New Release: Tor Browser 8.0.9

Tor Browser 8.0.9 is now available from the Tor Browser Download page and also from our distribution directory.

This release fixes the issue which caused NoScript and all other Firefox extensions signed by Mozilla to be disabled.

If you used the workaround mentioned in our previous blog post, don't forget to set the xpinstall.signatures.required entry in about:config back to true after installing this update.

Note: We did not bump the Firefox version number to be able to build faster, thus it will still show 60.6.1esr as the Firefox version.

The full changelog since Tor Browser 8.0.8 is:

  • All platforms
    • Update Torbutton to 2.0.13
      • Bug 30388: Make sure the updated intermediate certificate keeps working
    • Backport fixes for bug 1549010 and bug 1549061
      • Bug 30388: Make sure the updated intermediate certificate keeps working
    • Update NoScript to 10.6.1
      • Bug 29872: XSS popup with DuckDuckGo search on about:tor

There may actually be some good news buried in this messy story.

It seems that the cert which caused the inadvertent (presumably) disabling of NoScript expired late Fri 3 May 2019, and Mozilla apparently became aware of the situation within minutes or hours. They then were able to find a quick fix which was implemented in a few days, which allowed Tor Project and Tails Project to issue emergency bugfix versions in a very short time.

This means that the Tor user community was not affected during May Day, a time when some at risk users are all likely to be attacked by multiple US/EU agents who suspect us of involvement in street protests.

I was alerted to the problem by a popup which everyone who booted TB this weekend should have seen, and knew enough to come to this blog to look for more information. The main worry now seems to be that some at risk users might not have known they should come here and may not have understood the instructions (or rebelled, quite naturally, at instructions telling them to disable sig verification).

Hopefully this incident will serve as wake-up call to Mozilla that they need to work harder to prevent their cert chains from falling over.

ditto!

1. New bridge values is not being issued when "tor is censored in my country" is selected. If I select 'request a bridge from torporject.org" The bridge is always XX.XX.XX.XX:PPPPP etc.. which is not open so will not complete a circuit,

2. I use tor browser for the Mac OS and if I select scramblesuit from https://bridges.torproject.org/ It will work but why doesn't the tor browser itself have the scramblesuit built in to the browser like obs4, obs3 and meek-azure. is scramblesuit deprecated?

Re 1) We are investigating that issue (although it seems I can't find the ticket right now).
Re 2) Yes, scramblesuit is deprecated in favor of obfs4 and other pluggable transports.

Hello! If I want to setup a bridge, should I be only supporting obfs4?

I wondered the same thing. I searched the support site, manuals and trac wiki. The doc page about pluggable transports has the best answer I could find. "obfs4 is currently the most effective transport to bypass censorship. We are asking volunteers to run bridges for it." meek is designed for bridges hosted on a CDN. obfs4 is good for bridges hosted anywhere. The other PT's shown on BridgeDB are not recommended anymore in documentation.

Then fte, scramblesuit, and none should be removed from the selection box on BridgeDB. They are removed from the built in selection box in TBB 8.5 but BridgeDB website continues to offer selecting them.

yes,is ok

Thank You.

Shouldn't blog moderators redact the bridge IP:port from public posts? Less damage is better than more damage.

Yes, I think you are right. I thought, so, this is less problematic in this case as the bridge is non-functional anyway.

You guys ROCK! Thank you.

thank you, guys and girls!

NoScript is BACK! :)

Note: Microsoft Edge does not have the ability to disable scripts, so an XSS exploit can be successful!

Thank you very much for getting this out so fast it has only been a few days.

Thank you sooooooooooooooooooooooooooooooooooooooo much

How about fixing vulnerability that allows for massive DDOS attacks??????
Now THAT would be a real help.

We are working on it, stay tuned.

Hello, is there any ETA on when the DDOS issue will be fixed? Any ETA at all even if its really rough. It would help SO much to have any sort of time frame. Will it be fixed this month do you think?

What vulnerability? Haven't seen anything in the mailing lists.

A single guard entry server for 2-3 months is enough time to capture every user's behavior on the TOR network. I am not satisfied with esoteric arguments and research papers presented, favoring the guard entry server architecture. It seems to me that TOR is totally compromised and there is really no way to escape prying eyes. And the dependency on Google finances that The TOR Project has grown accustomed to, only seals the privacy fate of the TOR user.

That's nice, but not how science works. If you want to prove an opposing hypothesis, you need to present sufficient supporting evidence. Hand wringing does not suffice.

> the dependency on Google finances that The TOR Project has grown accustomed to,

I share your concern but...

> only seals the privacy fate of the TOR user.

I think you are too pessimistic. The solution is to move Tor Project toward a funding model which relies principally on user donations, similar to EFF, rather than corporate/govt largesse.

Please consider making regular donations as I and others here do.

> It seems to me that TOR is totally compromised and there is really no way to escape prying eyes.

