New Release: Tor Browser 8.5a7

by boklm | January 30, 2019

Tor Browser 8.5a7 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This new Tor Browser version ships the first alpha in Tor's 0.4.0 series, 0.4.0.1-alpha.

This release also features a lot of improvements regarding our branding. We ship our new Tor Browser logo for the first time in a release build on desktop platforms and are eager to learn about bugs and general feedback. Thanks for Antonela and Richard working on this!

Due to a last minute bug making our build non-reproducible, we had to revert the patch rebranding the Windows installer. We plan to have it fixed in the next alpha release.

Additionally, we fixed a number of crashes noticed in previous releases (WebGL crashed on some Windows machines, the print dialog on some Linux systems, and downloading files on some Android devices).

Note: Due to a bug in Tor 0.4.0.1-alpha, the Windows bundles on a new clean install will get stuck during the first start. Restarting the browser should solve the issue.

The full changelog since Tor Browser 8.5a6 is:

  • All Platforms
    • Update Firefox to 60.5.0esr
    • Update Torbutton to 2.1.4
      • Bug 25702: Update Tor Browser icon to follow design guidelines
      • Bug 21805: Add click-to-play button for WebGL
      • Bug 28836: Links on about:tor are not clickable
      • Bug 29035: Clean up our donation campaign and add newsletter sign-up link
      • Translations update
      • Code clean-up
    • Update HTTPS Everywhere to 2019.1.7
    • Update NoScript to 10.2.1
      • Bug 28873: Cascading of permissions is broken
      • Bug 28720: Some videos are blocked outright on higher security levels
    • Bug 29082: Backport patches for bug 1469916
    • Bug 28711: Backport patches for bug 1474659
    • Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
    • Bug 29028: Auto-decline most canvas warning prompts again
    • Bug 27597: Fix our debug builds
  • Windows
    • Update Tor to 0.4.0.1-alpha
    • Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
    • Bug 28111: Use Tor Browser icon in identity box
    • Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu
    • Bug 27503: Compile with accessibility support
    • Bug 28874: Bump mingw-w64 commit to fix WebGL crash
    • Bug 12885: Windows Jump Lists fail for Tor Browser
    • Bug 28618: Set MOZILLA_OFFICIAL for Windows build
  • OS X
    • Update Tor to 0.4.0.1-alpha
    • Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
    • Bug 28111: Use Tor Browser icon in identity box
  • Linux
    • Update Tor to 0.4.0.1-alpha
    • Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
    • Bug 28111: Use Tor Browser icon in identity box
    • Bug 27531: Fix crashing print dialog
  • Android
    • Bug 28705: Fix download crash on newer Android devices
    • Bug 28814: Backport 1480079 to allow installing downloaded apps
  • Build System
    • All Platforms
      • Bug 29158: Install updated apt packages (CVE-2019-3462)
      • Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere
    • Windows
    • Linux
    • Android
      • Bug 28752: Don't download tor-android-binary resources during build

Comments

Please note that the comment area below has been archived.

January 30, 2019

Permalink

Tor WARN: Refusing to apply consensus diff because the base consensus doesn't match the digest as found in the consensus diff header.
Tor WARN: Expected: C543926A52B064BBDA1B7D69F8D729BAEAC5BA3CAE4A264BB9B448608FB96A6F; found: 1DCDD2B0E745BDDA51C4EEE0F3A1179D8099BF290600040B7545C43A3C762383
Tor WARN: Could not apply consensus diff received from server 'canpaste?:22'

February 01, 2019

In reply to gk

Permalink

Is it dangerous? What are the consequences of it? The messages seem to disappear over time, and tor continues to work without any visible changes.

January 30, 2019

Permalink

Thank you TP as always. Remember everyone: there's more of 'us' than there is of 'them'. Use your TOR browser for everything so it never looks out of place if your ISP and/or others are watching and recording. The more normalised everyone's TOR use is, the better for all of us. More relays help, even if only for a short while. Get yourself used to setting it up so it becomes easier every time. xo

January 30, 2019

Permalink

What does this browser support?

HTMLVideoElement
H.264
WebM VP8

Media Source Extensions
MSE & H.264
x MSE & WebM VP9

media.benchmark.vp9.fps 139
media.benchmark.vp9.versioncheck 4

This update disabled VP9 on my i7 notebook!

January 31, 2019

In reply to gk

Permalink

Exactly.

February 01, 2019

In reply to gk

Permalink

Hm, now it's working again. That means something during update turns off VP9 until the test is rerun.

February 04, 2019

In reply to gk

Permalink

Not me. It is automatic bench:
media.benchmark.vp9.fps 139
media.benchmark.vp9.versioncheck 4
These prefs in config mean that it was run.

January 30, 2019

Permalink

Going on five months or more, when I click to search by DuckDuckGoOnion on first starting Tor Browser or a New Identity, I usually receive "400 Bad Request nginx". When I click a second time, it always goes through ok from that point forward until I reopen Tor Browser or make a New Identity. When the error shows up, it's always on the first try of the session. DuckDuckGo knows about it but hasn't said anything. Why is it only on the first attempt? Does it indicate eavesdropping? You might not want to display my comment, then.

January 31, 2019

In reply to gk

Permalink

Yes, there is absolutely nothing in logs. So, gk, give him/her a debug build ;)

January 30, 2019

Permalink

HTTPSE is spamming the console when you hover over its icon:

Warning: no handler for message Object { tabId: 2, __meta: Object, _messageName: "broadcastSettings" } in context moz-extension://uuid/ui/options.html Messages.js:34:5
Error: No handler registered for message "broadcastSettings" in context moz-extension://uuid/ui/options.html Messages.js
Warning: no handler for message Object { policy: Object, xssUserChoices: undefined, unrestrictedTab: undefined, local: undefined, sync: undefined, reloadAffected: undefined, tabId: 2, __meta: Object, _messageName: "updateSettings" } in context moz-extension://uuid/ui/options.html Messages.js:34:5
Error: No handler registered for message "updateSettings" in context moz-extension://uuid/ui/options.html Messages.js
Promise rejected after context unloaded: sender.tab is undefined
Messages.js:68
Promise rejected after context unloaded: Message manager disconnected
Messages.js:68

January 30, 2019

Permalink

Firefox is not so compatible with Remote Desktop as it states. Therefore, with the latest Windows 10 host and
WebGL 1 Driver Renderer Google Inc. -- ANGLE (Microsoft Basic Render Driver Direct3D11 vs_5_0 ps_5_0)
it has an issue that may affect fingerprinting:
06:04:33.674 Error: WebGL warning: Disallowing antialiased backbuffers due to blacklisting. 1 webgl.js:159:17

January 30, 2019

Permalink

Hah, not only fingerprinting... https://demo.marpi.pl/biomes/ doesnt' work at all:
Error: WebGL warning: Disallowing antialiased backbuffers due to blacklisting. echarts-gl.min.js:1:173816
Error: WebGL warning: texImage2D: Invalid unpack format/type: 0x1908/0x1406 echarts-gl.min.js:1:44545
Error: WebGL warning: texImage2D: Invalid unpack format/type: 0x1902/0x1405 echarts-gl.min.js:1:44545
Error: WebGL warning: clear: Framebuffer not complete. (status: 0x8cd6) COLOR_ATTACHMENT0's image is not defined echarts-gl.min.js:1:395878
Error: WebGL warning: clear: Framebuffer must be complete. echarts-gl.min.js:1:395878
Error: WebGL warning: texImage2D: Alpha-premult and y-flip are deprecated for non-DOM-Element uploads. echarts-gl.min.js:1:44545
Error: WebGL warning: texImage2D: Invalid unpack format/type: 0x1908/0x1406 echarts-gl.min.js:1:44545
Error: WebGL warning: texImage2D: Invalid unpack format/type: 0x1902/0x1405 echarts-gl.min.js:1:44545
Error: WebGL warning: clear: Framebuffer not complete. (status: 0x8cd6) COLOR_ATTACHMENT0's image is not defined echarts-gl.min.js:1:111563
Error: WebGL warning: clear: Framebuffer must be complete. echarts-gl.min.js:1:111563
Error: WARNING: 0:1: 'GL_OES_standard_derivatives' : extension is not supported
WARNING: 0:2: 'GL_EXT_shader_texture_lod' : extension is not supported
ERROR: 0:31: 'GL_OES_standard_derivatives' : extension is not supported

