New Release: Tor Browser 8.5a10

by boklm | March 25, 2019

Tor Browser 8.5a10 is now available from the Tor Browser Project page and also from our distribution directory.

Note: this is an alpha release: an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest.

The full changelog since Tor Browser 8.5a9 is:

  • All platforms
    • Update Firefox to 60.6.1esr
    • Update NoScript to 10.2.4
      • Bug 29733: Work around Mozilla's bug 1532530

Comments

Please note that the comment area below has been archived.

March 25, 2019

Permalink

This is your periodic reminder that the new Tor Browser logo sucks unfortunately compared to the previous iterations, please revise their design and have a nice fiscal year!

Give a link to which logo. Or do you mean the TorButton icon in the browser? They all look ok to me. Would you care to contribute your design or one you approve that Tor Project can release under the Creative Commons Attribution 3.0 United States License? You said you prefer previous iterations but want a revision.

If you meant the TorButton icon, I made some mock-ups of it using official images. The first shows the current one for reference. Half show the sprouting stem, and half are the same images but have the stem removed. The link will expire on March 25, 2020.

https://framapic.org/gallery#kkAu6Tz3auMb/7x0iMlwLs6MW.png,ZVX2gSPkPLpu…

The source images I used:
https://media.torproject.org/image/official-images/2011-tor-logo-shaded…
https://media.torproject.org/image/outdated/exonerator.png
https://media.torproject.org/image/official-images/2011-tor-logo-flat.s…
https://media.torproject.org/image/Onion Icon/Onion_Color.png
https://media.torproject.org/image/Onion Icon/Black_Icon.png

March 25, 2019

Permalink

addons.webextension. WARN Loading extension 'null': Reading manifest: Error processing background.persistent: Event pages are not currently supported. This will run as a persistent background page.

Could you please provide some context for this error message? What actions did you complete just before this occurred? Are you using the Tor Browser for Android app, or are you using the desktop version of Tor Browser?

March 25, 2019

In reply to wayward

Permalink

Wow, a new guy in comments!

To reproduce just start the browser with proper logs activated.

March 26, 2019

In reply to gk

Permalink

Yes.

Ok. My first time to comment. Probably last. First. Absolutely love this for many reasons. If i can do anything to help y'all. Hit me up. I'm also a developer. My deal is. On start up page. Where is the start up window. Ok. Ive always heard the only dumb question is the one not asked. Dont laugh at me. Im a green onion. Lol. Have a great day

March 25, 2019

Permalink

Key event not available on GTK2: key=“u” modifiers=“accel shift” id=“torbutton-new-identity-key” browser.xul

Where is the UX team?

I completely agree to Khay's plea to bring back the opportunity to manually select a steady country for Tor Browser for Android. It was possible by Orbot. Since the latest Tor Browser updates for Android you are automatically fixed on one country. Anyway I bet as lang as you use Android, Google is still able to spy you out even through the use of Tor Browser for Android. So why do the Tor developers debate security issues if bringing back the opportunity to change the country manually then? Android spies you out anyway!

March 25, 2019

Permalink

Hello! Please tell me how to configure the excluded tor nodes in the latest versions of Android Android TB alpha? And the second question: Does the latest Android TB Android alpha support "torrc user settings"?

Hello! In the new versions 8.5a.9 - 8.5a.10 is it possible to change the settings of the torrc file? Make additions and changes; ExcludeNodes, ExcludeExitNodes, ORport, ExitRelay, hiddenservice....
Maybe you want to completely deprive Tor Browser for Android of these functions? For many users, these features are very important. If you remove these features will be a very bad browser for Tor.

March 25, 2019

Permalink

Do you plan to enable Tor browser for Android to use other orbot? Or just open in it proxy ports? There's currently no such option and I have to run secondary orbot for other apps.

We plan to get away from shipping an own Orbot (this should happen with the next alpha already, in fact). I am not sure yet how we want to expose Tor Browser's Tor functionality to other apps, so for now I think it's fair to say you need for those apps Orbot.

