New Release: Tor Browser 8.0.8

Tor Browser 8.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest.

The full changelog since Tor Browser 8.0.7 is:

  • All platforms
    • Update Firefox to 60.6.1esr
    • Update NoScript to 10.2.4
      • Bug 29733: Work around Mozilla's bug 1532530
Anonymous

March 30, 2019

Permalink

what is the error below describe. It occurs when I try to use a request bridge.

3/30/19, 10:40:12.839 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying known bridges again.

Anonymous

April 01, 2019

Permalink

Unresponsive script message appears. I get the following more than once a week.

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: chrome://torbutton/content/tor-circuit-display.js:145

Anonymous

April 01, 2019

Permalink

Is this a potential information leak ??

Go to a web-site with an embedded video element,

Expected. - black-insert in webpage, Click on the black-insert >>

black-insert & frown-face & Text : ' No video with supported format and MIME type found '

Ctrl+I (page Info) > Media Tab > highlight an embedded video element,

video auto-cues & shows a preview-image > press play, video plays.

This test was conducted with a .mp4 embedded video element.

TBB v808, *nix, NoScript (Security Level : Safest)

Are you saying the video plays in the Page Info > Media window? That would be interesting.... Other things can load in strange tabs. Searches can be done in the Add-ons tab. Some tools in the Web Developer menu can render web content. Probably other places....

ERROR:
win7 32bit + tbb808 : circuits list sometimes disappears from "site information"-popup

Any chance to figure out when this happens?

On a high sierra mac os running 10.13.6 my torbrowser security settings changed from safest to standard.

When did this happen? Do you have steps to reproduce this bug?

circuit shows “--unknown--” as exit node instead of the site you are visiting:

As I've already pointed out here:

https://blog.torproject.org/new-release-tor-browser-806?page=2

(Torlion (not verified) said: - March 01, 2019)

And somebody else with a similar issue pointed out here:

https://blog.torproject.org/new-release-tor-browser-807#comments

(Critial issue/… (not verified) said: – March 21, 2019)

there is an issue concerning the exit node in the circuit.

As I've experienced this issue several times again, I had another try to find out, what causes this problem. I've found a way to reproduce the issue and how to solve the problem. It's a bit difficult to explain, that's why I'll try by giving an example:

Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page)

Try the following changes concerning third-party cookies. On the left you see the setting, after the dashes you see the result of the exit node shown in the circuit. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:

Go on “options” - Privacy and Security” - “Accept third-party cookies and site data” and
set the following for third-party cookies:

“Never” – exit node is ok – wikipedia.org
“From visited” – exit node is ok – wikipedia.org
“Always” – exit node is not ok “--unknown--”
“From visited” – exit node is not ok “--unknown--”

If you change the settings from “Never” to “From visited”, the circuit shows the correct exit node. If you change the settings from “Always” back to “From visited” you will get the “--unknown--” issue.

Stay on Wikipedia (wikipedia.org) and try the following. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:

First Step:

Set the following for third-party cookies:

“Never” – exit node is ok – wikipedia.org

Now, choose “Block cookies and site data (may cause websites to break)”

Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”

Result: exit node in circuit is ok – says “ wikipedia.org”

Second Step:

Go on “options” - Privacy and Security” - “Accept third-party cookies and site data”.

Set the following for third-party cookies:

“Always” – not ok – “--unknown--”

Now, choose “Block cookies and site data (may cause websites to break)”

Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”

Result: exit node in circuit is not ok – says “--unknown--”

In both steps you have “Block cookies and site data (may cause websites to break)” and “Accept third-party cookies and site data Never” (greyed out). So it seems to be identical, however, setting “Always” for third-party cookies and then clicking on “ Block cookies and site data (may cause websites to break)” will cause the “--unknown--” issue, whereas setting “Never” for third-party cookies and then clicking on “Block cookies and site data (may cause websites to break)”will not cause the “--unknown--” issue”, and in the last case you will see the correct exit node in the circuit (which is “wikipedia.org_” in my example).

