New Release: Tor Browser 8.5a1

Tor Browser 8.5a1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.5a1 is the first alpha release in the 8.5 series. It contains all the improvements from the new 8.0 release. In addition, we updated Tor to 0.3.4.7-rc and fixed an issue with Moat when a meek bridge has been configured.

The full changelog since Tor Browser 8.0a10 is:

  • All platforms
    • Update Firefox to 60.2.0esr
    • Update Tor to 0.3.4.7-rc
    • Update OpenSSL to 1.0.2p
    • Update Torbutton to 2.0.6
      • Bug 27401: Start listening for NoScript before it loads
      • Bug 27276: Adapt to new NoScript messaging protocol
      • Bug 26884: Use Torbutton to provide security slider on mobile
      • Bug 26962: Circuit display onboarding
      • Bug 26520: Fix sec slider/NoScript for TOR_SKIP_LAUNCH=1
      • Bug 26490: Remove the security slider notification
      • Bug 27301: Improve about:tor behavior and appearance
      • Bug 27097: Add text for Tor News signup widget
      • Bug 27214: Improve the onboarding text
      • Translations update
    • Update Tor Launcher to 0.2.16.4
      • Bug 25405: Cannot use Moat if a meek bridge is configured
      • Bug 27392: Update Moat URLs
      • Translations update
    • Update HTTPS Everywhere to 2018.8.22
    • Update NoScript to 10.1.9.1
    • Bug 26962: New feature onboarding
    • Bug 27403: The onboarding bubble is not always displayed
    • Bug 27283: Fix first-party isolation for UI tour
    • Bug 27213: Update about:tbupdate to new (about:tor) layout
    • Bug 26670: Make canvas permission prompt respect first-party isolation
    • Bug 26561: .onion images are not displayed
    • Bug 21787: Spoof en-US for date picker
    • Bug 21607: Disable WebVR for now until it is properly audited
    • Bug 21549: Disable wasm for now until it is properly audited
    • Bug 26614: Disable Web Authentication API until it is properly audited
    • Bug 27281: Enable Reader View mode again
    • Bug 26114: Don't expose navigator.mozAddonManager to websites
    • Bug 26048: Fix potentially confusing "restart to update" message
    • Bug 27221: Purge startup cache if Tor Browser version changed
    • Bug 26049: Reduce delay for showing update prompt to 1 hour
    • Bug 25405: Cannot use Moat if a meek bridge is configured
    • Bug 27268+27257+27262+26603 : Preferences clean-up
  • Windows
    • Bug 26381: Work around endless loop during page load and about:tor not loading
    • Bug 27411: Fix broken security slider and NoScript interaction on Windows
  • Build System
    • All Platforms
      • Bug 27061: Enable verification of langpacks checksums
      • Bug 27178+27179: Add support for xz compression in mar files
Anonymous

September 10, 2018

Permalink

Hi Tor team, after update to version 8 the tor icon is not available. here is the icon path in desktop file:
Icon=/opt/tor-browser-linux64-7.5.3_en-US/tor-browser_en-US/Browser/browser/icons/mozicon128.png

could you please let me know the new image path in this version?

note: I realize that after last update the folder Icon=/opt/tor-browser-linux64-7.5.3_en-US/tor-browser_en-US/Browser/browser/icons/ is not longer available

thanks in advance

Anonymous

September 11, 2018

Permalink

What I'm seeing with this user agent issue is that Mac users seemed to be the ones that had the compatibility issues and Linux users want the user agent changed back. I'm on Linux, and I've never had any OS compatibility issues with a spoofed Windows UA (probably because Linux is better about interoperability and sticking to standards than any proprietary OS). And even if I did, I would investigate it myself, like most Linux users. The "User will get frustrated and immediately cease usage of the program upon encountering any issues" problem may apply to Mac users, but it doesn't apply to most Linux users (otherwise they wouldn't be using Linux).

There are no downsides to changing it back either; yes, maybe in some cases websites will still be able to detect that you're using Linux, but some won't and even when they do spoofing a Windows UA won't be an issue since every other Tor Browser installation would be doing it too. Meanwhile, as it stands now the anonymity set is split between Linux users not spoofing a Windows UA and the (I assume considerably large) number of Linux users choosing to spoof it (as Linux users tend to be on the tech-savvier side and thus I imagine would have no problem installing an extension). So the problem was made worse and not better by this change, while ignoring the fact that there never was a problem in no-JS contexts.

Overall this change is eroding the trust many of your users have in you to make the most sensible default decisions. And people not trusting Tor Browser and rolling their own to whatever degree is a much bigger threat to its design than whatever esoteric OS fingerprinting issues you're worried about invalidating UA spoofing (which, like I said before, makes no sense anyway as even if your real OS is detected, them knowing you have a spoofed UA means nothing if every other Tor Browser is spoofing it too, just as it was in 7.x), even ignoring the fact that it's just not an issue in most no-JS contexts.

As for me I now have an extension installed to spoof my UA. It's open source but is it trustworthy? Hopefully it is. I gladly uninstalled my last UA spoofing extension years ago and now it feels like a major regression that I feel that I have no choice but to install another one.

