New Release: Tor Browser 8.5a5

by boklm | December 3, 2018

Tor Browser 8.5a5 is now available from the Tor Browser Project page and also from our distribution directory.

Starting with this alpha release, we are releasing both the Android and desktop versions on the same day, with similar versioning schemes.

On the desktop side, we included a new Tor alpha version (0.3.5.5-alpha) to help with stabilizing the networking code. Furthermore, we managed to fix two longstanding first party isolation bugs: Both PDF range requests and saving links, images or similar resources using the context menu are now properly isolated to the URL bar domain.

On the Android side, we reached another milestone in our efforts to bring Tor Browser for Android into stable shape. From now on it is not necessary anymore to download Orbot in order to use Tor Browser. We implemented a similar solution to our desktop Tor Browser flavors by shipping and using Orbot in Tor Browser directly. We plan to refine our approach for an even smoother user exprience in the future, so stay tuned. Please note, this release is only supported on armv7 devices (most Android phones and tablets), but x86 devices are not supported (such as Chromebooks).

Additionally, we included the mobile build into our official Tor Browser build infrastructure. The build artifacts are not reproducible yet (although we are pretty close reaching that goal). But fixing that is one of the top priorities for our next big milestone for the Android app.

The full changelog since Tor Browser 8.5a4 is:

  • All Platforms
    • Update Torbutton to 2.1.2
      • Bug 25013: Integrate Torbutton into tor-browser for Android
      • Bug 27111: Update about:tor desktop version to work on mobile
      • Bug 28093: Update donation banner style to make it fit in small screens
      • Bug 28543: about:tor has scroll bar between widths 900px and 1000px
      • Bug 28039: Enable dump() if log method is 0
      • Bug 27701: Don't show App Blocker dialog on Android
      • Bug 28187: Change tor circuit icon to torbutton.svg
      • Bug 28515: Use en-US for english Torbutton strings
      • Translations update
    • Update Tor Launcher to 0.2.18
      • Bug 28039: Enable dump() if log method is 0
      • Translations update
    • Update HTTPS Everywhere to 2018.10.31
    • Update NoScript to 10.2.0
    • Bug 22343: Make 'Save Page As' obey first-party isolation
    • Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading
  • Windows
    • Update Tor to 0.3.5.5-alpha
    • Bug 28310: Don't build obfs4 with module versioning support
    • Bug 27827: Update Go to 1.11.1
    • Bug 28185: Add smallerRichard to Tor Browser
    • Bug 28657: Remove broken FTE bridge from Tor Browser
  • OS X
    • Update Tor to 0.3.5.5-alpha
    • Bug 28310: Don't build obfs4 with module versioning support
    • Bug 27827: Update Go to 1.11.1
    • Bug 27827: Build snowflake reproducibly
    • Bug 28258: Don't look for webrtc headers under talk/
    • Bug 28185: Add smallerRichard to Tor Browser
  • Linux
    • Update Tor to 0.3.5.5-alpha
    • Bug 28310: Don't build obfs4 with module versioning support
    • Bug 27827: Update Go to 1.11.1
    • Bug 27827: Build snowflake reproducibly
    • Bug 28258: Don't look for webrtc headers under talk/
    • Bug 28185: Add smallerRichard to Tor Browser
    • Bug 28657: Remove broken FTE bridge from Tor Browser
  • Android
    • Bug 28051: Fix up Orbot for inclusion into Tor Browser
    • Bug 26690+25765: Port padlock states for .onion services to mobile
    • Bug 28507: Delete private data in the browser startup
    • Bug 27111+25013: Configure Tor Browser for mobile to load about:tor
    • Bug 27256: Enable TouchEvents on Android
    • Bug 28640: Use system add-on and distributed preferences
  • Build System
    • Bug 27977: Build Orbot inside tor-browser-build
    • Bug 27443: Update Firefox RBM config and build for Android
    • Bug 27439: Add android target for rust compiler
    • Bug 28469: Fix unsupported libbacktrace in Rust 1.26
    • Bug 28468: Modify Android toolchain to support Orbot
    • Bug 28483: Modify Android Toolchain API Version
    • Bug 28472: Add Android Makefile Rules
    • Bug 28470: Add fetch gradle dependency script to common project
    • Bug 28144: Update projects/tor-browser for Android

Comments

Please note that the comment area below has been archived.

December 03, 2018

Permalink

At startup after update:
02:41:23.944 NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIWebNavigation.loadURIWithOptions] 1 browser-child.js:359

December 03, 2018

Permalink

> Bug 27111: Update about:tor desktop version to work on mobile
So that it doesn't work on desktop, hah. (links & search bar focus)

December 07, 2018

In reply to gk

Permalink

The person initiating the comment maybe could watch what the browser logs in Web Console? (in Tools menu, Web Developer)

December 07, 2018

In reply to gk

Permalink

The scripts are on sites which can't be disclosed. But there are some links on NoScript's forum. Of course, this is reproducible.