1: #extension GL_OES_standard_derivatives : enable
2: #extension GL_EXT_shader_texture_lod : enable
3: precision highp float;
4: precision highp int;
5: precision highp sampler2D;
6: #define DIRECTIONAL_LIGHT_COUNT 1
7: #define AMBIENT_LIGHT_COUNT 1
8: #define AMBIENT_SH_LIGHT_COUNT 1
9: #define AMBIENT_CUBEMAP_LIGHT_COUNT 1
10: #define DIFFUSEMAP_ENABLED
11: #define ALPHA_TEST_THRESHOLD 0.5
12: #define SRGB_DECODE
13: varying vec2 v_Texcoord;
14: uniform sampler2D diffuseMap ;
15:
16: uniform vec3 color ;
17:
18: uniform vec3 emission ;
19:
20: uniform float alpha ;
21:
22:
23: uniform float lineWidth ;
24:
25: uniform vec3 lineColor ;
26:
27: varying vec3 v_Barycentric;
28:
29: float edgeFactor(float width)
30: {
31: vec3 d = fwidth(v_Barycentric);
32: v echarts-gl.min.js:1:179544
Error: WebGL warning: clear: Framebuffer not complete. (status: 0x8cd6) COLOR_ATTACHMENT0's image is not defined echarts-gl.min.js:1:375984
Error: WebGL warning: clear: Framebuffer must be complete. echarts-gl.min.js:1:375984
Error: WebGL warning: clear: Framebuffer not complete. (status: 0x8cd6) COLOR_ATTACHMENT0's image is not defined echarts-gl.min.js:1:395878
Error: WebGL warning: clear: Framebuffer must be complete. echarts-gl.min.js:1:395878
Error: WebGL warning: clear: Framebuffer not complete. (status: 0x8cd6) COLOR_ATTACHMENT0's image is not defined echarts-gl.min.js:1:111563
Error: WebGL warning: clear: Framebuffer must be complete. echarts-gl.min.js:1:111563
TypeError: Argument 1 of WebGLRenderingContext.getAttribLocation is not an object. echarts-gl.min.js:1:57060

February 04, 2019

In reply to gk

Permalink

And where is my answer to your question? That you can enable it in NoScript settings.

January 31, 2019

Permalink

[01-31 08:28:51] Torbutton INFO: Component Load 0: New ExternalAppBlocker.
http channel Listener OnDataAvailable contract violation

January 31, 2019

Permalink

pdf is broken?
Attempting to post a message to window with url "resource://pdf.js/web/viewer.html" and origin "resource://pdf.js^privateBrowsingId=1&firstPartyDomain=color.org" from a system principal scope with mismatched origin "[System Principal]".

January 31, 2019

Permalink

07:12:06.361 TypeError: event.originalTarget.getAttribute is not a function 1 tabbrowser.xml:1977:13
onxblmouseout chrome://browser/content/tabbrowser.xml:1977:13

January 31, 2019

Permalink

Bug 29081: Harden libwinpthread

Security is not one of your strong points :(

January 31, 2019

Permalink

That 'Liberia' exit node becomes annoying with its 'Secure Connection Failed' jokes for e.g. this blog.

January 31, 2019

Permalink

Often, directly after my Tor browser has done an auto-upgrade, every time I start it I get a 'please wait while Tor Browser installs the updates' message. The only way I can stop it happening is to download Tor manually and install it manually, then it's fine.

Might this be my computer? Or does it happen with other users?

That's normal as Tor Browser is not applying the update in the background anymore and has it then ready if you restart. Now, it will apply the update after you restart, hence the dialog to inform you what is going on.

January 31, 2019

Permalink

15:29:19.237 TypeError: hostName is null 1 security.js:55:9
_getSecurityInfo chrome://browser/content/pageinfo/security.js:55:9
securityOnLoad chrome://browser/content/pageinfo/security.js:179:14
onmessage chrome://browser/content/pageinfo/pageInfo.js:372:5

