New Release: Tor Browser 8.5a6

by gk | December 11, 2018

Tor Browser 8.5a6 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox and updates OpenSSL to 1.0.2q for our desktop platforms.

The most exciting news, however, compared to the alpha release early last week, comes from progress we made on our mobile builds. Tor Browser 8.5a6 is the first version that is built reproducibly for Android devices and is localized in all locales the desktop platforms support.

Moreover, we added an updated donation banner for our year-end donation campaign.

Known Issues:

  1. This release is only supported on armv7 devices (most Android phones and tablets), but x86 devices are not supported yet (such as Chromebooks), even if the Google Playstore is suggesting different things.
  2. Downloading files on newer Android devices crashes Tor Browser. We are currently reviewing a potential fix.

The full changelog since Tor Browser 8.5a5 is:

  • All Platforms
  • Update Firefox to 60.4.0esr
    • Update Torbutton to 2.1.3
      • Bug 28540: Use new text for 2018 donation banner
      • Bug 27290: Remove WebGL pref for min capability mode
      • Bug 28075: Tone down missing SOCKS credential warning
      • Bug 28747: Remove NoScript (XPCOM) related unused code
      • Translations update
    • Bug 28608: Disable background HTTP response throttling
    • Bug 28695: Set default security.pki.name_matching_mode to enforce (3)
    • Bug 27290: Remove WebGL pref for min capability mode
    • Bug 27919: Backport SSL status API
    • Bug 25794: Disable pointer events
  • Windows
    • Update OpenSSL to 1.0.2q
    • Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
  • OS X
    • Update OpenSSL to 1.0.2q
  • Linux
    • Update OpenSSL to 1.0.2q
  • Android
    • Bug 26843: Multi-locale support for Tor Browser on Android
  • Build System
    • Android
      • Bug 25164: Add .apk to our sha256sums unsigned build file
      • Bug 28696: Make path to Gradle dependencies reproducible
      • Bug 28697: Use pregenerated keystore and fix timestamp issues

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

December 11, 2018

Permalink

WebGL 1 Extensions EXT_disjoint_timer_query WEBGL_debug_renderer_info WEBGL_debug_shaders

Is this OK?

Kevin Raines (not verified) said:

January 28, 2019

Permalink

Awesome app

Anonymous (not verified) said:

December 11, 2018

Permalink

pref("dom.maxHardwareConcurrency", 1); // Bug 21675: Spoof single-core cpu
is ignored by MoCo.

Anonymous (not verified) said:

December 11, 2018

Permalink

Your Firefox is out-of-date.

Get the most recent version to keep browsing securely.
Update Firefox

MoCo is still trolling us.
Is it possible to influence on them, so they change their development process to fulfill Tor Browser's high standards on release channel?

Anonymous (not verified) said:

December 11, 2018

Permalink

Mozilla states it can maintain security on rapid release channel only. No guarantees on ESR.

Anonymous (not verified) said:

December 11, 2018

Permalink

CFR is a system that proactively recommends Firefox features and add-ons based on how you use the web.

What about to make something similar in Tor Browser?

Anonymous (not verified) said:

December 12, 2018

Permalink

*** Error in program linking: log.js:69:7
Error: WebGL warning: bufferData: Error from driver: 0x0505 buffers.js:77:3
TypeError: program is null models.js:65:1
Error: WebGL warning: texImage2D: Driver ran out of memory during upload. textures.js:327:3

Anonymous (not verified) said:

December 12, 2018

Permalink

Of course.

Anonymous (not verified) said:

December 12, 2018

Permalink

No.

Anonymous (not verified) said:

December 13, 2018

Permalink

Windows SmartScreen protected you from running unknown executable. Is it safe?
nb. Tab crashes, but there is no error message in Windows, therefore it is not an application crash.
By the way, Tor Browser 32-bit version works!

