Hi,
we are excited to announce the first stable version in the 4.5 series being ready for testing. It will be the next alpha as well. Bundles can be found on
https://people.torproject.org/~mikeperry/builds/4.5-build4/
Compared to 4.5a5 we were able to put another couple of important usability fixes into this release. We improved HTTP connection handling, the HTTP authentication experience and fixed the TLS connection display, to name a few. Moreover, we neutered Blob URIs to a great deal which can get used to track users across domains and, finally, brought all Tor Browser components up-to-date.
The complete changelog since 4.5a5 is:
Tor Browser 4.5 -- Apr 28 2015 * All Platforms * Update Tor to 0.2.6.7 with additional patches: * Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used * Update NoScript to 2.6.9.22 * Update HTTPS-Everywhere to 5.0.2 * Bug 15689: Resume building HTTPS-Everywhere from git tags * Update meek to 0.17 * Update obfs4proxy to 0.0.5 * Update Tor Launcher to 0.2.7.4 * Bug 15704: Do not enable network if wizard is opened * Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked * Bug 13576: Don't strip "bridge" from the middle of bridge lines * Bug 15657: Display the host:port of any connection faiures in bootstrap * Update Torbutton to 1.9.2.1 * Bug 15562: Bind SharedWorkers to thirdparty pref * Bug 15533: Restore default security level when restoring defaults * Bug 15510: Close Tor Circuit UI control port connections on New Identity * Bug 15472: Make node text black in circuit status UI * Bug 15502: Wipe blob URIs on New Identity * Bug 14429: Disable automatic window resizing for now * Bug 4100: Raise HTTP Keep-Alive back to 115 second default * Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting * Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism * Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display * Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access * Bug 15562: Disable Javascript SharedWorkers due to third party tracking * Bug 15757: Disable Mozilla video statistics API extensions * Bug 15758: Disable Device Sensor APIs * Linux * Bug 15747: Improve start-tor-browser argument handling * Bug 15672: Provide desktop app registration+unregistration for Linux * Windows * Bug 15539: Make installer exe signatures reproducibly removable * Bug 10761: Fix instances of shutdown crashes
Georg
Georg Koppen:
Hi,
we are excited to announce the first stable version in the 4.5 series being ready for testing. It will be the next alpha as well. Bundles can be found on
https://people.torproject.org/~mikeperry/builds/4.5-build4/
Compared to 4.5a5 we were able to put another couple of important usability fixes into this release. We improved HTTP connection handling, the HTTP authentication experience and fixed the TLS connection display, to name a few. Moreover, we neutered Blob URIs to a great deal which can get used to track users across domains and, finally, brought all Tor Browser components up-to-date.
The complete changelog since 4.5a5 is:
Tor Browser 4.5 -- Apr 28 2015
- All Platforms
- Update Tor to 0.2.6.7 with additional patches:
- Update NoScript to 2.6.9.22
- Update HTTPS-Everywhere to 5.0.2
- Update meek to 0.17
- Update obfs4proxy to 0.0.5
- Update Tor Launcher to 0.2.7.4
- Update Torbutton to 1.9.2.1
** I attempted to update using tor-browser-linux64-4.5a5-4.5_en-US.incremental.mar and ended up with the following errors:
ERROR: There must be at least one signature. ERROR: Not all signatures were verified. ERROR: There must be at least one signature. ERROR: Not all signatures were verified.
and so downloaded the full version instead. I haven't tried the MAR update before with the 4.5 series, but followed the same process as with the 4.0 series. **
** HTTPS-Everywhere is v 5.0.3, not 5.0.2 Torbutton is v 1.9.2.0, not 1.9.2.1 **
Testing: tor-browser-linux64-4.5_en-US.tar.xz Platform: Debian 7.8 Processor: Intel(R) Pentium(R) CPU B950 @ 2.10GHz
Tor *v0.2.6.7* (git-ac600bec40c14864) Libevent 2.0.21-stable OpenSSL 1.0.1m Zlib 1.2.7 Firefox: 31.6.0 (Tor Browser 4.5)
TBB Launches successfully: yes Connects to the Tor network: yes
All extensions are present and functional: yes - HTTPS-Everywhere *5.0.3* - NoScript *2.6.9.22* - TorButton *1.9.2.0* - TorLauncher *0.2.7.4*
WebBrowsing works as expected - HTTP, HTTPS, .onion browsing works - HTML5 videos work (http://videojs.com/) - http://ip-check.info/?lang=en - ok - https://panopticlick.eff.org/ - one in 584,881 browsers, 19.16 bits of identifying information
SOCKS/external apps (Torsocks) work as expected: yes
Katya Titov:
** I attempted to update using tor-browser-linux64-4.5a5-4.5_en-US.incremental.mar and ended up with the following errors:
ERROR: There must be at least one signature. ERROR: Not all signatures were verified. ERROR: There must be at least one signature. ERROR: Not all signatures were verified.and so downloaded the full version instead. I haven't tried the MAR update before with the 4.5 series, but followed the same process as with the 4.0 series. **
So you tried to verify if your Tor Browser accepts unsigned MAR files and it failed? Good! :) Seriously, the MAR files are not signed at this stage in the release process and the 4.5 alpha series already enforces signed MAR files. Thus, this error is expected and I am glad I am seeing it.
