New Release: Tor Browser 8.0.2

Tor Browser 8.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. We picked up the necessary patches, but because we needed to start building before Mozilla was ready with a first candidate build, we did not bump the Firefox version to 60.2.2esr. Thus, users are fine with Tor Browser 8.0.2 even though the Firefox version is 60.2.1esr.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. The most important current issues are:

The full changelog since Tor Browser 8.0.1 is:

  • All platforms
    • Update Firefox to 60.2.1esr
    • Backport fix for Mozilla bug 1493900 and 1493903
  • OS X
    • Backport fix for Mozilla bug 1489785 for macOS 10.14 compatibility
Anonymous

October 04, 2018

Permalink

how to create a custom .onion domain name . i try a make domain name .onion but its not working :-(

Anonymous

October 05, 2018

Permalink

I Just hate Captcha, but what we do its all about search engine algorithm.some where the main reason is security.

Anonymous

October 05, 2018

Permalink

WTF happened to noscrpt? Now it's on ALLOW ALL by default! Brilliant.

Is there no way to set this back to BLOCK by default? I tried and each time I open the browser, back to ALLOW ALL.

Anonymous

October 06, 2018

Permalink

you added an annoying glowing (!) mark in the onion logo to force the users to update the browser even if my updates are turned off shame on you I switch to epic browser asap. you became worse than the multi national companies with their scams and user hacks

SHAME ON YOU!!!!!!!!!!

Anonymous

October 06, 2018

Permalink

Hello Tor Project Team,
I've had some trouble conserving TBB 8.0.1 as a backup to 8.0.2. After doing several re-installations, TBB 8.0.1 had continued to force an update to TBB 8.0.2 in spite of enabling either:

1. "Check for updates but let you choose to install them", or
2. "Never check for updates (not recommended)" ... using the hamburger stack:
"Options>General>Allow Firefox to".

I have discovered that a file named "active-update.xml" has appeared in v.8.0.1 Tor Browser\Browser\Torbrowser\UpdateInfo. Checking Tor Browser\Browser\Torbrowser\UpdateInfo\updates\0 reveals three more files:

1. "update.mar" (a Microsoft Access Report Shortcut, as per checking file properties)
2. "update.status" (Opening in Notepad shows "pending")
3. "update.version" (Opening in Notepad shows "8.0.2"

Deleting each of these four files, or the entire UpdateInfo folder before exiting TBB 8.0.1 prevents the forced update to TBB 8.0.2 when restarting TBB 8.0.1 . The UpdateInfo folder is regenerated as an empty folder after a restart. So ... I feel better. And you, chupta? Thank you for your dedication, and the good things that you provide us all with.

Anonymous

October 07, 2018

Permalink

noscript does not work correctly:

example:

with the security-slider set on "high"

go on: https://metager.de/

1. noscript is on "standard" - you won't see the icons for "Web", "News/Politik", "Wissenschaft" ... "settings" and so on around the search field are not visible = normal behaviour

2. click on "temp. TRUSTED" and reload the page: icons become visible. This noscript setting alone should not allow icons to be displayed as the security slider is still on "high". Do noscript and the security slider no longer interact correctly???

3. click on "delete temporary permissions" (icon "clock icon" on the rightmost) and reload the page. Now, the icons on the metager.de-site around the search field should not appear - just like in point 1. "standard" as noscript should block the icons. However, the icons around the search field are still displayed.
4. click on "MISSTRUST" in noscript. The icons on metager.de should not be displayed. However, they are definitely displayed.

Am I doing something wrong in noscript? Or is noscript doing something wrong?

Another question concerning noscript:
How can you get directly to noscript.net? In the old versions of TBB you just had to open "addons" and click on the link under "NoScript". This link is missing now. Or is there another way to get to noscript.net now?

Another problem:
https-everywhere:
When installing TBB, the https-everywhere-icon does not appear, you have to click on "customize" in the browser menu and drag and drop the https-everywhere-icon manually - just like in many versions of TBB before. For some versions this problem was solved, but now it reoccurs.

And finally, another point:
In the German version of TBB, on the introductory page, there are three different translations for the English "circuit". There is: 1. Circuit-Ansicht (which is no translation!). 2. In the explanatory text there is "Zeige deinen Pfad" - here "circuit" becomes "Pfad" (= "path") and users are told to "choose"( = "wählen", which should be "click on" = "klicken auf" - not "choose") "Neuer Pfad für diese Seite". 3. If you do so and click on the "Informations-Symbol" which is the padlock, you will not get "Neuer Pfad für diese Seite", but "Neuen Kanal für diese Seite". (By the way: this should be: "NeueR Pfad" (nominative) instead of "NeueN Pfad" (accusative) - but this is only a minor mistake.)

So you have three names for the English word "circuit": 1. circuit, 2. Pfad, 3. Kanal

On the right, at the bottom of the introduction. you will read "Pfad" again. If you click on that field, you will get to Duck Duck Go and you will read "Circuits" again, and:"Relays". In the old version of TBB you used "Relais" as translation for "relay". And if you click on the green padlock, "relay" is translated as "Verteiler".

