New Release: Tor Browser 8.0.3

Tor Browser 8.0.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.0.3 includes newer NoScript and HTTPS Everywhere versions. Moreover, it ships with a donation banner for our end of the year campaign and includes another round of smaller fixes for Tor Browser 8 issues on Linux systems. We also switched to a newer API for our NoScript <-> Torbutton communication, which we need for the Security Slider.

The full changelog since Tor Browser 8.0.2 is:

  • All platforms
    • Update Firefox to 60.3.0esr
    • Update Torbutton to 2.0.8
      • Bug 23925+27959: Donation banner for year end 2018 campaign
      • Bug 24172: Donation banner clobbers Tor Browser version string
      • Bug 27760: Use new NoScript API for IPC and fix about:blank issue
      • Translations update
    • Update HTTPS Everywhere to 2018.9.19
    • Update NoScript to 10.1.9.9
  • Linux
    • Bug 27546: Fix vertical scrollbar behavior in Tor Browser 8 with Gtk3
    • Bug 27552: Use bundled dir on CentOS/RHEL 6
k239

October 23, 2018

Permalink

yes

Unable to post comment at the ticket (link above), so, posting here:
Gesturefy 2.0.3 (extension enabled)
TBB 8.0.3

dom.w3c_pointer_events.enabled=false **no mouse gestures are seen by the extension, as if it's not even turned on
dom.w3c_pointer_events.enabled=true **mouse gestures are seen by the extension, but no matter what gesture I try, only 'UP' gesture is executed

Unable to post comment at the ticket (link above), so, posting here:
Gesturefy 2.0.3 (extension enabled)
TBB 8.0.3

-- continuation from the last post / dom.w3c_pointer_events.enabled testing --

privacy.resistFingerprinting=true [default] **mouse gestures not seen by the extension
privacy.resistFingerprinting=false **mouse gestures and the extension works properly

As I do not know what this preference does, nor it's impact on privacy/TOR, I have set it back to default. So, once again gestures do not work. If someone can find out what exactly this preference is doing to the extension, that'd be great.

There are several other privacy.resistFingerprinting(.xxx) preferences, all of which were left on default (TRUE) during testing.

k239

October 23, 2018

Permalink

Thank you for everything you do.You are great!

McAfee issues again where the new update gets quarenteed. This has been happening since version 8.0 I believe. Here it shows the current problem and one prior. https://imgur.com/a/wYlrG53

is pingsender.exe safe? after my update, it got quarantined

super

McAfee is a crap. Again.

impossible de s'identifier sur orange (unable to identify on FAI orange with this update

What do you mean?

"Orange" is number one (ISP) in france
ISP = FAI in french
CBF means that he can't log in his ISP mailbox/client service.
afaik, it is not related at tor but it's related at the isp which does not allow anonymous log in (javascript required & cookies maybe) even with a vpn, it could be refused ...
first you must connect at home second allow javascript & cooky third call the client service (or by chat) if you cannot anymore. i mean it is more a server problem than a tor one.
contactez votre service client en cas 'de diffilculté de connection : c'est plus un probleme de serveur côté fai qu'un probleme avec tor (n'oubliez pas d'activez javascript et d'autorisez les cookies).
la surveillance est très forte en france : the update does not block the connection but the government maybe.

32bit Windows7 - ok! Thanks a lot!

why does browser.zoom.siteSpecific ; true not work anymore?

me too. why is it disabled?

My TOR auto-updated. My Anti-virus red flagged PINGSENDER.EXE as malicious. Just letting you know.

Thanks for the free software GK. We appreciate your efforts too.

“The dictionary is the only place that success comes before work. work is the key to success, and hard work can help you accomplish anything.”
― Vince Lombardi

My BIG salute to your hard work. you guys are extraordinary.

keep on moving.................

It appears that twitter is sometimes blocking tor. Do others also see this?

By "blocking", do you mean an almost blank page, with message something like, "bandwidth too high" ? (I don't recall words)
Often refreshing that tab fixes the problem. Other times, need to use "new circuit for this site" (in the left end of the addressbar) to fix.

