New Release: Tor Browser 8.5.4

Tor Browser 8.5.4 is now available from the Tor Browser Download page and also from our distribution directory.

Tor Browser 8.5.4 contains updates to a number of its components. Above all, we include Firefox 60.8.0esr which contains important security fixes. Moreover, after some testing in the alpha series, we start shipping Tor 0.4.0.5 and update OpenSSL to 1.0.2s for the desktop platforms.

Finally, we add a fundraising banner to help us get more donations. Please donate if you can!

The full changelog since Tor Browser 8.5.3 is:

  • All platforms
    • Update Firefox to 60.8.0esr
    • Update Torbutton to 2.1.12
      • Bug 30577: Add Fundraising Banner
      • Bug 31041: Stop syncing network.cookie.lifetimePolicy
      • Translations update
    • Update HTTPS Everywhere to 2019.6.27
    • Bug 31055+31058: Remove four default bridges
    • Bug 30712: Backport fix for Mozilla's bug 1552993
    • Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
  • Windows + OS X + Linux
    • Update Tor to 0.4.0.5
    • Update OpenSSL to 1.0.2s
    • Bug 29045: Ensure that tor does not start up in dormant mode
  • OS X
    • Bug 30631: Blurry Tor Browser icon on macOS app switcher

Anonymous

Thanks for your response.

However, I don’t understand what you mean by “if you exit and open TBB, Remember my browsing and download history is checked.” Please explain.

Also, at the location you state, “Remember my browsing and download history” has always been unchecked, so I don't need to uncheck it now.

I have just (the first time in 2 weeks) opened my Keepvid bookmark and the search box is not empty – It still has the same YT url in it.

Do you, or anyone else, have any other ideas? Thanks

k239

July 21, 2019

Under ‘Options’ on the browser, under Privacy & Security there is the option to “Prevent accessibility services from accessing your browser”.
This option is not ticked. When ‘Learn more’ is clicked Mozilla says:
“Firefox Accessibility Service is a technology built into Firefox that provides 3rd party applications running on the same device the ability to inspect, monitor, visualize, and alter web page content hosted within Firefox.”

For greater privacy, wouldn’t it be best to have the box “Prevent accessibility services from accessing your browser” ticked by default?

Please advise.
Thanks

k239

July 22, 2019

Is there a way to turn on javascript for each instance that I visit a new website? On my other Mac, an older OS version is running, which limits me to an old version of Tor browser, which has a control at the top left of the browser window to turn javascript on. I don't see this type of control on the current version of Tor browser.

Read the descriptions of each security level in the shield icon --> Advanced Security Settings. "Safer" and "Standard" enable javascript. On "Safest" or to fine-tune javascript access, learn how to configure the NoScript add-on. Change the Security Level again when you start a New Identity to reset NoScript.

k239

July 23, 2019

Umm, I don't think you should be fetching keys from keyservers at all unless you intend to verify them through the web of trust. You should get the key from the project's website, over HTTPS, and probably double check the TLS cert, or get them over keybase. The problem is that an 8 digit key ID is not a unique id. Anyone can make a spoofed key with the same key ID, same name and email, and upload it to the keyservers. So maybe all this key poisoning is a good thing, actually?

Also, for now, maybe just pay attention and try not to download any multi-gigabyte keys?

Yes, verifying them through the web of trust is good, but you have to start somehow, which usually means comparing the full 40-digit key fingerprints "out of band" through multiple avenues if you're unable to meet in person to do it and optionally confirm government-issued documents if the key's userIDs include a real name.

> You should get the key from the project's website, over HTTPS... [or keybase].

If the site is hacked and the hacker changed the key, HTTPS won't mean a thing.

> or get them over keybase

In other words, a more cumbersome and commercial server of keys that leverages social pressures on newbies through their interface to link all of their online identities and not explain the privacy consequences. Get keys and verify identities? Sure. Sign up, participate, and legitimize their pressure on newbies to cross-link identities? Only very carefully if at all.

The keys can be anywhere over any protocol as long as the fingerprints are always the same, and at least one of the userIDs is what you're expecting. (And that the crypto algorithms that made the key are in good standing and the private key hasn't been compromised.) Most keyservers, and for that matter, software repositories, don't have encrypted interfaces and don't need them because the cryptographic structure of the key file ensures its integrity.

> The problem is that an 8 digit key ID is not a unique id.

What problem? Tor Project's documentation and support reference them by their long 16-digit keyID and full 40-digit fingerprints. It isn't Tor Project. It's default installations of most PGP programs that display short 8-digit keyIDs. Configure yours to display 16 and/or the fingerprint, and find if it's possible to search your program or keyserver by 16 or by the fingerprint.

> Anyone can make a spoofed key with the same key ID, same name and email, and upload it to the keyservers.

Yes, which is why people and programs should confirm full 40-digit key fingerprints and not simply their 8 or 16-digit keyIDs.

> So maybe all this key poisoning is a good thing, actually?

No, it's catastrophic and has nothing to do with the problems you said.

> try not to download any multi-gigabyte keys?

I haven't ever seen an interface that shows the filesize of keys to be able to know if a key is tens of megabytes or not. PGP doesn't do that. Normally, they're stored on keyrings.

* "tens of megabytes" is closer to the size of keys attacked by certificate flooding than "multi-gigabyte." For now anyway.
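
Added example, not part of the original comments and not Tor Project code: the point made in the thread above, that a short key ID does not identify a key while the full 40-digit fingerprint does, shown on a constructed listing in the layout of `gpg --with-colons --fingerprint`. The keys, fingerprints and user ID are invented for illustration, and the helper names are hypothetical.

```python
# Added example. Every key below is constructed; none is a real key.
HEX = set("0123456789ABCDEF")

# Constructed listing in the layout of `gpg --with-colons --fingerprint`.
# Both keys share a user ID and the same short (8-digit) key ID, 33334444.
SAMPLE_LISTING = """\
pub:-:4096:1:1111222233334444:1400000000:::-:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1400000000::0000::Example Signer <signer@example.org>:
pub:-:4096:1:9999888833334444:1500000000:::-:
fpr:::::::::0000111122223333444455559999888833334444:
uid:-::::1500000000::0000::Example Signer <signer@example.org>:
"""

def normalize(hex_id):
    """Strip spaces and an optional 0x prefix, upper-case the hex digits."""
    value = "".join(hex_id.split()).upper()
    return value[2:] if value.startswith("0X") else value

def parse_keys(listing):
    """Return one dict per primary key: its fingerprint and user IDs."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"fingerprint": None, "uids": []})
        elif fields[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            # The first fpr record after pub belongs to the primary key;
            # later ones (subkeys) are ignored here.
            keys[-1]["fingerprint"] = fields[9].upper()
        elif fields[0] == "uid" and keys:
            keys[-1]["uids"].append(fields[9])
    return keys

def match_by_key_id(keys, key_id):
    """Weak lookup: a v4 key ID is only the tail of the fingerprint."""
    return [k for k in keys if k["fingerprint"].endswith(normalize(key_id))]

def match_by_fingerprint(keys, expected):
    """Strict lookup: refuse anything shorter than a full fingerprint."""
    expected = normalize(expected)
    if len(expected) != 40 or not set(expected) <= HEX:
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return [k for k in keys if k["fingerprint"] == expected]
```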

Just noticed today that some bookmarks are gone. The two I am currently aware of have been on the system for at least three years. I will have to do more research. Has anyone noticed bookmarks disappearing?

Hello guys, I have been trying to download the 32-bit version for Windows but it always keeps downloading the 64-bit one. Please, can anyone post a link to download the 32-bit version? Thanks in advance.

Tor is not opening on my mac

Do you get an error? If so, which one?

Where is my TLS 1.3 protocol support? I edited about:config but no luck!

Firefox ESR 60 which Tor Browser is based on only supports a draft version which might actually be the reason for the experience you have.

I just got this while trying to sign into YouTube: "NoScript detected a potential Cross-Site Scripting attack from https://accounts.google.com to https://accounts.youtube.com." I had to go to NoScript to allow Google and YouTube temp permission to sign into their sites, and still Tor freezes up and then unfreezes, and it takes a while to sign in, and then up pops something that says your computer has been detected as having too much traffic and to try again later to sign in... Google is not wanting any Tor users in...

Suspicious data:

I am getting this message on both of your new Tor browsers: "NoScript detected a potential Cross-Site Scripting attack from https://accounts.google.com to https://accounts.youtube.com."

Suspicious data: and this is at the bottom of message
Block this request
Always block document requests from https://accounts.google.com to https://accounts.youtube.com
Allow this request
Always allow document requests from https://accounts.google.com to https://accounts.youtube.com

I have allowed google and youtube temp permission and still I get these messages..am using a USB stick free of viruses each time and this has never happened before this new browser release so something is wrong here or with google??

Tor won't open. It says Tor is already running and I should restart, I try everything but same always. I close Tor, even uninstall and download a new one. Same thing. I even think Microsoft has hijacked your download page because a new window now comes up saying try a Microsoft App instead! The only way so far to use Tor has been to download a very old version, then let it update and then it sometimes works, but the next day when I want to use it again, it is the same problem? There seems to be no help to solve this problem and I see others have it as well. Frustrating!!!!

great

I am a relatively new user of TOR and have just downloaded 8.4.5. I also downloaded and installed GPG.

In order to check the signatures I followed the instructions at
https://support.torproject.org/tbb/how-to-verify-signature/

However when I followed the first instruction and went to cmd and input
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

all I got was
“C:\Users\my name>gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg: error retrieving 'torbrowser@torproject.org' via WKD: No inquire callback in IPC
gpg: error reading key: No inquire callback in IPC”

Can we not have instructions as full and clear as found at:
https://2019.www.torproject.org/docs/verifying-signatures.html.en
which does not appear to have been updated since TOR 8.0.8

Many users of TOR are not computer experts or geeks and need step by step instructions to use it.

Thank you

I've checked my connection through TOR with ip-check.info and I've got Delaware 169.197.97.34 ExitNode but torrc was restricted not taking US and forced CH and CH was declared in (i) as the ExitNode. Then I blocked 169.197.97.34 as ExitNode and after that ip-check.info declared the same IP as shown inside (i). What's going on? How can the ExitNode be changed to Delaware without taking {us} restriction into account and declaring CH as ExitNode?

8.5.4 reproducibly crashes on MacOS Catalina beta 5. I'll file a bug report too but thought I'd post it here as well.

I registered and tried to login so I could file a bug report (see my previous post on 8.5.4 crashing on MacOS Catalina beta 5) but the captcha kept failing to let me in after several attempts so I'm giving up on that.

Sorry for that. This should have been a macOS bug and fixed in a newer 10.15 beta.

Some captchas might break on Safest. Try lower security levels if you're comfortable doing so.

I have been blocked from downloading your browser by the DISGUSTING internet police I have circumvented their nonsense AGAIN. I truly would like to run a relay but due to "persons unknown" blocking my download facility I'm trying to find out if it's still at all possible?

From the support FAQ: How do I download Tor Browser if the torproject.org is blocked? GetTor is one method.

Tor Browser is not meant for running a relay. Use the tor binary to run a relay. Read about relays on Support FAQ: Operators, Community site: Relay Operations, and the old General FAQ. From the download page, click "Download Tor Source Code" to find the expert bundle, or if you use Linux, add Tor Project's repository as instructed in the FAQ guides.

Yes, nice - but what use is that to me when everything here is written in Chinese ... - unfortunately I am a German ...

This blog post is in English, but the website has a menu at the top for you to select a language.
https://www.torproject.org/de/

I have downloaded the installer, but when I click on Sig to download the signature, it just opens in a new page and displays the physical signature, instead of downloading the .asc file. Is there something I'm missing here?

Just right-click on the page and save it as a file might work?

We were advised against MAC iOS 12.2, insecure. Is the present update, 12.4.1, still to be avoided?

Could you elaborate? Advised by what source? Tor Browser does not support iOS. Tor Project recommends Onion Browser for iOS in a small font under the downloads for Android.

I am experiencing a constant crash on open. Is this a known bug? Galaxy s7

Yes, we are working on fixing it over at https://trac.torproject.org/projects/tor/ticket/31616. We'll release an update as soon as we have sorted out the details.
