New Release: Tor Browser 8.5a6

by gk | December 11, 2018

Tor Browser 8.5a6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox and updates OpenSSL to 1.0.2q for our desktop platforms.

The most exciting news, however, compared to the alpha release early last week, comes from progress we made on our mobile builds. Tor Browser 8.5a6 is the first version that is built reproducibly for Android devices and is localized in all locales the desktop platforms support.

Moreover, we added an updated donation banner for our year-end donation campaign.

Known Issues:

  1. This release is only supported on armv7 devices (most Android phones and tablets), but x86 devices are not supported yet (such as Chromebooks), even if the Google Playstore is suggesting different things.
  2. Downloading files on newer Android devices crashes Tor Browser. We are currently reviewing a potential fix.

The full changelog since Tor Browser 8.5a5 is:

  • All Platforms
  • Update Firefox to 60.4.0esr
    • Update Torbutton to 2.1.3
      • Bug 28540: Use new text for 2018 donation banner
      • Bug 27290: Remove WebGL pref for min capability mode
      • Bug 28075: Tone down missing SOCKS credential warning
      • Bug 28747: Remove NoScript (XPCOM) related unused code
      • Translations update
    • Bug 28608: Disable background HTTP response throttling
    • Bug 28695: Set default security.pki.name_matching_mode to enforce (3)
    • Bug 27290: Remove WebGL pref for min capability mode
    • Bug 27919: Backport SSL status API
    • Bug 25794: Disable pointer events
  • Windows
    • Update OpenSSL to 1.0.2q
    • Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
  • OS X
    • Update OpenSSL to 1.0.2q
  • Linux
    • Update OpenSSL to 1.0.2q
  • Android
    • Bug 26843: Multi-locale support for Tor Browser on Android
  • Build System
    • Android
      • Bug 25164: Add .apk to our sha256sums unsigned build file
      • Bug 28696: Make path to Gradle dependencies reproducible
      • Bug 28697: Use pregenerated keystore and fix timestamp issues
Tags
tor browser
tbb
tbb-8.5
khled.8@hotmai.com

hassan (not verified) said:

December 11, 2018

Permalink

hello

khled.8@hotmai.com

Anonymous (not verified) said:

December 11, 2018

Permalink

WebGL 1 Extensions EXT_disjoint_timer_query WEBGL_debug_renderer_info WEBGL_debug_shaders

Is this OK?

Awesome app

pref("dom.maxHardwareConcurrency", 1); // Bug 21675: Spoof single-core cpu
is ignored by MoCo.

Your Firefox is out-of-date.

Get the most recent version to keep browsing securely.
Update Firefox

MoCo is still trolling us.
Is it possible to influence on them, so they change their development process to fulfill Tor Browser's high standards on release channel?

I've been confused by this message as well to be honest. Might be worth reaching out to Mozilla to figure out what is going on.

Mozilla states it can maintain security on rapid release channel only. No guarantees on ESR.

CFR is a system that proactively recommends Firefox features and add-ons based on how you use the web.

What about to make something similar in Tor Browser?

What is CFR?

Contextual Feature Recommender
https://blog.mozilla.org/blog/2018/12/11/latest-firefox-release-availab…

I never have heard CFR ,of what we are talking about ,Thx.

The display language for the Firefox application UI is now changeable in the Options page

\o/

http://webglsamples.org/aquarium/aquarium.html doesn't work on Windows.

Which Windows are you on? And what does "doesn't work" mean?

Any Windows. Nothing happens. Almost empty page.

What does "almost empty page" mean? It seems to be running fine on my machine. What is happening for you with a Firefox 60.4.0esr (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for bundles)? Does the demo work then?

*** Error in program linking: log.js:69:7
Error: WebGL warning: bufferData: Error from driver: 0x0505 buffers.js:77:3
TypeError: program is null models.js:65:1
Error: WebGL warning: texImage2D: Driver ran out of memory during upload. textures.js:327:3

I guess there is not much we can do if the driver runs out of memory? Especially if it affects Firefox 60.4.0esr as well...

But 32-bit versions work.

https://browserleaks.com/webgl crashes the tab!

On which system?

Latest Windows.

Is that a 64bit system with a 64bit Tor Browser?

Of course.

Oh, and do the crashes happen with a clean, new Firefox 60.4.0esr as well (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for bundles)?

No.

gk

gk said:

December 12, 2018

Permalink

Does the stripped down bundle in https://trac.torproject.org/projects/tor/ticket/27503#comment:17 work for you? (It gives you essentially a clean-slate Firefox (one without any of the Tor Browser patches) to test whether the "baseline" is working on your system and whether the problem lies in one of our patches)

Windows SmartScreen protected you from running unknown executable. Is it safe?
nb. Tab crashes, but there is no error message in Windows, therefore it is not an application crash.
By the way, Tor Browser 32-bit version works!