I gave you a GPG signature for the .zip file in the comment, so you won't get much stronger insurances that the binary is safe. :)

So, do I understand this right that

1) A vanilla 64bit Tor Browser crashes the tab for you
2) A vanilla 32bit Tor Browser does not crash the tab for you
3) The bundle I gave you crashes the tab as well

?

If that's the case what happens with a 64 and 32 bit Firefox 60.4.0esr in that case for you (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for bundles to test)?

Anonymous (not verified) said:

December 17, 2018

Permalink

It also crashes.
Failure Log
(#0) CP+[GFX1-]: readPixels: Failed to create mResolvedDefaultFB.
StackTraces={"crash_info":{"address":"0x9","crashing_thread":0,"type":"EXCEPTION_ACCESS_VIOLATION_READ"},"main_module":0,"modules":

cypherpunks are still not allowed to write comments.

I am sorry for that. I've posted a link to a debug build which might contain useful information on what is going on. Could you paste relevant things somewhere so I can copy those over to the ticket? Additionally, can you paste the StackTraces you got above somewhere else so I can copy all the information we have to the ticket? Thanks!

fernandex00 (not verified) said:

December 12, 2018

Permalink

Hi, I read that Tor brownser can be used without orbot, but I can get it working, it doesn't work without orbot

Yes, we want to provide a similar experience to Tor Browser, which means not needing an extra application to get Tor Browser running and having an overall smoother experience. That's why we start experimenting with Orbot being included directly into Tor Browser. We have ideas to improve on that, though. See the discussion on our mailing list for that: https://lists.torproject.org/pipermail/tbb-dev/2018-December/000928.html ff.

Anonymous (not verified) said:

December 12, 2018

Permalink

a) should users now remove orbot or keep it for other apps that use tor?

b) how can embedded orbot be set up? does it allow vpn mode/tunneling?

You should keep the separate Orbot for other apps that use Tor right now. We are not exactly sure yet how the final Tor Browser version will look like with respect to Tor integration. The embedded Orbot has VPN mode disabled.

Anonymous (not verified) said:

December 12, 2018

Permalink

I just tried it with orbot kept and torbrowser fails to connect. Looks like two orbots on the same device causes one to crash, maybe because of vpn mode enabled on the other which causes a tor through tor situation? I'm not sure.

I also wonder how to change settings of embedded orbot,as there is no link to access it from torbrowser.

As an orbot user I can say this is so confusing and it seems better for the time being to keep the older package.

Anonymous (not verified) said:

December 22, 2018

Permalink

Hello,

Is it possible to provide future builds of android Tor that do not include the embedded Orbot? There are a couple reasons why this is not a good feature for those of us who already run Orbot 24/7.

1) Battery life - It appears that the need to run two concurrent Orbot connections (one for the system through which I have Netguard proxied, and the other built into Tor Browser) is brutal on battery life.
2) Inconvenient - The previous version of tor browser (no embedded orbot) connected seamlessly with an already running orbot when the browser was opened. This worked great when clicking on external links (ie in an email or messenger). But now, clicking on these links first opens the embedded orbit in the new tor browser, which takes a few seconds to connect, but then doesn't proceed to the website. As a result, users then need to go back to the link in the email or message, reclick it which brings them back to tor browser properly and the website.

I can see how embedding Orbot into the android tor browser is great for users who don't already run orbot full time for their entire system, but for those of us who do, it's a step backwards.

Otherwise, the new updates to tor browser for android are great, but downloads still dont work properly.

Cheers

The downloads issue should be fixed in the next release (assuming you are seeing https://trac.torproject.org/projects/tor/ticket/28705). That said, Orbot is right now just a stop-gap solution to experiment with a desktop-like experience. The plan is to use the Tor Onion Proxy Library in some way in the near and longer term future (see: https://trac.torproject.org/projects/tor/ticket/27609). There are no plans, though, to provide Tor Browser builds for Android without Orbot until that feature lands.

