New Release: Tor Browser 7.5.6

Tor Browser 7.5.6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 7.5.6 updates Firefox to 52.9.0esr and includes newer versions of NoScript and HTTPS Everywhere. Moreover, we added the latest Tor stable version, 0.3.3.7.

This Tor Browser version additionally contains a number of backported patches from the alpha, most notably the feature to treat cookies set by .onion domain as secure as well.

For Windows users we activated an option that prevents an accidental proxy bypass when dealing with UNC paths.

The full changelog since Tor Browser 7.5.5 is:

  • All platforms
    • Update Firefox to 52.9.0esr
    • Update Tor to 0.3.3.7
    • Update Tor Launcher to 0.2.14.5
      • Bug 20890: Increase control port connection timeout
    • Update HTTPS Everywhere to 2018.6.21
      • Bug 26451: Prevent HTTPS Everywhere from freezing the browser
    • Update NoScript to 5.1.8.6
    • Bug 21537: Mark .onion cookies as secure
    • Bug 25938: Backport fix for cross-origin header leak (bug 1334776)
    • Bug 25721: Backport patches from Mozilla's bug 1448771
    • Bug 25147+25458: Sanitize HTML fragments for chrome documents
    • Bug 26221: Backport fix for leak in SHA256 in nsHttpConnectionInfo.cpp
  • Windows
    • Bug 26424: Disable UNC paths to prevent possible proxy bypasses
Anonymous

June 26, 2018

Permalink

Thank you for your courageous work! Keeping up a close eye on all the Mozilla patches is certainly not easy ^^

Anonymous

June 26, 2018

Permalink

Does this version will be the last on Win XP platforms?
(as firefox 52.9.0esr will be the last no XP for mozilla)

tnx

Yeah XML/XPCOM is such a "smart usable intuitive add-on GUI", reminds me of my WinXP days. C'mon my dawgh Mozilla is waging a full out war on XML since it's old, can be replaced with modern technologies, and is SLOWISH.

agreed. Also, using the NS UI is trickier since i like the temporary js enable setting.
UI access to the other per-site enableable features is interesting, but I usually keep those disabled.

Peak Firefox usability was circa version 3.6
The only necessary addons were noscript and httpseverywhere.
GooglebarLite, searchboxSync. and searchboxWP improved usability.

Since 3.6, I've had to use 2 or 3 addons to fix what mozilla broke or removed.
I also use local proxy filtering, which repairs much bad web authoring, bad headers, etc., making the web pages hugely more usable - or making even web pages just viable as web pages.

of course in TBB, I only tighten up some prefs - I don't install addons or use the proxy.

I feel (possibly inaccurate) pseudo-empathy for security challenges that Tor and Moz devs have to take on.

Anonymous

June 26, 2018

Permalink

Many thanks as always for the great work done by the Tor devs and colleagues!! Praise well earned deserves to be repeated frequently, so please accept this sincere tribute offered once again. :)

Anonymous

June 26, 2018

Permalink

Just updated Tor Browser, and it shows the following error when opening the link blog.torproject.org/tor-browser-756-released from "visit our website" link, or from the location bar:

"The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies."

Anonymous

June 26, 2018

Permalink

The URL for the Update that's given on your Web site works, but the one shown in TorBrowser's Update window (before updating) as well as on the first run tab detailing the latest changes (after updating) (without the final hyphen) fails with "The page isn’t redirecting properly" and "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

Anonymous

June 27, 2018

Permalink

can't dl tbb from https://www.torproject.org/download/download-easy.html
clicking the button to https://www.torproject.org/dist/torbrowser/7.5.6/torbrowser-install-7.5… and "failed" in the Download tab, retry doesn't help and
14:32:33.303 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://www.torproject.org”). Source: onfocusin attribute on DIV element. 1 download-easy.html
14:38:04.524 Strict-Transport-Security: The site specified a header that could not be parsed successfully. 1 torbrowser-install-7.5.6_en-US.exe

Anonymous

June 27, 2018

Permalink

Updates , updates ... will a time come when "stuff" just work and don't
need to be "updated" not talking about Tor specifically but come on
is the "internet" that dynamic or softwares so "soft" that they need repair
every 2 or 3 weeks.
Give me a break and please keep on rocking Tor.

