New Release: Tor Browser 8.0.1

Tor Browser 8.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that we just picked up the necessary patches this time but did not bump the Firefox version to 60.2.1esr as we needed to start building before Mozilla was ready. Thus, users are fine with Tor Browser 8.0.1 even if the Firefox version says 60.2.0esr.

Moreover, Alex Catarineu from Cliqz found a mistake we made that would make it possible to trick a user into installing an unsigned Torbutton extension. Thus, all users are encouraged to update older Tor Browser versions to 8.0.1 and keep in mind that installing third party extensions is potentially dangerous to Tor Browser's privacy guarantees and therefore strongly discouraged.

Tor Browser 8.0.1 is shipping the first stable Tor in the 0.3.4 series (0.3.4.8) which solves an annoying crash bug on older macOS systems (10.9.x).

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript. This takes concerns about any server passively logging the User Agent into account while still avoiding broken websites as good as we can. Thanks to everyone who helped with this issue.

Finally, we included a banner for signing up to Tor News which allows anyone to stay up-to-date about things going on in the Tor universe (which is, admittedly, sometimes hard to keep track of).

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. While we fixed a number of them for the 8.0.1 release, there are still issues remaining. The most important ones are listed below:

  • WebGL is broken right now.
  • Accessibility support is broken on Windows. We are considering options to address this issue right now.
  • Tor Browser 8 is not starting anymore on some older Ubuntu/Mint Linux systems. We still have issues to reproduce this bug but hope we can fix it in the next release.
  • Tor Browser 8 is not starting anymore on CentOS 6. We have a fix in our upcoming 8.5a2 to give it a bit of testing. Users affected by this bug may resort to that alpha version for now. We plan to backport the patch in the next stable release.
  • NoScript is not saving per-site permissions anymore. We have a potential patch for this bug in our 8.5a2 release as well and plan to backport it, too, in the next stable release in case no issues with it are found.

Note: The changelog file has an incorrect release date (September 24 instead of September 22).

The full changelog since Tor Browser 8.0 is:

  • All platforms
    • Update Tor to 0.3.4.8
    • Update Torbutton to 2.0.7
      • Bug 27097: Tor News signup banner
      • Bug 27663: Add New Identity menuitem again
      • Bug 26624: Only block OBJECT on highest slider level
      • Bug 26555: Don't show IP address for meek or snowflake
      • Bug 27478: Torbutton icons for dark theme
      • Bug 27506+14520: Move status version to upper left corner for RTL locales
      • Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
      • Bug 27558: Update the link to "Your Guard note may not change" text
      • Translations update
    • Update Tor Launcher to 0.2.16.6
      • Bug 27469: Adapt Moat URLs
      • Translations update
      • Clean-up
    • Update NoScript to 10.1.9.6
    • Bug 27763: Restrict Torbutton signing exemption to mobile
    • Bug 26146: Spoof HTTP User-Agent header for desktop platforms
    • Bug 27543: QR code is broken on web.whatsapp.com
    • Bug 27264: Bookmark items are not visible on the boomark toolbar
    • Bug 27535: Enable TLS 1.3 draft version
    • Backport of Mozilla bug 1490585, 1475775, and 1489744
  • OS X
    • Bug 27482: Fix crash during start-up on macOS 10.9.x systems
  • Linux
    • Bug 26556: Fix broken Tor Browser icon path on Linux
Anonymous

September 22, 2018

Permalink

Thanks troopers for bringing back the identity change item in Torbutton! Does anyone know that since 8.0.0 bookmarks are unable to dock to the bookmark toolbar? I thought I would have seen that in the known issues as it still is a problem and I was not the first to bring this up.

The following worked for me:
1. Select → View/Toolbars/Bookmarks Toolbar
2. Select → View/Toolbars/Customize, opening the customize menu.
3. In the customize menu, drag/drop '⧆Bookmarks Toolbar Items' to the customize-menu toolbar.
4. Restore or import your bookmarks.

Anonymous

September 22, 2018

Permalink

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with he Tor Browser by design breaks a lot of things so please don't make some people look different just because of a website's problem.JavaScript

Ok, can you use the same fonts later on across Linux, Mac and Windows and then revert this JS related patch in the future (methinks Tor Browser 10)?

Anonymous

September 22, 2018

Permalink

WOW :) Nice work Tor! This new Stable release is absolutely Superb, super slick. A big thank you to everyone at Tor Project :D

Anonymous

September 22, 2018

Permalink

Thanks for fixing the widely debated user agent issue so quickly, well and thanks for your work anyway. One question though: Are there plans to restore the old New Identity behaviour to clear NoScript's temporary permissions, or is this impossible to do with the new No Script web extension?