Go on options and set “Accept third-party cookies and site data Never”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”

Go on options and set “Accept third-party cookies and site data Always”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is circuit is not ok – says “--unknown--”

Go on options and set “Accept third-party cookies and site data “Never” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”

Go on options and set “Accept third-party cookies and site data “Always” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is not ok – says “--unknown--”

At this point the user gets stucked, because when having a look into the Options now, under “Privacy & Security” and “Cookies and Site Data”, you will see that cookies are blocked, but also the greyed out “Accept third-party cookies and site data “Never”. Now click again on “Accept third-party cookies and site data (recommended)“ and the greyed out “Never” changes into a black “Always”.

Solution:

Go on “Options” - “Privacy & Security” and “Cookies and Site Data”, change the black “Always” into “Never”. Go back to the page, where you have experienced the “--unknown--” issue (in my example “Wikipedia”), refresh the page or click on “New Circuit for this Site” and the “--unknown--” issue is gone. In my example you will see “wikipedia.org” again.

If you now wish to block cookies again, make sure you have set “Accept third-party cookies and site data “Never” and NOT “Always”. Even if you close and reopen Tor Browser you won't get the “--unknown” issue any longer.

I really can't tell you why changing the settings for cookies influences the circuit. Maybe the developers of Tor Browser can find out what is all behind this or maybe one of you computer techies. I'm sorry for not having the technical knowledge to find out what is wrong. The only thing possible for me was to find out that quite obviously the settings for cookies changes something in the circuit. I hope I could help nevertheless.

Wow, thanks for the detailed bug report. I've filed https://trac.torproject.org/projects/tor/ticket/30171 and we'll look into it.

Hello again. I sure wish someone could figure out why the Tor browser bookmark function does not work with Windows 10, which is on my desktop. No blue star, no nothing. It's like the function is deactivated. My laptop runs Windows 7 and bookmarking works with every Tor version. Thanks.

It sounds like a problem in Firefox, not just Tor Browser. It could be that you mistakenly clicked something that removed the icon. Do you see an icon with 3 dots "..." at the end of the address bar? Hover your mouse cursor on it, and a tooltip should say, "Page actions". Click on the icon, and you'll see one of the items in there says, "Bookmark this page". You can click that to add or edit the bookmark. To show the blue star icon, right-click on "Bookmark this page" in that menu, and another popup will say Add to/Remove from Address Bar. Click that.

It's too hidden, and I couldn't find a preference anywhere else to control it. Solutions around the web reference old versions of Firefox that had the star separated from the address bar.

TOR 8.0.8 on diff. Devices and TOR-Installs (Entry Guards - NODES) gives me that (only one Example) - of many Packets like this (Observed from an LAN-LINE)

PAKET 1482

SOURCE 192.168.1.75
DESTIN 192.42.115.102
LENGTH 590
PROTOC TCPROS
INFORM [ROS Msg] [Malformed Packet]

- TCP based Robot Operating System protocol (TCPROS)
- Message Length: 66326

---------------------------------------------------------------------------------

PAKET 2182

SOURCE 192.42.115.102
DESTIN 192.168.1.75
LENGTH 1514
PROTOC TCPROS
INFORM [ROS Conn] Metadata: ........ (Cryptic)

- TCP based Robot Operating System protocol (TCPROS)
- Header Length: 197398
- Header Content: 39 02 00 00 35 .....
- Field: 5\003\003\305A\301 .....
- Field Length: 569
- Field Content: 5\003\003\305A\301\3131Y .....
- Name: 5\003\003\305A\301\3131Y\243>K%W .....
- Value: \355\017\352jKp\366\302\324\301y .....

---------------------------------------------------------------------------------

hi
since this version, i barely can launch it, it takes forever to connect and open the homepage, than no navigation.
this happens with or without VPN

using Mojave, never had this problem before

Check your Tor log for warnings or errors.
onion icon --> Tor Network Settings --> Copy Tor Log to Clipboard.

