New Release: Tor Browser 8.5.1

by boklm | June 4, 2019

Tor Browser 8.5.1 is now available from the Tor Browser Download page and also from our distribution directory.

Tor Browser 8.5.1 is the first bugfix release in the 8.5 series and aims at mostly fixing regressions and providing small improvements related to our 8.5 release. Additionally, we disable the WebGL readPixel() fingerprinting vector, realizing, though, that we need a more holistic approach when trying to deal with the fingerprinting potential WebGL comes with.

The full changelog since Tor Browser 8.5 is:

  • All platforms
    • Update Torbutton to 2.1.10
      • Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update NoScript to 10.6.2
      • Bug 29969: Remove workaround for Mozilla's bug 1532530
    • Update HTTPS Everywhere to 2019.5.13
    • Bug 30541: Disable WebGL readPixel() for web content
  • Windows + OS X + Linux
    • Bug 30560: Better match actual toolbar in onboarding toolbar graphic
    • Bug 30571: Correct more information URL for security settings
  • Android
    • Bug 30635: Sync mobile default bridges list with desktop one
  • Build System
    • All platforms
      • Bug 30480: Check that signed tag contains expected tag name

Comments

Please note that the comment area below has been archived.

June 04, 2019

Permalink

Can you please add an advanced button that will enable us to directly select security level, javascript on/off, and images on/off? Just because you want low IQ grandmas to use Tor doesn't mean you should make all security options hidden and hard to use. If you want my opinion, hiding the security levels on the options page doesn't only make for better informed users, the reason given by the Tor developers for this change. It also ensures that the vast majority of users never get off Standard security. In other words, it ensures less security, not more.

Just my 2 cents.

Security level shield -> Advanced Security Settings Is no good? JavaScript on/off and images on/off are no more hidden or visible than they are in normal Firefox about:config. Customizing too much away from the 3 levels makes your fingerprint stand out. NoScript icon is absent. It can be replaced, but the answer is buried in "New to Tor Browser?" walkthrough that advanced users won't think will say so. Tor Browser Security level is no harder or easier to use than before, two clicks from toolbar icon. The wording on first click could be more instructive, imo. I think it does result in many never getting off Standard.

No. Tor Browser is secure out of the box. If you have to tweak settings to make Tor Browser secure then it's a flaw of Tor Browser. Standard security is actually really secure because Firefox is now hardened against exploits. If you can be exploited when you are on Standard then that's because the Tor Browser is broken, not because you fail to pick a higher security level. And exposing the option only creates a false sense of security.

> Just because you want low IQ grandmas to use Tor

Wow, what a mean-minded engine of complaint you are.

> Just my 2 cents.

You know that's not a raise, right? Not from 50 cents its not.

Plus one!

Idea: one way of understanding the shield icon (for security settings) viz the bullseye icon (for Tor Browser versions for major devices and OS's) might be that these serve as visual reminders that while Tor helps keep Tor users safe, everyone is a target, which implies that people who are not using Tor probably should be using Tor.

June 04, 2019

Permalink

Not much to say, but I do want to emphasize on what "qw" and "Thomas Tank engine" mentioned, because these 2 are legit issues.

June 06, 2019

In reply to gk

Permalink

"[...]give dormant mode support in the alpha more testing[...]"

Lack of logic?
4.0.5 is STABLE, torproject is testing in alpha and there are a lot of changes/bugfixes like padding.
Agencies needs no backdoors when torproject isn't introducing real improvements like padding faster.

June 04, 2019

Permalink

i just wanted to comment that i agree with everything Thomas Tank Engine has said. please consider implementing his idea.

June 04, 2019

Permalink

Dah, it is now longer for users to go to temporarily change the security level.
If the bookmarks toolbar is shown, will change the screen size.

Can add the Preferences shortcut icon to nav bar (round gear or "sun" shape).
Two clicks & Preferences > Privacy & Security is open.
Share with comrades. Poka

How did you reach the conclusion that it's longer to click the Security Level shield icon, Advanced Security Settings than it is to open the general Preferences page, click the Privacy page, and manually scroll to find the 3 radio buttons?

Just a reminder that users can open discussion about re-instating the security slider through bug report feedback:

In addition to the known issues, we are always looking for feedback about ways we can make our software better for you. If you find a bug or have a suggestion for how we could improve this release, please let us know.
New Release: Tor Browser 8.5

Information to consider...
Why was it removed in the first place? "[T]o make setting security options accessible and more usable for everyone".

