New Release: Tor Browser 8.0a9

Tor Browser 8.0a9 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.0a9 is the first alpha release based on Firefox 60 ESR. We rebased all of our patches, updated our toolchains to pick up new requirements like Rust support, and fixed the most important usability issues and broken functionality.

We rely on your feedback to make Tor Browser better for users around the world. Releasing a Tor Browser alpha before each stable release gives us a valuable window of time to learn about and fix bugs before the stable release is used by millions.

New Features

If you are comfortable with Tor Browser, we need your help! This alpha has a lot of new features, including a couple major UX changes, and we want them to be in tip-top shape before the stable release hits this September. Here's a taste of what's new:

  1. Improved Circuit Display:

    We've heard a lot of confusion about how the first guard in the Tor Circuit Display stays the same for months, even if you select "New Identity." This is by design, so now, we're trying to to better communicate that to the user and better manage expectations about both "New Identity" and "New Tor Circuit for this Site."

  2. Onion Indicators:

    We're trying out a new system for indicating .onion sites' relationships to TLS certificates. We mapped all the current padlock states Firefox has for sites' TLS certificates, and from there, we've built a new system for communicating these states when they are related to .onion sites.

  3. New Locales: We added support for da, he, sv-SE, and zh-TW to give users speaking those languages an improved Tor Browser experience. The plan is to add even more locales once we are confident we can handle the additional load and disk space requirements.
  4. New Torbutton Icon: We replaced our old Torbutton icon with a shiny new one. That's the first step in redesigning Tor Browser icons and making them compatible with Firefox's Photon UI. There is more to come in the next alphas.
  5. Full Sandboxing Support for Windows: We are able to provide full content sandboxing support for 64bit Windows bundles now, thanks to the work done by Tom Ritter.

Additionally, we updated a number of components we ship: Tor to 0.3.4.2-alpha, Torbutton to 2.0.1, TorLauncher to 0.2.16.1, HTTPS-Everywhere to 2018.06.21, and NoScript to 10.1.8.2. Expect more bugs than usual in this alpha.

Known Issues

We already collected a number of unresolved bugs in Tor Browser 8.0a9 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

  1. Meek is currently broken. We need to update the browser part for make it compatible with ESR60.
  2. On Windows localized builds on first start the about:tor page is not shown, rather a weird XML error is visible.
  3. Maybe related to 2) NoScript does not seem to work properly on Windows builds right now.
  4. We are not done yet with reviewing the network code changes between ESR52 and ESR60. While we don't expect that proxy bypass bugs got introduced between those ESR series, we can't rule it out yet.
  5. We disable Stylo on macOS due to reproducibility issues we need to investigate and fix.
  6. We ran into issues while creating the incremental update files. In order to avoid respinning yet another release candidate and redoing the signing work, we opted into patching our mar-tools locally. For those of you who want to reproduce our builds (please do!) bug 26472 has steps that explain what we did.

Give Feedback and Report Bugs

If you find a bug or have a suggestion for how we could improve these changes, please let us know. There are several ways you can reach us with feedback about this alpha including commenting on this post, emailing us at frontdesk@torproject.org, or contacting the developers at the tbb-dev mailing list. We track all Tor Browser 8 related issues with the ff60-esr keyword in our bug tracker and are happy with bug reports, there, too. Be sure to include as many of these as possible:

  • Your OS
  • Tor Browser version
  • Step by step of how you got to the issue, so we can reproduce it (e.g. I opened the browser, typed a url, clicked on (i) icon, then my browser crashed)
  • A screenshot of the problem
  • The debug log
  • A descriptive subject line (if you're emailing us)

Thank you for your support!

Changelog

Note: This alpha release is the first one that gets signed with a new Tor Browser subkey, as the currently used one is about to expire. Its fingerprint is: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2. We plan to use it for the stable series, too, once Tor Browser 8 gets released.

The full changelog since Tor Browser 8.0a8 is:

