New Release: Tor Browser 8.0a10

Update (8/21 7:45UTC): We got reports from users facing a weird update behavior: even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates. This is tracked in bug 27221. As a workaround, please either use a fresh 8.0a10 or go to about:config, search for 8.0a9. browser.startup.homepage_override.torbrowser.version and extensions.lastTorBrowserVersion will show up. Switch their values to 8.0a10. Sorry for the inconvenience.

Update 2 (8/23 16:20UTC): Today NoScript 10.1.8.17 got released which broke the security slider interaction due to a new messaging protocol. We fixed this problem in bug 27276 and the patch will be available in the Tor Browser 8 release. However, there is no alpha release planned to pick up this fix. Users that depend on the security slider functionality are encouraged to use the stable Tor Browser or a nightly version (starting with the one from tomorrow, August 24) until Tor Browser 8 and the next regular alpha release get out. Again, sorry for the inconvenience.

Tor Browser 8.0a10 is now available from the Tor Browser Project page and also from our distribution directory.

It is the second alpha release based on Firefox ESR 60 and contains a number of improvements and bug fixes. The highlights are the following features and major bug fixes:

  1. This alpha includes big changes to the user onboarding experience, and there are more to come.
  2. We included a revamped start page (special thanks to Mark and Kathy for the implementation on short notice).
  3. The meek pluggable transport should be fully functional now.
  4. We audited and enabled HTTP2 which should give performance improvements on many websites.
  5. We added another bunch of locales and ship our bundles now additionally in ca, ga-IE, id, is, and nb-NO.

For Windows users we worked around a bug in mingw-w64 which affected updates on Windows (64bit) resulting in intermittent update failures. Moreover, we finally enabled hardware acceleration for improved browser rendering performance after applying a fix for a long-standing bug, which often caused crashes on Windows systems with graphics cards, e.g. from Nvidia.

The Tor version we ship is now 0.3.4.6-rc and it would be a good time now to report client issues, noticed with this release candidate or previous alpha releases, in case they did not get fixed so far.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 8.0a9 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

  1. On Windows localized builds on first start the about:tor page is not shown, rather a weird XML error is visible.
  2. Maybe related to the previous item, NoScript does not seem to work properly on Windows builds right now.
  3. We are not done yet with reviewing the network code changes between ESR52 and ESR60. While we don't expect that proxy bypass bugs got introduced between those ESR series, we can't rule it out yet.
  4. We disable Stylo on macOS due to reproducibility issues we need to investigate and fix. This will likely not get fixed for Tor Browser 8, as we need some baking time on our nightly/alpha channel before we are sure there are no reproducibility/stability regressions. The tentative plan is to get it ready for Tor Browser 8.5.

Note: This alpha release is the second one that gets signed with a new Tor Browser subkey, as the currently used one is about to expire. Its fingerprint is: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2. We plan to use it for the stable series, too, once Tor Browser 8 gets released.

The full changelog since Tor Browser 8.0a9 is:

