New Release: Tor Browser 8.5.6

by boklm | September 9, 2019

Tor Browser for Android 8.5.6 is now available from the Tor Browser Download page and also from our distribution directory. This version is for Android only, the latest version for Linux, macOS and Windows is still 8.5.5.

This update is fixing an issue with the aarch64 version, mostly on Android 9 which was causing a crash on every launch.

Note: Due to some issue with Google Play's new requirement for 64bit versions, we have not yet been able to publish the Android x86 and x86_64 versions on Google Play. We plan to fix this in the next release. In the meantime the x86 version can be downloaded from our website.

The full changelog since Tor Browser 8.5.5 is:

  • Android
    • Update Torbutton to 2.1.14
      • Bug 31616: Fix JIT related crashes on aarch64

Comments

Please note that the comment area below has been archived.

September 09, 2019

Permalink

Didn't understand about the explanation of x86 or x64. Is there no x64 or aarch64 type still available on playstore, only armv7 ? The problem of aarc64 type crashing got fixed or not ?

Is the below explanation correct ?

1. The problem , the nasty problem of aarch64 type crashing got solved , but it is not being published to playstore.

2. Armv7 types are publishing in playstore. How can that be if google playstore is only allowing aarch64 types. ?

3. Users wanting x86 bit can download from website & dist. repo always.Cause google isn't allowing x86 versions on playstore.

8.5.5 introduced the aarch64 version, causing armv7 users with hardware supporting it to be updated to this version. Unfortunately this aarch64 version was not working correctly, which is fixed by version 8.5.6. So there should now be a working aarch64 version on Google Play.

For x86_64 we don't have a working build yet (we plan to have it with Tor Browser 9.0 on October 22), but we have an x86 one. However Google Play does not allow us to upload a x86 build if we don't provide an x86_64 one at the same time.

September 09, 2019

Permalink

I found a security bug in the Tor Browser Bundle. Is there a way to disclose it without having to use Email?

Kind regards

The best way is to use email with GPG. See "Report a security issue" on the contact page: https://www.torproject.org/contact/

If you don't want to use email, you can encrypt details about the bug using the key from someone in the Tor Browser team (you can find keys on https://www.torproject.org/about/people/), and post the encrypted text as a comment here.

September 09, 2019

In reply to boklm

Permalink

Thank you for offering this alternative!

I am not the O.P. but if I ever (shudder) think I've discovered a serious bug I'll try this method.

Here is an alternative idea I've tried to suggest: follow the lead of Tails Project by adopting Whisperback for security bug reports. This uses an onion send an email, hopefully anonymous, to Tails. It would be very wise to audit Whisperback first, of course.

Here is a third idea which I've tried to suggest previously, so far without success: OnionShare is a very natural tool for sharing anything which needs to be kept private, and also has the potential for communication (e.g. with Tor Project) which is hard for the bad guys to attribute to an individual honest citizen. The roadblock for using OnionShare is safely and anonymously communicating the temporary onion address to the party you wish to communicate with. But surely if tor devs but their minds to it, some good ways tor users would feel comfortable with using can be found.

By default a file shared via OnionShare can only be shared *once*, so the hope is that if you see that someone grabbed the file and then confirm "out of band" that the intended party has it, you can be confident (we hope) that only the intended party has the sensitive information.

One way which is certainly technically possible with minimal effort would be to persuade Tails Project to put the standard accounts back in Tails 4.0 (forthcoming, based on Debian 10 "Buster"), and to create a #tor-vulns chatroom. Then users who have found a sensitive bug can use Tails to send via OTP text message to a special tor user the url of the onion address together with a unique confirmation code. After they see that someone grabbed the file, they can check a page at www.torproject.org to see that their confirmation code is listed as having been received by the tor devs.

(Using OnionShare is easier if you don't need to make the communication anonymous even to spooks, e.g. if you need to share a file with your doctor: you can simply read the onion address over the phone. Once you see that someone took the file, and your party says "got it", you can be confident, we hope, that only the intended party has the sensitive file.)

I want to remind everyone that, quite contrary to widely published reports earlier this year that NSA had allegedly "abandoned" the phone and email dragnet, which were based on an off-the-cuff comment by a staffer for a conservative M.O.C., last month NSA formally demanded that Congress renew these programs, not simply for another "term", but *indefinitely*. And the Snowden leaks confirm that one function of the Utah Data Center (and its backup in San Antonio) is to store *indefinitely* NSA's copies of all the encrypted packets it did not yet try to break, including all encrypted emails as well as all encrypted bitstreams (e.g. tor circuits).

