New Release: Tor Browser 8.0.5

Tor Browser 8.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This new release updates Firefox to 60.5.0esr and Tor to the first stable release in the 0.3.5 series, 0.3.5.7.

It contains a number of backports from the alpha series, most notably the proper first-party isolation of range requests when loading PDF documents.

We also updated NoScript and HTTPS Everywhere to their latest versions and removed our donation campaign related code.

The full changelog since Tor Browser 8.0.4 is:

  • All platforms
    • Update Firefox to 60.5.0esr
    • Update Tor to 0.3.5.7
    • Update Torbutton to 2.0.10
      • Bug 29035: Clean up our donation campaign and add newsletter sign-up link
      • Bug 27175: Add pref to allow users to persist custom noscript settings
    • Update HTTPS Everywhere to 2019.1.7
    • Update NoScript to 10.2.1
      • Bug 28873: Cascading of permissions is broken
      • Bug 28720: Some videos are blocked outright on higher security levels
    • Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading
    • Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
    • Bug 28695: Set default security.pki.name_matching_mode to enforce (3)
Anonymous

January 29, 2019

Permalink

hello

Anonymous

January 29, 2019

Permalink

I wonder why I've never seen the "donation campaign". Or does this refer to text on the restart page (after a TBB update)?

a minor 'issue'...

Anonymous

January 29, 2019

Permalink

feature request: please block the "your firefox browser is out of date" tab, since tor has a separate updater system

Anonymous

January 29, 2019

Permalink

It contains a number of backports from the alpha series

Patches from unstable to stable are uplifts (not backports) ;)

According to wikipedia "Backporting is the action of taking parts from a newer version of a software system or software component and porting them to an older version of the same software". So it seems to me backports is the right word here.

Anonymous

January 29, 2019

Permalink

After restarting from 8.0.4 into 8.0.5, "about:tor" and Menu --> Help --> "About Tor Browser" say "8.0.4". Each time I fully close TBB and reopen, a progress bar says, "Tor Browser is installing your updates and will start in a few moments..." before the progress bar for connecting to network.

NoScript says "10.2.1"
HTTPS-Everywhere says "2019.1.7"

Anonymous

January 29, 2019

Permalink

[The post about Tails 3.12 does not allow user comments/queries so I am trying to post my question here.]

Urgent question about Tails 3.12:

Quite suddenly Tails Project introduced a new download procedure which is causing problems; some including me cannot DL the image at all. A few weeks ago Tails offered a testing version and without explanation said "there is no cryptographic signature for this release". The post introducing the production version of Tails 3.12 doesnt even mention cryptographic signatures.

Should we conclude that Tails was suddenly handed an NSL with a gag order saying that they cannot legally offer Tails anymore together with cryptographic authentication? So that Tails USB image is valid when it leaves the DL server but when it arrives, has been altered in transit by NSA?

Please, please, please explain how to cryptographically authenticate this USB image!

Please put the DL explanation in a single html page with no bells and whistles because my Tails 3.l1 (burned from the DVD which I authenticated using the signing key which I believe I have verified is authentic) somehow cannot handle that tutorial.

Thanks, I'll try that! The sig must be different for the USB image and the DVD image, yes?

Fortunately, Tails is still providing ISO images for burning to a DVD with a detached signature which verifies (but I'm having a problem authenticating the subkey used to make the signature).

Another thing which puzzles me is that their description of what appears to be the "standard method" of updating a Tails USB seems to differ from what I have been doing (use Tails Installer to make a USB from Tails booted from a verified DVD), and I suspect this might mean their description is ambiguous, not that I have been doing it wrong all along.

Tested using the verified Tails 3.12 DVD ISO to burn a DVD, boot from that, and then using Tails Installer to make a Tails 3.12 USB stick with Persistent Volume the old way, and it works fine, and IMO is easier than the long method using dd etc. I hope Tails Project does not disable the old download, verification, and authentication methods, or remove Tails Installer.

Oh my goodness, thank you so much, this link is just what I needed!

The problem was that I somehow could not reach that page from the "step by step tutorial" (?) at tails.boum.org. If Tails Project had simply given that URL in the announcement post in the Tor Blog, I would have been able to read the instructions without any problems. IMO their tutorial causes more issues than it solves--- sometimes simpler methods of making required information easy to find are better than trying to do something fancy.