Georg
Georg Koppen:
Katya Titov:
** I attempted to update using tor-browser-linux64-4.5a5-4.5_en-US.incremental.mar and ended up with the following errors:
ERROR: There must be at least one signature. ERROR: Not all signatures were verified. ERROR: There must be at least one signature. ERROR: Not all signatures were verified.and so downloaded the full version instead. I haven't tried the MAR update before with the 4.5 series, but followed the same process as with the 4.0 series. **
So you tried to verify if your Tor Browser accepts unsigned MAR files and it failed? Good! :) Seriously, the MAR files are not signed at this stage in the release process and the 4.5 alpha series already enforces signed MAR files. Thus, this error is expected and I am glad I am seeing it.
Georg
Good news!
Also:
* Bug 14429: Disable automatic window resizing for now
is good from a usability perspective, and the warning when maximising the window is also good.
We had to do a rebuild over the weekend for two bugs: * Bug 15794: Crash on some pages with SVG images if SVG is disabled * Bug 15795: Some security slider prefs do not trigger custom checkbox
We also updated HTTPS-Everywhere to 5.0.3.
New builds are at: https://people.torproject.org/~mikeperry/builds/4.5-build5/
Georg Koppen:
Hi,
we are excited to announce the first stable version in the 4.5 series being ready for testing. It will be the next alpha as well. Bundles can be found on
https://people.torproject.org/~mikeperry/builds/4.5-build4/
Compared to 4.5a5 we were able to put another couple of important usability fixes into this release. We improved HTTP connection handling, the HTTP authentication experience and fixed the TLS connection display, to name a few. Moreover, we neutered Blob URIs to a great deal which can get used to track users across domains and, finally, brought all Tor Browser components up-to-date.
The complete changelog since 4.5a5 is:
Tor Browser 4.5 -- Apr 28 2015
- All Platforms
- Update Tor to 0.2.6.7 with additional patches:
- Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is
used
- Update NoScript to 2.6.9.22
- Update HTTPS-Everywhere to 5.0.2
- Bug 15689: Resume building HTTPS-Everywhere from git tags
- Update meek to 0.17
- Update obfs4proxy to 0.0.5
- Update Tor Launcher to 0.2.7.4
- Bug 15704: Do not enable network if wizard is opened
- Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
- Bug 13576: Don't strip "bridge" from the middle of bridge lines
- Bug 15657: Display the host:port of any connection faiures in
bootstrap
- Update Torbutton to 1.9.2.1
- Bug 15562: Bind SharedWorkers to thirdparty pref
- Bug 15533: Restore default security level when restoring defaults
- Bug 15510: Close Tor Circuit UI control port connections on New
Identity * Bug 15472: Make node text black in circuit status UI * Bug 15502: Wipe blob URIs on New Identity * Bug 14429: Disable automatic window resizing for now
- Bug 4100: Raise HTTP Keep-Alive back to 115 second default
- Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
- Bug 15411: Remove old (and unused) cacheDomain cache isolation
mechanism
- Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS
connection info display
- Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
- Bug 15562: Disable Javascript SharedWorkers due to third party tracking
- Bug 15757: Disable Mozilla video statistics API extensions
- Bug 15758: Disable Device Sensor APIs
- Linux
- Bug 15747: Improve start-tor-browser argument handling
- Bug 15672: Provide desktop app registration+unregistration for Linux
- Windows
- Bug 15539: Make installer exe signatures reproducibly removable
- Bug 10761: Fix instances of shutdown crashes
Georg
tor-qa mailing list tor-qa@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-qa
-
Georg Koppen -
Katya Titov -
Mike Perry