December 03, 2018

Permalink

save link as... irc:irc.mozilla.org :
03:25:36.089 : Component returned failure code: 0x805e0006 [nsIChannel.asyncOpen2] 1 nsContextMenu.js:1204
saveHelper chrome://browser/content/nsContextMenu.js:1204:5
saveLink chrome://browser/content/nsContextMenu.js:1214:5
oncommand chrome://browser/content/browser.xul:1:1

December 03, 2018

Permalink

FIX IT ASAP! CAUSE WE HAVE NO ACCESS!
[12-04 04:05:44] Torbutton INFO: controlPort >> 650 STREAM 43 FAILED 7 blog.torproject.org:443 REASON=END REMOTE_REASON=CONNECTREFUSED

December 04, 2018

In reply to boklm

Permalink

Your blog is unavailable, and the only way to solve the problem is to restart the browser.

December 04, 2018

Permalink

Some stupid trash remains in GPU process and uses ~20% of CPU for a long time after all tabs are closed on Windows 7.

I would run EventVwr.msc
Look for "suspicious" events by comparing them at times (clock time):
1. when tbb startup,
2. when you close the last tbb tab,
3. and when the "trash" process "dies".

OR (also?)
1. open Task Manager window, Processes tab, before shutting down tbb.
2. when you shutdown tbb, look for werfault to appear in the processes list.

WerFault was the sign of a broken shutdown problem that existed throughout tbb ver 7.x

December 04, 2018

Permalink

Tornetwork

Network is browser related so I am posting a warning question overhere.

Is it really really a very big coincidence today that no matter what kind of webmail service url I choose (after completely renewing te circuits) I over and over and over end up with same country entry node and exitnode, all three nodes from same country and finally endup with variations with two same country nodes + one nabor country node.

Is it possible that on certain very important url's countries and their surveillance services are rederecting traffic in a way that they are able to analyse traffic leading to personal identification?

I tested a whole bunch and I already had a slight suspicion that this behaviour is going on for a while with other kind of technical or privacy related websites and some big countries in Europe.

More and more countries are taking over the local internet by monitoring traffic country wide or even continent wide by well known eyes-cooperations.
Why do you still accept connections like, 3 on a row in the same country, same country entry exit node, or another annoying one : no giving option to refuse an entry connection to certain countries.
The last one is also a big threat because it is a reason, could be a reason for trouble when traveling to that country : 'alarmbells' ringing, torbrowser user in the hall coming to the gates.

Torproject delivers grat product but maybe some thing should change because the world is changing, also called globalism!
Maybe a kind of a system should be thinkable that connections always travel between three continents and or have a minimum avoidance of moere than one hop per country+nabor country.

Metadata network traffic analysis can be a threat to anonymous communications, for instance with anonymous communication to projects like Torproject.

> Is it really really a very big coincidence today that no matter what kind of webmail service url I choose (after completely renewing te circuits) I over and over and over end up with same country entry node and exitnode

Is your computer and the webmail server you are trying to reach both in country A? If so, your circuits will probably look like A-X-A because Tor tries to find an entry Node "near" (in Internet geometry terms) your computer and an exit node "near" (in Internet geometry terms) your destination server. If A is in the EU, X might often also be in the EU simply because so many Tor nodes are in either the US or the EU. That could perhaps explain some of what you report seeing.

Tor also tries to avoid choosing two nodes of the three from the same domain or from the same known family, I believe, but I am not familiar with the details.

> Maybe a kind of a system should be thinkable that connections always travel between three continents and or have a minimum avoidance of moere than one hop per country+nabor country.

Over the years such suggestions have often been made (sometimes by me!), but it turns out that such schemes would probably make it *easier*, not harder, for intelligence agencies (especially NSA) to spy on our browsing.

What's needed is the greatest possible diversity of Tor nodes, in terms of legal jurisdictions, geolocations, company ownerships, political allegiances of voting stockholders, etc., etc., which needless to say is hard to measure much less achieve.

But don't forget: NSA has problems of its own (drowning in information, existing variety of software and hardware leading to "fragility" of their latest and bestest spy schemes, etc.), so in the end We the People just might win the War on US.

To provide higher anonymity guarantees than other services (VPNs in particular) Tor routes traffic through server operated by independent organizations and individuals. This makes it harder to deanonymize traffic because an adversary needs to operate in several jurisdictions and has to deal with many operators. Getting a warrant or convincing a single operator to hand over all data simply doesn't work. However, running Tor nodes is only popular in a handful of countries. Check out the by-country bubble map and you'll notice that the majority of server is located in just a handful of countries. Likely, they countries you see most in the circuit display.

The goal is certainly to have relays all around the world. If anyone known how to get people to run relays in other countries, please let me and the Tor team know.

December 04, 2018

Permalink

gk you have led the Tor Browser team so perfectly across all these years without showing any shred of tiredness, May God bless you!

(Signed: a Tor user who can't visit a single website without the Tor Browser lest the privacy be slaughtered)

December 05, 2018

Permalink

No sound in YouTube with this update. I uninstalled the entire browser - the update auto-installed even though I had the 'update' option disabled. I didn't appreciate it.

Also, I recommend that if the 'auto-install' is now to be a default, and the option to choose when to update is now no longer active, that a reverse-update option be available to users.

Why not give users a chance to decide for themselves when to update? It sounds like you are forcing us to update without any choice in the matter.

