New Release: Tor Browser 8.5

[Update 5/22/2019 8:18 UTC: Added issue with saved passwords and logins that vanished to Known Issues section.]

Tor Browser 8.5 is now available from the Tor Browser download page and also from our distribution directory. The Android version is also available from Google Play and should be available from F-Droid within the next day.

This release features important security updates to Firefox.

After months of work and including feedback from our users, Tor Browser 8.5 includes our first stable release for Android plus many new features across platforms.

It's Official: Tor Browser is Stable on Android

Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September, we've been hard at work making sure we can provide the protections users are already enjoying on desktop to the Android platform. Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet. In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.

Tor Browser for Android

We made sure there are no proxy bypasses, that first-party isolation is enabled to protect you from cross-site tracking, and that most of the fingerprinting defenses are working. While there are still feature gaps between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms.

Thanks to everyone working on getting our mobile experience into shape, in particular to Antonela, Matt, Igor, and Shane.

Note: Though we cannot bring an official Tor Browser to iOS due to restrictions by Apple, the only app we recommend is Onion Browser, developed by Mike Tigas with help from the Guardian Project.

Improved Security Slider Accessibility

Our security slider is an important tool for Tor Browser users, especially for those with sensitive security needs. However, its location behind the Torbutton menu made it hard to access.

Tor Browser Security

During the Tor Browser 8.5 development period, we revamped the experience so now the chosen security level appears on the toolbar. You can interact with the slider more easily now. For the fully planned changes check out proposal 101.

A Fresh Look

We made Tor Browser 8.5 compatible with Firefox's Photon UI and redesigned our logos and about:tor page across all the platforms we support to provide the same look and feel and improve accessibility.

Tor Browser icons

The new Tor Browser icon was chosen through a round of voting in our community.

We'd like to give a big thanks to everyone who helped make this release possible, including our users, who gave valuable feedback to our alpha versions.

Known Issues

Tor Browser 8.5 comes with a number of known issues. The most important ones are:

  1. While we improved accessibility support for Windows users during our 8.5 stabilization, it's still not perfect. We are in the process of finishing patches for inclusion in an 8.5 point release. We are close here.
  2. There are bug reports about WebGL related fingerprinting which we are investigating. We are currently testing a fix for the most problematic issue and will ship that in the next point release.
  3. The upgrade to Tor Browser 8.5 broke saved logins and passwords. We are investigating this bug and hope to provide a fix in an upcoming point release.

We already collected a number of unresolved bugs since releasing Tor Browser 8 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. Check them out before reporting if you find a bug.

Give Feedback

In addition to the known issues, we are always looking for feedback about ways we can make our software better for you. If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full Changelog

The full changelog since Tor Browser 8.0.9 is:

