New Release: Tor Browser 8.5

[Update 5/22/2019 8:18 UTC: Added issue with saved passwords and logins that vanished to Known Issues section.]

Tor Browser 8.5 is now available from the Tor Browser download page and also from our distribution directory. The Android version is also available from Google Play and should be available from F-Droid within the next day.

This release features important security updates to Firefox.

After months of work and including feedback from our users, Tor Browser 8.5 includes our first stable release for Android plus many new features across platforms.

It's Official: Tor Browser is Stable on Android

Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September, we've been hard at work making sure we can provide the protections users are already enjoying on desktop to the Android platform. Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet. In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.

Tor Browser for Android

We made sure there are no proxy bypasses, that first-party isolation is enabled to protect you from cross-site tracking, and that most of the fingerprinting defenses are working. While there are still feature gaps between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms.

Thanks to everyone working on getting our mobile experience into shape, in particular to Antonela, Matt, Igor, and Shane.

Note: Though we cannot bring an official Tor Browser to iOS due to restrictions by Apple, the only app we recommend is Onion Browser, developed by Mike Tigas with help from the Guardian Project.

Improved Security Slider Accessibility

Our security slider is an important tool for Tor Browser users, especially for those with sensitive security needs. However, its location behind the Torbutton menu made it hard to access.

Tor Browser Security

During the Tor Browser 8.5 development period, we revamped the experience so now the chosen security level appears on the toolbar. You can interact with the slider more easily now. For the fully planned changes check out proposal 101.

A Fresh Look

We made Tor Browser 8.5 compatible with Firefox's Photon UI and redesigned our logos and about:tor page across all the platforms we support to provide the same look and feel and improve accessibility.

Tor Browser icons

The new Tor Browser icon was chosen through a round of voting in our community.

We'd like to give a big thanks to everyone who helped make this release possible, including our users, who gave valuable feedback to our alpha versions.

Known Issues

Tor Browser 8.5 comes with a number of known issues. The most important ones are:

  1. While we improved accessibility support for Windows users during our 8.5 stabilization, it's still not perfect. We are in the process of finishing patches for inclusion in an 8.5 point release. We are close here.
  2. There are bug reports about WebGL related fingerprinting which we are investigating. We are currently testing a fix for the most problematic issue and will ship that in the next point release.
  3. The upgrade to Tor Browser 8.5 broke saved logins and passwords. We are investigating this bug and hope to provide a fix in an upcoming point release.

We already collected a number of unresolved bugs since releasing Tor Browser 8 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. Check them out before reporting if you find a bug.

Give Feedback

In addition to the known issues, we are always looking for feedback about ways we can make our software better for you. If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full Changelog

The full changelog since Tor Browser 8.0.9 is:

  • All platforms
    • Update Firefox to 60.7.0esr
    • Update Torbutton to 2.1.8
      • Bug 25013: Integrate Torbutton into tor-browser for Android
      • Bug 27111: Update about:tor desktop version to work on mobile
      • Bug 22538+22513: Fix new circuit button for error pages
      • Bug 25145: Update circuit display when back button is pressed
      • Bug 27749: Opening about:config shows circuit from previous website
      • Bug 30115: Map browser+domain to credentials to fix circuit display
      • Bug 25702: Update Tor Browser icon to follow design guidelines
      • Bug 21805: Add click-to-play button for WebGL
      • Bug 28836: Links on about:tor are not clickable
      • Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
      • Bug 29825: Intelligently add new Security Level button to taskbar
      • Bug 29903: No WebGL click-to-play on the standard security level
      • Bug 27290: Remove WebGL pref for min capability mode
      • Bug 25658: Replace security slider with security level UI
      • Bug 28628: Change onboarding Security panel to open new Security Level panel
      • Bug 29440: Update about:tor when Tor Browser is updated
      • Bug 27478: Improved Torbutton icons for dark theme
      • Bug 29239: Don't ship the Torbutton .xpi on mobile
      • Bug 27484: Improve navigation within onboarding (strings)
      • Bug 29768: Introduce new features to users (strings)
      • Bug 28093: Update donation banner style to make it fit in small screens
      • Bug 28543: about:tor has scroll bar between widths 900px and 1000px
      • Bug 28039: Enable dump() if log method is 0
      • Bug 27701: Don't show App Blocker dialog on Android
      • Bug 28187: Change tor circuit icon to torbutton.svg
      • Bug 29943: Use locales in AB-CD scheme to match Mozilla
      • Bug 26498: Add locale: es-AR
      • Bug 28082: Add locales cs, el, hu, ka
      • Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
      • Bug 28075: Tone down missing SOCKS credential warning
      • Bug 30425: Revert armagadd-on-2.0 changes
      • Bug 30497: Add Donate link to about:tor
      • Bug 30069: Use slider and about:tor localizations on mobile
      • Bug 21263: Remove outdated information from the README
      • Bug 28747: Remove NoScript (XPCOM) related unused code
      • Translations update
      • Code clean-up
    • Update HTTPS Everywhere to 2019.5.6.1
    • Bug 27290: Remove WebGL pref for min capability mode
    • Bug 29120: Enable media cache in memory
    • Bug 24622: Proper first-party isolation of s3.amazonaws.com
    • Bug 29082: Backport patches for bug 1469916
    • Bug 28711: Backport patches for bug 1474659
    • Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
    • Bug 29028: Auto-decline most canvas warning prompts again
    • Bug 27919: Backport SSL status API
    • Bug 27597: Fix our debug builds
    • Bug 28082: Add locales cs, el, hu, ka
    • Bug 26498: Add locale: es-AR
    • Bug 29916: Make sure enterprise policies are disabled
    • Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
    • Bug 29327: TypeError: hostName is null on about:tor page
    • Bug 30425: Revert armagadd-on-2.0 changes
  • Windows + OS X + Linux
    • Update OpenSSL to 1.0.2r
    • Update Tor Launcher to 0.2.18.3
      • Bug 27994+25151: Use the new Tor Browser logo
      • Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting
      • Bug 22402: Improve "For assistance" link
      • Bug 27994: Use the new Tor Browser logo
      • Bug 25405: Cannot use Moat if a meek bridge is configured
      • Bug 27392: Update Moat URLs
      • Bug 28082: Add locales cs, el, hu, ka
      • Bug 26498: Add locale es-AR
      • Bug 28039: Enable dump() if log method is 0
      • Translations update
    • Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
    • Bug 28111: Use Tor Browser icon in identity box
    • Bug 22343: Make 'Save Page As' obey first-party isolation
    • Bug 29768: Introduce new features to users
    • Bug 27484: Improve navigation within onboarding
    • Bug 25658+29554: Replace security slider with security level UI
    • Bug 25405: Cannot use Moat if a meek bridge is configured
    • Bug 28885: notify users that update is downloading
    • Bug 29180: MAR download stalls when about dialog is opened
    • Bug 27485: Users are not taught how to open security-slider dialog
    • Bug 27486: Avoid about:blank tabs when opening onboarding pages
    • Bug 29440: Update about:tor when Tor Browser is updated
    • Bug 23359: WebExtensions icons are not shown on first start
    • Bug 28628: Change onboarding Security panel to open new Security Level panel
    • Bug 27905: Fix many occurrences of "Firefox" in about:preferences
    • Bug 28369: Stop shipping pingsender executable
    • Bug 30457: Remove defunct default bridges
  • Windows
    • Bug 27503: Improve screen reader accessibility
    • Bug 27865: Tor Browser 8.5a2 is crashing on Windows
    • Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu
    • Bug 28874: Bump mingw-w64 commit to fix WebGL crash
    • Bug 12885: Windows Jump Lists fail for Tor Browser
    • Bug 28618: Set MOZILLA_OFFICIAL for Windows build
    • Bug 21704: Abort install if CPU is missing SSE2 support
  • OS X
    • Bug 27623: Use MOZILLA_OFFICIAL for our builds
  • Linux
    • Bug 28022: Use `/usr/bin/env bash` for bash invocation
    • Bug 27623: Use MOZILLA_OFFICIAL for our builds
  • Android
  • Build System
    • All platforms
      • Bug 25623: Disable network during build
      • Bug 25876: Generate source tarballs during build
      • Bug 28685: Set Build ID based on Tor Browser version
      • Bug 29194: Set DEBIAN_FRONTEND=noninteractive
      • Bug 29167: Upgrade go to 1.11.5
      • Bug 29158: Install updated apt packages (CVE-2019-3462)
      • Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere
      • Bug 27061: Enable verification of langpacks checksums
    • Windows
    • OS X
    • Linux
      • Bug 26323+29812: Build 32bit Linux bundles on 64bit Debian Wheezy
      • Bug 26148: Update binutils to 2.31.1
      • Bug 29758: Build firefox debug symbols for linux-i686
      • Bug 29966: Use archive.debian.org for Wheezy images
      • Bug 29183: Use linux-x86_64 langpacks on linux-x86_64
    • Android
      • Bug 29981: Add option to build without using containers

I'm on Android Q Beta 4 and both the alpha and stable branches fail at various points. If I use bridges, it fails at the 10% consensus stage. If I don't use bridges, it gets 100% consensus, but no webpages ever load.

There are degrees of privacy and security, but everyone should expect minimum degree.

Tor should be everyone's browser instead of Firefox since it is minimum. But it is broken.

Anonymous

May 21, 2019

Permalink

What happened to Saved Logins? It is now empty although the file logins.json still is there

Anonymous

May 21, 2019

Permalink

Awesome update for Android.
I have been having all kinds of trouble with it on my phone but everything I looked up was already known and being worked on.
Glad to finally have a stable version for my mobile devices thank you very much for all that you do.

I myself do not use Android but find it very encouraging that 8.5 is working well on Android phones.

One question: does the Huawei-USG catfight impact Tor users in CN who own Huawei branded phones? I suspect the answer is likely "Yes", and that underscores the importance of finding a donor eager to fund a Tor version for a brand of phone popular in CN. Or am I being unrealistic about Tor Project's chances of helping people in CN?

