New Release: Tor Browser 8.5.5

Tor Browser 8.5.5 is now available from the Tor Browser Download page and also from our distribution directory.

This release features important security updates to Firefox.

This release is updating Firefox to 60.9.0esr, Tor to 0.4.1.5, and NoScript to 11.0.3. This release also includes various bug fixes. On the Windows side, we should now have support for accessibility tools. On the Android side, we added support for arm64-v8a devices.

This is expected to be the last release in the 8.5 series: on October 22 we will switch to the 9.0 series, based on Firefox 68ESR.

Note 1: Due to a temporary issue with our update infrastructure, we did not enable automatic updates for Windows, Linux and macOS users yet. We hope to be able to fix this issue soon. Update: this issue is now fixed, updates are enabled.

Note 2: Due to some issue with Google Play's new requirement for 64bit versions, we have not yet been able to publish the Android x86 and x86_64 versions on Google Play. We hope to be able to fix this in the next days. In the meantime the x86 version can be downloaded from our website.

Note 3: There is an issue with the aarch64 version on Android 9 causing a crash on every launch. We are working on a fix for this issue.

The full changelog since Tor Browser 8.5.4 is:

  • All platforms
    • Update Firefox to 60.9.0esr
    • Update Torbutton to 2.1.13
      • Bug 31520: Remove monthly giving banner from Tor Browser
      • Bug 31140: Do not enable IonMonkey on aarch64
      • Translations update
    • Update NoScript to 11.0.3
      • Bug 26847: NoScript pops up a full-site window for XSS warning
      • Bug 31287: NoScript leaks browser locale
    • Bug 31357: Retire Tom's default obfs4 bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.5
  • Windows
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 27503: Provide full support for accessibility tools
    • Bug 30575: Don't allow enterprise policies in Tor Browser
    • Bug 31141: Fix typo in font.system.whitelist
  • Android
  • Build System
Anonymous

September 04, 2019

Permalink

Play Store version crashes a few seconds after launch. F-Droid version will build circuits and launch the browser, but all the menu items under "Settings" are greyed out and non-interactive. Pages won't load at all.

Anonymous

September 04, 2019

Permalink

Здравствуйте.
Жду когда ошибка вылета на android 9 будет исправлена.
Есть вопрос.В Orfox я столкнулся с проблемой долгого (а более точно вообще никогда не подключающегося) соединения к сайтам (onion,ну вы меня поняли).Подскажите пожалуйста в чем проблема соединения?
Заранее,благодарю.

https://support.torproject.org/onionservices/onionservices-3/

Translated to Russian:
"Я не могу связаться с X.onion!
Если вы не можете получить доступ к желаемому луковому сервису, убедитесь, что вы правильно ввели 16-символьный или новейший 56-символьный адрес лука. Даже небольшая ошибка не позволит Tor Browser получить доступ к сайту. Если вы все еще не можете подключиться к луковому сервису, повторите попытку позже. Возможно, возникла временная проблема с подключением, или операторы сайта могли разрешить его отключение без предупреждения.

Вы также можете получить доступ к другим луковым сервисам, подключившись к луковому сервису DuckDuckGo."

Anonymous

September 04, 2019

Permalink

Is there a schedule somewhere for security updates? And is there any evidence of people using up 0-days before they are patched?
Basically I'm asking if there are any time periods when it's more risky than normal to enable javascript.
Also, it would be nice to see a breakdown of which exploits require javascript, and which affect users on each security level.

> is there any evidence of people using up 0-days before they are patched?

Yes, Tor Browser is based on Firefox ESR. Follow Mozilla's bug tracker as well as Tor Project's bug tracker. But your question is worded as if you think developers or white-hats magically know about a 0-day when someone else discovers them. Their very nature means they can be exploited long before someone publicly reports them. Follow exploit databases such as CVE.

There is no real schedule. We mainly follow Mozilla's 6-8 weeks schedule of fixing security bugs found in the browser and then whatever comes up. There are some rare cases where people are using 0-days, yes.

Regarding the breakdown: yes, if someone would dig here and make such an overview that would be great. I could see us doing that but we lack the time. So, if you want to be the one helping out here, please do so.

Anonymous

September 04, 2019

Permalink

Yep, it's a bust with Android 9 and the previous browser is disabled... redirecting us to a broken browser. How about letting us have the last version of the Orfox browser back until you get things sorted. Thanks.

How do i get Tor browser to work when my job blocks p2p through the wifi at work

> my job blocks p2p through the wifi

So do many Tor exit nodes.

To get Tor Browser to work behind a restrictive firewall:

  • Are some outgoing destination ports blocked? Do you know the port numbers? Does your normal traffic go through a proxy? The first time you start Tor Browser, click Configure. There, you can change outgoing proxy and destination ports. Those settings can be accessed when Tor Browser is already open by clicking on the onion icon > Tor Network Settings. Tor can not use a bridge if a proxy is set.
  • Support FAQ: Connecting To Tor

General FAQ (old):

If none of the above solutions are acceptable, then click Configure again, and click "Tor is censored in my country" to enable a bridge relay. Please try to avoid using bridges so they will be available to users in repressive countries.