  • All platforms
    • Update Firefox to 60.7.0esr
    • Update Torbutton to 2.1.8
      • Bug 25013: Integrate Torbutton into tor-browser for Android
      • Bug 27111: Update about:tor desktop version to work on mobile
      • Bug 22538+22513: Fix new circuit button for error pages
      • Bug 25145: Update circuit display when back button is pressed
      • Bug 27749: Opening about:config shows circuit from previous website
      • Bug 30115: Map browser+domain to credentials to fix circuit display
      • Bug 25702: Update Tor Browser icon to follow design guidelines
      • Bug 21805: Add click-to-play button for WebGL
      • Bug 28836: Links on about:tor are not clickable
      • Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
      • Bug 29825: Intelligently add new Security Level button to taskbar
      • Bug 29903: No WebGL click-to-play on the standard security level
      • Bug 27290: Remove WebGL pref for min capability mode
      • Bug 25658: Replace security slider with security level UI
      • Bug 28628: Change onboarding Security panel to open new Security Level panel
      • Bug 29440: Update about:tor when Tor Browser is updated
      • Bug 27478: Improved Torbutton icons for dark theme
      • Bug 29239: Don't ship the Torbutton .xpi on mobile
      • Bug 27484: Improve navigation within onboarding (strings)
      • Bug 29768: Introduce new features to users (strings)
      • Bug 28093: Update donation banner style to make it fit in small screens
      • Bug 28543: about:tor has scroll bar between widths 900px and 1000px
      • Bug 28039: Enable dump() if log method is 0
      • Bug 27701: Don't show App Blocker dialog on Android
      • Bug 28187: Change tor circuit icon to torbutton.svg
      • Bug 29943: Use locales in AB-CD scheme to match Mozilla
      • Bug 26498: Add locale: es-AR
      • Bug 28082: Add locales cs, el, hu, ka
      • Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
      • Bug 28075: Tone down missing SOCKS credential warning
      • Bug 30425: Revert armagadd-on-2.0 changes
      • Bug 30497: Add Donate link to about:tor
      • Bug 30069: Use slider and about:tor localizations on mobile
      • Bug 21263: Remove outdated information from the README
      • Bug 28747: Remove NoScript (XPCOM) related unused code
      • Translations update
      • Code clean-up
    • Update HTTPS Everywhere to 2019.5.6.1
    • Bug 27290: Remove WebGL pref for min capability mode
    • Bug 29120: Enable media cache in memory
    • Bug 24622: Proper first-party isolation of
    • Bug 29082: Backport patches for bug 1469916
    • Bug 28711: Backport patches for bug 1474659
    • Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
    • Bug 29028: Auto-decline most canvas warning prompts again
    • Bug 27919: Backport SSL status API
    • Bug 27597: Fix our debug builds
    • Bug 28082: Add locales cs, el, hu, ka
    • Bug 26498: Add locale: es-AR
    • Bug 29916: Make sure enterprise policies are disabled
    • Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
    • Bug 29327: TypeError: hostName is null on about:tor page
    • Bug 30425: Revert armagadd-on-2.0 changes
  • Windows + OS X + Linux
    • Update OpenSSL to 1.0.2r
    • Update Tor Launcher to
      • Bug 27994+25151: Use the new Tor Browser logo
      • Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting
      • Bug 22402: Improve "For assistance" link
      • Bug 27994: Use the new Tor Browser logo
      • Bug 25405: Cannot use Moat if a meek bridge is configured
      • Bug 27392: Update Moat URLs
      • Bug 28082: Add locales cs, el, hu, ka
      • Bug 26498: Add locale es-AR
      • Bug 28039: Enable dump() if log method is 0
      • Translations update
    • Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
    • Bug 28111: Use Tor Browser icon in identity box
    • Bug 22343: Make 'Save Page As' obey first-party isolation
    • Bug 29768: Introduce new features to users
    • Bug 27484: Improve navigation within onboarding
    • Bug 25658+29554: Replace security slider with security level UI
    • Bug 25405: Cannot use Moat if a meek bridge is configured
    • Bug 28885: notify users that update is downloading
    • Bug 29180: MAR download stalls when about dialog is opened
    • Bug 27485: Users are not taught how to open security-slider dialog
    • Bug 27486: Avoid about:blank tabs when opening onboarding pages
    • Bug 29440: Update about:tor when Tor Browser is updated
    • Bug 23359: WebExtensions icons are not shown on first start
    • Bug 28628: Change onboarding Security panel to open new Security Level panel
    • Bug 27905: Fix many occurrences of "Firefox" in about:preferences
    • Bug 28369: Stop shipping pingsender executable
    • Bug 30457: Remove defunct default bridges
  • Windows
    • Bug 27503: Improve screen reader accessibility
    • Bug 27865: Tor Browser 8.5a2 is crashing on Windows
    • Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu
    • Bug 28874: Bump mingw-w64 commit to fix WebGL crash
    • Bug 12885: Windows Jump Lists fail for Tor Browser
    • Bug 28618: Set MOZILLA_OFFICIAL for Windows build
    • Bug 21704: Abort install if CPU is missing SSE2 support
  • OS X
    • Bug 27623: Use MOZILLA_OFFICIAL for our builds
  • Linux
    • Bug 28022: Use `/usr/bin/env bash` for bash invocation
    • Bug 27623: Use MOZILLA_OFFICIAL for our builds
  • Android
  • Build System
    • All platforms
      • Bug 25623: Disable network during build
      • Bug 25876: Generate source tarballs during build
      • Bug 28685: Set Build ID based on Tor Browser version
      • Bug 29194: Set DEBIAN_FRONTEND=noninteractive
      • Bug 29167: Upgrade go to 1.11.5
      • Bug 29158: Install updated apt packages (CVE-2019-3462)
      • Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere
      • Bug 27061: Enable verification of langpacks checksums
    • Windows
    • OS X
    • Linux
      • Bug 26323+29812: Build 32bit Linux bundles on 64bit Debian Wheezy
      • Bug 26148: Update binutils to 2.31.1
      • Bug 29758: Build firefox debug symbols for linux-i686
      • Bug 29966: Use for Wheezy images
      • Bug 29183: Use linux-x86_64 langpacks on linux-x86_64
    • Android
      • Bug 29981: Add option to build without using containers

May 22, 2019


CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS

Of course, you can say that you cannot do anything with it, but it is your responsibility to warn users that they should disable HT/SMT on Intel CPUs to use Tor Browser safely.