  • All platforms
    • Update Firefox to 60.1.0esr
    • Update Tor to 0.3.4.2-alpha
    • Update Libevent to 2.1.8
    • Update Binutils to 2.26.1
    • Update Torbutton to 2.0.1
      • Bug 26100: Adapt Torbutton to Firefox 60 ESR
      • Bug 26430: New Torbutton icon
      • Bug 24309: Move circuit display to the identity popup
      • Bug 26128: Adapt security slider to the WebExtensions version of NoScript
      • Bug 23247: Show security state of .onions
      • Bug 26129: Show our about:tor page on startup
      • Bug 26235: Hide new unusable items from help menu
      • Bug 26058: Remove workaround for hiding 'sign in to sync' button
      • Bug 20628: Add locales da, he, sv, and zh-TW
      • Translations update
    • Update Tor Launcher to 0.2.16.1
      • Bug 25750: Update Tor Launcher to make it compatible with Firefox 60 ESR
      • Bug 20890: Increase control port connection timeout
      • Bug 20628: Add more locales to Tor Browser
      • Translations update
    • Update HTTPS Everywhere to 2018.6.21
    • Update NoScript to 10.1.8.2
    • Bug 25543: Rebase Tor Browser patches for ESR60
    • Bug 23247: Show security state of .onions
    • Bug 26039: Load our preferences that modify extensions
    • Bug 17965: Isolate HPKP and HSTS to URL bar domain
    • Bug 26365: Add potential AltSvc support
    • Bug 26045: Add new MAR signing keys
    • Bug 22564: Hide Firefox Sync
    • Bug 25090: Disable updater telemetry
    • Bug 26127: Make sure Torbutton and Tor Launcher are not treated as legacy extensions
    • Bug 26073: Migrate general.useragent.locale to intl.locale.requested
    • Bug 20628: Make Tor Browser available in da, he, sv-SE, and zh-TW
      • Bug 12927: Include Hebrew translation into Tor Browser
      • Bug 21245: Add danish (da) translation
  • Windows
  • OS X
    • Bug 24052: Backport fix for bug 1412081 for better file:// handling
    • Bug 24136: After loading file:// URLs clicking on links is broken on OS X
    • Bug 24243: Tor Browser only renders HTML for local pages via file://
    • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
    • Bug 24632: Disable snowflake for now until its build is fixed
    • Bug 26438: Remove broken seatbelt profiles
  • Linux
    • Bug 24052: Backport fix for bug 1412081 for better file:// handling
    • Bug 24136: After loading file:// URLs clicking on links is broken on Linux
    • Bug 24243: Tor Browser only renders HTML for local pages via file://
    • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
    • Bug 26153: Update selfrando to be compatible with Firefox 60 ESR
    • Bug 22242: Remove RUNPATH in Linux binaries embedded by selfrando
    • Bug 26354: Set SSE2 support as minimal requirement for Tor Browser 8
  • Build System
    • All
      • Bug 26362: Use old MAR format for first ESR60-based alpha
      • Clean up
    • Windows
      • Bug 26203: Adapt tor-browser-build/tor-browser for Windows
      • Bug 26204: Bundle d3dcompiler_47.dll for Tor Browser 8
      • Bug 26205: Don't build the uninstaller for Windows during Firefox compilation
      • Bug 26206: Ship pthread related dll where needed
      • Bug 26396: Build libwinpthread reproducible
      • Bug 25837: Integrate fxc2 into our build setup for Windows builds
      • Bug 25894: Get a rust cross-compiler for Windows
      • Bug 25554: Bump mingw-w64 version for ESR 60
      • Bug 23561: Fix nsis builds for Windows 64
      • Bug 23231: Remove our STL Wrappers workaround for Windows 64bit
      • Bug 26370: Don't copy msvcr100.dll and libssp-0.dll twice
      • Bug 26476: Work around Tor Browser crashes due to fix for bug 1467041
      • Bug 18287: Use SHA-2 signature for Tor Browser setup executables
    • OS X
      • Bug 24632: Update macOS toolchain for ESR 60
      • Bug 9711: Build our own cctools for macOS cross-compilation
      • Bug 25548: Update macOS SDK for Tor Browser builds to 10.11
      • Bug 26003: Clean up our mozconfig-osx-x86_64 file
      • Bug 26195: Use new cctools in our macosx-toolchain project
      • Bug 25975: Get a rust cross-compiler for macOS
      • Bug 26475: Disable Stylo to make macOS build reproducible
    • Linux
      • Bug 26073: Patch tor-browser-build for transition to ESR 60
      • Bug 25540: Stop building and distributing sandboxed tor browser
      • Bug 25481: Rust support for tor-browser and tor
Anonymous

June 28, 2018

Permalink

FCC Message Alert!
An FCC error has occured

We're sorry, an unexpected error occurred with your request.

Reference # 18.2418ae8c.1530208790.8e4a5b

Anonymous

June 28, 2018

Permalink

18:04:09.454 TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object. 1 ExtensionContent.jsm:489:18

To disable javascript you can click the onion, select "Security Settings", then select the "Safest" level. If you don't want to change the security level, you can go to the addons page (entering about:addons in the URL bar), click on the Noscript preferences button, then uncheck the "script" check-box on the DEFAULT sites.

Anonymous

June 28, 2018

Permalink

NoScript is broken on Linux 64-bit 8.0a9 but it was fine on the previous alpha. It's disabled because "NoScript is incompatible with Tor Browser 60.1.0." The version is 10.1.8.2 like it's supposed to be.

Anonymous

June 28, 2018

Permalink

The "sig" for the 64bit" "8.0a9" from the TOR download page could not be verified with the downloaded program.

And the fingerprint from above: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2, brings up the current (signing key - 15 Dec 14 to 24 Aug 20) when you search on a "keysever", so I am unable to the verify the downloaded program.

Please Advise - email address: siranger@protonmail.com

With both the "torbrowser-install-win64-8.0a9_en-US.exe" & "torbrowser-install-win64-8.0a9_en-US.exe.asc" in the same folder, I right clicked on the 8.0a9 install file and selected "Verify". This normally come back with a msg saying the two file verify, but this time I got a msg saying "The Data could not be verified."

Is there a way to attached an image file here?

