New Release: Tor Browser 8.5.5

Tor Browser 8.5.5 is now available from the Tor Browser Download page and also from our distribution directory.

This release features important security updates to Firefox.

This release is updating Firefox to 60.9.0esr, Tor to 0.4.1.5, and NoScript to 11.0.3. This release also includes various bug fixes. On the Windows side, we should now have support for accessibility tools. On the Android side, we added support for arm64-v8a devices.

This is expected to be the last release in the 8.5 series: on October 22 we will switch to the 9.0 series, based on Firefox 68ESR.

Note 1: Due to a temporary issue with our update infrastructure, we did not enable automatic updates for Windows, Linux and macOS users yet. We hope to be able to fix this issue soon. Update: this issue is now fixed, updates are enabled.

Note 2: Due to some issue with Google Play's new requirement for 64bit versions, we have not yet been able to publish the Android x86 and x86_64 versions on Google Play. We hope to be able to fix this in the next days. In the meantime the x86 version can be downloaded from our website.

Note 3: There is an issue with the aarch64 version on Android 9 causing a crash on every launch. We are working on a fix for this issue.

The full changelog since Tor Browser 8.5.4 is:

  • All platforms
    • Update Firefox to 60.9.0esr
    • Update Torbutton to 2.1.13
      • Bug 31520: Remove monthly giving banner from Tor Browser
      • Bug 31140: Do not enable IonMonkey on aarch64
      • Translations update
    • Update NoScript to 11.0.3
      • Bug 26847: NoScript pops up a full-site window for XSS warning
      • Bug 31287: NoScript leaks browser locale
    • Bug 31357: Retire Tom's default obfs4 bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.5
  • Windows
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 27503: Provide full support for accessibility tools
    • Bug 30575: Don't allow enterprise policies in Tor Browser
    • Bug 31141: Fix typo in font.system.whitelist
  • Android
  • Build System
k239

September 03, 2019

Permalink

I am sorry to say that triggering the update on macOS does not work… so, you might like to have a look into this, please.

k239

September 03, 2019

Permalink

hi, i have 2 questions:

1- is it safe to use the updated tor version as my own tor expert bundle? i mean copying the tor folder from the browser and replacing it with my expert bundle folder?

2- tor is blocked in my country and i'm using bridges, how many bridge nodes is enough for me? after how long should i update my list with new bridges and remove older ones?

1. If you're using the expert bundle, then you should already know where to find the documentation of the binary and how to compare the hashes of binaries on your local machine. The expert bundle may not have the same relative directory tree structure as the browser bundle, and it probably doesn't have the same torrc contents. The tor binary in the browser bundle is supposed to be identical to what would be shipped in an expert bundle, but you should compare hashes of the same version anyway. The more you customize your configuration, the more you are on your own to determine if it's safe. Sometimes, better answers can be found if you describe your goal and constraints instead of one step in the path you chose to reach it.

2. I'm only a user, but if I was in your situation, I would keep three or four bridges that only support obfs4 or meek. I wouldn't use at least two of them so that when the bridges I'm using inevitably fail, I could use one of the unused bridges as a spare or a backup to request more bridges (maximum six). My unused bridges would also be unknown to eavesdropping network censors until I use the bridges or until they discover the bridges from someone else. Verify the status of all of your bridges every couple months here: https://metrics.torproject.org/rs.html I wouldn't remove bridges unless they support less trustworthy pluggable transport protocols or they have been removed from that relay search site. Don't treat bridges the same as you treat guard nodes.

Since your country censors the Internet, it may help to bookmark these:
* Open Observatory for Network Interference: https://ooni.torproject.org/
* https://www.censoredplanet.org/
* https://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_c…

I assume you already know that you should be careful about your behavior and OpSec as well.

k239

September 03, 2019

Permalink

I installed Android 10 today on a Pixel XL and torbrowser 8.5.4 stopped working. I then saw 8.5.5 armv7-multi was out so I downloaded, verified and installed and it also does not work.

Description:

Name of the affected software
-----------------------------
TorBrowser 8.5.5. & 8.5.4 for Android / Android 10 (Q)

Exact steps to reproduce the error
----------------------------------
Open torbrowser app.

Tap "CONNECT".

Orbot connects to tor network.

Firefox opens.

Actual result and description of the error
------------------------------------------
Firefox opens, about:tor displays nothing, settings are greyed out, there's no security settings slider, no noscript entry. Entering a URL does nothing -- seems like the app is frozen. Selecting Exit in the menu does not close the app.

Desired result
--------------
Browse the web.

Good question, I opened a ticket for our website: https://trac.torproject.org/projects/tor/ticket/31641. In general it should be available on https://dist.torproject.org/torbrowser/ as well. (Note: the real .apks (not the -qa ones) currently live at https://people.torproject.org/~gk/builds/9.0a6/. They still need to get synced over to dist.torproject.org and then we get the alpha out).

where u go get the alpha? https://www.torproject.org/download/alpha/ = no android

Reporting back on the Pixel XL running Android 10 now with 9.0a6 installed. Everything seems to be working as it should. Problem solved. Thanks very much.

Tor browser force close as soon as you open it

No way to import/export bookmarks yet? I still have a lot of bookmarks in an old version...

Sorry, I meant the mobile version of Tor (on Android).

How old is your "old version"?

the solution i think will work:
1. Install regular esr or portable esr firefox, of the same version of esr that tor used in the "old version" tor browser of your bookmarks.
2. Drag you old places.sqlite (bookmarks file) into the firefox profile (This will replace the new default places.sqlite)
3. a. (if "paranoid", then you could now shut down your internet connection)
3. b. Start up the old esr, open bookmarks manager, then export bookmarks as .html (You could choose to backup as .json, but as far as I know, you cannot *add* that file into your current tor browser profile's bookmarks)
4. Then start current tor browser, open bookmarks manager, then import that .html file. Those bookmarks will show up as a folder *added* at the end of the bookmarks manager tree pane.

Hopefully i am answering the question you asked.

Tor Browser for Android version 60.9.0 is crashing on every launch

Same thing on mobile.
Android updated to most recent
Galaxy s9
Tried reinstall
Previous version worked just fine.

Kindly check comments on Play Store for Tor Browser as there are multiple reports of app crashes. Thank you.

Thanks, I've opened https://trac.torproject.org/projects/tor/ticket/31616, please add device information to it and other helpful steps to reproduce the problem. We thought we found all the crashers by fixing #31140 but it seems we were wrong. Sorry for the inconvenience.

Can someone please update us...

Hey, Tor Browser doesn't work on Android 10. When will it start working?

I think as soon as we switch to Firefox 68 ESR as the underlying Firefox version. We'll release an alpha (9.0a6) based on that probably today (please test it if you can) and will release the final stable on October 22.

Could you please update the RSA key in your instructions for verification?
The instructions for TOR 8.0.8 say:
gpg: using RSA key 0xD1483FA6C3C07136

When verifying 8.5.5 you see:
gpg: using RSA key EB774491D9FF06E2

Thank you

Which instructions? The documentation on this page should be correct:
https://support.torproject.org/tbb/how-to-verify-signature/

Thanks for the info.

I was using the instructions from

https://2019.www.torproject.org/docs/verifying-signatures.html.en

I've now made a note of where to go to get the latest, up-to-date instructions.

Thanks again

I have now followed the instructions at the location you gave (including downloading the latest GPG4win version - 3.1.10) but I am still having trouble.

When I put “gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org” into cmd.exe
All I got was “gpg: error retrieving 'torbrowser@torproject.org' via WKD: No inquire callback i
n IPC
gpg: error reading key: No inquire callback in IPC”

I can’t see what I have done wrong.

Can you pls help?

Thanks

Trisquel 8 x86
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg: invalid auto-key-locate list
gpg: Invalid option "--locate-keys"

Which version of gpg are you using?

WKD lookup is implemented in GnuPG since v2.1.12. Maybe you are using gpg 1 and need to install the gpg2 package.

gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sudo apt-get upgrade gnupg2
Reading package lists... Done
Building dependency tree
Reading state information... Done
gnupg2 is already the newest version (2.1.11-6ubuntu2.1+8.0trisquel1).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

That's probably why I'm getting the error message. I'll probably try verifying it using TAILS instead. Thanks and more power!

New update not working on android version 9....

Regarding: Editing the Torrc

Somewhere (I cannot remember where) you have said that editing the Torrc (e.g. specifying guard node or exit node countries) affects anonymity in ways that you “do not understand”.

I live in Western Europe. I have reinstalled the TOR program about 100 times to see where the guard node is located. After doing this with 854 and 855 the same four countries (France, Germany, Netherlands, the UK) have appeared as the guard node country well over 90 times.

I do not wish to use these 4 countries for the guard node. How can I avoid them?