"Systems affected: Mozilla Firefox versions prior to 67, Mozilla Firefox ESR versions prior to 60.7" (source)
"Fixed in Firefox ESR 60.7" (source)

Tor Browser 8.5 --> hamburger menu --> Help --> About Tor Browser
"8.5 (based on Mozilla Firefox 60.7.0esr)"


May 22, 2019


I'm using what is allegedly the "most secure operating system" - OpenBSD and don't understand this:

"Sometimes the most recent version of Tor Browser on OpenBSD is behind the current release. The available version of TB on OpenBSD should be checked with:

pkg_info -Q tor-browser

That command returns tor-browser-8.0.9 for me on OpenBSD 6.5 -current.

But shows only versions "8.0.8" is available for release on other platforms. Then there's which offers versions "8.5". What version I'm supposed to be using remains a mystery. I have a flashing exclamation mark over the onion icon in Tor Browser, but when I select it, the only options are New Identity or Settings. You need to make this a lot less ambiguous and confusing, please.

2019.www.* is the old site. Don't expect it to be up to date.

pkg_info queries an OpenBSD repository mirror. Mirror servers take time to synchronize with each other. Maintainers of OpenBSD, not Tor Project, prepare packages for those repositories. Tor Project does not manage official OpenBSD OS repositories just like it does not manage official Linux OS repositories. Tor Project manages a Tor Project DEB repository. The most recent release of Tor Browser is 8.5, but the most recent snapshot of tor-browser on OpenBSD mirrors is version 8.0.9. Fortunately, BSDs ship an ABI that can run binary executables that are built for Linux. Download Tor Browser 8.5 from, and search for how to run a Linux binary/program on OpenBSD or FreeBSD. Otherwise, install 8.0.9 from OpenBSD, and wait for their maintainers to update their mirrors to 8.5, the version immediately after 8.0.9.


May 22, 2019


This blog post page is so screwed up in Tor without Javascript enabled. It goes into an insane page reload loop that makes it impossible to scroll/view content. I wonder if any Tor developers actually use Tor browser without Javascript or have done basic QA on this site. Dissapointed.

I've never experienced what you describe.

For a while beginning with when 'installed' its current commenting system, the "Reply" link on each comment disappeared after I had posted *one* comment on a blog post. That strange defect went away one or more years ago.

This may be useful for comparison to your TBB circumstances: I'm using release TBB in Windows 7 with TBB Security Level set at "safest" and NoScript set to rarely allow any domains - and those only temporarily. (I'd like a NoScript timer feature, BTW)

Also, though NoScript's WebExtension rewrite lacks as much control as the pre-Quantum NoScript had, I try to set NoScript "universal" ("permanent") settings to their strictest.
Exception: I had checkboxed allow bookmarklets in pre-Quantum NoScript.

Further off-topic...
Quantum's crippled NoScript forces me to create additional keyword searches ('searchmarks'? 'keymarks'?) as workaround substitutes for *some* bookmarklets. The pragmatic quantity of keyword 'searchmarks' is limited by my memory of the "unusual" keyword that each keyword 'searchmark' requires.

> I've never experienced what you describe.

I can confirm both that this behavior does occur with slider on "Safest" and that it has been discussed in the blog before.

@ the OP:

I have found that setting the slider to "Safer" fixes the problem. If you forget to reset the slider before coming here, just hit "new identity", change the slider, and reenter the URL.

I have just downloaded and installed Tor Browser 8.5 and NoScript extension is missing. So I cannot quickly check (by hovering the mouse over the icon) what is the 'script situation' with the current site. Should I install it?
Plus on the about:preferences#privacy page
Cookies are also enabled by default
Tracking protection: 'never'.
Prevent accessibilitiy services: unckecked ...
All the base settings seem to be risky...

How did you decide the extension is missing? We just don't show it on the toolbar anymore to not confuse user's with NoScript settings. It should show up in `about:addons`, though. And, sure, you can just customize your toolbar and drag the icon back to it if you think that's something you need.

All the settings you mentioned seem to be as they should.

> We just don't show it on the toolbar anymore to not confuse user's with NoScript settings.

Ah. I wish this I had known this before I panicked. I think I agree with the change but the timing (just after the ferocious NoScript disabling fiasco) was unfortunate.

Developers, note that OP's perception of "risky" base settings and wanting to customize them are because they scrolled on the about:preferences#privacy which is opened by the new security shield.

Why does the Tor app for android need permission to access photos, music and documents?

