New Release: Tor Browser 8.5a10

Tor Browser 8.5a10 is now available from the Tor Browser Project page and also from our distribution directory.

Note: this is an alpha release: an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest.

The full changelog since Tor Browser 8.5a9 is:

  • All platforms
    • Update Firefox to 60.6.1esr
    • Update NoScript to 10.2.4
      • Bug 29733: Work around Mozilla's bug 1532530
Anonymous

April 05, 2019

Happened when I selected a few countries with strict nodes enabled in config. A reinstall solved the issue, but it is still not possible to trace it down to the root cause.

Something more. NoScript's XSS going wild. Even getting DDG search filtering warnings. And it uses a really big pop-up to show that Allow or Deny window. Could you please check that one too?

Attached the screenshot on Dropbox this time.

https://www.dropbox.com/s/m8pi98igu48gzys/Tor_Exit_Node_IP_Unknown.png

Anonymous

April 06, 2019

Is anyone else reporting problems with the obfs4 bridge? I don't know where to report this. For the last week or so "obfs4" has been failing to connect, and it is still ongoing; I now use meek just to connect.

Anonymous

April 06, 2019

HTML5 Canvas Image Extraction and Fingerprinting

I know Tor's warning about (and blocking of) sites trying to extract html5 canvas image data is not a new thing but I remembered it just recently when the EU ratified article 13 which is likely to illegalize memes and whatever.
So I wanted to ask if the danger posed by HTML5 Canvas Image Extraction means that in extension any rendered/edited image can be traced back to the graphics card it was made with. The text here https://2019.www.torproject.org/projects/torbrowser/design/#fingerprint… states

'Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server.'

That sounds pretty scary actually for anyone who ever uploaded an image, even if he just shopped a line of text onto it.

I think you're confused about the definitions.
https://en.wikipedia.org/wiki/Canvas_fingerprinting
A canvas in this sense is an area defined by the webpage and rendered in the browser's web content display areas where the webpage can use Javascript for graphics, primarily drawing and coloring. The text you cited describes the ability of a webpage to tell the browser's Javascript engine to draw in a canvas area and then extract the image it drew. The abilities and metadata provided by the engine for manipulating a canvas depend on many factors, some of which are listed in your quote. The adversary webpage can tell the browser to draw and extract a canvas image that exposes the limits of the metadata and abilities that are highly unique to each browser+system settings combination. It can be compared to a unique session cookie but circumvents all cookie safeguards. Websites such as panopticlick let you test your browser fingerprint entropy.

Image editing is different. It is usually done in offline image editors and goes through different processes versus rendering or uploading that file in a web browser. Some image file types are saved with metadata inside them that you can read with an EXIF viewer or hex editor. As far as I know, the canvas is not designed to read those. It's possible for editors to save the name of the graphics card model or the model of the camera that took a photo as EXIF data. Uploaded files in general could be traced by time, IP, and file hash. Uploaded images could be analyzed for what they visibly depict. But none of those are how canvas fingerprinting works. File uploads are generally not intended to be processed by canvas Javascript that the webpage may try to run in the browser tab, and I would expect that any attempts to extract the canvas image would trigger the warning regardless of what was drawn. Interfaces for uploading wouldn't really help the goals of canvas fingerprinting. They are generally not silent and hidden every time the page loads and require the user to actively click buttons to begin.
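The draw, extract and hash sequence described in this reply, and the effect of blocking extraction, as an added example that is not part of the original comments and is not Tor Browser code. `FakeCanvas`, `canvasHash` and `guardCanvas` are hypothetical names, the pixel model is constructed so the code runs outside a browser, and returning blank white pixels is this sketch's assumption about what "blocking" hands back to the page.

```javascript
// Added illustration. FakeCanvas, canvasHash and guardCanvas are hypothetical
// names; the pixel model is constructed and is not real browser rendering.
class FakeCanvas {
  constructor(machineQuirk) {
    this.quirk = machineQuirk;                   // stands in for GPU/font/library differences
    this.pixels = new Uint8Array(64).fill(255);  // 16 white RGBA pixels
  }
  fillText(text) {
    for (let i = 0; i < text.length; i++) {
      // Same draw command, slightly different pixels on each machine.
      this.pixels[(i * 4) % this.pixels.length] = (text.charCodeAt(i) + this.quirk) & 0xff;
    }
  }
  toDataURL() {
    return 'data:,' + this.pixels.join(',');     // constructed encoding, not PNG
  }
}

// Small non-cryptographic hash (FNV-1a) so the example has no dependencies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// What the page script does: draw, extract, hash.
function canvasHash(canvas) {
  canvas.fillText('fingerprint probe');
  return fnv1a(canvas.toDataURL());
}

// Mitigation sketch: intercept extraction, record it, return blank pixels
// unless the user has allowed the site (assumed behaviour for "blocking").
function guardCanvas(canvas, allowed = false) {
  const original = canvas.toDataURL.bind(canvas);
  const log = [];
  canvas.toDataURL = () => {
    log.push('canvas extraction attempt');
    if (allowed) return original();
    return 'data:,' + new Uint8Array(canvas.pixels.length).fill(255).join(',');
  };
  return log;
}
```

With the guard in place, two machines that would otherwise produce different stable hashes return the same value, and the log records each extraction attempt that a warning prompt could be built on.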

Anonymous

April 07, 2019

Sometimes the page of the site blinks, just inside the browser, like a black "25th frame". And it happens quite often, 1-2 times per session. What is it? As if it were some kind of spying. It did not happen before; it appeared 2-3 updates back. Clean install every time.

I've seen something like that before. The browser stops responding correctly, and black rectangles appear on whatever page is open and on the browser toolbars after I close toolbar menus or click another tab. It's as if the whole browser stops replacing the graphics of the things behind the things I close. I always thought it was a memory or CPU issue. I think it happens on sites that have many entries in NoScript. Other people have reported it in Firefox, Chrome, Edge. Most answers say to disable Hardware Acceleration or GPU. I still think certain heavy webpages are the cause. If I see more, I'll save them.

https://support.mozilla.org/en-US/questions/1006033
https://support.mozilla.org/en-US/questions/925894
https://www.reddit.com/r/firefox/comments/3cl8kk/firefox_39_black_recta…

Anonymous

April 08, 2019

imo the new logo is an improvement, but it just seems a bit too simplistic, like 5 minutes in GIMP simplistic...

making logos simple isn't always bad, the EFF logo looks alright, but if you are adding gradients and shadows you should add more detail than just a circle, something like the firefox quantum logo would be amazing.

tbh the black and white version of the old logo, without any ugly 2005 style gradients looks better than this.
