New Release: Tor Browser 8.5.2

Tor Browser 8.5.2 is now available from the Tor Browser Download page and also from our distribution directory.
This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.
Users of the safer
and safest
security levels were not affected by this security issue.
Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer
or safest
security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings
.
The full changelog since Tor Browser 8.5.1 is:
It looks like nvidia.com is…
It looks like nvidia.com is blocking tor users. We cannot do anything about this on our side, but people can contact them to ask them to remove the blocking.
In a technical level Tor…
In a technical level Tor Project can't do anything, but on a PR level, it can and should. Tor Project could easily approach organizations/corporations like NVidia and explain blocking Tor Users is bad and they should allow it. Of course having other people also contacting and requesting the same is better, but Tor Project can't put itself out of the matter.
Yes, I agree and we do that…
Yes, I agree and we do that from time to time. But our resources are limited here and I think it would greatly help if users would step up here, too, and put pressure on those sites.
Empower with knowledge:https…
Empower with knowledge:
https://support.torproject.org/censorship/censorship-2/
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…
https://2019.www.torproject.org/docs/faq-abuse.html.en
Always find the website's Contact Us page.
More and more websites block…
More and more websites start blocking Tor IP addresses. It's shameful and wrong to be discriminated like this, especially in the age of surveillance capitalism.
I'm taking 8.5.2 for a test…
I'm taking 8.5.2 for a test run now. Thanks to all of you again.
Nice work!
Nice work!
The vulnerability exploits…
The vulnerability exploits JavaScript, so why would `safer` not be affected if it enables JavaScript on HTTPS websites? Does the bug only work if JIT is enabled or something?
Yes, this bug involves JIT.
Yes, this bug involves JIT.
Type Inference part of JIT…
Type Inference part of JIT is always on and cannot be disabled (https://trac.torproject.org/projects/tor/ticket/21865). It has a long history of holes, see https://bugzilla.mozilla.org/show_bug.cgi?id=619415. So, the question is whether JS interpreter + TI are not vulnerable or just the PoC doesn't work on that config?
Looking at the explanation…
Looking at the explanation of the bug in https://bugzilla.mozilla.org/show_bug.cgi?id=1544386 again, I still think that we are good with just disabling JIT as we do on medium security.
Not to say "I told you so",…
Not to say "I told you so", but can I jump in here to say "I told you so"? Not that I was saying anything you didn't already know. To wit: a strong case can be made for making "safest" the default security level and advising users to drop down as needed (choosing new identity each time they change the security level, a habit which should solve the problem that users might easily forget that security level changes affect all open tabs). In this case, at least one of the two critical vulns would have been prevented from affecting most users if this had been the default prior to this latest attack on FF (and TB).
An obvious compromise would be to make the default "safer". It seems Tor Project believes even this default would have prevented most Tor users from becoming easy victims of these FF zero-squared-day exploiting attacks.
Link says "Access Denied"…
Link says "Access Denied" but vulnerability is already public nothing to keep secret here.
When will it be open to everyone?
I think Mozilla usually…
I think Mozilla usually waits for a while before making tickets public, to make sure vulnerable versions are not around anymore.
Works like a charm, better…
Works like a charm, better and better each release ...
Pick up fix for Mozilla's…
Pick up fix for Mozilla's bug 1544386
Why that instead of
* Update Firefox to 60.7.1esr
???
Updating the Firefox version…
Updating the Firefox version number requires that the Firefox langpacks corresponding to this version are available to start building. Taking the patch without updating the Firefox version number allows us to start building earlier.
Are you saying that Mozilla…
Are you saying that Mozilla has non-optimal chemspill release process or you always need to run faster than the train?
https://hacks.mozilla.org/2018/03/shipping-a-security-update-of-firefox…
Maybe, it's possible to workaround that with engineers?
Taking a patch without…
Taking a patch without updating the Firefox version allows us to start a build as soon as the patch is available, we don't need an other workaround.
After doing the last update…
After doing the last Tor update Avast blocked the Firefox.exe telling me it is infected with IPD:Generic ?
anyone else experiencing this?
Windows Defender is a free…
Windows Defender is a free and well embedded alternative to false postives reporting adware.
Update your virus definition…
Update your virus definition files. Virus scanners take time to release updates that recognize new programs. Or you could whitelist the exe.
