New Release: Tor Browser 8.5.3

Tor Browser 8.5.3 is now available from the Tor Browser Download page and also from our distribution directory.

This release includes an important security update in Firefox, a sandbox escape bug, which combined with additional vulnerabilities could result in executing arbitrary code on the user's computer.

Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.

Update: The Android version is now available from the download page.

The full changelog since Tor Browser 8.5.2 is:

  • All platforms
    • Pick up fix for Mozilla's bug 1560192

Interestingly enough, Cloudflare was apparently much affected by a BGP foulup a few days ago in which Verizon improperly sent some 20% of Cloudflare traffic though a tiny ISP (associated with USG customers I think) which immediately fell over under the load, so all that traffic was sinkholed. Pretty nifty cyberwar action (IR maybe?) if one suspects that BGP "goofs" are not always goofs.

Please don't use online sources of entropy for anything you want to be secure or private. Regardless of quality and consistency, it lets someone else define and record your bitstream or PRNG seed and send it through any number of potential men-in-the-middle.

Debian does not have imperatives of a company and is spread around the world. Many different governments on different continents have forked Debian into distros for themselves, and there's nothing wrong with that. If we are concerned with good reason about one country's intelligence agencies messing with Debian, we must be concerned about every country's intelligence agencies including those of our present location and those of where we nationalistically feel at home.

Have no fear, I completely agree with all of that.

Good entropy is hard to come by. Right now Tails supports entropy broker but I don't think that will help most users. As of a year or so ago they also supported a particular brand of "entropy stick" (a USB stick which is supposed to provide a steady stream of cryptographic quality random bits), but I haven't checked recently whether they still do. In any case, I have seen papers casting statistical doubt upon the quality of the entropy provided from inexpensive physical devices.


June 21, 2019


I, too, now have to "Customize..." TB each time to return NoScript icon to the tool bar. Without it, relying solely on the 3 offered "levels of safety" is too crude.
That is, to make a website functional, I don't wish to lower the security globally. This would enable ALL junk 3-rd party scripts, but I prefer enabling only the needed elements.
I believe you mentioned some proposed "per-site" solution coming in the future - great, thanks for doing it. Until it comes out, we still need NoScript on the toolbar.

> I, too, now have to "Customize..." TB each time to return NoScript icon to the tool bar. Without it, relying solely on the 3 offered "levels of safety" is too crude.

Since it always bears repeating, I'll repeat it: "customizing" is the enemy of anonymity.

But I think I see a theme developing here: the users who are most concerned by the recent "cosmetic" changes in Tor Browser may be more concerned with obtaining the *cybersecurity* benefits which come from using Tor Browser (or even better, Tails) than with obtaining the "anonymity" benefits.

If anyone thinks this describes their own goals in using TB, please speak up. I hope this might help the TB team figure out a way to keep both the "cybersecurity first" and "anonymity first" user bases happy...ish.

> Since it always bears repeating, I'll repeat it: "customizing" is the enemy of anonymity.

All the more reason for the Tor devs to stop dumbing down the product. We know why they left javascript on by default, but why did they take away the convenient turn off javascript checkbox in the config menus and force us to use about:config? It's not only that the average dumb user should be able to get a Tor experience out of the box. It's also that users who actually have security requirements CAN'T get them out of the box. Why are the UX people allowed to ruin basic functionality?

Next update: a talking paperclip that REQUIRES javascript.

> All the more reason for the Tor devs to stop dumbing down the product

I don't think that's what Tor Project is doing. Rather, they have recognized--- and they are correct--- that in this dangerous world, everyone needs Tor regardless of what government they live under or what their personal political/religious beliefs or social status are, etc., which means that TP must grow its user base. In addition, moving to a user-supported funding model is needed to insulate TP from undue pressure from the spooks of any one government, in particular the USG which has not played a very nice role globally for many decades and which is particularly dangerous to Tor Project and thus to Tor users.

> why did they take away the convenient turn off javascript checkbox

I don't recall a checkbox, but I used the slider (now renamed "security level")

> in the config menus and force us to use about:config?

Well, you can still use the security slider to turn off javascript, AFAIK.

As I understand, the rationale for discouraging users from making lots and lots of "customizations" is that

o customizing makes users less anonymous,

o extensive customizing break things TP has done to enhance both security and anonymity.

I think we all need to recognize that both maintaining/developing Tor products and using Tor products involves constant tradeoffs between usability, security, and anonymity. TP needs to try to make the best decision for the greatest number of Tor users in every case, without keeping the kind of intrusive and dangerous personal data about each user that companies like Google do, so I think we all need to give them more credit than some of us are inclined to do.

> It's also that users who actually have security requirements CAN'T get them out of the box.

I don't understand what personal security requirements you desire which you feel Tor is not enabling you to easily obtain, or why you think you need these particular security requirements. Your requirements might well appear legitimate, at least to me, maybe not to some government, if you explained. Some governments might be tempted to assume that any Tor user who wants good security must be working for some "opposition entity" about which said government is feeling particularly paranoid.