Just giving into Mozilla's decision making on this issue is a lame excuse too. Has the Tor Browser team forgotten how to code? What's the point of a browser fork if it's not actually, you know, forked?

Overall I'm just annoyed because the logic behind this decision is so transparently flawed and people trust you to make better decisions than this. People shouldn't have to be investing their time in explaining the obvious to you but apparently they do now. I'm sorry for being snippy but this is a major violation of your mission.

I was already annoyed with you constantly dumbing down things UX-wise for the benefit of people who can't be bothered to read a single full sentence about a system that they're expecting to protect their anonymity (which is pointless as they will invariably find some way to screw things up due to their lack of knowledge no matter how many "dangerous" options you remove), but when it's gotten to the point of actually sacrificing privacy/anonymity because some random bozos report "I can't use my google docs!" (which they're probably signed into with an entirely identifiable account) to you (or some other stupid BS about corporate apps that probably can't even be used anonymously no matter what anyway as they all ask for phone numbers) then it's gone too far.

Maybe you can release two versions of Tor Browser? One for people who know what they're doing, are willing to read, and understand that everything might not work automaticaly, and one that's just Firefox with a pretty shade of green paint over it (which is what Tor Browser is trending toward)? Either way you need to do something to fix this because if you don't, you will eventually end up with the situation I just stated as a de facto reality due to a fork, at which point you will split the anonymity set of Tor users further and lose control over what that new team does. You need to make the right decision now before it's too late.

Anonymous

September 12, 2018

Permalink

it is open very fast but some web site

littel slow also movies or video slow.

Tor 9 new upgrade coming soon :)

Anonymous

September 12, 2018

Permalink

The new NoScript is HORRIBLE, absolutely terrible. Unusable, the program is basically dead, as must be the brains of the developers. This was known already from the "normal" version, but is all the more apparent now that Tor uses it too.
Tor does not work now with this prorgram, which is a kind of bug and certainly a liability.

Anonymous

September 13, 2018

Permalink

08:25:22.894 Error: No handler registered for message "updateSettings" in context moz-extension://%noscript%/ui/options.html#;tab-main-tabs=3 1 Messages.js:422:12

Anonymous

September 13, 2018

Permalink

Dear and beloved Tor devs, please fix the user-agent issue! Using Tor Browser on Linux really really stands us out from the crowd! Please at least give us the ability to still enable classical Windows user-agent if we want! Or do you know of any workaround regarding this issue?

As of now, my user-agent header is

  1. <br />
  2. Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Really, really bad! Progress should be toward more anonymity, not less! This is a really scary regression!

Thanks a lot for your work!

Anonymous

September 14, 2018

Permalink

18:15:35.134 Loading failed for the with source “chrome://global/content/TopLevelVideoDocument.js”. 1 269.mp4:1

Anonymous

September 14, 2018

Permalink

NI:
18:32:26.005 this.browser is null 1 ext-tabs-base.js:298
get frameLoader chrome://extensions/content/ext-tabs-base.js:298:5
get frameLoader chrome://browser/content/ext-browser.js:605:5
get width chrome://browser/content/ext-browser.js:678:5
convert chrome://extensions/content/ext-tabs-base.js:579:7
get chrome://browser/content/ext-tabs.js:572:18
InterpretGeneratorResume self-hosted:1259:8
next self-hosted:1214:9
get self-hosted:977:17
call/result< resource://gre/modules/ExtensionParent.jsm:772:57
withPendingBrowser resource://gre/modules/ExtensionParent.jsm:427:26
next self-hosted:1214:9
call resource://gre/modules/ExtensionParent.jsm:771:20
next self-hosted:1214:9
torbutton_send_ctrl_cmd chrome://torbutton/content/torbutton.js:753:10
torbutton_do_new_identity chrome://torbutton/content/torbutton.js:1117:10
torbutton_new_identity chrome://torbutton/content/torbutton.js:847:9
oncommand chrome://browser/content/browser.xul:1:1

Anonymous

September 15, 2018

Permalink

I do not possess the technical knowledge many here do, but the new browser just doesn't seem to work well. Pages don't load, timeouts for well known sites (yes, I get that they could be down), I don't get the Tor landing page confirming Tor loaded fine and is secure, NoScript configuration is what, super-automatic and perfect now...it just seems off. For those of us that have come to rely on it for privacy with the older config options, I don't feel like I have control or knowledge that I am as secure as I used to be. Something just feels off.

Anonymous

September 15, 2018

Permalink

The new version 8 is very bad...
There's no option to change the ip-address.
Script handling is complicated. The old version is better
Now I only get message 'Your IP Address is banned' everywhere.

Anonymous

September 17, 2018

Permalink

TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/projects/tor/ticket/6734 without fix this privacy issue.

From Ubuntu 18.04.1 LiveCD
/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/

about:config
extensions.blocklist.url:
https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID…

Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB.

Anonymous

September 17, 2018

Permalink

I allowed Tor to update itself on Mac 10.9.5 system and now it doesn't run at all. Instantly goes to a crash window. Deleted everything from application support folder and the app itself, downloaded from this website, same exact effect.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

3 + 6 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.