New Release: Tor Browser 8.0.5

Tor Browser 8.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This new release updates Firefox to 60.5.0esr and Tor to the first stable release in the 0.3.5 series, 0.3.5.7.

It contains a number of backports from the alpha series, most notably the proper first-party isolation of range requests when loading PDF documents.

We also updated NoScript and HTTPS Everywhere to their latest versions and removed our donation-campaign-related code.

The full changelog since Tor Browser 8.0.4 is:

  • All platforms
    • Update Firefox to 60.5.0esr
    • Update Tor to 0.3.5.7
    • Update Torbutton to 2.0.10
      • Bug 29035: Clean up our donation campaign and add newsletter sign-up link
      • Bug 27175: Add pref to allow users to persist custom noscript settings
    • Update HTTPS Everywhere to 2019.1.7
    • Update NoScript to 10.2.1
      • Bug 28873: Cascading of permissions is broken
      • Bug 28720: Some videos are blocked outright on higher security levels
    • Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading
    • Bug 28740: Adapt Windows navigator.platform value on 64-bit systems
    • Bug 28695: Set default security.pki.name_matching_mode to enforce (3)

Anonymous

January 29, 2019

I liked how per-site settings in NoScript's old architecture were handled but after reading the cons stated in https://trac.torproject.org/projects/tor/ticket/27175 I have decided to embrace NoScript's new architecture and will not enable the pref to persist custom noscript settings.

I think the standard security setting in tor browser is too permissive so I have set the security slider to safest but that got me thinking: If I leave tor browser in its standard configuration and only adjust the security slider does that make me more fingerprintable (and are there actually any guidelines about which settings can be adjusted without making myself more fingerprintable)?

"More fingerprintable" is a tricky concept. The recommended way is, as you did, to adjust the security slider and leave all the other settings and preferences alone. That gives you the fingerprint of the group of people using the slider level you chose. The idea is that you hide in the crowd that uses that particular level instead of sticking out with your homegrown customizations. The three crowds corresponding to the three security levels might not be equally sized, but each particular crowd is very likely still a crowd and thus protects you from getting singled out.

IMO "safest" should be the security slider default, with users advised to drop down a level if they have problems, and to consider dropping to the lowest level only if they have asked themselves whether they really need to look at that video, etc.

> make a safe web

Right, that's what we all want. I was arguing that given the array of technical threats we face, of the following alternatives, the second makes more sense:

o start with slider at "standard" (least protections) and suggest users try increasing the setting whenever they "feel paranoid",

o start with slider at "safest" and suggest users try dropping down as required to make a particular website work, or to consider giving that website a pass.

The choice is between encouraging unthinking unsafe behavior, and encouraging users to make smart choices about how they use TB to surf the web. The second alternative is IMO more consistent with overall Tor Project guidance to users.

Anonymous

January 29, 2019

The Linux version of the browser regularly freezes (eats up all available CPU and is not responsive) at higher security levels, with the longest freezes by far occurring at the highest (safest) security level. The browser startup can also take much longer at higher security levels (about half a minute or more) while eating up all available CPU.
I've tried disabling NoScript to see if that's the source of the problem but the freezes keep occurring.
This issue has been present in previous 8.0.x versions.

How long does a startup take for you on the default level? Do you see anything useful in the terminal if you start Tor Browser with ./start-tor-browser.desktop --debug? Is that 32bit or 64bit? Which locale?

I've figured out it's caused by uBlock Origin, my apologies.

For what it's worth, with uBO enabled the startup takes about 4 seconds on the default ("Standard") level, and over 1 minute on the middle and highest security level. With uBO disabled the startup takes about 4 seconds on the lowest level and about 10 seconds on the highest level.

The debug output had the following line only when I ran it at higher security levels ("Safer" and "Safest") with uBO enabled:

JavaScript error: jar:file:///path/to/tor-browser/Browser/omni.ja!/components/nsPrompter.js, line 339: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDOMWindowUtils.isParentWindowMainWidgetVisible]

This is on a 64bit system.

At least now I know to disable uBO at higher security levels.

Anonymous

January 30, 2019

Since I installed this new version (8.0.5), the Telegram application doesn't work and it cannot connect to its servers... I am used to using SOCKS when I use Telegram, but it doesn't work at all! So, please check the problem and solve it asap... THIS IS A MAJOR ISSUE!

Anonymous

January 30, 2019

Hello there and thanks for this,
this new release works great, no problem for now.

However, I have a question. I was wondering if you have any plan to solve the "problem" with screen dimensions fingerprinting. Do you think it will ever be possible to surf the web with Tor Browser in full screen mode without being fingerprinted by trackers and third party actors? Many friends and relatives (whom I suggest to use Tor Browser) find this specific aesthetic aspect of TB pretty weird. I am not an expert in design and UX but I have the impression that this is a big hurdle for TB adoption on a mass scale.

Thanks for listening.

Hi there and thanks for your messages.

As you surmise, browser fingerprinting by window resolution is a tricky topic. It might be more useful to consider the threat that your friends face, which in this case appears to be about hiding from advertisers and data slurpers. In that case I don't think that browser size poses a huge threat, especially if your friends don't link their true identities to their browsing sessions (like signing into Facebook).

If you think about it, it's more beneficial for them to use Tor and have some of the protection that it can afford, rather than not using it at all. Even if that means sharing a little more info which can be used for fingerprinting.

Thanks for TBB!!

Surfing with regular Firefox sucks, with sites showing you being tracked even with private browsing enabled, through multiple profiles and accounts on the same computer. You can clear all your data/cookies etc. and this site still tracks whatever name you throw at it, in normal and private mode.
I wonder how many unique ID methods it uses to continue to track you even after rebooting your PC and clearing all data, cache, cookies, storage etc. from the browser.