For example, currently USG is feeling paranoid (probably with justification) about ransomware targeting more or less hapless US city governments. Tor users who would be adversely affected by a successful ransomware attack on their own municipal government would probably find themselves in rare agreement with USG on that point.

So we certainly don't want to encourage Tor users to be manipulated into taking a position supporting anything done by the USG or any other government. We need to see ourselves rather as a virtual nation comprised of good citizens whose legitimate needs are very evidently not being met but are rather being crushed by our bricks and mortar governments (and by corporations such as Amazon/Google/Microsoft/Facebook/Twitter). C.f. the huge study which showed that the opinions and expressed desire of ordinary US citizens has had no visible effect whatever on US federal government policies over the past sixty odd years; rather, government reliably follows the advice of corporate lobbyists who often write the new laws which are then passed by their politicians who effectively represent the billionaires, the big banks, and international conglomerates, but certainly do not represent The People. No doubt similar studies in other supposed "representative democracies" would reach the same conclusion.

Jared Diamond, Noam Chomsky, Ralph Nader, and other figures have made similar points for many years.


June 21, 2019


I'm not sure what you mean by "it THINKS I'm connecting through."
The country of the exit node shown *IS* the exit from Tor network and the entry node (guard) *IS* the country you're entering the network through.

You don't say what your objective is, but you need to read the Editing the torrc file (which is empty). You can do things like list countries that you want to use for nodes, or exclude countries you don't want to use.
Don't make the list too short of acceptable countries to use, or you may see big slow downs or connection problems.
Don't make a list of countries to exclude too large, or you may have the same problems. Tor might override your torrc settings to make viable connections.
This is how you list countries to use:
ExitNodes {an},{at}...
ExcludeExitNodes {au},{ca}...
StrictNodes 1
Capitalization matters. There's a space between ExitNodes & the 1st country, but no spaces between country codes - just a comma separator.

Using StrictNodes with a value =1 (enabled) tries to force it to use the countries listed.
If you have too few listed, it may use others to maintain a connection (I'm not positive & still investigating.


June 21, 2019


Since the last 3 upgrades i'm finding that my Tor browser is no longer changing sites. Why i run it only shows an address in France, Iran and the Ukraine. How do i get back the function of the URL changing on a regular address to more than just 3 url's?

I think you mean to say that your circuits only include exit nodes in FR, IR, UA. That does seem strange. Did you verify the detached signature of the Tor Browser tarball before you unpacked it?

I'll assume you meant the IP addresses of your Tor exit nodes because your choice of words is unusual. The website you wrote tells you the IP address it sees, which belongs to the exit node (third, final node) of the relay circuit that Tor Browser used to access the website. Your exit node IP address normally changes every 10 minutes if idle and when you visit different domains (website.tld). You can force it to change by clicking "New Circuit for this Site" (tb-manual). Tor Project operates a similar site

Did you edit your torrc file by accident? What operating system?


June 22, 2019


I set Tor browser will Use custom settings for history, tick off Remember my browsing and download history, then restart Tor browser, the settings seemed to be restored.

There is, assuming you regard two clicks as quick: click on the shield icon, which pulls up a page with buttons; click on the button corresponding to the desired security level.

One click would be better for those who avoid tabs, but I think Tor Project devs were concerned that most TB users may not realize that downgrading security level (e.g. "safer" to "standard") applies to all open tabs, which could lead to disaster if one tab is associated with sensitive information another with a login to an untrusted site.


June 22, 2019


Just wanted to say 8.5.3 seems to be working for me, and thanks for the rapid response to this instance of critical zero-squared-days in FF.

Regarding tor for mobile phones and smart phones: does anyone know whether Microsoft has expressed an interest in funding development by TP of a version of Tor Browser for Microsoft branded phones? How about Apple? Seems like this would be a smart move on the part of any phone maker.


June 22, 2019


Why Tor Project is ignoring .onion DDOS issue?
It's almost like if (((you))) are not interested in fixing it.
I am waiting for Tor Project to announce that .onion sites will be phased out.

I have no reason to think the OP actually has any reason to think Tor Project will "phase out onions", but... you aren't actually about to do any such thing, right?

In a somewhat related development, "Tor panels" are being blamed in the news for the rash of ransomware attacks which have crippled Baltimore, MD and caused numerous other US cities to pay ransom monies. (In electronic currency one presumes, so if it's true that NSA is enriching itself by stealing electronic currency, the ransomware plague may represent a further transfer of wealth from cities to the federal government.) See for example the article in Arstechnica featuring the grim prediction that this will only get worse.