Which poses a dilemma for friends of tor: it would be utterly inappropriate to discuss a new bug in an unencrypted email, but sending an encrypted email raises a red flag. Hence the need to communicate anonymously. But email cannot be anonymized if you are sending from an account you created yourself (even an "anonymous" free account).

September 09, 2019

In reply to boklm

Permalink

Here's the report.
I hope I was clear enough, but if there are questions, I will be looking at this thread for replies.
This key has been used to encrypt the report: `8B90 4624 C5A2 8654 E453 9BC2 E135 A8B4 1A7B F184`
-----BEGIN PGP MESSAGE-----

hQIMA0gYQwfACULkAQ//Vy7OeGTFEYHvTiu1XWuhFxHoazDGukaE57V5odzzx0cq
G5gN3i0qpghJBZDyONos2s8Nn2AxQwQBhEN3PH3QBSPTI/0iz3Kju8TyQvHnWtNR
AuoNQtG/d7PKf4a32qdKPR8UFPnee5LXbZrO5axWsi3Qmetro0Uv2xKbZJt3r+ho
7rJ67jRZwlSl2J0FEBOhsWbIodznpn71dabgWxxXnnhPfm1bAC2WQzCUUmZxXrZD
IteZP65UbtaCI44NQ+b0jqrznZ3AC6e46urUmETDcKjmFnVd7LUsNdYbMRbSQ/ej
t4CS7MI9/w1+yuIn5l9wzaCAUE5cx+bPuY8la9kenmNGiWk107N6ihR0Kho+TTZQ
uq07f2xRymFQKRsLmnYzrroB4atjEAxKlnlHVXGbfjMBG81yv/kdIgYYGYY8cPAK
NLd0dpgLzk4z6PJX3pP4FUTdvnIPZlovCN9ornUw2Yy0+yNSCPtT9iFb9v1w4/Je
j9x5PxM8i/BHWDdTAdFKQsN4NLQEJa6/9EBjSdQf04EAjBaHsEx2uqj7slu8FS0h
Yko2NlHVQThMh3NCWd4S+EI3d2RKxD/4c8h/mz2kCXIV3fRQGJnbbhTidPJQUu80
kh21dJBtw5yvdex19MtFIufjSE/Kau8U9wDPYoLoeWCLOTTFrUL/xqtwswrdIuTS
6QE6Tz85yw1cn51nQAXV4zfjOkJCUC0LEm2EDILoAQ2LNpsfGBT+PXG63CaXkZ7V
WlYXeKdpjPCzR/7DhEojHvc8NMaSfAvYWZb731nhF++4nvhRQr+Ulw8vIrrXJVG8
iqfykm++7qy0RDPkP6MrAKZKxYhc/ui4J7AJRDg/DwvF4hS5EHTJrjWyBzqAbYJZ
B63YQtlrFzFd3bM9GuXYRmYeqnWJ1LVkJpFebrN1AMrMQmPAvtGj/nfPd/RKzW9l
c5TGyVwqXz9uHTI/rc/+UxMzYQ6Kzqw0iVDqwQML5occwk4GwGDL85x3+074UU94
Tpbt4d4cqCcD59r9N7pUR8bxeNlA9ww+292o25VQsHgIIRg9trSIG6pqr2WBRkBk
fZWBGrVe3ysnrI0+vWeeRmCEL4ux8KTpjCpPrccZHa/SDFDEe6gC41589RYVHKGU
0HjJV0cb+Fva+HWQ3zmiv/MDa6EUa6kRxFk8foW3pb+VZE7KoefBnohD+/C5UQV2
aboZJz8VW8Mor728+fhvFCcuw28R8cAQp83kf6ANTprYwm+A5Z5CpcBdD/BJli2l
WNtD10MQ0qSzx62QUzSq79LjnekArDZW4B8+R/fAZ+Xx81BEsxiBYtHTSRpqlt/H
OB8WopG0hmXl63Z0Ll207yh1iDo16yCG335UZ/E2wFOuQVYXWWE3Jzl4iN1g7ZHp
2A1G94B5q5ocWTigB9vrZ3EIgCqIzeCKVCoZKxopSUg5NGYcDPCXGvNNQtSWJmyR
Rygw
=th/A
-----END PGP MESSAGE-----

Thanks. Looking at the severity of the issue, I am not sure yet whether we'll fix this up for ESR 60 as there is no further release planned so far. I need to think a bit more about it.

September 10, 2019

Permalink

I seem to keep encountering nodes whose name includes "nifty". How can I check they are a declared family?

Are we confident these are friendly nodes, i.e. not operated by NSA or GRU or some such agency?

September 11, 2019

In reply to boklm

Permalink

Thanks for replying! But...

