Tor Browser Release

Discussion in 'privacy technology' started by 1PW, Apr 28, 2015.

  1. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello Mister X:

    I agree again. I have not received an acknowledgement/reply from the support folks. Perhaps email from other users might attract more attention.

    Maybe they were temporarily inundated with the latest updates and transitioning of the new Executive Director.

    Cheers.

    Edit: I have opened a Tor Project ticket: https://www.mail-archive.com/tor-bugs@lists.torproject.org/msg87443.html
     
    Last edited: Dec 19, 2015
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    I noticed if you go to the directory: https://dist.torproject.org/torbrowser/5.0.6/
    sha256sums.txt is NOT visible , only sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt
    However, the hashes in sha256sums.txt are exactly the same as the ones in sha256sums-unsigned-build.txt
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Nice move and thank you for your efforts...
     
  4. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello Mister X:

    All hash checks are very important. Yet those hashes, for the Tor Browser, can attract additional attention for those whose privacy could help to protect lives.

    So it's others who should thank you for bringing the issue to light. Thank you Mister X.

    Cheers
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    You're welcome.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Do you guys dislike the gpg --verify method for some reason? Lots of folks seem to avoid it and I always wondered why. Maybe its because I spend so much time using gpg it is second nature to me.
     
  7. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello Planancar:

    Yes you are right! With the necessary customizations, the GnuPG based integrity check seems to be quite valid in this case.

    However, it remains that the published SHA-256 hashes, for the Tor Browser installer, have no present integrity value.

    If I was that very special Tor Browser user and I am deadly serious about all integrity checks, I would be a bit concerned at the least.

    Cheers
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Well I don't know if I am that special :p but I'm still concerned for that inconsistency. FWIW I run it always sandboxed (SBIE) never otherwise, not even for testing or anything. As soon I run the installer to put its files on another partition/folder (Shadow Defender in shadow mode) I reboot the machine and start using Tor sandboxed.
     
  9. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello All:

    I only checked today and found that the Tor Bug Tracker topic I opened on December 18th (Ref: post #26), had been closed the next day:

    hXXps://lists.torproject.org/pipermail/tor-bugs/2015-December/091417.html

    Perhaps, as @Planacar implies (post #31), this elevates the 'gpg --verify' methodology to the best high integrity choice after all.

    Thank you.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    @1PW Thank you.
     
  11. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello Mister X:

    We are wiser for your observation. Thanks to you!
     
  12. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.0.7 Stable on 07-January-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-507-released
    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.0.7/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.7/

    VT: 1/52 Digitally signed & countersigned (Win32 en-US)
     
  13. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.5 Stable on 27-January-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-55-released

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5/

    VT = 1/54 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US Download SHA256: e337989b728e1488eead6e6d8bcebef4d4ac64a9256df34dd8725401b249d9c6

    Note: Uses Mozilla's Firefox 38.6.0esr.
     
    Last edited: Jan 27, 2016
  14. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.5.1 Stable on 05-February-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-551-released

    Changelog:
    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.1/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.1/

    VT = 1/52 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 70d19ac751148bbf15abda3b997e911f5abe96907e9b9d05bb25bb057b488f03

    Note: Uses Mozilla's Firefox 38.6.0esr.
     
  15. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.5.2 Stable on 12-February-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-552-released

    Changelog:
    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.2/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.2/

    VT = 0/54 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 31fa548183673449bc0b31b43b919c96663a398bd6895eae9bc6d0d610975963

    Note: Uses Mozilla's Firefox 38.6.1esr.
     
  16. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.5.3 Stable on 08-March-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-553-released

    Changelog:
    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.3/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.3/

    VT = 1/55 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 83f95b57a9afc70d34dc6348b51dc30efb466401869c87fe34f9e3180ae4b7f6

    Note: Uses Mozilla's Firefox 38.7.0esr.
     
  17. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.5.4 Stable on 18-March-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-554-released

    Changelog:

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.4/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.4/

    VT = 1/54 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 7c975affbfa95b924e84a678b599e92e8889af09254ce2aa78893baab4e4144f
     
  18. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.5.5 Stable on 26-March-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-555-released

    Changelog:
    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.5/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.5/

    VT = 0/56 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 5586619eeb19e5d38d80865cd0213e3afa0e26f43ceb21ca93a1c9f59d939269

    Note: Uses Mozilla's Firefox 38.8.0esr.
     
