New Release: Tor Browser 8.0.1

Tor Browser 8.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that we just picked up the necessary patches this time but did not bump the Firefox version to 60.2.1esr as we needed to start building before Mozilla was ready. Thus, users are fine with Tor Browser 8.0.1 even if the Firefox version says 60.2.0esr.

Moreover, Alex Catarineu from Cliqz found a mistake we made that would make it possible to trick a user into installing an unsigned Torbutton extension. Thus, all users are encouraged to update older Tor Browser versions to 8.0.1 and keep in mind that installing third party extensions is potentially dangerous to Tor Browser's privacy guarantees and therefore strongly discouraged.

Tor Browser 8.0.1 is shipping the first stable Tor in the 0.3.4 series (0.3.4.8) which solves an annoying crash bug on older macOS systems (10.9.x).

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript. This takes concerns about any server passively logging the User Agent into account while still avoiding broken websites as good as we can. Thanks to everyone who helped with this issue.

Finally, we included a banner for signing up to Tor News which allows anyone to stay up-to-date about things going on in the Tor universe (which is, admittedly, sometimes hard to keep track of).

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. While we fixed a number of them for the 8.0.1 release, there are still issues remaining. The most important ones are listed below:

  • WebGL is broken right now.
  • Accessibility support is broken on Windows. We are considering options to address this issue right now.
  • Tor Browser 8 is not starting anymore on some older Ubuntu/Mint Linux systems. We still have issues to reproduce this bug but hope we can fix it in the next release.
  • Tor Browser 8 is not starting anymore on CentOS 6. We have a fix in our upcoming 8.5a2 to give it a bit of testing. Users affected by this bug may resort to that alpha version for now. We plan to backport the patch in the next stable release.
  • NoScript is not saving per-site permissions anymore. We have a potential patch for this bug in our 8.5a2 release as well and plan to backport it, too, in the next stable release in case no issues with it are found.

Note: The changelog file has an incorrect release date (September 24 instead of September 22).

The full changelog since Tor Browser 8.0 is:

  • All platforms
    • Update Tor to 0.3.4.8
    • Update Torbutton to 2.0.7
      • Bug 27097: Tor News signup banner
      • Bug 27663: Add New Identity menuitem again
      • Bug 26624: Only block OBJECT on highest slider level
      • Bug 26555: Don't show IP address for meek or snowflake
      • Bug 27478: Torbutton icons for dark theme
      • Bug 27506+14520: Move status version to upper left corner for RTL locales
      • Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
      • Bug 27558: Update the link to "Your Guard note may not change" text
      • Translations update
    • Update Tor Launcher to 0.2.16.6
      • Bug 27469: Adapt Moat URLs
      • Translations update
      • Clean-up
    • Update NoScript to 10.1.9.6
    • Bug 27763: Restrict Torbutton signing exemption to mobile
    • Bug 26146: Spoof HTTP User-Agent header for desktop platforms
    • Bug 27543: QR code is broken on web.whatsapp.com
    • Bug 27264: Bookmark items are not visible on the boomark toolbar
    • Bug 27535: Enable TLS 1.3 draft version
    • Backport of Mozilla bug 1490585, 1475775, and 1489744
  • OS X
    • Bug 27482: Fix crash during start-up on macOS 10.9.x systems
  • Linux
    • Bug 26556: Fix broken Tor Browser icon path on Linux
Anonymous

September 22, 2018

Permalink

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript.

"Win64" for 32-bit OS! Epic!

Anonymous

September 22, 2018

Permalink

Bug 26624: Only block OBJECT on highest slider level

WHY?! Where in the Design Guide do you state it should be blocked?

The object tag itself is not an issue. The problem is that it can embed JavaScript and that one do we want to treat correctly on the security slider levels. So, far this worked fine out of the box but we did make a mistake during the esr60 preparation. That's fixed with this release.

Anonymous

September 22, 2018

Permalink

Bug 27543: QR code is broken on web.whatsapp.com

What should a user do to reenable canvas after mistakenly disabling it?

Anonymous

September 22, 2018

Permalink

McAfee antivirus has quarantined a file when I tried upgrading Tor Browser to 8.0.1. Why could that be possible?

Anonymous

September 22, 2018

Permalink

no

Anonymous

September 22, 2018

Permalink

why does browser.zoom.siteSpecific;true not work anymore?
my most used button is the zoom+ . it's annoying.