First and foremost, this is not a question of translation, but a question of logical thinking. Even with not knowing German at all, you can easily realise that there must be something wrong with so many different tranlations for one thing. And the correct translations had been available from older versions of TBB.

This is not explanatory at all, on the contrary - it is confusing.

On the introductory page you have a link "FAQ", and there you will find a link "NoScript FAQ", which will open the FAQ for the old noscript version(s). There is no official documentation for noscript. All you can get is a link to a blog writer giving "basic" information about the new noscript. This is very basic indeed and not an official documentation.
Another link will redirect you to a page inteding to give an overview of the new noscript in a nutshell. A nutshell is not enough for understanding the new noscript - as you can see from the "226 Responses to “NoScript, "Quantum" vs "Legacy" in a nutshell”.

You have to provide a clear official guide to the new version of noscript.

Everything has become difficult enough. But do we really have to plough through a white text on a black background? Do you really want us to spoil our eyes?
Has everything to be put upside down now?

For me, all that is a complete mess. Sorry, but I really tried to give my very best to come to grips with all the novelties and tried to find information, read and understand. But now I'
ve come to the conclusion that any effort will always lead to the point that there is no clear information.

Please, do your homework and make things clear and understandable

Anonymous

October 07, 2018

Permalink

Hi, would someone mind to explain what EXACTLY the "Safest" option adds over the "Safer" one ?

In complete technical terms. What is blocked that wasn't previously, when you go from Safer to Safest ?

For example, at same NoScript configuration, Safest doesn't play videos on YouTube or PornHub, but Safer does. For this particular case, what is being blocked ? It doesn't seem to be Mediasource, from a quick look at about:config.

I would rather downgrade Safest a little through NoScript than upgrade Safer, if possible, because I want to be..safest, while watching a video.

For example, at same NoScript configuration, Safest doesn't play videos on YouTube or PornHub, but Safer does.

No guarantees at all.
As an example of taken over exit nodes. Several exit nodes from indonesia will prevent you from accessing certain sites anyway. If you are lucky you will be redirected to a page that is telling you why access is blocked, a legal notice page telling you that what you are doing is forbidden.
NoScript will not help you with this.

Beside this kind of governmental educating interferences, maybe you should consider other technical solutions for your certain needs, like using VPN.
Using VPN for your happy video consuming needs will be faster and will not be unnecessary heavy using Tor network that is essentially mend for serious exchange of information.

In other words, don't block people that need Tor network for their human existence in places where there is lack of sufficient human rights with happy over consuming video downloading, file sharing etc.
Be social and consider using VPN solutions for that.

At first I thought you were trying to reply but didn't understand the question. Then I got that you wanted to just bar video from Tor.

Hopefully someone else knows the difference between Safer and Safest: It appears that with identical NoScript configurations, videos only work on the former.

There are more differences obviously, and I'm looking for a full technical list of them.

(Disclaimer: I'm not trying to ignore or marginalize the bigger problem here, but I thought I could help at least a little.)
You can remove Indonesia from the list of nodes chosen for you by editing the "torrc" file with a text editor and adding the line "ExcludeNodes {ID}" at the end. It's absolutely not recommended by the Tor project to do so because it will make it very slightly easier to track users that way. Personally, I'm not too keen on using nodes in countries that might confiscate or add trackers to their Tor nodes at any time.

Anonymous

October 08, 2018

Permalink

Can not move torbrowser directory. When I move the torbrowser directory it stops working. Is this normal behavior?

Not a solution, but a workaround: Disabling and enabling torbutton and torlauncher again solves this issue for me after moving or renaming the Tor Browser directory. Also, other than your ticket implies, copying instead of moving works for me on Debian testing, at least as long as the directory of origin is not removed. After doing so, the torbutton and torlauncher problem turns up again for some reason..

And while I'm already here: Thank you very much for your work!

Not familiar with that site, but FWIW I often visit sites which show up as blank pages. In such cases I usually assume that the problem is that the site assumes every visitor's browser has Javascript enabled, but with the security slider set to "safest" (or even "safer"?) that's not true about Tor Browser.

Someone please correct me if that's not correct!

Same with Tor 7.5.6 set to safest - but the safer setting seems to work fine. I guess that's yidio's "This page requires JavaScript to work properly, because we want it to look fancy." message... You should consider writing them an email and ask them what the hell they were thinking.

Not familiar with that site, but FWIW I often see such messages, and generally assume that the problem is that some website operators (or more likely a third party CDN) simply block all traffic from the (known) list of Tor exit nodes.

A related possibility is that CDNs may run software which rather stupidly expects to track any browser as it the owner surfs from site to site, but TB resists that, so the software "fails bad" and we see a blank page. For example, the operators might intend to let visitors see a few pages or videos for free, but after that tries to ask them to register an account. But if your requests come through a Tor exit node, others have exhausted the software's patience before you came along. Possibly.

Anonymous

October 09, 2018

Permalink

I tried the "request a bridge from torproject.org" and received a group of bridges however I was not able to connect through any of the proxies. Does it work? below is the log which the ports of all the proxies I tried where not open.