  19. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 6.0 Stable on 30-May-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-60-released

    Tor Browser 6.0 -- May 30

    All Platforms
    Update Firefox to 45.1.1esr
    Update OpenSSL to 1.0.1t
    Update Torbutton to 1.9.5.4
    Bug 18466: Make Torbutton compatible with Firefox ESR 45
    Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
    Bug 18905: Hide unusable items from help menu
    Bug 16017: Allow users to more easily set a non-tor SSH proxy
    Bug 17599: Provide shortcuts for New Identity and New Circuit
    Translation updates
    Code clean-up
    Update Tor Launcher to 0.2.9.3
    Bug 13252: Do not store data in the application bundle
    Bug 18947: Tor Browser is not starting on OS X if put into /Applications
    Bug 11773: Setup wizard UI flow improvements
    Translation updates
    Update HTTPS-Everywhere to 5.1.9
    Update meek to 0.22 (tag 0.22-18371-3)
    Bug 18371: Symlinks are incompatible with Gatekeeper signing
    Bug 18904: Mac OS: meek-http-helper profile not updated
    Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    Bug 18900: Fix broken updater on Linux
    Bug 19121: The update.xml hash should get checked during update
    Bug 18042: Disable SHA1 certificate support
    Bug 18821: Disable libmdns support for desktop and mobile
    Bug 18848: Disable additional welcome URL shown on first start
    Bug 14970: Exempt our extensions from signing requirement
    Bug 16328: Disable MediaDevices.enumerateDevices
    Bug 16673: Disable HTTP Alternative-Services
    Bug 17167: Disable Mozilla's tracking protection
    Bug 18603: Disable performance-based WebGL fingerprinting option
    Bug 18738: Disable Selfsupport and Unified Telemetry
    Bug 18799: Disable Network Tickler
    Bug 18800: Remove DNS lookup in lockfile code
    Bug 18801: Disable dom.push preferences
    Bug 18802: Remove the JS-based Flash VM (Shumway)
    Bug 18863: Disable MozTCPSocket explicitly
    Bug 15640: Place Canvas MediaStream behind site permission
    Bug 16326: Verify cache isolation for Request and Fetch APIs
    Bug 18741: Fix OCSP and favicon isolation for ESR 45
    Bug 16998: Disable <link rel="preconnect"> for now
    Bug 18898: Exempt the meek extension from the signing requirement as well
    Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    Bug 18890: Test importScripts() for cache and network isolation
    Bug 18886: Hide pocket menu items when Pocket is disabled
    Bug 18703: Fix circuit isolation issues on Page Info dialog
    Bug 19115: Tor Browser should not fall back to Bing as its search engine
    Bug 18915+19065: Use our search plugins in localized builds
    Bug 19176: Zip our language packs deterministically
    Bug 18811: Fix first-party isolation for blobs URLs in Workers
    Bug 18950: Disable or audit Reader View
    Bug 18886: Remove Pocket
    Bug 18619: Tor Browser reports "InvalidStateError" in browser console
    Bug 18945: Disable monitoring the connected state of Tor Browser users
    Bug 18855: Don't show error after add-on directory clean-up
    Bug 18885: Disable the option of logging TLS/SSL key material
    Bug 18770: SVGs should not show up on Page Info dialog when disabled
    Bug 18958: Spoof screen.orientation values
    Bug 19047: Disable Heartbeat prompts
    Bug 18914: Use English-only label in <isindex/> tags
    Bug 18996: Investigate server logging in esr45-based Tor Browser
    Bug 17790: Add unit tests for keyboard fingerprinting defenses
    Bug 18995: Regression test to ensure CacheStorage is disabled
    Bug 18912: Add automated tests for updater cert pinning
    Bug 16728: Add test cases for favicon isolation
    Bug 18976: Remove some FTE bridges
    Windows
    Bug 13419: Support ICU in Windows builds
    Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
    Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
    OS X
    Bug 6540: Support OS X Gatekeeper
    Bug 13252: Tor Browser should not store data in the application bundle
    Bug 18951: HTTPS-E is missing after update
    Bug 18904: meek-http-helper profile not updated
    Bug 18928: Upgrade is not smooth (requires another restart)
    Build System
    All Platforms
    Bug 18127: Add LXC support for building with Debian guest VMs
    Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    Bug 18919: Remove unused keys and unused dependencies
    Windows
    Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
    Bug 18290: Bump mingw-w64 commit we use
    OS X
    Bug 18331: Update toolchain for Firefox 45 ESR
    Bug 18690: Switch to Debian Wheezy guest VMs
    Linux
    Bug 18699: Stripping fails due to obsolete Browser/components directory
    Bug 18698: Include libgconf2-dev for our Linux builds
    Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/6.0/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/6.0/