> Updates , updates ... will a time come when "stuff" just work and don't need to be "updated" not talking about Tor specifically but come on is the "internet" that dynamic or softwares so "soft" that they need repair every 2 or 3 weeks.

Those "repairs" are keeping you (and all of us) safe(r).

Insecurity is built so deeply into every aspect of the Internet as we know it that a hoary but unfortunately perfectly valid maxim holds that "convenience is the enemy of security". It's horrible, and possibly true only because DARPA wanted it to be true right from the beginning (see Yasha Levine's book for how dragnet surveillance was generally agreed to be a major goal of ARPANET when that was first introduced).

Many people love vehicular analogies, so here is a vehicular analogy:

salon.com
Driverless cars offer new forms of control — no wonder governments are keen
The surveillance aspects of driverless cars are a big reason why
Neil McBride
27 Jun 2018

> There’s a reason why governments are so keen on driverless cars – and it’s not just because of the potential economic benefits. They offer the chance for even greater tracking and even control of citizens’ every move. Far from setting us free, driverless cars threaten to help enable new forms of surveillance and oppression.

Question for gk:

From the PKI cert I see when I connect to blog.torproject.org:

03:1E:3D:93:17:B9:6A:40:3F:03:2A:1F:55:14:84:4B:9F:8D
...
Issuer:
CN = Let's Encrypt Authority X3
O = Let's Encrypt
C = US
...
Subject Name:
CN = 5667908084563968-fe2.pantheonsite.io
...
Subject Alt Name:
DNS Name: 5667908084563968-fe2.pantheonsite.io
...
DNS Name: afscmeatwork.org
...
DNS Name: forensicon.com
...
DNS Name: login.afscmeworks.org
...
DNS Name: www.worlddiabetesfoundation.org

Other users have verified these odd features.

So the cert which "authenticates" this blog does not authenticate that concent (e.g. posts) have not been altered since leaving TP control, but only that they have not been altered since leaving pantheonsite.io (whatever that is), yes?

If pantheonsite.io is gifted with an NSL accompanied by a gag order, TP's CEO and GC will never know, yes?

The nexus with AFCSME is worrisome because of reports about a concerted effort backed by the Walton and Koch families to break that union, together with the landmark SCOTUS decision issued yesterday:

nytimes.com
Supreme Court Ruling Delivers a Sharp Blow to Labor Unions
Adam Liptak
27 Jun 2018

> Janus v. AFSCME (American Federation of State, County and Municipal Employees), No. 16-1466, was brought by Mark Janus, a child support specialist who works for the state government in Illinois.

Other certificates from news sites and other NGOs all seem to actually be owned by the site owner, with one exception: aclu.org has the same worrisome features.

It seems to me that using this kind of cert is tantamount to inviting bad trouble from the USG. Can TP obtain a cert which fufills the implied promise to authenticates that the content we see is under TP control and not "pantheonsite.io (whoever that is)?

To make matters worse, forensicon is a digital investigations company. Perhaps they own the pantheon site?

TIA

> Not sure. Could you give us steps for reproducing your problem? On which platform does this happen? How are you trying to save images? Example link?

> Could you be a bit more explicit about what exactly you are doing and what is not working for you anymore?

Using 64bit Win7 Enterprise

Every website I go to in Tor, whether i right-click to save an image or open the image in its own window and save, it will not save unless i save it to my local drive. Image format makes no difference. Multiple websites make no difference. If I choose to save on a network, everything happens as thought it worked but nothing is saved.

Tried the 8.0a9 alpha version and that does work. The version previous to 7.5.6 also worked but this one does not.

Anonymous

June 28, 2018

Permalink

Any chance of getting a 52ESR Windows 64 bit build? I'm not comfortable updating to FF60 for many reasons. Now I need to choose between staying on 8.0a8 or switching to 7.5.6 32 bit build

Anonymous

June 28, 2018

Permalink

FWIW, I experienced no problems with verifying the detached sig or running TB 7.5.6.

Thanks to everyone at TP for all your hard work, and please do not fail to disobey any gag orders accompanying an NSL handed to TP! We need that kind of protection too...

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

2 + 10 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.