> Please enable JavaScript to use this service. If you are using Tor Browser on High Security mode, it is possible to enable JavaScript to run only on this page. Click the NoScript icon on your address bar and select "Temporarily allow all on this page". Relay Search only uses JavaScript resources that are hosted by the Tor Metrics team.

... what Noscript button on the address bar (url bar)? I don't see any such. At the moment I am using Tails 3.16 which I believe incorporates the latest version of Tor Browser.

Hi, Tor devs hid the NoScript icon in recent versions of the Tor Browser because they think it confuses new users.

You can restore the NoScript icon by selecting "Customize" from the hamburger menu and then dragging the NoScript icon next to the address bar or wherever you want to place it.

September 10, 2019

In reply to boklm

Permalink

I have android 9 on honor play. Dont know about architecture.

I was working before the update. However, it stopped working before the update after i lowered the security settings from "high" to "low" (i was trying to solve a captcha). After that it kept on crashing. Before this it never crashed. Then i updated and it still wont work

September 10, 2019

In reply to boklm

Permalink

Update: i tried clearing the cache but it didnt help. Then i cleared the data and it works again

September 10, 2019

Permalink

In your distribution directory, what's the difference between multi and multi-qa?

The difference is that the multi-qa .apk is signed with a debug key that allows for testing the .apk (and ensuring that we've built the .apk reproducibly) but that needs to get replaced by a signature done with a key for the Google Play store which is then the multi.apk.

September 11, 2019

Permalink

Hi,
I'm on gnu/linux slackware 14.2 x86_64.
I've downloaded saturday last version of tor browser bundle 8.5.5.
The 8.5.4 version works well.
But 8.5.5 crash at start with this internal error log:

[notice] Tor 0.4.1.5 (git-439ca48989ece545) running on Linux with
Libevent 2.1.8-stable, OpenSSL 1.0.2s, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
[notice] Read configuration file "tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults".
[notice] Read configuration file "tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc".
[notice] Opening Control listener on 127.0.0.1:9151
[notice] Opened Control listener on 127.0.0.1:9151
[notice] DisableNetwork is set. Tor will not make or accept non-control network connections.
Shutting down all existing connections.
[notice] Parsing GEOIP IPv4 file /PATH_TO/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip.
[notice] Parsing GEOIP IPv6 file /PATH_TO/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6.
[notice] Bootstrapped 0% (starting): Starting [notice] Starting with guard context "default"
[notice] Delaying directory fetches: DisableNetwork is set.
[notice] New control connection opened from 127.0.0.1.
[notice] DisableNetwork is set. Tor will not make or accept non-control network connections.
Shutting down all existing connections.
[notice] New control connection opened from 127.0.0.1.
[notice] DisableNetwork is set. Tor will not make or accept non-control network connections.
Shutting down all existing connections.
[notice] DisableNetwork is set. Tor will not make or accept non-control network connections.
Shutting down all existing connections.
[notice] DisableNetwork is set. Tor will not make or accept non-control network connections.
Shutting down all existing connections.
[notice] Opening Socks listener on 127.0.0.1:9150
[notice] Opened Socks listener on 127.0.0.1:9150

