Hello Mister X: I agree again. I have not received an acknowledgement/reply from the support folks. Perhaps email from other users might attract more attention. Maybe they were temporarily inundated with the latest updates and transitioning of the new Executive Director. Cheers. Edit: I have opened a Tor Project ticket: https://www.mail-archive.com/tor-bugs@lists.torproject.org/msg87443.html
I noticed if you go to the directory: https://dist.torproject.org/torbrowser/5.0.6/ sha256sums.txt is NOT visible, only sha256sums-unsigned-build.txt and sha256sums-unsigned-build.incrementals.txt. However, the hashes in sha256sums.txt are exactly the same as the ones in sha256sums-unsigned-build.txt
Hello Mister X: All hash checks are very important. Yet those hashes, for the Tor Browser, can attract additional attention for those whose privacy could help to protect lives. So it's others who should thank you for bringing the issue to light. Thank you Mister X. Cheers
Do you guys dislike the gpg --verify method for some reason? Lots of folks seem to avoid it and I always wondered why. Maybe it's because I spend so much time using gpg it is second nature to me.
Hello Planancar: Yes you are right! With the necessary customizations, the GnuPG based integrity check seems to be quite valid in this case. However, it remains that the published SHA-256 hashes, for the Tor Browser installer, have no present integrity value. If I was that very special Tor Browser user and I am deadly serious about all integrity checks, I would be a bit concerned at the least. Cheers
Well I don't know if I am that special but I'm still concerned for that inconsistency. FWIW I run it always sandboxed (SBIE) never otherwise, not even for testing or anything. As soon as I run the installer to put its files on another partition/folder (Shadow Defender in shadow mode) I reboot the machine and start using Tor sandboxed.
Hello All: I only checked today and found that the Tor Bug Tracker topic I opened on December 18th (Ref: post #26), had been closed the next day: hXXps://lists.torproject.org/pipermail/tor-bugs/2015-December/091417.html Perhaps, as @Planacar implies (post #31), this elevates the 'gpg --verify' methodology to the best high integrity choice after all. Thank you.
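
An added example, not part of the thread and not Tor Project code, of the manual check discussed in the posts above: look up a download's entry in a sha256sum-format list and compare it with the hash of the file on disk. The `.asc` detached-signature name, the function names and the sample file built in `demo` are assumptions or constructed data; the list only carries weight once `gpg --verify` has authenticated it.

```shell
#!/bin/sh
# Added example: check a download against a sha256sum-format list.
# All file names and contents used in demo() are constructed sample data.

# Authenticate the list first. The "<list>.asc" detached-signature name is an assumption.
verify_list_signature() { gpg --verify "$1.asc" "$1"; }

# Print the hash listed for a name; fail unless exactly one well-formed entry matches.
expected_hash() {       # $1 = list file, $2 = file name as listed
    awk -v name="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        length($1) == 64 && $1 !~ /[^0-9A-Fa-f]/ && substr($0, 67) == name {
            hash = tolower($1); n++              # entry: 64 hex, 2 separator chars, name
        }
        END { if (n != 1) exit 1; print hash }
    ' "$1"
}

# 0 = match, 1 = mismatch, 2 = cannot decide (no unique entry or unreadable file).
verify_download() {     # $1 = list file, $2 = downloaded file
    want=$(expected_hash "$1" "$(basename "$2")") || return 2
    have=$(sha256sum "$2" | awk '{ print tolower($1) }')
    [ -n "$have" ] || return 2
    if [ "$want" = "$have" ]; then
        echo "OK: $2"
    else
        printf 'MISMATCH: %s\n listed: %s\n actual: %s\n' "$2" "$want" "$have" >&2
        return 1
    fi
}

# Demo on constructed data: a matching file, then the same file after modification.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed installer bytes\n' > "$d/sample-installer.exe"
    ( cd "$d" && sha256sum sample-installer.exe > sha256sums.txt )
    first=0; verify_download "$d/sha256sums.txt" "$d/sample-installer.exe" || first=$?
    printf 'appended after the list was made\n' >> "$d/sample-installer.exe"
    second=0; verify_download "$d/sha256sums.txt" "$d/sample-installer.exe" 2>/dev/null || second=$?
    rm -rf "$d"
    echo "unmodified=$first modified=$second"
}
demo
```

Exit status 2 is kept separate from a mismatch so that a missing or duplicated entry in the list is never mistaken for a verified file.
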
The Tor Project, Inc has released the Tor Browser 5.0.7 Stable on 07-January-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-507-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.0.7/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.7/
VT: 1/52
Digitally signed & countersigned (Win32 en-US)

The Tor Project, Inc has released the Tor Browser 5.5 Stable on 27-January-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-55-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5/
VT = 1/54
Digitally signed & countersigned (Win32 en-US)
Win32 en-US Download SHA256: e337989b728e1488eead6e6d8bcebef4d4ac64a9256df34dd8725401b249d9c6
Note: Uses Mozilla's Firefox 38.6.0esr.

The Tor Project, Inc has released the Tor Browser 5.5.1 Stable on 05-February-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-551-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.1/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.1/
VT = 1/52
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 70d19ac751148bbf15abda3b997e911f5abe96907e9b9d05bb25bb057b488f03
Note: Uses Mozilla's Firefox 38.6.0esr.

The Tor Project, Inc has released the Tor Browser 5.5.2 Stable on 12-February-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-552-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.2/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.2/
VT = 0/54
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 31fa548183673449bc0b31b43b919c96663a398bd6895eae9bc6d0d610975963
Note: Uses Mozilla's Firefox 38.6.1esr.

The Tor Project, Inc has released the Tor Browser 5.5.3 Stable on 08-March-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-553-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.3/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.3/
VT = 1/55
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 83f95b57a9afc70d34dc6348b51dc30efb466401869c87fe34f9e3180ae4b7f6
Note: Uses Mozilla's Firefox 38.7.0esr.

The Tor Project, Inc has released the Tor Browser 5.5.4 Stable on 18-March-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-554-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.4/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.4/
VT = 1/54
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 7c975affbfa95b924e84a678b599e92e8889af09254ce2aa78893baab4e4144f

The Tor Project, Inc has released the Tor Browser 5.5.5 Stable on 26-March-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-555-released
Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.5.5/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.5.5/
VT = 0/56
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 5586619eeb19e5d38d80865cd0213e3afa0e26f43ceb21ca93a1c9f59d939269
Note: Uses Mozilla's Firefox 38.8.0esr.

The Tor Project, Inc has released the Tor Browser 6.0 Stable on 30-May-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-60-released

Tor Browser 6.0 -- May 30
* All Platforms
  * Update Firefox to 45.1.1esr
  * Update OpenSSL to 1.0.1t
  * Update Torbutton to 1.9.5.4
    * Bug 18466: Make Torbutton compatible with Firefox ESR 45
    * Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
    * Bug 18905: Hide unusable items from help menu
    * Bug 16017: Allow users to more easily set a non-tor SSH proxy
    * Bug 17599: Provide shortcuts for New Identity and New Circuit
    * Translation updates
    * Code clean-up
  * Update Tor Launcher to 0.2.9.3
    * Bug 13252: Do not store data in the application bundle
    * Bug 18947: Tor Browser is not starting on OS X if put into /Applications
    * Bug 11773: Setup wizard UI flow improvements
    * Translation updates
  * Update HTTPS-Everywhere to 5.1.9
  * Update meek to 0.22 (tag 0.22-18371-3)
    * Bug 18371: Symlinks are incompatible with Gatekeeper signing
    * Bug 18904: Mac OS: meek-http-helper profile not updated
  * Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
  * Bug 18900: Fix broken updater on Linux
  * Bug 19121: The update.xml hash should get checked during update
  * Bug 18042: Disable SHA1 certificate support
  * Bug 18821: Disable libmdns support for desktop and mobile
  * Bug 18848: Disable additional welcome URL shown on first start
  * Bug 14970: Exempt our extensions from signing requirement
  * Bug 16328: Disable MediaDevices.enumerateDevices
  * Bug 16673: Disable HTTP Alternative-Services
  * Bug 17167: Disable Mozilla's tracking protection
  * Bug 18603: Disable performance-based WebGL fingerprinting option
  * Bug 18738: Disable Selfsupport and Unified Telemetry
  * Bug 18799: Disable Network Tickler
  * Bug 18800: Remove DNS lookup in lockfile code
  * Bug 18801: Disable dom.push preferences
  * Bug 18802: Remove the JS-based Flash VM (Shumway)
  * Bug 18863: Disable MozTCPSocket explicitly
  * Bug 15640: Place Canvas MediaStream behind site permission
  * Bug 16326: Verify cache isolation for Request and Fetch APIs
  * Bug 18741: Fix OCSP and favicon isolation for ESR 45
  * Bug 16998: Disable <link rel="preconnect"> for now
  * Bug 18898: Exempt the meek extension from the signing requirement as well
  * Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
  * Bug 18890: Test importScripts() for cache and network isolation
  * Bug 18886: Hide pocket menu items when Pocket is disabled
  * Bug 18703: Fix circuit isolation issues on Page Info dialog
  * Bug 19115: Tor Browser should not fall back to Bing as its search engine
  * Bug 18915+19065: Use our search plugins in localized builds
  * Bug 19176: Zip our language packs deterministically
  * Bug 18811: Fix first-party isolation for blobs URLs in Workers
  * Bug 18950: Disable or audit Reader View
  * Bug 18886: Remove Pocket
  * Bug 18619: Tor Browser reports "InvalidStateError" in browser console
  * Bug 18945: Disable monitoring the connected state of Tor Browser users
  * Bug 18855: Don't show error after add-on directory clean-up
  * Bug 18885: Disable the option of logging TLS/SSL key material
  * Bug 18770: SVGs should not show up on Page Info dialog when disabled
  * Bug 18958: Spoof screen.orientation values
  * Bug 19047: Disable Heartbeat prompts
  * Bug 18914: Use English-only label in <isindex/> tags
  * Bug 18996: Investigate server logging in esr45-based Tor Browser
  * Bug 17790: Add unit tests for keyboard fingerprinting defenses
  * Bug 18995: Regression test to ensure CacheStorage is disabled
  * Bug 18912: Add automated tests for updater cert pinning
  * Bug 16728: Add test cases for favicon isolation
  * Bug 18976: Remove some FTE bridges
* Windows
  * Bug 13419: Support ICU in Windows builds
  * Bug 16874: Fix broken https://sports.yahoo.com/dailyfantasy page
  * Bug 18767: Context menu is broken on Windows in ESR 45 based Tor Browser
* OS X
  * Bug 6540: Support OS X Gatekeeper
  * Bug 13252: Tor Browser should not store data in the application bundle
  * Bug 18951: HTTPS-E is missing after update
  * Bug 18904: meek-http-helper profile not updated
  * Bug 18928: Upgrade is not smooth (requires another restart)
* Build System
  * All Platforms
    * Bug 18127: Add LXC support for building with Debian guest VMs
    * Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    * Bug 18919: Remove unused keys and unused dependencies
  * Windows
    * Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
    * Bug 18290: Bump mingw-w64 commit we use
  * OS X
    * Bug 18331: Update toolchain for Firefox 45 ESR
    * Bug 18690: Switch to Debian Wheezy guest VMs
  * Linux
    * Bug 18699: Stripping fails due to obsolete Browser/components directory
    * Bug 18698: Include libgconf2-dev for our Linux builds
    * Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/6.0/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/6.0/
VT = 1/56
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: f1655f7f04195d7ac9cd210b4ff07d930169f6f41d75e9ff0b59354dd4264e95 (Installer file only)

I guess this confirms GPG verification is indeed NOT used by the autoupdater: "On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it." Questions like this can be asked here: https://www.wilderssecurity.com/forums/general-topics.5/ To answer your question, just go to the subforum where you would like to create a new topic and click the Post New Thread button in the right upper corner. (Though I'm not sure new members automatically have the permission to do that.) You can experiment here: https://www.wilderssecurity.com/forums/test-forum.7/
The Tor Project, Inc has released the Tor Browser 6.0.1 Stable on 07-June-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-601-released

Tor Browser 6.0.1 is released
Posted June 7th, 2016 by boklm in tbb tbb-6.0 tor browser

Tor Browser 6.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 6.0.1 is the first point release in our 6.0 series. It updates Firefox to 45.2.0esr, contains fixes for two crash bugs and does not ship the loop extension anymore.

Note (June, 8, 12:28 UTC): We just found out that our incremental updates for Windows users were not working. After a short investigation this issue could get resolved and incremental updates are working again. One of the unfortunate side effects of this bug was that all users upgrading from 6.0 got the English 6.0.1 version. The safest way to get a properly localized Tor Browser again is to download it from our homepage. We are sorry for any inconvenience due to this.

Here is the full changelog since 6.0:
* All Platforms
  * Update Firefox to 45.2.0esr
  * Bug 18884: Don't build the loop extension
  * Bug 19187: Backport fix for crash related to popup menus
  * Bug 19212: Fix crash related to network panel in developer tools
* Linux
  * Bug 19189: Backport for working around a linker (gold) bug

Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/6.0.1/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/6.0.1/
VT = 0/54
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 33fa01571717fcea64f3ee668e7cb1845d59c564dd2952380757e99fcef7eb80

The Tor Project, Inc has released the Tor Browser 6.0.2 Stable on 21-June-2016.
https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
Home: https://www.torproject.org/
Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-602-released

Here is the full changelog since 6.0.1:
* All Platforms
  * Update Torbutton to 1.9.5.5
  * Bug 19417: Clear asmjscache
  * Bug 19401: Fix broken PDF download button
  * Bug 19411: Don't show update icon if a partial update failed
  * Bug 19400: Back out GCC bug workaround to avoid asmjs crash
* Windows
  * Bug 19348: Adapt to more than one build target on Windows (fixes updates)
* Linux
  * Bug 19276: Disable Xrender due to possible performance regressions

Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.
SHA-256 Hashes: https://dist.torproject.org/torbrowser/6.0.2/sha256sums.txt
PGP Signing Key Directory: https://dist.torproject.org/torbrowser/6.0.2/
VT = 0/54
Digitally signed & countersigned (Win32 en-US)
Win32 en-US SHA256: 3a2e05304345936fd713b638612088fa0914102389c15c7bf7aa1d74803e5db8