New Release: Tor Browser 8.5.1

Tor Browser 8.5.1 is now available from the Tor Browser Download page and also from our distribution directory.

Tor Browser 8.5.1 is the first bugfix release in the 8.5 series and aims at mostly fixing regressions and providing small improvements related to our 8.5 release. Additionally, we disable the WebGL readPixel() fingerprinting vector, realizing, though, that we need a more holistic approach when trying to deal with the fingerprinting potential WebGL comes with.

The full changelog since Tor Browser 8.5 is:

  • All platforms
    • Update Torbutton to 2.1.10
      • Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update NoScript to 10.6.2
      • Bug 29969: Remove workaround for Mozilla's bug 1532530
    • Update HTTPS Everywhere to 2019.5.13
    • Bug 30541: Disable WebGL readPixel() for web content
  • Windows + OS X + Linux
    • Bug 30560: Better match actual toolbar in onboarding toolbar graphic
    • Bug 30571: Correct more information URL for security settings
  • Android
    • Bug 30635: Sync mobile default bridges list with desktop one
  • Build System
    • All platforms
      • Bug 30480: Check that signed tag contains expected tag name

The issue is tracked with ticket 23392. It is tagged "needs_information"; if you are interested, you might provide information on Trac to help close the ticket. The pseudonymous account "cypherpunks", password "writecode" is available for all to use.

I would prefer "browser.urlbar.speculativeConnect.enabled" default to false.
Defaults

The issue is tracked with ticket 23392. It is tagged "needs_information"...
Tor Browser user

Ticket 23392 was closed recently, no changes since it was opened; browser.urlbar.speculativeConnect.enabled has an effect only when not in private browsing:

... ![preloading of URLs] is disabled ![anyway] due to Tor Browser being in private browsing mode. (I've not thought about whether it is actually a good thing to do but I think we are good here following Mozilla).
—gk, comment 5

Anonymous

June 10, 2019

Permalink

Hi! Why not put back the security slider and another at the 'advance security setting'(like right now)?

Gmail has disable log in without javascript when accessing with tor now. Other sites include, zalora, qoo10, etc.

Whistleblowers take note:
Used Tor with the standard settings + logging in to criticise goverment and is tracked, still being tracked now. I also installed the same addons consistantly, so please avoid making my mistakes.

I hope you don't mean that you logged in to an account that you created and used in a normal browser. Tor Browser cannot anonymize accounts that are already associated to your personal identity metadata.

Anonymous

June 10, 2019

Permalink

Hello torproject,
where is tor releasenotes ? Site in maintenancemode?
Till now i can click Documentation, Download and find all about.
Now .....it's more like a puzzle and no releasenotes at the logical place. Where?

Honestly, looks like Goofy is working for you.

Not sure what you mean. But as you are commenting on a blog post about Tor Browser I assume you want to see the changes made for the browser. That should be easy. On about:tor in the upper right there is the View Changelog link and additionally, for up-to-date information you get a link to this blog post.

Please I need tor for win 8 now!!!

I need Tor for win 8 now!

Tor Browser should work on Windows 8, too. If not, what error are you getting?

All of a sudden, with this current update, sites seem to be able to detect that I am using Tor for access, such as the New York Times as an example. I used to be treated as a normal visitor, but now as soon as I click on any article it blocks me as being in "Private Mode." This never happened previously, and it sucks. Is there any way to revert to the prior version?

I doubt this is a Tor Browser change. Rather, I suspect this is happening due to changes on those websites. They might just don't like users in private browsing mode anymore. Anyway, you can find older versions in our archive at: https://archive.torproject.org/tor-package-archive/torbrowser.

Thanks for the bug links. It seems https://bugzilla.mozilla.org/show_bug.cgi?id=1506680#c12 is specifically talking about the New York Times even.

New York Times is hypocritical as hell considering they run an onion service.

they track pple thru javascript and user agent also. Take note.

Ubuntu: impossible to install with official instructions. Torproject.org has 2 different sub-websites for instructions to install TOR browser on Ubuntu. Both sub-websites include a signing key 886DDD89. This key has 2 problems:
1) On keyservers, there already exist 2 keys with the same last 8 digits
2) The public TOR signing key has some 1.3 Megabytes as a text file
When you want to install the key with the 8 last digits you might get the wrong key (totally legit signing key - which is from another company).
When you want to install the key with 16 digits or import it as text file then the gpg (gpg2) program refuses the import. The key is too big.
I recommend the following solution:
a) Merge the 2 sub-websites for installation instructions
b) Change the signing key to another key that can be imported into gpg (gpg2, GPA)

I use Debian so can't help with Ubuntu specific issues, but since no else has spoken up I'll try to make a few comments which might be somewhat useful:

> Ubuntu: impossible to install with official instructions.