Just find an older apk online and then turn. Kff auto updates. Back in business

Tor Browser is not opening in my Honor7X phone.
Whenever I open it automatically closes within seconds.

Tor browser keeps crashing on android platform with the new 8.5.5 update

Why you remove GPG subkey's fingerprints from the documentation page, cut the gpg command output and reduce the content of the https://support.torproject.org/tbb/how-to-verify-signature/ ?
Can you restore an older version of this page?

I think we removed it to make the instructions more useful. They where a little overwhelming on the old page and not organized very well.

I don't agree with it, but it is your decision, Ok.
But why you remove GPG subkeys?

What do you mean by "removing subkeys"?

How exactly would one disable a certain proxy? Haven't been able to locate this option for Android.

Please be more specific. Are you talking about Tor or about proxies in general? Use a web search engine to learn about settings for proxies in general on Android.

Does this relese need orbot?

No, Orbot is not needed.

Just updated to 8.5.5 and got an invalid digital signature warning!

How can I be sure its not a compromised download?

What was the error message? Did you use the browser internal updater?

After updating the browser, whenever i start it, it closes on its own. Device oneplus 6 android 9

Ny tor browser craches and turn off for about 2 sekonds now,,
I have Android 8.0.0 i gues,,

I found out this problem to Day 5 september,,

Greats B

Accessibility services

When you say you have fixed “Bug 27503: Provide full support for accessibility tools”

Does this mean that (if users do not need such services) in the browser under Tools / Options / Privacy & Security / Permissions we should put a tick in “Prevent accessibility services from accessing your browser”?

If this is left UNticked does it mean that, e.g., users’ anti-virus programs can spy on them?

Pls advise as a matter of urgency.

Thanks

If you don't need accessibility services, sure, ticking that checkbox should reduce possible attack surface (however, I have not checked what exactly that checkbox is doing).

If it is left un-ticked I am not sure what exactly external programs could do. I guess it would be worth looking deeper here. It ultimately boils down to whether you trust your anti-virus programs. They can easily spy on you even _without_ that checkbox enabled as they are usually pretty deeply embedded into your Windows system. So, if you don't trust them you should consider removing them instead.

I just installed tor_browser 8.5.5 from the apk_file and everything seems to be fine.

Вечер добрый, тор обновился и не работает теперь, до этого все было хорошо, исправьте ошибки, грузит максимум 25%,удалил и установил уже раз 50

hi!
URL bar onion icon color is different from padlock icon color.
i think they should be the same.
thanks!!!

For anyone forced to migrate to a broken version of Tor Browser by the OrfoxRIP auto update, you can download the last working version of Orfox here:
https://github.com/guardianproject/Orfox/releases/download/Fennec-52.9.0esr%2FTorBrowser-7.5-1%2FOrfox-1.5.4-RC-1/Orfox-Fennec-52.9.0esr-TorBrowser-7.5-1-Orfox-1.5.4-RC-1.apk
Just be sure to back up your /data/data/info.guardianproject.orfox and /data/media/0/Android/data/info.guardianproject.orfox folders to a safe location first if you want to have any hope of recovering your bookmarks, tabs, preferences, etc. at some future time. Uninstalling OrfoxRIP and then downgrading to Orfox-1.5.4 will wipe out all those settings.

A few of the problems with Tor
1) There may be a problem with bridges being a valid brige. Thee tracker reported several bridges not responding. "https://trac.torproject.org/projects/tor/ticket/30441" and this was going on for some time as I reported the error.

2) You no longer support many bridges and it appears only obfs4 and meek-azure are valid. The more bridge types the better but you have deprecated a few bridges like scramblesuit and I don't know why.

3) Android version of tor gives the ability to chooses your guard node (which country you connect) this option does not exist on the Mac. I have noticed that my guard node is almost always the same even when forcing a new circuit several times. Giving the ability to choose a guard node gives greater stealth. Why can't a Mac choose its guard node?

Yes, bridges can be offline. We try to make sure only valid and working bridges are given out by BridgeDB and the default bridges shipped in Tor Browser should be available.

There is nothing that prevents you from finding e.g. scamblesuit bridges and using them in Tor Browser. It's just that we don't ship default ones anymore because the single one we shipped was overloaded AND scramblesuit does not offer better protections than, say, obfs4.

Tor Browser for Android does not let you choose the guard node country. That is deliberately done so as choosing that may seriously harm your anonymity. You should let pick Tor the proper path.

release the old version again please, the latest version can not work, release a new version only if it's a real stable version please

There are problems with Google Maps, it can be in French if the exit is in France and maps show only after using the new circuit function. Other sites like Youtube have the same language issue.

Intern updater just don't update the browser. It downloads the new version and asks for a restart to update, it restarts, show the update progression, starts the browser and it just didn't update and keep asking for a restart and says it's not updated, no matter how many times i try to restart the browser it just don't update even though it completes the update bar when starting the browser, its so frustating and annoying, is there any way i can delete the downloaded update from the internal updater so i can try again? I really don't want to have to download and install from zero the new version. I'm on linux. I've never had this problem before.