March 27, 2019

In reply to gk

Permalink

Thanks gk. Yes, I need an access to orbot settings, i.e. to set it open for other apps which I like to run through Tor as well :)
Now I have two orbots running: one built-in in Tor browser, the second for my other apps. I think the option like "Advanced settings, beware" opening old functionality might be very helpful.
Anyway your work is outstanding, thanks :)

March 26, 2019

Permalink

Hello! In the new versions 8.5a.9 - 8.5a.10 is it possible to change the settings of the torrc file? Make additions and changes; ExcludeNodes, ExcludeExitNodes, ORport, ExitRelay, hiddenservice....
Maybe you want to completely deprive Tor Browser for Android of these functions? For many users, these features are very important. If you remove these features will be a very bad browser for Tor.

March 26, 2019

In reply to gk

Permalink

Agree with you! Access to the torrc settings is required! Thank you for mutual understanding. :-)

March 26, 2019

Permalink

https://www.torproject.org/download/
1. "Get Tor Browser for Android." > "Download APK" button does not start APK download (JS disabled).

2. Where can I download TOR only? Not browser.

3. How can I detect Tor Browser on WebExtensions side so I could use .onion?
browser.getversion() == "torbrowser"

some of the games

Tor Browser doesn't ship with Adobe Flash. Some games on that site run from swf Flash files. Right-click on the box where the game would play, and click Inspect Element. See if it says swf somewhere in there. Some other games say html5, and those don't use Flash, so they probably work.
https://support.torproject.org/tbb/tbb-12/

If Flash isn't the issue: There are thousands of games. Please provide links to a few that definitely aren't working for you. Are you using the Tor Browser version announced in this post or something else? Have you tried lowering the security level slider? Did you leave NoScript and about:config at their defaults? Do those games work in a different browser? Bug reports can't be solved without suitably specific data or reproducible test cases.

March 27, 2019

Permalink

Will you fix the image bug on mobile where you can't download images it'll ask for permission but it just ends there :\

March 30, 2019

Permalink

I downloaded tor browser for windows 10 but it does not work it shows me a notification that the software can not be run on the pc what i should do????

March 31, 2019

Permalink

When I click on "copy link" is this information saved or where does it go. Copied a bunch but have no idea where they are. Thanks

March 31, 2019

Permalink

I'm confused, the latest entry in the block is for 8.5.a10, but the download page shows only 8.0.8. What's going on ?

8.0.8 is the stable version, which we recommend by default. 8.5a10 is the alpha version which you find under the advanced installation options. That one is for users that can live with a more experimental version to help us finding bugs.

March 31, 2019

Permalink

Please find the image attached. As can be seen, the exit node says "Unknown" at the very end. Tor nodes IPs are redacted in the screenshot.

That link gave a 404 which is why I removed it from your comment. That said, it would be really helpful to find steps to reproduce your problem. So far, we did not have any luck which makes it hard to investigate and fix the underlying bug.

April 03, 2019

Permalink

I've seen that gardian project are still distributing old and tracker addled versions of orfox for mobile. They were not capable of purging the code inherrited from firefox yet still distributed it. Quite alarming..

what's the story presently regarding the ever flowing stream of Firefox antifeatures? and specifically inbuilt google tracking?

April 05, 2019

Permalink

Happened when I selected few countries with strict nodes enabled in config. A reinstall solved the issue but still not possible to trace down to the root cause.

Something more. NoScrip's XSS going wild. Even getting DDG search filtering warnings. And it uses a really big pop up to show that Allow or Deny window. Could you please check that one too?