  • All platforms
    • Update Tor to 0.3.4.6-rc
    • Update Torbutton to 2.0.2
      • Bug 26960: Implement new about:tor start page
      • Bug 26961: Implement new user onboarding
      • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
      • Bug 26590: Use new svg.disabled pref in security slider
      • Bug 26655: Adjust color and size of onion button
      • Bug 26500: Reposition circuit display relay icon for RTL locales
      • Bug 26409: Remove spoofed locale implementation
      • Bug 26189: Remove content-policy.js
      • Bug 27129: Add locales ca, ga, id, is, nb
      • Translations update
    • Update Tor Launcher to 0.2.16.2
      • Bug 26985: Help button icons missing
      • Bug 25509: Improve the proxy help text
      • Bug 27129: Add locales ca, ga, id, is, nb
      • Translations update
    • Update NoScript to 10.1.8.16
    • Update meek to 0.31
      • Bug 26477: Make meek extension compatible with ESR 60
    • Bug 27082: Enable a limited UITour for user onboarding
    • Bug 26961: New user onboarding
    • Bug 14952: Enable HTTP2 and AltSvc
      • Bug 25735: Tor Browser stalls while loading Facebook login page
    • Bug 17252: Enable TLS session identifiers with first-party isolation
    • Bug 26353: Prevent speculative connects that violate first-party isolation
    • Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
    • Bug 26456: HTTP .onion sites inherit previous page's certificate information
    • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
    • Bug 26833: Backport Mozilla's bug 1473247
    • Bug 26628: Backport Mozilla's bug 1470156
    • Bug 26237: Clean up toolbar for ESR60-based Tor Browser
    • Bug 26519: Avoid Firefox icons in ESR60
    • Bug 26039: Load our preferences that modify extensions (fixup)
    • Bug 26515: Update Tor Browser blog post URLs
    • Bug 27129: Add locales ca, ga, id, is, nb
    • Bug 26216: Fix broken MAR file generation
    • Bug 26409: Remove spoofed locale implementation
    • Bug 26603: Remove obsolete HTTP pipelining preferences
  • Windows
    • Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
    • Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
    • Bug 12968: Enable HEASLR in Windows x86_64 builds
    • Bug 9145: Fix broken hardware acceleration
    • Update tbb-windows-installer to 0.4
      • Bug 26355: Update tbb-windows-installer to check for Windows7+
    • Bug 26355: Require Windows7+ for updates to Tor Browser 8
  • OS X
    • Bug 26795: Bump snowflake to 6077141f4a for bug 25600
  • Linux
    • Bug 25485: Unbreak Tor Browser on systems with newer libstdc++
    • Bug 20866: Fix OpenGL software rendering on systems with newer libstdc++
    • Bug 26951+18022: Fix execdesktop argument passing
    • Bug 26795: Bump snowflake to 6077141f4a for bug 25600
  • Build System
    • All
      • Bug 26410: Stop using old MAR format in the alpha series
      • Bug 27020: RBM build fails with runc version 1.0.1
      • Bug 26949: Use GitHub repository for STIX
      • Bug 26773: Add --verbose to the ./mach build flag for firefox
      • Bug 26569: Redirect pre-8.0a9 alpha users to a separate update directory
      • Bug 26319: Don't package up Tor Browser in the `mach package` step
    • OS X
      • Bug 26489: Fix .app directory name in tools/dmg2mar
    • Windows
      • Bug 27152: Use mozilla/fxc2.git for the fxc2 repository
Seth Schoen

August 21, 2018

Permalink

Error: We have already registered a distinct blocker with the same name: Crash Reporter: blocking on minidumpgeneration. nsAsyncShutdown.js:114:11
TypeError: win.gBrowser is undefined[Learn More] ProcessHangMonitor.jsm:412:9
Webconsole context has changed

Seth Schoen

August 21, 2018

Permalink

Sometimes NoScript's menu opens partially with error:
21:58:04.646 TypeError: Argument 1 of PrecompiledScript.executeInGlobal is not an object. 1 ExtensionContent.jsm:489:18

Seth Schoen

August 21, 2018

Permalink

after a few restarts NoScript is still not working on my window7, actually after a few restarts all add-ons stop working

security level is safest, all add-ons in the toolbar ( noscript, https everywhere) stop working, i noticed the bug in the previous version, just after a few restarts noscript stop working i know that because i test it on http://ip-check.info/?lang=en/ and the test says JavaScript is enabled, if i click on the noscript icon it simply doesn't work, it doesn't open any menu, https everywhere shows a blank menu

Seth Schoen

August 21, 2018

Permalink

@Anonymous - August 21, 2018

>WebGL Blocking (NoScript) ✔ not detected
>It was blocked by default in previous versions.

Tor Browser > about:config > webgl.disabled - true

One and done. Next?

