New Release: Tor Browser 8.0.5

by boklm | January 29, 2019

Tor Browser 8.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This new release updates Firefox to 60.5.0esr and Tor to the first stable release in the 0.3.5 series, 0.3.5.7.

It contains a number of backports from the alpha series, most notably the proper first-party isolation of range requests when loading PDF documents.

We also updated NoScript and HTTPS Everywhere to their latest versions and removed our donation campaign related code.

The full changelog since Tor Browser 8.0.4 is:

  • All platforms
    • Update Firefox to 60.5.0esr
    • Update Tor to 0.3.5.7
    • Update Torbutton to 2.0.10
      • Bug 29035: Clean up our donation campaign and add newsletter sign-up link
      • Bug 27175: Add pref to allow users to persist custom noscript settings
    • Update HTTPS Everywhere to 2019.1.7
    • Update NoScript to 10.2.1
      • Bug 28873: Cascading of permissions is broken
      • Bug 28720: Some videos are blocked outright on higher security levels
    • Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading
    • Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
    • Bug 28695: Set default security.pki.name_matching_mode to enforce (3)

Comments

Please note that the comment area below has been archived.

January 29, 2019

Permalink

hello

Tor Browser for Android is still an alpha release while this one is a stable release. So, no. But we'll release a new alpha version today which will contain an update to Tor Browser for Android as well.

January 30, 2019

In reply to gk

Permalink

Can you offer any information on Android system requirements for the forthcoming stable release? E.g. you need a model later than a certain model...

January 29, 2019

Permalink

I wonder why I've never seen the "donation campaign". Or does this refer to text on the restart page (after a TBB update)?

a minor 'issue'...

January 29, 2019

Permalink

feature request: please block the "your firefox browser is out of date" tab, since tor has a separate updater system

January 29, 2019

Permalink

It contains a number of backports from the alpha series

Patches from unstable to stable are uplifts (not backports) ;)

According to wikipedia "Backporting is the action of taking parts from a newer version of a software system or software component and porting them to an older version of the same software". So it seems to me backports is the right word here.

January 30, 2019

In reply to boklm

Permalink

Kidding? That's true for released versions, e.g. backporting from stable to oldstable, but not for pre-release/alpha/beta/etc.

February 02, 2019

In reply to boklm

Permalink

Note that

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable.

January 29, 2019

Permalink

After restarting from 8.0.4 into 8.0.5, "about:tor" and Menu --> Help --> "About Tor Browser" say "8.0.4". Each time I fully close TBB and reopen, a progress bar says, "Tor Browser is installing your updates and will start in a few moments..." before the progress bar for connecting to network.

NoScript says "10.2.1"
HTTPS-Everywhere says "2019.1.7"

January 29, 2019

Permalink

[The post about Tails 3.12 does not allow user comments/queries so I am trying to post my question here.]

Urgent question about Tails 3.12:

Quite suddenly Tails Project introduced a new download procedure which is causing problems; some including me cannot DL the image at all. A few weeks ago Tails offered a testing version and without explanation said "there is no cryptographic signature for this release". The post introducing the production version of Tails 3.12 doesnt even mention cryptographic signatures.

Should we conclude that Tails was suddenly handed an NSL with a gag order saying that they cannot legally offer Tails anymore together with cryptographic authentication? So that Tails USB image is valid when it leaves the DL server but when it arrives, has been altered in transit by NSA?

Please, please, please explain how to cryptographically authenticate this USB image!

Please put the DL explanation in a single html page with no bells and whistles because my Tails 3.l1 (burned from the DVD which I authenticated using the signing key which I believe I have verified is authentic) somehow cannot handle that tutorial.

Thanks, I'll try that! The sig must be different for the USB image and the DVD image, yes?

Fortunately, Tails is still providing ISO images for burning to a DVD with a detached signature which verifies (but I'm having a problem authenticating the subkey used to make the signature).

Another thing which puzzles me is that their description of what appears to be the "standard method" of updating a Tails USB seems to differ from what I have been doing (use Tails Installer to make a USB from Tails booted from a verified DVD), and I suspect this might mean their description is ambiguous, not that I have been doing it wrong all along.

