New Release: Tor Browser 8.0.9

Tor Browser 8.0.9 is now available from the Tor Browser Download page and also from our distribution directory.

This release fixes the issue which caused NoScript and all other Firefox extensions signed by Mozilla to be disabled.

If you used the workaround mentioned in our previous blog post, don't forget to set the xpinstall.signatures.required entry in about:config back to true after installing this update.
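One way to confirm the workaround was reverted is to look for the override in the profile's `prefs.js`, where Firefox records preferences changed through about:config. This is an added example, not code from the Tor Project; the sample file contents are constructed, and the path to `prefs.js` inside your Tor Browser install is left as a command-line argument.

```python
import re
import sys

# One user_pref("name", value); line, the form Firefox writes to prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Value each pref should have once the update is installed (from the post).
# A pref that is absent from prefs.js is at its built-in default.
EXPECTED = {"xpinstall.signatures.required": True}

# Constructed sample of a profile where the workaround was never reverted.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "60.6.1");
user_pref("xpinstall.signatures.required", false);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref line; the last one wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank line, or something we do not parse
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unknown literals verbatim
    return prefs

def leftover_overrides(text, expected=EXPECTED):
    """Names of prefs explicitly set to something other than expected."""
    prefs = parse_prefs(text)
    return sorted(n for n, want in expected.items()
                  if n in prefs and prefs[n] != want)

if __name__ == "__main__":
    # Pass the path to the profile's prefs.js; with no argument, use the sample.
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else SAMPLE_PREFS)
    for name in leftover_overrides(text):
        print(f"{name} is still overridden; reset it in about:config")
```

Run it with the browser closed, since Firefox rewrites `prefs.js` on exit.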

Note: To build faster, we did not bump the Firefox version number, so the browser will still show 60.6.1esr as the Firefox version.

The full changelog since Tor Browser 8.0.8 is:

  • All platforms
    • Update Torbutton to 2.0.13
      • Bug 30388: Make sure the updated intermediate certificate keeps working
    • Backport fixes for bug 1549010 and bug 1549061
      • Bug 30388: Make sure the updated intermediate certificate keeps working
    • Update NoScript to 10.6.1
      • Bug 29872: XSS popup with DuckDuckGo search on about:tor

Anonymous

May 08, 2019

I just installed the new Tor browser yesterday, but every time I try to open it, it says, "Tor browser is already running, but not responding." I have tried completely removing all the old Tor info and cleaned up my computer of "Tor" stuff. I then redownloaded Tor (8.0.9) and tried a "fresh" install but still get that screen, any ideas?

Anonymous

May 08, 2019

On May 8, 2019 Mozilla released a patch for the above bug. The version of the non-ESR browser stands at 66.0.5. Mozilla plans to release a patch for the ESR browser by May 9.

Tor users should expect an update to Tor Browser Bundle. The updated Tor Browser Bundle's version should be 8.0.10.

Anonymous

May 08, 2019

ALERT!!!!!

Check NoScript default Per-site-permissions!!! My default "trusted" websites: google.com bootstrapcdn.com gstatic.com hotmail.com neflix.com paypal.com yahoo.com youtube.com and 30-40 more

Security slider "safest". Update/install yesterday, version 8.0.9.
Yet they have full permissions by default (trusted). Had to remove manually.
Behavior different than before Mozilla muckup. Please investigate!

PS, Noscript “General” tab default setting allows “fetch” and “other”
IIRC those should not be enabled.

PPS, Loaded this page without scripts infinite loop reloading. Stopped when turn on scripts.
Have seen other weird behavior from TOR since Mozilla muckup. Stay safe everyone.

> PPS, Loaded this page without scripts infinite loop reloading. Stopped when turn on scripts.

Your final point is a long-standing bug, not new. The blog expects JavaScript enabled. It loads well on "safest", but it reloads infinitely if you load/refresh on "safer" and then go to "safest" and refresh.

> PS, Noscript “General” tab default setting allows “fetch” and “other” IIRC those should not be enabled.

"fetch" and "other" are enabled for Default in the older 8.0.8. All are except "media". You say "should not". I do not know if they were meant to be or not.

Anonymous

May 09, 2019

I have a question for Tor developers.

For 99% of the time that I use TBB, my security level is set to Safest.

During the time when NoScript and all other Firefox extensions signed by Mozilla were disabled, I did the following:

I typed about:config in the address bar.
I toggled javascript.enabled to false.

What I did achieved the same result as using the NoScript add-on, right??

According to my understanding the answer is "No", since NoScript provides protections other than simply disabling JavaScript in some situations. Also, rolling your own fix to the issue (now fixed in TB 8.0.9) is likely to make you more individually recognizable to web trackers.

"According to my understanding the answer is "No""

Your understanding is based on the other protections that you claim NoScript provides.

"....since NoScript provides protections other than simply disabling JavaScript in some situations"

What are these other protections that NoScript provides?

They have been mentioned in blog posts but I never claimed to understand the details. For those I must refer you to the Tor team. Please bear in mind that they are busy people.

Anonymous

May 09, 2019

For users of very old versions who don't upgrade and accept the risk, "Someone pointed me to a fix for older FF's and it seems to work! reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/ " Found on Mozilla Firefox bug tracker, #1549078.

Anonymous

May 09, 2019

TB 8.0.9 seems to be working fine for me both under Debian 9.9 and in Tails 3-13-2.

Thanks again to Tor and Tails team for your rapid and effective response to the NoScript debacle.

Anonymous

May 09, 2019

Thanks again for fixing the NoScript problem.

Just wanted to warn that TP should make ready for possible state-sponsored cyberassaults on Tor coming up in a few weeks:

theguardian.com
Tiananmen Square: China steps up curbs on activists for 30th anniversary
Government’s critics say controls are more severe: ‘They know the 30th anniversary means a lot’
Lily Kuo in Beijing
9 May 2019

wired.com
Inside China's Massive Surveillance Operation
Isobel Cockerell
9 May 2019

(For example, having people on standby to deal with a new crisis.)

Anonymous

May 10, 2019

don't forget to

For mission-critical commands like this, say "remember to," or start with the command word: "Set the..."

"Warning statements should be written in the active voice, not the passive voice, and, when possible, using affirmative statements instead of negative statements. In several studies, active sentences were found to be verified faster than passive sentences, affirmative faster than negative, and true faster than false. The exception is a common warning instruction where a prohibition is required, such as “No Smoking.”

Negative and passive words in warning statements require more effort to interpret correctly. Statements having these features require a larger capacity of immediate memory than do otherwise identical statements lacking these negative and passive features."

Affirmative Warnings (Do This) May Be Better Understood Than Negative Warnings (Do Not Do That)
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3989081/

Anonymous

May 10, 2019

thank you all for your efforts!

hope you get the ddos situation under control soon

Yes, about:tbupdate, Learn More opens "How do circuits work?", a guide in the browser about the circuit display in the padlock icon. I don't know if it is a good idea to open DuckDuckGo suddenly from clicking to Learn More. Tor Project also runs many onions.

Anonymous

May 11, 2019

@ Tails users:

I tried to use the auto upgrade to upgrade two USB sticks to Tails 3.13.2 but the upgrade failed for one of them. But an alternative procedure works and is more efficient if you have several Tails USB sticks: use wget to obtain the ISO image (yes, this is in itself an issue since wget had a bug in Tails 3.13.1), verify it, burn it to a DVD, boot laptop with DVD, once Tails is entirely ready, insert USB stick, choose Tails -> Tails Installer. The location of the USB stick should appear and you should use the default "clone running Tails". Click "Upgrade". This preserves the persistent volume and installs new Tails OS over old one in the unencrypted boot area of USB.

If you have trouble with wget read the man page for some helpful options. If your computer lacks memory you can call wget from a directory on a data USB stick (assuming you have enough space and at least two USB ports and a DVD drive).

Anonymous

May 11, 2019

Let me start by saying that I have been a massive supporter of the Tor network for many years.

But it's becoming impossible to use due to the constant DDoS attacks. The bug in the Tor software needs to be fixed and it needs to be fixed quickly.

The bug also potentially opens up the possibility for large hidden services to be deanonymized too.

This is a serious problem which needs the Tor developers' undivided attention.

> But it's becoming impossible to use due to the constant DDoS attacks. The bug in the Tor software needs to be fixed and it needs to be fixed quickly.

I think you are talking about onion sites, yes?

I have been able to use TB to surf to clearnet sites without any problems, but I sometimes notice problems with the Debian onion mirrors. Speaking of which, these include Buster for those who want to get ahead of the curve on the rollover from Stretch to Buster as the new Debian stable.

Anonymous

May 11, 2019

I am using TB 8.0.9 in Tails 3.13.2 but I just got the "all extensions have been disabled" yellow bar when I tried to surf to this duckduckgo.com

Toggling xpinstall.signatures.required to FALSE appears to fix this but I am sure what is the best way to disable unsigned autoupdates. In particular, can't find the option to prevent unsigned NoScript updates.

F/U: the problem only happened once and has not recurred since (a day later). NoScript and uBlock have been working again for me. I boot Tails from a DVD burned from the current ISO (verified sig) which includes TBB 8.0.9 which should fix the expired cert issue. Maybe a sig check simply took longer than expected which temporarily disabled my add-ons? If that is possible, that would not be good.

On the bright side, at least I can confirm that users are alerted by a message in a yellow bar in TB that add-ons have been disabled.

> what is the best way to disable unsigned autoupdates. In particular, can't find the option to prevent unsigned NoScript updates.

Read this comment thread on page 1. To prevent add-on autoupdates, https://support.mozilla.org/en-US/kb/how-update-add-ons The only way to prevent only unsigned add-on updates is to toggle xpinstall.signatures.required back to true.

Anonymous

May 14, 2019

Hi,
A few minutes ago I downloaded a file from a website in our country that is 24/7 under surveillance by the Government.
Mistakenly, it was not the latest version of TOR. I mean that after updating, I didn't restart the browser, and I entered and downloaded the file from the previous version of TOR.
I entered from the laptop.
After downloading the file, I immediately restarted and updated my Tor browser.
Can they trace me? Or will I face any problem?

Download Tor Browser from torproject.org, not from other websites. Tor Browser downloads updates when it finds them and notifies you to restart, but Tor Browser does not install the update until you restart the browser. Tor Browser installs the update when you fully close the browser and open it again, not before. Thus, you could not have updated it if you didn't restart the browser.

I think you are as safe as you normally are if you downloaded the files through Tor Browser, used sig files to verify signatures, and (if the file was a document) did not open documents downloaded through Tor while online. But I cannot answer confidently because I don't fully understand your English.

Anonymous

May 16, 2019

I haven't got any problem with and without this update. I am disabled and I just find normal things but around the world. Please, don't laugh at me, but I usually use the DuckDuckGo browser and I don't find any difference and I know it must exist.

P.D. Sorry if my English is not too correct, but I'm Spanish... ;-|

Anonymous

May 16, 2019

I will use Tor Browser as long as it doesn't add Node.js or any supplementary dependency ... But I have the feeling it will follow the madness of Firefox.

Anonymous

May 19, 2019

Tor is basically unusable to a big number of us. We have a political web site and the GOP activists are DDoSing our anti-Trump page. We had to take it down. Can you please fix this? It should be your #1 priority.