New Release: Tor Browser 8.5.4

Tor Browser 8.5.4 is now available from the Tor Browser Download page and also from our distribution directory.

Tor Browser 8.5.4 contains updates to a number of its components. Above all, we include Firefox 60.8.0esr which contains important security fixes. Moreover, after some testing in the alpha series, we start shipping Tor 0.4.0.5 and update OpenSSL to 1.0.2s for the desktop platforms.

Finally, we add a fundraising banner to help us getting more donations. Please donate if you can!

The full changelog since Tor Browser 8.5.3 is:

  • All platforms
    • Update Firefox to 60.8.0esr
    • Update Torbutton to 2.1.12
      • Bug 30577: Add Fundraising Banner
      • Bug 31041: Stop syncing network.cookie.lifetimePolicy
      • Translations update
    • Update HTTPS Everywhere to 2019.6.27
    • Bug 31055+31058: Remove four default bridges
    • Bug 30712: Backport fix for Mozilla's bug 1552993
    • Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
  • Windows + OS X + Linux
    • Update Tor to 0.4.0.5
    • Update OpenSSL to 1.0.2s
    • Bug 29045: Ensure that tor does not start up in dormant mode
  • OS X
    • Bug 30631: Blurry Tor Browser icon on macOS app switcher
khled.8@hotmai.com

July 09, 2019

Permalink

The obfs4 bridges IP addresses are listed in the file torrc. On my Mac the file produces 13 OBFS4 bridges and there IP addresses. When I deleted the file the same obfs4 files appeared with a change in order. In version 8.53 of Tor comments that this IP address should be hidden. Should I expect different torrc files when reinstalling or opening Tor ?

The IP addresses should not be hidden in your torrc file. They should just not get publicly posted on the Internet. If you are using the default bridges we ship, no, they stay the same within your torrc file (if we don't remove them from the bundle).

On my Mac with Tor configured to "Tor censored in my country" if I open the torrc file it has 11 OBFS4 files starting with "Bridge obfs4" then the IP address of each bridgeis listed. This makes the obfs4 bridges visible. These are the only bridges the Tor browser uses and this occurs on 2 Mac OS's.

If "Tor censored in my country" is not selected the torrc file is bank.

how many obfs4 bridges exist? should the 11 obfs4 bridges in the torrc file change ?

My torrc fle does not match the file you provided. For example there are bridges for "snowflake" I have never seen that bridge even when I go to "https://bridges.torproject.org/" also all the bridges are obfs4 your example also has meek. Since the upgrade to 8.5.4 the bridge list is different.

# Tor Launcher preferences (default bridges):
pref("extensions.torlauncher.default_bridge_recommended_type", "obfs4");

// Default bridges.
pref("extensions.torlauncher.default_bridge.obfs4.1", "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1");
pref("extensions.torlauncher.default_bridge.obfs4.2", "obfs4 85.17.30.79:443 FC259A04A328A07FED1413E9FC6526530D9FD87A cert=RutxZlu8BtyP+y0NX7bAVD41+J/qXNhHUrKjFkRSdiBAhIHIQLhKQ2HxESAKZprn/lR3KA iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.3", "obfs4 38.229.1.78:80 C8CBDB2464FC9804A69531437BCF2BE31FDD2EE4 cert=Hmyfd2ev46gGY7NoVxA9ngrPF2zCZtzskRTzoWXbxNkzeVnGFPWmrTtILRyqCTjHR+s9dg iat-mode=1");
/**/pref/**/(/**/"extensions.torlauncher.default_bridge.obfs4.4"/**/, /**/"obfs4 38.229.33.83:80 0BAC39417268B96B9F514E7F63FA6FBA1A788955 cert=VwEFpk9F/UN9JED7XpG1XOjm/O8ZCXK80oPecgWnNDZDv5pdkhq1OpbAH0wNqOT6H6BmRQ iat-mode=1");
pref("extensions.torlauncher.default_bridge.obfs4.5", "obfs4 [2001:470:b381:bfff:216:3eff:fe23:d6c3]:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1");
pref("extensions.torlauncher.default_bridge.obfs4.6", "obfs4 37.218.240.34:40035 88CD36D45A35271963EF82E511C8827A24730913 cert=eGXYfWODcgqIdPJ+rRupg4GGvVGfh25FWaIXZkit206OSngsp7GAIiGIXOJJROMxEqFKJg iat-mode=1");
pref("extensions.torlauncher.default_bridge.obfs4.7", "obfs4 37.218.245.14:38224 D9A82D2F9C2F65A18407B1D2B764F130847F8B5D cert=bjRaMrr1BRiAW8IE9U5z27fQaYgOhX1UCmOpg2pFpoMvo6ZgQMzLsaTzzQNTlm7hNcb+Sg iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.8", "obfs4 85.31.186.98:443 011F2599C0E9B27EE74B353155E244813763C3E5 cert=ayq0XzCwhpdysn5o0EyDUbmSOx3X/oTEbzDMvczHOdBJKlvIdHHLJGkZARtT4dcBFArPPg iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.9", "obfs4 85.31.186.26:443 91A6354697E6B02A386312F68D82CF86824D3606 cert=PBwr+S8JTVZo6MPdHnkTwXJPILWADLqfMGoVvhZClMq/Urndyd42BwX9YFJHZnBB3H0XCw iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.10", "obfs4 216.252.162.21:46089 0DB8799466902192B6C7576D58D4F7F714EC87C1 cert=XPUwcQPxEXExHfJYX58gZXN7mYpos7VNAHbkgERNFg+FCVNzuYo1Wp+uMscl3aR9hO2DRQ iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.11", "obfs4 144.217.20.138:80 FB70B257C162BF1038CA669D568D76F5B7F0BABB cert=vYIV5MgrghGQvZPIi1tJwnzorMgqgmlKaB77Y3Z9Q/v94wZBOAXkW+fdx4aSxLVnKO+xNw iat-mode=0");

