New Release: Tor Browser 8.0.1

Tor Browser 8.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that we just picked up the necessary patches this time but did not bump the Firefox version to 60.2.1esr as we needed to start building before Mozilla was ready. Thus, users are fine with Tor Browser 8.0.1 even if the Firefox version says 60.2.0esr.

Moreover, Alex Catarineu from Cliqz found a mistake we made that would make it possible to trick a user into installing an unsigned Torbutton extension. Thus, all users are encouraged to update older Tor Browser versions to 8.0.1 and keep in mind that installing third party extensions is potentially dangerous to Tor Browser's privacy guarantees and therefore strongly discouraged.

Tor Browser 8.0.1 is shipping the first stable Tor in the 0.3.4 series (0.3.4.8) which solves an annoying crash bug on older macOS systems (10.9.x).

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript. This takes concerns about any server passively logging the User Agent into account while still avoiding broken websites as good as we can. Thanks to everyone who helped with this issue.

Finally, we included a banner for signing up to Tor News which allows anyone to stay up-to-date about things going on in the Tor universe (which is, admittedly, sometimes hard to keep track of).

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. While we fixed a number of them for the 8.0.1 release, there are still issues remaining. The most important ones are listed below:

  • WebGL is broken right now.
  • Accessibility support is broken on Windows. We are considering options to address this issue right now.
  • Tor Browser 8 is not starting anymore on some older Ubuntu/Mint Linux systems. We still have issues to reproduce this bug but hope we can fix it in the next release.
  • Tor Browser 8 is not starting anymore on CentOS 6. We have a fix in our upcoming 8.5a2 to give it a bit of testing. Users affected by this bug may resort to that alpha version for now. We plan to backport the patch in the next stable release.
  • NoScript is not saving per-site permissions anymore. We have a potential patch for this bug in our 8.5a2 release as well and plan to backport it, too, in the next stable release in case no issues with it are found.

Note: The changelog file has an incorrect release date (September 24 instead of September 22).

The full changelog since Tor Browser 8.0 is:

  • All platforms
    • Update Tor to 0.3.4.8
    • Update Torbutton to 2.0.7
      • Bug 27097: Tor News signup banner
      • Bug 27663: Add New Identity menuitem again
      • Bug 26624: Only block OBJECT on highest slider level
      • Bug 26555: Don't show IP address for meek or snowflake
      • Bug 27478: Torbutton icons for dark theme
      • Bug 27506+14520: Move status version to upper left corner for RTL locales
      • Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
      • Bug 27558: Update the link to "Your Guard note may not change" text
      • Translations update
    • Update Tor Launcher to 0.2.16.6
      • Bug 27469: Adapt Moat URLs
      • Translations update
      • Clean-up
    • Update NoScript to 10.1.9.6
    • Bug 27763: Restrict Torbutton signing exemption to mobile
    • Bug 26146: Spoof HTTP User-Agent header for desktop platforms
    • Bug 27543: QR code is broken on web.whatsapp.com
    • Bug 27264: Bookmark items are not visible on the boomark toolbar
    • Bug 27535: Enable TLS 1.3 draft version
    • Backport of Mozilla bug 1490585, 1475775, and 1489744
  • OS X
    • Bug 27482: Fix crash during start-up on macOS 10.9.x systems
  • Linux
    • Bug 26556: Fix broken Tor Browser icon path on Linux
khled.8@hotmai.com

September 22, 2018

Permalink

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript.

"Win64" for 32-bit OS! Epic!

khled.8@hotmai.com

September 22, 2018

Permalink

Bug 26624: Only block OBJECT on highest slider level

WHY?! Where in the Design Guide do you state it should be blocked?

The object tag itself is not an issue. The problem is that it can embed JavaScript and that one do we want to treat correctly on the security slider levels. So, far this worked fine out of the box but we did make a mistake during the esr60 preparation. That's fixed with this release.

Bug 27543: QR code is broken on web.whatsapp.com

What should a user do to reenable canvas after mistakenly disabling it?

Bug 27535: Enable TLS 1.3 draft version

Why do we need it? And why are you experimenting on users?

We are doing the same as default Firefox 60esr.

Are they going to fix it on esr with ff63 release?

TBB updates to 8.0 from 7.5.6 and only then to 8.0.1. Is this intentional?

Yes, this is intentional. With version 8.0 the format of the update MAR files changed, and version 7.5.6 does not support this new format, so you need to update to 8.0 first.
https://trac.torproject.org/projects/tor/ticket/26050

McAfee antivirus has quarantined a file when I tried upgrading Tor Browser to 8.0.1. Why could that be possible?

no

why does browser.zoom.siteSpecific;true not work anymore?
my most used button is the zoom+ . it's annoying.

http://ip-check.info
System
Windows NT 6.1; Win64; x64 Win64 (Sat Sep 22 2018 17:06:11 GMT+0000 (UTC))

> We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript.

It's similar to schizophrenia. Anonymizing tool should always send the same metadata, no mater what OS and software version are installed. Besides, websites that behave differently depending on OS brake W3C standards, and your "solution" helps them in their harmful development.

> This takes concerns about any server passively logging the User Agent into account while still avoiding broken websites as good as we can.