Our security slider is an important tool for Tor Browser users, especially for those with sensitive security needs. However, its location behind the Torbutton menu made it hard to access.
Tor Browser Security
During the Tor Browser 8.5 development period, we revamped the experience so now the chosen security level appears on the toolbar. You can interact with the slider more easily now. For the fully planned changes check out proposal 101.
New Release: Tor Browser 8.5

The lead developer of Tor Browser, gk, clarifies a limitation not yet in the manual:

The reason for the current design is that the button on the toolbar is not meant to easily toggle the slider state. It's meant to show you your current state and to offer the option to (re-)set the level if you really need to. It's a global feature affecting the whole browser session and could lead to surprises if used to just change the level for site X.
gk

June 05, 2019

Permalink

Thomas the Tank Engine is right. The slider was fine the way it was before.

My recommendations:
a) remove the word "Advanced" from the button "Advanced Security Settings".
b) on the Security setting page under the "Safest" option, append "(editing via NoScript may expose you to fingerprinting)
c) for the "Standard" option please consider having a "No javascript from the FACAAGY corporations" enabled by default", ie. Facebook, Apple, Cloudflare, Amazon, Akamai, Google, Yandex". When a site uses blocked JS, a small speech bubble type element would appear from the NoScript plugin. Informing the person that FACAAGY corporation JS is disabled and how to enable it. The user can click, Go to Security Settings or ignore this message in future.

b) If developers go that route, then Safer rather than Safest. Some sites have trouble on Safer which will cause some users to react by customizing NoScript. And click-to-play media simply adds custom entries to NoScript per-site permissions.
c) I doubt most people will have an idea what you mean by "FACAAGY". It sounds like you want a blocklist built in, but:

June 05, 2019

Permalink

Regarding the Security Level. Why not make something similar to https everywhere? Click on the shield icon (which is a nice choice by the way) to show the three options "standard", "safer" and "safest" and besides those options an on/off button each. This would simplify choosing the security level, would be preferable to "Advanced Settings" and look better then a slider. Furthermore you would just need one click.

(Non English speaker; apologies for strange grammar)

They cannot have on/off buttons because the 3 security levels are "mutually exclusive". Appropriate UI widgets for the security levels are radio buttons, a drop-down list, or a slider. On/off buttons are another form of a checkbox. Checkboxes are not mutually exclusive to other checkboxes.

Beauty is not the only thing to design for. Radio buttons provide the most accessible interface for selecting between paragraph-sized descriptions of the levels. The text stays visible when the selection is changed. To its credit, the vertical slider makes the hierarchy relationship between the levels immediately understood, but its compact form demands for the text to be replaced when the user moves the slider.

Lastly, developers basically said in comments to the blog post for Tor Browser 8.5 that they didn't want the levels to be simpler to choose than the old slider location because the level should really only be chosen at the beginning of the New Identity session. A simpler Security UI might lead newbies to change the level frequently in the middle of a session which would make their browsing activity conspicuous. Experienced users know better how to be careful.

June 05, 2019

Permalink

If there would exist a prize for high quality software protecting privacy on internet,
then tor-browser would get first prize!

Just one little suggestion.
In order to verify the signature of the tor-browser archive one must be used to work with a CLI
like terminal.
Might it be possible to avoid this and (just like Tails) include the verification of the archive automatically?

Best regards

Include the verification? Think hard about what you're asking. Will an unverified program always be honest in verifying itself? The chicken or the egg. Fox guarding hens. Catch 22. Think about the chain of trust for each verification method. Tails' second method, BitTorrent, verifies that the downloaded file hashes agree with the torrent file or magnet link, but who gave you the torrent file or magnet link? Is the hash algorithm and your torrent program secure? Tails' first method is for you to install a browser extension. Was a man-in-the-middle attack possible? Is their extension signed? Is their server located at a third party hosting datacenter or CDN? Who are you trusting in the chains? Etc.

Learn how a certificate authority (CA) works. Learn whose certificates Windows uses to verify signed installers by non-Microsoft developers. For a spice of history, lookup NSAKEY. Next, contrast the public key infrastructure (PKI) to how the PGP web-of-trust works. Then, ask yourself, "How do I verify the GPG program itself if I have to trust it to run on my system and to verify honestly in order for me to verify it?" Figure out several ways. Next, figure out the best compromise for the most trustworthy way that is within your ability and within your acceptable risk threshold (related to what's called the threat model you decide on). Then, figure out the most trustworthy way that someone who is under threat from leaders of the country they are in or from pervasive global adversaries could do it. Compare to what they did to verify communications before mobile phones and then before the telegraph. Next, reassess your top methods for the types and amounts of metadata each method leaks.

