New Release: Tor Browser 8.5a3

by gk | October 5, 2018

Tor Browser 8.5a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. We picked up the necessary patches, but because we needed to start building before Mozilla was ready with a first candidate build, we did not bump the Firefox version to 60.2.2esr. Thus, users are fine with Tor Browser 8.5a3 even though the Firefox version is 60.2.1esr.

Furthermore, this release fixes Windows startup crashes and makes Tor Browser more compatible with the new macOS 10.14.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. The most important current issues are:

The full changelog since Tor Browser 8.5a2 is:

  • All platforms
    • Update Firefox to 60.2.1esr
    • Backport fix for Mozilla bug 1493900 and 1493903
  • Windows
    • Bug 27865: Tor Browser 8.5a2 is crashing on Windows
  • OS X
    • Backport fix for Mozilla bug 1489785 for macOS 10.14 compatibility

Comments

Please note that the comment area below has been archived.

October 05, 2018

Permalink

On the subject of accessibility, the Tor button is black even in high contrast mode, and is thus not visible in high contrast black.

October 05, 2018

Permalink

Please disregard my last message, the Tor button was black on 8.5a1 but once my browser updated to 8.5a3 it became visible on the toolbar.

October 05, 2018

Permalink

have the problem (Windows 10) that I am not able to save any downloads on a netwerkshare (SMB).. simply it doesn't work. also the default downlaod location can't be set to a network-share .. thanks for any hint!!
Mark

October 06, 2018

Permalink

:)

October 07, 2018

Permalink

I started to use tor 8.0.2, and when it starts, my antivirus detected a threat, I do not know what it was, but I'll wait a while, see what people talk about

October 08, 2018

Permalink

For dev interest, seeing this attack with 8.0.2 or 8.5a3:

- Security slider safest position.
- Do normal browsing (no JS).
- Adversary performs attack where JS is suddenly enabled (no change in website required). S symbol becomes open in front of your eyes.
- Have to destroy the VM (Disposable) immediately to limit risk of infection

Obviously there is some gaping hole weakness in NoScript and how it intersects with Tor Browser. Might wanna look into that...

October 08, 2018

In reply to gk

Permalink

Nothing special.

- Fresh Qubes-Whonix DisposableVM
- Browse.

Saw this attack on this website, Whonix v3 onion and Github. Usually appeared within 1-2 minutes of new browser session after previous DispVM destroyed. Appears to have eased, but I wonder whether they can target users of particular destination websites, or whether I'm just on their pet list (probably the latter)

October 08, 2018

Permalink

Guys, please stop to put Google within TOR. Google Safe Browsing for Firefox is still within the package and log users IP!

Secound, This TOR version is too slow and using too much RAM!

The Home Website to check the server TOR IP is gone, why?

October 08, 2018

Permalink

strange i have a lock on my applications folder in mojave and it doesn't allow me to drag/drop tor packet.

also note
any time tor updates i typical lose functionality.
and have to tinker to get it back up.

October 08, 2018

Permalink

“[CloudFlare doesn’t] appear open to working together in open dialog, they actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.”

https://www.makeuseof.com/tag/tor-users-blocked-major-websites/

October 08, 2018

Permalink

hey im trying to get into the forums like the card cracking and nothing will come up it will eventually send me to a page saying the host is taking too long and to retry am i doing something wrong?

October 08, 2018

Permalink

Haha! Stupid tor! It gave me a shitty guard, so I changed it to obfs4 in TL. But that one wasn't good, so I changed back to normal guard and also checked firewall policy to 80, 443. AND:

Tor WARN: Failed to find node for hop #1 of our path. Discarding this circuit.
Tor WARN: Could not choose valid address for abunyasha

is spamming Browser Console until I uncheck firewall policy! Shit!
ADD AN OPTION TO CHANGE SHITTY GUARD TO NORMAL! OR DON'T CONNECT TO IT!