Isn’t TOR restricting itself by not choosing guard-node countries at random?
Please advise.

Thanks

Tor is selecting relays randomly, without taking the country into account. Many of the relays are located in the countries you mentioned, which might explain why you often use relays from those countries.

you can edit torrc-defaults before firstrun by adding ExcludeNodes {fr},{de},{nl},{uk} at the bottom:

...
...
...
## snowflake configuration
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client............................
ExcludeNodes {fr},{de},{nl},{uk}

you shouldn't get connected to guards in these countries and none should be selected as guard.
[NOT TESTED] i don't know if ExcludeEntryNodes {fr} command exists and works!

you can preconfigure torrc by editing torrc-defaults before firstrun.
all this should be written into torrc during firstrun:

...
...
...
## snowflake configuration
ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client............................
EntryNodes yourchoice1,yourchoice2,yourchoice3,yourchoice4,yourchoice5
ExcludeNodes {sy},{cn},badnode1
ExcludeExitNodes {ir},{tr},badnode2

go to https://torstatus.blutmagie.de (or https://torstatus.rueckgr.at) and select some guards
of your choice (nicknames). maybe you specify a bunch of relays because not all of them are fast guards and
not all may work as guard.

you can exclude by nickname, IP and countrycode (lowercase!) e.g. {us}
in tor's documentation you'll find some further information.
countrycodes -> https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

torrc can look like this (after firstrun) and you can edit whenever you like:
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

DataDirectory PATH/tor-browser_en-US/Browser/TorBrowser/Data/Tor
EntryNodes yourchoice1,yourchoice2,yourchoice3,yourchoice4,yourchoice5
ExcludeNodes {sy},{cn},badnode1,{??}
ExcludeExitNodes {ir},{tr},badnode2,{??}
GeoIPFile PATH/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File PATH/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6

you can even specify a single or a few exits too (if they are exits):

ExitNodes myfavoriteexit1,myfavoriteexit2,myfavoriteexit3
OR
ExitNodes {us}

take care of brackets, spaces and , !
note: torrc-defaults WILL be overwritten during the next Tor Browser update!

good luck!

Many thanks to everyone for the helpful comments.

The TOR developers (in the information that I can no longer find) had said that TOR users should not edit the torrc for the reason stated above.

Could the TOR developers please advise if is now 'OK' to edit the torrc.

Thank you

No, modifying the way that Tor creates its circuits is strongly discouraged.

https://support.torproject.org/tbb/tbb-16/

it is ok to edit torrc to avoid e.g. 5 eyes {au},{ca},{nz},{uk},{us} or slow/bad exits.

> Somewhere (I cannot remember where)
> (in the information that I can no longer find)
> affects anonymity in ways that you “do not understand”.

It's from the old General FAQ:
Can I control which nodes (or country) are used for entry/exit?

The location of relays depends strongly on the where volunteer operators choose to set them up. The community has set up the majority of relay nodes in Europe and North America, but the distribution can change if volunteers set up relays in other places. (See the new Community site and the old General FAQ.) A comment linked to world maps in the recent blog post about bridges.

Tor Browser on this version on Android 9 Pie (Pixel 2) crashes on launch. Previous version worked.

I am an android 6 user and I was using 8.5.4 version and it was working perfectly after updating to this version it crashed. and I just went through some testing with it. for some reason, the builtin tor within it is still on 0.3.5.8(based on the connection logs) and when it reaches 10% tor browser crashes. also, I tried to use bridges but immediately after entering the bridge settings it crashes.

Yes, tor 0.3.5.8 is within TBB Android from 8.5 up to now, 8.5.6, according to the changelog. That's normal. On Windows + OS X + Linux, tor is 0.4.1.5 starting in TBB 8.5.5.

I also have some problems, when I start TorBrowser, I see button "connect", but it stops to work, my phone just close the app, LG G7 ThinkQ

Hi,
I've updated on Android, It does not work! There is no way to run!!!!!!
Is there a way to downgrade to the previous version?

I restore default bar look (right click - customize - restore default) and now few icons missing:

left side from adress bar: no script + something
right side: HTTPS everywhere + something

You might find any icons missing from your Toolbar if you look in your Customize window.

Tor Browser menu / View / Toolbars / Customize

I know this, but I think everything strange with this crucial software should be reported.

The other missing icon (after default reset) is tor button and security level.

Note 9 app immediately crashes and closes when trying to open it.

Not working on android. Just crashes

Any updates? Solutions?

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

9 + 9 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.