Two examples of point-and-click interfaces for GPG are GPA and Kleopatra. For Windows, they are in the Gpg4win bundle. For Linux, they are in official repositories for most distros. For macOS, GPGTools integrates with the macOS services context menu. Those interfaces were made to manage keys and process e-mail messages. When you verify files, you can import and manage keys in those interfaces, but it might not be possible to verify files except by typing that one "verify" command in a terminal command prompt.

In order to verify the signature of the tor-browser archive one must be used to work with a CLI
like terminal.
Might it be possible to avoid this and (just like Tails) include the verification of the archive automatically?

You only have to verify it manually the first time. You can update automatically after.

You can use graphical programs to verify signatures from the start: Gpg4win for Windows and GnuPG for macOS and Linux. After you install them, you can right-click and verify that two long sets of numbers match. No terminals necessary.

Replying to Mlders:

Question (German):

Seit wann wird die extra App Orbot nicht mehr benötigt?

Question (English):

Since when is the extra Orbot app no longer needed?

Comments from New Release: Tor Browser 8.5:

Hello I'm kind of confused with this stable alpha version of tor browser out do I still need orbot and orfox it seems to run fine when i dont have either installed ?
Anonymous

Orfox is the older version of Tor Browser. In the near future, Orfox users will receive an update pointing them to Tor Browser.

Regarding Orbot, it app is not needed if you only use Tor Browser (because Tor Browser includes its own tor, and it doesn't need an additional app). If you use other apps that need Orbot or if you use other features of Orbot (like the VPN mode), then you still need Orbot for this (Tor Browser does not replace Orbot).
sysrqb (developer)

Answer (German):
Anscheinend wird es noch gebraucht.
Answer (English):
Apparently it is still needed.

June 05, 2019

Permalink

First off, will you guys please add the HTTPS-EVERYWHERE and NOSCRIPT icons on the top bar by default (next to the Tor Button)? Those are important enough that they should be there by default without having to add it in customize.

Second, what was the point in changing the security settings UI from the old TorButton way of doing it? It's just adding an extra icon for no reason and less intuitive than the old settings. Also we should really have an an/tracking blocker like uBlock Origin added to TorBrowser by default as well.

You should NOT be changing any settings within these extensions on Tor Browser. They're hidden for the exact reason you want them to be there (people with no clue customizing things on a browser that's supposed to make you look the same as everyone else). If you want to use Tor Browser for anonymity, do not customize it. It very clearly says so.

About ad blocking: It's explained in the Tor documentary, why Tor Browser does not come with ad blocking. There are no "tracking blockers" that work, even if amateurs in forums may have convinced you otherwise. The fact that blacklisting of URLs doesn't work against tracking is why Tor Browser does not implement it and instead tries to solve the problem of tracking by creating separate circuits for different URLs and by making every Tor Browser user look about the same (excluding people like you, who change random settings because they think they know better, and who in turn stand out from the masses).

Your Logic is flawed, tell that to many people who have had their identity revealed trusting default settings in the TBB. Educate yourself and stop believing you are safe cause your using a privacy browser and thinking default settings are good enough.

P.S. Thanks Tor Developers and those who donate, You guys are helping everyone keep their information private. It isn't perfect, but Tor is the best we got for now.

It's not that ad blocking doesn't work against tracking. It works well for certain threat models and configurations, but present implementations are not yet adapted well for the high bar threat model and low false-positives Tor Browser is designed for. A normal browser's fingerprint entropy compared to other normal browsers is drastically reduced by disabling javascript for instance. Populations of Tor Browser users installing different varieties of add-ons compared to most Tor Browser users is yet another issue. Imagine another situation: a normal browser on a free wifi access point that is configured to share one external IP address along with a restaurant or lobby full of other patrons who may or may not agree to synchronize their browsers.

Also we should really have an an/tracking blocker like uBlock Origin added to TorBrowser by default as well.

Technically there is a ticket to add uBlock Origin to Tor Browser. uBlock Origin is a general-purpose blocker (also included with Tails) that can prevent WebRTC from leaking local IP addresses.

Anonymous is right: whitelist security is better than blacklist security.

This is important to mention:
The HTTPS EVERYWHERE icon on the top bar is MISSING SINCE A LONG TIME!

In the older releases it only appeared after some very long delay, but now it does not appear at all.

Even though I agree with removing the NoScript icon, I can not agree with removing the HTTPS EVERYWHERE icon, because it is absolutely needed for turning on HTTPS only mode, what is very very important because exit nodes can not and should not be trusted at all.