Seth Schoen

August 21, 2018

Permalink

I surf via Tor with a full screen.

I'm not about to struggle squinting in some stupid low-res mode of the browser because it makes me fit in with other Tor users. Sure, the maxed out browser window is against the recommendations of some, but seriously? There has to be a better way to deal with CSS bullshit and the browser, something better than leaving your browser open as a tiny window on a large screen!

While we're at it, I also disable favicons. The downsides of leaving them enabled is well documented.

Tor Browser > about:config > browser.chrome

and

browser.chrome.favicons;false
browser.chrome.image_icons.max_size;0
browser.chrome.site_icons;false

Seth Schoen

August 21, 2018

Permalink

Great.

So now we get the "new" NoScript add-on? It's dumbed down to nothing! The old version of NoScript (which continues to function well with the old FF ESR) was/is kickass!

I wonder - does the author of NoScript plan on rebuilding the NoScript add-on to contain features it now lacks? Gone are all the options to tighten up your browser. Now it's just some point and click nonsense for sites. IMO, it's little more than a steaming pile of cow dung.

What a shame.

I disagree. Users should not need to get in touch with NoScript and its settings at all. We plan to redo our security related settings after we get Tor Browser 8 out and we'll point to those then in the onboarding.

Seth Schoen

August 21, 2018

Permalink

I open TBB 8.0a10 to a white browser page that says "The proxy server is refusing connections". Checking connections with "about:preferences" shows:
1. Manual proxy connections - check
2. SOCKS Host 127.0.0.1 ... Port 9150
3. SOCKS v5 - check
4. Proxy DNS when using SOCKS v5 - check
I did try running 8.0a10 in Safe Mode on Windows 7 x64bit FIRST to bork the antivirus and Windows Defender. Reason: trying to grapple with the endless browser reload loop without uninstalling Avast antivirus. That's when I got "The proxy server is refusing connections" originally. After rebooting into a normal Windows session, the problem persisted. However, TBB 7.5.6 opened and functioned normally in Safe Mode. I don't what's the difference, but that's what happened. Imma gonna go hide now before the Tor Project Team mushroom cloud nukes me.

There may be a Security Slider problem. First, thank you for pointing out ticket #27261. I read the comments, noting comments #8, #14 and #15. Then I deleted my Tor Browser folder for TBB 8.0a10_64bit. A fresh re-installation of the TBB opened to a blank white browser, but using either "New Window" or "New Identity" in the hamburger menu took me right to the purple start page. Add-ons Manager in about:addons allowed me to disable NoScript. 8.0a10_64bit has been stabile, meaning no endless reload cycling (after numerous TBB re-boots). NoScript remains disabled. I can use Library>Bookmarks>https://www.torproject.org/ to navigate away from the starting page - no problem. Now then ... I notice that twitter[.]com requires the slider to be set at mid-range in TBB 7.5.6, or twitter doesn't work well (e.g.: threads won't open). However, twitter[.]com is completely permissive to TBB 8.0a10_64bit with the slider set to "safest". If I use about:config to set javascript enabled to false, I will get the same impaired function on twitter with TBB 8.0a10 that I would get with TBB 7.5.6's slider set to "safest". So ... the TBB 8.0a10 security slider may not be protecting (fully?) in the safest position. Best wishes, and thanks again. I know all of you are pushing hard to release a stabile TBB 8.0

Seth Schoen

August 21, 2018

Permalink

Is there a reason "Bookmark Toolbar" dose not show the items? Selecting the option adds the space for it to the toolbar but the items do not display.

Or am I doing something wrong?

Seth Schoen

August 22, 2018

Permalink

On shutdown:

JavaScript error: chrome://torbutton/content/tor-circuit-display.js, line 466: TypeError: myController is null

Seth Schoen

August 22, 2018

Permalink

On Linux the User Agent is: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
So it will leak, that you are using Linux, instead of being the same user agent for all OS

Also I don't get why the compact theme isn't standard.
You want to waste as little space as possible.