Website can also track you across multiple profiles and across multiple accounts on your computer. Just thought it was pretty crazy bruh.

Before you say, yeah but u allowed javascript to run on that page.. well that's the point. It shows just how much of what we do is being tracked, imagine when you're not on Tor (or on Tor with javascript running, a lot do that) and you got that itch that u think u safe.

I tested Chrome, Firefox, Safari, MS Edge and they are all vulnerable to it.
Website seems to be just a Proof of Concept to show just that.

https://www.nothingprivate.ml

Anonymous

January 30, 2019

Could you make it possible for users to anonymize the platform string, e.g. in about:config or in "Security Settings" window? By "platform string" I mean the platform field that panopticlick reports, such as "Linux x86_64".

Looking at the comments for the last few releases it seems that a lot of users prefer smaller fingerprint over the "convenience" of websites automatically recognizing their platform. In most cases this automatic recognition is either insignificant to the user or the user can manually choose the platform (such as on the Tor browser download page). I have never come across a website where at the same time platform recognition would be vital and the user could not manually specify it in some way (whether via some menu or setting or by navigating to the appropriate URL).

I'm not suggesting that you should let users manually enter any platform string whatsoever, but that there could be an option to switch between actual platform (as it is now) and an anonymized one i.e. whatever the Windows 64 bit version has (like the current user agent string).

Or what about websites asking the user for permission to read the platform string, like it's done currently with canvas? If the user rejects then the anonymized version is supplied.
It's not ideal since the permission dialog box would probably trigger too frequently, but at least the user would have control over which site/page gets to read the platform string.

If you get a chance, I think there would be community interest in a post describing current thinking inside TP on the problem of making it harder for our enemies to easily differentiate Tor circuits from other TLS bitstreams, and making it harder to differentiate Tor Browser from Firefox. Last I heard, these are unsolved problems.

Anonymous

January 30, 2019

"Add pref to allow users to persist custom noscript settings"

Sorry, I'm a bit thick; but just exactly how do we select this NoScript persist pref? I can't find it anywhere...I think I'll go back to using the ScriptSafe addon instead.

BTW All this speculation that NoScript site-persistence gives rise to a usable fingerprinting risk is somewhat dubious and overblown--many easier ways of tracking TorBrowser users--and the risk of script-jacking is much greater and more dangerous, so why not just do away with script altogether if you're just worried about supposed fingerprinting... Has any researcher actually tried/proved tracking/fingerprinting users with their NoScript custom settings yet?

Anonymous

January 30, 2019

how to get rid of the "Will you allow *.com to use your HTML5 canvas image data?" dropdown menu in urlbar (between i and the green icon)?

There is no permanent way to do that yet in the stable release, alas. We are currently testing a fix in the alpha which should make those doorhangers way less frequent than they used to be. If this goes well you'll have that improvement in one of the next stable versions.

url is ok, tor blog, a grey icon is visible.
page info - permissions - extract canvas data = always ask.
i tried to find out how to set permissions globally, but about:permissions is gone.
i think the icon appears because of my about:config settings. in another TBB installation it is not reproducible.
(after posting here your website is in a reload loop.)

SOLVED - it seems to be Video DownloadHelper extension:
Behavior tab --- Network probe - Scan network traffic to detect hits
it's my fault, sorry for any inconvenience.

Anonymous

January 30, 2019

jabber pidgin My jabber client pidgin stopped connecting to the tor network after the last update.

Anonymous

January 30, 2019

INSTEAD OF CHANGING THE OS PLATFORM STRING FOR BROWSER WHY NOT JUST CONVERT ALL USERS TO UNKNOWN OS? OR BLANK? OR JUST SOMETHING THAT ANY SERVER CAN RECOGNIZE LIKE DOS? HAHA

Anonymous

January 31, 2019

Can't access https://www.torproject.org/ via TOR Browser (previous version) for at least 24 hours. Anyone else having similar issues? (don't have any issues with accessing other sites, including this one)

Looks like some DNS issue, getting error:

"Unable to connect

Firefox can’t establish a connection to the server at www.torproject.org."

Thank you for reply!

No update errors there since it is downloading the update from https://cdn.torproject.org/ and not from https://www.torproject.org/

But I need full new version "torbrowser-install-8.0.5_en-US.exe" and not "tor-browser-win32-8.0.4-8.0.5_en-US.incremental.mar"

I was trying to replace file name in URL to grab it from there, but got Error 404.

Is there any official verified alternative location for full version?

We have the latest bundles at https://dist.torproject.org/torbrowser/ as well, in case just www.torproject.org is blocked. However, if you already have a Tor Browser it should auto-update you to the latest version. Thus, I am a bit confused why you need a new version downloaded from the website to update.

Is www.torproject.org the only website that is blocked for you?

> However, if you already have a Tor Browser it should auto-update you to the latest version. Thus, I am a bit confused why you need a new version downloaded from the website to update.

I prefer to have multiple (separate) versions of TOR browser in case something goes wrong with the latest one or some issues appear (had such problems in the past). In that case I don't have to roll back and can simply run the previous version for a site which is having issues with the latest version while it gets fixed in the next version.
Hope I explained clearly enough. :)

> Is www.torproject.org the only website that is blocked for you?

Yep, I don't have any issues with reaching any other sites but still can't reach it through TOR Browser... (so confused why it can happen, DNS queries come through TOR as well).

But the link you gave me is working without any issues, thank you so much! :)