New Release: Tor Browser 8.0.8

Tor Browser 8.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest.

The full changelog since Tor Browser 8.0.7 is:

  • All platforms
    • Update Firefox to 60.6.1esr
    • Update NoScript to 10.2.4
      • Bug 29733: Work around Mozilla's bug 1532530

No. We are currently testing the new OpenSSL version in the alpha series. The main reason this was not included immediately in stable is that the fixed issues in OpenSSL are not affecting Tor.

Anonymous

March 23, 2019


Every time I start Tor it just says it's waiting for Tor to start, but after a few minutes it says it can't connect to the Tor control port. I have had this issue since a few days ago. Does anybody know what's going on? What can I do?

I got a similar problem. Since the weekend it takes much longer than normal to connect to the Tor network. If the browser finally is connected, it takes forever to download a website. I didn't change a bit on my system. So what's the problem?

Anonymous

March 23, 2019

I'm moving the entire internet to Tor. I don't work on Sundays but I'll start my duty on Monday morning.

Could you please provide more information about the issue you're experiencing? What is the specific problem you're running into? What actions did you complete before the issue occurred? Are you using Tor Browser for desktop, or are you using Tor Browser for Android? Do you see any error messages?

Anonymous

March 23, 2019

Just updated Tor. I use DuckDuckGo within Tor. With update, every web search requires a NoScript verification for trust. Is that expected or did the NoScript update that came with the Tor update automatically set that? I didn’t use to get that previously.

Anonymous

March 23, 2019


First off, thanks for the great work that enables people around the world to evade censorship and surveillance.

Now, a question: is it possible to permanently disable or block NoScript's XSS warnings by default?

Anonymous

March 24, 2019

boklm & gk, et al., thank you for your fast work!

Does this update include Firefox fixes for the security holes exposed in Pwn2Own 2019?

The security issues disclosed during Pwn2Own were two JavaScript bugs, and two sandbox escape bugs. The JavaScript issues have been fixed by this release, but the sandbox escape bugs will require more work from Mozilla and will be fixed in one of the following releases.

Many thanks to the Tor Browser team (and even Mozilla and Pwn2Own) for addressing this issue!

Given that the sandboxing issue is not yet fixed, how vulnerable do you assess TB users to be when they set the security slider to "Safer" until Mozilla fixes that issue?

Anonymous

March 24, 2019

My 360 Total Security detected a trojan on startup when using 8a58. It tried to auto-update on startup to 8a59. Just thought I would warn people.

Has that happened for you with previous alpha versions? Heuristics of scanners sometimes alert on bleeding-edge software if those scanners haven't received updates to recognize them. Alpha versions are more likely to be unrecognized. Scan it again in another week or so after updating your scanner's definitions. Or if you don't need the alpha, just use the standard release.

Remember to verify PGP signatures by downloading the sig file from the link under the button on the download page. https://www.torproject.org/docs/verifying-signatures.html.en Also search the web for PGP or GnuPG guides to verify signature files. Many open-source projects ship sig files with their programs, so verifying them is a good skill to learn and to practice.

I was worried when I saw 3 new options in NoScript's settings after the addon updated, but then I was relieved to find that the NoScript change log contains many changes made for Tor and says those new settings are set to defaults specially for Tor. I am happy Giorgio and Tor Project are partnered closely so the asynchronous updates of NoScript don't harm Tor Browser's privacy. Thank you, Giorgio and Tor Project.

Anonymous

March 25, 2019

Tor has been acting odd for months, so today on a whim I stopped by ip-check.info and what I saw was, well, not what I would have expected. RED, everywhere it was RED. Funny thing is, after going back again and again all is green, almost. It seems Tor is working better as well. Why is that?

Windows 32 bit, updated 4 maybe 5 times.

Hard to say. Is that bad behavior reproducible on your system? If so, could you give us steps to do so? What do you mean by "after going back again and again all is green"? What exactly did you do?

I meant after restarting Tor again and again to see if I could reproduce the same outcome. Next time I will be sure to get a screenshot. As of right now ip-check.info says I am using Tor in green instead of red.

Anonymous

March 25, 2019

I am using an old Tor Browser version because of my old Windows version. Since this weekend the browser is basically useless. I can start it, but the connection to the Tor network takes much longer than normal. After the connection is established, it takes forever to load any website. The log says:

25.03.2019 09:35:46.600 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
25.03.2019 09:36:22.000 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
25.03.2019 09:37:09.200 [WARN] Your Guard bonjour1 ($D80EA21626BFAE8044E4037FE765252E157E3586) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are 110/226. Use counts are 85/85. 113 circuits completed, 0 were unusable, 2 collapsed, and 121 timed out. For reference, your timeout cutoff is 60 seconds.
25.03.2019 09:37:22.200 [NOTICE] No circuits are opened. Relaxed timeout for circuit 1 (a General-purpose client 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.

What's the problem?

https://metrics.torproject.org/rs.html#details/D80EA21626BFAE8044E4037F…
In the log you pasted, your first node (Guard) is named bonjour1, and its fingerprint is the capital hexadecimal string. Enter either of those in the Relay Search or click my link. Look at the "6 Months" history graph at the bottom. The bytes-per-second lines fell sharply after March 22. Something is affecting that guard node. I don't know how to change your guard node except by reinstalling Tor Browser or setting the Bridge options.

> I am using an old Tor Browser Version becaus of my old Windows version.
If Windows 7+ is not possible or wanted, try writing a Live USB or a Live DVD of a Linux distribution such as Tails or another listed in the right-side ranking column on distrowatch.com or search for one by attributes: https://distrowatch.com/search.php A Live distribution runs totally in RAM and will not write or change your hard drives or SSD. You can boot into the Live distro, try it out, shut down, remove the USB or DVD, and boot again to return to your original OS. It won't write or install itself to your HDD or SSD unless you tell it to. Machines exposed to the internet should not be running an outdated OS.
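The log reading described in the reply above (guard nickname, fingerprint, circuit counts) can be automated. The following is an added example, not part of the original comments or Tor Project code: it parses the log excerpt quoted in this thread, and the Relay Search URL form is inferred from the link in that reply.

```python
import re
from datetime import datetime

# Log excerpt copied from the comment above (day.month.year timestamps).
SAMPLE_LOG = """\
25.03.2019 09:35:46.600 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
25.03.2019 09:36:22.000 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
25.03.2019 09:37:09.200 [WARN] Your Guard bonjour1 ($D80EA21626BFAE8044E4037FE765252E157E3586) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are 110/226. Use counts are 85/85. 113 circuits completed, 0 were unusable, 2 collapsed, and 121 timed out. For reference, your timeout cutoff is 60 seconds.
"""

TS = r"(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
BOOT = re.compile(TS + r" \[NOTICE\] Bootstrapped (?P<pct>\d+)%")
GUARD = re.compile(
    TS + r" \[WARN\] Your Guard (?P<nick>\S+) \(\$(?P<fp>[0-9A-F]{40})\) is failing"
    r".*?Success counts are (?P<ok>\d+)/(?P<total>\d+)\."
    r".*?(?P<timed_out>\d+) timed out"
)

def _ts(s):
    return datetime.strptime(s, "%d.%m.%Y %H:%M:%S.%f")

def bootstrap_gaps(log):
    """Seconds between consecutive bootstrap milestones: [(from_pct, to_pct, secs)]."""
    steps = [(int(m["pct"]), _ts(m["ts"])) for m in BOOT.finditer(log)]
    return [(a[0], b[0], (b[1] - a[1]).total_seconds()) for a, b in zip(steps, steps[1:])]

def failing_guards(log):
    """One record per guard warning, with the circuit success ratio Tor reported."""
    out = []
    for m in GUARD.finditer(log):
        ok, total = int(m["ok"]), int(m["total"])
        out.append({
            "nickname": m["nick"],
            "fingerprint": m["fp"],
            "success_rate": round(ok / total, 3) if total else None,
            "timed_out": int(m["timed_out"]),
            # URL form inferred from the Relay Search link in the reply above.
            "relay_search": "https://metrics.torproject.org/rs.html#details/" + m["fp"],
        })
    return out

if __name__ == "__main__":
    print(bootstrap_gaps(SAMPLE_LOG))
    for guard in failing_guards(SAMPLE_LOG):
        print(guard)
```

A success rate near 50% with most failures being timeouts, as here, matches the overloaded-guard reading given in the reply; the warning text itself notes it cannot distinguish overload from interference.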

Solution found (at least a little workaround): start your Tor Browser, Tor says "Tor-Kanal wird hergestellt/Tor channel...." (I use the German version), wait a few seconds, disable your internet connection but keep your Tor Browser window on screen, enable your internet connection, press the "verbinden/connect" button in your Tor Browser. It seems Tor will now use a different node. Unfortunately this only works once. If you close and start your Tor Browser again, you still have the same problem and you have to do the same procedure again.

Sorry for my bad English :-)

On the one hand, I want to say it shouldn't be allowed to fail hard -- that it should look up a new guard if it can't connect to the one it used the previous time. But on the other hand, what if you're up against a state adversary who wants you to connect to guards deployed by the state? If it automatically looks up another, it would keep trying until it chooses one the state allows you to connect to, and you wouldn't have a clue of the difference from looking at the connection progress bar except that it took a little longer. It should not be easy to get a different guard node. If it was made easy, there should be a massive warning message.