New Release: Tor Browser 8.0a10

Update (8/21 7:45UTC): We got reports from users facing a weird update behavior: even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates. This is tracked in bug 27221. As a workaround, please either use a fresh 8.0a10 or go to about:config and search for 8.0a9: the preferences browser.startup.homepage_override.torbrowser.version and extensions.lastTorBrowserVersion will show up. Switch their values to 8.0a10. Sorry for the inconvenience.

Update 2 (8/23 16:20UTC): Today NoScript 10.1.8.17 got released which broke the security slider interaction due to a new messaging protocol. We fixed this problem in bug 27276 and the patch will be available in the Tor Browser 8 release. However, there is no alpha release planned to pick up this fix. Users that depend on the security slider functionality are encouraged to use the stable Tor Browser or a nightly version (starting with the one from tomorrow, August 24) until Tor Browser 8 and the next regular alpha release get out. Again, sorry for the inconvenience.

Tor Browser 8.0a10 is now available from the Tor Browser Project page and also from our distribution directory.

It is the second alpha release based on Firefox ESR 60 and contains a number of improvements and bug fixes. The highlights are the following features and major bug fixes:

  1. This alpha includes big changes to the user onboarding experience, and there are more to come.
  2. We included a revamped start page (special thanks to Mark and Kathy for the implementation on short notice).
  3. The meek pluggable transport should be fully functional now.
  4. We audited and enabled HTTP2 which should give performance improvements on many websites.
  5. We added another bunch of locales and ship our bundles now additionally in ca, ga-IE, id, is, and nb-NO.

For Windows users we worked around a bug in mingw-w64 which affected updates on Windows (64bit) resulting in intermittent update failures. Moreover, we finally enabled hardware acceleration for improved browser rendering performance after applying a fix for a long-standing bug, which often caused crashes on Windows systems with graphics cards, e.g. from Nvidia.

The Tor version we ship is now 0.3.4.6-rc and it would be a good time now to report client issues, noticed with this release candidate or previous alpha releases, in case they did not get fixed so far.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 8.0a9 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

  1. On Windows localized builds on first start the about:tor page is not shown, rather a weird XML error is visible.
  2. Maybe related to the previous item, NoScript does not seem to work properly on Windows builds right now.
  3. We are not done yet with reviewing the network code changes between ESR52 and ESR60. While we don't expect that proxy bypass bugs got introduced between those ESR series, we can't rule it out yet.
  4. We disable Stylo on macOS due to reproducibility issues we need to investigate and fix. This will likely not get fixed for Tor Browser 8, as we need some baking time on our nightly/alpha channel before we are sure there are no reproducibility/stability regressions. The tentative plan is to get it ready for Tor Browser 8.5.

Note: This alpha release is the second one that gets signed with a new Tor Browser subkey, as the currently used one is about to expire. Its fingerprint is: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2. We plan to use it for the stable series, too, once Tor Browser 8 gets released.
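
A check for the subkey note above, added here as an example and not Tor Project code: it parses the machine-readable output of `gpg --status-fd 1 --verify` and accepts a file only if its single valid signature was made by the announced subkey. The sample status lines, the signer name and the all-zero primary-key fingerprint are constructed placeholders.

```python
import re

# Signing subkey fingerprint exactly as printed in the release announcement.
ANNOUNCED_SUBKEY = "1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2"

# GnuPG also prints VALIDSIG for signatures whose key has expired or been revoked,
# so any of these keywords rejects the file regardless of VALIDSIG.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output. The signer name and
# the all-zero primary-key fingerprint are placeholders, not real values.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EB774491D9FF06E2 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2018-08-20 1534750000 0 4 0 1 10 00 0000000000000000000000000000000000000000
"""


def normalize(fpr):
    """Drop spacing and case so the printed and machine-readable forms compare equal."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("expected a 40-hex-digit fingerprint")
    return compact


def signed_by_announced_subkey(status_text, pinned=ANNOUNCED_SUBKEY):
    """True only for exactly one valid signature made by the pinned subkey."""
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable output mixed into the stream
        if fields[1] in REJECT:
            return False
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # Field 2 is the fingerprint of the key that made the signature,
            # i.e. the subkey; the last field is the primary key.
            signers.append(fields[2].upper())
    return signers == [normalize(pinned)]


if __name__ == "__main__":
    print(signed_by_announced_subkey(SAMPLE_STATUS))
```
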

The full changelog since Tor Browser 8.0a9 is:

  • All platforms
    • Update Tor to 0.3.4.6-rc
    • Update Torbutton to 2.0.2
      • Bug 26960: Implement new about:tor start page
      • Bug 26961: Implement new user onboarding
      • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
      • Bug 26590: Use new svg.disabled pref in security slider
      • Bug 26655: Adjust color and size of onion button
      • Bug 26500: Reposition circuit display relay icon for RTL locales
      • Bug 26409: Remove spoofed locale implementation
      • Bug 26189: Remove content-policy.js
      • Bug 27129: Add locales ca, ga, id, is, nb
      • Translations update
    • Update Tor Launcher to 0.2.16.2
      • Bug 26985: Help button icons missing
      • Bug 25509: Improve the proxy help text
      • Bug 27129: Add locales ca, ga, id, is, nb
      • Translations update
    • Update NoScript to 10.1.8.16
    • Update meek to 0.31
      • Bug 26477: Make meek extension compatible with ESR 60
    • Bug 27082: Enable a limited UITour for user onboarding
    • Bug 26961: New user onboarding
    • Bug 14952: Enable HTTP2 and AltSvc
      • Bug 25735: Tor Browser stalls while loading Facebook login page
    • Bug 17252: Enable TLS session identifiers with first-party isolation
    • Bug 26353: Prevent speculative connects that violate first-party isolation
    • Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
    • Bug 26456: HTTP .onion sites inherit previous page's certificate information
    • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
    • Bug 26833: Backport Mozilla's bug 1473247
    • Bug 26628: Backport Mozilla's bug 1470156
    • Bug 26237: Clean up toolbar for ESR60-based Tor Browser
    • Bug 26519: Avoid Firefox icons in ESR60
    • Bug 26039: Load our preferences that modify extensions (fixup)
    • Bug 26515: Update Tor Browser blog post URLs
    • Bug 27129: Add locales ca, ga, id, is, nb
    • Bug 26216: Fix broken MAR file generation
    • Bug 26409: Remove spoofed locale implementation
    • Bug 26603: Remove obsolete HTTP pipelining preferences
  • Windows
    • Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
    • Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
    • Bug 12968: Enable HEASLR in Windows x86_64 builds
    • Bug 9145: Fix broken hardware acceleration
    • Update tbb-windows-installer to 0.4
      • Bug 26355: Update tbb-windows-installer to check for Windows7+
    • Bug 26355: Require Windows7+ for updates to Tor Browser 8
  • OS X
    • Bug 26795: Bump snowflake to 6077141f4a for bug 25600
  • Linux
    • Bug 25485: Unbreak Tor Browser on systems with newer libstdc++
    • Bug 20866: Fix OpenGL software rendering on systems with newer libstdc++
    • Bug 26951+18022: Fix execdesktop argument passing
    • Bug 26795: Bump snowflake to 6077141f4a for bug 25600
  • Build System
    • All
      • Bug 26410: Stop using old MAR format in the alpha series
      • Bug 27020: RBM build fails with runc version 1.0.1
      • Bug 26949: Use GitHub repository for STIX
      • Bug 26773: Add --verbose to the ./mach build flag for firefox
      • Bug 26569: Redirect pre-8.0a9 alpha users to a separate update directory
      • Bug 26319: Don't package up Tor Browser in the `mach package` step
    • OS X
      • Bug 26489: Fix .app directory name in tools/dmg2mar
    • Windows
      • Bug 27152: Use mozilla/fxc2.git for the fxc2 repository

I'm not sure if this works with new versions or whether this is exactly what you're looking for, but try this and determine whether it works for you:

Tor Browser > about:config > right click/add string:

general.useragent.override
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0

And to finish the job:

about:config > add new string:

general.platform.override
Win32

Now visit https://panopticlick.eff.org/ and see if this gets you some better results!

Anonymous

August 21, 2018

about:tor needs to be made dynamic so that it displays correctly on 1000x600 and similar low res windows. Now I get a scrollbar with it!

Anonymous

August 21, 2018

Hi,
I have a question, there is a project called https://joinpeertube.org and they use the BitTorrent protocol to share bandwidth between users. It implies that your public IP address is stored in the public BitTorrent tracker of the video PeerTube instance as long as you're watching the video. As they mention privacy can be compromised with this protocol and recommend to solve this situation using VPN or TOR.

Is this true? I have read so much on the TOR website that it is not safe to use p2p, webRTC.

Thanks, I hope you can help me with the question.

Anonymous

August 21, 2018

> even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates.
It can update a10 to a10 with full update. Is it intentional and secure?

Anonymous

August 21, 2018

> * Bug 26655: Adjust color and size of onion button
Is it useful? Sec Settings -> hamb menu, Tor Net Settings -> Options, Check upd -> null.

"This browser supports WebGL ×False (supported, but disabled in browser settings, or blocked by extensions)" is what I get when going to browserleaks.com and doing the WebGL test. That's with a Linux bundle. How can I reproduce your issue?

No, I disabled NoScript manually to check if it was blocking WebGL. But even without NS, WebGL demos don't play. E.g., displays the error message "It does not appear your computer supports WebGL", and the browser console shows

  Error: WebGL warning: Failed to create WebGL context: WebGL creation failed:
  * Error during native OpenGL init.
  * Exhausted GL driver caps.
  * Exhausted GL driver options.

@Anonymous - August 21, 2018

>The opening pdfs online issue hasn't been solved yet right?

Why would you want to open pdfs online while using Tor? That's probably not a good idea.

Also, I recommend:

Tor Browser > about:config > pdfjs.disabled - true

So, the opening pdfs online should work again

Well that's not even working for me, here's the crazy error that I get in the console:

Attempting to post a message to window with url "resource://pdf.js/web/viewer.html" and origin "resource://pdf.js^privateBrowsingId=1&firstPartyDomain=torproject.org" from a system principal scope with mismatched origin "[System Principal]".

Crazy error repeated itself 271 times.

That's the problem, see: https://trac.torproject.org/projects/tor/ticket/26540. However, I am not sure why it's not set to false in your case. We fixed that with https://trac.torproject.org/projects/tor/ticket/26039 in the sense that we don't set pdfjs.disableRange to true anymore and noticed previously that pdfjs would blow away non-user prefs. Probably that's because we originally set it as a user pref.

> in the sense that we don't set pdfjs.disableRange to true

That explains why it works on clean builds and not updated ones, it needs to be reverted for everyone though. And yes setting pdfjs.disableRange to false fixes the issue for me. Thanks a lot Georg!

Anonymous

August 21, 2018

> Update (8/21 7:45UTC): We got reports from users facing a weird update behavior: even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates. This is tracked in bug 27221. As a workaround, please either use a fresh 8.0a10 or go to about:config, search for 8.0a9. browser.startup.homepage_override.torbrowser.version and extensions.lastTorBrowserVersion will show up. Switch their values to 8.0a10. Sorry for the inconvenience.

Setting extensions.lastTorBrowserVersion to 8.0a10 is enough to fix this issue. But what's the weird pref it is? Did somebody miss `.torbutton.` in some patch? Also, it's entirely Torbutton's bug which triggers Updater to update (and it unfortunately has no protections from updates to the same version).

Anonymous

August 21, 2018

> Moreover, we finally enabled hardware acceleration for improved browser rendering performance

Doesn't this add new fingerprinting attack vectors?

Are you saying it was enabled by default and by design on all platforms except windows, and all threats were analyzed?
Don't you know that:
- D2D renders fonts differently?
- only WebGL has a so-so sanitizer (ANGLE), other calls are direct?
- DXVA has different versions and no sanitization of videos?

Also, what's up with SVG sanitizing instead of blocking?

You've only set the bit in executables, but it's possible to force heaslr flag (but not heaslr) on the app even without it. However, you should know it is opt-in only. So, no heaslr for now.
Also, you missed libssp-0.dll.

Anonymous

August 21, 2018

> Use new svg.disabled pref in security slider

But still using the long-gone `media.webaudio.enabled` pref instead of the correct `dom.webaudio.enabled` preference ...
