New Release: Tor Browser 8.5a1

Tor Browser 8.5a1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.5a1 is the first alpha release in the 8.5 series. It contains all the improvements from the new 8.0 release. In addition, we updated Tor to 0.3.4.7-rc and fixed an issue with Moat when a meek bridge has been configured.

The full changelog since Tor Browser 8.0a10 is:

  • All platforms
    • Update Firefox to 60.2.0esr
    • Update Tor to 0.3.4.7-rc
    • Update OpenSSL to 1.0.2p
    • Update Torbutton to 2.0.6
      • Bug 27401: Start listening for NoScript before it loads
      • Bug 27276: Adapt to new NoScript messaging protocol
      • Bug 26884: Use Torbutton to provide security slider on mobile
      • Bug 26962: Circuit display onboarding
      • Bug 26520: Fix sec slider/NoScript for TOR_SKIP_LAUNCH=1
      • Bug 26490: Remove the security slider notification
      • Bug 27301: Improve about:tor behavior and appearance
      • Bug 27097: Add text for Tor News signup widget
      • Bug 27214: Improve the onboarding text
      • Translations update
    • Update Tor Launcher to 0.2.16.4
      • Bug 25405: Cannot use Moat if a meek bridge is configured
      • Bug 27392: Update Moat URLs
      • Translations update
    • Update HTTPS Everywhere to 2018.8.22
    • Update NoScript to 10.1.9.1
    • Bug 26962: New feature onboarding
    • Bug 27403: The onboarding bubble is not always displayed
    • Bug 27283: Fix first-party isolation for UI tour
    • Bug 27213: Update about:tbupdate to new (about:tor) layout
    • Bug 26670: Make canvas permission prompt respect first-party isolation
    • Bug 26561: .onion images are not displayed
    • Bug 21787: Spoof en-US for date picker
    • Bug 21607: Disable WebVR for now until it is properly audited
    • Bug 21549: Disable wasm for now until it is properly audited
    • Bug 26614: Disable Web Authentication API until it is properly audited
    • Bug 27281: Enable Reader View mode again
    • Bug 26114: Don't expose navigator.mozAddonManager to websites
    • Bug 26048: Fix potentially confusing "restart to update" message
    • Bug 27221: Purge startup cache if Tor Browser version changed
    • Bug 26049: Reduce delay for showing update prompt to 1 hour
    • Bug 25405: Cannot use Moat if a meek bridge is configured
    • Bug 27268+27257+27262+26603: Preferences clean-up
  • Windows
    • Bug 26381: Work around endless loop during page load and about:tor not loading
    • Bug 27411: Fix broken security slider and NoScript interaction on Windows
  • Build System
    • All Platforms
      • Bug 27061: Enable verification of langpacks checksums
      • Bug 27178+27179: Add support for xz compression in mar files
Seth Schoen

September 08, 2018

In reply to by Anonymous (not verified)

+1 +1 +1 Please.

It seems to me that such an important, potentially identifying, fault must be rectified asap.
Thank you

Seth Schoen

September 05, 2018

How can I enable Flash on Tor? Some people are telling me it'll lower my privacy quality, but I don't care. I just want to know if it can be done. With this new browser update, I'm hoping it'll be possible.

Seth Schoen

September 05, 2018

If I edited an about:config option to comply with a bug patch before the patch made it into a release, will the option continue to be updated by future automatic updates? Or should I do a fresh install?

Seth Schoen

September 05, 2018

TB 8.5a stopped showing my bookmarks on the Bookmarks Toolbar, though they are still accessible from the Bookmarks==>Bookmarks Toolbar menu.
TB8.5a1 did not fix this as I hoped.
Please?

Seth Schoen

September 05, 2018

I'm using the uMatrix add-on to block the 3rd-party requests that NoScript doesn't show, and recently noticed that uMatrix blocks the CSP requests created by NoScript. Details: https://github.com/gorhill/uBlock/issues/3260

[...] when a site [...] is blocked in NoScript, noscript.net appears as a blocked third-party domain in uBO's panel (and allowing it doesn't do nothing, i.e. still red/blocked).
[...]
NoScript's CSP reports only fire when the first party domain is not whitelisted in NoScript. This might result in fake-domain.noscript.net being able to reconstruct the browsing history
[...]
According to a statement from [NoScript's author] Giorgio Maone there's no privacy issue (browser history leakage):

"fake-domain.noscript.net", as the name implies, is a domain which does not resolve to anything, and since noscript.net is under my control I can make sure nobody makes it real domain. It's used as the report URI for the script-blocking CSP, in order to catch LOCALLY whatever has been blocked by NoScript and show it in the UI. As soon as the request is initiated, is processed LOCALLY by NoScript and blocked, so the information never leaves the browser. If, by accident (e.g. because you disable NoScript while a page with the CSP loaded is still active) the CSP report is fired and not caught, as I said the domain doesn't resolve and the request just times out."

uMatrix shows this well - if you use it, but most users won't see this.

Question: Are TorBrowser users left to trust that NoScript CSP requests will:

  • ALWAYS stay local,
  • their destination site will ALWAYS be unresolvable,
  • the future updates WILL NEVER CHANGE THAT,
  • there will be NO EXPLOITS of these CSP tricks revealing the browsing history,
  • etc., etc.

Is anyone going to verify these statements?
Who's going to (every day) check that the formerly venomous snake released in your house still does not bite?
Perhaps TorBrowser can use a bit more sanity?

