New Release: Tor Browser 8.0.4

Tor Browser 8.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.0.4 contains updates to Tor (0.3.4.9), OpenSSL (1.0.2q) and other bundle components. Additionally, we backported a number of patches from our alpha series, where they got some baking time. The most important ones are:

  • a defense against protocol handler enumeration which should enhance our fingerprinting resistance,
  • enabling Stylo for macOS users by bypassing a reproducibility issue caused by Rust compilation and
  • setting back the sandboxing level to 5 on Windows (the Firefox default), after working around some Tor Launcher interference causing a broken Tor Browser experience.

Moreover, we ship an updated donation banner for our year-end donation campaign.

The full changelog since Tor Browser 8.0.3 is:

  • All platforms
    • Update Firefox to 60.4.0esr
    • Update Tor to 0.3.4.9
    • Update OpenSSL to 1.0.2q
    • Update Torbutton to 2.0.9
      • Bug 28540: Use new text for 2018 donation banner
      • Bug 28515: Use en-US for english Torbutton strings
      • Translations update
    • Update HTTPS Everywhere to 2018.10.31
    • Update NoScript to 10.2.0
    • Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
    • Bug 25794: Disable pointer events
    • Bug 28608: Disable background HTTP response throttling
    • Bug 28185: Add smallerRichard to Tor Browser
  • Windows
    • Bug 26381: about:tor page does not load on first start on Windows
    • Bug 28657: Remove broken FTE bridge from Tor Browser
  • OS X
    • Bug 26475: Fix Stylo related reproducibility issue
    • Bug 26263: App icon positioned incorrectly in macOS DMG installer window
  • Linux
    • Bug 26475: Fix Stylo related reproducibility issue
    • Bug 28657: Remove broken FTE bridge from Tor Browser
  • Build System
    • All Platforms
      • Bug 27218: Generate multiple Tor Browser bundles in parallel

So, some progress here. I can reproduce a bug which might be this one with the alpha. But I don't have to complete the onboarding. The links on about:tor don't work right from the beginning. Is that what you are seeing, too? Where do you see the onboarding related exception? I don't see anything like that in the browser console.

Anonymous

December 11, 2018

Hello!
I have some problem with Tor. I updated Mozilla Firefox and also Tor.
After this Tor doesn't work and I see this communication:
"Failed to bind one of the listener ports."

Do you know what can I do?
Thanks in advance

12/12/18, 04:09:07.537 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:07.541 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.768 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.768 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.768 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.769 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.769 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.769 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.770 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.770 [NOTICE] Opening Socks listener on 92.126.156.60:8800
12/12/18, 04:09:23.771 [WARN] Could not bind to 92.126.156.60:8800: Can't assign requested address
12/12/18, 04:09:23.771 [WARN] Controller gave us config lines that didn't validate:
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] Opening Socks listener on 92.126.156.60:8800
12/12/18, 04:09:47.232 [WARN] Could not bind to 92.126.156.60:8800: Can't assign requested address
12/12/18, 04:09:47.233 [WARN] Controller gave us config lines that didn't validate: Failed to bind one of the listener ports.
12/12/18, 04:10:06.289 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.289 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:10:06.290 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.290 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:10:06.290 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.290 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:10:06.290 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.290 [NOTICE] Opening Socks listener on 92.126.156.60:8800
12/12/18, 04:10:06.291 [WARN] Could not bind to 92.126.156.60:8800: Can't assign requested address
12/12/18, 04:10:06.291 [WARN] Controller gave us config lines that didn't validate: Failed to bind one of the listener ports.

sorry my english is not that well..
Have you uploaded a new version of the Tor Browser? Yesterday? I have been using Tor since July..
Last night my system macOS Mojave 10.14.2 updated Firefox afterward Tor browser stopped working. I downloaded from this page Tor and again I see that information in the Tor browser window.. and on the bottom left in the browser window is also information that for help I can visit this website or contact support...
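
Added example, not part of the original comments or of Tor's own code: a small Python triage of a log in the format pasted above, which groups the repeated SocksPort warnings and reports whether each non-loopback listener actually opened or failed to bind. The sample lines are constructed, using the documentation address 203.0.113.7 and an assumed local listener on 127.0.0.1:9150.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the log format pasted above. 203.0.113.7 is a
# documentation address and 127.0.0.1:9150 an assumed local listener.
SAMPLE_LOG = """\
12/12/18, 04:09:23.768 [WARN] You specified a public address '203.0.113.7:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.770 [NOTICE] Opening Socks listener on 203.0.113.7:8800
12/12/18, 04:09:23.771 [WARN] Could not bind to 203.0.113.7:8800: Can't assign requested address
12/12/18, 04:09:47.233 [WARN] Controller gave us config lines that didn't validate: Failed to bind one of the listener ports.
12/12/18, 04:10:01.000 [NOTICE] Opening Socks listener on 127.0.0.1:9150
"""

LINE_RE = re.compile(r"^\S+ \S+ \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
PUBLIC_RE = re.compile(r"You specified a public address '(?P<addr>[^']+)' for (?P<opt>\w+)")
OPEN_RE = re.compile(r"Opening (?P<kind>\w+) listener on (?P<addr>\S+)")
BIND_RE = re.compile(r"Could not bind to (?P<addr>.+?): (?P<why>.*)")


def is_loopback(hostport):
    """True only if the host part is a literal loopback IP address."""
    host = hostport.rpartition(":")[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames are treated as not provably local


def triage(log_text):
    """Collapse the repeated log lines into one record per address."""
    report = {"exposed": Counter(), "bind_failed": {}, "listeners": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if (p := PUBLIC_RE.search(msg)):
            report["exposed"][(p["opt"], p["addr"])] += 1
        elif (o := OPEN_RE.search(msg)):
            report["listeners"].add(o["addr"])
        elif (b := BIND_RE.search(msg)):
            report["bind_failed"][b["addr"]] = b["why"]
    return report


def classify(report):
    """Label every address seen: local-only, exposed, or failed to bind."""
    seen = report["listeners"] | {addr for _, addr in report["exposed"]}
    verdicts = {}
    for addr in seen:
        if is_loopback(addr):
            verdicts[addr] = "local-only"
        elif addr in report["bind_failed"]:
            verdicts[addr] = "non-loopback, bind failed: " + report["bind_failed"][addr]
        else:
            verdicts[addr] = "non-loopback, listening"
    return verdicts


if __name__ == "__main__":
    for addr, verdict in sorted(classify(triage(SAMPLE_LOG)).items()):
        print(addr, "->", verdict)
```

"Can't assign requested address" is the operating system reporting that no local interface holds the address the listener was configured with, so that listener never opened.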

Anonymous

December 11, 2018

Defect seems to be fixed.

Earlier, after installing Tor Browser 8.0.4 (Apple macOS), the browser screen resolution was 1000 Wide x 990 High, with all browser settings affecting screen resolution at their default-standard settings, but with configuration View/Toolbars/✓Bookmarks Toolbar.

Apparently, bokim, gk, and/or the tbb team implemented a fix because now the browser screen resolution is correctly 1000 Wide x 1000 High with all Tor Browser settings affecting screen resolution at their default-standard settings, except for configuration View/Toolbars/✓Bookmarks Toolbar.

Thank you very much for this fix.

Ticket #27845

No, it does not look like it is fixed.
Still counting different sizes, like these on retina screen with different resolution settings possible (dock visible or not does not matter anymore in case of renewing circuits).
2000 x 1148, 2000 x 1348, 2000 x 1548, 2000 x 1948 (cut them out by hand so maybe one or two pixels difference could be possible.)

Still (at least) 4 different standard windows sizes depending on your resolution settings.
Maybe someone else can test them on a non-retina macbook with all the 5 different standard resolution settings.

Hi GK,

Let's take some pictures with it, see this apple reference page (2 images)
https://support.apple.com/en-us/HT202471

Like Torbutton slider, Apple has an easy slider function available to adjust screen settings.
It will give 4 or 5 options.

It'll be usually in the middle 'default' option.
But not everybody will have the eyes of an 'american eagle', so it can be that someone is taking one of the options left for "larger text" while others (with good eyes, or glasses) take the "More space" (higher resolution) on the right.

I tested them all (5) and made many screenshots (forgot to write down which window size was matching which screen res) and got different size results as reported earlier (with clean 8.04, and in an earlier post with a historic torbrowserversion).
Steps: Adjust screen resolution, renew torcircuit (or open new window) in torbrowser after every resolution change (make screenshots " shift cmd 4 spacebar on windows selection and click).
And you will end up with different sizes.

I guess the biggest difference will be in comparison lowest res and highest res.
Lowest res will of course give you less space on the screen (mine were tested on a 15inch retina) but you can imagine that you will get different results on an 11 inch macbook air (or 12 inch) with a 1366 by 768 native resolution.
Or even on a 13 inch macbook with a 1440 by 900 native resolution.

Apple has a lot of (supported) models that are still working, macbook air, macbook, macbook pro, 11inch, 12inch, 13inch, 15inch, and last but not least with or without retina resolutions.

So sometimes the size of the mac does not allow to have a vertical screen resolution of 1000 or even 1080 pixels because it is just not available and you will get a landscape sized torbrowser window.
When you do have enough pixels in the 'macbag' (with retina and highest resolution available) then you will get a portrait mode torbrowser window.

But, yes, it does not matter anymore if you have the dock collapsed or visible.
It'll give the same window size anyway which was not the case with older versions.

Hope you have enough Mac's around, :-)

Other remarks
1) Your security and privacy is not only depending on Torbrowser.
It depends on your system, your behavior and Apple.

The basic one 'everyone always everywhere forgets' (in any situation) is 'the beginning situation' : just starting using that Mac (or any program or app) right out of the box.
Most problems are created by this out-of-the-box behavior instead of this technical torbrowser issues or windows size fingerprinting.

Please people : open your system preferences pane and look at all the privacy settings!
It will be good for your privacy and security (if you do something with it).

There is (was) a lot of Bing (Microsoft search on your system), or Google around and on top of it all (!) the real time syncing with the iCloud.
It just does not (totally) make sense to anonymously download or save information with torbrowser and directly/automatically put all these documents and information on apple (icloud)servers and then syncing it with all your other (more insecure?) devices.
The weakest point is not your torbrowser but one of your easier accessible other devices or even some sort access to iCloud or just a copy of the iCloud files ('Hi apple may we have a copy of that iCloud backup?).

I, should say ; leave your privacy important files on your protected mac, disable iCloud syncing and look at all the available privacy and security settings on your mac (they are there and waiting for you to do something useful with it!).

Same story with using other programs : look at the preference settings!
Same story with apps : look at the preference settings and what they are allowed to, otherwise they (maybe) steal that information that you got with torbrowser on the mac and synced with iCloud to that device with all these information stealing apps on it.

Mac's are quite safe but the devil is in the iphone/ipad app's details, or even fake app details.
I think you should worry about this (iCloud syncing and spy-app's stealing) above window-size fingerprinting.

Please : never forget anymore, look at what you are allowing programs and app's by at least looking at the preference settings before use (or otherwise asap afterwards).
It's better for your privacy, security and even will save you some money because you do not have to hire someone else to fix things again (but what you have lost cannot be fixed! Gone with the wind).

2) Tails Torbrowser question, does anyone know how to make a screenshot of a torbrowser window in Tails with a mac keyboard?

So, am I understanding you right that none of the 5 Apple settings you choose give you a properly rounded Tor Browser window? Or are there just some of those that behave that way? Like: do the default settings work and just the scaled ones not?

After installing the update the Tor Browser did not restart. When I tried to open it via my shortcut, I received a notification that the shortcut no longer exists.
I uninstalled everything and downloaded from the website. I used the "run tor browser" option as the update completed and the browser would again not open.
I restarted my laptop and this time tried the shortcut, and again was told it did not exist.
I reinstalled 8.03 and the shortcut works fine. I again updated and once again the browser would not open.

I have the same issue. New install of torbrowser-install-win64-8.0.4_en-US on a Win10 machine.
The error I get is "The item 'firefox.exe' that this shortcut refers to has been changed or moved."
My install folder for Tor Browser does not have firefox.exe.

Anonymous

December 12, 2018

There is a known issue that tor-browser detects system. E.g. in ip-check.info with JS enabled it is:
Mozilla/5.0 (X11) 20100101 Netscape (en-US)
However, now also 32/64 bit is detectable, localtime is detectable, and, I suspect, also timezone:
Linux x86_64 Linux x86_64 (Wed Dec 12 2018 18:51:57 GMT+0000 (UTC))
Is it a new feature?

Second question: is it safe to disable NS if JS is disabled in about:config and security slider is at safest value?

It does not detect your local time. It always returns UTC (wherever you are). And the difference between 32/64 is not detected by that test. The values are set to always x86_64.

We need NoScript for a bunch of features on the slider. So, no, just disabling JavaScript in about:config and getting rid of NoScript is not a good idea.

Anonymous

December 13, 2018

I'm not sure what I'm doing wrong but I can't keep orbot connected it will connect for like a minute then it disconnects I've tried everything I can think of I'm no pro I'm still learning some tricks but I'm all out now I need some pro help

Anonymous

December 13, 2018

We need NoScript for a bunch of features on the slider. So, no, just disabling JavaScript in about:config and getting rid of NoScript is not a good idea.

Is it described somewhere? I am shocked. javascript.enabled is about disabling JS on pages loaded from internet. NS is about filtering these JS requests from pages loaded from internet. Why do you use NS for your internal purposes when JS is disabled in the browser completely? I cannot understand your design choice. It breaks natural logic.

Another question: If I put my security slider at "safest", is it ok to set javascript.enabled to false to be sure? Can it be harmful at "safest" setting?

We strongly discourage flipping javascript.enabled and similar preferences in your about:config as there is the risk that users are ending up with unique preferences combinations that make them stick out for fingerprinting purposes or they forget about those and wonder why the browser is broken.

Rather we introduced the security slider idea quite a while ago which is using NoScript functionality to provide 3 different levels of security settings to a) provide a more secure environment for users that feel they need that while b) avoiding the fingerprinting risk as good as possible.

Sure, this is documented on our design doc (which we still need to update for 8.0, though :( ): https://www.torproject.org/projects/torbrowser/design/#other-security.

Sure, this is documented on our design doc

So, it says:

High: This security level inherits the preferences from the Medium level, and additionally disables remote fonts (noscript.forbidFonts), completely disables JavaScript (by unsetting noscript.globalHttpsWhitelist), and disables SVG images (svg.in-content.enabled).

I'm not so newbie, I know what I'm doing & I will not forget about it. I have separate tor-browser with safest slider value. I wonder what it will change if I additionally also disable javascript.enabled. I shouldn't get any new fingerprinting issues if I disable JS on "JS-disabled" (slider=safest) browser, isn't it? If not, what's the difference?

Anonymous

December 13, 2018

8.0.x
Tor Browser does not terminate correctly. After closing the prog RAM consuming is still increasing and finally it crashes with a system message. This happens since 8.0.0, happened on some earlier versions too. Happens in vmware ws and win host, doesn't matter. Have to stick on 7.5.6.

Tor Browser is unmodified, no changes in about:config, no add-on. Reproducible ? Of course it is, any time. I just start the browser, wait until it gets connected, then close, wait several seconds and then the unwanted system messages appears.
After termination with process explorer one can see memory is still increasing beyond +250k.
As I said, same problem with some 6.x. and 7.x versions. Can't remember which ones.
7.5.6 works fine.

Anonymous

December 13, 2018

I've noticed some alarming things about 8.0.4.

I thought TBB shipped with all the settings set to their safest, but I had to change all these:
1. uncheck all Allow boxes on NoScript's Default tab to ensure nothing is allowed. All boxes had been checked.
2. change TBB's Security setting to SAFEST, it had been on the lowest setting.
3. in about:config change javascript.enabled from True to False.

Aside from having three issues, the most alarming aspect is that ALL the Allow boxes were checked on NoScript's default tab when I installed TBB. Clicking on NoScript's Reset (to change its settings back to their defaults) results in only three boxes being checked (frame, fetch and other) on the Default tab.

So the default for the Default tab is to allow 3 things, but TBB shipped with all boxes checked. This means that it's not like the plain vanilla NoScript just accidentally shipped in TBB, someone had to check all those boxes.

Does anyone else see this as a major issue? Many people could be endangered by this.

The default level in Tor Browser means that it is the most permissive to minimize breakage on the web. Because as a reaction of breakage users typically think that the browser is not working properly and they take a different one, eg. Firefox and that's bad news for them with respect to tracking and anonymity. That's why NoScript on that level is basically doing nothing. We use NoScript however to adjust security settings on the higher levels ("safer" and "safest").

Anonymous

December 14, 2018

Since 8.0.x I'm often getting "400 Bad request" when searching with DuckDuckGo (the default search provider in Tor Browser). This usually happens when searching for the first time in a session, or after some time has passed since the last search. I don't know if this is a fault with the DDG search plugin in the Browser (client-side), or with their server. But if my memory is right this issue appeared only with 8.0.x, so I assume something is not "lined up" properly anymore.
Does anyone else experience this?

Anonymous

December 14, 2018

In the last few versions Tor Browser (Linux) has performance issues at higher security settings. The problem appears in at least two ways: 1) the browser takes quite longer to start while consuming all of the available CPU resources; 2) while running it randomly freezes for a few or more seconds, also consuming all of the available CPU resources. The issue becomes apparent at the "Safer" setting, and becomes more annoying at the "Safest" setting (much longer starts as well as freezes).

Anonymous

December 14, 2018

I am sorry that I have to comment on this matter again but what you say users of 8 0 4 will see when checking according to your own instructions is NOT what I have found.

When I pointed out this phenomenon under 8 0 2 or 8 0 3 I was told that the differences were attributed to my computer (I think). However, to my mind, no matter how my computer is set up I believe that there is certain information that should not vary between what you say I will see and what I do see.

For example, you say:
“After importing the key, you can verify that the fingerprint is correct:
gpg.exe --fingerprint 0x4E2C6E8793298290
You should see:
pub rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096/0xD1483FA6C3C07136 2016-08-24 [S] [expires: 2018-08-24]
Key fingerprint = A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
sub rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
Key fingerprint = 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

What I do see is:
pub rsa4096 2014-12-15 [C] [expires: 2020-08-24]
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096 2018-05-26 [S] [expires: 2020-09-12]”

In your (above) wording there are two Key Fingerprints which do not appear at all in the text I get.
Why, I downloaded gpg version 3.1.5 from the site you specified?

ALSO

When verifying the package signature, you say that users should see:
“gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg: using RSA key 0xD1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
Currently valid subkey fingerprints are:
1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

What I and no doubt others get is:
“gpg: Signature made 12/10/18 15:19:22 GMT Standard Time
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

In the above even the RSA keys do not tally! Surely, irrespective of a user’s machine, when the user gets the verification software (GPG) from the indicated source, something as basic as the signing key should match what you say it will be.

It is only with Tor 8 that I have seen this problem. Whenever I checked a download of TOR 6 or 7 what I got always tallied exactly with what you said. I have not changed machines between TOR 6 and 7 and TOR 8.

Anyway, thanks for the work done by you and your colleagues in helping internet users.

The subkeys that you don't see printed out, it could be due to how gpg works on different operating systems? (just a guess) You could run the command with --verbose.
In your second problem, there is this part:

Currently valid subkey fingerprints are:
1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

and that's exactly the key you see being used - you quoted it yourself:

gpg: Signature made 12/10/18 15:19:22 GMT Standard Time
gpg: using RSA key EB774491D9FF06E2

Notice that this is the same key as above, just displayed in shorter form (start comparing them from the end)
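
Added example, not part of the original comments or of the Tor Project's instructions: a Python check of the comparison described above, run over the `gpg --verify` text the commenter reported and the fingerprints quoted from the instructions. It confirms that the key ID on the "using RSA key" line is the tail of one of the listed subkey fingerprints and that the primary key fingerprint matches; the function names are this example's own.

```python
import re

# Fingerprints as quoted in the comment above from the project's instructions.
PRIMARY_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"
SUBKEY_FPRS = [
    "A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136",
    "1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2",
]

# gpg --verify output as the commenter reported seeing it.
REPORTED_OUTPUT = """\
gpg: Signature made 12/10/18 15:19:22 GMT Standard Time
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2
"""


def norm(hexstr):
    """Drop whitespace and any 0x prefix, upper-case: one canonical hex form."""
    s = re.sub(r"\s+", "", hexstr).upper()
    return s[2:] if s.startswith("0X") else s


def key_id_matches(key_id, fingerprint):
    """A v4 long key ID is the last 16 hex digits of the fingerprint, so the
    comparison starts from the end. 8-digit short IDs are rejected."""
    kid, fpr = norm(key_id), norm(fingerprint)
    return len(kid) in (16, 40) and fpr.endswith(kid)


def check_verify_output(text, primary=PRIMARY_FPR, subkeys=SUBKEY_FPRS):
    good = re.search(r"^gpg: Good signature from ", text, re.M) is not None
    used = re.search(r"^gpg:\s+using \w+ key (\S+)", text, re.M)
    prim = re.search(r"^[ \t]*Primary key fingerprint: (.+)$", text, re.M)
    sub = re.search(r"^[ \t]*Subkey fingerprint: (.+)$", text, re.M)

    primary_ok = bool(prim) and norm(prim[1]) == norm(primary)

    # Prefer the full subkey fingerprint; fall back to the key ID line.
    signer = sub[1] if sub else (used[1] if used else None)
    signing_subkey = None
    if signer:
        for fpr in subkeys:
            if key_id_matches(signer, fpr):
                signing_subkey = fpr

    # The key ID line and the subkey fingerprint line must name the same key.
    consistent = not (used and sub) or key_id_matches(used[1], sub[1])

    return {
        "good_signature": good,
        "primary_ok": primary_ok,
        "signing_subkey": signing_subkey,
        "consistent": consistent,
        "ok": good and primary_ok and signing_subkey is not None and consistent,
    }


if __name__ == "__main__":
    for field, value in check_verify_output(REPORTED_OUTPUT).items():
        print(f"{field}: {value}")
```

For scripted verification, the machine-readable lines from `gpg --status-fd` are a sturdier input than this human-readable text, whose layout varies between gpg versions.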

Thanks for your guesses but I don't follow what you say or its logic.

In the first part could you pls clarify what you mean by: You could run the command with --verbose?

I was pointing out that in my first part the two Key Fingerprints are missing and in the second part that the RSA keys do not match.

Are you saying (and could GK please confirm this) that the “Key Fingerprints” and the RSA keys are irrelevant and that the Subkey fingerprints matching is the only thing to check for in order to verify that the downloaded package is OK?

Thanks

Anonymous

December 14, 2018

hi so i logged on my computer one day and tor refused to work i undownloaded and reinstalled it and then my mcafee says it's trying to change something in my computer and it has been quarantined for safety, why is this? it was working perfectly fine not even a week ago