= T= 1567790158 INTERNAL ERROR:
Raw assertion failed at src/lib/malloc/map_anon.c:218:
noinherit_result == tor-browser_en-US/Browser/TorBrowser/Tor/tor(dump_stack_symbols_to_error_fds+0x33)
[0x55ff75f58743] tor-browser_en-US/Browser/TorBrowser/Tor/tor(tor_raw_assertion_failed_msg_+0x86)
[0x55ff75f58e26] tor-browser_en-US/Browser/TorBrowser/Tor/tor(tor_mmap_anonymous+0xca)
[0x55ff75f57f3a] tor-browser_en-US/Browser/TorBrowser/Tor/tor(crypto_fast_rng_new_from_seed+0x35)
[0x55ff75f009f5] tor-browser_en-US/Browser/TorBrowser/Tor/tor(crypto_fast_rng_new+0x2b)
[0x55ff75f00a9b] tor-browser_en-US/Browser/TorBrowser/Tor/tor(get_thread_fast_rng+0x45)
[0x55ff75f00c35] tor-browser_en-US/Browser/TorBrowser/Tor/tor(circuit_reset_sendme_randomness+0x21)[0x55ff75e02fb1] tor-browser_en-US/Browser/TorBrowser/Tor/tor(+0x8342b)
[0x55ff75dd142b] tor-browser_en-US/Browser/TorBrowser/Tor/tor(origin_circuit_new+0x8f)
[0x55ff75dd3aef] tor-browser_en-US/Browser/TorBrowser/Tor/tor(origin_circuit_init+0x22)
[0x55ff75dcceb2] tor-browser_en-US/Browser/TorBrowser/Tor/tor(circuit_establish_circuit+0x37)[0x55ff75dcf877] tor-browser_en-US/Browser/TorBrowser/Tor/tor(circuit_launch_by_extend_info+0x9c)[0x55ff75de6b2c] tor-browser_en-US/Browser/TorBrowser/Tor/tor(+0x99859)
[0x55ff75de7859] tor-browser_en-US/Browser/TorBrowser/Tor/tor(connection_ap_handshake_attach_circuit+0x321)
[0x55ff75de8251] tor-browser_en-US/Browser/TorBrowser/Tor/tor(connection_ap_attach_pending+0x1b0)[0x55ff75dec6b0] ./TorBrowser/Tor/libevent-2.1.so.6(+0x22395)
[0x7fdac04cc395] ./TorBrowser/Tor/libevent-2.1.so.6(event_base_loop+0x55f)
[0x7fdac04ccc6f] tor-browser_en-US/Browser/TorBrowser/Tor/tor(do_main_loop+0xe5)
[0x55ff75dbce95] tor-browser_en-US/Browser/TorBrowser/Tor/tor(tor_run_main+0x1225)
[0x55ff75daa8d5] tor-browser_en-US/Browser/TorBrowser/Tor/tor(tor_main+0x3a)
[0x55ff75da7d5a] tor-browser_en-US/Browser/TorBrowser/Tor/tor(main+0x19)
[0x55ff75da78b9] /lib64/libc.so.6(__libc_start_main+0xf0)
[0x7fdabf6497d0] tor-browser_en-US/Browser/TorBrowser/Tor/tor(+0x59909)
[0x55ff75da7909]

September 14, 2019

Permalink

hello, i dowloaded and verified 8.5.6. from the tor website on September 9th. Filesize 4.47MB. F-Droid now offers me to upgrade to 8.5.6., but shows me 8.5.6. as installed. The difference is in filesize. 4.4MB installed, 4.6MB upgrade. This happens for the first time. What is the difference between the versions. Should there be any? Just downloaded again from tor website, filesize like the allready installed version. Could you please clarify?

September 16, 2019

Permalink

Hi, on Android version on bootup when you swipe right to check logs it says version 0.3.5.8 rc, this should be changed supposedly

September 17, 2019

Permalink

>

gk said:

September 16, 2019

In reply to hello, i dowloaded and… by Anonymous (not verified)
Permalink

Do you have a link to the f-droid version you downloaded?

hello gk, unfortunately no link. i have to admit that i don't really know how to generate a link to the respective file from the fdroid app. I could provide a screenshot out of fdroid-app if that helps

September 17, 2019

Permalink

Hello, any plans in the future to switch the duckduckgo URL used for searches to the onion address ?

September 24, 2019

Permalink

I'm still using Orfox+Orbot. Just to be clear, we're supposed to uninstall Orfox and install Tor Browser for Android, right? Can I still use Orbot, even though TB bundles the tor executable? I have to be able to use Orbot to torrify other apps.

October 01, 2019

Permalink

I have a big issue with captcha because any captcha doesn't appear on tor browser.
You know what can you do for this ?

Are you on "Safest" security level? Try lowering your security level or set "Temp. TRUSTED" for that domain/site in the NoScript icon. Most captchas depend on javascript which is disabled on "Safest" security level.

October 03, 2019

Permalink

First, some context: When I open a youtube link in a new background tab and haven't clicked on it to fully load the tab, the tab has a small "play" circle icon that indicates its page contains a media file that has not started playing. When I click on the tab to bring it forward (make it the active tab), the media file (youtube video) begins playing.

Now, my concern: When I have many background youtube tabs open that I haven't clicked on, and then I click New Identity, the tabs do not all close at once like if I had clicked the X to close the browser. Instead, New Identity closes the tabs one by one in succession very fast, and when each closes, the next background tab becomes the active tab and partially loads the site before its tab closes and moves to the next (background) tab. The browser appears to quickly try to access the media files (and maybe other content files) in the now-active tab before that tab closes.

If connections actually are being attempted, the addresses of content in my whole session of background tabs (or all tabs) may be accessed effectively in bulk all at once to the network, exit eavesdroppers, the sites themselves, and third-parties embedded in the pages.
I expected New Identity to close tabs all at once as the X does without accessing anything else, thus preserving my control and privacy, but it appears that is not what New Identity does.

October 12, 2019

Permalink

Some times when Tor Browser on tablet is restarting, about:tor page comes without address bar and without tabs. This is Android.

Need then stop Tor Browser and start again. (About Tor page does not tell version) about:firefox page tells 60.9.0esr