I hope someone at Tor Project has asked the media team to try to combat this latest round of reporters who ought to know better failing to mention any of the ways Tor can improve cybersecurity for everyone including local governments whenever they mention that cybercriminals (or state-sponsored cyberwarriors masquerading as such) as well as spooks use Tor for crime. Case in point: Sen. Wyden (D-OR) just stated that US government employees (at all levels) still often transfer unencrypted zip files which contain sensitive data. But we know OnionShare is a much smarter and more secure way to transfer sensitive data. Venues such as Wired often mention the cyberinsecurities associated with unencrypted DNS lookups, but never mention that onions can apparently circumvent some of the most fundamental of these vulns.

> "Tor panels" are being blamed in the news for the rash of ransomware attacks... I hope someone at Tor Project has asked the media team to try to combat this latest round of reporters who ought to know better failing to mention any of the ways Tor can improve cybersecurity for everyone

Support FAQ: The files on my computer have been locked, and someone is demanding I download Tor Browser to pay a ransom for my files!

Yes, but it is obviously in our best interests not to fall prey to ransomware in the first place. So all Tor users need to try to behave in cybesecure fashion as far as possible.

However, individuals can do little if anything about ransomware attacks on their city governments. (Right now the attacks seem to focus on US cities, but no doubt this plague will soon become a global pandemic. Thank you NSA.)

How does this solution solve anything? So we limit the number of connection requests reaching the hidden service from the intro point. The attacker can still fill those up and lock out legitimate users.

Establishing a connection costs the attacker the same as the service. As long as you don't solve that, your solution only pushes the problem around.


June 22, 2019


Why is "block dangerous and deceptive content" off??

I switched to higher security settings but it didn't turn on that option do I have to do it manually?

Why is it not enabled at highest security settings?

1) Block dangerous and deceptive content is not part of Tracking Protection settings as in that ticket. It's further down the preferences page under Deceptive Content and Dangerous Software Protection.
2) It sends browsing data to Google. Next to Block dangerous and deceptive content, click Learn More. "If the site is found on that list (of malware sites), Firefox blocks the file immediately, otherwise it asks Google’s Safe Browsing service if the software is safe by sending it some of the download’s metadata." "when using Malware Protection to protect downloaded files, Firefox may... submit some information about the file, including the name, origin, size and a cryptographic hash of the contents, to the Google Safe Browsing service which helps Firefox determine whether or not the file should be blocked."

UX team, recognize that OP's setting is the first option visible below the security level radio buttons. OP glanced under "Safest", saw it was unchecked, thought it was faulty, and wanted to enable it. Other users may change preferences on that page out of reflex and not come here to find out.


June 23, 2019


Whenever I search for something the result is always links. The image tab and others are lost. Can someone help me.

I think you are saying that you are trying to search (using DuckDuckGo, the default search engine) by typing a query in the "location pane" in the Tor Browser window. which doubles for both URL entry and for search query entries, and that Tor Browser always interprets your attempt to enter a search query as an attempt to visit some website.

Do I understand the problem correctly?

If so, try adding a space before you enter your search query in the location pane.

The notion of a location pane doubling for entering URLs and search queries is IMO too tricky, but I should point out that AFAIK it is inherited from Firefox.

"location pane"?
And Mozilla's Quantum for whatever reasons mimicked it from Chrome.

I just hope users don't paste anything in it by accident. (passwords, tax data, medical, etc.) Before, it went to DNS servers. Now, it goes to a search website. Either is dangerous.

Dunno know about image searches, but just to be clear: while I find it tricky to enter " Dog shows in Cleveland" for example into the the location pane, and then to click on the DuckDuckGo onion icon rather than hitting return, it is certainly possible to perform text searches with the slider on "Safest". You might get redirected to a non-Javascript page for presentation of the search results however. That is probably why I don't get (actually I don't want) images in my search results.

Yes, and good for you, but OP is looking for "the image tab and others". The image tab isn't on duckduckgo's non-Javascript page.

To your problem of finding it tricky, you can change your default search engine. Click on the gear icon at the end of the bar of search icons, and that will open about:preferences#search. Some other settings on that page affect your privacy, so be careful. Change your default search engine to DuckDuckGo onion. Then, you don't have to click the icon anymore to search and can simply press Enter.


June 23, 2019


I use kali linux and I have downloaded TB 8.5.2, extract that in to download folder and every time i am clicking on to start.torbrowser.desktop is it opening note script. I did create a new user and download it over there....i did not download in to root user. what should i do? please help me.

Don't know what file manager you're using, but there should be a setting how to handle executable text files in its preferences. The default here might be to display them, which will open the .desktop file in text editor, which is what you're encountering right now, if I got you right, so just change the preference. Alternatively right-click the file > open with > run or something around these lines.

In case your file manager doesn't allow to execute text files, cd in the directory and run ./start-tor-browser.desktop from the terminal. Afterwards you can add a Tor Browser launcher to your menu by opening the desktop file in a text editor again and following the instructions in there.

it is opening by using terminal cd in the directory and then ./start-tor-browser.desktop and it is opening but when ever i am clicking on to start-tor-browser.desktop icon in the folder without using terminal it is only opening in text editor. is there any way i could start TB just by going into the folder and click on to the icon rather than using terminal to open TB all the time.