(By the way, I hope you have already solved the infinite loop problem what happens when posting here in high security mode, but anyway I posted here now, because the thing about HTTPS EVERYWHERE is very important)

If you're worried about data you send being sniffed by a man in the middle and the site's owners don't enforce HTTPS, then why do you trust the site to protect your data in the first place? If you're worried that exits are logging the full http URL, not just https domain.xyz, ads log the full URL anyway regardless of HTTPS. In that case, start a new identity in the onion icon after you finish using the site.

June 05, 2019

Permalink

After update to newest version on iMac Pro Mojave, Tor crashes, cannot roll back to older version, dead in the water, any advice?

June 05, 2019

Permalink

I am running Tor Browser 8.5.1. When I try to set the Master Password, I get an error message that says "Password change failed', and "Unable to change master password".

June 05, 2019

Permalink

to the point: how do you update tor within tails? i have looked but cannot find an answer that is clear enough..a step by step would be very nice..

June 08, 2019

In reply to boklm

Permalink

A bit more on why it's best to wait for the next Tails: if you try to install something fairly complicated like a Tor Browser bundle in Tails you might easily break some of the carefully tweaked configurations which Tails team put in to keep you safe(r). The risks of the consequences of something like that probably outweigh the possible benefit of replacing TB 8.5 with the current TB 8.5.1.

June 05, 2019

Permalink

Please, listen to users and remove the extra and scary sounding Advanced Settings prompt. I only clicked on it after reading the comments here. Tiananmen Massacre's birthday was 2 days ago and China is getting more sophisticated.

June 05, 2019

Permalink

Hi, I can not connect. It shows me the following message on my MacbookPRo:
"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."
I downloaded the last version tried to restart TOR but the problem persists.

Please try running the application from a shell prompt and let us know what messages you see. Open Terminal and type this: /Applications/TorBrowser.app/Contents/MacOS/firefox (assuming you have installed Tor Browser into /Applications).

June 06, 2019

Permalink

You have javascript enabled in your browser! Disable this for your own safety!

we want javascript plz i dont see it

June 12, 2019

In reply to gk

Permalink

Yes, it looks the same. In general, it is intermittent browser bug, because I checked the headers, and they were correct. Also it seems to happen when you access some site for the first time only.

June 13, 2019

In reply to gk

Permalink

you can get even:
09:09:23.060 TypeError: this._callback is null /Tor Browser/Browser/omni.ja!/components/nsUpdateService.js:3092:7

June 06, 2019

Permalink

Perhaps a better way would be to give the user the option for the 3 security levels directly in the menu of the shield icon, but add a warning that changing this will change it for ALL tabs, not just the currently active one.

The regular Firefox settings should probably not be accessible through the UI at all. Same goes for the extensions settings. Making these accessible is a trap for people who don't know what they're doing and who think they can just switch stuff around like in a regular browser. If anyone wants to change a setting on Tor browser, for example a person who wants to test something and who doesn't need to be anonymous, they could still access the settings through the about:preferences page.

> add a warning that changing this will change it for ALL tabs

And that they should change it only when starting or ending a New Identity. What if a modal popup to change the security level displayed after a New Identity so you couldn't browse until you set or canceled it? Or the radio buttons were displayed on about:tor until HTTP activity? Would it dampen the effect of impulsive behavior? Would it link them to learn more?

> And that they should change it only when starting or ending a New Identity.

I think this is good advice. Indeed I think somewhere TP offers the same advice. Possibly this injunction (choose New Identity whenever you move the security settings) should be more prominent?

June 06, 2019

Permalink

For how long have the 64-bit version of TBB for windows been available?
Just noticed I was running 32-bit version which i installed long ago when 64-bit wasn't available and it seems 32-bit users are not auto-upgraded to 64-bit so I had to re-install with the 64-bit TBB....

June 07, 2019

Permalink

If the bridge type scramblesuit is deprecated should it be removed from the documentation for bridges?

I guess it depends on where the documentation is? It might still help people but, yes, we should make it in general explicit which pluggable transports we still support and which not.

June 07, 2019

Permalink

Ever since the previous update I've been having problems with downloading files, it's added to the download list, but on occasions it gets stuck starting the download, the bar is flashing blue and remains as in "unknown time left", is not a problem with the file or site, since if I try again it may then download normally, although it could happen for the new download to get stuck as well.
Another symptom of the issue is that the failed download cannot be cancelled or removed from the list, the entry would just remain there till the end of the session, while downloads that succeeded would behave just normal.
Now, this in on itself was not a problem(but quite annoying), I'll just try a new download and let the other one hanging there for hours until I was done using Tor, but now if I want to retry the download I'll be meet by a window stating that "the download cannot be completed for unknown reasons", and won't let me try for a new one unless I restart the browser, worse is some other downloads will be affected as well, some will show that window, others will download fine.