I have tried to make running Orbot active in new version of TBFA which has Orbot integrated, in my experience is running Orbot ,but you should keeps setup Orbot integrated ,no running on start and checking in case is not running if there is some others apps that is using same port of Orbot especially on Samsung devices, Then block that or those app /s .A good app check in with it might be any socks app check on playstore. Anyway my suggestions is to use TBFA with its own integrated Orbot. Probably a bit slow than other Orbot ,but if is integrated it should be a reason, I was wondering security, but just my opinion.
Best regards.

Micio (not verified) said:

December 12, 2018

Permalink

Is stilling Orbot integrated no showing expand menu no ips etc.The rest is working well.

fg (not verified) said:

December 12, 2018

Permalink

I've downloaded Tor Browser 64b, for windows 10, and my Mcafee Total Protection keeps telling me that has blocked a virus detected in it, called Real.Protection. Is that normal or could this be effectively a virus? Could this problem be a consequence of a man in the middle or something like this? How can i download a secure file from Tor to install? It seems that the virus is associated with the file firefox.exe . But is activated just when I reinstall Tor. Thank you very much.

Anonymous (not verified) said:

December 14, 2018

Permalink

Of course.

gk

gk said:

December 17, 2018

Permalink

Actually, this seems to work for me now as expected. I could have sworn I saw your bug. So, I am closing that ticket again. Do you have steps to reproduce on a clean, new Tor Browser?

Anonymous (not verified) said:

December 13, 2018

Permalink

https-everywhere:
03:20:37.883 gBrowser.getTabForBrowser is not a function 1 ext-browser.js:74
chrome://browser/content/ext-browser.js:74:23
emit resource://gre/modules/ExtensionUtils.jsm:227:40
shutdown resource://gre/modules/ExtensionParent.jsm:545:5
shutdownExtension resource://gre/modules/ExtensionParent.jsm:664:9
_shutdown resource://gre/modules/Extension.jsm:1855:5
next self-hosted:1214:9
shutdown resource://gre/modules/Extension.jsm:1776:19
next self-hosted:1214:9
shutdown resource://gre/modules/Extension.jsm:1178:5
callBootstrapMethod resource://gre/modules/addons/XPIProvider.jsm:4521:20
updateAddonDisabledState resource://gre/modules/addons/XPIProvider.jsm:4661:13
set userDisabled resource://gre/modules/addons/XPIProvider.jsm:5659:9
doCommand chrome://mozapps/content/extensions/extensions.js:1280:9
doCommand chrome://mozapps/content/extensions/extensions.js:1546:5
initialize/< chrome://mozapps/content/extensions/extensions.js:132:5

Anonymous (not verified) said:

December 13, 2018

Permalink

Stupid HTTPSE doesn't update its rulesets on browser update, but updates the last update date, thus delaying further updates.

Anonymous (not verified) said:

December 13, 2018

Permalink

Tor Browser is still sometimes hangs at exit on Windows 7 (32-bit) and then suicides in a minute with 0xC0000005 error.

Anonymous (not verified) said:

December 15, 2018

Permalink

reCAPTCHA protected sites are failing in an infinite loop of "you are wrong!" lately

I guess tor is getting too good at preventing tracking

Anonymous (not verified) said:

December 18, 2018

Permalink

Ask Tom.

Dirk (not verified) said:

December 18, 2018

Permalink

Boy, you've gotta come up with a simpler way of verifying file signatures. None of the methods work for me. Always get "Data not verified" message no matter what I try or what instructions I follow, which means that, as far as I'm concerned, I got a dodgy file, even if I ain't. I have no idea how the damn things work. What's wrong with a simple Torbrowser plugin that verifies downloaded file signatures automatically? No non-nerdy tech dude has ever verified a file signature except by fluke! And even then, they've no idea whether it's worked or not. That means there are a hell of a lot of unverified Torbrowsers out there, coz nobody can be figure out how to verify them properly...

Anonymous (not verified) said:

December 18, 2018

Permalink

fuckingfox attacks my gpu! and this is a one tab only! why the fuck it has access to gpu when it was moved to gpu process?! stop this crap! it drains my new laptop's batteries in an hour!

