A new hardened Tor Browser release is available. It can be found in the 6.5a4-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox. Other components got an update as well: Tor to 0.2.9.5-alpha, HTTPS-Everywhere to 5.2.7, and OpenSSL to 1.0.2j.

This release includes numerous bug fixes and improvements. Most notably we improved our Unix domain socket support by resolving all the issues that showed up in the previous alpha and by making sure all connections to tor (not only the control port related ones) are using this feature now.

Additionally, we fixed a lot of usability bugs, most notably those caused by our window resizing logic. We moved the relevant code out of Torbutton into a C++ patch which we hope to get upstreamed into Firefox. We improved the usability of our security slider as well by reducing the amount of security levels available and redesigning the custom mode.

Finally, we added a donation banner shown in some localized bundles starting on Nov 23 in order to point to our end-of-the-year 2016 donation campaign.

For those who want to know in which ways the alpha and the hardened series differ: check out the discussion we had on the tbb-dev mailing list a while back.

Update (11/16 2213UTC): We currently have problems with our auto-updater at least on Linux systems. The updates are downloaded but don't get applied for yet unknown reasons. We therefore have decided to disable the automatic updates until we understand the problem and provide a fix for it. Progress on that task can be tracked in ticket 20691 in our bug tracker. We are sorry for this inconvenience. Fresh bundles are available on our download page, though.

Update (11/18 0937UTC): We enabled the updates again with an information prompt. One of the following workarounds can be used to avoid the updater error:

in about : config , set app . update . staging . enabled to false before attempting to update

, set to before attempting to update in about : config , set extensions . torlauncher . control_port_use_socket to false (disabling the control port Unix domain socket) and restart the browser before attempting to update

Here is the full changelog since 6.5a3-hardened: