New Release: Tor Browser 8.0

 

Update (09/07 10:15 UTC): We received reports of Tor Browser 8.0 crashing during start-up on older (10.9.x) macOS systems. This is tracked in bug 27482. The current Tor stable version, 0.3.3.9, is missing a patch to make it compatible with that old and unsupported (by Apple) macOS version. This will be fixed in the planned Tor Browser 8.0.1 release. Meanwhile, users affected by this bug can try the almost identical alpha release, 8.5a1, which is shipping a newer Tor version with this bug fixed. Sorry for the inconvenience.

For the past year, we have been collecting feedback on how we can make Tor Browser work better for you.

Tor Browser 8.0, our first stable release based on Firefox 60 ESR, is now available from the Tor Browser Project page and also from our distribution directory. This release is all about users first.

Tor Browser 8.0 comes with a series of user experience improvements that address a set of long-term Tor Browser issues you’ve told us about. To meet our users' needs, Tor Browser has a new user onboarding experience; an updated landing page that follows our styleguide; additional language support; and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.

New User Onboarding

For the most part, using Tor is like using any other browser (and it is based on Firefox), but there are some usage differences and cool things happening behind the scenes that users should be aware of. Our new onboarding experience aims to better let you know about unique aspects of Tor Browser and how to maximize those for your best browsing experience.

Improved Bridge Fetching

For users where Tor is blocked, we have previously offered a handful of bridges in the browser to bypass censorship. But to receive additional bridges, you had to send an email or visit a website, which posed a set of problems. To simplify how you request bridges, we now have a new bridge configuration flow when you when you launch Tor. Now all you have to do is solve a captcha in Tor Launcher, and you’ll get a bridge IP. We hope this simplification will allow more people to bypass censorship and browse the internet freely and privately.

Better Language Support

Millions of people around the world use Tor, but not everyone has been able to use Tor in their language. In Tor Browser 8, we’ve added resources and support for nine previously unsupported languages: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, and Traditional Chinese.

Apart from those highlights, a number of other component and toolchains got an update for this major release. In particular, we now ship Tor 0.3.3.9 with OpenSSL 1.0.2p and Libevent 2.1.8. Moreover, we switched to the pure WebExtension version of NoScript (version 10.1.9.1) which we still need to provide the security slider functionality. Additionally, we start shipping 64bit builds for Windows users which should enhance Tor Browser stability compared to the 32bit bundles.

Providing this many improvements for our users could only be possible with collaboration between the Tor Browser team and Tor's UX team, Community team, Services Admin team, and our volunteers. We would like to thank everyone for working hard over the past year to bring all these new features to our users.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

  • WebGL is broken right now.
  • We disable Stylo on macOS due to reproducibility issues we need to investigate and fix. This will likely not get fixed for Tor Browser 8, as we need some baking time on our nightly/alpha channel before we are sure there are no reproducibility/stability regressions. The tentative plan is to get it ready for Tor Browser 8.5.

 

Note: This release is signed with a new GPG subkey as the old one expired a couple of days ago. You might need to refresh your copy of the public part of the Tor Browser signing key before doing the verification. The fingerprint of the new subkey is 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2.

Give Feedback

This is only the beginning of our efforts to put users first. If you find a bug or have a suggestion for how we could improve this release, please let us know.

Changelog

The full changelog since Tor Browser 7.5.6 is:

  • All platforms
    • Update Firefox to 60.2.0esr
    • Update Tor to 0.3.3.9
    • Update OpenSSL to 1.0.2p
    • Update Libevent to 2.1.8
    • Update Torbutton to 2.0.6
      • Bug 26960: Implement new about:tor start page
      • Bug 26961: Implement new user onboarding
      • Bug 26962: Circuit display onboarding
      • Bug 27301: Improve about:tor behavior and appearance
      • Bug 27214: Improve the onboarding text
      • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
      • Bug 26100: Adapt Torbutton to Firefox 60 ESR
      • Bug 26520: Fix sec slider/NoScript for TOR_SKIP_LAUNCH=1
      • Bug 27401: Start listening for NoScript before it loads
      • Bug 26430: New Torbutton icon
      • Bug 24309: Move circuit display to the identity popup
      • Bug 26884: Use Torbutton to provide security slider on mobile
      • Bug 26128: Adapt security slider to the WebExtensions version of NoScript
      • Bug 27276: Adapt to new NoScript messaging protocol
      • Bug 23247: Show security state of .onions
      • Bug 26129: Show our about:tor page on startup
      • Bug 26235: Hide new unusable items from help menu
      • Bug 26058: Remove workaround for hiding 'sign in to sync' button
      • Bug 26590: Use new svg.disabled pref in security slider
      • Bug 26655: Adjust color and size of onion button
      • Bug 26500: Reposition circuit display relay icon for RTL locales
      • Bug 26409: Remove spoofed locale implementation
      • Bug 26189: Remove content-policy.js
      • Bug 26490: Remove the security slider notification
      • Bug 25126: Make about:tor layout responsive
      • Bug 27097: Add text for Tor News signup widget
      • Bug 21245: Add da translation to Torbutton and keep track of it
      • Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and zh-TW
      • Translations update
    • Update Tor Launcher to 0.2.16.3
      • Bug 23136: Moat integration (fetch bridges for the user)
      • Bug 25750: Update Tor Launcher to make it compatible with Firefox 60 ESR
      • Bug 26985: Help button icons missing
      • Bug 25509: Improve the proxy help text
      • Bug 26466: Remove sv-SE from tracking for releases
      • Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and zh-TW
      • Translations update
    • Update HTTPS Everywhere to 2018.8.22
    • Update NoScript to 10.1.9.1
    • Update meek to 0.31
      • Bug 26477: Make meek extension compatible with ESR 60
    • Update obfs4proxy to v0.0.7 (bug 25356)
    • Bug 27082: Enable a limited UITour for user onboarding
    • Bug 26961: New user onboarding
    • Bug 26962: New feature onboarding
    • Bug 27403: The onboarding bubble is not always displayed
    • Bug 27283: Fix first-party isolation for UI tour
    • Bug 27213: Update about:tbupdate to new (about:tor) layout
    • Bug 14952+24553: Enable HTTP2 and AltSvc
      • Bug 25735: Tor Browser stalls while loading Facebook login page
    • Bug 17252: Enable TLS session identifiers with first-party isolation
    • Bug 26353: Prevent speculative connects that violate first-party isolation
    • Bug 26670: Make canvas permission prompt respect first-party isolation
    • Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
    • Bug 26456: HTTP .onion sites inherit previous page's certificate information
    • Bug 26561: .onion images are not displayed
    • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
    • Bug 26833: Backport Mozilla's bug 1473247
    • Bug 26628: Backport Mozilla's bug 1470156
    • Bug 26237: Clean up toolbar for ESR60-based Tor Browser
    • Bug 26519: Avoid Firefox icons in ESR60
    • Bug 26039: Load our preferences that modify extensions (fixup)
    • Bug 26515: Update Tor Browser blog post URLs
    • Bug 26216: Fix broken MAR file generation
    • Bug 26409: Remove spoofed locale implementation
    • Bug 25543: Rebase Tor Browser patches for ESR60
    • Bug 23247: Show security state of .onions
    • Bug 26039: Load our preferences that modify extensions
    • Bug 17965: Isolate HPKP and HSTS to URL bar domain
    • Bug 21787: Spoof en-US for date picker
    • Bug 21607: Disable WebVR for now until it is properly audited
    • Bug 21549: Disable wasm for now until it is properly audited
    • Bug 26614: Disable Web Authentication API until it is properly audited
    • Bug 27281: Enable Reader View mode again
    • Bug 26114: Don't expose navigator.mozAddonManager to websites
    • Bug 21850: Update about:tbupdate handling for e10s
    • Bug 26048: Fix potentially confusing "restart to update" message
    • Bug 27221: Purge startup cache if Tor Browser version changed
    • Bug 26049: Reduce delay for showing update prompt to 1 hour
    • Bug 26365: Add potential AltSvc support
    • Bug 9145: Fix broken hardware acceleration on Windows and enable it
    • Bug 26045: Add new MAR signing keys
    • Bug 25215: Revert bug 18619 (we are not disabling IndexedDB any longer)
    • Bug 19910: Rip out optimistic data socks handshake variant (#3875)
    • Bug 22564: Hide Firefox Sync
    • Bug 25090: Disable updater telemetry
    • Bug 26127: Make sure Torbutton and Tor Launcher are not treated as legacy extensions
    • Bug 13575: Disable randomised Firefox HTTP cache decay user tests
    • Bug 22548: Firefox downgrades VP9 videos to VP8 for some users
    • Bug 24995: Include git hash in tor --version
    • Bug 27268+27257+27262+26603 : Preferences clean-up
    • Bug 26073: Migrate general.useragent.locale to intl.locale.requested
    • Bug 27129+20628: Make Tor Browser available in ca, ga, id, is, nb, da, he, sv, and zh-TW
      • Bug 12927: Include Hebrew translation into Tor Browser
      • Bug 21245: Add danish (da) translation
  • Windows
    • Bug 20636+10026: Create 64bit Tor Browser for Windows
      • Bug 26239+24197: Enable content sandboxing for 64bit Windows builds
      • Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
      • Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
      • Bug 12968: Enable HEASLR in Windows x86_64 builds
    • Bug 26381: Work around endless loop during page load and about:tor not loading
    • Bug 27411: Fix broken security slider and NoScript interaction on Windows
    • Bug 22581: Fix shutdown crash
    • Bug 25266: PT config should include full names of executable files
    • Bug 26304: Update zlib to version 1.2.11
    • Update tbb-windows-installer to 0.4
      • Bug 26355: Update tbb-windows-installer to check for Windows7+
    • Bug 26355: Require Windows7+ for updates to Tor Browser 8
  • OS X
    • Bug 24136: After loading file:// URLs clicking on links is broken on OS X
    • Bug 24243: Tor Browser only renders HTML for local pages via file://
    • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
    • Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
  • Linux
    • Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
    • Bug 25485: Unbreak Tor Browser on systems with newer libstdc++
    • Bug 20866: Fix OpenGL software rendering on systems with newer libstdc++
    • Bug 26951+18022: Fix execdesktop argument passing
    • Bug 24136: After loading file:// URLs clicking on links is broken on Linux
    • Bug 24243: Tor Browser only renders HTML for local pages via file://
    • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
    • Bug 20283: Tor Browser should run without a `/proc` filesystem.
    • Bug 26354: Set SSE2 support as minimal requirement for Tor Browser 8
  • Build System
    • All
      • Bug 26362+26410: Use old MAR format for first ESR60-based stable
      • Bug 27020: RBM build fails with runc version 1.0.1
      • Bug 26949: Use GitHub repository for STIX
      • Bug 26773: Add --verbose to the ./mach build flag for firefox
      • Bug 26319: Don't package up Tor Browser in the `mach package` step
      • Bug 27178: add support for xz compression in mar files
      • Clean up
    • Windows
      • Bug 26203: Adapt tor-browser-build/tor-browser for Windows
      • Bug 26204: Bundle d3dcompiler_47.dll for Tor Browser 8
      • Bug 26205: Don't build the uninstaller for Windows during Firefox compilation
      • Bug 26206: Ship pthread related dll where needed
      • Bug 26396: Build libwinpthread reproducible
      • Bug 25837: Integrate fxc2 into our build setup for Windows builds
      • Bug 27152: Use mozilla/fxc2.git for the fxc2 repository
      • Bug 25894: Get a rust cross-compiler for Windows
      • Bug 25554: Bump mingw-w64 version for ESR 60
      • Bug 23561: Fix nsis builds for Windows 64
        • Bug 13469: Windows installer is missing many languages from NSIS file
      • Bug 23231: Remove our STL Wrappers workaround for Windows 64bit
      • Bug 26370: Don't copy msvcr100.dll and libssp-0.dll twice
      • Bug 26476: Work around Tor Browser crashes due to fix for bug 1467041
      • Bug 18287: Use SHA-2 signature for Tor Browser setup executables
      • Bug 25420: Update GCC to 6.4.0
      • Bug 16472: Update Binutils to 2.26.1
      • Bug 20302: Fix FTE compilation for Windows with GCC 6.4.0
      • Bug 25111: Don't compile Yasm on our own anymore for Windows Tor Browser
      • Bug 18691: Switch Windows builds from precise to jessie
    • OS X
      • Bug 24632: Update macOS toolchain for ESR 60
      • Bug 9711: Build our own cctools for macOS cross-compilation
      • Bug 25548: Update macOS SDK for Tor Browser builds to 10.11
      • Bug 26003: Clean up our mozconfig-osx-x86_64 file
      • Bug 26195: Use new cctools in our macosx-toolchain project
      • Bug 25975: Get a rust cross-compiler for macOS
      • Bug 26475: Disable Stylo to make macOS build reproducible
      • Bug 26489: Fix .app directory name in tools/dmg2mar
    • Linux
Anonymous

September 06, 2018

Permalink

Hi,
Tor Browser 8.0 is not usable by a user who is blind. I'm using NVDA screen reader on Windows 10, and I cannot use Tor Browser at all. Please test by installing NVDA and then running Tor Browser.
Thanks.

Anonymous

September 06, 2018

Permalink

Is it safe to set 'dom.ipc.processCount' to '-1'? It would be really nice to have one process per tab, providing more isolation between different sites.

Anonymous

September 06, 2018

Permalink

first you took away the option to choose the country of the exit node when phasing out vidalia. now you take out even the option to SEE which exit country you are using with version 8. why do tor developers need to hide important information from users like in which countries the tor nodes are you are connecting to? is it because lately all tor nodes happen to be on the same country which is a huge security risk? is the tor browser no longer secure? i'll not donate any more money to the tor project until i see a change to transparency and give the users back the control and information we always had before. and i'm rolling back to version 7 obviously since i want to see if i'm using a node in the USA or in my own country. SHAME ON YOU. really. i'm speechless....

Please calm down. We have announced the changes on our blog post to this release (just scroll above and read it), we gave an explanation you would get after starting the new version after the update and we included an onboarding (upper left corner) that is explaining the (new) features. In short: the circuit display and other related functionality moved to the "i" (identity) box to the left in your URL bar as it is site-specific. We think if fits there way better than in the Torbutton menu.

Anonymous

September 06, 2018

Permalink

Thanks for this stable release! All working fine. Must have been a tremendous job to get all to work properly.

One question: Will adding some minor cosmetic changes using a userChrome.css script compromise anonymity?

Like replacing the tab throbber and changing colors of bookmark folders. Understand this is not high priority to say the least, but would anyway be interesting to know.

Thanks for your time.

Anonymous

September 06, 2018

Permalink

Why TLS 1.3 still disabled? 000-tor-browser.js pref security.tls.version.max;3 contains legacy description ("Enable TLS 1.1 and 1.2")

Anonymous

September 06, 2018

Permalink

Ditto, leaking OS information in UA when JS is disabled is not nice.

What is the JavaScript argument here? You leak OS information as well if you have JS disabled, even if the UA is the same as the font whitelist we ship is OS specific.

Anonymous

September 06, 2018

Permalink

When previewing/submitting a comment here with security settings set to safest, TB8.0 started to reload continuously and memory usage increased until my virtual memory was all used. If stopping the repeated loading, the site was broken. In Windows event log there was an error message of some program specific local authorization problem DistributedCOM.

Tested again with security settings set to safer and the problem is now gone.

Anonymous

September 06, 2018

Permalink

As expected, Quantum era FX has disabled security and usage features.

Specifically, pre-Quantum noscript addon (by Maone at informaction) had options/prefs that chose whether to show or disable noscript elements in html.

For example of usage on the web, twitter shows no content except a notice "We've detected that JavaScript is disabled in your browser. Would you like to proceed to legacy Twitter?" with a "Yes" button.
Clicking the "Yes" button sends page to the same content but on mobile.twitter.com/ instead of on twitter.com/
This is "Yes" button is useless, because the mobile.twitter.com/ page also shows the same ".. JavaScript is disabled.. proceed to legacy Twitter" message.

Workaround:
via Firefox's text menu, "Page Style", "No style" will show Twitter page content.

Long-term "hack" is to edit userContent.css:
I haven't reviewed userContent.css syntax but Developer Mode and view-source of a twitter page should rapidly find the css that needs editing.
I assume userContent.css can apply these styles of noscript elements to all web domains. Must find regarding userContent.css, whether styles applied generally precede or if they follow styles restricted to domains.

Relevance to Firefox and Tor Browser:
This confirms the value of pre-quantum noscript addon's options/prefs

If someone (?) eventually restores lost addon functionality, I foresee further divergence of tor browser from Firefox, but expect that will require an increase in coding workload     )*:

I wonder how I missed your reply two days later... (according to dates shown here)

Your css rule worked.
I first only added your rule to my rules, but that had no effect.
I then removed all other rules in
@-moz-document domain("twitter.com")
and your rule worked.
I also had somehow lost the initial
@namespace url(http://www.w3.org/1999/xhtml);
line.

So my userContent file had been ****ed up
Sometime in the future, I'll add my other twitter fixes back into userContent (one of my rules had been very close to yours... possibly a child element of yours)

Thanks

Also for lurkers, this is the 'traditional' way to write the rule:
form.NoScriptForm{display:none!important;}

Reading Twitter in tbb8 is 'incurable' mess. I have returned to tbb7 (for.... how long?)

Problem: Copying tbb8 bookmarks to tbb7 isn't straightforward.
Quantum (Firefox in tbb8) uses a different places.sqlite, and pre-quantum (Firefox in tbb7) rejects my attempt to copy places.sqlite from tbb8. Instead, tbb7 renames places.sqlite to places.sqlite.corrupt, then loads its automatic backup into its bookmarks.

Background:
My Options/Preferences>Advanced>Update is
(.) "Check for updates, but let choose whether to install them"
I saved a copy of tbb7 folder before tbb's upgrade to tbb8

__Workaround:__
Start tbb8.
Open bookmarks manager.
Backup to .json file.
Shutdown tbb8
Start tbb7.
Open bookmarks manager.
(Choose whether to manually delete everything in bookmarks menu and in bookmarks toolbar. I did.)
Restore, select the .json file created by Backup in tbb8.
2 or 3 "unresponsive script... Continue" popups. Procedure consumed (guess) 4 minutes on 2012 i5 PC running Windows 7 Pro x64

Result:
Bookmarklets and creating new bookmarks appear to be working during about 15 minutes of using tbb7 with the .json "restored" from tbb8 backup.

Notes:
tbb = tor browser bundle
I intend to report anything else that seems related to this 'workaround'.
I hope to experiment with "fixing" Quantum using a "throwaway install" of PortableApps Firefox.

What is the issue for you here? Regarding bookmarks, can't you export the bookmarks in Tor Browser 7 with the bookmarks menu and import them in Tor Browser 8 the same way (in the latter with Ctrl + Shift + O and there Import and Backup)?

sorry for late revisit.

Web searches found people using regular non-tbb firefox who fell into the same predicament. They disliked quantum after trying, then wanted to use their newest bookmarks in (pre-quantum) ESR.

------

Overview of predicament:
tbb7 updated to tbb8, which changed something in the sqlite file.
I used tbb8 for a while, accumulating additional bookmarks.
I then decided to return to tbb7.
I wanted tbb7 to use my most recent bookmarks
tbb7 couldn't accept the places.sqlite file that I dragged from tbb8 profile.

Thus the need for a workaround.

tl;dr workaround:
In tbb8, "backup" to .json file
In tbb7, restore from same .json file
During restoring, click "Continue" button in "unresponsive script..." alerts

-------
Almost 4 weeks (more than 30 accumulated hours) since this json workaround, nothing odd has occurred in tbb7.

------
about Ctrl + Shift + O - for the lurkers:
While in normal window of Firefox:
ctrl+shift+o opens bookmarks manager in Linux.
ctrl+shift+b opens bookmarks manager in Windows.

NoScript Extension:
I noticed in tbb8 that noscript has very few options, and none are the "Hide noscript elements" or "Forbid meta redirections.." options as in pre-Quantum NoScript extension.

