New Release: Tor Browser 8.5a8

Tor Browser 8.5a8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.5.1esr, fixing some vulnerabilities in the Skia library.

Note: We usually make sure that the build of each Tor Browser release is reproducible by having two separate people building it before we publish a new release. However, due to some people being unavailable this week, we are having some delays doing this verification for this alpha release. Because this release includes an important security fix that we want to release quickly, we will be checking the reproducibility of the build afterward. If you are interested in reproducing our build, you can find information about that on our wiki page. Update: we have now reproduced the build.

Note 2: The download link for the Android version is still pointing to 8.5a7 as we have not yet signed the 8.5a8 build. We plan to fix this soon. Update: This is now fixed.

The full changelog since Tor Browser 8.5a7 is:

  • All platforms
    • Update Firefox to 60.5.1esr
    • Update HTTPS Everywhere to 2019.1.31
    • Bug 29378: Remove 83.212.101.3 from default bridges
    • Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
  • Build System
    • All Platforms
      • Bug 29235: Build our own version of python3.6 for HTTPS Everywhere
      • Bug 29167: Upgrade go to 1.11.5
    • Linux
      • Bug 29183: Use linux-x86_64 langpacks on linux-x86_64
Anonymous

February 15, 2019

Permalink

Link on the download page is wrong for Android (or the proper android build is missing). There is no tor-browser-8.5a8-android-armv7-multi.apk in the download directory, only tor-browser-8.5a8-android-armv7-multi-qa.apk. Is this build OK to use?

Anonymous

February 15, 2019

Permalink

I m new

Anonymous

February 16, 2019

Permalink

Hello Tor Project devs!
Thanks for your hard work. I was wondering what happen to Tor Browser 8.5a8 for Android. I can't seem to download it directly from Tor Project website

Anonymous

February 16, 2019

Permalink

na

Anonymous

February 17, 2019

Permalink

This humor is not funny any more:

We've detected that you have connected over Tor. There appears to be an issue with the Tor Exit Node you are currently using. Please recreate your Tor circuit or restart your Tor browser in order to fix this.

If this error persists, please let us know: error-tor@duckduckgo.com

Anonymous

February 18, 2019

Permalink

If Tor is dynamically linked, is that less secure ?

Is it a possibility that someone could introduce a custom library that looks 'binary the same' to one used dynamically by Tor, but calls off into another custom code, by somehow placing it on disk ?

Or is this nonsense ? (quietly hoping so)

Anonymous

February 18, 2019

Permalink

Hi all,
I used to use Tor on my Mac but it doesn't run anymore. As soon as I click on it, it seems it wants to open but the logo disappears and doesn't open. I have tried all different versions but I can not open either of them. Can you help?

Anonymous

February 18, 2019

Permalink

403 ERROR
The request could not be satisfied.
Request blocked.

Generated by cloudfront (CloudFront)
Request ID: HD5uUKwkEb86hGxCv0FDXvEIC6MEVaGyoTW9pCeuXGFvttsbdUqquQ==

I tried many it doesnt even start and if I remove bridges it starts normally

I also have a separate orbot with bridges and vpn mode enabled

do you think this is the reason? maybe only one can run with bridges and the other not? I dont understand what is wrong

I do it manually the same way used in orbot

1- click on use bridges slider button in the main interface
2- go to options and tick the box use bridges (i dont know why you need to enable twice but maybe its another unrelated bug)
3- enter the bridges obtained earlier from bridges site and click ok to save
4- try to start (it doesnt)

Okay, so I looked closer at that. It seems for some reason we a) don't get pluggable transport support stemming from Orbot for free even though we are compiling and using it and b) even if you want to use normal Tor bridges (no pluggable transport) this is only possible if you have PT support available as Orbot checks this case and only proceeds if it finds the obfs4proxy binary, which is rather unfortunate. I am sorry, but for now this is not working (as you found out :) ). I am working on getting this fixed for the next release, though.

Anonymous

February 23, 2019

Permalink

I hope any conflicts with standalone orbot are investigated and resolved, testing all options to see if that breaks anything. There is a wide userbase that still use orbot. I'm interested to see any tickets in that regard. Thank you all.

There should not be any conflicts with the standalone Orbot given that Tor Browser is using differnent SOCKS and Control Ports. Do you have something specific in mind? In general our mobile related tickets are tagged with tbb-mobile, so https://trac.torproject.org/projects/tor/query?status=accepted&status=a… gives you an overview of all the mobile related issues we are currently aware of.

What is the purpose of VPN functionality in Tor Browser if one is already available in Orbot? What happens if both are activated? Can VPN mode in Tor Browser control other apps as well? If it does, what happens after Tor Browser is closed?

Lastly, if VPN mode in Tor Browser's own Orbot has no purpose then why not remove it all together?

This is confusing for the average user and I couldn't find answers in the Documentation Section.

On a side note, the design of having Tor Browser start with its Orbot means it has to connect to Tor all over again each time Tor Browser is started. Before that was introduced, Orbot used to run conveniently in the background and Tor Browser can be opened any number of times without having to reconnect.

There is no VPN functionality in Tor Browser. We have disabled it. We did not remove it yet because we are still changing the underlying architecture to switch to the Tor Onion Proxy Library (https://trac.torproject.org/projects/tor/ticket/27609) and after that is done all the UI is getting cleaned up accordingly.

This is an alpha version and things are still in flux. :)

Tor Browser starting with Orbot establishing a connection first is modeling the desktop Tor Browser because that's the most convenient/secure solution we have found so far: you can be sure to have a Tor/Orbot ready once you want to use the browser and don't have to wait for that getting weird proxy-connection-refused errors or delayed page loading, not knowing why this is happening.

We might be able to do better, in particular on mobile. But the model we have right now will be the baseline we start from exploring things further.

Anonymous

February 24, 2019

Permalink

Tor Browser 8.5a8 is based on Firefox 60.5.1ESR. But when I checked the latest Firefox, it seems like Firefox version is 65.0.1. 60.5.1 = 65.0.1? Outdated or typing error?

Neither! :) Mozilla has two different release trains: the "normal" one and the "enterprise" one. Tor Browser is on the latter and it is based on Firefox 60 (hence, 60.5.1) while the "normal" one is currently 65.0.1.

Anonymous

February 25, 2019

Permalink

Am using Linux, and this is the result:

User-Agent Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0

Passive, SYN Linux 2.2.x-3.x (no timestamps) | Language: Unknown | Link: Ethernet or modem | MTU: 1500 | Distance: 14 Hops

https://browserleaks.com/ip

It has been like this for a few iterations of the Tor browser, will it ever going to be fixed?

That's not a Tor Browser bug (and is likely not a bug at all) and you get it on Windows machines, too. What is happening is that this test is trying to find out the OS of the machine the request came from. But that is not your computer. Rather, it's the exit relay that gets fingerprinted instead. It seems that in your case it is running Linux, which is not much surprising...