pref("extensions.torlauncher.default_bridge.meek-azure.1", "meek 0.0.2.0:2 97700DFE9F483596DDA6264C4D7DF7641E1E39CE url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com");

pref("extensions.torlauncher.default_bridge.snowflake.1", "snowflake 0.0.3.0:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72");

Blog entries looks raw like with no Page Style recently.

Yeah, we have issues with out Drupal setup (if you know someone who could help with that let us know!), which is tracked at https://trac.torproject.org/projects/tor/ticket/31114.

Good to know you know about the blog issue (I noticed it also but didn't report it).

But the allegations that a key Tor Project GPG key has been "poisoned" (see below) seems quite serious.

how close are you to fixing the current DDoS issues? they're very annoying.

hey, for some reason i found obs3 to work faster. i've seen they were removed - is it permanent? thanks

I would like to know the difference between obs3 and os 4

obfs4 > obfs3
obfs3 is deprecated.

If we get new default bridges we might ship them again, not sure. That said, you can still use obfs3 bridges if you get them e.g. from BridgeDB, just the default bridges are gone for now at least.

When Will The new version Come to Android?

8.5.4 is already available on our website, F-Droid, and Google Play.

Anyone else having issues logging in to their YouTube account? Seems stuck in the welcome screen after putting the password. I'm on Trisquel 8 x86 by the way..

FYI, I just downloaded the 8.5.4 release. My current 8.5.3 release also automatically updated to 8.5.4. When I restarted tor, Norton anti-virus threw a firewall error - "tor does not have a valid digital signature". I deleted my current tor installation and installed a new copy from the 8.5.4 release and had no error. Support may encounter this problem.

Thanks for the heads-up!

Hello. First off, thank you for the TOR Browser. :-) This is a much-needed tool in a world which is quickly becoming a surveillance society (why the Hell were we fighting against those like Stalin and Hitler who wanted to place everyone under surveillance if we were just going to allow it to be done to ourselves a few decades later?!). Been using encryption for quite some time, and, in the mid-1990s, used 4,096bit encryption for my e-mails when most of the population believed that governments or corporations would never, ever spy upon people. LOL

However, I'm writing to you today to ask why it is now taking around four to five minutes to load the keyring. Noticed this when typing out "torbrowser-launcher" (without the quotes, naturally) in Terminal and waited . . . and waited . . . until, finally, my patience was rewarded with the launch of the TOR Browser.

Just curious as to why it's now taking longer to load than micro$haft winblows 3.1 did (and, before you ask, I no longer have the (non-)floppy installation disks).

Is there a change to the ExcludeExitNodes directive?
Connection stalled while Tor Browser tried to connect to an exit in the blocked country, according to the Tor Circuit display.

Good question. I *think* nothing changed here. Is this issue reproducible?

I have country Z under ExcludeExitNodes. One established circuit had: Guard - Z - Z.

¯\_(ツ)_/¯

I thought the idea was NOT to keep track of what you do. If so, please explain what is under

.../tor-browser_en-US/Browser/.local

The file recently-used.xbel is particularly troubling, though some of the others are, too.

Can someone answer this please?

Running strings on /tor-browser_en-US/Browser/.local/share/gvfs-metadata/home reveals all Downloads (including URL) I ever made made with Tor Browser.

Is this intended behaviour? Looking at https://2019.www.torproject.org/projects/torbrowser/design/#disk-avoida… implies it should not?

It's not intended but a bug. See: https://trac.torproject.org/projects/tor/ticket/17560. We are happy to take contributions and to review patches, so you are more than welcome to help fixing this problem. Thanks!

i double this. there are downloads, file-paths (local), last visited (web), last used (local) etc. inside.

Is their a bug ?
Tor Browser 8.5.4 updated July 9 2019
Every time i visit ' YouTube ' In the address bar, i have grey lock with an orange triangle. Mixed content is not blocked not secure. I have to reload each page to have HTTPS Green Secure Connection. Before this latest update, their was always a green lock for a fully secure page. I never had to keep reloading the same page.

Tor Help Please

I seem to be having a problem with the new update. I am timed out most of my attempts to navigate to a website. I have tried several times with each url alternating them.

I reinstalled an older version of Tor and I am able to open the web pages without difficultly.

I am using Windows 10 64bit OS. What am I doing wrong?

Thank you in advance.

Update related to https://blog.torproject.org/comment/282424#comment-282424

Also Tor Browser 8.5.4

Unable to retrieve settinngs.

and immediately replaced with

Tor unexpectly exited.

------------------

Jul 11 08:42:06.000 [notice] New control connection opened from 127.0.0.1.
Jul 11 08:42:07.000 [notice] Owning controller connection has closed -- exiting now.
Jul 11 08:42:07.000 [notice] Catching signal TERM, exiting cleanly.

Problem with tor launcer first message is that it is not possible
to read all text because closing of controller connection causes
message that Tor unexpectly exited.

Ubuntu 16.04.6 LTS

with small memory

MemTotal: 1013216 kB
MemFree: 95716 kB
MemAvailable: 378772 kB
Buffers: 189616 kB
Cached: 243924 kB
SwapCached: 6868 kB
Active: 406268 kB
Inactive: 384508 kB

I suspect that this error is timing related.

cannot connect to Topic Links since upgrade to Tor 8.5.4 ???

Since downloading this Tor update I am unable to connect to Topic Links 2.0...also none of my bookmarks work ????

What does "none of my bookmarks work" mean? On which operating system are you? Do you have any antivirus/firewall software installed that could be responsible for this problem?

Hi guys,

you have removed some bridges and the current bridges available obsf4 and meek-azure have slowed the browser it a lot, until I have got this update the speed was totally fine even for Tor but now I had to switch to VPN, I hope these circumstances are just temporarily and that we will get improved bridges with good speed

For Your interest: The Tor project Developers PGP key is poisoned. I was unable to verify the downloaded
tor browser because the key contains more then 100000 signatures which makes pgp inoperable.
Please do something, e.g. upload the key to hkps://keys.openpgp.org or make it available via some other means
then the keyservers. For details see for example https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Are you talking about one of the keys listed here and if so which one?

https://2019.www.torproject.org/docs/signing-keys

If not, can you give the fingerprint of the "poisoned" key?

I tried to look up the key with short name 0x4E2C6E8793298290 at pgp.mit.edu and got a timeout which might be consistent with the claim that 10^4 signatures have been maliciously added to this key in order to make it unusable. If that is true, presumably Tor Project can get the problem fixed?

Is this kind of presumed attack (adding a huge number of signatures in hope of making the key unusable) known to the tech world? If so, does anyone know when the malicious signatures were added? Any idea who the possible actors might be? It seems rather unsubtle but we know that in recent months of a number of presumed state-sponsored cyberwar groups have been acting very aggressively.

please addition translation tools for Android Tor Browser. thanks!

Ever since the update, Tor is somehow defaulting to "Remember browsing and download history". (IE: I have to go into preferences every time I restart tor to turn it off.) This seems counter-intuitive to how tor is supposed to function. Is there some setting in config that got bricked during the update that I can fix by hand? It's really annoying to have to change that setting every time. I'm on OSX 10.14.5, tor 8.5.4.

Thanks in advanced.

What is your "Always use private browsing mode" setting? It should be on if you don't want to remember history.

Can anyone confirm that all Tor exit relays in Russia have been shut down?

after i make update to 8.5.4 , the Topic Links 2.0 dont work and some onions links i cant to open

Keyserver Problem: gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
does not work. Terminal continues to try but not response. What is the problem?

what´s this chrome.manifesto file that has appeared after the most recent update?

Appeared where?

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

5 + 9 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.