The behavior is random as far I can tell, but is almost always certain that the first download I try, whatever it is, will be stuck there for the rest of the session, along with any other that happens along the way.

Had these same problems many times, a new circuit has helped me with downloads. Also can help alot with the speed of the downloads. Have had no luck at canceling stuck downloads, sometimes they cancel sometimes they don't.

June 08, 2019

Permalink

I've read so much about TOR since i've been using it these last three and a bit years and i am basically no wiser than i was 1st time i used it. I had, and still have absolutely no idea how to change or even locate security settings before this latest change or since this latest change. Moreover even if i was able to locate security settings i do not know what security settings are the safest.
And as for downloading /uploading content???
winzip? or 7? or about 5 other free unpackers or whatever the hell they are called i have at various points downloaded them all but could i understand even 1% of how to use them? NOPE!

What infuriates me also is that i have CONTENT that i would happily share - but again ... i'd firstly need to know how to share beforedoing that.

Just my two cents worth also!

> I've read so much about TOR since i've been using it these last three and a bit years and i am basically no wiser than i was 1st time i used it. I had, and still have absolutely no idea how to change or even locate security settings before this latest change or since this latest change.

That's disheartening but let me try to help.

> Moreover even if i was able to locate security settings

Look at the right side of the menu bar at the top of your Tor Browser 8.5.1 window. Click on the shield icon between the onion icon and the red UBlock icon.

> i do not know what security settings are the safest.

Unfortunately as a general rule we should expect to risk trading some usability (and maybe some anonymity) for better cybersecurity. And what works better for most might work not so well for you. All that said, the settings are "Standard", "Safer", and "Safest".

When you clicked the shield icon you should see a page with brief explanations of what additional security features are added by "safer" and "safest".

I always try to use the safest setting at every site I visit which does not entirely prevent me from using the site at all. For example, many sites work with "safest", but to play a video you may need to drop down to "safer" and reload (curly arrow icon at top left of menu bar).

I generally avoid sites which do not work at all except at "standard", and the number of blocked scripts I see tend to confirm that this is a wise practice.

> And as for downloading /uploading content??? winzip? or 7?

7zip, maybe?

> or about 5 other free unpackers or whatever the hell they are called i have at various points downloaded them all but could i understand even 1% of how to use them? NOPE!

I use Linux so I can't help you with Windows. Maybe someone else will address your question about using compression utilities on Windows?

> What infuriates me also is that i have CONTENT that i would happily share - but again ... i'd firstly need to know how to share beforedoing that.

Content (blog posts? videos of a street protest?) to share on... popular social media sites? This is a tricker subject I think and I have to agree that instructions seem to be hard to find, but I know people do this successfully all the time. The type of content and where you want to upload the content probably matters. I guess it is more likely you will be required to register an account (and to give a valid email) if you want to upload content. I hear good things about protonmail as an email provider which won't sell out their own users.

Maybe someone else can suggest a video tutorial?

https://tb-manual.torproject.org/security-settings/

As for downloading/uploading content, I can't recommend appropriate things without knowing the kind of content and by what method or where you want to send it. 7-zip and others in general are called file archivers. You said Winzip, which is proprietary shareware for Windows, so I will assume you are using Windows. 7-zip is free/libre open-source software and is the one, single, archive program I recommend on Windows. Sometimes, however, it is not necessary to compress files.

There are many possible methods to share content, and there are positives and negatives for each method. Tor Project recommends OnionShare. https://support.torproject.org/misc/misc-12/

June 08, 2019

Permalink

Suck off, fuckers! Fuck your tiny updates and you yourself too. From yesterday I was not able to connect to my favorite site. Today, the tor browser said that it does not support the tor. Why? Were your invisible changes so important to reduce people in using their favorite browsers? Burn in hell, you and 'I added a space in my code, but million people will be required to update my software right now" people

> From yesterday I was not able to connect to my favorite site

Using Tor Browser? No doubt the unnamed site has blocked Tor exit nodes from connecting. You cannot expect Tor Project to fix that, but you might try emailing the site owner yourself to ask that Tor be unblocked.

I have no idea what you might have been raging about in the rest of your comment.

By the way, how about a thank you to TP for providing Tor in the first place? Or at least a donation?

> Suck off, fuckers! Fuck your tiny updates and you yourself too.

In future please bear in mind the self-evident wisdom of an earlier comment from a more positive minded user:

> To all complainers - please be grateful, we are very fortunate to have tor

> Burn in hell, you and "I added a space in my code, but million people will be required to update my software right now" people

You seem to be terribly unhappy that the Tor Project developers are working hard to fix bugs and to introduce necessary new anonymity and security enhancing features---- an attitude which frankly appears to be counter productive.