I gave you a GPG signature for the .zip file in the comment, so you won't get much stronger insurances that the binary is safe. :)

So, do I understand this right that

1) A vanilla 64bit Tor Browser crashes the tab for you
2) A vanilla 32bit Tor Browser does not crash the tab for you
3) The bundle I gave you crashes the tab as well

?

If that's the case what happens with a 64 and 32 bit Firefox 60.4.0esr in that case for you (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for bundles to test)?

Windows SmartScreen doesn't eat GPG signatures, unfortunately :)
Yes.
esrs don't crash.

Okay, I tried to create a debug build for you but that led to sadness (https://trac.torproject.org/projects/tor/ticket/28875). So, I opened https://trac.torproject.org/projects/tor/ticket/28874 to investigate different other options further. Can you join the conversation there?

It also crashes.
Failure Log
(#0) CP+[GFX1-]: readPixels: Failed to create mResolvedDefaultFB.
StackTraces={"crash_info":{"address":"0x9","crashing_thread":0,"type":"EXCEPTION_ACCESS_VIOLATION_READ"},"main_module":0,"modules":

cypherpunks are still not allowed to write comments.

I am sorry for that. I've posted a link to a debug build which might contain useful information on what is going on. Could you paste relevant things somewhere so I can copy those over to the ticket? Additionally, can you paste the StackTraces you got above somewhere else so I can copy all the information we have to the ticket? Thanks!

i would check in eventvwr.msc for messages near the time of the crash

Nothing there.

Hi, I read that Tor brownser can be used without orbot, but I can get it working, it doesn't work without orbot

Yes, we want to provide a similar experience to Tor Browser, which means not needing an extra application to get Tor Browser running and having an overall smoother experience. That's why we start experimenting with Orbot being included directly into Tor Browser. We have ideas to improve on that, though. See the discussion on our mailing list for that: https://lists.torproject.org/pipermail/tbb-dev/2018-December/000928.html ff.

a) should users now remove orbot or keep it for other apps that use tor?

b) how can embedded orbot be set up? does it allow vpn mode/tunneling?

You should keep the separate Orbot for other apps that use Tor right now. We are not exactly sure yet how the final Tor Browser version will look like with respect to Tor integration. The embedded Orbot has VPN mode disabled.

I just tried it with orbot kept and torbrowser fails to connect. Looks like two orbots on the same device causes one to crash, maybe because of vpn mode enabled on the other which causes a tor through tor situation? I'm not sure.

I also wonder how to change settings of embedded orbot,as there is no link to access it from torbrowser.

As an orbot user I can say this is so confusing and it seems better for the time being to keep the older package.

Hello,

Is it possible to provide future builds of android Tor that do not include the embedded Orbot? There are a couple reasons why this is not a good feature for those of us who already run Orbot 24/7.

1) Battery life - It appears that the need to run two concurrent Orbot connections (one for the system through which I have Netguard proxied, and the other built into Tor Browser) is brutal on battery life.
2) Inconvenient - The previous version of tor browser (no embedded orbot) connected seamlessly with an already running orbot when the browser was opened. This worked great when clicking on external links (ie in an email or messenger). But now, clicking on these links first opens the embedded orbit in the new tor browser, which takes a few seconds to connect, but then doesn't proceed to the website. As a result, users then need to go back to the link in the email or message, reclick it which brings them back to tor browser properly and the website.

I can see how embedding Orbot into the android tor browser is great for users who don't already run orbot full time for their entire system, but for those of us who do, it's a step backwards.

Otherwise, the new updates to tor browser for android are great, but downloads still dont work properly.

Cheers

The downloads issue should be fixed in the next release (assuming you are seeing https://trac.torproject.org/projects/tor/ticket/28705). That said, Orbot is right now just a stop-gap solution to experiment with a desktop-like experience. The plan is to use the Tor Onion Proxy Library in some way in the near and longer term future (see: https://trac.torproject.org/projects/tor/ticket/27609). There are no plans, though, to provide Tor Browser builds for Android without Orbot until that feature lands.

I have tried to make running Orbot active in new version of TBFA which has Orbot integrated, in my experience is running Orbot ,but you should keeps setup Orbot integrated ,no running on start and checking in case is not running if there is some others apps that is using same port of Orbot especially on Samsung devices, Then block that or those app /s .A good app check in with it might be any socks app check on playstore. Anyway my suggestions is to use TBFA with its own integrated Orbot. Probably a bit slow than other Orbot ,but if is integrated it should be a reason, I was wondering security, but just my opinion.
Best regards.