Am I correct in guessing that you tried to install the Tor Browser 8.5.1 tarball (file.tar.xz) by unpacking it somewhere?

> Torproject.org has 2 different sub-websites for instructions to install TOR browser on Ubuntu

Uh oh... Tor Project recently bungled the rollout of the long awaited new website, which turned out to be a much reduced main page and mostly broken links to the old website. There was quite a strong reaction from the user community as you will recall if you regularly read this blog. I guess the problem you noticed is part of that minor fiasco.

> Both sub-websites include a signing key 886DDD89.

Are you referring to the Tor Project Archive key? Isn't that used to sign debs? Isn't a subkey of another key (the Tor Browser Developer's key) used to sign the Tor Browser bundles?

I understand the issue about code (even GPG related code) not being consistent with using the last two viz the last four groups of hex digits as short references to a complete fingerprint, but I guess you already know about that. In any case, Tor Project needs "upstream" to fix that issue, because TP does not maintain gpg.

1) I find 5 sub-websites (pages) showing 16-bit (long) key ID or 40-bit (full) fingerprint. None of them recommend 8-bit (short) key ID.
https://2019.www.torproject.org/docs/debian.html.en
https://2019.www.torproject.org/docs/signing-keys.html.en
https://support.torproject.org/#operators-4
https://support.torproject.org/tbb/how-to-verify-signature/
https://2019.www.torproject.org/docs/verifying-signatures.html.en
In your gpg.conf file, enter:

  1. <br />
  2. keyid-format 0xlong<br />
  3. with-fingerprint<br />

2) Tor people, key 0xEE8CBC9E886DDD89 has problems! When you go to some HTTP keyserver websites and search for the key, the page of results lags other tabs and shows binary mojibake. The ASCII armored text file is 3.4 MiB. GPG returns:

  1. <br />
  2. $ gpg --import 0xEE8CBC9E886DDD89.key<br />
  3. gpg: packet(13) too large<br />
  4. gpg: read_block: read error: Invalid packet<br />
  5. gpg: no valid OpenPGP data found.<br />
  6. gpg: import from '0xEE8CBC9E886DDD89.key' failed: Invalid keyring<br />
  7. gpg: Total number processed: 0<br />

2) Tor people, key 0xEE8CBC9E886DDD89 has problems! When you go to some HTTP keyserver websites and search for the key, the page of results lags other tabs and shows binary mojibake. The ASCII armored text file is 3.4 MiB. GPG returns...

See https://github.com/Stadicus/RaspiBolt/issues/343, talking about https://dev.gnupg.org/T4022. Workaround in this comment that in turn comes from Tor Project Ubuntu docs:
$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
As I understand it, everything's okay: the lag on HTTP keyservers is expected, because the file is huge, and the mojibake is OpenPGP without ASCII armor.

19 KiB. What a difference. It works but is not ideal for there to be a single source for the key. On top of that, its self-signature is in SHA1, and it cannot be updated until clients install gpg 2.2.9. At least GnuPG patched their piece. Very good research. Thank you.

app.normandy.enabled is true?

Yes, we did not modify that preference as it should not take effect, see: https://searchfox.org/mozilla-esr60/search?q=app.normandy.enabled&case=… where it is only used in tests.

Hey, just a thing that I've noticed, ever since the most recent update I've been getting --unknown-- listed as the final part of the Tor circuit every time without fail... Is this something I should be concerned about? I've tried restarting, new identity, new circuit, but I still get that --unkown-- one at the end...

Hm, I think we had a discussion about that on one of our recent-ish blog posts... On which system does that happen? And that started after the update to 8.5.1?

Mac El Capitan, and yes ever since 8.5.1 (still doing it now). I'm hoping it's just a cosmetic error but I'm no IT expert by any means!

> I think we had a discussion about that on one of our recent-ish blog posts...

https://blog.torproject.org/comment/280689#comment-280689
https://trac.torproject.org/projects/tor/ticket/30171

Just tried a clean install and it fixed the problem. Don't know why that didn't come to me earlier.