Well, it's hard to say what the issue is as there are multiple pieces involved here. First, all of the bridges you got could be down. Second, they could be up and running but a censor could have blocked them.

Does the meek pluggable transport work for you?

I think I found the problem. On my Mac when the new bridges did not work I closed Tor to reopen the app but it would not reopen. I noticed 2 running tor process (even though thelaunchpad show the process closed). I closed the 2 tor process and the bridges worked. There appears to be a problem with "tor browser" process when switching to the newly acquired bridges continuing to run..

Anonymous

October 10, 2018

Permalink

Getting a boat load of messages

"Bad Request

Your browser sent a request that this server could not understand."

from Startpage and DuckDuckGo when searching using normal keywords like "running shorts" using the searchbar.

Search process seems to be breaking for some reason.

This just happens part of the time, probably more than thirty percent though.

Anonymous

October 10, 2018

Permalink

Hi, it seems that 8.0.2 is signed with a newly created subkey, but I'm having a hard time finding it in key servers. Did you forget to upload the modified public key with the new subkey attached?

Anonymous

October 12, 2018

Permalink

Since updating to Tor v. 8.0.2, the "suggest" feature of the address bar no longer works. When I type characters into the address bar, no suggestions appear. In the options, I have "bookmarks" and "open tabs" checked as the sources for the suggestions. This feature worked right up until I updated the browser. If anyone knows how to fix this problem, please let me know. If not, I will assume that it is a bug and will hope that it is fixed soon, as browsing without it is slow and tedious.

Thanks for your reply. I finally fixed this problem, but not without a lot of struggling. I believe that my bookmark file got corrupted when the Tor update took place.To correct the problem, I closed the browser. Then, I renamed the bookmark file (places.sqlite). Afterwards, I attempted to create a new bookmark file by reopening the browser. After repeated attempts, I managed to import one of my backup bookmark files into the new bookmark file and now everything is working properly. I hope that this experience was just a fluke and that I will not have to repeat the above steps each time I update the Tor browser. I guess I'll find out whether this will be an ongoing problem when the next update becomes available.

Anonymous

October 12, 2018

Permalink

I use Windows 7 64.

So that I could verify the signatures for the latest package (8 0 2) I copied the information shown on https://www.torproject.org/docs/verifying-signatures.html.en and after installing GnuPG, I followed the instructions given. Since the present TOR package is specifically mentioned within those instructions I thought everything I saw would match exactly what appears in your instructions.

However, I got widely differing results.

You say:

“You should see:
pub rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096/0xD1483FA6C3C07136 2016-08-24 [S] [expires: 2018-08-24]
Key fingerprint = A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
sub rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
Key fingerprint = 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

What I did see:

“pub rsa4096 2014-12-15 [C] [expires: 2020-08-24]
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096 2018-05-26 [S] [expires: 2020-09-12]”

AND

“The output should say "Good signature":

gpg: assuming signed data in 'torbrowser-install-8.0.2_en-US.exe'
gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg: using RSA key 0xD1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
Currently valid subkey fingerprints are:
1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

What the output DID say:

“gpg: assuming signed data in 'C:\Users\MYNAME\Desktop\torbrowser-install-win64-8.0.2_en-US.exe'
gpg: Signature made 10/03/18 00:24:04 GMT Daylight Time
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

I realise that you are all very busy but you can judge when a divergence in information matters and when it doesn’t. Most of us users cannot, therefore we are reliant on the information you give us being accurate and up-to-date.

Please reissue the instructions for verification.

Thank you.

The problem here is that the output depends on the particular GnuPG configuration on your system (among other things). We only have space to give output for one possible configuration but not for all of them. That said, the output you got seems fine.

Why the duckduckgo people thought any particular Tor exit node was "doing something wrong", I can only speculate, but did you try following their advice by pressing "New Circuit" or "New Identity" (i.e. "restart your Tor browser")?

I've seen a similar message a few times, and choosing a new identity seemed to fix the problem.

Anonymous

October 14, 2018

Permalink

Hi,

is it possible to download an installer for the last 7.x version of the tor browser? I know that i should always use the newest version but i would like to compare some behavior i have remarked to an older version.

Anonymous

October 16, 2018

Permalink

Tor 8.0.2
Windows 7 Ultimate

I installed updates to NoScript and HTTPS Everywhere manually.

NoScript overwrote the old version but HTTPS Everywhere did not.

I now have two versions of HTTPS Everywhere installed.

Version HTTPS Everywhere 2018.8.22 (the one that came with Tor 8.0.2) and HTTPS Everywhere 2018.9.18
Why did it not overwrite the older version?.

If you updated from Tor 8.0.1 to Tor 8.0.2 I have no idea.
If you updated from Tor 7.x to Tor 8.0.2 my [b]guess[/b] would be that it's because of the leap in Firefox versions/editions ("Mozilla Firefox - The next version is always the worst...").

As for fixing this, you should backup/export your settings for HTTPS Everywhere (the one that has your actual settings and preferences) remove both versions, install a fresh version of HTTPS Everywhere and import your settings.
I hope this helps.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

14 + 2 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.