    VT = 1/56 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: f1655f7f04195d7ac9cd210b4ff07d930169f6f41d75e9ff0b59354dd4264e95 (Installer file only)
     
    Last edited: May 31, 2016
  20. MOD53

    MOD53 Registered Member

    Joined:
    May 30, 2016
    Posts:
    2
    Location:
    Australia
    I know this is not the right place to ask but where do you go to start new post ?
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    I guess this confirms GPG verification is indeed NOT used by the autoupdater:
    "On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it."



    Questions like this can be asked here:
    https://www.wilderssecurity.com/forums/general-topics.5/

    To answer your question, just go to the subforum where you would like to create a new topic and click the Post New Thread button in the right upper corner.(Though I'm not sure new members automatically have the permission to do that.)
    You can experiment here:
    https://www.wilderssecurity.com/forums/test-forum.7/
     
  22. MOD53

    MOD53 Registered Member

    Joined:
    May 30, 2016
    Posts:
    2
    Location:
    Australia
    I think you're spot on !! new members are not able to create new posts
     
  23. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 6.0.1 Stable on 07-June-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-601-released

    Tor Browser 6.0.1 is released
    Posted June 7th, 2016 by boklm in

    tbb tbb-6.0 tor browser

    Tor Browser 6.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

    This release features important security updates to Firefox.

    Tor Browser 6.0.1 is the first point release in our 6.0 series. It updates Firefox to 45.2.0esr, contains fixes for two crash bugs and does not ship the loop extension anymore.

    Note (June, 8, 12:28 UTC): We just found out that our incremental updates for Windows users were not working. After a short investigation this issue could get resolved and incremental updates are working again. One of the unfortunate side effects of this bug was that all users upgrading from 6.0 got the English 6.0.1 version. The safest way to get a properly localized Tor Browser again is to download it from our homepage. We are sorry for any inconvenience due to this.

    Here is the full changelog since 6.0:

    All Platforms

    Update Firefox to 45.2.0esr
    Bug 18884: Don't build the loop extension
    Bug 19187: Backport fix for crash related to popup menus
    Bug 19212: Fix crash related to network panel in developer tools
    Linux

    Bug 19189: Backport for working around a linker (gold) bug

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/6.0.1/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/6.0.1/

    VT = 0/54 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 33fa01571717fcea64f3ee668e7cb1845d59c564dd2952380757e99fcef7eb80
     
  24. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 6.0.2 Stable on 21-June-2016.
    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-602-released

    Here is the full changelog since 6.0.1:

    All Platforms
    Update Torbutton to 1.9.5.5
    Bug 19417: Clear asmjscache
    Bug 19401: Fix broken PDF download button
    Bug 19411: Don't show update icon if a partial update failed
    Bug 19400: Back out GCC bug workaround to avoid asmjs crash
    Windows
    Bug 19348: Adapt to more than one build target on Windows (fixes updates)
    Linux
    Bug 19276: Disable Xrender due to possible performance regressions

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/6.0.2/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/6.0.2/

    VT = 0/54 Digitally signed & countersigned (Win32 en-US)

    Win32 en-US SHA256: 3a2e05304345936fd713b638612088fa0914102389c15c7bf7aa1d74803e5db8
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I might give this a go on my new laptop, when it arrives. ;)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.