Tested using the verified Tails 3.12 DVD ISO to burn a DVD, boot from that, and then using Tails Installer to make a Tails 3.12 USB stick with Persistent Volume the old way, and it works fine, and IMO is easier than the long method using dd etc. I hope Tails Project does not disable the old download, verification, and authentication methods, or remove Tails Installer.

January 30, 2019

In reply to boklm

Permalink

Oh my goodness, thank you so much, this link is just what I needed!

The problem was that I somehow could not reach that page from the "step by step tutorial" (?) at tails.boum.org. If Tails Project had simply given that URL in the announcement post in the Tor Blog, I would have been able to read the instructions without any problems. IMO their tutorial causes more issues than it solves--- sometimes simpler methods of making required information easy to find are better than trying to do something fancy.

January 30, 2019

In reply to boklm

Permalink

Happy to report everyone can still use the tried and true old procedure to

o download the Tails 3.12 ISO image for a DVD

o verify the detached signature

o verify the signing subkey used to make same

Further, it seems "Tails installer" is still available in Tails 3.12. I hope to confirm that it can be used to upgrade a Tails USB the old easy way and also to try the new hard way to make a Tails USB.

I do not understand why Tails Project apparently deprecates Tails Installer.

January 29, 2019

Permalink

Suggestions:

Optional latency would be an easy way to improve security. Opening pages on new tab (or file downloads) could be set non-urgent. Relays would delay these, especially guard would use "dam" to make traffic to client random or generic. User might hurry up these by activating any (color-marked) "slow tab". For uploads exit node would have a dam as well, or more like cache.

Another improvement, a costly one would be slave ideally for each relay, a small computer in sealed case with electronic antispy protection provided by a different organization. Incoming packages are given to slave which mixes them (and controls dams) before giving back, adding another layer of security without significant slow-down.

Maybe multiple and changing routes could also be considered?

Too bad the makers of the Pi did not adopt Debian for ARM as their OS, thus preventing Tor Project from being able to easily help Tails Project put the forthcoming Tails Server on a Pi.

It would be wonderful if community minded hardware people would try to launch something like the Pi Project, but using Debian for ARM devices, and ideally incorporating security seals (we don't want NSA to "interdict" and mess with shipments from the maker to individual device owners), paying attention to supply-chain concerns (we don't want CN government spooks to mess with the chips before they even reach the maker), etc.

January 29, 2019

Permalink

TypeError: hostName is null[Learn More] security.js:55:9
_getSecurityInfo chrome://browser/content/pageinfo/security.js:55:9
securityOnLoad chrome://browser/content/pageinfo/security.js:179:14
onmessage chrome://browser/content/pageinfo/pageInfo.js:372:5

January 29, 2019

Permalink

05:57:23.786 this.browser is null 1 ext-tabs-base.js:298
get frameLoader chrome://extensions/content/ext-tabs-base.js:298:5
get frameLoader chrome://browser/content/ext-browser.js:605:5
get width chrome://browser/content/ext-browser.js:678:5
convert chrome://extensions/content/ext-tabs-base.js:579:7
get chrome://browser/content/ext-tabs.js:572:18
next self-hosted:1214:9
get self-hosted:977:17
call/result< resource://gre/modules/ExtensionParent.jsm:772:57
withPendingBrowser resource://gre/modules/ExtensionParent.jsm:427:26
next self-hosted:1214:9
call resource://gre/modules/ExtensionParent.jsm:771:20
next self-hosted:1214:9
torbutton_send_ctrl_cmd chrome://torbutton/content/torbutton.js:753:10
torbutton_do_new_identity chrome://torbutton/content/torbutton.js:1126:10
torbutton_new_identity chrome://torbutton/content/torbutton.js:850:9
oncommand chrome://browser/content/browser.xul:1:1

Hm. I tried to reproduce that by doing "New Identity" after I started the browser on the about:tor page but was not able to trigger that exception. What else do I need to do to do so (reliably)?