Anonymous

June 28, 2018

Permalink

I downloaded the installer twice from the Project page, and installed and then re-installed 8.0a9. I got the same result both times:

1. After clicking "Test Tor Network Settings" link to reach https://check.torproject.org/?lang=en_US , the page says the browser is configured to use tor, but it is not tor browser in big orange letters.

2. There is no green padlock on "https" pages, and info from the address bar says the pages are NOT encrypted.

I have deleted 8.0a9 from my windows machine, and I will watch for further commentary here.

I'm back, and re-downloaded the 8.0a9 installer from https://www.torproject.org/projects/torbrowser.html.en#downloads-alpha on Windows for a test. All https sites that I checked report as not secure, nor encrypted. Onion sites report as secure. Here goes:
Tested - NOT ENCRYPTED, NOT SECURE
https://check.torproject.org/?lang=en_US
https://www.startpage.com/
https://search.disconnect.me/
https://en.wikipedia.org/wiki/Main_Page
https://searx.me/
Tested - ENCRYPTED, SECURE
https://3g2upl4pq6kufc4m.onion/ ... duckduckgo onion
http://ulrn6sryqaifefld.onion/ ... searx onion
Thank you for your reply, and best wishes.

Hello ... I'm the same person as before who posted about no green padlocks. I have re-tested TB 8.0a9 today, and I'm getting green padlocks plus security certificate data. Some tested websites follow:
https://www.theguardian.com/world
https://www.startpage.com/
https://www.nytimes.com/
https://www.rt.com/
https://www.bbc.com/news
https://www.washingtonpost.com/
https://www.reuters.com/
https://www.aljazeera.com/
https://theintercept.com/
I don't know what changed, or how it changed - but thanks.

Anonymous

June 28, 2018

Permalink

I am using Windows. The Check Tor Project page of 8.0a9 has orange graphics. The page
reports that although the browser is configured to use Tor, the browser itself is not tor browser. Also, the address bar information ("i" encircled) reports that encrypted pages are not encrypted ... starting with the Check Tor Project page itself! I have downloaded the installer twice from the project page, and installed 8.0a9 twice. I have used the Tor button installation method, also. The results are the same each time. Thanks for all that the Tor team has done for us. I will use 8.0a8 for now, and hope to see more information in the comments.

Anonymous

June 28, 2018

Permalink

On Windows, the Check Tor Project page reports that the browser is configured for Tor but is not Tor Browser ... in orange font. Also, encrypted pages are reported by the encircled "i" icon in the address bar as NOT ENCRYPTED (I'm not shouting, just kind of excited - that's all). I have downloaded the installer twice from the project page, and installed 8.0a9 twice. I have also used the Tor button update option. I get the same results each time. Thank you for your hard work to help us all. I'll use 8.0a8 for now until some clarification results.

Anonymous

June 29, 2018

Permalink

Wow, I can see that as someone stated (not very politely), TP is staggering under a long long list of issues to fix just to keep TB from becoming more insecure week by week, in the face of so many technical threats.

Quick comment on appearances: IMO, security/privacy should always be prioritized over cosmetics. My main concern with FF's changing design (have they never heard of "if it aint broke dont fix it"?) forcing TB to follow suit is that regular users will be confused by appearances, possibly even harmed owing to some misunderstanding based on previous experience of using TB.

Anonymous

June 29, 2018

Permalink

> 2016 IRS Form 990 and other forms expected like usual in late 2017

Nu? It's Jun 2018 and Form 990 nowwhere to be seen.

Anonymous

June 30, 2018

Permalink

I removed NS when I meant to temporarily disable it. Are there any NS settings specifically for TorBrowser or can I just download it from the add-ons page? Yes or no is sufficient.

Anonymous

July 01, 2018

Permalink

ADVANCED_LAYERS
available by user: Enabled for Windows 7 via user-preference

->:

GPU_PROCESS
failed by runtime: Failed to connect GPU process
(#3) Error Killing GPU process due to IPC reply timeout
(#4) Error Failed to connect GPU process
(#5) Error Receive IPC close with reason=AbnormalShutdown

Anonymous

July 02, 2018

Permalink

Hello,

Is that mean the current version base on the 52.x version of Firefox will be discontinued any time soon ?

The problem with this new version is that gtk3 is required, which mean dbus too along with some other lib that will help the remote seats

Anonymous

July 02, 2018

Permalink

ogni volta che cerco di aprire tramite Torbrowser un file .onion mi da il seguente errore:
-Impossibile stabilire una connessione con il server proxy
Firefox è configurato per utilizzare un server proxy che non risulta raggiungibile.
Verificare la correttezza delle impostazioni del proxy.
Verificare se il computer ha una connessione di rete funzionante.
Se il computer o la rete sono protetti da un firewall o un proxy, assicurarsi che Tor Browser abbia i permessi per accedere al web.
ho configurato le configurazioni avanzate come descritto in più siti, ma niente, consigli o soluzioni?
grazie

Anonymous

July 02, 2018

Permalink

When visiting a handful of onion links, I'm told I can't view them because I need a Tor browser. Not a lot of sites, just a few...but enough to make it a pain in the butt.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

2 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.