New Release: Tor Browser 8.5a11

Tor Browser 8.5a11 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release: an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This new alpha release includes some bug fixes and improvements. Among other things, on the desktop side we improved the browser toolbar layout, replaced the security slider with a toolbar icon and added mechanisms to introduce new features to users. We also improved the screen reader accessibility on Windows and added the es-AR locale.

On the Android side, we started using the Tor Onion Proxy Library.

The full changelog since Tor Browser 8.5a10 is:

  • All platforms
    • Update Torbutton to 2.1.6
      • Bug 22538+22513: Fix new circuit button for error pages
      • Bug 29825: Intelligently add new Security Level button to taskbar
      • Bug 29903: No WebGL click-to-play on the standard security level
      • Bug 27484: Improve navigation within onboarding (strings)
      • Bug 29768: Introduce new features to users (strings)
      • Bug 29943: Use locales in AB-CD scheme to match Mozilla
      • Bug 26498: Add locale: es-AR
      • Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
      • Translations update
    • Update NoScript to 10.6.1
      • Bug 29872: XSS popup with DuckDuckGo search on about:tor
    • Bug 29916: Make sure enterprise policies are disabled
    • Bug 26498: Add locale: es-AR
  • Windows + OS X + Linux
    • Update Tor to 0.4.0.4-rc
    • Update Tor Launcher to 0.2.18.2
      • Bug 26498: Add locale es-AR
      • Translations update
    • Bug 29768: Introduce new features to users
    • Bug 27484: Improve navigation within onboarding
    • Bug 25658: Improve toolbar layout for new security settings
  • Windows
    • Bug 27503: Improve screen reader accessibility
  • Android
    • Bug 27609 (and child bugs): Use Tor Onion Proxy Library
    • Bug 29312: Bump Tor to 0.3.5.8
    • Bug 29859: Disable HLS support for now
    • Bug 28622: Update Tor Browser icon for mobile
    • Bug 29238: Prevent crash on Android after update
    • Bug 29982: Add additional safe guards against crashes during bootstrap
    • Bug 29906: Fix crash on older devices due to missing API
    • Bug 29858: Load onboarding panels after bootstrapping is done
    • Bug 28329: Improve bootstrapping experience
    • Bug 30016: Localize bootstrap-/bridge-related strings for mobile
  • Build System
    • All platforms
      • Bug 29868: Fix installation of python-future package
      • Bug 25623: Disable network during build
    • Linux
      • Bug 29966: Use archive.debian.org for Wheezy images
    • Android
      • Bug 30089: Use apksigner instead of jarsigner
khled.8@hotmai.com

April 16, 2019

Thanks for the great work!

Anonymity protection feature request:
Like with a mixed HTTPS+HTTP content, consider warning the TB user when an Onion site opens a "clearnet" connection in background (onion+clearnet mix).

Example: during a search "DuckDuckGo Onion" [3g2upl4pq6kufc4m.onion] connects to its clearnet version duckduckgo.com (to load the search result document icons, etc.).

(DDG Onion: one might as well just use the clearnet DDG site... What info is transmitted outside of Tor? Possibly a traffic correlation risk for the Tor users?)

> during a search "DuckDuckGo Onion" [3g2upl4pq6kufc4m.onion] connects to its clearnet version duckduckgo.com (to load the search result document icons, etc.).

Can someone verify this behavior, please?

I don't have Wireshark. There is at least one connection when the security slider is on Safer. On the search results page, a complete version of the following tag is in a sidebar module that shows a summary of Wikipedia's page about the search term:
 <img class="module--about__img" source="https://duckduckgo.com/...">

Procedure:
1. Open the page. Right-click on the page -> Inspect Element -> Network tab. Refresh the page. Click the header of the Domain column to sort it. Look for duckduckgo.com.
2. Right-click on the page -> View Page Info -> Media tab. Click the header of the Address column to sort it. Look for duckduckgo.com.
3. Back in Developer Tools, change from the Network tab to the Inspector tab. In the search box of the Inspector tab, search for substrings of the addresses you found. Ignore "a" tags because prefetching is disabled in TBB's default about:config.

There's more. Single words sometimes display a horizontal bar of tiles above the results. The bar is in this tag:
 <div id="zero_click_wrapper" class="zci-wrap">

Images in the bar are in tags that look like this:
 <img class="tile__icon  js-lazyload" src="https://duckduckgo.com/i/....jpg" data-src="https://duckduckgo.com/i/....jpg">

Easy to verify-- temporarily install the Firefox uMatrix and do a search using DDG Onion; watch the uMatrix panel while the DDG Onion results load.
DDG search results now come with their corresponding document type icons. These icons are loaded from DDG clearnet site icons.duckduckgo.com even if .Onion is used.

BTW, uMatrix is an open-source addon that reveals way, way more junk than NoScript.
Also, (optional) you can make it remember your per-site rules.
Finally, its author doesn't have a known "privacy vs. allowed tracking ads" scandal in the past.
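
The check described in the comments above (look for duckduckgo.com among the resources an onion page loads, ignoring "a" tags) can also be run over a saved copy of the page. This is an added example, not code from the commenters or from Tor Project; the function name, the tag list and the paths in the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags fetched without user action and the attributes carrying their URL.
# "a" is left out on purpose: a link is only requested when clicked.
# data-src is the lazy-load attribute a page script later copies into src.
FETCHING = {
    "img": ("src", "data-src"),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
}

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in FETCHING.get(tag, ()):
                self.found.append((tag, name, urljoin(self.base_url, value)))

def clearnet_subresources(page_url, html):
    """List (tag, attr, url) subresources of an onion page served off-onion."""
    if not (urlsplit(page_url).hostname or "").endswith(".onion"):
        raise ValueError("page_url is not an onion address")
    collector = _Collector(page_url)
    collector.feed(html)
    leaks = []
    for tag, attr, url in collector.found:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme in ("http", "https") and not host.endswith(".onion"):
            leaks.append((tag, attr, url))
    return leaks

# Constructed sample; only the onion address, class names and hosts come from the thread.
PAGE_URL = "https://3g2upl4pq6kufc4m.onion/?q=tor"
SAMPLE = """
<div id="zero_click_wrapper" class="zci-wrap">
 <img class="tile__icon js-lazyload" src="/blank.png" data-src="https://duckduckgo.com/i/constructed.jpg">
</div>
<img class="module--about__img" src="https://duckduckgo.com/i/constructed-about.jpg">
<img src="//icons.duckduckgo.com/constructed/example.org.ico">
<script src="/constructed.js"></script>
<a href="https://duckduckgo.com/about">not fetched until clicked</a>
"""

if __name__ == "__main__":
    for tag, attr, url in clearnet_subresources(PAGE_URL, SAMPLE):
        print(f"{tag}[{attr}] -> {url}")
```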

khled.8@hotmai.com

April 16, 2019

> Bug 29903: No WebGL click-to-play on the standard security level
https://trac.torproject.org/projects/tor/ticket/21805

With the default WebGL 1 Driver Renderer Google Inc. -- ANGLE (Microsoft Basic Render Driver Direct3D11 vs_5_0 ps_5_0) you can see on about:support
15:50:14.841 Error: WebGL warning: Disallowing antialiased backbuffers due to blacklisting. 1 Troubleshoot.jsm:528:18
Does this make me more fingerprintable?

> Update NoScript to 10.6.1 XXX
XXX? Porn version? :)

I fixed it, thanks.

> Bug 29872: XSS popup with DuckDuckGo search on about:tor
It's time to revert it as:
This issue is verified as fixed on Firefox 60.6.2esr (20190416010130) under Win 7 64-bit and Mac OS X 10.14.1.

Yeah, we do that once we get the patch from upstream.

Good time of day! With installed bridges there is no browser loading. There is also no image saving. Android 7

How did you install bridges? Oh, and did you get some useful log messages if you swipe from the right side of your phone to see some log messages?

Android

Bug 27609 (and child bugs): Use Tor Onion Proxy Library
Bug 29312: Bump Tor to 0.3.5.8

HEY EVERYBODY! IT'S TIME TO TEST ANDROID VERSION!

Is it safe?

khled.8@hotmai.com

April 18, 2019

In reply to by Doctor (not verified)

Please be more specific. Read the changelog. The version in this post is an alpha version, denoted by the "a" in 8.5a11. Most people will want the standard version, 8.0.8, not the alpha development testing version.

I like the new icon on Android. But perhaps the color scheme should be changed to the regular Tor colors?

It will. That's only the logo from the alpha series. Stay tuned. :)

is it possible to make the browser spoof the most common browser fingerprint?

Common browsers tend to have a different fingerprint for each user, so there is not really a "most common browser fingerprint".

Panopticlick suggests otherwise.

Panopticlick is not a God

Strawmen imply nonexistent ridiculous assertions.

Making all users look the same is one of the main goals of Tor Browser, so we try hard to have all users (or at least large groups of users) with the same fingerprint, but this is not the case with other browsers which have other priorities. Firefox has a preference to resist fingerprinting, but it is currently not enabled by default as it has some consequences on usability.

The numbers given by Panopticlick are not really meaningful for Tor Browser users because most Panopticlick users are using other browsers.

But even if there was a "most common browser fingerprint", the fact that a user is connecting through Tor is already obvious by looking at the IP address, so there is not much point in trying to hide that the user is a Tor Browser user.

For the benefit of newcomers, I add this: not only does using Tor Browser benefit the individual user, but the more people who use Tor Browser, the more the entire world benefits, because it becomes harder for adversaries to identify more and more people, which might eventually make "surveillance capitalism" and "dragnet surveillance" (by governments) uneconomic.

As a long series of troubling news stories since 2013 or so suggests (e.g. Snowden leaks, Facebook scandals, etc), this would probably be a good thing.

Growing the Tor userbase (and geographic/device diversity) will no doubt continue to be a major goal of Tor Project over the next decade. Assuming NSA/FSB/FBI/GCHQ/etc do not succeed in making Tor effectively illegal for everyone everywhere, that is.

Realistically speaking, how different are fingerprints on the desktop version of Tor Browser on the standard security setting, across different operating systems and hardware? Can anonymity in the face of modern tracking techniques at all be expected on this setting?

Your questions and a comment in the v8.0.8 post would be great to turn into research projects based on data sets from fingerprint leak sites like EFF's panopticlick and others in replies to that comment. Those sites, themselves, are in the best position to find the answers and add those details and more relevancy to their sites. Anyone could work on it if the data sets are open. Your questions about Tor could be studied and placed on the metrics website.

Most of these sites show a very incomplete picture of what is really possible in terms of tracking and are quite outdated. Panopticlick's results are not meaningful in any way. They look at maybe 20 randomly chosen parameters, out of literally thousands of possible ways of tracking users.

See if it's possible to build from their underlying data sets, not from their results. Starting by foregoing others' work and gathering from scratch is wasteful.

If your goal is to blend in with everyone else, Tor Browser is one of the best tools. Exit nodes, like public proxies, mark your internet traffic with an IP address that's shared by many people simultaneously unlike your home or mobile IP address. The Tor Browser is set up to mark your browser traffic with one of three selectable configurations, so at the start of your session, you look like other people using Tor Browser on Tor.

Since your normal browser traffic is marked by your home or mobile IP that immediately makes your traffic stand out regardless of whether you're using a browser, and since Tor Browser is designed for its traffic never to be marked by your home or mobile IP, then the only way to compare the realistic significance of the fingerprints of Tor Browser versus normal browsers is for you to configure your normal browser to proxy as Tor Browser does. But setting a normal browser to use Tor is not recommended at all.

A user can modify their Tor Browser and make its fingerprint stand out, but many things they don't modify are reset by the security slider and New Identity functions. Some of the security choices made by developers of Tor Browser are passed back to developers of Mozilla Firefox. It definitely helps a general-purpose browser like Firefox to receive development feedback from security-privacy projects like this, and some of it pushes Firefox to look a little bit more like Tor Browser.

How do I download the standalone tor only (non-browser bundle)? Can't find anything after the site redesign.

You guys do wonderful (hard) work, and I am grateful to each and every one who works on Tor products.

How does one download this program and get it to work? I’ve had a brain injury and am not able to understand what I need to do. Thank you.

You can download Tor Browser from this page:
https://www.torproject.org/download/

The Tor Browser manual also has some information:
https://tb-manual.torproject.org/

@ Nancey:

I thought you might appreciate more detailed instructions:

1. Point your browser at https://www.torproject.org/download/ by clicking on a link if this sentence contains one or by typing that URL into the "location pane" of your browser. You should see a green lock icon indicating that your connection is "secured" by TLS, i.e. you have reason to think your browser will receive files from the real torproject.org not a malicious imitator.

2. Once the download page loads you should see a row of four icons standing for four types of operating systems: Microsoft (Windows), Apple (MacOS), Linux, Google (Android). Below each of these is a smaller link marked "sig".

3. Click on the "sig" for your operating system. After a few minutes you should see that you have downloaded a file with a name like 8.0.8/tor-browser-linux64-8.0.8_en-US.tar.xz.asc

4. Click on the big icon for your operating system. After 5-30 minutes depending on your internet connection speed, you should see that you have downloaded a second file with a name like https://www.torproject.org/dist/torbrowser/8.0.8/tor-browser-linux64-8….

5. Verifying the authenticity of code before you install is especially important for security critical applications like Tor, but if you can't make steps 6-8 work you can still install Tor Browser; see https://support.torproject.org/tbb/how-to-verify-signature/ for how to obtain the signing key and use GPG to verify the "detached" signature of the "tarball" ***.tar.xz

6. Once you have verified the tarball, make a directory, AKA folder, and move the tarball file ***.tar.xz there. Unpack it (this may be as simple as clicking on it). This will take a minute.

7. Once the tarball is unpacked, you should be ready to start launching Tor Browser, which will painlessly connect your computer to the worldwide Tor network. This will take a few minutes because the Tor "client" on your computer needs to download current information (up to the hour) about all the Tor nodes currently available, so it can start building Tor "circuits". When this is done the browser should launch itself and you can start surfing.

Hope this is all helpful. It's not as complicated as I am probably making it sound. If you run into trouble, try asking a friend you trust to help you get TB installed.

They didn't hint what their OS is, so don't assume Linux. If you have to assume, assume the one with the most market share: Windows. Tar.xz will confuse most newbies. GPG is good to encourage but will definitely confuse and put off most newbies. Your file names aren't file names; they have slashes which denote folders, a path or a URL. Don't invent jargon like "location pane" when the overwhelming majority of people and help documents call it the "address bar". Include GetTor as an alternative. The rest looks good to me.

First time commenter....been playing with TOR for a short time and I like it. Seems to have a niche for what it does. One thing I have a hard time with as I am older, is the font sizes in the Firefox URL and tool bar areas. In the past I have used theme font and size changer and it really did the job for us vision-impaired folks. I hate to make system wide changes to fix this as I use other browsers also and don't want to change them...they use easy add-on fixes.
So is there any reasonably easy fix for this Firefox problem or are we just left out?

Easy? Yes, the Theme Font & Size Changer is in the present. But I don't know if doing it will maintain privacy. Changing the browser's UI widgets can sometimes change values that are in your browser fingerprint. Tor Project cautions users who want to customize the browser and install other add-ons. There may be other ways of doing it, and the add-on may not affect privacy, but I personally don't know.

> one thing i have a hard time with as i am older, is the font sizes in the firefox url and tool bar areas.

You are not alone! I seem to have grown old using Tor :-) so I have similar issues.

Because Tor Browser is modified Firefox you can easily install Mozilla add-ons or plug-ins just like you would do with Firefox, and these will probably "work" like they do with Firefox. But there is a problem: installing plug-ins can make your Tor Browser more distinguishable from other Tor Browsers, i.e. you can become less anonymous.

I sometimes wish the TB team had the time and resources to test TB for usability with users who have some vision/hearing impairment, but at a time when Tor Project is fighting an existential battle with FBI/NSA/GCHQ/etc ("Going Dark"), we should probably accept that TP needs to have other priorities right now.

How do I use Tor?

I'm getting an error when trying to connect to Tor on this Android app release on Android 4.4.4

 - Set background service to FOREGROUND
 - updating settings in Tor service
 - updating torrc custom configuration...
 - success.
 - checking binary version: 0.3.5.8-rc-openssl1.0.2p
 - Orbot is starting…
 - Tor control port file not created
 - Unable to start Tor: java.io.IOException: Control port file not created: /data/data/org.torproject.torbrowser_alpha/app_torservice/lib/tor/control.txt, len = 0

I tried to navigate to this location manually with a terminal emulator but I did not have permission to enter the final part of the path. I could cd up to /data/data/org.torproject.torbrowser_alpha/app_torservice/ only. I suspect any attempt to create this file in the Java code might also be failing?

That ticket appears to be for a different symptom.

Try https://trac.torproject.org/projects/tor/ticket/30284

Does DuckDuckGo not show a logo now to anyone anymore, or is it just me?

No logo for me, security set to high, all noscript disabled, :config java disabled.

The DuckDuckGo logo is an SVG image. Is your security slider set to Safest? Safest blocks SVG images.