New Release: Tor Browser 8.5

[Update 5/22/2019 8:18 UTC: Added issue with saved passwords and logins that vanished to Known Issues section.]

Tor Browser 8.5 is now available from the Tor Browser download page and also from our distribution directory. The Android version is also available from Google Play and should be available from F-Droid within the next day.

This release features important security updates to Firefox.

After months of work and including feedback from our users, Tor Browser 8.5 includes our first stable release for Android plus many new features across platforms.

It's Official: Tor Browser is Stable on Android

Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September, we've been hard at work making sure we can provide the protections users are already enjoying on desktop to the Android platform. Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet. In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.

Tor Browser for Android

We made sure there are no proxy bypasses, that first-party isolation is enabled to protect you from cross-site tracking, and that most of the fingerprinting defenses are working. While there are still feature gaps between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms.

Thanks to everyone working on getting our mobile experience into shape, in particular to Antonela, Matt, Igor, and Shane.

Note: Though we cannot bring an official Tor Browser to iOS due to restrictions by Apple, the only app we recommend is Onion Browser, developed by Mike Tigas with help from the Guardian Project.

Improved Security Slider Accessibility

Our security slider is an important tool for Tor Browser users, especially for those with sensitive security needs. However, its location behind the Torbutton menu made it hard to access.

Tor Browser Security

During the Tor Browser 8.5 development period, we revamped the experience so now the chosen security level appears on the toolbar. You can interact with the slider more easily now. For the fully planned changes check out proposal 101.

A Fresh Look

We made Tor Browser 8.5 compatible with Firefox's Photon UI and redesigned our logos and about:tor page across all the platforms we support to provide the same look and feel and improve accessibility.

Tor Browser icons

The new Tor Browser icon was chosen through a round of voting in our community.

We'd like to give a big thanks to everyone who helped make this release possible, including our users, who gave valuable feedback to our alpha versions.

Known Issues

Tor Browser 8.5 comes with a number of known issues. The most important ones are:

  1. While we improved accessibility support for Windows users during our 8.5 stabilization, it's still not perfect. We are in the process of finishing patches for inclusion in an 8.5 point release. We are close here.
  2. There are bug reports about WebGL related fingerprinting which we are investigating. We are currently testing a fix for the most problematic issue and will ship that in the next point release.
  3. The upgrade to Tor Browser 8.5 broke saved logins and passwords. We are investigating this bug and hope to provide a fix in an upcoming point release.

We already collected a number of unresolved bugs since releasing Tor Browser 8 and tagged them with our tbb-8.0-issues keyword to keep them on our radar. Check them out before reporting if you find a bug.

Give Feedback

In addition to the known issues, we are always looking for feedback about ways we can make our software better for you. If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full Changelog

The full changelog since Tor Browser 8.0.9 is:

  • All platforms
    • Update Firefox to 60.7.0esr
    • Update Torbutton to 2.1.8
      • Bug 25013: Integrate Torbutton into tor-browser for Android
      • Bug 27111: Update about:tor desktop version to work on mobile
      • Bug 22538+22513: Fix new circuit button for error pages
      • Bug 25145: Update circuit display when back button is pressed
      • Bug 27749: Opening about:config shows circuit from previous website
      • Bug 30115: Map browser+domain to credentials to fix circuit display
      • Bug 25702: Update Tor Browser icon to follow design guidelines
      • Bug 21805: Add click-to-play button for WebGL
      • Bug 28836: Links on about:tor are not clickable
      • Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
      • Bug 29825: Intelligently add new Security Level button to taskbar
      • Bug 29903: No WebGL click-to-play on the standard security level
      • Bug 27290: Remove WebGL pref for min capability mode
      • Bug 25658: Replace security slider with security level UI
      • Bug 28628: Change onboarding Security panel to open new Security Level panel
      • Bug 29440: Update about:tor when Tor Browser is updated
      • Bug 27478: Improved Torbutton icons for dark theme
      • Bug 29239: Don't ship the Torbutton .xpi on mobile
      • Bug 27484: Improve navigation within onboarding (strings)
      • Bug 29768: Introduce new features to users (strings)
      • Bug 28093: Update donation banner style to make it fit in small screens
      • Bug 28543: about:tor has scroll bar between widths 900px and 1000px
      • Bug 28039: Enable dump() if log method is 0
      • Bug 27701: Don't show App Blocker dialog on Android
      • Bug 28187: Change tor circuit icon to torbutton.svg
      • Bug 29943: Use locales in AB-CD scheme to match Mozilla
      • Bug 26498: Add locale: es-AR
      • Bug 28082: Add locales cs, el, hu, ka
      • Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
      • Bug 28075: Tone down missing SOCKS credential warning
      • Bug 30425: Revert armagadd-on-2.0 changes
      • Bug 30497: Add Donate link to about:tor
      • Bug 30069: Use slider and about:tor localizations on mobile
      • Bug 21263: Remove outdated information from the README
      • Bug 28747: Remove NoScript (XPCOM) related unused code
      • Translations update
      • Code clean-up
    • Update HTTPS Everywhere to 2019.5.6.1
    • Bug 27290: Remove WebGL pref for min capability mode
    • Bug 29120: Enable media cache in memory
    • Bug 24622: Proper first-party isolation of s3.amazonaws.com
    • Bug 29082: Backport patches for bug 1469916
    • Bug 28711: Backport patches for bug 1474659
    • Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
    • Bug 29028: Auto-decline most canvas warning prompts again
    • Bug 27919: Backport SSL status API
    • Bug 27597: Fix our debug builds
    • Bug 28082: Add locales cs, el, hu, ka
    • Bug 26498: Add locale: es-AR
    • Bug 29916: Make sure enterprise policies are disabled
    • Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
    • Bug 29327: TypeError: hostName is null on about:tor page
    • Bug 30425: Revert armagadd-on-2.0 changes
  • Windows + OS X + Linux
    • Update OpenSSL to 1.0.2r
    • Update Tor Launcher to 0.2.18.3
      • Bug 27994+25151: Use the new Tor Browser logo
      • Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting
      • Bug 22402: Improve "For assistance" link
      • Bug 27994: Use the new Tor Browser logo
      • Bug 25405: Cannot use Moat if a meek bridge is configured
      • Bug 27392: Update Moat URLs
      • Bug 28082: Add locales cs, el, hu, ka
      • Bug 26498: Add locale es-AR
      • Bug 28039: Enable dump() if log method is 0
      • Translations update
    • Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
    • Bug 28111: Use Tor Browser icon in identity box
    • Bug 22343: Make 'Save Page As' obey first-party isolation
    • Bug 29768: Introduce new features to users
    • Bug 27484: Improve navigation within onboarding
    • Bug 25658+29554: Replace security slider with security level UI
    • Bug 25405: Cannot use Moat if a meek bridge is configured
    • Bug 28885: notify users that update is downloading
    • Bug 29180: MAR download stalls when about dialog is opened
    • Bug 27485: Users are not taught how to open security-slider dialog
    • Bug 27486: Avoid about:blank tabs when opening onboarding pages
    • Bug 29440: Update about:tor when Tor Browser is updated
    • Bug 23359: WebExtensions icons are not shown on first start
    • Bug 28628: Change onboarding Security panel to open new Security Level panel
    • Bug 27905: Fix many occurrences of "Firefox" in about:preferences
    • Bug 28369: Stop shipping pingsender executable
    • Bug 30457: Remove defunct default bridges
  • Windows
    • Bug 27503: Improve screen reader accessibility
    • Bug 27865: Tor Browser 8.5a2 is crashing on Windows
    • Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu
    • Bug 28874: Bump mingw-w64 commit to fix WebGL crash
    • Bug 12885: Windows Jump Lists fail for Tor Browser
    • Bug 28618: Set MOZILLA_OFFICIAL for Windows build
    • Bug 21704: Abort install if CPU is missing SSE2 support
  • OS X
    • Bug 27623: Use MOZILLA_OFFICIAL for our builds
  • Linux
    • Bug 28022: Use `/usr/bin/env bash` for bash invocation
    • Bug 27623: Use MOZILLA_OFFICIAL for our builds
  • Android
  • Build System
    • All platforms
      • Bug 25623: Disable network during build
      • Bug 25876: Generate source tarballs during build
      • Bug 28685: Set Build ID based on Tor Browser version
      • Bug 29194: Set DEBIAN_FRONTEND=noninteractive
      • Bug 29167: Upgrade go to 1.11.5
      • Bug 29158: Install updated apt packages (CVE-2019-3462)
      • Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere
      • Bug 27061: Enable verification of langpacks checksums
    • Windows
    • OS X
    • Linux
      • Bug 26323+29812: Build 32bit Linux bundles on 64bit Debian Wheezy
      • Bug 26148: Update binutils to 2.31.1
      • Bug 29758: Build firefox debug symbols for linux-i686
      • Bug 29966: Use archive.debian.org for Wheezy images
      • Bug 29183: Use linux-x86_64 langpacks on linux-x86_64
    • Android
      • Bug 29981: Add option to build without using containers

"Hello! I'm from Russia. There are such programs called "sandboxes", after reset they reset the state of the operating system to the original one - I thought here - maybe in Tor to do something like that? This will be better than the “Do not save history” mechanism since everything that a user has done on the network will be erased after exiting Tor"

(Google translate. I wish there was a good alternative.)

Tails and virtual machines (VM) are sort of like sandboxes....

Thank you for the translation! The OP's report turns out to be a useful question, I think.

I endorse the suggestion to try Tails, which incorporates AppArmor so it has some valuable sandboxing. I was recently told that people in Russia *are* still able to use Tails and hope that information is not out of date.

Tails is a complex Debian-based "amnesiac" and torified operating system which works out of the box on any 64 bit PC or laptop.

You boot it either from a DVD you have burned from the latest ISO image or from a USB. You can enhance a Tails USB by creating an encrypted data partition (by pressing a few buttons which calls their very cool script) and you can install additional software using Synaptic in the usual way (but you should try to limit this to minimize the risk of installing something which has not been vetted for use in Tails).

Tails USBs are supposed to be easier to update because you do not need the full ISO image for the next release, but I find that the best way to update a Tails USB is to obtain the ISO image, verify the detached signature, burn to DVD, boot from that while disconnected from the Internet, and then use the handy script to "clone running Tails" onto the USB as an "update" not "reinstall". This preserves the data and always works.

"Amnesiac" means Tails tries not to leave traces on hardware of your activities. Very important if you are a whistleblower or human rights worker or a reporter. The idea is that you boot Tails from a DVD and store any data on a separate encrypted USB data stick, or boot Tails from a USB with an encrypted volume holding your data. You can use Tails both for websurfing and chatting, or in "off-line mode" for the most dangerous stuff like preparing a leak or writing a news report.

(As we see from the charges the USG has dumped on Assange under the 1917 Espionage Act, one of the worst of all the many horrid laws the US Congress passed during some wartime panic and never repealed, writing the news is now very dangerous "even in the USA".)

Anyone can obtain the current tails ISO image for free at tails.boum.org.

Tails Project is a sister project of both Debian Project and Tor Project and all three projects correlate their releases. All of them have responded quickly to such emergencies as the latest speculative execution attacks and other horror shows.

Anon

May 21, 2019

I'm concerned about the new security level button. When you click it, it goes to the settings page and right under that is a bunch of options that look really tempting to enable (who wouldn't want to click a check box that says it "blocks deceptive sites"?). This is exposing millions of users to options that make them easier to track by making them easier to fingerprint.

I think having the slider available directly when you click the icon is better because it doesn't make people think that the slider is just one of many different customizations that you are encouraged to make to the browser.

Also I don't really like the new icon but I guess I'll get used to it. That's just aesthetics.

Thanks for the feedback. We have been thinking a lot about your idea but ultimately decided against it because the risk we saw is that the slider could easily be used for just quickly toggling the slider level as needed for the current site neglecting that it is a browser-wide feature affecting all the other tabs open, too. So, foremost the icon on the toolbar is meant to inform you about your current settings. If you need to change the level (which is meant to not be done very often) then you can do so on the advanced settings.

(Not OP)

> the risk we saw is that the slider could easily be used for just quickly toggling the slider level as needed for the current site

I can kind of understand that. However experienced users know full well that it's a browser-wide setting. You could argue it's a good change because it makes it harder to change the slider mid-session, which isn't really recommended. However this change also makes it harder to change the slider level even after a new-identity restart, too. ('click onion, move slider' vs. 'click shield, click more settings, click security level, close preferences tab')

Personally I think I would have opted to keep the existing slider button and popover dialog, and just made it so the button icon changes with the active security level. However it's not a big deal for me, only because I don't mind using multiple TBB instances/installations at different security levels.

I'm all for making TB easier for new users. But remember that, I'm quite sure, the majority of your userbase is existing users. It's important to think about them too.

Didn't know this, but, as long as it works and nothing breaks, is there still any risk? It works fine for me. Anonymity-wise, I think it would be a good thing, because it encourages more isolation and more frequent new identity clicks. If you use the same instance and keep it open a long time, you're dirtying up its fingerprint/cookies/etc. Also, because they're separate processes, it might reduce the damage of certain attacks. The only downside I see, other than something breaking, is extra resource usage. Am I missing something?

Even better is to use qubes and open each TB instance in its own whonix VM. (I use qubes but my PC doesn't have enough RAM for a lot of VMs at the moment, so I run several TBs in one VM)

I don't know. I think we accommodated your concern by making the toolbar icon mainly an icon to *show* the current state. Having "Advanced Security Settings" is IMO already an implicit warning for users who do not know what they are doing.

I would support a dedicated page and a floating warning on the other pages because the other pages are accessible from that page in the sidebar for navigation. A pop-up would make it like the old icon that developers seem to want to move away from. They want to publicize its current status and integrate the buttons into the browser but don't favor making the security level easier to change. But learning how to properly use "Safest" should not be hidden but encouraged. There is a link in the shield button to Learn More, but it should be prefaced by informing the user there are levels of higher security than the one in play out of the box, "Standard", and three levels in all. Encourage them to Learn More; don't frighten them by saying "Advanced Settings".

"because the risk we saw is that the slider could easily be used for just quickly toggling the slider level as needed for the current site neglecting that it is a browser-wide feature"

Maybe you are right with "could easily be used"; in general I don't think so, but the trend from the (Big)Soft business to hide settings deep in menus or mostly cut control is really annoying.
Please make this hide and cut game with this wonderful soft (TBB), too.

Not sure what you mean, but: we made the slider more accessible for *both* advanced users and less advanced ones and got it out from being buried somewhere in Torbutton's settings to make it easier to use. So, no, we did not bury it anywhere in the browser, quite to the contrary. Seems to me like a win-win actually. :)

Anon

May 21, 2019

What I absolutely miss in TBB is the ability to lock the browser with a password when minimized. Do you plan to implement such a function?

Anon

May 21, 2019

I think the new icon and layout is great.
But after the update, my saved password was lost.
I'm in big trouble now.
And when can the settings of the noscript be saved?

Anon

May 22, 2019

Hello!
Thanks for your efforts!

Tor browser is now showing up on the Google Play Store.

But I am seeing something unusual or questionable.

It is showing that Released on May 21, 2019.
Updated on May 19, 2019.

How about it!?

How can an app get updated before it is released???

Did something go wrong?

It's not clear to me what Google is tracking here. We probably have uploaded the .apk on May 19th already and made some last tests and pressed the "Release" button on May 21st. Not sure whether there is anything we can do to improve the situation.

So, to sum up, I don't think there is anything wrong here in the sense of someone tampering with Tor Browser.

Ha. Yes, indeed. It's a little funny Google is leaking this information. For this release, we used Google Play's "Internal Testing" channel before we released it publicly, so first we uploaded it on May 19 and after testing it we released it for everyone (coordinated with the desktop release) on May 21.

Anon

May 22, 2019

1. What happened with fonts in TB for Android? Latin characters are ugly and Cyrillic characters are extremely ugly.
2. I use Orbot for some other applications and don't want to delete it. However, I don't want to keep multiple tor instances in my phone memory. This forces me to use this workflow: when I need TB, I run it, it connects to the network (while Orbot is running to serve other apps), and after I have done something with it I should explicitly quit and disconnect.
3. Part 2 leads to another thing that I liked in the separate Orbot/Orfox: Orfox is instantly ready to go because Orbot is running as a service for all apps. With TB for Android I am forced to wait while it connects to the network.

Regarding 1.: is that new in the stable version, or does that show up in alpha versions as well? It's not exactly clear to me whether you tried the alphas before and are now suddenly seeing issues with the stable release.

Regarding 2. and 3.: Yes, there are trade-offs here. It's a very awkward user experience to download an app and then when starting it you got told "Oh, by the way you need another app installed in the first place to run your app". That's pretty confusing to new users while old Orfox users would be totally fine with that. We opted for following the desktop approach to provide a unified experience across all the platforms we support and making sure you have a running Tor before you start browsing. What happened in the Orfox case when Orbot was installed but currently not connected to the Tor network was that you would get weird proxy connection errors with no further explanation about what is going on which is very confusing as well.

1. That was in alpha versions too. I haven't used it too much, I've installed some builds. So when the stable release came out I installed it, but the fonts issue remains.
2 and 3. Generally I agree with you that it is better for newcomers. I just described my experience with that.

Anyway, thanks for all that, good work!

Didn't you guys agree the bundled Tor use will be made optional so power users can toggle it off if they've got Orbot? Can you please reconsider? I've been waiting for the stable version for that to materialize. The bundled Tor isn't working for me so I need this urgently to upgrade.

We agreed that we remove Orbot, which we did. I don't think we want to go back to a browser that needs an additional app to be usable at all. Imagine the situation for someone who just learned about Tor Browser. It sounds exciting, right? But suddenly when run you get told "Hey, in order to run this awesome app you actually need to first install another awesome app". That's an awful user experience we don't want to have. Rather, we want to provide the same flow across all platforms we have.

Why is the bundled Tor not working for you?

Anon

May 22, 2019

What happened to the idea of a user months ago to make the security slider icon colorful? Red-yellow-green like a traffic light.

Colors may be ambiguous. Which level will be red? What does it intend to mean versus what users think it means? Also, some countries may have different meanings for colors.

I have no slider. A regular mouse click on the new black shield icon shows the current setting "safest" with a little text information and 'advanced settings' at the bottom. The advanced settings link goes to options/preferences. There are only radio dots for each of the three "slider" settings.

Using TBB 8.5 (based on 60.7.0esr).

Anon

May 22, 2019

tbb 8.0.9: browser.safebrowsing.id ; Firefox
tbb 8.5: browser.safebrowsing.id ; navclient-auto-ffox
If somebody enables safebrowsing, navclient might be no good choice.

Anon

May 22, 2019

Thank you for the new stable version. However, I expected to control which kind of JavaScript I could block, XSS attacks and so on with NoScript and, because of the new layers of security, I only have two options: blocking all JavaScript, which doesn't seem to me very useful on some pages, or blocking JavaScript only on pages which aren't HTTPS. Is there any kind of solution?

You can customize NoScript blocks in the NoScript icon as before. NoScript is reset when you click New Identity, change the Security Level shield, or close Tor Browser. When you begin a New Identity session, set your Security Level. As you browse, allow what you need temporarily in NoScript. Reset NoScript when you don't need it. The longer you browse with NoScript customized, the more your activity can be identified as the same person.

Anon

May 22, 2019

Russian version on Android: Browser uses Yandex Search (Duckduckgo not selectable) and pages are in Russian instead of English.

Anon

May 22, 2019

I think the Tor Project should discourage downloading the Android app from F-Droid unless it is through an official repository, and should also request F-Droid to take down the versions of the app from their main repository. As you know, the main F-Droid repository apps are signed with an F-Droid key not from the Tor Project (as are all other apps in the repository). This should make the app not considered an official release and should be considered a security risk. What makes it worse, as far as I know, these apps are signed with a private key that resides on the F-Droid server. And on top of all that, you then have people with Tor Browser for Android apps signed with different keys making them incompatible for updates depending on what source they originally downloaded from.

I haven't tried checking yet, but I assumed the app on the official Guardian Project repository is signed with the same keys as the app on Play or the one that can be downloaded from the Tor Project site. If so, this should become the Tor Project's official repository to obtain the app and all apps signed with unofficial keys be removed. (And of course, the Tor Project can have their own official repository, which should be the only means anyone obtains the app on F-Droid.)

The Tor Project (as on the Tails site) promotes and has well-documented pages rightly telling people they should verify their downloads and showing them the steps to take to do so. So there should be no encouragement for people to download apps from a repository signed with keys that are not official from the Tor Project developers. I would also bet many people don't even know the apps on the main F-Droid repository are not officially signed by the apps' developers. Many probably think the apps are uploaded by developers like they are on Play, and F-Droid has no indication the app they are installing is not officially signed by the app's developers. All of this is very misleading and heightens security risks.

The Tor Project should either make their own official F-Droid repository or make the Guardian Project's repository official, and then have instructions on torproject.org on how to add the repository to F-Droid, and then request that all other apps not officially signed by Tor developers be taken down.

Indeed, currently we provide Tor Browser on F-Droid through our partners at the Guardian Project. They run their own F-Droid repository and they upload the apk we build (the same one available on our website and on Google Play). Hopefully, in the near future, we'll upload the apk we build directly to F-Droid (we're making progress on this, see https://trac.torproject.org/projects/tor/ticket/27539) and F-Droid will distribute our signed apk after it reproducibly builds it.
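
The signing-key question discussed in this thread can be checked locally by comparing the signing-certificate digest that `apksigner verify --print-certs` reports for each copy of an APK. The following Python is an added example, not Tor Project, Guardian Project or F-Droid code; the source labels, certificate names and digests are constructed placeholders, and the update check assumes no APK Signature Scheme v3 key rotation.

```python
import re
import shutil
import subprocess

# apksigner prints one line per signer, for example:
#   Signer #1 certificate SHA-256 digest: <64 hex characters>
_DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)


def signer_digests(print_certs_output):
    """Return the set of SHA-256 signing-certificate digests (lowercase hex)."""
    return {d.lower() for d in _DIGEST_RE.findall(print_certs_output)}


def run_apksigner(apk_path):
    """Return `apksigner verify --print-certs` output for a local APK file."""
    if shutil.which("apksigner") is None:
        raise RuntimeError("apksigner (Android SDK build-tools) is not on PATH")
    done = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True,
    )
    return done.stdout


def audit_sources(outputs_by_source, pinned_digest):
    """Label each download source by whether it carries the pinned key."""
    pinned = pinned_digest.lower()
    report = {}
    for source, output in outputs_by_source.items():
        digests = signer_digests(output)
        if not digests:
            report[source] = "no-verified-signer"
        elif digests == {pinned}:
            report[source] = "developer-key"
        else:
            report[source] = "different-key"
    return report


def can_update(installed_output, candidate_output):
    """Android only installs an update signed by the installed app's key.

    Simplification: v3 key rotation (signing lineage) is not modelled.
    """
    installed = signer_digests(installed_output)
    return bool(installed) and installed == signer_digests(candidate_output)


# Constructed sample data: these digests and names are placeholders, not the
# real Tor Project, Guardian Project or F-Droid signing certificates.
PINNED = "ab" * 32
RESIGNED = "cd" * 32


def _sample(dn, digest):
    return (f"Signer #1 certificate DN: {dn}\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")


SAMPLES = {
    "project-website": _sample("CN=Example Developer", PINNED),
    "developer-run-repo": _sample("CN=Example Developer", PINNED.upper()),
    "repo-that-re-signs": _sample("CN=Example Repository", RESIGNED),
    "corrupted-download": "DOES NOT VERIFY\n",
}

if __name__ == "__main__":
    for source, verdict in audit_sources(SAMPLES, PINNED).items():
        print(f"{source:20} {verdict}")
    print("cross-source update possible:",
          can_update(SAMPLES["project-website"], SAMPLES["repo-that-re-signs"]))
```

To check real downloads, pass `run_apksigner(path)` for each file into `audit_sources` together with a digest obtained from the developer over a separate trusted channel.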