New Release: Tor Browser 8.0a10

Update (8/21 7:45UTC): We got reports from users facing a weird update behavior: even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates. This is tracked in bug 27221. As a workaround, please either use a fresh 8.0a10 or go to about:config, search for 8.0a9. browser.startup.homepage_override.torbrowser.version and extensions.lastTorBrowserVersion will show up. Switch their values to 8.0a10. Sorry for the inconvenience.

Update 2 (8/23 16:20UTC): Today NoScript got released which broke the security slider interaction due to a new messaging protocol. We fixed this problem in bug 27276 and the patch will be available in the Tor Browser 8 release. However, there is no alpha release planned to pick up this fix. Users that depend on the security slider functionality are encouraged to use the stable Tor Browser or a nightly version (starting with the one from tomorrow, August 24) until Tor Browser 8 and the next regular alpha release get out. Again, sorry for the inconvenience.

Tor Browser 8.0a10 is now available from the Tor Browser Project page and also from our distribution directory.

It is the second alpha release based on Firefox ESR 60 and contains a number of improvements and bug fixes. The highlights are the following features and major bug fixes:

  1. This alpha includes big changes to the user onboarding experience, and there are more to come.
  2. We included a revamped start page (special thanks to Mark and Kathy for the implementation on short notice).
  3. The meek pluggable transport should be fully functional now.
  4. We audited and enabled HTTP2 which should give performance improvements on many websites.
  5. We added another bunch of locales and ship our bundles now additionally in ca, ga-IE, id, is, and nb-NO.

For Windows users we worked around a bug in mingw-w64 which affected updates on Windows (64bit) resulting in intermittent update failures. Moreover, we finally enabled hardware acceleration for improved browser rendering performance after applying a fix for a long-standing bug, which often caused crashes on Windows systems with graphics cards, e.g. from Nvidia.

The Tor version we ship is now and it would be a good time now to report client issues, noticed with this release candidate or previous alpha releases, in case they did not get fixed so far.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 8.0a9 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

  1. On Windows localized builds on first start the about:tor page is not shown, rather a weird XML error is visible.
  2. Maybe related to the previous item, NoScript does not seem to work properly on Windows builds right now.
  3. We are not done yet with reviewing the network code changes between ESR52 and ESR60. While we don't expect that proxy bypass bugs got introduced between those ESR series, we can't rule it out yet.
  4. We disable Stylo on macOS due to reproducibility issues we need to investigate and fix. This will likely not get fixed for Tor Browser 8, as we need some baking time on our nightly/alpha channel before we are sure there are no reproducibility/stability regressions. The tentative plan is to get it ready for Tor Browser 8.5.

Note: This alpha release is the second one that gets signed with a new Tor Browser subkey, as the currently used one is about to expire. Its fingerprint is: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2. We plan to use it for the stable series, too, once Tor Browser 8 gets released.

The full changelog since Tor Browser 8.0a9 is:

  • All platforms
    • Update Tor to
    • Update Torbutton to 2.0.2
      • Bug 26960: Implement new about:tor start page
      • Bug 26961: Implement new user onboarding
      • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
      • Bug 26590: Use new svg.disabled pref in security slider
      • Bug 26655: Adjust color and size of onion button
      • Bug 26500: Reposition circuit display relay icon for RTL locales
      • Bug 26409: Remove spoofed locale implementation
      • Bug 26189: Remove content-policy.js
      • Bug 27129: Add locales ca, ga, id, is, nb
      • Translations update
    • Update Tor Launcher to
      • Bug 26985: Help button icons missing
      • Bug 25509: Improve the proxy help text
      • Bug 27129: Add locales ca, ga, id, is, nb
      • Translations update
    • Update NoScript to
    • Update meek to 0.31
      • Bug 26477: Make meek extension compatible with ESR 60
    • Bug 27082: Enable a limited UITour for user onboarding
    • Bug 26961: New user onboarding
    • Bug 14952: Enable HTTP2 and AltSvc
      • Bug 25735: Tor Browser stalls while loading Facebook login page
    • Bug 17252: Enable TLS session identifiers with first-party isolation
    • Bug 26353: Prevent speculative connects that violate first-party isolation
    • Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
    • Bug 26456: HTTP .onion sites inherit previous page's certificate information
    • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
    • Bug 26833: Backport Mozilla's bug 1473247
    • Bug 26628: Backport Mozilla's bug 1470156
    • Bug 26237: Clean up toolbar for ESR60-based Tor Browser
    • Bug 26519: Avoid Firefox icons in ESR60
    • Bug 26039: Load our preferences that modify extensions (fixup)
    • Bug 26515: Update Tor Browser blog post URLs
    • Bug 27129: Add locales ca, ga, id, is, nb
    • Bug 26216: Fix broken MAR file generation
    • Bug 26409: Remove spoofed locale implementation
    • Bug 26603: Remove obsolete HTTP pipelining preferences
  • Windows
    • Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
    • Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
    • Bug 12968: Enable HEASLR in Windows x86_64 builds
    • Bug 9145: Fix broken hardware acceleration
    • Update tbb-windows-installer to 0.4
      • Bug 26355: Update tbb-windows-installer to check for Windows7+
    • Bug 26355: Require Windows7+ for updates to Tor Browser 8
  • OS X
    • Bug 26795: Bump snowflake to 6077141f4a for bug 25600
  • Linux
    • Bug 25485: Unbreak Tor Browser on systems with newer libstdc++
    • Bug 20866: Fix OpenGL software rendering on systems with newer libstdc++
    • Bug 26951+18022: Fix execdesktop argument passing
    • Bug 26795: Bump snowflake to 6077141f4a for bug 25600
  • Build System
    • All
      • Bug 26410: Stop using old MAR format in the alpha series
      • Bug 27020: RBM build fails with runc version 1.0.1
      • Bug 26949: Use GitHub repository for STIX
      • Bug 26773: Add --verbose to the ./mach build flag for firefox
      • Bug 26569: Redirect pre-8.0a9 alpha users to a separate update directory
      • Bug 26319: Don't package up Tor Browser in the `mach package` step
    • OS X
      • Bug 26489: Fix .app directory name in tools/dmg2mar
    • Windows
      • Bug 27152: Use mozilla/fxc2.git for the fxc2 repository

August 20, 2018


Hello. Tor button Circuit Display is not showing in Windows. Also, there is no drop down menu arrow for the button; nor is Tor button green. "New Identity" and "New Tor Circuit" do show up in the hamburger, though. I just downloaded the 8.0a10 installer, installed TBB and this is what I have discovered so far. Thank you.


August 20, 2018


Hello. I've been giving 8.0a10 a testing on Windows 7. At first things went ok. Then, the same problem that I had with 8.0a9 reappeared with 8.0a10. It may take a few restarts to get to this behavior I am describing. When navigating to any new page (e.g.: from the purple starting page, the TBB 8.0a10 gets stuck in an endless page reloading cycle. The new page keeps flashing and reloading and the browser can't be used. One cannot even type a new URL into the address bar because the address bar clears with each page reload. Also, I notice that the onion button is not green, but charcoal gray. The temporary fix is to reinstall the TBB after deleting the "Tor Browser" folder. However, the problem soon returns. I have done the re-installation with both Windows Defender and Avast turned off, and have left Defender off - no good. The problem comes back even with Defender turned off in the registry. Thank you all for your hard work.

Hm. Is there are way you could make me a bundle available that is causing the problem, so I can inspect it and give it a try? If so, I'd gladly have a look. You can reach me via gk[@]torproject[.]org (without the brackets).

That said I fear that it is still some AV functionality that is interfering with Tor Browser, although I have no good idea how to deal with that. Could you try uninstalling Avast and see if that fixes the problem? (Turning those tools off often does not help).


August 21, 2018


[08-21 08:52:45] Torbutton INFO: This is a Tor Browser's XPCOM
Are you going to phase out XPCOM?

10:53:22.607 [NoScript] Cannot collect noscript activity data Could not establish connection. Receiving end does not exist. collectSeen@moz-extension://%uuid%/bg/main.js:252:38
1 log.js:12:62
What does it try to collect about users?!
(It also reveals local time in logs)

This is NoScript in the parent process trying to check what NoScript in the child process have detected/blocked, all inside the (multi-process) TorBrowser, in order to display this data in the popup UI when it's needed. The timestamp is automatically logged by the browser's console on each printed message. Nothing leaves your browser or is written on the disk.