I was forced to delete the entire version since there was no way to reverse the auto installed update. Again, YouTube, and other sites will not work with the update - there is video but there is absolutely no sound. B'H

We do not force updates on anyone in the sense that you can't disable updates. However, you must disable the updating *before* the update process starts to see any affect. And the update check and download happens *before* you see any window, early on browser start-up.

That said looking over the changelog for Tor Browser 8.5a5 I don't see a fix that should impact your audio. On which platform are you on? A clean Tor Browser 8.5a4 works for you but a clean Tor Browser 8.5a5 does not? (see: https://archive.torproject.org/tor-package-archive/torbrowser for older bundles to test)

December 05, 2018

Permalink

Latest Tor browser (Alpha) crashes on Android when downloading any file. I don't know if it is just me (Android 7.1.1). I've tried manually granting the storage permission from settings but no change.

December 08, 2018

In reply to gk

Permalink

Cyren JS/Heuristic-JEX!Eldorado

Basic Properties
MD5 066e29116baad0042fa21c20b32db6af
SHA-1 263900dee6ee2896c7df8a4f13ad3ae52254f796
Authentihash 69742cb82c7f9804de0653eaea09d411429143242b5d3634dccb85937b7f0b9d
Imphash f27c44789c5773d07955d684f2ea3830
File Type Win32 EXE
Magic PE32+ executable for MS Windows (GUI)
SSDeep 1572864:3TE6b9Ki7PCvHM2OPdQmDnuYe6oVRZHfvT3E:3XAuQodjDnuY9oVRZ3jE
TRiD Win64 Executable (generic) (82%)
OS/2 Executable (generic) (6%)
Generic Win/DOS Executable (5.9%)
DOS Executable Generic (5.9%)
File Size 53.99 MB

December 05, 2018

Permalink

I am very new to Tor Browser (the last couple of days) and so apologise if the questions I ask have already been addressed previously

1. it appears to me that the use of Google is rendered impossible because by loggin in from different locations (to protect privacy and avoid tracking - all worth while outcomes). Google notes the activity as different and puts the user through the horribly frustrating Photo ticking exercise...CAPTCHA is there a way around this annoying software?.....Am I correct?

2. As some one wanting to watch a video posted on cricket in Australia, the web sites blocks me because .....they dont allow acess to computers outside Australia....Can I somehow use a default at least temporarily that is based in Australia and specificy this?

Regards

Tony (very new Tor client)

> (very new Tor client)

Or rather, Tor user ("client" and "server" are technical terms).

The two problems you mention are well known and have proven hard to solve.

Generally, trying to log into a social media account you created while not using Tor is problematic because it looks to the provider of the social media service like some crook is trying to impersonate you in order to steal information or money.

More and more countries are trying to block connections from outside their boundaries, whether because they don't want "non-Australians" (if your Tor circuit happens to end with an exit circuit in Germany, the sports video company is likely to assume you are a German) using their "national TV", or because they don't want any news coming into their country from the big bad outside world.

A third problem is that many websites block all Tor exit nodes, just because they don't want to wrestle with any challenging technical issues, such as allowing innocuous Tor traffic while blocking DDOS attacks.

Some Tor users report that hitting "new circuit for this site" a few times sometimes resolves some of these problems. If not you might want to consider replacing using Google with some more Tor-friendly social media company.

Hope this helps.

December 06, 2018

Permalink

No way to block javascript for non-advance user

Provided NoScript is configured in a way, that almost guarantees any script to be run at least once before user can block it. This allows "calling home" attacks, that probably are the only easy way to compromise TOR.

So, as there is no way to block scripts for non-advanced users (advanced can go into NoScript settings and understood settings), and only top-level available options are various releasing event those poor restrictions that may be active, Tor Browser should not be used with TOR network (but otherwise it is very good browser).

Expected solution - add button "block javascript" to make browsing at least theoretically safe.

December 06, 2018

Permalink

On Android, if you select a download link, Android will ask for permission to save, when you hit allow, app crashes. If you try to open app back up, it will tell you over and over that the app suddenly closed. Only way to fix this is to uninstall then reinstall or clear all data on Android. I can verify cut and paste works fine for me. I have Android version 7.0

December 08, 2018

Permalink

03:04:13.436 TypeError: event.originalTarget.getAttribute is not a function 1 tabbrowser.xml:1299:30
onxbldragover chrome://browser/content/tabbrowser.xml:1299:30

December 08, 2018

Permalink

NoScript is still buggy:
06:35:12.485 TypeError: ev.target.closest is not a function 1 PlaceHolder.js:76:29

December 09, 2018

Permalink

can someone help me out, im new to this part and have no clue which file to download for windows. they give you the option of choosing windows (8.0.3) 32/64-bit (sig) or 64-bit (sig) and then the next option is the windows (8.5a5) so how do i know which one to download? id appreciate some help asap

December 09, 2018

Permalink

Comments counter on your blog seems to count and display not only the number of visible comments, but also of some not-yet-approved comments/spam. This has a drawback in case when we see this thread has 60 comments and then 58 comments later that looks like you're censoring/deleting comments.