Anonymous

September 23, 2018

Permalink

> We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript.

It's similar to schizophrenia. Anonymizing tool should always send the same metadata, no mater what OS and software version are installed. Besides, websites that behave differently depending on OS brake W3C standards, and your "solution" helps them in their harmful development.

> This takes concerns about any server passively logging the User Agent into account while still avoiding broken websites as good as we can.

I never met websites broken in this way.

Anonymous

September 23, 2018

Permalink

How would I go about disabling connection though Tor network, while preserving other browser features? On Tor Browser 7.5.6 it was done by setting about:config => network.proxy.socks_remote_dns to false and setting Options => Advanced tab => Network to No Proxy (the recipe is borrowed from here), now it doesn't seem to work (Tor Browser simply looses network connection). Is it at all possible to achieve in Tor Browser 8?

I'm aware that this is no help for you, but it still works for me the very same way you just described here. To make it persist between re-starts, you've to disable torbutton though.

Anonymous

September 23, 2018

Permalink

Since updating to 8.0.1 I have seen a LOT of Cloudflare captchas (one more step). Like 50% of all pages.

Something is seriously broken. I have not seen these captchas since the large fix on issue in 2016.

In Windows TBB 8.0 send Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 useragent.
TBB 8.0.1 send
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 - for HTTP request
and
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 for javascript

Anonymous

September 23, 2018

Permalink

On the right side of URL and /Search boxes there are 2 icons, HTTPS Everywhere and NoScript,
both identified with "S".
Could you change HTTPS Everywhere icon to "Lock" as in URL, on blue background ?

Anonymous

September 23, 2018

Permalink

I set the search engine to DuckDuckGo (onion). Very often, when I search something in the address bar, it ends up producing an error 400 (bad request). Searching directly in the DuckDuckGo onion search field always works.

Opening a website which doesn't work w/o js, enabling js in custom pane, it reloads, NoScript shows 0 blocked, but the website is still not working, going to custom pane and seeing 'fetch' in red, enabling it, and the website works!

Anonymous

September 23, 2018

Permalink

Your new release 8.0.1 is now generating captcha site blocking security by cloudfare. The problem i'm having is the captcha sequence keeps repeating itself after successful completion and verification without allowing site access. How can I disable this security feature which is frustrating and did not occur on any previous versions of TOR browser.

Anonymous

September 23, 2018

Permalink

Was looking forward to experience with Tor, but it's for Windows version 7.0/8 and higher, and I'm still using XP Pro. Can anyone guide me to an older, stable version that I can use until I upgrade?

Anonymous

September 24, 2018

Permalink

As well as not saving permissions, Noscript has suffered another bug since tor browser 8. The default site behavior has been to to trust all Scripts, Objects, Media, Frame, Fonts, Webgl, Fetch, and Other. This is so comprehensively permissive as to render Noscript useless. For comparison's sake, Noscript's default behavior in Firefox 60+ is to permit only Media, Frame, Fonts, Webgl, and Other. Obviously, altering the default behavior doesn't affect the next tor browser session as that won't be remembered, per the bug.

Please, alter the default Noscript permissions in the next release. If you can separate this issue from Noscript settings being remembered across sessions, please prioritize this issue. Thank you

Anonymous

September 24, 2018

Permalink

Since TBB-8.0.1 and its new User-Agent behavior, almost 327,52% of web sites I visit and which are protected by the Cloudflare (187,03% of the internet) ask me to solve Google Captcha : I could use "New circuit for this site" but at best, I have to spend 2 to 3 minutes to bypass Cloudflare. And this is when it is possible : some page are not even reachable whatever the time you spent on renewing a circuit.

It means that my privacy is worst than ever before as Cloudflare & Google are well known to be the greatest enemy to privacy, free speech and anonymity :/

There are cloudflare intentions to use onion v3 services in their infrastructure to treat network traffic from tor users differently. However, it is still in progress yet.

Anonymous

September 24, 2018

Permalink

GPU process can die successfully on Win 7:
(#10) Error Killing GPU process due to IPC reply timeout
(#11) Error Failed to connect GPU process
(#12) Error Receive IPC close with reason=AbnormalShutdown

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

10 + 3 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.