October 09, 2018

Permalink

How to configure Tor for total anonimaty?, please be direct and simple, i dont speak english very well, i dont know how to configure this new tor, the only one thing that i do is put the security bar in safest, dont know fi its enought

October 09, 2018

Permalink

This web site works well with old versions of TBB, and with 8.0, but with 8.5a3 and with 8.0.2 it is broken. Namely, after CloudFlare CAPTCHA is passed, JS is not loaded at the page at all. With NS disabled it doesn't work also. I think something is broken after transition from 8.0.1 to 8.0.2. Could you find the problem?

October 10, 2018

In reply to gk

Permalink

Cat? Not. :) Chat - Yes. Indeed, sometimes CAPTCHA is asked 2nd time just before entering the chat, but this is not the problem. In 8.0.2 I always get the page, where no button is clickable. You can open this site with old TBB version and see the difference. It is just Russian analogue of talkwithstranger.com (chat with randomly selected person, where age and gender can be chosen).

Actually, it is not solved, most of the time it doesn't work. Now it often doesn't work even with older TBB.

However, it works fine with modern TBB if tor's traffic also passes extra (non-tor) proxy. So, Georg was right that it is not an issue of tor browser. Admins (or Google's CAPTCHA?) simply block some JS scripts based on IP address.

October 09, 2018

Permalink

What's the status of encrypted sni support that Cloudflare announced for TLS 1.3?

October 10, 2018

Permalink

Torbutton cannot safely give you a new identity. It does not have access to the Tor Control Port.

Are you running Tor Browser Bundle?

October 16, 2018

In reply to gk

Permalink

Indeed.

gk

October 22, 2018

In reply to by Anonymous (not verified)

Permalink

I tested both 64 and 32bit en-US bundles on a Windows 7 machine and surfing works as expected with sandbox logging enabled. Does the same problem show up for you with a stable Tor Browser? Which Windows system are you on?

Well, if it is then we should figure out whether it's a Tor Browser one. :) I suspect you used the alpha on Windows 10? Does the same happen if you are using a stable Tor Browser version?

Stable does not have level 5 sandbox enabled due to a bug (see: https://trac.torproject.org/projects/tor/ticket/26381). We are testing a fix for that one in the alpha series and I am trying to understand whether that fix is causing your issue or maybe it's just sandboxing level 5 that is causing the problem. Could you double-check with a clean, Firefox ESR 60.3.0 (https://www.mozilla.org/en-US/firefox/organizations/all/)?

October 13, 2018

Permalink

05:21:38.408 Failed to import favicon data:[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIAsyncFavicons.replaceFaviconDataFromDataURL]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/BookmarkHTMLUtils.jsm :: insertFaviconForNode :: line 1141" data: no] 1 BookmarkHTMLUtils.jsm:1149
insertFaviconForNode resource://gre/modules/BookmarkHTMLUtils.jsm:1149:7
insertFaviconsForTree resource://gre/modules/BookmarkHTMLUtils.jsm:1177:3
insertFaviconsForTree resource://gre/modules/BookmarkHTMLUtils.jsm:1181:7
insertFaviconsForTree resource://gre/modules/BookmarkHTMLUtils.jsm:1181:7
_importBookmarks resource://gre/modules/BookmarkHTMLUtils.jsm:903:7
next self-hosted:1214:9

October 14, 2018

Permalink

When working on THE tor 8.0.2 version of the browser, it is impossible to save the entered list of trusted sites in the NoScript 10.1.9.8 add - on-when you exit and re-enter all the entered data is lost. To view the scripts, I had to turn it off. Is there a problem?

See: https://trac.torproject.org/projects/tor/ticket/27175 where we implemented a fix. Having a custom list of exceptions is generally bad news for you with respect to tracking protection which is why we strongly discourage that and especially if saving those exceptions to disk is concerned. However, we provide a possible way to get this functionality back if one really, really thinks one needs it.

October 14, 2018

Permalink

Tor 8.0 still exposes your OS,and Browser Referrer,the strings no longer take effect when you edit them in about:config/agent etc. Tor needs to fix this issue asap as they say they are? I would revert back to 7.5 version if you are worried about your privacy as it still works as a charm without updating to 8.0.