The devs cannot and clearly do not expect all users to understand all the changes introduced in each new version, but in the announcements they do list them for those with the background to personally study the changes in detail. Users should for the most part be happy, I think, that they do not need to understand the reasoning behind changes in the code in order to keep using Tor Browser.

For my part, I am full of gratitude to everyone who is working hard to keep Tor users safe(r) in an increasingly dangerous world.

June 08, 2019

Permalink

Hi. I decided to remove Orbot + Orfox and installed latest version of Tor Browser (from Google Play store) on my Samsung Galaxy Tab A 2016 (Android 8.1), but now all web pages have a truly disturbing fixed-width font appearence.

June 08, 2019

Permalink

Hello Tor developers & users!

How can I easily know and understand the differences
between the various Tor Browser (TB) versions
(for example current v8.0.9, v8.5.1 and v9.0a1)?

Which preferences and about:config settings values is common
and which is vary in all these TB variants?

Where can I read about this more, in clearly explained form?

(I'm unexperienced TB user, began using it this New Year.)

Thanks in advance.

June 08, 2019

Permalink

Tor Browser 8.5.1 seems to be working fine for me under Debian stable (currently Debian 9.9).

Regarding the question above from Mac users: I seem to recall that years ago, Apple computers were said to be harder to use with Tor Browser. Assuming I remember correctly, is that still the case?

More generally, I think it would be very useful for Tor Project to ask someone like Micah Lee to write a blog post offering up to date advice on how Tor users can improve their cybersecurity and privacy, beginning I suppose with constructing a threat model (this is the place where "up to date" is so important because several recent major revelations imply that many with an online life should revise their threat model to increase the likelihood that they will become particular if possibly automated targets of state-sponsored cyberespionage campaigns). Another basic point would probably be that there is litte point in using Tor if you never install security patches for your system.

The issue is tracked with ticket 23392. It is tagged "needs_information"; if you are interested, you might provide information on Trac to help close the ticket. The pseudonymous account "cypherpunks", password "writecode" is available for all to use.

I would prefer "browser.urlbar.speculativeConnect.enabled" default to false.
Defaults

The issue is tracked with ticket 23392. It is tagged "needs_information"...
Tor Browser user

Ticket 23392 was closed recently, no changes since it was opened; browser.urlbar.speculativeConnect.enabled has an effect only when not in private browsing:

... ![preloading of URLs] is disabled ![anyway] due to Tor Browser being in private browsing mode. (I've not thought about whether it is actually a good thing to do but I think we are good here following Mozilla).
—gk, comment 5

June 10, 2019

Permalink

Hi! Why not put back the security slider and another at the 'advance security setting'(like right now)?

Gmail has disable log in without javascript when accessing with tor now. Other sites include, zalora, qoo10, etc.

Whistleblowers take note:
Used Tor with the standard settings + logging in to criticise goverment and is tracked, still being tracked now. I also installed the same addons consistantly, so please avoid making my mistakes.

I hope you don't mean that you logged in to an account that you created and used in a normal browser. Tor Browser cannot anonymize accounts that are already associated to your personal identity metadata.

June 10, 2019

Permalink

Hello torproject,
where is tor releasenotes ? Site in maintenancemode?
Till now i can click Documentation, Download and find all about.
Now .....it's more like a puzzle and no releasenotes at the logical place. Where?

Honestly, looks like Goofy is working for you.

Not sure what you mean. But as you are commenting on a blog post about Tor Browser I assume you want to see the changes made for the browser. That should be easy. On about:tor in the upper right there is the View Changelog link and additionally, for up-to-date information you get a link to this blog post.

June 10, 2019

Permalink

All of a sudden, with this current update, sites seem to be able to detect that I am using Tor for access, such as the New York Times as an example. I used to be treated as a normal visitor, but now as soon as I click on any article it blocks me as being in "Private Mode." This never happened previously, and it sucks. Is there any way to revert to the prior version?

June 11, 2019

Permalink

Ubuntu: impossible to install with official instructions. Torproject.org has 2 different sub-websites for instructions to install TOR browser on Ubuntu. Both sub-websites include a signing key 886DDD89. This key has 2 problems:
1) On keyservers, there already exist 2 keys with the same last 8 digits
2) The public TOR signing key has some 1.3 Megabytes as a text file
When you want to install the key with the 8 last digits you might get the wrong key (totally legit signing key - which is from another company).
When you want to install the key with 16 digits or import it as text file then the gpg (gpg2) program refuses the import. The key is too big.
I recommend the following solution:
a) Merge the 2 sub-websites for installation instructions
b) Change the signing key to another key that can be imported into gpg (gpg2, GPA)

I use Debian so can't help with Ubuntu specific issues, but since no else has spoken up I'll try to make a few comments which might be somewhat useful:

> Ubuntu: impossible to install with official instructions.