Why do exit servers sometimes show as coming from one country when checked at the URL info buttun, but when checked with GeoIP it shows they are from another country?

your first relay shows you the country (guard) where you live, when you check with geoip , it is another relay (third / unknown) ... so another country ... it is like that tor runs

The first relay does not get picked depending on your location but more or less randomly out of the Guard relay pool.

my first relay (picked randomly out of the guard relay pool) is often located where i live ;)

very good

same prob as others. McAfee reports the 64bit ESR Firefox update this installs as a virus. TOR 8.0.3 installs / updates earlier version fine, it updates Firefox to Firefox to 60.3.0 esr and then requests a restart. When you do, McAfee quarantines it. Did clean installs of other earlier 64bit TOR versions, same thing happened ever time after the Firefox upgrade.

Did several new installs of 8.0.3 32bit and NPF.

Does the torbrowser time out if a "tor circuit" cannot be completed?

What do you mean?

Sometimes when I start Tor it shows the progress bar but never seems to complete. Would the tor browser time out if it can't create a circuit?

I have the same problem, no error just wont connect. So far a Tor reboot works. BTW how long does it take before Tor would through an error?

OK, Good job.

This is perhaps not related to TOR per se ...

I had violetmonkey installed. After the 8..0.3 updated, it is disabled. Clicking on the icon, it shows 'scripts disabled'.

I switched to violetmonkey as greasemonkey stopped functioning when TOR 8 was announced.

If you know of any way to get back userscript support, please let know.

Thanks.

GK

Thanks for your response of the 15th re my concerns about the information I got when trying to verify the 8.0.2 bundle signature.

I have just tried to verify 8.0.3. and whilst I understand what you have said regarding 8.0.2 and the GnuPG configuration, there is still one aspect of the divergence that I get versus what your instructions say I should get that still confuses/worries me.

It is in relation to the RSA key. You say that what I should get is:
“using RSA key 0xD1483FA6C3C07136””
Whereas what I do get (again) is:
RSA key EB774491D9FF06E2

I rather thought (assumed) that something as important as the RSA key should not vary, so why does it?

Thanks

have same problem
gpg: Signature made Mon 22 Oct 16:05:52 2018 MSK using RSA key ID D9FF06E2

suggestion : could you add at the standard toolbar the icon "home" & the icon "https everywhere" please ?
i feel it should be better with these 2 icons (https is in blue/red easily and home is helpful).
of course, the option "customize" helps but a toolbar including these ones per default should be nicer.

Not showing the HTTPS-Everywhere icon on first start is actually a bug (https://trac.torproject.org/projects/tor/ticket/23359), but we are in the process of redesigning our security controls and the HTTPS-Everywhere icon will be removed from the toolbar in that process. (see: https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-s…)

For the home button I opened https://blog.torproject.org/comment/278265#comment-278265.

Secure Connection Failed (with a russian exit).
'new circuit for this site' doesn't work.

is there any (some)one who speaks french ?

yes i do but it's better to write in english (russian, spanish, italian, german ... are supported)

Hello torproject
Why the browser directory in the 64bit install.exe(TBB) is an PE+-blob i can't unpack with e.g. 7zip?
Can you change this to a SFX i can handle with e.g. 7zip?

Why do you need that?

Is it safe TBB is opening a circuit with all 3 relays -guard/middle/exit- in 1 country. I haven't seen this before.

gk?

Not sure it is ok but I have had this many times. And from older versions of Tor blogs ive seen posts saying this is safe, albeit a bit unsettling in my view.

Yes, it's the best option. If it refused to build circuits like that, then somebody who knows your exit can narrow out what country your entry guard is in -- and if they see a bunch of connections from you, they would be able to quite quickly learn exactly which country your entry guard is in. That wouldn't be good.

More generally, don't just think of the relay locations, but also think of the network links between the relays. It gets messy quickly:
https://blog.torproject.org/improving-tors-anonymity-changing-guard-par…

Tor automatically avoids using more than one relay in a given network /16 in any circuit. I think there could be a bit more room for complexity in path selection, but complexity is bad news for anonymity (see e.g. the attack at the beginning of this comment) so we need to tread carefully.

When i download Tor Brower in french, he is not in french, but in english, with ALL versions of 8.0.x & 8.5.x

Can fix please

Where did you download it from? What exactly is the filename of the bundle? You need to select the french version of our website.

>75kb download speed? 17 minutes to download???