Check your guard node (the first node in your circuit) for problems. Search for its IP address or name or fingerprint (long hexadecimal string of characters) in Tor Metrics Relay Search.
https://metrics.torproject.org/rs.html
Try this thread if relay search shows problems:
https://blog.torproject.org/comment/280436#comment-280436

NoScript v10.6 released - https://addons.mozilla.org/en-US/firefox/addon/noscript/

With many-Thanks to Giorgio Maone & the NoScript Team

v10.6

x Limit wrappedJSObject usages to compatible browsers

x [Chromium] Merged chromium branch (unified code base)

x [Locale] Updated Transifex-managed locales

x Updated TLDs

NoScript Change log - https://noscript.net/changelog

TBB error -
https://ibb.co/zs2MM8K
did not observe such errors on previous versions

Do you have steps to reproduce this issue? Does it happen with a clean, new Tor Browser installed to a different location on your computer?

I am always getting the same bridge when I make a request "request a bridge from the torproject.org" it XXX.XX.XX.XX:443. and I now only get one bridge instead of 3. Is this normal?

Well, you should not get different bridges as otherwise an attacker could just try over and over again and enumerate all bridges and block them easily. I am not sure why you get one. It could be that there are not more with your requirements available (currently).

What do you men "not more with your requirments"?

I think gk didn't recognize that when you said, "Request a bridge from torproject.org", you were referencing a radio button in TorButton > Tor Network Settings, not on the BridgeDB website. On the bridge selection page of https://bridges.torproject.org/ are advanced options for you to select the type of pluggable transport and IP version 6. The requirements gk meant are probably those options.

Indeed, thanks.

Just to elaborate the transport issue. With "Tor censored in my country" selected and I choose a "request a bridge from torproject" I always get the same bridge IP and port and since the port is not open I will state IP and port which is XX.XX.XX.XX:PPPPP etc....

this port is closed and will never complete a circuit and this started happening about 1 month ago. I have tried it on different networks and the same bridge appears.

"tormac" has posted at least three bridges in public in different blog posts. Stop. We really need to give people a tool button or guide to convert them to a hashed fingerprint.

If python is installed, type on the command line:
python -c 'import binascii; import hashlib; fingerprint = "0123456789ABCDEF0123456789ABCDEF01234567"; print("Hashed fingerprint: " + hashlib.sha1(binascii.a2b_hex(fingerprint)).hexdigest().upper())'
Replace 0123... with the fingerprint. It would be better if it was built-in TorButton.

The bridges that I am getting from IP XX.XX.XX.XX through https://bridges.torproject.org/ are always providing the same IP and port and the port is not open hence the tor browser is not able to complete a circuit.

> the port is not open

Where? On your local firewalls, or on the bridge server? Ports 80 and 443 on a destination server are the most common ports allowed for outgoing traffic from clients (you) to internet destinations because they are used by HTTP/S website traffic. You said the bridge listens on port 443. Is your local firewall blocking the bridge IP or port? Either reconfigure your firewall, or enable "This computer goes through a firewall", an option under where you set the bridge option. If you are in China, select the "meek-azure" pluggable transport option, not obs4, when you request bridges.

Find out if the bridge is down by going on relay search and pasting the bridge's fingerprint there. For bridges, you can't search by IP, only hashed fingerprint. Searching for a bridge by IP will always return "not found". Other nodes (guard, middle relay, exit) can be searched by IP, but bridges cannot. The fingerprint is a long hexadecimal string in the bridge line. Keep the fingerprint a secret.
https://metrics.torproject.org/rs.html
https://2019.www.torproject.org/docs/bridges.html.en#Understanding

If your firewall is not blocking the IPs or ports, and the bridge is online, then the bridge might be misconfigured or something unknown between you and the bridge might be interfering. First, investigate the options you can control and information that is available.

I thought that tor was a background app and I could run safari, Apple mail and Verizon outlook on it.
Please some fill me in

Well, the Tor daemon is a background app which you can use. However the Tor Project does not provide binaries for those. However, I assume there are some available for macOS. You then need to configure the apps that you want to use Tor with, so they start sending the traffic over it instead of connecting directly.