Happy to report everyone can still use the tried and true old procedure to

o download the Tails 3.12 ISO image for a DVD

o verify the detached signature

o verify the signing subkey used to make same

Further, it seems "Tails installer" is still available in Tails 3.12. I hope to confirm that it can be used to upgrade a Tails USB the old easy way and also to try the new hard way to make a Tails USB.

I do not understand why Tails Project apparently deprecates Tails Installer.

Anonymous

January 29, 2019

Permalink

Suggestions:

Optional latency would be an easy way to improve security. Opening pages on new tab (or file downloads) could be set non-urgent. Relays would delay these, especially guard would use "dam" to make traffic to client random or generic. User might hurry up these by activating any (color-marked) "slow tab". For uploads exit node would have a dam as well, or more like cache.

Another improvement, a costly one would be slave ideally for each relay, a small computer in sealed case with electronic antispy protection provided by a different organization. Incoming packages are given to slave which mixes them (and controls dams) before giving back, adding another layer of security without significant slow-down.

Maybe multiple and changing routes could also be considered?

Too bad the makers of the Pi did not adopt Debian for ARM as their OS, thus preventing Tor Project from being able to easily help Tails Project put the forthcoming Tails Server on a Pi.

It would be wonderful if community minded hardware people would try to launch something like the Pi Project, but using Debian for ARM devices, and ideally incorporating security seals (we don't want NSA to "interdict" and mess with shipments from the maker to individual device owners), paying attention to supply-chain concerns (we don't want CN government spooks to mess with the chips before they even reach the maker), etc.

Anonymous

January 29, 2019

Permalink

TypeError: hostName is null[Learn More] security.js:55:9
_getSecurityInfo chrome://browser/content/pageinfo/security.js:55:9
securityOnLoad chrome://browser/content/pageinfo/security.js:179:14
onmessage chrome://browser/content/pageinfo/pageInfo.js:372:5

Anonymous

January 29, 2019

Permalink

05:57:23.786 this.browser is null 1 ext-tabs-base.js:298
get frameLoader chrome://extensions/content/ext-tabs-base.js:298:5
get frameLoader chrome://browser/content/ext-browser.js:605:5
get width chrome://browser/content/ext-browser.js:678:5
convert chrome://extensions/content/ext-tabs-base.js:579:7
get chrome://browser/content/ext-tabs.js:572:18
next self-hosted:1214:9
get self-hosted:977:17
call/result< resource://gre/modules/ExtensionParent.jsm:772:57
withPendingBrowser resource://gre/modules/ExtensionParent.jsm:427:26
next self-hosted:1214:9
call resource://gre/modules/ExtensionParent.jsm:771:20
next self-hosted:1214:9
torbutton_send_ctrl_cmd chrome://torbutton/content/torbutton.js:753:10
torbutton_do_new_identity chrome://torbutton/content/torbutton.js:1126:10
torbutton_new_identity chrome://torbutton/content/torbutton.js:850:9
oncommand chrome://browser/content/browser.xul:1:1

Anonymous

January 29, 2019

Permalink

06:08:31.606 [NoScript] Could not run scripts on about:tor: privileged page? Error: Missing host permission for the tab Missing host permission for the tab 1 log.js:12:62
error moz-extension://[NoScript]/lib/log.js:12:62
moz-extension://[NoScript]/ui/popup.js:131:9

How does one trigger that (and the other debug output that got posted here)? Without some context it's not really possible for us to work on those problems and they get ignored rather than fixed or logged in our bug tracker.

Anonymous

January 29, 2019

Permalink

06:10:15.298 Error: No handler registered for message "broadcastSettings" in context moz-extension://[NoScript]/ui/options.html 1 Messages.js

Anonymous

January 29, 2019

Permalink

> Bug 27175: Add pref to allow users to persist custom noscript settings
Instead of adding dangerous settings, maybe, you make NI clear the temp trusted domains finally?

Anonymous

January 29, 2019

Permalink

TypeError: win.gBrowser is undefined[Learn More] ProcessHangMonitor.jsm:412:9
Ignoring response to aborted listener for 3509

Anonymous

January 29, 2019

Permalink

Hello, I replied to this blog post a short time ago writing that my restart from 8.0.4 was saying 8.0.5, and the updater progress bar was reappearing. Turns out there was only 60 MB on the partition. When I made space, the "bugs" were gone. My first reply has not been approved by the comment moderator to show up yet, so you don't have to approve it since I guess the problem was resolved and my fault, not yours.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

9 + 0 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.