(r).
Insecurity is built so deeply into every aspect of the Internet as we know it that a hoary but unfortunately perfectly valid maxim holds that "convenience is the enemy of security". It's horrible, and possibly true only because DARPA wanted it to be true right from the beginning (see Yasha Levine's book for how dragnet surveillance was generally agreed to be a major goal of ARPANET when that was first introduced).
Many people love vehicular analogies, so here is a vehicular analogy:
salon.com
Driverless cars offer new forms of control — no wonder governments are keen
The surveillance aspects of driverless cars are a big reason why
Neil McBride
27 Jun 2018
> There’s a reason why governments are so keen on driverless cars – and it’s not just because of the potential economic benefits. They offer the chance for even greater tracking and even control of citizens’ every move. Far from setting us free, driverless cars threaten to help enable new forms of surveillance and oppression.
Not sure. Could you give us steps for reproducing your problem? On which platform does this happen? How are you trying to save images? Example link?
Could you be a bit more explicit about what exactly you are doing and what is not working for you anymore?
Question for gk:
From the PKI cert I see when I connect to blog.torproject.org:
03:1E:3D:93:17:B9:6A:40:3F:03:2A:1F:55:14:84:4B:9F:8D
...
Issuer:
CN = Let's Encrypt Authority X3
O = Let's Encrypt
C = US
...
Subject Name:
CN = 5667908084563968-fe2.pantheonsite.io
...
Subject Alt Name:
DNS Name: 5667908084563968-fe2.pantheonsite.io
...
DNS Name: afscmeatwork.org
...
DNS Name: forensicon.com
...
DNS Name: login.afscmeworks.org
...
DNS Name: www.worlddiabetesfoundation.org
Other users have verified these odd features.
So the cert which "authenticates" this blog does not authenticate that content (e.g. posts) have not been altered since leaving TP control, but only that they have not been altered since leaving pantheonsite.io (whatever that is), yes?
If pantheonsite.io is gifted with an NSL accompanied by a gag order, TP's CEO and GC will never know, yes?
The nexus with AFSCME is worrisome because of reports about a concerted effort backed by the Walton and Koch families to break that union, together with the landmark SCOTUS decision issued yesterday:
nytimes.com
Supreme Court Ruling Delivers a Sharp Blow to Labor Unions
Adam Liptak
27 Jun 2018
> Janus v. AFSCME (American Federation of State, County and Municipal Employees), No. 16-1466, was brought by Mark Janus, a child support specialist who works for the state government in Illinois.
Other certificates from news sites and other NGOs all seem to actually be owned by the site owner, with one exception: aclu.org has the same worrisome features.
It seems to me that using this kind of cert is tantamount to inviting bad trouble from the USG. Can TP obtain a cert which fulfills the implied promise to authenticate that the content we see is under TP control and not "pantheonsite.io" (whoever that is)?
To make matters worse, forensicon is a digital investigations company. Perhaps they own the pantheon site?
TIA
Asking repeatedly about the blog's TLS cert when it's been explained that it is a CDN/shared hosting cert doesn't seem all that productive.
> Not sure. Could you give us steps for reproducing your problem? On which platform does this happen? How are you trying to save images? Example link?
> Could you be a bit more explicit about what exactly you are doing and what is not working for you anymore?
Using 64bit Win7 Enterprise
Every website I go to in Tor, whether I right-click to save an image or open the image in its own window and save, it will not save unless I save it to my local drive. Image format makes no difference. Multiple websites make no difference. If I choose to save on a network, everything happens as though it worked but nothing is saved.
Tried the 8.0a9 alpha version and that does work. The version previous to 7.5.6 also worked but this one does not.
Okay, thanks for getting back to us. What happens if you flip network.file.disable_unc_paths to false in your about:config? (You might need to restart Tor Browser for this to take effect).
Any chance of getting a 52ESR Windows 64 bit build? I'm not comfortable updating to FF60 for many reasons. Now I need to choose between staying on 8.0a8 or switching to 7.5.6 32 bit build
We don't plan to backport the Windows 64bit builds support to the esr52 branch. So you will have to wait for the 8.0 release to switch to a 64bit build.
FWIW, I experienced no problems with verifying the detached sig or running TB 7.5.6.
Thanks to everyone at TP for all your hard work, and please do not fail to disobey any gag orders accompanying an NSL handed to TP! We need that kind of protection too...
Thank you for your courageous work! Keeping a close eye on all the Mozilla patches is certainly not easy ^^