Am I correct in guessing that you tried to install the Tor Browser 8.5.1 tarball (file.tar.xz) by unpacking it somewhere?

> Torproject.org has 2 different sub-websites for instructions to install TOR browser on Ubuntu

Uh oh... Tor Project recently bungled the rollout of the long awaited new website, which turned out to be a much reduced main page and mostly broken links to the old website. There was quite a strong reaction from the user community as you will recall if you regularly read this blog. I guess the problem you noticed is part of that minor fiasco.

> Both sub-websites include a signing key 886DDD89.

Are you referring to the Tor Project Archive key? Isn't that used to sign debs? Isn't a subkey of another key (the Tor Browser Developer's key) used to sign the Tor Browser bundles?

I understand the issue about code (even GPG related code) not being consistent with using the last two viz the last four groups of hex digits as short references to a complete fingerprint, but I guess you already know about that. In any case, Tor Project needs "upstream" to fix that issue, because TP does not maintain gpg.

1) I find 5 sub-websites (pages) showing 16-bit (long) key ID or 40-bit (full) fingerprint. None of them recommend 8-bit (short) key ID.
https://2019.www.torproject.org/docs/debian.html.en
https://2019.www.torproject.org/docs/signing-keys.html.en
https://support.torproject.org/#operators-4
https://support.torproject.org/tbb/how-to-verify-signature/
https://2019.www.torproject.org/docs/verifying-signatures.html.en
In your gpg.conf file, enter:

  1. <br />
  2. keyid-format 0xlong<br />
  3. with-fingerprint<br />

2) Tor people, key 0xEE8CBC9E886DDD89 has problems! When you go to some HTTP keyserver websites and search for the key, the page of results lags other tabs and shows binary mojibake. The ASCII armored text file is 3.4 MiB. GPG returns:

  1. <br />
  2. $ gpg --import 0xEE8CBC9E886DDD89.key<br />
  3. gpg: packet(13) too large<br />
  4. gpg: read_block: read error: Invalid packet<br />
  5. gpg: no valid OpenPGP data found.<br />
  6. gpg: import from '0xEE8CBC9E886DDD89.key' failed: Invalid keyring<br />
  7. gpg: Total number processed: 0<br />

2) Tor people, key 0xEE8CBC9E886DDD89 has problems! When you go to some HTTP keyserver websites and search for the key, the page of results lags other tabs and shows binary mojibake. The ASCII armored text file is 3.4 MiB. GPG returns...

See https://github.com/Stadicus/RaspiBolt/issues/343, talking about https://dev.gnupg.org/T4022. Workaround in this comment that in turn comes from Tor Project Ubuntu docs:
$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
As I understand it, everything's okay: the lag on HTTP keyservers is expected, because the file is huge, and the mojibake is OpenPGP without ASCII armor.

19 KiB. What a difference. It works but is not ideal for there to be a single source for the key. On top of that, its self-signature is in SHA1, and it cannot be updated until clients install gpg 2.2.9. At least GnuPG patched their piece. Very good research. Thank you.

June 12, 2019

Permalink

Hey, just a thing that I've noticed, ever since the most recent update I've been getting --unknown-- listed as the final part of the Tor circuit every time without fail... Is this something I should be concerned about? I've tried restarting, new identity, new circuit, but I still get that --unkown-- one at the end...

June 17, 2019

In reply to gk

Permalink

Mac El Capitan, and yes ever since 8.5.1 (still doing it now). I'm hoping it's just a cosmetic error but I'm no IT expert by any means!

June 14, 2019

Permalink

I find using Tor prevents me from making comments on news articles that use Disqus to make comments, on their article and you can't open a Facebook account. It does the same as you do asks a question to make sure whether you are a human or not and no matter how many times you answer the question it asks you another one. Is this because Tor believes these are bad places to visit for safety reasons?

The Captcha problem is many years old. Some types of Captchas do not work and may conflict with settings in browsers. Tor Browser does not block particular places but does block particular functions. Since most Captchas work fine, I put the blame on those not working Captchas rather than Tor Browser.

June 14, 2019

Permalink

Reading all these comments I am starting to believe that Tor is for people who are way ahead of what I am when it comes to computer knowledge.

June 14, 2019

Permalink

Hi Yall, Love Tor Browser. Love my privacy. Thank you

Small but very annoying problem. I use dark themes everywhere. However when opening a "new tab" I get a blinding white screen. I can't find a solution or a workaround. Can anyone help? Thanking you in advance.