Anonymous

May 21, 2019

Permalink

As a matter of preference I prefer to have all my icons on the left side of the search bar like it used to be. Is it safe to manually move them back on the left or does that affect the browser fingerprint?

Thanks

I think simply moving them does not affect the fingerprint. To a similar question about flexible space that is horizontal, gk replied, "Yes, that should be fine."

However, I don't know about removing or adding the title bar, menu bar, or bookmarks toolbar. I don't know about changing the icon size "density" or themes. Those things possibly affect vertical height.

My own question:
Does keeping open the Find bar (Ctrl+F) along the bottom of the window affect my fingerprint? Because I keep it open most of the time.

Anonymous

May 23, 2019

In reply to by gk

Permalink

so to use bookmarks much, keep the bookmarks manager window squeezed to the side of the screen?

Anonymous

May 21, 2019

Permalink

I'm still getting NoScript popups constantly, and it seems any settings to "always block such and such request" are reset after closing down the browser.

Are there any plans to block all XSS requests by default or otherwise improve this?

@ gk:

Many thanks for all your work but PUH-LEEZ explain to me (no doubt I am an idiot but I truly do not find it easy to guess how to get this done) how to check that NoScript is even working in my TB 8.,5 (currently running in Tails 3.14 but I also use Debian). I cannot see a NoScript icon and as far as I can tell from checking add-ons, NoScript should be present but has not been updated since 1 Jan 2019. That sounds bad. Has NoScript been disabled in my TB and if so how can I get it back?

What NoScript version is shown? If it is not 10.6.2 what happens if you click on the gear icon on about:addons and do a manual check? If you did not mess with Tor Browser but just set the slider to a non-default level you can easily check whether NoScript is working by trying to watch a video on Youtube. That should not be possible out-of-the-box then. Otherwise, if you feel cautious and feel you need a NoScript icon somewhere then it's perfectly fine to customize your toolbar by dragging that icon onto it.

Oh no, I see 10.6.1. Maybe that is because I am using Tor Browser 8.5 shipped with Tails 3.14?

What worries me is that I do not see a NoScript icon in the bar at upper right near the UBlock and Tor icons. However, I tired what you suggested and with "Safer" setting it seems my attempt to watch a Youtube video failed, so NoScript probably IS installed and working.

In the past NoScript showed a fearsome monster icon announcing it was blocking 3 out of 5 scripts or something like that. Which people I know hate but I liked to see it. So the vanishing of this is a feature not a bug?

By the way:

Apologies for panicking when I first tried 8.5. I was in a rush and completely misunderstood that the new icons were supposed to be there and that the security slider had moved. I think the new way is better than the old way.

Also, while the onion mirrors appear to be working for Buster can you try to liase with Debian Project to make sure nothing breaks when Buster becomes new stable? Also, can you ask them to look into possibly making popcon torified via Whisperback or something like that. Some things I use all the time vanished from Buster, possibly because privacy minded Debian users fear what an attacker with near global access could learn about our system from an unencrypted popcon report.

The vanishing of the NoScript icon is a feature. You should not need to mess with NoScript's settings at all. That's been part of our security slider redesign, see: https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-s….

Of course, if you want to see the status output NoScript gives you (or want to deal with per-site permissions which is not implemented at the moment), just customize your toolbar and put the icon back.

Anonymous

May 21, 2019

Permalink

The security levels are listed in reverse order from before on the slider. I almost started browsing in Standard mode when I meant to be in Safest (now on bottom). Users have been trained for many years to expect Safest on top/highest. Sudden reverse order is somewhat disorienting.

Anonymous

May 21, 2019

Permalink

I am unable to install this update the usual way and Tor Browser is asking me to download a fresh copy. Is this going to be fixed?

On what operating system are you on? If you set app.update.log to true and then open the browser console with Ctrl + Shift + J and then perform the update check by clicking on the hamburger menu -> Help -> About Tor Browser do you get some error messages that could explain what is going on?

Anonymous

May 21, 2019

Permalink

You say "Though we cannot bring an official Tor Browser to iOS due to restrictions by Apple, the only app we recommend is Onion Browser, developed by Mike Tigas with help from the Guardian Project."

What restrictions prevent you from bringing an official Tor Browser to iOS? I imagine there would be differences between your ideal iOS Tor Browser and what Onion Browser does. Can you talk about that?

Anonymous

May 21, 2019

Permalink

Android package don't work - never installs. Latest LineageOS on angler:

$ adb install -r tor-browser-8.5-android-x86-multi.apk
Performing Streamed Install
[waited > 5 minutes]
^C

Thank you

Anonymous

May 21, 2019

Permalink

there is still a problem in getting a new "request a bridge from torproject.org" when i request it using my Mac OS running high sierra. the same brige is continually provided.
XX.XX.XX.XX:PPPPP etc..

Anonymous

May 21, 2019

Permalink

Здравствуйте! Я из России. Есть такие программы, называемые "песочницами", они после перезагрузки сбрасывают состояние операционной системы к изначальному - я тут подумал - может быть в Тор сделать нечто подобное? Это будет получше чем механизм "Не сохранять историю" так как всё что делал пользователь в сети будет стёрто после выхода из Тор