The app doesn't actually need to access these files (photos, music, documents). Unfortunately, this is how Google explains apps requesting access to the external device storage. The device storage is where files are downloaded. Therefore, this permission is not really about accessing these files but being allowed to save files. We opened a ticket for explaining why we request each permission -

Update HTTPS Everywhere to 2019.5.6.1

It updates rulesets to 2019.5.20, and then Firefox updates it to 2019.5.13 version which overwrites rulesets to 2019.5.13. Amazing.

I like the onion logo on the left side of the url bar and I also liked the security slider. Not sure why those needed to be messed with

You can customize your toolbar again and drag the icon back to the left side or, really, wherever you want to have it. We "messed" with the slider to make it easier accessible and more usable for everyone.

The toolbar redesign on desktops is a big disappointment. Confusing the user by removing the noscript button (with a, well, familiar interface) is not the right thing to do, in my opinion. Noscript shouldn't be wrapped into something else. Also, the new security slider(?) button is useless, for it just indicates the current security level (one have to click on the button to just see the level) but doesn't allow to change it. That was the intention, as far as I can see, and this is really odd.

> Noscript shouldn't be wrapped into something else.

It's no more wrapped than it was before. It's just the icon was moved. NoScript is for power users and probably lowers usability for new users. You can drag the icon back to the toolbar, although I sort of agree that a new installation ought to tell users that a NoScript icon is available.

> one have to click on the button to just see the level

The shading on the icon changes. None, half, and totally filled in.

> doesn't allow to change it.

Security level icon -> Advanced Security Settings...

what prefs in Tor Browser for Android can I set to stop the Orbot connect screen? on desktop I can disable Tor Launcher, but I can't do it here.

Without a new identity button I have to quit and restart Tor Browser every time I want to cleanup after a session.

Yes, we don't have the option yet to not use the Tor shipped with Tor Browser for connecting to the Tor network. is for this task. And, yes, we did not get to implement a New Identity option either, alas. is for that.

Icon looks like half-covered target.

Did Tails fork its version of Tor Browser 8.5 from the Tor Project version?

In Tails 3.14 (current version of Tails), Tor Browser icon is purple (Tails themed) not green (Tor themed) and Noscript icon does not appear. Further, the security slider is disguised in a new icon in TB. Further checking add-ons in TB shows that the version of Noscript was last updated on 1 Jan 2000 which cannot be right. Further, Noscript appears to be disabled in all security slider settings.

Anyone know what is going on? I cannot find an explanation at so I ask here.

Sorry, sorry, sorry, I was in a rush and did not even realize that the blog was not one I had read before. Reading it solved my confusion except for the missing NoScript icon in the toolbar, but in another comment above gk explained that too.

After using TB 8.5 for an hour I decided I like the new slider, the new icons, the purple, and all is right with the world again. Except for what governments are doing to reporters and dissidents and Muslims and human rights workers of course (vomit).

@ gk:

I am using the version of Tor Browser 8.5 included in Tails 3.14 (the current version).

Apologies for not understanding that the security slider move is intentional. I think I agree with the objections raised by two posters. Understand what you said about why you made the change but it seems education is the answer not creating new potential for goofs.

I have a more serious issue: I am not seeing the Noscript icon at all. Further, checking add-ons seems to show that NoScript has not been updated since 1 Jan 2000. That cannot be right. (Ublock origin seems sensible in comparison.) As far as I can see Noscript has been disabled in TB 8.5 as included in Tails 3.14. Surely that is not intentional? Or am I missing something?

gk said in another reply above that the nonappearance of the NoScript icon where it used to be is intentional, so never mind.

With all the issues last month with NoScript suddenly disappearing due to an expired certificate, why on earth would this new release drop the NoScript Icon from the visible menu. Shouldn't this icon be prominently displayed in plain view, so we can at least feel comfortable that it is present and active?

That's because the NoScript UI in itself is confusing (we have even bug reports in our own bug tracker about it) and there are risks that you make changes in its settings that make you stand out of Tor Browser users. Tor Browser users should not need to mess with NoScript at all. But you are of course free to add it back to your toolbar if you feel more comfortable that way. (FWIW: you got a big yellow warning that the extension got disabled with a link to learn more (I think) that you would get even if the NoScript icon is not visible on the toolbar anymore).

I was one of those who panicked (embarrased) but now I think I agree with the change. The timing was unfortunate but I think we're all good now.

> Tor Browser users should not need to mess with NoScript at all.

Many users don't want ads or scripts that cripple responsiveness, so they have to mess with NoScript. All or nothing is not feasible all the time.

That's a big fingerprinting risk for what it is worth. But, yes, *if* one really feels okay with that risk there is always the option to customize the toolbar and get the NoScript icon to appear again.

Noice. Thanks.