January 29, 2019

Permalink

06:08:31.606 [NoScript] Could not run scripts on about:tor: privileged page? Error: Missing host permission for the tab Missing host permission for the tab 1 log.js:12:62
error moz-extension://[NoScript]/lib/log.js:12:62
moz-extension://[NoScript]/ui/popup.js:131:9

How does one trigger that (and the other debug output that got posted here)? Without some context it's not really possible for us to work on those problems and they get ignored rather than fixed or logged in our bug tracker.

January 31, 2019

In reply to gk

Permalink

Oh, I thought they were ignored as you didn't think they were real errors or errors worth fixing. Because if you'd logged them in our bug tracker, cypherpunks'd help you.

Helping is appreciated but a bug logged just with some weird exception without steps to reproduce is not helpful. I'd like to double-check whether I can reproduce those. We might be able to solve them faster that way.

February 01, 2019

In reply to gk

Permalink

It is on Windows with Safest settings: 1) Page Info of about:tor, 2) New Identity, 3) NoScript icon of about:tor.

January 29, 2019

Permalink

06:10:15.298 Error: No handler registered for message "broadcastSettings" in context moz-extension://[NoScript]/ui/options.html 1 Messages.js

January 29, 2019

Permalink

> Bug 27175: Add pref to allow users to persist custom noscript settings
Instead of adding dangerous settings, maybe, you make NI clear the temp trusted domains finally?

January 29, 2019

Permalink

TypeError: win.gBrowser is undefined[Learn More] ProcessHangMonitor.jsm:412:9
Ignoring response to aborted listener for 3509

January 29, 2019

Permalink

Hello, I replied to this blog post a short time ago writing that my restart from 8.0.4 was saying 8.0.5, and the updater progress bar was reappearing. Turns out there was only 60 MB on the partition. When I made space, the "bugs" were gone. My first reply has not been approved by the comment moderator to show up yet, so you don't have to approve it since I guess the problem was resolved and my fault, not yours.

January 30, 2019

In reply to gk

Permalink

Windows 7 Thin PC x86 (VirtualBox 6.0.4 guest OS)
Still crashes. Older version (7.x) has an application error. https://i.imgur.com/LOMmPJo.png
I don't know why this crash is happening. There is no other problem than that test.
I am not good at English so I cannot tell you more. Thank you.

January 29, 2019

Permalink

I liked how per-site settings in NoScript's old architecture were handled but after reading the cons stated in https://trac.torproject.org/projects/tor/ticket/27175 I have decided to embrace NoScript's new architecture and will not enable the pref to persist custom noscript settings.

I think the standard security setting in tor browser is too permissive so I have set the security slider to safest but that got me thinking: If I leave tor browser in its standard configuration and only adjust the security slider does that make me more fingerprintable (and are there actually any guidelines about which settings can be adjusted without making myself more fingerprintable)?

"More fingerprintable" is a tricky concept. The recommended way is as you did to adjust the security slider and leave all the other settings and preferences alone. That gives you the fingerprint of the group of people using the slider level you chose. The idea is that you hide in the crowd that uses that particular level instead of sticking out with your homegrown customizations. The three crowds corresponding to the three security levels might not be equally sized but each particular crowd is very likely still a crowd and thus protecting you from getting singled out.

January 31, 2019

In reply to gk

Permalink

IMO "safest" should be the security slider default, with users advised to drop down a level if they have problems, and to consider dropping to the lowest level only if they have asked themselves whether they really need to look at that video, etc.

> make a safe web

Right, that's what we all want. I was arguing that given the array of technical threats we face, of the following alternatives, the second makes more sense:

o start with slider at "standard" (least protections) and suggest users try increasing the setting whenever they "feel paranoid",

o start with slider at "safest" and suggest users try dropping down as required to make a particular website work, or to consider giving that website a pass.

The choice is between encouraging unthinking unsafe behavior, and encouraging users to make smart choices about how they use TB to surf the web. The second alternative is IMO more consistent with overall Tor Project guidance to users.

January 29, 2019

Permalink

The linux version of the browser regularly freezes (eats up all available CPU and is not responsive) at higher security levels, with longest freezes by far occurring at the highest (safest) security level. The browser startup can also take much longer at higher security levels (about half a minute or more) while eating up all available CPU.
I've tried disabling NoScript to see if that's the source of the problem but the freezes keep occurring.
This issue has been present in previous 8.0.x versions.