Anonymous (not verified) said:

December 18, 2018

Permalink

Lags, 100% gpu for one content process. No. win 10 x64. one shitty site.

Anonymous (not verified) said:

December 19, 2018

Permalink

it appears to be a fucking animation banner! one banner fucks everything! nonsense!

logs have only that
Got a mutation for an unexpected actor: server1.conn1.child1/domnode80, please file a bug on bugzilla.mozilla.org! inspector.js:307:11
console.trace(): inspector.js:309
WalkerFront<.getMutations

Anonymous (not verified) said:

December 19, 2018

Permalink

When I saved a webpage and then clicked it in Downloads tab, it opened in system web browser, and my link leaked!!!

Anon (not verified) said:

December 20, 2018

Permalink

Integrating Tor core (Orbot) and browser (Orfox) into one Tor Browser .apk is completely unsecure feauture! I use Tor with AFwall+ on Android and I only allow Tor Core (Orbot) and block Orfox so if there is a leak in the browser, then firewall won't let leaked trafiic go.

Can I download a Tor Browser (without tor core) as a separate .apk like it was before? https://archive.torproject.org/tor-package-archive/torbrowser/mobile/ - here I found only old versions.

Nope, the plan is to provide a desktop-like experience which will include some kind of Tor bundled. Orbot was easiest for now but won't be the final solution. However, we won't go back to a non-bundled version until that future arrives (which will be soon anyway, hopefully).

Anonymous (not verified) said:

December 21, 2018

Permalink

I recently got a new computer with Windows 10. I downloaded the newest Tor about 2-3 weeks ago. It did not open. It downloaded fine, but when I went to launch (either by shortcut or manually by looking through the folder) the round blue circle on my cursor lit up as if something was being executed, but then ... nothing. My task manager did not show Tor running or stalling or anything. I tried a bunch of things, but eventually found Tor 6.6 online. I downloaded that, and it opened fine. I used that for about two days, and then it kept giving me a message to update to Tor 8, which I did. It still continued to work on the updated one.

I didn't use Tor for about a week and a half. Then today I went to launch, and ... nothing, just like before. So I deleted it and reinstalled Tor 6.6, 8.4, and 8.4 with 32bits. For all of these, I received a message that "Tor failed to launch", which would then open a window that said "Tor unexpectedly quit. This may be due to blah blah..." I've googled it, and many people online have had the same problem, but have fixed it in various ways. I've tried opening Tor manually, checking my app security, doing a compatibility troubleshooting and turning off my virus protection. It still shows the same message.

Please may I have some advice to launch Tor?

gk

gk said:

January 11, 2019

Permalink

Another idea I have: What happens if you run the debug build in https://trac.torproject.org/projects/tor/ticket/28823#comment:31? (Note it crashes on first start, that's kind of expected due to https://trac.torproject.org/projects/tor/ticket/28875) Interesting things to look for are any Assertions you see in the debug output or `MOZ_CRASH` lines. (The bundles might require a second/third start due to a bug in Tor dev code (see: https://trac.torproject.org/projects/tor/ticket/28405).

Does that happen on every shutdown? What Windows version are you using? What happens if you run the debug build in https://trac.torproject.org/projects/tor/ticket/28823#comment:31? (Note it crashes on first start, that's kind of expected due to https://trac.torproject.org/projects/tor/ticket/28875) Interesting things to look for are any Assertions you see in the debug output or `MOZ_CRASH` lines. (The bundles might require a second/third start due to a bug in Tor dev code (see: https://trac.torproject.org/projects/tor/ticket/28405).

Anonymous (not verified) said:

January 30, 2019

Permalink

It would be the risk only for machines without SSE2 which is rare. And such logic didn't prevent you from shipping essentially untested Mozilla code for Windows and Android. One of the goals of Tor Project was to diverge even more from Mozilla code towards saner code, wasn't it?