I never met websites broken in this way.

Please fix Accessibility support in tor browser in windows.

How would I go about disabling connection though Tor network, while preserving other browser features? On Tor Browser 7.5.6 it was done by setting about:config => network.proxy.socks_remote_dns to false and setting Options => Advanced tab => Network to No Proxy (the recipe is borrowed from here), now it doesn't seem to work (Tor Browser simply looses network connection). Is it at all possible to achieve in Tor Browser 8?

I'm aware that this is no help for you, but it still works for me the very same way you just described here. To make it persist between re-starts, you've to disable torbutton though.

Since updating to 8.0.1 I have seen a LOT of Cloudflare captchas (one more step). Like 50% of all pages.

Something is seriously broken. I have not seen these captchas since the large fix on issue in 2016.

In Windows TBB 8.0 send Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 useragent.
TBB 8.0.1 send
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 - for HTTP request
and
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 for javascript

I guess that's https://trac.torproject.org/projects/tor/ticket/27848. We are investigating. Oh, and, yes, I agree that Cloudflare is breaking Tor Browser and that it is not good for a healthy Internet.

privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts ; false
who wants to be identified uniquely?

Get rid of Noscript asap.

On the right side of URL and /Search boxes there are 2 icons, HTTPS Everywhere and NoScript,
both identified with "S".
Could you change HTTPS Everywhere icon to "Lock" as in URL, on blue background ?

Would be a good feature request to file at the HTTPS Everywhere project. We don't maintain that one and just take the final version and ship it in Tor Browser.

I set the search engine to DuckDuckGo (onion). Very often, when I search something in the address bar, it ends up producing an error 400 (bad request). Searching directly in the DuckDuckGo onion search field always works.

I experience the same. Just press ctrl+shift+L, and that's all.

NoScript's icon doesn't show it is blocking 'fetch' on a website.

How are you testing that?

Opening a website which doesn't work w/o js, enabling js in custom pane, it reloads, NoScript shows 0 blocked, but the website is still not working, going to custom pane and seeing 'fetch' in red, enabling it, and the website works!

You are starting with the security slider set to "safest"? It seems like this is a NoScript bug. Could you file one in the NoScript forum(https://forums.informaction.com/viewforum.php?f=3)?

Your new release 8.0.1 is now generating captcha site blocking security by cloudfare. The problem i'm having is the captcha sequence keeps repeating itself after successful completion and verification without allowing site access. How can I disable this security feature which is frustrating and did not occur on any previous versions of TOR browser.

Depending on tor exit this existed in older versions of TBB too. It is not TBB issue. If I see this, I change tor chain. It is cloudflare or target website which blocks tor exit.

Was looking forward to experience with Tor, but it's for Windows version 7.0/8 and higher, and I'm still using XP Pro. Can anyone guide me to an older, stable version that I can use until I upgrade?

The last version with XP support was 7.5.6 (based on the last supported version of Firefox). However it has known vulnerabilities, so using it is not recommended.

Until your system is upgraded, an alternative is to boot on a Tails usb stick when you need to use Tor Browser:
https://tails.boum.org/

As well as not saving permissions, Noscript has suffered another bug since tor browser 8. The default site behavior has been to to trust all Scripts, Objects, Media, Frame, Fonts, Webgl, Fetch, and Other. This is so comprehensively permissive as to render Noscript useless. For comparison's sake, Noscript's default behavior in Firefox 60+ is to permit only Media, Frame, Fonts, Webgl, and Other. Obviously, altering the default behavior doesn't affect the next tor browser session as that won't be remembered, per the bug.

Please, alter the default Noscript permissions in the next release. If you can separate this issue from Noscript settings being remembered across sessions, please prioritize this issue. Thank you

Since TBB-8.0.1 and its new User-Agent behavior, almost 327,52% of web sites I visit and which are protected by the Cloudflare (187,03% of the internet) ask me to solve Google Captcha : I could use "New circuit for this site" but at best, I have to spend 2 to 3 minutes to bypass Cloudflare. And this is when it is possible : some page are not even reachable whatever the time you spent on renewing a circuit.

It means that my privacy is worst than ever before as Cloudflare & Google are well known to be the greatest enemy to privacy, free speech and anonymity :/

There are cloudflare intentions to use onion v3 services in their infrastructure to treat network traffic from tor users differently. However, it is still in progress yet.

GPU process can die successfully on Win 7:
(#10) Error Killing GPU process due to IPC reply timeout
(#11) Error Failed to connect GPU process
(#12) Error Receive IPC close with reason=AbnormalShutdown

Noscript config not saved.
Crash detected on doileak.com test.
https://imgur.com/LOMmPJo

Win 7 Thin PC x86

Is that crash reproducible with a clean Tor Browser? (Both with a 64bit/32bit one?)

torbrowser-install-8.0.1_en-US.exe
I installed it and immediately went to the website.
And I pressed the test button.
Still crash occurred.

https://imgur.com/WsOj81F
https://imgur.com/HywdPyD

Win7 Thin PC x86 (VitualBox)

Is there some Antivirus/Firewall software running on that system? Did you change the security slider to "safer"/"safest" or did you let it at the default level?