New Release: Tor Browser 8.0.5

Tor Browser 8.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This new release updates Firefox to 60.5.0esr and Tor to the first stable release in the 0.3.5 series,

It contains a number of backports from the alpha series, most notably the proper first-party isolation of range requests when loading PDF documents.

We also updated NoScript and HTTPS Everywhere to their latest versions and removed our donation campaign related code.

The full changelog since Tor Browser 8.0.4 is:

  • All platforms
    • Update Firefox to 60.5.0esr
    • Update Tor to
    • Update Torbutton to 2.0.10
      • Bug 29035: Clean up our donation campaign and add newsletter sign-up link
      • Bug 27175: Add pref to allow users to persist custom noscript settings
    • Update HTTPS Everywhere to 2019.1.7
    • Update NoScript to 10.2.1
      • Bug 28873: Cascading of permissions is broken
      • Bug 28720: Some videos are blocked outright on higher security levels
    • Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading
    • Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
    • Bug 28695: Set default security.pki.name_matching_mode to enforce (3)

January 29, 2019




January 29, 2019


I wonder why I've never seen the "donation campaign". Or does this refer to text on the restart page (after a TBB update)?

a minor 'issue'...


January 29, 2019


feature request: please block the "your firefox browser is out of date" tab, since tor has a separate updater system

Where do you see this?
Tor Browser 7 with native noscript open this page normally

But they are right. Tor Browser 7 is indeed out of date, please upgrade to Tor Browser 8 as soon as possible as there are numerous security holes in Tor Browser 7 which are unfixed.

> But they are right.
TB7 > > normal view
TB8 > > badbrowser view

Aha, I see, I misunderstood you, sorry. What do I need to do to reproduce that? On my Linux box when I just open I don't see this problem.

It contains a number of backports from the alpha series

Patches from unstable to stable are uplifts (not backports) ;)

According to wikipedia "Backporting is the action of taking parts from a newer version of a software system or software component and porting them to an older version of the same software". So it seems to me backports is the right word here.

Kidding? That's true for released versions, e.g. backporting from stable to oldstable, but not for pre-release/alpha/beta/etc.

>>> Kidding? That's true for released versions, e.g. backporting from stable to oldstable, but not for pre-release/alpha/beta/etc.
Аre you from exUSSR probably?

Note that

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable.

After restarting from 8.0.4 into 8.0.5, "about:tor" and Menu --> Help --> "About Tor Browser" say "8.0.4". Each time I fully close TBB and reopen, a progress bar says, "Tor Browser is installing your updates and will start in a few moments..." before the progress bar for connecting to network.

NoScript says "10.2.1"
HTTPS-Everywhere says "2019.1.7"

Problem was solved by freeing more space on the disk, according to later comment.

[The post about Tails 3.12 does not allow user comments/queries so I am trying to post my question here.]

Urgent question about Tails 3.12:

Quite suddenly Tails Project introduced a new download procedure which is causing problems; some including me cannot DL the image at all. A few weeks ago Tails offered a testing version and without explanation said "there is no cryptographic signature for this release". The post introducing the production version of Tails 3.12 doesnt even mention cryptographic signatures.

Should we conclude that Tails was suddenly handed an NSL with a gag order saying that they cannot legally offer Tails anymore together with cryptographic authentication? So that Tails USB image is valid when it leaves the DL server but when it arrives, has been altered in transit by NSA?

Please, please, please explain how to cryptographically authenticate this USB image!

Please put the DL explanation in a single html page with no bells and whistles because my Tails 3.l1 (burned from the DVD which I authenticated using the signing key which I believe I have verified is authentic) somehow cannot handle that tutorial.

Not sure why they don't seem to be linking to the PGP signature on the download page, but you can get it by appending .sig to the URL of the .img or .iso file.

Thanks, I'll try that! The sig must be different for the USB image and the DVD image, yes?

Fortunately, Tails is still providing ISO images for burning to a DVD with a detached signature which verifies (but I'm having a problem authenticating the subkey used to make the signature).

Another thing which puzzles me is that their description of what appears to be the "standard method" of updating a Tails USB seems to differ from what I have been doing (use Tails Installer to make a USB from Tails booted from a verified DVD), and I suspect this might mean their description is ambiguous, not that I have been doing it wrong all along.

Tested using the verified Tails 3.12 DVD ISO to burn a DVD, boot from that, and then using Tails Installer to make a Tails 3.12 USB stick with Persistent Volume the old way, and it works fine, and IMO is easier than the long method using dd etc. I hope Tails Project does not disable the old download, verification, and authentication methods, or remove Tails Installer.

This page has instructions for downloading and verifying the image with gpg:

Oh my goodness, thank you so much, this link is just what I needed!

The problem was that I somehow could not reach that page from the "step by step tutorial" (?) at If Tails Project had simply given that URL in the announcement post in the Tor Blog, I would have been able to read the instructions without any problems. IMO their tutorial causes more issues than it solves--- sometimes simpler methods of making required information easy to find are better than trying to do something fancy.