How to enable copy pasting of text in the Tor Browser for Android?

Does long-pressing on the text highlight part of it? If you select the text you want to copy, then you remove your finger the browser should show you an options menu with options for "copy". When you want to paste the text, long-pressing in a text box should show an options menu with "paste".

Why do "improvements in UX" always mean hiding user security choices behind menus?

Some time ago, turning images/javascript on and off disappeared from the options into the about:config.

Now the security settings slider has disappeared into the options,

Could you please give an option that makes...

1. images on/off
2. javascript on/off
3. security slider

...available through some option?

In other words, please stop making security choices a pain in the ass. This is not Internet Explorer.

You needed two clicks for setting the slider deep down in the Torbutton menu and had no clue afterwards which security state you are actually in because there was no hint in the browser UI about that. Now, you need two clicks to set the slider and see your security level prominently in the UI. So, I don't see how we regressed here in the sense that we suddenly started hiding things in menus?

Regarding your other points: I am not convinced we should have an option to disable images. There might even be some obscure about:config setting supporting that already. I don't know. JavaScript is best disabled with the security settings by choosing the highest level.

In about:config, set permissions.default.image to 2 which allows you to manually choose to load an image from some page, but images will not be loaded by default. This behavior will be noticed by the webserver at the other end of your Tor circuit and will make you stand out way out. But sometimes there might be good reason to take the risk of deanonymization to an attacker with near global presence.


Isn't there the option to view circuits in Tor browser for Android?

I can't finding that. :-(

When will the point release be issued that fixes the rest of the accessibility bugs on Windows?

In June. The exact date is not set yet. We still need to polish our patches and test them properly. I know this takes long but the work is not trivial. :(

Have you considered that exposing about:preferences every time someone changes the security level may encourage them to believe that changing other settings listed on that page is equally okay? Why are "Safer" and "Safest" now called "Advanced" settings which newbies are trained in most other contexts to interpret as to avoid changing them from their default "Standard"?

Yes, we did. There is earlier in this blog an explanation of our reasoning by me. I hope it makes some sense.

I've been using Tor long enough to have some appreciation of how difficult it is to design a user interface which confuses no-one given the technical threats Tor users face, the enormous linguistic diversity of Tor user base, the technical knowledge diversity of the Tor user base, all on top of the fact that TP must build TB on top of FF, NoScript, etc., which are made by others who design their own interfaces to meet their own criteria. It is inevitable that there be some back and forth as we search for the current optimum UI.

Hi there,

The app seems to have a problem with connecting to Bridges? I run a bridge (obfs4) and am trying to connect using my known good (work just fine in desktop TBB) Bridge config line. Unfortunately in the app it doesn't work at all.
Any chance bridge connections will get some love soon?


Are you entering the bridge details the same way on desktop as on mobile? Which parts do you add? type ip:port fingerprint cert=... iat-mode=...?

NoScript v10.6.2 released - (May 22, 2019)

NoScript - Mozilla-Extension - Firefox (en-US)


NoScript - ChangeLog :

NoScript - FAQ :

NoScript - Forum :

NoScript - Redit :

> It's Official: Tor Browser is Stable on Android
> Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September, we've been hard at work making sure we can provide the protections users are already enjoying on desktop to the Android platform. Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet. In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.

This is a huge milestone for our community! Even though I avoid using smart phones (which renders me suspicious according to the IJOP app categories just revealed at US does like CN, only with great secrecy while CN wants their citizens to know they will suffer govt reprisals for "social deviance" or failure to follow the state religion (CCP), or political dissidence) I am greatly heartened.

Thanks also to the media outreach team for some all too rare positive mentions in some tech publications; see in particular
First official version of Tor Browser for Android released on the Play Store
After eight months of alpha testing, Tor Browser for Android is now ready for rollout.
Catalin Cimpanu for Zero Day
21 May 2019

> Today, the Tor Project released on the Google Play Store the first stable version of the Tor Browser for Android. This new mobile browser integrates the Tor protocol stack into a standalone browser and replaces Orfox as the main way to navigate the Tor network from an Android device. Tor Project developers have been working on this browser for eight months now, since September 2018, when they first released an alpha version for public testing. "We made it a priority to reach the rising number of users who only browse the web with a mobile device," said Isabela Bagueros, Executive Director of the Tor Project. "These users often face heavy surveillance and censorship online, so it is critical for us to reach them." "We made sure there are no proxy bypasses, that first-party isolation is enabled to protect you from cross-site tracking, and that most of the fingerprinting defenses are working," the Tor team added.

And it continues in that positive vein. Wow, how nice to see a reporter saying nice things about Tor Project! :-)