Hi, Giorgio! We are pleased to see you here!
Can we report NoScript issues here in the future?
Why does it log that and other noise with just a New Tab opening?

[08-21 09:03:34] Torbutton INFO: tor SOCKS:… via
"alpha", "Windows_NT 10.0" - could we send less info to mozilla?

> Update (8/21 7:45UTC): We got reports from users facing a weird update behavior: even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates.

successfully? It's entirely missing from Update History! 8.0a9-8.0a10.mar downloaded, restarted, and:
[08-21 09:15:43] Torbutton INFO: tor SOCKS:… via
Now Full update. Restarting...

It looks like we still need 5 cycles of partial/full updates on win64 to update...

You might have hit ? Otherwise, yes, the intermittent update failure will be gone when updating from 8.0a10 to the next alpha.

I mean, if you use Wind0wz, you get what you get.

Try Tails Linux. It's easy, it's fun, and you might learn a valuable skill or two.

It's an alpha test. Relax.
Also look into TBB userbase ;)

Build System
Bug 26410: Stop using old MAR format in the alpha series
Bug 26569: Redirect pre-8.0a9 alpha users to a separate update directory

It is 'Updater', not 'Build System' ;)

Hey! It didn't show about:tbupdate on update!

Yes, that's due a bug we have during update (see the update in the blog post at the top) which causes an ongoing update redownload. See the possible workarounds in that blog update for a solution.

> Bug 26237: Clean up toolbar for ESR60-based Tor Browser
It doesn't work for updated from 8.0a9 browsers :(

Yes, but that's more or less on purpose as we don't want to mess with user customizations. So, you just need to customize it once and then you are set.

7.5.6 -> 8.0?

10:15:04.554 NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIWebNavigation.loadURIWithOptions] 1 browser-child.js:359

Menu/Options triggers
[08-21 10:15:05] Torbutton INFO: tor SOCKS:… via
fun, fun...

What's the problem? That an update request gets issued? Or that it's not isolated to the first party domain? The letter is to be expected given that the Menu/Options trigger it (how exactly gets that triggered?).

No problems (given that the Menu/Options trigger it).

10:15:05.995 Public-Key-Pins: An unknown error occurred processing the header specified by the site. 1 en-US…

Still intermittent unknown errors while processing HPKP...

Seems to be reproducible when opening 'About Tor Browser' and seeing in Browser Console!

Alright, filed for further investigation, thanks! (And by no means feel free to help with this or any other bug, we have more than we can squash :( ).

I see. It can be HTTPS-E, again :( Don't want to look at it. You asked for more bugs - now you have them :)

Opening menu/options makes current update downloading process hang on windows.

You mean about:preferences or just some menuitem on the titlebar? Or the security slider settings?


Perhaps you could start by using something other than Windows?

It's proprietary, a black box. Don't trust your privacy/security with such an ugly thing.

Tor Browser should still work properly on it.

> Bug 26603: Remove obsolete HTTP pipelining preferences
You forgot:

BTW, Mozilla forgot:

Thanks, filed for the prefs on our side. Mozilla would be happy to see a bug filed about the preferences they forgot to remove. *hint* *hint* :)

They should be more friendly to anonymous bug submission. *hint* ;)

Oh, no! They implemented h2 only, not http/2! So, we still need http/1.1 for plain http connections and HTTP pipelining for performance!

The User Agent leaks more entropy than the previous releases, please fix this (I visit one website safest security setting = they can't know my OS, but now they can thanks to user agent)

It's a Mozilla led wreckage, even the original bug report on bugzilla doesn't make sense ("Because the network fingerprint leaks OS" BUT WHAT IF IT IS USED WITH A PROXY!)

This situation is literally unbelievable.

("Because the network fingerprint leaks OS" BUT WHAT IF IT IS USED WITH A PROXY!)

Yeah, especially considering that Linux and Mac OS users are a minority so the entropy is actually higher when you don't fit the Redmond norm. We should never keep quiet about this otherwise it will get ignored as a non-issue when it's a very big issue.

The general.useragent.override pref is Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 even for the Linux version, but the browser sends Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0.
Not a big deal, but confusing anyway ...