New Release: Tor Browser 8.0.1

Tor Browser 8.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that we just picked up the necessary patches this time but did not bump the Firefox version to 60.2.1esr as we needed to start building before Mozilla was ready. Thus, users are fine with Tor Browser 8.0.1 even if the Firefox version says 60.2.0esr.

Moreover, Alex Catarineu from Cliqz found a mistake we made that would make it possible to trick a user into installing an unsigned Torbutton extension. Thus, all users are encouraged to update older Tor Browser versions to 8.0.1 and keep in mind that installing third party extensions is potentially dangerous to Tor Browser's privacy guarantees and therefore strongly discouraged.

Tor Browser 8.0.1 is shipping the first stable Tor in the 0.3.4 series (0.3.4.8) which solves an annoying crash bug on older macOS systems (10.9.x).

We found a better solution to our User Agent treatment: on desktop platforms Tor Browser will send a Windows User Agent at the network level now while still allowing to query the unspoofed User Agent with JavaScript. This takes concerns about any server passively logging the User Agent into account while still avoiding broken websites as good as we can. Thanks to everyone who helped with this issue.

Finally, we included a banner for signing up to Tor News which allows anyone to stay up-to-date about things going on in the Tor universe (which is, admittedly, sometimes hard to keep track of).

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. While we fixed a number of them for the 8.0.1 release, there are still issues remaining. The most important ones are listed below:

  • WebGL is broken right now.
  • Accessibility support is broken on Windows. We are considering options to address this issue right now.
  • Tor Browser 8 is not starting anymore on some older Ubuntu/Mint Linux systems. We still have issues to reproduce this bug but hope we can fix it in the next release.
  • Tor Browser 8 is not starting anymore on CentOS 6. We have a fix in our upcoming 8.5a2 to give it a bit of testing. Users affected by this bug may resort to that alpha version for now. We plan to backport the patch in the next stable release.
  • NoScript is not saving per-site permissions anymore. We have a potential patch for this bug in our 8.5a2 release as well and plan to backport it, too, in the next stable release in case no issues with it are found.

Note: The changelog file has an incorrect release date (September 24 instead of September 22).

The full changelog since Tor Browser 8.0 is:

  • All platforms
    • Update Tor to 0.3.4.8
    • Update Torbutton to 2.0.7
      • Bug 27097: Tor News signup banner
      • Bug 27663: Add New Identity menuitem again
      • Bug 26624: Only block OBJECT on highest slider level
      • Bug 26555: Don't show IP address for meek or snowflake
      • Bug 27478: Torbutton icons for dark theme
      • Bug 27506+14520: Move status version to upper left corner for RTL locales
      • Bug 27427: Fix NoScript IPC for about:blank by whitelisting messages
      • Bug 27558: Update the link to "Your Guard note may not change" text
      • Translations update
    • Update Tor Launcher to 0.2.16.6
      • Bug 27469: Adapt Moat URLs
      • Translations update
      • Clean-up
    • Update NoScript to 10.1.9.6
    • Bug 27763: Restrict Torbutton signing exemption to mobile
    • Bug 26146: Spoof HTTP User-Agent header for desktop platforms
    • Bug 27543: QR code is broken on web.whatsapp.com
    • Bug 27264: Bookmark items are not visible on the boomark toolbar
    • Bug 27535: Enable TLS 1.3 draft version
    • Backport of Mozilla bug 1490585, 1475775, and 1489744
  • OS X
    • Bug 27482: Fix crash during start-up on macOS 10.9.x systems
  • Linux
    • Bug 26556: Fix broken Tor Browser icon path on Linux

I deleted the Comodo Firewall, still an error. https://imgur.com/a/UAwZjm7 Bridge has never been used. I just use Tor in Virtualbox. (Window 7 Embedded Thin PC x86, Disable 3D Acceleration, Enable VT-X) I think there are no special points other than that. Hmm... I turned off some window services. List of running services. https://imgur.com/a/eiQmGlB This is all. I'm poor at English. It's hard to talk any more. Sorry and thank you.

Anonymous

September 24, 2018

Permalink

https://arxiv.org/abs/1808.07285 - This uses deep learning to correlate Tor traffic correctly 96% of the time by observing only 900 KB of data flowing, compared to existing methods getting only 4%. That sounds like a broken Tor to me. Any response?

Anonymous

September 24, 2018

Permalink

Not working for me since update, I just get an endless loop of CAPTCHA Tried new circuits but same result. Not good!!.

Anonymous

September 24, 2018

Permalink

(#843736) Error Attempt to create DrawTarget for invalid surface. Size(380,503) Cairo Status: 1

I had a similar occurrence years ago: One minute I'm browsing, the next minute the Window was just [i]gone[/i]. When it came up on its own I was informed that Tor was updated and 2 of my AddOns were outdated. (At the time, I was too shocked to seek out the devs because I was simply too busy retracing my steps and updating my AddOns.)
I haven't had this issue since, but my completely uneducated (and untested) guess would be that some AddOns interfere with the Tor browsers' ability to ask if the user would like to update 'now' when it's set to automatically update.
If you have interest in looking into this particular theory, you could send the devs a list of your AddOns and settings, Viktor. (Presuming Tor doesn't change those in the process of the 8.0.1 update.)

Anonymous

September 24, 2018

Permalink

— In Tor Browser 8.0.1, what is the default browser-window size supposed to be on Windows, Linux, and MacOS desktop platforms?