How long does a startup take for you on the default level? Do you see anything useful in the terminal if you start Tor Browser with ./start-tor-browser.desktop --debug? Is that 32bit or 64bit? Which locale?

January 30, 2019

In reply to gk

Permalink

I've figured out it's caused by uBlock Origin, my apologies.

For what it's worth, with uBO enabled the startup takes about 4 seconds on the default ("Standard") level, and over 1 minute on the middle and highest security level. With uBO disabled the startup takes about 4 seconds on the lowest level and about 10 seconds on the highest level.

The debug output had the following line only when I ran it at higher security levels ("Safer" and "Safest") with uBO enabled:

JavaScript error: jar:file:///path/to/tor-browser/Browser/omni.ja!/components/nsPrompter.js, line 339: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDOMWindowUtils.isParentWindowMainWidgetVisible]

This is on a 64bit system.

At least now I know to disable uBO at higher security levels.

January 30, 2019

Permalink

Since I installed this new version (8.0.5), the Telegram application doesn't work and it can not connect to its servers... I get used to use SOCKS when I use Telegram, but it doesn't work at all! So, please check the problem and solve it asap... THIS IS A MAJOR ISSUE!

January 30, 2019

Permalink

Hello there and thanks for this,
this new release works great, no problem for now.

However I have a question. I was wondering if you have any plan to solve the "problem" with screen dimensions fingerprinting. Do you think will ever be possible to surf the web with Tor Browser in full screen mode without being fingerprinted by trackers and third party actors? Many friends and relatives (whom I suggest to use Tor Browser) find this specific aesthetic aspect of TB pretty weird. I am not an expert in design and UX but I have the impression that this is a big hurdle for TB adoption on a mass scale.

Thanks for listening.

Hi there and thanks for your messages.

As you surmise browser fingerprinting by window resolution is a tricky topic. It might be more useful to consider the threat that your friends face, which in this case appears to be about hiding from advertisers and data slurpers. In that case I don't think that browser size poses a huge threat, especially if your friends don't link their true identities to their browsing sessions (like signing into Facebook).

If you think about it, it's more beneficial for them to use Tor and have some of the protection that it can afford, rather than not using it at all. Even if that means sharing a little more info which can be used for fingerprinting.

Thanks for TBB!!

Surfing with regular Firefox sucks with sites showing you being tracked even with privatebrowser enabled through multiple profiles, accounts on same computer. You can clear all your data/cookies etc and this site still tracks whatever name you throw at it. in normal and private mode.
I wonder how many Unique ID method's it uses to continue to track you even after rebooting your PC, clearing all data,cache,cookies,storage etc from browser.

Website can also track you across multiple profiles and across multiple accounts on your computer. Just thought it was pretty crazy bruh.

Before you say, yeah but u allowed javascript to run on that page.. well thats the point. IT shows just how much of what we do is being tracked, imagine when you not on Tor(or on tor with javascript running, alot do that). and you got that itch that u think u safe.

I tested Chrome,Firefox,Safari,MS Edge and they all vulnerable to it.
Website seems to be just a Proof of Concept to show just that.

https://www.nothingprivate.ml

January 30, 2019

Permalink

Could you make it possible for users to anonymize the platform string, e.g. in about:config or in "Security Settings" window? By "platform string" I mean the platform field that panopticlick reports, such as "Linux x86_64".

Looking at the comments for the last few releases it seems that a lot of users prefer smaller fingerprint over the "convenience" of websites automatically recognizing their platform. In most cases this automatic recognition is either insignificant to the user or the user can manually choose the platform (such as on the Tor browser download page). I have never come across a website where at the same time platform recognition would be vital and the user could not manually specify it in some way (whether via some menu or setting or by navigating to the appropriate URL).

January 30, 2019

In reply to boklm

Permalink

I'm not suggesting that you should let users manually enter any platform string whatsoever, but that there could be an option to switch between actual platform (as it is now) and an anonymized one i.e. whatever the Windows 64 bit version has (like the current user agent string).