Seth Schoen

August 23, 2018

Permalink

Update (8/21 7:45UTC): We got reports from users facing a weird update behavior: even after successfully applying an update to 8.0a10 the updater keeps downloading and applying updates. This is tracked in bug 27221. As a workaround, please either use a fresh 8.0a10 or go to about:config, search for 8.0a9. browser.startup.homepage_override.torbrowser.version and extensions.lastTorBrowserVersion will show up. Switch their values to 8.0a10. Sorry for the inconvenience.

Update 2 (8/23 16:20UTC): Today NoScript 10.1.8.17 got released which broke the security slider interaction due to a new messaging protocol. We fixed this problem in bug 27276 and the patch will be available in the Tor Browser 8 release. However, there is no alpha release planned to pick up this fix. Users that depend on the security slider functionality are encouraged to use the stable Tor Browser or a nightly version (starting with the one from tomorrow, August 24) until Tor Browser 8 and the next regular alpha release get out. Again, sorry for the inconvenience.

Real alpha! (Most alphas were too boring :) ) Only versions with such bugs can be called alpha!

Everything they set seems to be " ../gcc-$gcc_version/configure --prefix=${prefix-/tools/gcc} --enable-languages=c,c++ --disable-nls --disable-gnu-unique-object --enable-__cxa_atexit --with-arch-32=pentiumpro --with-sysroot=/" in /build/unix/build-gcc/build-gcc.sh

Seth Schoen

August 23, 2018

Permalink

The 9 and 10 alphas I have the same issue: My network connection test is not 100% stable. With ff DE and stable tor I have a flat line of 3.3 Mbps when doing network download test at testmy.net site. I have the tor proxy disabled for all tests. The alpha releases show a wobbly line varying between 3.0 and 3.8 mbps. This only happens with the alpha versions. Could you please investigate.

Seth Schoen

August 24, 2018

Permalink

According to ghacks-user.js sections 4500 and 4600, with Firefox 55 and later the following prefs should be left at their Firefox default values if privacy.resistFingerprinting is enabled:

dom.maxHardwareConcurrency,dom.enable_resource_timing,dom.enable_performance,device.sensors.enabled,browser.zoom.siteSpecific,dom.gamepad.enabled,dom.netinfo.enabled,media.webspeech.synth.enabled,media.video_stats.enabled,dom.w3c_touch_events.enabled,media.ondevicechange.enabled,webgl.enable-debug-renderer-info.

However, 000-tor-browser.js still changes them, except dom.netinfo.enabled (setting the obsolete dom.network.enabled pref instead), media.ondevicechange.enabled, and webgl.enable-debug-renderer-info. Is this done on purpose or just an ESR52 leftover?

More probably dead prefs:
app.update.badge,
browser.download.manager.scanWhenDone,
browser.syncPromoViewsLeftMap,
devtools.appmanager.enabled,
dom.enable_user_timing (maybe replaced by dom.performance.enable_user_timing_logging and covered by privacy.resistFingerprinting?),
extensions.checkCompatibility.4.*,
extensions.enabledItems,
font.default.lo,
font.default.my,
font.name.fantasy.*,
font.name.*.my,
general.productSub.override,
general.useragent.vendor,
general.useragent.vendorSub,
intl.charset.default,
media.audio_data.enabled,
media.eme.apiVisible,
network.http.pipelining.*,
privacy.suppressModifierKeyEvents (covered by privacy.resistFingerprinting?),
privacy.use_utc_timezone (covered by privacy.resistFingerprinting?)

Also, security.tls.version.max is 4 (which means TLS 1.3 support) in FF ESR 60, but 3 in Tor Browser (TLS 1.2 supported but not 1.3). Any reason for not allowing TLS 1.3 yet?

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

15 + 5 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.