Too pessimistic. Enemies such as NSA have frightful powers to harm people, but they have problems of their own. Exploits are often frangible (fail when a new version is introduced, even if the devs never knew about the hole), they are drowning in information (much of it duplicated in hard to notice ways), their systems tend to be in a state of near chaos, their own opsec is poor, and their very size and complexity ensures that they suffer from some systemic weaknesses which we can exploit to prevent them from getting too far ahead in the arms race.

Further, we have many enemies, but most of them are far less capable and far more focused on particular populations than NSA.

i got a leakage W32 file in this update which was detected by my antivirus. maybe take a look at that Tor?
what it said exactly :
W32/Malware

but coming from Tor i am also suspecting it to be a false posetive ?
if not. i suspect you work hard on fixing it ASAP.
thanks.

There is nothing we can do about your antivirus. Our updates are signed (otherwise they would not get applied), thus everything we ship comes from us (we make sure we get exactly the same build results on different machines to better guard against build machine compromise). You need to get back to your antivirus vendor or, better, if you really think you need antivirus/firewall software then use Microsoft's own tools and nothing else.

Probably false positive. 8.0.9 was very new when you posted. Wait for a day or two until your vendor updates its virus signature files, and scan again. ("Virus signatures" have nothing to do with cryptographic signatures.)

Meanwhile, you might verify Tor Browser's cryptographic signature in its sig file.
https://support.torproject.org/#how-to-verify-signature
https://2019.www.torproject.org/docs/verifying-signatures.html.en

thanks

What about automatic updates of https everywhere and noscript addons?
Is it recommend to disable automatic updates?

No, it is not. Those automatic updates is the way for you to get timely security updates.

Isn't it strictly forbidden to update the permanent add-ons (HTTPS Everywhere, NoScript, Torbutton and Torlauncher) ?
In fact I have once or twice accidentally updated them. How to cancel it, is it possible without re-installing?
Perhaps they could be protected in future? How about approving some add-ons, if adblocking was done by the exit, loading ads but not sending, there would be no fingerprint problem.

It is important to keep Tor Browser updated, as this ensures that you have the important security updates. Tor Browser currently has automatic updates enabled by default for these add-ons.The add-ons will also be updated whenever you install an update to Tor Browser. You do not need to install other updates to these add-ons, as the updates included in TB are vetted by the development team to ensure compatibility with the browser.

What we don't recommend is installing other add-ons (i.e. any add-ons that don't come pre-installed with Tor Browser).

I'm pretty sure they were asking about the add-ons that are pre-installed with Tor Browser receiving updates that are not included in TB. For example, TB 8.0.9 has NoScript 10.6.1. TB checks addons.mozilla.org and finds NoScript 10.6.2. What happens? Are post-install updates from addons.mozilla.org or eff.org vetted by TB developers? Since automatic third-party updates of pre-installed add-ons are not bundled or signed by TP, vetting of those updates is meaningless. Does TB reject non-vetted automatic third-party updates of vetted pre-installed add-ons?

Currently the https everywhere and noscript add-ons updates are enabled by default, which allows fixing bugs in those add-ons without releasing a new Tor Browser.

However, there are some plans to change that:
https://trac.torproject.org/projects/tor/ticket/10394
https://trac.torproject.org/projects/tor/ticket/22974

Great info. Thank you.

> if adblocking was done by the exit, loading ads but not sending, there would be no fingerprint problem.

Exits can log all your traffic. You want them to control filters on your traffic too? Some exits already try to.

Effective ad-blocking can't be done by routers to end-to-end HTTPS. They can only see IP and domains, so it blocks too little or too much. Filters on the user's machine are the most effective.

But... if every user had the same filters and did not update from the filter publisher, their fingerprints would be identical if everything else in the fingerprints was identical. I think. Comparisons of fingerprints of Tor Browser to regular browsers are not meaningful. Comparisons of fingerprints of Tor Browser to other Tor Browser instances are meaningful. So if all Tor Browsers come with the same things and no leaks from them, they would all look alike. But it's also very hard to review filter lists.

Hey,
this time time span from discovery to 'repair' is great!

All Tor folks (this time with a focus on Tor browser) are doing really great work!!!

Many thanks!

Plus one!

Since 8.0.8 I'm constantly getting NoScript popups, mostly for requests to a very small set of omnipresent domains like twitter. Considering all your efforts in recent months to make TBB more marketable, it seems this salvo of popups does not help you at all at keeping new users.

Is there any plan to block such common requests by default? Each user curating their block list on their own is not good for anonymity.

The problem is an underlying Firefox bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1532530) which caused large uploads to fail which is dangerous for whistleblowsers for instance. The workaround was to tweak NoScript which unfortunately results in more false positive XSS popups delivered by that extension. The Mozilla bug is fixed and we should get back to normal XSS warnings next week with Tor Browser based on ESR 60.7.0. Sorry for the inconvenience.

why not on ESR 60.6.2? ;]

It's an additional fix that would have made that critical release even more complex. Besides that it would not have had immediate effect as we need a new NoScript release afterwards as well, so that the changes can take effect.

Hey! Does `certdb` support FPI that you enabled it?!

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

18 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.