Attached the screenshot on Dropbox this time.

https://www.dropbox.com/s/m8pi98igu48gzys/Tor_Exit_Node_IP_Unknown.png

April 06, 2019

Permalink

Is anyone else reporting problems with obfs4 bridge ? don't no where to report this for the last week or so "obfs4" has failing to connect and still on going , now use meek just to connect

April 06, 2019

Permalink

HTML5 Canvas Image Extraction and Fingerprinting

I know Tor's warning about (and blocking of) sites trying to extract html5 canvas image data is not a new thing but I remembered it just recently when the EU ratified article 13 which is likely to illegalize memes and whatever.
So I wanted to ask if the danger posed by HTML5 Canvas Image Extraction means that in extension any rendered/edited image can be traced back to the graphics card it was made with. The text here https://2019.www.torproject.org/projects/torbrowser/design/#fingerprint… states

'Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server.'

That sounds pretty scary actually for anyone whoever uploaded an image, even he just shopped a line of text onto it

I think you're confused about the definitions.
https://en.wikipedia.org/wiki/Canvas_fingerprinting
A canvas in this sense is an area defined by the webpage and rendered in the browser's web content display areas where the webpage can use Javascript for graphics, primarily drawing and coloring. The text you cited describes the ability of a webpage to tell the browser's Javascript engine to draw in a canvas area and then extract the image it drew. The abilities and metadata provided by the engine for manipulating a canvas depend on many factors, some of which are listed in your quote. The adversary webpage can tell the browser to draw and extract a canvas image that exposes the limits of the metadata and abilities that are highly unique to each browser+system settings combination. It can be compared to a unique session cookie but circumvents all cookie safeguards. Websites such as panopticlick let you test your browser fingerprint entropy.

Image editing is different. It is usually done in offline image editors and goes through different processes versus rendering or uploading that file in a web browser. Some image file types are saved with metadata inside them that you can read with an EXIF viewer or hex editor. As far as I know, the canvas is not designed to read those. It's possible for editors to save the name of the graphics card model or the model of the camera that took a photo as EXIF data. Uploaded files in general could be traced by time, IP, and file hash. Uploaded images could be analyzed for what they visibly depict. But none of those are how canvas fingerprinting works. File uploads are generally not intended to be processed by canvas Javascript that the webpage may try to run in the browser tab, and I would expect that any attempts to extract the canvas image would trigger the warning regardless of what was drawn. Interfaces for uploading wouldn't really help the goals of canvas fingerprinting. They are generally not silent and hidden every time the page loads and require the user to actively click buttons to begin.

April 07, 2019

Permalink

Sometimes the page of the site blinks, just inside the browser, like a black "25 frame". And it happens quite often 1-2 times per session. What it is? As if some kind of spying. before this was not, it appeared 2-3 updates back. Clean install every time.

April 11, 2019

In reply to gk

Permalink

the space inside the browser - inside its contours, which is not clear? How to repeat - it happens by itself, wait.

I've seen something like that before. The browser stops responding correctly, and black rectangles appear on whatever page is open and on the browser toolbars after I close toolbar menus or click another tab. It's as if the whole browser stops replacing the graphics of the things behind the things I close. I always thought it was a memory or CPU issue. I think it happens on sites that have many entries in NoScript. Other people have reported it in Firefox, Chrome, Edge. Most answers say to disable Hardware Acceleration or GPU. I still think certain heavy webpages are the cause. If I see more, I'll save them.

https://support.mozilla.org/en-US/questions/1006033
https://support.mozilla.org/en-US/questions/925894
https://www.reddit.com/r/firefox/comments/3cl8kk/firefox_39_black_recta…

I double-checked and the signature is fine for me. Do you still have the .asc file that your GPG tool does not like? Could you give us the full error you get when verifying the download and the command you used to do so?

April 08, 2019

Permalink

imo the new logo is an improvement, but it just seems a bit too simplistic, like 5 minutes in GIMP simplistic...

making logos simple isn't always bad, the EFF logo looks alright, but if you are adding gradients and shadows you should add more detail than a just a circle, something like the firefox quantum logo would be amazing.

tbh the black and white version of the old logo, without any ugly 2005 style gradients looks better than this.