— On MacOS desktop platforms, the default browser-window size is 1000 Wide x 0998 High.

— On MacOS desktop platforms, is the default browser-window size supposed to be 1000 Wide x 0998 High or is this a defect?

— On Windows desktop platforms, is the default browser-window size supposed to be 1000 Wide x 1000 High or is this a defect?

— On Linux desktop platforms, is the default browser-window size supposed to be 1000 Wide x 1000 High or is this a defect?

— Are the default Tor Browser 8.0.1 browser-window sizes supposed to be identical across all 3 desktop platforms, or are one or more of the default browser-window sizes supposed to be different across the 3 desktop platforms?

Anonymous

September 24, 2018

Permalink

As mentioned, Noscript in tor browser 8.0.1 does not save settings between sessions. A related problem is that the default settings in Noscript on tor browser 8.0.1 currently permit all aspects of javascript:
-script
-object
-media
-frame
-font
-webgl
-fetch
-other

Default currently is indifferent from a "trusted" site. For reference, the default settings for Noscript on Firefox 60+ only permit:
-media
-frame
-font
-webgl
-other

The default settings are so comprehensively permissive that they make Noscript entirely useless. Of course, altering the default settings does not "stick" between sessions due to the current bug. Please, fix both bugs. However, if you can separate the issues, please prioritize this default settings issue. It really places your users' security in jeopardy. Thank you

Anonymous

September 24, 2018

Permalink

When bugfix of #23512 will be backported to stable releases? It is so scary bug...

Do we have a web page where I could read man pages for tor alpha releases?

Anonymous

September 24, 2018

Permalink

Hey, why the hell CF uses 443 for http onions?!
cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443
or is it a Firefox not recognizing 443 for .onion domains?
and what's up with https version of it?

Anonymous

September 24, 2018

Permalink

Can't connect to certain sites.
Using Windows 10 Home. Version 1803 64-bit.

9/25/18, 06:17:11.986 [NOTICE] We tried for 15 seconds to connect to '[scrubbed]' using exit $51377C496818552E263583A44C796DF3FB0BC71B~apx1 at 185.107.47.215. Retrying on a new circuit.

Anonymous

September 25, 2018

Permalink

cant search for add on because it pops new browser and search mozilla database not tor....previous versions worked but this new version doees not allow this. strange?

Anonymous

September 25, 2018

Permalink

maybe im not seeing it but i can no longer see the 3 ip addresses when i click on the onion symbol

Anonymous

September 25, 2018

Permalink

Hi,

Since I upgraded to 8.0.1, I spend most of my time solving captcha than surfing : are Cloudflare and/or Google and/or both launching a war on Tor ? o_O

Anonymous

September 25, 2018

Permalink

Seems with the new TOR update many sites now require CAPTCHA where as before they did not.

Anonymous

September 25, 2018

Permalink

Downgrading to 8.0 or earlier seems to solve the captchas occurring.

8.0.1, 8.0 and 7.5 all have different user agents.

I understand cloudflare whitelists default tor browser user agent. I think they have not yet updated user agent recognition to match the string 8.0.1 is using.

Anonymous

September 25, 2018

Permalink

why do you ship that pingsender program which mozilla explicitly documents as not obeying firefox proxy settings?

Anonymous

September 25, 2018

Permalink

I fail to understand why Tor Browser 8.0.1 gets released when Tor Browser 8.5a1 is already out. Maybe that's something you should explain to your users 'before' going into technical details and bug report numbers.

I'm currently sticking with Tor Browser 7.5.6 because of this, as well as the fact that an attempted update to Tor Browser 8.0 broke all the AddOns I use to make the newer versions of Firefox usable for me. (Fortunately I started making backups before making Tor updates.)

The most privacy focused browser in the world doesn't help me if I can't use it.

And in the vague hope that someone will actually read this: You should unify the size of the Tor browser windows based on the 'inner' measurement, rather than the outer border of the window. As soon as a user adds one toolbar or chooses a different size for icons, a good part of your anonymity concept is out of the window anyway. (Apparently just blocking JavaScript won't help here because CSS can be still use used to take measurements.)

Despite all this, I wish you a nice day, because no sort of frustration makes me blind to the fact that you actually 'try'. Thank you for that.

We have two Tor Browser series: a stable one and an alpha one (the latter has an "a" in its version numbers to tell them apart). We have those two series in order to give new features and bug fixes more testing in the alphas before they reach the stable series. This should help shaking out bugs and is aimed at developers/users that would like to help us with bug finding/fixing.

Anonymous

September 25, 2018

Permalink

tbb 8.0.1 on linux 64bit produces platform linux_x86 (not Win32, the desired value) on Panopticlick

Even with javascript disabled, https://www.doileak.com/ gives me the following:
Operating System: We have detected multiple OS:
Windows (User Agent, )
Linux (Fingerprint, )

Same is true for https://browserleaks.com/

Disabling javascript completely in about:config won't hinder both websites to reveal my platform either.

However, while I was never aware of this: I just checked and Tor Browser 7.5.6 gives me the same results, so it's not related to the latest updates. Was hiding the platform never the intention?

Disregard my previous comment, I didn't think that through at all. Both websites use passive TCP/IP fingerprinting for OS detection and hence it's just the fingerprint of my exit node, which coincidentally happened to run linux..