Anonymous

September 06, 2018

Permalink

I keep setting NEVER CHECK FOR UPDATES but you keep updating to 8.0 Why? I don't want that update cause it disables 2 important add ons making TOR useless to me

Anonymous

September 06, 2018

Permalink

Why new Tor isn't working on Win Vista anymore? It is possible to make version of new TBB for Vista? Please help me in this if You can, Thanks.

Anonymous

September 06, 2018

Permalink

System: Tor Browser 8.0 using obfs4 bridge on macOS. Please implement the following modifications: (1) In the Circuit Display, replace the word 'Bridge' with an actual country name. (2) Move 'Show history', 'Toggle reader view', and 'Page actions' from the address bar to the Toolbar. (3) Include the 'New Identity' toolbutton in the Toolbar, Circuit Display, or Torbutton. (4) Implement a common User Agent string uniformly across all platforms so that the UA string will reveal 'Windows NT 6.1' (or another os). Tor Browser, the teams, and the volunteers are outstanding! Thank you.

If you update to Tor Browser 8 you'll stand out because you don't use a mainstream OS.
If you proceed to use the previous version you'll stand out because you'll be one of the few that keep using an outdated version of Firefox.

Pick your poison.

Anonymous

September 06, 2018

Permalink

Please support Vista users again, I know that Microsoft left supporting it but still many of us using this system.
Maybe some special edition of new TBB with a little bit older Firefox?

Anonymous

September 06, 2018

Permalink

In the previous version of Tor I could set my scripts to block globally now with the new NoScript I go into settings set the default to uncheck everything so nothing is allowed, but when I restart Tor the settings are forgotten so the Default goes back to allowing almost everything. Very disappointing that it wont remember my settings on something as important as this, I want to go back to my old Tor version. Please fix Tor land.

Anonymous

September 06, 2018

Permalink

How can i UNPACK

torbrowser-install-win64-8.0_en-US.exe

manually?
Unpacker says "[0] no archive".

Anonymous

September 06, 2018

Permalink

Thanks to Tor devs for all their hard work.

I do have an issue with TBB 8.0 but it is likely to be Mozilla that are to blame for this frustration..

TBB8 is the first to be based on a version of FF which disables 'legacy addons'. Which would be fine if they put as much effort into getting the various WebExt APIs working and supported as they've put into forcing everyone onto WebExts.

Unfortunately the API I will need to get my 'legacy' addon working isn't in FF60, and it will be a long while until we see a TBB based on the next FF ESR.

In the meantime, my heart leapt to see there is are 'extensions.legacy.enabled' and 'extensions.legacy.exceptions' prefs.

However, though it seemed the nightmare was over, in fact neither of these prefs seems to get my addon working; it is still listed as 'disabled'.

I will do some testing to determine whether there is particular functionality that is causing that addon to be disabled in spite of the prefs, or whether those prefs are a tantalising lie.

In the meantime, what experiences have others had with this so far?

(And before anyone starts with well-meaning warnings about the security risks of using addons in TBB, I wrote it myself, it's a relatively simple addon, I understand what it does, I need this functionality and I accept the calculated risk).

Anonymous

September 06, 2018

Permalink

Hello Tor developers,

Firstly, I would like to thank you for your hard work for making this excellent anonymity & anti-censorship tools for everyone. I'm relatively new to Tor Browser & Tor in general nor am I a tech savvy person. I've been using Tor Browser since TB 7.5.4 and this new release TB 8.0 is rock solid. However I'd like to express a concern about User Agent Spoofing (which other people have already said).

I've tested my fingerprint in Panopticlick and Whoer. Panopticlick shows that I have strong protection against fingerprinting (I usually use "Safer" on security slider), but it shows my operating system which is Linux x86_64, same with whoer.net.

I read your explanation as to why Tor developers decided to ditch UA Spoofing as there are many variables that webmasters can detect users' OS by other means, not to mention mobile users which can give negative impact to their browsing experience (i.e. getting desktop site instead of mobile version). I usually browse normal clearnet, nothing shady or illegal. However my concerns lie on the mindset of this decision.