Or what about websites asking the user for permission to read the platform string, like it's done currently with canvas? If the user rejects then the anonymized version is supplied.
It's not ideal since the permission dialog box would probably trigger too frequently, but at least the user would have control over which site/page gets to read the platform string.

January 30, 2019

In reply to boklm

Permalink

If you get a chance, I think there would be community interest in a post describing current thinking inside TP on the problem of making it harder for our enemies to easily differentiate Tor circuits from other TSL bitstreams, and making it harder to differentiate Tor Browser from Firefox. Last I heard, these are unsolved problems.

January 30, 2019

Permalink

"Add pref to allow users to persist custom noscript settings"

Sorry, I'm a bit thick; but just exactly how do we select this NoScript persist pref? I can't find it anywhere...I think I'll go back to using the ScriptSafe addon instead.

BTW All this speculation that NoScript site-persistence gives rise to a usable fingerprinting risk is somewhat dubious and overblown--many easier ways of tracking TorBrowser users--and the risk of script-jacking is much greater and more dangerous, so why not just do away with script altogether if you're just worried about supposed fingerprinting... Has any researcher actually tried/proved tracking/fingerprinting users with their NoScript custom settings yet?

January 30, 2019

Permalink

how to get rid of the "Will you allow *.com to use your HTML5 canvas image data?" - dropdown
menu in urlbar (between i and the green icon)?

There is no permanent way to do that yet in the stable release, alas. We are currently testing a fix in the alpha which should make those doorhangers way less frequent as they are used to be. If this goes well you'll have that improvement in one of the next stable versions.

url is ok, tor blog, a grey icon is visible.
page info - permissions - extract canvas data = always ask.
i tried to find out how to set permissions globally, but about:permissions is gone.
i think the icon appears because of my about:config settings. in another TBB installation it is
not reproducable.
(after posting here your website is in a reload loop.)

January 30, 2019

Permalink

jabber pidgin My jabber client pidgin stopped connecting to the tor network after the last update.

January 30, 2019

Permalink

INSTEAD OF CHANGING THE OS PLATFORM STRING FOR BROWSER WHY NOT JUST CONVERT ALL USERS TO UNKNOWN OS? OR BLANK? OR JUST SOMETHING THAT ANY SERVER CAN RECOGNIZE LIKE DOS? HAHA

January 31, 2019

Permalink

Can't access https://www.torproject.org/ via TOR Browser (previous version) for at least 24 hours. Anyone else having similar issues? (don't have any issues with accessing other sites, including this one)

Looks like some DNS issue, getting error:

"Unable to connect

Firefox can’t establish a connection to the server at www.torproject.org."

February 08, 2019

In reply to gk

Permalink

Thank you for reply!

No update errors there since it downloading update from https://cdn.torproject.org/ and not from https://www.torproject.org/

But I need full new version "torbrowser-install-8.0.5_en-US.exe" and not "tor-browser-win32-8.0.4-8.0.5_en-US.incremental.mar"

I was trying to replace file name in URL to grab it from there, but got Error 404.

Is there any official verified alternative location for full version?

We have the latest bundles at https://dist.torproject.org/torbrowser/ as well, in case just www.torproject.org is blocked. However, if you already have a Tor Browser it should auto-update you to the latest version. Thus, I am a bit confused why you need a new version downloaded from the website to update.

Is www.torproject.org the only website that is blocked for you?

February 14, 2019

In reply to gk

Permalink

> However, if you already have a Tor Browser it should auto-update you to the latest version. Thus, I am a bit confused why you need a new version downloaded from the website to update.

I prefer to have multiple (separate) versions of TOR browser in case something went wrong with latest one or some issues will appear (had such problems in past). In that case I don't have to rollback and can simply run previous version for site which having issues with latest version while it fixed in next version.
Hope I explained clear enough. :)

> Is www.torproject.org the only website that is blocked for you?
Yep don't have any issues with reaching any other sites but still can't reach it through TOR Browser... (so confused why it can happened DNS queries comes through TOR as well).

But link you gave me working without any issues, thank you so much! :)

January 31, 2019

Permalink

https://www.whoishostingthis.com/tools/user-agent/ reports different values for "screen resolution" and "browser window size" (e.g. 1000x700 and 989x700, respectively). I did not resize the browser window prior to this.