Couldn't start the latest…
Couldn't start the latest version on beta 2 of macOS Catalina. There is an error that "updater.app is from an unidentified developer". I was not able to get the usual dialog to get an exemption by starting updater.app on it's own. After moving "updater.app" to the trash Tor is now starting.
Don't do that as you don't…
Don't do that as you don't get updates anymore that way. See: https://blog.torproject.org/comment/282621#comment-282621 for a current workaround, even though that one is awkward.
In the long run, a better…
In the long run, a better solution might be to use Tails instead of the Mac OS installed on your machine. Tails is free open-source software from a sister project of Tor Project; tails.boum.org. It attempts to provide an "amnesiac" system which boots from a DVD (or USB stick), which means that Tails tries not to leave any hardware traces. Very useful if you are working on human rights issues or as a reporter or children's social worker or municipal employee or telecom engineer or nurse in any other job where you may need to carry sensitive information on a portable device. The general idea is to keep all the information on a LUKS encrypted data stick which you mount and use with Tails booted in off-line mode, and when you need to access the internet, you remove the data stick and reboot Tails in on-line mode. Takes getting used to but it is much more practical than might sound once you get into the rhythm.
And what with Tor Browser on…
And what with Tor Browser on Android?
We'll ship an update as soon…
We'll ship an update as soon as we can, probably on the weekend as the blog post says.
Time to update again: https:…
Time to update again: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
Yes, we're planning to…
Yes, we're planning to publish a new release tomorrow.
i can't access reddit
i can't access reddit
Reddit is blocking exit…
Reddit is blocking exit nodes from Germany. The only thing you can do is to find new circuit.
Message reddit's…
Message reddit's administrators.
https://support.torproject.org/censorship/censorship-2/
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…
https://2019.www.torproject.org/docs/faq-abuse.html.en
https://ooni.torproject.org/
Always find the website's Contact Us page.
Please bring back the option…
Please bring back the option to change the exit node without resetting all pages.
The option is still there…
The option is still there. You have to click on the left of the URL bar, to see the circuit for the current site, then there is a button to change it.
or ctrl+shift-L
or ctrl+shift-L
Hi, speed and loading pages…
Hi, speed and loading pages on the tour in my area is papin. Please solve the problem barely loading webpages.
Yup, I am having the exact…
Yup, I am having the exact same problems. TOR keeps timing out
I'll test this browser…
I'll test this browser. Thank you
Please don't forget to…
Please don't forget to update the alpha series ASAP as well, especially after mfsa2019-19
Yes, as soon as 8.5.3 is out…
Yes, as soon as 8.5.3 is out we'll push a new release for alpha users.
yay thanks
yay thanks
When deb packets for 4.0.5.x…
When deb packets for 4.0.5.x will appear in tor project debian repo?
I believe you meant 0.4.0.x …
I believe you meant 0.4.0.x While you wait for it to appear in the release repos, you can edit the suite in your deb line to say one of the "experimental" folder names here: https://deb.torproject.org/torproject.org/dists/
Example for Debian testing (Buster as of this date):
deb <a href="https://deb.torproject.org/torproject.org" rel="nofollow">https://deb.torproject.org/torproject.org</a> tor-experimental-0.4.0.x-buster main
Peter Palfrader manages Tor Project's Debian packages.
It looks like the blog didn…
It looks like the blog didn't display the line correctly. Plaintext URL addresses in a "code" block are not supposed to be wrapped in plaintext HTML "a" tags.
Thank you! But tor 0.4.0.x …
Thank you! But tor 0.4.0.x is no longer in experimental stage, its stable release appeared long time ago. I wonder why it is not in standard tor debian repos yet...
Why is noscript no longer…
Why is noscript no longer accesible via the address bar? This was far easier to click to temp allow certain domains. I cannot find any other way to see the list of domains to block or unblock each webpage loaded.
Have to manually type the url/domain by going to addons -> no script preferences
you can also customize the…
you can also customize the tor browser to put it back into the adress bar
Ok thanks. Very easy to do…
Ok thanks. Very easy to do. Overlooked it because there's hardly any space to right click on the toolbar in firefox and there appears to be no "customize" option in "preferences".
For any one else who needs to know how to add the addon widgets back in the toolbar:
https://trac.torproject.org/projects/tor/ticket/30600
It can manually be re-added by right-clicking the toolbar, selecting "Customize..." and dragging the NoScript icon back to the toolbar.
https://www.nvidia.com/page…
https://www.nvidia.com/page/home.html
403 - Forbidden