Happy to report everyone can still use the tried and true old procedure to

o download the Tails 3.12 ISO image for a DVD

o verify the detached signature

o verify the signing subkey used to make same

Further, it seems "Tails installer" is still available in Tails 3.12. I hope to confirm that it can be used to upgrade a Tails USB the old easy way and also to try the new hard way to make a Tails USB.

I do not understand why Tails Project apparently deprecates Tails Installer.

PGP verification steps are suggested in multiple places. Plus browser extension is still encouraged as a basic verification step.


Optional latency would be an easy way to improve security. Opening pages on new tab (or file downloads) could be set non-urgent. Relays would delay these, especially guard would use "dam" to make traffic to client random or generic. User might hurry up these by activating any (color-marked) "slow tab". For uploads exit node would have a dam as well, or more like cache.

Another improvement, a costly one would be slave ideally for each relay, a small computer in sealed case with electronic antispy protection provided by a different organization. Incoming packages are given to slave which mixes them (and controls dams) before giving back, adding another layer of security without significant slow-down.

Maybe multiple and changing routes could also be considered?

Too bad the makers of the Pi did not adopt Debian for ARM as their OS, thus preventing Tor Project from being able to easily help Tails Project put the forthcoming Tails Server on a Pi.

It would be wonderful if community minded hardware people would try to launch something like the Pi Project, but using Debian for ARM devices, and ideally incorporating security seals (we don't want NSA to "interdict" and mess with shipments from the maker to individual device owners), paying attention to supply-chain concerns (we don't want CN government spooks to mess with the chips before they even reach the maker), etc.

TypeError: hostName is null[Learn More] security.js:55:9
_getSecurityInfo chrome://browser/content/pageinfo/security.js:55:9
securityOnLoad chrome://browser/content/pageinfo/security.js:179:14
onmessage chrome://browser/content/pageinfo/pageInfo.js:372:5

05:57:23.786 this.browser is null 1 ext-tabs-base.js:298
get frameLoader chrome://extensions/content/ext-tabs-base.js:298:5
get frameLoader chrome://browser/content/ext-browser.js:605:5
get width chrome://browser/content/ext-browser.js:678:5
convert chrome://extensions/content/ext-tabs-base.js:579:7
get chrome://browser/content/ext-tabs.js:572:18
next self-hosted:1214:9
get self-hosted:977:17
call/result< resource://gre/modules/ExtensionParent.jsm:772:57
withPendingBrowser resource://gre/modules/ExtensionParent.jsm:427:26
next self-hosted:1214:9
call resource://gre/modules/ExtensionParent.jsm:771:20
next self-hosted:1214:9
torbutton_send_ctrl_cmd chrome://torbutton/content/torbutton.js:753:10
torbutton_do_new_identity chrome://torbutton/content/torbutton.js:1126:10
torbutton_new_identity chrome://torbutton/content/torbutton.js:850:9
oncommand chrome://browser/content/browser.xul:1:1

Hm. I tried to reproduce that by doing "New Identity" after I started the browser on the about:tor page but was not able to trigger that exception. What else do I need to do to do so (reliably)?

Open 'Get Involved' in a new tab before NI.

06:08:31.606 [NoScript] Could not run scripts on about:tor: privileged page? Error: Missing host permission for the tab Missing host permission for the tab 1 log.js:12:62
error moz-extension://[NoScript]/lib/log.js:12:62

How does one trigger that (and the other debug output that got posted here)? Without some context it's not really possible for us to work on those problems and they get ignored rather than fixed or logged in our bug tracker.

Oh, I thought they were ignored as you didn't think they were real errors or errors worth fixing. Because if you'd logged them in our bug tracker, cypherpunks'd help you.

Helping is appreciated but a bug logged just with some weird exception without steps to reproduce is not helpful. I'd like to double-check whether I can reproduce those. We might be able to solve them faster that way.

It is on Windows with Safest settings: 1) Page Info of about:tor, 2) New Identity, 3) NoScript icon of about:tor.

Thanks. There is probably other browser console output you pasted besides the three examples above. We need more context for them as well to deal with.

Mark those you're interested in.

This does not look like a bug for us. If at all then this is a NoScript issue. Please inform the NoScript author about it. Thanks!

06:10:15.298 Error: No handler registered for message "broadcastSettings" in context moz-extension://[NoScript]/ui/options.html 1 Messages.js

> Bug 27175: Add pref to allow users to persist custom noscript settings
Instead of adding dangerous settings, maybe, you make NI clear the temp trusted domains finally?

TypeError: win.gBrowser is undefined[Learn More] ProcessHangMonitor.jsm:412:9
Ignoring response to aborted listener for 3509

Hello, I replied to this blog post a short time ago writing that my restart from 8.0.4 was saying 8.0.5, and the updater progress bar was reappearing. Turns out there was only 60 MB on the partition. When I made space, the "bugs" were gone. My first reply has not been approved by the comment moderator to show up yet, so you don't have to approve it since I guess the problem was resolved and my fault, not yours.

I watch with this update, TorBrowser is more speed. This is my opinion.