My guess is that it's because of the scrollbar, meaning that the website can detect the width of user's scroll bar. This width might be different on different systems, graphical toolkits, desktop environments, etc., increasing the fingerprint.

January 31, 2019

Permalink

Ooops!

No 'Site Identity button' on the left side of the URL bar and nothing in 'customize' either. I haven't seen it it the last few iterations of the TBB and I thus thought it had been eliminated.

Please help...

February 01, 2019

Permalink

I recently updated from Tor 8.0.4 to 8.0.5 and can no longer add or delete bookmarks. I have been unable to restore html format or backups or json format bookmarks. This seems to be a bug in the 8.0.5 update.

February 02, 2019

Permalink

Tor doesn't start after pressing 'Restart Tor' button on Windows (no AV/FW, just Tor Launcher bug):

[02-02 11:32:32] TorLauncher NOTE: _startTor error: [scrubbed]
[02-02 11:32:39] TorLauncher NOTE: failed to open authenticated connection: [scrubbed]
[02-02 11:34:48] TorLauncher NOTE: Event monitor read error [scrubbed]
[02-02 11:34:48] TorLauncher NOTE: Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system, or faulty hardware. Until you restart Tor, the Tor Browser will not able to reach any websites. If the problem persists, please send a copy of your Tor Log to the support team.

Restarting Tor will not close your browser tabs.
[02-02 11:34:54] TorLauncher NOTE: failed to open authenticated connection: [scrubbed]

I tried that but Tor still gets restarted and boostraps correctly. Here is what I did:

1) I launched Tor Browser
2) During the bootstrap process I clicked on "Cancel" to halt it and to have time to kill the Tor process
3) I killed the process and the restart button appeared
4) I clicked the button and Tor bootstrapped properly after a while.

February 05, 2019

In reply to gk

Permalink

If you can't kill tor during tbb launch, try:
kill tor after tbb launch,
small window will appear with restart/OK, press restart and
during restart tor press Cancel,
kill tor again,
then press restart tor in a big window.

February 02, 2019

Permalink

I get an error message. The site doesn't allow me to view it. (purplebricks.ca). What is the use of your browner if sites don't allow me to view them?

If sites don't allow access with Tor there is not much we can do besides asking/pressuring them in doing so, alas. But you can use Tor Browser for getting its privacy and security features on sites that *do* allow it. And those are the vast majority on the web.

February 09, 2019

In reply to gk

Permalink

And if you really really need to visit that particular site, you might consider buying a Raspberry Pi, a very inexpensive computer (the size of a package of cigarettes) which doesn't work with Tor but can be used to surf to the few places where Tor can't take you. You ISP and all the spooks will know where you surf with the Pi, but if you don't use it too much it might be safe.

February 03, 2019

Permalink

Why is the default for NoScript allowing all options?.. that's now more relaxed than trusted!!
Switching from off by default to on by default is dangerous.. and resets to that each time tor is started; surely this is not intentional by those with Tor's core interest at heart.
=> Linux: Tor 8.0.5 + NoScript 10.2.1 => Tools.Add-ons.NoScript[Preferences]

February 03, 2019

Permalink

Good!

February 03, 2019

Permalink

HTTPSE doesn't update its rulesets during update. Now it is of version 2019.1.7, but rulesets are from 2018.9.19.

February 04, 2019

In reply to gk

Permalink

It was an outdated Tor Browser 8.0.1 which updated automatically except rulesets.

February 04, 2019

In reply to gk

Permalink

No. It doesn't depend on restarts or add-ons' updates. You even can't force it to update. But, yes, I got rulesets updates the next time its check happened.

How do you check that the rulesets are not updated during the browser update? The UI in HTTPS-Everywhere seems only to indicate when the last update via the HTTPS-Everywhere *built-in* functionality happened. At least that's how I would read it.

Yes, we are aware of that shortcoming and are working on that. Stay tuned and sorry for the inconvenience of an update to the latest version after having downloaded this outdated one.

If you mean "how to disable javascript in Tor Browser", left click on the onion icon (top left corner of TorBrowser window), choose "Security Settings", then choose "Safest".