Tor Browser Release

Discussion in 'privacy technology' started by 1PW, Apr 28, 2015.

  1. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Last edited: Apr 28, 2015
  2. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 4.5.1 Stable was released 12-May-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-451-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/4.5.1/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/4.5.1/


    VT: 0/49
     
    Last edited: May 14, 2015
  3. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 4.5.2 Stable was released 16-June-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-452-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/4.5.2/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/4.5.2/


    VT: 0/57 Signed (Windows en-US)
     
    Last edited: Jun 16, 2015
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    There's still no "official" response about the switch to disconnect.me as default search. People have asked on the Tor Project blog, and on the tor-talk list. I asked on the ticket tracker. Not a peep :(
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I still have startpage set to open on my stuff until I see and hear something about this.

    Have you guys read the privacy policy for disconnect? They record IP's and state they will surrender them for legal requests and such. Hmmm! It doesn't concern me too much as I have VPN's and TOR in my circuit before using either one. Just in principle the policy is bothersome.
     
    Last edited: Jun 17, 2015
  6. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Is that for the VPN service they offer, or for the search engine? I think it's just the VPN. They are US-based though, as opposed to Startpage which is in the Netherlands...

    If that is their search engine policy though, how are they any better than Google when used with Tor?
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    My VPN's don't store IP's at all so there would be nothing to give out with a "legal request". It has to make you wonder about how the search engine is being handled behind the scenes. On the other hand, the TOR folks don't usually setup insecure stuff in their browser bundle.

    I guess the benefit would be the adware folks would not see where you search so that part would be solid. Just seems like there are records for legal requests.

    As Mirimir stated though; the silence is o_Oo_Oo_Oo_O's
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I hesitate to say this, because I'm not a Tor hater. But the Tor Project all too often defaults to the "mirror shades" stare :(
     
  9. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 4.5.3 Stable was released 03-July-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-453-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/4.5.3/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/4.5.3/

    VT: 0/46 Signed (Windows en-US)
     
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I lost all faith in tor when I read they had handed over development of the browser to Mozilla. Mozilla can't even get up to date with the latest IETF TLS ciphers which openssl implemented years ago, yet we are supposed to believe they are at the cutting edge of secure web browsing. IMO they are just playing games.
     
    Last edited: Jul 11, 2015
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    What?!? Where did you read that, and why do you believe it to be true?

    I've worried that handover (sellout) would happen, but AFAICT it's the TOR developers who are still applying the patches, are still building, are still distributing TB.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, Tor developers patch source from Mozilla, and then distribute modified source and compiled binaries.
     
  13. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 5.0 Stable was released 11-August-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-50-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/5.0/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/5.0/

    VT: 1/46 Signed (Windows en-US)
     
  14. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 5.0.1 Stable was released 17-August-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-501-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/5.0.1/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.1/

    VT: 0/56 Signed (Windows en-US)
     
  15. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 5.0.2 Stable was released 27-August-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-502-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/5.0.2/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.2/

    VT: 0/54 Signed (Windows en-US)
     
  16. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Tor Browser 5.0.3 Stable was released 22-September-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-503-released

    Download: https://www.torproject.org/projects/torbrowser.html.en#downloads

    SHA-256 Digests: https://dist.torproject.org/torbrowser/5.0.3/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.3/

    VT: 0/56 Signed (Windows en-US)
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Does anyone know the current security checks from the built-in updater?
    At first it used only SSL Pinning(and not very strict, only pinned the CA), and afaik it also checks the digital signature(authenticode) but I thought I read there were plans to hardcode the GPG public key so that it could automatically verify the GPG key as well. Is that already happening?
     
  18. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Hello BoerenkoolMetWorst:

    That is one of the reasons why I have not stated/hinted that self update is available as I do in other update notifications.

    I suppose if the Tor Project folks had upgraded that area, that would have been documented in their change announcements. I have a testbed system with Tor Browser 5.0.2 and perhaps in the next week I can trap the interaction of a self-update with Wireshark if someone else does not do it first.

    For those who require ultra security consciousness, the manual update methods are still indicated.

    Yours is an excellent security question and I would like to know too. Thank you!
     
    Last edited: Sep 23, 2015
  19. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Ditto

    I hate it when things are silent. If it does NOT GPG verify then even offering the auto/quick update is cruel to users who are depending on TOR to help protect their security. Sure, we are all big "boys/girls" and someone could claimed we have been warned. You know most will use that feature because its quick and frankly slick.

    If its not safe it should be removed to protect USERS and to obviously remove another MITM opportunity from adversaries.

    Generally speaking the update is around a 3 meg download so if there is no gpg verification at least designate the small download to come directly to the desktop. There I/we can run a sha512sum on the file (checksum provided by TOR), which would also be quick, and if it matches we can allow it to update the general TBB. Using the update means we don't have to reconfigure the browser from scratch like you do with a full manual pull through the pipe.

    At one point there was a beta TBB that for sure was testing this auto-update security thing out. The mention was that it would be moved to "stable" versions after completed. That was many months ago though.
     
    Last edited: Sep 23, 2015
  20. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.0.4 Stable on 04-November-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-504-released

    Fully Localized Downloads: https://www.torproject.org/projects/torbrowser.html

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.0.4/sha256sums.txt

    Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.4/

    VT: 1/54 Signed/Verified (Windows en-US)
     
  21. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.0.5 Stable on 15-December-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-505-released

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.0.5/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.5/

    VT: 1/50 Digitally signed & countersigned (Win32 en-US)

    Note: Uses Mozilla's Firefox 38.5.0esr.
     
  22. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    @1PW Thank you.
    SHA-256 doesn't match for me:
    Code:
    My download:
    c717ca07aba66452ca237cb968d70a54ec968aeb0c2fa75953b968cd99c09b73  torbrowser-install-5.0.5_en-US.exe
    
    sha256sums.txt:
    fb65e2a5af9a7d1a26fdadd712defdc06f2a51890a0a72508b9e8914f28f6d77  torbrowser-install-5.0.5_en-US.exe
     
  23. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Hello Mister X:

    Good catch. My findings agree perfectly with yours using two independent hash calculators.

    Let's wait about an hour or so and see if the Tor Project folks make a correction. If not maybe it's worth an inquiry.

    Thank you.

    EDIT/UPDATE: Since the SHA-256 hash has not changed in the last eight hours, I emailed the Tor Project support folks with what we know. Credit goes to you for the catch.
     
    Last edited: Dec 16, 2015
  24. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    The Tor Project, Inc has released the Tor Browser 5.0.6 Stable on 17-December-2015.

    https://wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    Home: https://www.torproject.org/

    Announcement and Changelog: https://blog.torproject.org/blog/tor-browser-506-released

    Localized Downloads: https://www.torproject.org/projects/torbrowser.html or self update.

    SHA-256 Hashes: https://dist.torproject.org/torbrowser/5.0.6/sha256sums.txt

    PGP Signing Key Directory: https://dist.torproject.org/torbrowser/5.0.6/

    VT: 1/51 Digitally signed & countersigned (Win32 en-US)

    Note: Uses Mozilla's Firefox 38.5.0esr.
     
  25. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    Here we go again?

    My DL:
    215c881d9feeda1168a0ff1d4df25189380b32591dee6e7fd933d8ed34d3fbdc torbrowser-install-5.0.6_en-US.exe

    TOR site:
    82f50e115c5a413dcaa1aea9ab5a2dde71a29388870db9b88f9e7fae75617857 torbrowser-install-5.0.6_en-US.exe

    Really I don't get it.
     
Loading...