While I can understand a lot of web technologies can break users' anonymity, I fear if this "the web standards mandate this new/old tech that can break anonymity, obfuscating it will result in little impact on users' anonymity while heavily impacting user experience, we might as well give up" mentality, this will result in weaker tools such as Tor & Tor Browser. I'm even disappointed when Mozilla started to add "features" that may lessen users privacy such as Pocket and other stuff.

As other users have suggested, maybe it would be better to enforce UA Spoofing to Windows UA regardless of their Desktop OS only, while keeping mobile to their UA. If you fear new users will likely quit using TBB altogether just because one of their favourite sites give them bad UX, maybe you can educate these users in Tor Browser User Manual when they first fired up TBB. I feel like educating users and giving them understanding and the solutions are much better than unmasking everyone. These days and age, people just don't like to learn nor do their research beforehand and if we keep following these people, it will weaken the only tools that us normal people have to having basic privacy & anonymity.

This is just my opinion & criticism and by no means an attack to Tor devs, so I hope you take it as such. Once again thank you to all Tor devs and congrats on the new TB 8.0 release :)

Then give users a choice to select the user agent. You can show an icon having a drop down menu to select the user agent. If the user goes on one of such websites that you mention the user can switch to the appropriate user agent. You are compromising security for convenience. Give us a choice.

Are you serious?

First, no websites should never do any "OS specific functionality" or "Browser specific functionality" for that matter. Don't you remember why the W3C was created for ?

Second, we're talking about TBB, a browser meant to be used without JS. People who care about "specific functionality" shouldn't use TBB, that's all.

What is your goal? Are you seriously trying to increase the TBB user base? What's your point?

Anonymous

September 06, 2018

Permalink

Noticed differences between Tor v7.5.6 and Tor v8.0
1) Tor v8.0 win 32bit from Torproject, the Tor button options new identity and new Tor circuit for this site is unavailable, not listed as an option.
2)Do not track option shoud be a separate check box
3)Using same settings on Tor v7.5.6 and Tor 8.0 security safest, no cookies, do not track strict protection my signiture revealed firefox version tested using http://ip-check.info/?lang=en/

Yes, that's https://trac.torproject.org/projects/tor/ticket/27482 and cause by a missing patch in the tor version we ship. This will be fixed in the 8.0.1 point release. Meanwhile you could use the recent alpha version, 8.5a1 (https://archive.torproject.org/tor-package-archive/torbrowser/8.5a1/) which ships a tor version that contains the fix. Sorry for the inconvenience.

Anonymous

September 07, 2018

Permalink

Is that
network.ftp.enabled;true
network.http.altsvc.enabled;true
network.http.altsvc.oe;true
network.http.spdy.enabled;true
network.http.spdy.enabled.http2;true
really save?

Anonymous

September 07, 2018

Permalink

unfortunately my computer is always freezing with the new update.
but it installs itself again and again.
so it has become worthless. sorry

Unfortunately it's going on and on.
Every day again.
I don't think my computer likes this way to be switched off and on again. Py poor harddisks.

I use windows 7 and I'm satisfied with it.

There may be nice new features in tor 8, but it depends on the point of view.
For you as developer the features may be great. For me as a user it's just horrible.

And my previous version is "stolen".

I'm absolutely disappointed.

Are those crashes reproducible? Did you get an error message or what does "crashing" mean? Did you try with a clean, new Tor Browser bundle (64bit) extracted to a different location?

The "crashes" are NOT reproducible. I don't know when it happens next or why. And on different websites. "Crash" means. Computer is freezing - can't move mouse anymore, no keyboard, just nothing. The only thing I can do then is: Pushing the switchoff-button. All non saved data is gone etc. And, the worst thing: I'm sure I will destroy my computer with this.
And: After two crashes this morning I installed tor 8 again on another location. Please guess: Same happened again.
So, please: Give me my old tor-version back. Tor 8 is just crap.

I've tried the 64bit version. Computer is freezing.
I've installed the new update (from yesterday or so). Computer is freezing.
I've installed Tor on another HD. Computer is freezing.

It does NOT happen with other programmes. It never happened before. Not with Tor7.

Only with Tor8.

I'm sure my computer won't freeze in future. Because it has been destroyed by Tor8 then.

Please give me an answer: What do I have to do to get Tor7 back ???!!!