Strange behavior using obsf4 XX.XX.XX.XX when I go to https://shop.bmw.ca it says the site is not secure when it is when locally connected outside of Tor.

I don't think this is obfs4 related. I have trouble connecting to that website as well without using any bridges or pluggable transports.

I find using Tor prevents me from making comments on news articles that use Disqus to make comments, on their article and you can't open a Facebook account. It does the same as you do asks a question to make sure whether you are a human or not and no matter how many times you answer the question it asks you another one. Is this because Tor believes these are bad places to visit for safety reasons?

The Captcha problem is many years old. Some types of Captchas do not work and may conflict with settings in browsers. Tor Browser does not block particular places but does block particular functions. Since most Captchas work fine, I put the blame on those not working Captchas rather than Tor Browser.

Reading all these comments I am starting to believe that Tor is for people who are way ahead of what I am when it comes to computer knowledge.

It's made by people who are way ahead of most people, but I don't believe it's only for people who are. The interface was redesigned over the years for simplicity and to reduce dangerous actions.
https://2019.www.torproject.org/about/torusers.html.en

Hi Yall, Love Tor Browser. Love my privacy. Thank you

Small but very annoying problem. I use dark themes everywhere. However when opening a "new tab" I get a blinding white screen. I can't find a solution or a workaround. Can anyone help? Thanking you in advance.

PS: when i use a standard Firefox browser i have the option to set "new tabs" to a page. I use Duck Duck Go, and the dark theme applies. Can't do it in Tor...

Try these steps.
Click The Firefox menu button, select "Customize" (screenshot and button image from Firefox help):
Customize menu
Click the "Themes" button near the bottom. Under the heading "My Themes" click "Dark" (not shown in this old screenshot):
Theme selection
It should then look like this:
Screenshot of dark theme

Just update

Jun 17 16:47:39.000 [notice] New control connection opened from 127.0.0.1.
Jun 17 16:47:39.000 [notice] Owning controller connection has closed -- exiting now.
Jun 17 16:47:39.000 [notice] Catching signal TERM, exiting cleanly.

seen now on Tor Browser 8.5.1 on startup.

( This is same than what I have seen Tor Browser 8.5 earlier.
Mostly occurs when Tor Browser is started quite soon after boot.
I suspect that somewhere is short timeout or something like that.
)

Here is another problem. When I go to the site "https://www.asus.com/Phone/ZenFone-4-Pro-ZS551KL/HelpDesk_Manual/"
it gives a access error "Access Denied" but if I continue to to get new circuits for the site it finally works.

That's one type of message returned by websites that means the website decided to block Tor exit nodes. The site checks if your exit node is on a list of exit nodes. The site blocks your exit node if it's on the list they check. Tor Project also has a FAQ for site admins.

Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day.

https://www.zdnet.com/article/mozilla-patches-firefox-zero-day-abused-i…

How do you back up Bookmarks on TorBrowser for Android? New app installed but bookmarks stayed in old app.

"We're still considering the best solution here because Firefox Sync is not available on Android." [1] [2]

I have the Android version of TBB, I get this error when trying to make a screenshot.
"Screenshot disabled for security reasons"

I tried to "save image as" but doesn't work either and shows no error message,

I set Tor browser will Use custom settings for history, tick off Remember my browsing and download history, then restart Tor browser, the settings seemed to be restored.

It's strongly discouraged to install new add-ons in Tor Browser, because they can compromise your privacy and security. Tor Browser already comes installed with two add-ons — HTTPS Everywhere and NoScript — and adding anything else could deanonymize you.
Is it realy true?
1. I has ran Tor Browser/security level Safest/ without Ublock origin on the portal http://ip-check.info/index.php?jsID=16958488abc&auth=352833557&15610391….
And there is :Java script is activated .see picture 1.
2.I has ran Tor Browser/security level Safest/ with Ublock origin on the portal http://ip-check.info/index.php?
Andd ther is :Java script is currently off.
stevetoll

Yes, that's really true as one does not know what those extensions are doing unless one keeps auditing the code.

am i the only one that is bothered by tor now collecting my info and store it and calling me by my real name isnt that how google started telling you its for our own records well i no it botheres me and i looked to try and opt out but was never able to find where to opt out hum sounds like google to me im not sure i will be useing tor anymore myself dont like the idea of someone tracking what i do on the net so much for being annomus i guess