January 31, 2019

Permalink

Reloading https://hg.mozilla.org/releases/mozilla-esr60/rev/fe547fe73bba
[01-31 15:55:12] Torbutton INFO: tor SOCKS: https://hg.mozilla.org/static/3b362b7a9144/style-gitweb.css via
mozilla.org:d0148e6f3897997e603b597862d8ec9a
[01-31 15:55:12] Torbutton INFO: tor SOCKS: https://hg.mozilla.org/static/3b362b7a9144/mercurial.js via
mozilla.org:d0148e6f3897997e603b597862d8ec9a
[01-31 15:55:12] Torbutton INFO: tor catchall circuit has been dirty for over 10 minutes. Rotating.
[01-31 15:55:12] Torbutton INFO: New domain isolation for --unknown--: 0740d7fdd958dd54f49a14cf90c77785
[01-31 15:55:12] Torbutton INFO: tor SOCKS: https://hg.mozilla.org/static/3b362b7a9144/mercurial.js via
--unknown--:0740d7fdd958dd54f49a14cf90c77785[01-31 15:55:12] Torbutton INFO: tor SOCKS: https://hg.mozilla.org/static/3b362b7a9144/moz-logo-bw-rgb.svg via
mozilla.org:d0148e6f3897997e603b597862d8ec9a
[01-31 15:55:12] Torbutton INFO: tor SOCKS: https://hg.mozilla.org/static/3b362b7a9144/hgicon.png via
mozilla.org:d0148e6f3897997e603b597862d8ec9a
So, what's wrong with that cached js? Other cached items work properly. No OA saved for cached js?

Because the log indicates that the js file is requested once over the mozilla circuit and once over the catch-all circuit. Thus, if you only see indeed one request it seems to me this is actually the same bug.

February 01, 2019

Permalink

Unbelievable the number of people that complain "opengl don't work" "pdf is broken"... If you want all those feature but just use google chrome idiots !

Thanks Tb team for you work, just finish to emerge it

February 01, 2019

Permalink

Would really like to see uMatrix replace noScript. Smart HTTPS replace HTTPS Everywhere. A decent cookie manager. No big deal since we can reconfigure extensions ourselves.

Also, detailed about:config modifications should be part of an html-based page (part of the install). This way we can see the modifications. Included are recommended modifications that haven't been made for reasons of stability. Things like telemetry, clipboard, Service Workers, Push Notifications, Studies, Pocket, etc... Even Wifi Location Tracking (Google APIs) can all be added to your about:config changes/recommendations.

February 03, 2019

Permalink

Im using orbot to control other apps that use tor. The new torbrowser for android breaks it. what is the solution?

February 09, 2019

In reply to gk

Permalink

torbrowser does not start because it has its own orbot I assume. so now there are 2 orbots on the same device and this is why I think torbrowser stops working.

to reproduce install orbot first (latest version) then torbrowser then try to start torbrowser it will not work.

as I mentioned in the first comment I need the separate orbot to use vpn mode for other apps.

what to do now?

February 03, 2019

Permalink

Tor NOTICE: No circuits are opened. Relaxed timeout for circuit 118 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.

February 04, 2019

Permalink

Tor NOTICE: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for 1/2 of our primary entry guards (total microdescriptors: 6563/6619).
Tor NOTICE: I learned some more directory information, but not enough to build a circuit: We're missing descriptors for 1/2 of our primary entry guards (total microdescriptors: 6563/6619).

February 05, 2019

Permalink

For many days now a cannot update my tor install in ubuntu trusty i386, I also had to remove source from list because of update errors. I followed the instructions on tor site. Is there a problem for Ubuntu 14.04.5 i386 repository/ppa ?

Is that a Tor Browse question? I think you are referring to Tor? We stopped providing .deb files for Trusty IIRC as it is soon an unsupported Ubuntu and there were errors during test runs I think.

February 06, 2019

Permalink

Tor android is as safe as the pc?

And about the update android, it can not download images yet and the vpn is not activated.

Which Tor Browser version are you on and what Android version? We had issues with downloading things on Android 7+ phones (the browser would crash), but that should be fixed now in 8.5a7. Do you have an example image/website where a download is not working for you?

Yes, we don't support VPN mode with Tor Browser, this is expected.

Whether the browser for Android is as safe as the one for the PC is hard to tell. We hope so but security among desktop platforms is even varying, so it is hard to compare. At any rate, if you need to have Tor Browser on your Android device Tor Browser as we have it right now should be your first choice.

February 06, 2019

Permalink

If you rename the browser folder, you'll get a broken browser with
Could not read chrome manifest 'jar:file:///%CHANGED_PATH%/Browser/TorBrowser/Data/Browser/profile.default/extensions/tor-launcher@torproject.org.xpi!/chrome.manifest'.
Could not read chrome manifest 'jar:file:///%CHANGED_PATH%/Browser/TorBrowser/Data/Browser/profile.default/extensions/torbutton@torproject.org.xpi!/chrome.manifest'.
Could not read chrome manifest 'jar:file:///%CHANGED_PATH%/Browser/browser/extensions/%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D.xpi!/chrome.manifest'.