PS: when i use a standard Firefox browser i have the option to set "new tabs" to a page. I use Duck Duck Go, and the dark theme applies. Can't do it in Tor...

Try these steps.
Click The Firefox menu button, select "Customize" (screenshot and button image from Firefox help):
Customize menu
Click the "Themes" button near the bottom. Under the heading "My Themes" click "Dark" (not shown in this old screenshot):
Theme selection
It should then look like this:
Screenshot of dark theme

June 17, 2019

Permalink

Just update

Jun 17 16:47:39.000 [notice] New control connection opened from 127.0.0.1.
Jun 17 16:47:39.000 [notice] Owning controller connection has closed -- exiting now.
Jun 17 16:47:39.000 [notice] Catching signal TERM, exiting cleanly.

seen now on Tor Browser 8.5.1 on startup.

( This is same than what I have seen Tor Browser 8.5 earlier.
Mostly occurs when Tor Browser is started quite soon after boot.
I suspect that somewhere is short timeout or something like that.
)

June 18, 2019

Permalink

I have the Android version of TBB, I get this error when trying to make a screenshot.
"Screenshot disabled for security reasons"

I tried to "save image as" but doesn't work either and shows no error message,

June 19, 2019

Permalink

I set Tor browser will Use custom settings for history, tick off Remember my browsing and download history, then restart Tor browser, the settings seemed to be restored.

June 20, 2019

Permalink

It's strongly discouraged to install new add-ons in Tor Browser, because they can compromise your privacy and security. Tor Browser already comes installed with two add-ons — HTTPS Everywhere and NoScript — and adding anything else could deanonymize you.
Is it realy true?
1. I has ran Tor Browser/security level Safest/ without Ublock origin on the portal http://ip-check.info/index.php?jsID=16958488abc&auth=352833557&15610391….
And there is :Java script is activated .see picture 1.
2.I has ran Tor Browser/security level Safest/ with Ublock origin on the portal http://ip-check.info/index.php?
Andd ther is :Java script is currently off.
stevetoll

June 23, 2019

Permalink

am i the only one that is bothered by tor now collecting my info and store it and calling me by my real name isnt that how google started telling you its for our own records well i no it botheres me and i looked to try and opt out but was never able to find where to opt out hum sounds like google to me im not sure i will be useing tor anymore myself dont like the idea of someone tracking what i do on the net so much for being annomus i guess

am i the only one that is bothered by tor now collecting my info and store it and calling me by my real name
tuffy333294

Chances are it has nothing to do with Tor because Tor would not know your name.Tor collects privacy-aware logs for download statistics but does not collect or publish your real name (or much else about users). Either you've given your real name to a site in the past, or they're sharing your information.
Suggestions:

i looked to try and opt out but was never able to find where to opt out

There does not seem to be any opt-out, but you don't need to opt-out to remain anonymous. The Tor Metrics logging improves privacy and security, as security expert Bruce Schneier explains: "...With good network metrics, you can look back for indicators and anomalies at the time a privacy issue was reported. You can also extrapolate and look forward to prevent related issues in the future..."

hum sounds like google to me im not sure i will be useing tor anymore myself dont like the idea of someone tracking what i do on the net so much for being annomus i guess

The nice thing about Tor technology is that you can benefit from its security even when you don't trust the Tor Project, because the Tor Project itself cannot read your Tor traffic.In the end it's your decision to use or not to use Tor. EFF maintains a privacy section and tool guides. In addition, there are other dark web technologies, like I2P.

July 05, 2019

Permalink

Am using the latest Tor version in Windows 10 op sys with lots of disk and memory capacity. Noticed that when Win 10 is in high contrast custom color mode in desktop view, web mail and other email utilities entry fields turn BLACK with BLACK text. Also, many web pages get re-formatted where HTML details and graphics are lost and only skinny looking web pages appear . Please analyze this situation with Win 10 h/c desktop color schemes so Tor will display web and app pages properly, thanks! 05-Jul-2019, 0954AM PST

August 21, 2019

Permalink

Can't download the dev key on windows...

  1. >gpg -vvv --auto-key-locate nodefault,wkd --locate-keys torbrowser@<br />
  2. torproject.org<br />
  3. gpg: using character set 'CP437'<br />
  4. gpg: using pgp trust model<br />
  5. gpg: error retrieving '<a href="mailto:torbrowser@torproject.org" rel="nofollow">torbrowser@torproject.org</a>' via WKD: Server indicated a fa<br />
  6. ilure<br />
  7. gpg: error reading key: Server indicated a failure