October 15, 2018

Permalink

Why does tor fix the first node where I enter the internet ?
It made me easy to be traced by malious forces and persons!!!
what the fuck are you doing?
Have you tor organization compromised the whole tor project to USA government ?

October 16, 2018

Permalink

Tor NOTICE: Tor has been idle for 64185 seconds; assuming established circuits no longer work.
Tor NOTICE: Heartbeat: Tor's uptime is 1 day 2:48 hours, with 0 circuits open. I've sent 102.09 MB and received 2.54 GB.
Tor NOTICE: Average packaged cell fullness: 51.691%. TLS write overhead: 5%
Tor WARN: Failed to find node for hop #1 of our path. Discarding this circuit.
Tor NOTICE: Our circuit 0 (id: 570) died due to an invalid selected path, purpose General-purpose client. This may be a torrc configuration issue, or a bug.
Tor WARN: Failed to find node for hop #1 of our path. Discarding this circuit. Tor NOTICE: Tor has successfully opened a circuit. Looks like client functionality is working.

This is a default config of torrc in TBB => this is a bug.

October 17, 2018

Permalink

13:14:41.919 TypeError: aOldNode is undefined 1 treeView.js:459:9
PTV__getNewRowForRemovedNode chrome://browser/content/places/treeView.js:459:9
PTV__restoreSelection chrome://browser/content/places/treeView.js:510:17
PTV_invalidateContainer chrome://browser/content/places/treeView.js:1106:5
notify resource://gre/modules/Bookmarks.jsm:1289:30
insertTree/< resource://gre/modules/Bookmarks.jsm:561:9
next self-hosted:1214:9
showBookmarkDialog resource:///modules/PlacesUIUtils.jsm:294:5
PCH_bookmarkCurrentPages chrome://browser/content/browser-places.js:527:5
oncommand chrome://browser/content/browser.xul:1:1

October 17, 2018

Permalink

13:22:51.996 [Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIMessageSender.sendAsyncMessage]" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: resource://gre/modules/ExtensionUtils.jsm :: sendAsyncMessage :: line 533" data: no] 1 (unknown)
sendAsyncMessage resource://gre/modules/ExtensionUtils.jsm:533:51
_handleMessage/deferred.promise< resource://gre/modules/MessageChannel.jsm:984:9

October 24, 2018

In reply to gk

Permalink

Hah. But it doesn't mean NoScript shouldn't be fixed. :) How are you going to provide UI for temp. enabling Script/Media/etc here and there (on higher security levels) if you hide NoScript?

October 25, 2018

In reply to gk

Permalink

It would be better to add all the features (SVG, etc) to NoScript and remove Torbutton altogether as it is the only thing (except weird size) that distinguishes Tor Browser from Firefox (visually).

October 21, 2018

Permalink

09:57:51.101 Error requesting favicon URL for about:reader content: favicon not found for uri 1 ReaderParent.jsm:33
onRejection resource:///modules/ReaderParent.jsm:33:13

October 22, 2018

Permalink

Am I here on the right place for my question?

I have 2 Acer laptops. ES-11. ES1-132-C5XN and Aspire E11 ES3-111-C7Q5. With latest TOR browser updated.

With the last one, I can easily log under TOR in at all websites. With the first one it gives many problems. May be the provider blocks it in Malaysia? Before I also had some problems with bridges connection on the first computer. Meek Azure works the best. But not anymore on computer 1.

Please advise. Should I a clean install ? How do I do so?

November 10, 2018

Permalink

I am very disappointed, because there are thousands of links but almost nothing is working. Each time a get the message about a timeout.
Am I doing something wrong? There was already somebody else raising this question some weeks ago but I saw no answer.
Thanks for any hint.

December 01, 2018

Permalink

We picked up the necessary patches, but because we needed to start building before Mozilla was ready with a first candidate build, we did not bump the Firefox version to 60.2.2esr.

Mozilla versions nightly by appending “beta”
Tor could version the browser with “patched”, like 60.2.1patched.
Otherwise this isn’t a proper version scheme.