The Tor Browser Bundle is what most people use. It's a specially configured Firefox that comes with the tor daemon. To the apps you run, the tor daemon that runs in the background looks like a SOCKS5 proxy but without UDP. As for Tor Browser, you can think of Tor Browser like an extremely secure and private Safari.

For Safari, first review warnings. To browse websites over Tor, it's better to use Tor Browser than Safari over Tor.

The idea is to torify the apps you want to use over tor. The main thing is to change the proxy settings in the app to point to the tor daemon's listening address:port which is 127.0.0.1:9050 in the standalone daemon or 127.0.0.1:9150 in the Tor Browser Bundle. Read the torify documentation because most apps are not configured securely, and some cannot be configured to be secure.

After you read the general torify introduction, read the warning that some mail services lock out Tor users. You can start to torify Apple Mail and Outlook on the Tor and Email page. Make sure client-server traffic is encrypted by StartTLS (STLS), POP3S, or IMAPS on ports 993 or 995. To use POP3 or IMAP over Tor, it's better to use Thunderbird than closed-source proprietary apps over Tor. It's easier to use a mail website in Tor Browser than POP3 or IMAP apps over Tor.

How do you persist noscript settings? There are quite a number of links I would like to remain untrusted.

NOT WORCK for W10

Do you have more details about what is not working?

I need your help

Please describe your problem, and ask your question. Don't ask to ask.

Thanks for the browser

Launching tor now (8.0.8)
has broken link to manual, under the search bar in a new window:

Questions? Check our Tor Browser Manual »

The link is:
https://tb-manual.torproject.org/srv/static.torproject.org/mirrors/tb-m…

which gives
The requested URL /srv/static.torproject.org/mirrors/tb-manual.torproject.org/cur/ was not found on this server.

Thanks for the report.

We have this ticket for this issue:
https://trac.torproject.org/projects/tor/ticket/30207

I cannot update to 8.0.8 on Windows Vista, it always says you need Windows 7 !! So just carry on using 7.5.6 !

Yes, security support for Windows Vista is long gone and Mozilla therefore does not support it anymore either which is why we followed them along. Please update your operating system as Tor Browser might not be of much help in protecting you otherwise.

8.0.x
Until version 7.5.6 it was possible to install Tor browser on Win81 (64bit) host and run it OR
run the same installation from a VMware Ws Win81 guest via a win share.
Like a portable installation one could run from client or from host.
From Tor browser 8.0 on this is no longer possible.

Running Tor browser installed in a Win81 VMware guest OR running Tor browser in a Win81 guest with host-installed files:
When closing the prog RAM consuming is increasing and finally Torbrowser crashes. Same problems with some 7.x versions.

No problems with Tor browser version 7.5.6 (32bit).
It works installed on a host, installed on a guest or it works from Ws Win81 guest with an installation on a host. Without any problems.

The tested Tor browser were unmodified, no changes in about:config, no add-ons.

Apart from that problem, the size of 'place.sqlite' has decreased.
Are there any changes in the db structure?

I have not checked whether Mozilla changed anything in their database scheme, maybe.

You said that some 7.x versions were affected by a similar issue in your setup. Could you figure out which version was the last one that has that problem for you? Maybe that could give us some clue as to what is happening with Tor Browser 8 for you (see https://archive.torproject.org/tor-package-archive/torbrowser/ for older bundles).

Are you able to run 64bit Windows bundles? If so, does the same happen with those bundles or is that a 32bit problem?

#define Delta(value, base_multiplier, time_elapsed) ((++value * base_multiplier) / time_elapsed)

JK amateurish folly,

Was wondering if you wonderful concerned humanitarians would update your web-servers' security to transport layer security version 1.3, with SHA384, and a 256 bit key?

What do you mean with the #define line? I heard they are supporting TLS 1.3. What makes you believe they don't?

fwiw, the #define line is not in tor-0.3.5.8 source code. As for TLS, click the green padlock, ">" button, "More Information" brings up the Page Info window that contains the tabs: General, Media, Permissions, Security. On www. and blog. the Security tab bottom heading Technical Details are (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2). I don't know if they were talking about those servers or others.