Seth Schoen

September 06, 2018

Can't open certain pages with the new Tor 8.0. Can't change channels nor see which countries I'm using to access the internet anymore. Can't stay downgraded 'cause of automatic updates. It gets more complicated. Don't like these changes.

Which pages do not work? Could you give me an example? The circuit display moved to the "lock" icon in your URL bar to give you the circuit for that particular site. What do you mean with "Can't change channels"?

"Can't open certain pages" is vague.
Do you see error messages?
If tab shows only what looks like blank white space without any messages, try looking for indications of the problem by using "view page source" (view-source) command.

Hej Jack, you can monitor the countries "you're using" by clicking site information. It's just relocated. Automatic updates can be deactivated in "Preferences". In the end it's not more complicated, just a bit new. Try it.

"you can monitor the countries "you're using" by clicking site information"

Site information???? Where the hell is that??? There is no "site information" available in the menus I've seen

One location for both is the hamburger menu. You get the circuit as well by clicking on the "lock" icon in the URL bar (see the user onboarding on the about:tor page for an introduction). We'll add a dedicated "New Identity" button to the toolbar soon, we just did not get the time to finish that before Tor Browser 8 needed to get out.

Is there any chance that the security levels could also be moved to the hamburger menu? E.g. in the form of a submenu with 3 items for each level and a checkmark next to the current one. That would require one less click and no subwindows to get to the security settings.

Some kind of clear indicator of the current security level (maybe as an emblem over the torbutton icon?) would also make the use of this feature easier. As it is now the user has to spend a few clicks just to learn the current level, not to mention the possibility of loading a page with wrong knowledge of the current level (happens easily when you have to constantly switch between them for different sites).

I find the option of multiple security levels extremely useful in itself, it's just a shame that its UI is not very handy.

Seth Schoen

September 06, 2018

Why no Windows Vista compatible version, (I still use Windows Vista), will this mean that I cannot continue using the old TOR, I really WANT TOR protection.

How should I proceed from here as I do not want to upgrade to the newest version of Windows spyware.

Advice (pretty please).

Thanks.

Firefox, on which Tor Browser is based, no longer supports Vista. Thus, Tor Browser doesn't either.

Please note that Vista no longer receives security updates. I strongly encourage you to update.

Tor Browser has recently upgraded to Firefox ESR 60, which requires at least Windows 7 to run.

If you are concerned the telemetry in Windows 7 and greater could compromise your security, then consider making a Tails live DVD or USB.

Seth Schoen

September 06, 2018

security.sandbox.content.level on Windows systems is on 2 and not on 5, and now Tor Browser doesn't work with any other sandboxing software

You mean having the level set to 5 works but 2 not? Which other sandboxing software are you talking about? FWIW: we think we have a fix for the issue that made sandboxing level 2 necessary for us. Should be released with Tor Browser 8.0.1.

Seth Schoen

September 06, 2018

New Tor Browser doesn't allow / blocks(?) Google Captcha, it loads forever and doesn't show the images.

Seth Schoen

September 06, 2018

Problem after logging in with facebook.com or facebookcorewwwi.onion. A dialog box pops up: Firefox.exe - Application error, The exception unknown software exception (0x400......) occurred in the application at location 0x......, Click on ok to terminate the program. Won't work after reinstalling Tor or anything, and same problem with a friend who updated his browser today.

Windows 7 and tor just updated few days ago, with latest new release and tor is up to date. You just need to login facebook and after few seconds when it opens your main page it pops the same dialog box with application error, then clicking ok and it says Gah - Your tab just crashed, when restore this tab this same application error box instantly pops out and it happens over and over again. Other web pages working fine with new tor browser release, but only this facebook page error.

I just tested it on a Windows 7 machine and it is working fine for me. Can you try a clean, new Tor Browser in a different location? Do you see the same problem? Is that a 32bit or a 64bit Tor Browser? (We offer now 64bit versions which might solve your problem in case it is related to limited memory available)

It was tor stable 8.0 version problem, it is latest automatic update version? Now I manually downloading tor 8.5a1 64-bit experimental and everything working fine. Thank you for responding and sorry for confusing wrong topic, was thinking it was updating to 8.5a1.

Seth Schoen

September 06, 2018

this new version refuses to honor my configuration; to wit, colors. I have it set to use system colors, I also tried changing background/text colors, nothing has been affected by any changes. The background is white and the text is black and I repeatedly told it not to do that. As TOR is too painful to look at as of today, I personally consider this a critical bug.

Seth Schoen

September 06, 2018

Just wrote about color UI, finally fixed it -- it's not in the settings menu, but requires making changes in the about:config page

Search for 'color', leave ui.use_native_colors alone ('true') but set
ui.use_standins_for_native_colors : false
*then* in options, set colors to 'use system' and override: always
( browser.display.document_color_use;2 )

Seth Schoen

September 06, 2018

Freaking people out by hiding so many essential details in the "Lock" and "Customize" areas was a bad idea. Late newsflash - most people despise the new Firefox design, they are calling for a return to the simpler more user-friendly version

Seth Schoen

September 06, 2018

It used to be that if you left clicked on a page you would have the option with noscript to either allow or disallow scripts on the page you are on. That option has disappeared now if you left click there is just a symbol for noscript but no options like before. It seems much more confusing now, and I have found even without granting permissions media is playing on pages now. Why the change?