Hm, so this happened for the first time? What does the update log show if you flip app.update.log to true and look at the debug output in the browser console (you open that one with Ctrl+Shift+J)? Any errors you get?

Additionally, after the update failed you should have a update.log file in your Tor Browser directory in Browser/TorBrowser/UpdateInfo/updates/0/ what does it contain?

Per Note 3: the crash issue is also resident in Android 10 as well as 9.

also crashing every launch on Lenovo Tab 4 Plus 10" Android 7.1.1

Still having problems with tor sometimes crashing when i open it :/

Which operating system + version is that?

hello, thank you for the great work you do!
I have noticed a new issue with both system Tor version 4.1.5 and in Tor Browser 8.5.5 as follows: when using either obfs4 bridges or entry guards, i (sometimes) receive a message in the connection logs about the large number of circuits that have failed. i opened onion circuits to see and sure enough, it appears as if circuits try to form and are destroyed very quickly. i can use the browser fine, and i only notice the issue upon inspection of the logs.

wireshark shows many "Fin,Ack" disconnections immediately followed by a fresh "Syn" and the corresponding "Syn, Ack" on a fresh port each time on localhost. The packets look normal other than that (no duplicate ACKs or re-transmissions, and the packet sizes are consistent with how Tor behaves). It is a strange issue because if you do not pay attention, you may not notice. I have not seen any excess cpu use for example. The client hello's are fine, handshakes are normal and intact and from the packet analyzer's point of view, the only clue of something going on is the constant disconnections and re-connections (from localhost:9050 or 9051 respectively). There have not been any interruptions in the actual browsing experience though and no browser crashes. System Tor works fine too and you only notice an issue upon examining the circuits; no obvious crashes with system Tor either.

i experience this issue on debian buster (host) as well as in virtualbox machines and also on whonix. i have tried several different bridges and entry guards to no avail. Other than the circuits building and almost immediately being torn down, i can see no other problems. i tested on both a wired and a wifi vanilla connection (vanilla meaning no vpn or proxy or ssh etc.) and the issue was present on each try. I used a freshly downloaded/verified tar.gz for each trial.

I have an updated Firefox esr on the host system as well which showed no such activity from wireshark; obviously Nyx/onion circuits don't apply :)

when inspecting the Tor Browser connection with Nyx, i see that the tor percentage is jumping around alot. usually, it will stay at 0% if i am idle. on Nyx's connections page you can see the circuits building and then being destroyed in real time. It will build 4 or so and then they disappear and it says "Building.." This continues for as long as the app is open and you are using the browser.

i am pretty stumped on this one; i am not sure what would cause continual circuit building issues? thank you for anything you can think of. i will continue to debug this. thanks for reading

Hi,
I'm from Iran, a dictator regime with worst filtered internet. After update to this new version(tor-browser-855) on my Android(v.7), I can't open tor-browser.
It just crashed!
I use desktop tor browser now.
I Know many Iranian that use tor have this problem.
Thank you so much for help freedom all over the world.

Just downloaded 8.5.5 from Tor page and installed the .apk. working so far

Is there a Tor related FAQ regarding NoScript addon or don't Tor users have concerns regarding NoScript to warrent a FAQ page? cheers

There is no FAQ entry. Users should not be concerned with NoScript at all which is one reason why we moved it out of the toolbar in Tor Browser 8.5.

Thank you for your reply.

The reason I asked was the reply to the following question

Can noScript addon details be read in Tor? If you whitelist a site with the noScript settings so that you do not have to repeatedly input them, can these be read in Tor and thus identify the user or use these settings to follow the user?

As far as we know, the settings can't be read unless there is a major bug that hasn't been reported, but they can identify you. There is a traffic pattern of which URLs your browser accesses when it loads a webpage and an availability pattern of which features in the page's code become enabled when the set of accessed things are loaded. If the URLs your browser accesses are different from the URLs accessed under normal configuration, that difference can single you out to people logging your traffic or to scripts on the webpage. So your NoScript settings under the Per-Site Permissions tab can indirectly be determined or reverse-engineered.

Cheers I don't understand it all but going by your reply it means that it is best not to whitelist any sites I hope I have understood this I also understand that it is still ok to use NoScript thanks again

Thus, as the settings 'can identify you' and 'can single you out to people logging your traffic or to scripts on the webpage'. Thus, 'your NoScript settings under the Per-Site Permissions tab can indirectly be determined or reverse-engineered'. Why do you say, 'Users should not be concerned with NoScript at all'. Thanks in advance for a reply. NB I am not a technician in my understanding of answers.

Yes, the particular whitelist can identify users which is why we don't recommend doing that. The user can be identified by websites embedding particular sites and then seeing who is requesting contents and who not and how the pattern looks like.

Users should not be concerned with NoScript at all in the sense that they should not need to dig into its settings to do something they want. We should provide a simpler interface as we only use a tiny fraction of NoScript's functionality.

Can't download any files, it keeps failing. It doesn't even ask where you want to download the file to. Using TorBrowser-8.5.5osx64

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our ​support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

10 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.