Anonymous

September 22, 2018

Permalink

OBS4 still doesn't load on Windows?
I don't know if TOR can't do anything about incessant blocking of websites (cloudfare), is there a solution so I don't have to find a new circuit to get a site to work?

Too much time is lost! Some sites won't let you in no matter how many circuits get changed.
I use this browser for general browsing, am I better off using a mainstream browser?

Again, sites don't let you in, and what sites that do let you in, can take several minutes?

Anonymous

September 22, 2018

Permalink

Version 8 has been a nightmare. Onion sites rarely work with this version now.
This version is way slower than 7? Sites stall out all of the time? Pages rarely load?

Using windows version of TOR.

Anonymous

September 22, 2018

Permalink

— The Tor Browser 8.0.1 default browser-window size on MacOS, Linux, and Windows desktop computers must be identical across all three platforms to help preserve the anonymity of Tor Browser users, but, apparently, the Tor Browser 8.0.1 default browser-window size varies, depending on whether the desktop platform is MacOS, Linux, or Windows. For example:

1000 Width x 0998 Height on MacOS desktop
1000 Width x 1000 Height on Linux desktop
1000 Width x 1000 Height on Windows desktop

— In order to preserve the anonymity of Tor Browser users on MacOS, Linux, and Windows desktop computers, the Tor Browser default browser-window size must not vary and must be identical in size on MacOS, Linux, and Windows desktop computers. For example:

1000 Width x 1000 Height on MacOS desktop
1000 Width x 1000 Height on Linux desktop
1000 Width x 1000 Height on Windows desktop

— In Tor Browser 8.0.1, the default browser-window size on MacOS desktop is 1000 Width x 998 Height.

— In Tor Browser 8.0, the default browser-window size on MacOS desktop is 1000 Width x 998 Height.

— In Tor Browser 7.5.6, the default browser-window size on MacOS desktop is 1000 Width x 1000 Height.

— In Tor Browser versions prior to version 7.5.6, the Tor Browser default browser-window size on MacOS desktop computers is 1000 Width x 1000 Height.

Anonymous

September 22, 2018

Permalink

Thank you for fixing the user agent issue!!!

Have there been any thoughts about replacing NoScript with uMatrix? uMatrix allows for more granular JS, cross-site-request, and cookie blocking on a per-site or global basis. It can also block/allow "behind-the-scenes" requests made by SharedWorkers or browser extensions. Now that the WebExtensions version of NoScript lacks features like ABE and ClearClick, it is strictly inferior to feature set of uMatrix. uMatrix is not an adblocker (uBlock Origin is the adblocker).

Anonymous

September 22, 2018

Permalink

Gesturefy 2.x add-on still doesn't work, as reported earlier

Add-on installs and configures just fine, but the mouse gestures do not work. No matter which mouse gesture I try, there's always a diagonal line (starting from the upper left corner to the center of the browser window) and then nothing happens.

Anonymous

September 22, 2018

Permalink

since today's update, noscript refuses to save any settings and loads with no whitelist at all until the reset button is used

Anonymous

September 22, 2018

Permalink

I just got a new computer this week (Windows 10 Home 64-bit). I downloaded TBB 8.0. and everything worked fine. I just tried updating the new TBB update and McAfee quaranteed it. I restored the quarenteed item and restarted my computer. I tried opening the Tor browser again and McAfee once again quaranteed it. I've now downloaded the last known TBB version 8.0 in order to come here to leave this comment.

http://imageupper.com/g/?S120001001Z15376635621365637

Anonymous

September 22, 2018

Permalink

Hello Tor team!

Big thank's for this release, glad to see the identity changer is back again.
However I do miss to see countries!

Would be greatly appreciated if you guys could add that feature back again.

//Best regards

Anonymous

September 22, 2018

Permalink

Note that we just picked up the necessary patches this time

You mean all or just https://hg.mozilla.org/releases/mozilla-esr60/pushloghtml?changeset=654…

but did not bump the Firefox version to 60.2.1esr as we needed to start building before Mozilla was ready.

Why didn't you bump the Firefox to its revision 6546ee839d30 on 11 Sep from https://hg.mozilla.org/releases/mozilla-esr60/shortlog

Thus, users are fine with Tor Browser 8.0.1 even if the Firefox version says 60.2.0esr.

Hmm, but why does it say 60.2.0.6609?

Anonymous

September 22, 2018

Permalink

Moreover, Alex Catarineu from Cliqz found a mistake we made that would make it possible to trick a user into installing an unsigned Torbutton extension.

Huh? We have
xpinstall.whitelist.required;true
to prevent installations from anything except TestPilot & AMO.
But what are you going to do with
extensions.langpacks.signatures.required;false

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

19 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.