New Release: Tor Browser 8.5.2
Tor Browser 8.5.2 is now available from the Tor Browser Download page and also from our distribution directory.
This release picks up a critical security fix for Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.
Users of the safer and safest security levels were not affected by this security issue.
Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, so the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by opening the menu to the right of the URL bar and selecting Security Settings.
The full changelog since Tor Browser 8.5.1 is:
Comments
Please note that the comment area below has been archived.
https://www.nvidia.com/page…
https://www.nvidia.com/page/home.html
403 - Forbidden
It looks like nvidia.com is…
It looks like nvidia.com is blocking tor users. We cannot do anything about this on our side, but people can contact them to ask them to remove the blocking.
On a technical level Tor…
On a technical level Tor Project can't do anything, but on a PR level, it can and should. Tor Project could easily approach organizations/corporations like NVidia and explain blocking Tor Users is bad and they should allow it. Of course having other people also contacting and requesting the same is better, but Tor Project can't put itself out of the matter.
Yes, I agree and we do that…
Yes, I agree and we do that from time to time. But our resources are limited here and I think it would greatly help if users would step up here, too, and put pressure on those sites.
Empower with knowledge:https…
Empower with knowledge:
https://ijpaagiacu.tudasnich.de/censorship/censorship-2/
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…
https://2019.sedvblmbog.tudasnich.de/docs/faq-abuse.html.en
Always find the website's Contact Us page.
More and more websites block…
More and more websites start blocking Tor IP addresses. It's shameful and wrong to be discriminated against like this, especially in the age of surveillance capitalism.
I'm taking 8.5.2 for a test…
I'm taking 8.5.2 for a test run now. Thanks to all of you again.
Nice work!
Nice work!
The vulnerability exploits…
The vulnerability exploits JavaScript, so why would `safer` not be affected if it enables JavaScript on HTTPS websites? Does the bug only work if JIT is enabled or something?
Yes, this bug involves JIT.
Yes, this bug involves JIT.
Type Inference part of JIT…
Type Inference part of JIT is always on and cannot be disabled (https://trac.torproject.org/projects/tor/ticket/21865). It has a long history of holes, see https://bugzilla.mozilla.org/show_bug.cgi?id=619415. So, the question is whether JS interpreter + TI are not vulnerable or just the PoC doesn't work on that config?
Looking at the explanation…
Looking at the explanation of the bug in https://bugzilla.mozilla.org/show_bug.cgi?id=1544386 again, I still think that we are good with just disabling JIT as we do on medium security.
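Added example, not part of the original thread or Tor Project code: a check that a profile's prefs.js has the JavaScript JIT tiers switched off, which is the mitigation the replies above rely on for the safer level. The three pref names and both sample files are assumptions supplied for illustration.

```python
import re

# Assumption: these Firefox ESR prefs gate the JIT tiers and default to true,
# so a pref that is absent from prefs.js counts as "JIT still enabled".
JIT_PREFS = (
    "javascript.options.ion",
    "javascript.options.baselinejit",
    "javascript.options.native_regexp",
)

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample: what a profile with JIT disabled could look like.
SAFER_SAMPLE = """\
// Mozilla User Preferences
user_pref("javascript.options.ion", false);
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.native_regexp", false);
user_pref("browser.startup.homepage", "about:tor");
"""

# Constructed sample: only one tier overridden, the rest left at defaults.
PARTIAL_SAMPLE = """\
user_pref("javascript.options.ion", false);
user_pref("network.proxy.socks_port", 9150);
"""

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def jit_enabled_prefs(text):
    """List the JIT prefs that are not explicitly set to false."""
    prefs = parse_prefs(text)
    return [p for p in JIT_PREFS if prefs.get(p, True) is not False]
```

An empty list from `jit_enabled_prefs` means every listed tier is explicitly off; any name returned is a tier still running at its default.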
Not to say "I told you so",…
Not to say "I told you so", but can I jump in here to say "I told you so"? Not that I was saying anything you didn't already know. To wit: a strong case can be made for making "safest" the default security level and advising users to drop down as needed (choosing new identity each time they change the security level, a habit which should solve the problem that users might easily forget that security level changes affect all open tabs). In this case, at least one of the two critical vulns would have been prevented from affecting most users if this had been the default prior to this latest attack on FF (and TB).
An obvious compromise would be to make the default "safer". It seems Tor Project believes even this default would have prevented most Tor users from becoming easy victims of these FF zero-squared-day exploiting attacks.
Link says "Access Denied"…
Link says "Access Denied" but the vulnerability is already public, nothing to keep secret here.
When will it be open to everyone?
I think Mozilla usually…
I think Mozilla usually waits for a while before making tickets public, to make sure vulnerable versions are not around anymore.
Works like a charm, better…
Works like a charm, better and better each release ...
Pick up fix for Mozilla's…
Why that instead of
* Update Firefox to 60.7.1esr
???
Updating the Firefox version…
Updating the Firefox version number requires that the Firefox langpacks corresponding to this version are available to start building. Taking the patch without updating the Firefox version number allows us to start building earlier.
Are you saying that Mozilla…
Are you saying that Mozilla has non-optimal chemspill release process or you always need to run faster than the train?
https://hacks.mozilla.org/2018/03/shipping-a-security-update-of-firefox…
Maybe, it's possible to workaround that with engineers?
Taking a patch without…
Taking a patch without updating the Firefox version allows us to start a build as soon as the patch is available; we don't need another workaround.
After doing the last update…
After doing the last Tor update Avast blocked the Firefox.exe telling me it is infected with IPD:Generic ?
anyone else experiencing this?
Windows Defender is a free…
Windows Defender is a free and well embedded alternative to false positives reporting adware.
Update your virus definition…
Update your virus definition files. Virus scanners take time to release updates that recognize new programs. Or you could whitelist the exe.
Couldn't start the latest…
Couldn't start the latest version on beta 2 of macOS Catalina. There is an error that "updater.app is from an unidentified developer". I was not able to get the usual dialog to get an exemption by starting updater.app on its own. After moving "updater.app" to the trash Tor is now starting.
Don't do that as you don't…
Don't do that as you don't get updates anymore that way. See: https://ocewjwkdco.tudasnich.de/comment/282621#comment-282621 for a current workaround, even though that one is awkward.
In the long run, a better…
In the long run, a better solution might be to use Tails instead of the Mac OS installed on your machine. Tails is free open-source software from a sister project of Tor Project; tails.boum.org. It attempts to provide an "amnesiac" system which boots from a DVD (or USB stick), which means that Tails tries not to leave any hardware traces. Very useful if you are working on human rights issues or as a reporter or children's social worker or municipal employee or telecom engineer or nurse in any other job where you may need to carry sensitive information on a portable device. The general idea is to keep all the information on a LUKS encrypted data stick which you mount and use with Tails booted in off-line mode, and when you need to access the internet, you remove the data stick and reboot Tails in on-line mode. Takes getting used to but it is much more practical than might sound once you get into the rhythm.
And what with Tor Browser on…
And what with Tor Browser on Android?
We'll ship an update as soon…
We'll ship an update as soon as we can, probably on the weekend as the blog post says.
Time to update again: https:…
Time to update again: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
Yes, we're planning to…
Yes, we're planning to publish a new release tomorrow.
i can't access reddit
i can't access reddit
Reddit is blocking exit…
Reddit is blocking exit nodes from Germany. The only thing you can do is to find new circuit.
Message reddit's…
Message reddit's administrators.
https://ijpaagiacu.tudasnich.de/censorship/censorship-2/
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…
https://2019.sedvblmbog.tudasnich.de/docs/faq-abuse.html.en
https://ooni.torproject.org/
Always find the website's Contact Us page.
Please bring back the option…
Please bring back the option to change the exit node without resetting all pages.
The option is still there…
The option is still there. You have to click on the left of the URL bar, to see the circuit for the current site, then there is a button to change it.
or ctrl+shift-L
or ctrl+shift-L
Click "New Circuit for this…
Click "New Circuit for this Site"
Hi, speed and loading pages…
Hi, speed and loading pages on the tour in my area is papin. Please solve the problem barely loading webpages.
Yup, I am having the exact…
Yup, I am having the exact same problems. TOR keeps timing out
I'll test this browser…
I'll test this browser. Thank you
Please don't forget to…
Please don't forget to update the alpha series ASAP as well, especially after mfsa2019-19
Yes, as soon as 8.5.3 is out…
Yes, as soon as 8.5.3 is out we'll push a new release for alpha users.
yay thanks
yay thanks
When deb packets for 4.0.5.x…
When deb packets for 4.0.5.x will appear in tor project debian repo?
I believe you meant 0.4.0.x …
I believe you meant 0.4.0.x. While you wait for it to appear in the release repos, you can edit the suite in your deb line to say one of the "experimental" folder names here: https://deb.torproject.org/torproject.org/dists/
Example for Debian testing (Buster as of this date):
deb <a href="https://deb.torproject.org/torproject.org" rel="nofollow">https://deb.torproject.org/torproject.org</a> tor-experimental-0.4.0.x-buster main
Peter Palfrader manages Tor Project's Debian packages.
It looks like the blog didn…
It looks like the blog didn't display the line correctly. Plaintext URL addresses in a "code" block are not supposed to be wrapped in plaintext HTML "a" tags.
Thank you! But tor 0.4.0.x …
Thank you! But tor 0.4.0.x is no longer in experimental stage, its stable release appeared long time ago. I wonder why it is not in standard tor debian repos yet...
Why is noscript no longer…
Why is noscript no longer accessible via the address bar? This was far easier to click to temp allow certain domains. I cannot find any other way to see the list of domains to block or unblock each webpage loaded.
Have to manually type the url/domain by going to addons -> no script preferences
you can also customize the…
you can also customize the tor browser to put it back into the address bar
Ok thanks. Very easy to do…
Ok thanks. Very easy to do. Overlooked it because there's hardly any space to right click on the toolbar in firefox and there appears to be no "customize" option in "preferences".
For any one else who needs to know how to add the addon widgets back in the toolbar:
https://trac.torproject.org/projects/tor/ticket/30600
https://ocewjwkdco.tudasnich.de…
https://ocewjwkdco.tudasnich.de/comment/282381#comment-282381
Does not launch on macOS…
Does not launch on macOS Catalina 10.15b2. Followed Security and Privacy steps to allow the app to launch, still no joy.
To get Tor to launch on…
To get Tor to launch on macOS Catalina 10.15b2 run the following command to restore the "anywhere" Security and Privacy option.
sudo spctl --master-disable
The option will not persist.
Does this happen with a…
Does this happen with a freshly downloaded bundle or is that with an already existing one? If the former, what happens with an older bundle, say, 8.5.1 or 8.5 (just for testing purposes)? See: https://archive.torproject.org/tor-package-archive/torbrowser/
Okay, I looked around a bit…
Okay, I looked around a bit and I think that's https://bugzilla.mozilla.org/show_bug.cgi?id=1556733. So, it should also affect older versions of Tor Browser.
Tried the 'spctl' fix,…
Tried the 'spctl' fix, begins execution then fails with a segmentation fault: 11
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [1748]
tor is not accessible with…
tor is not accessible with visual impaired when we use keyboard to navigate
Hello, there is a problem,…
Hello, there is a problem, TOR on Windows is not compatible with the use of visual disabilities when using the keyboard to surf the Internet I mean shortcuts to navigate through the links and headers and lists ... Please find a solution to this problem quickly The program used with it is NVDA
We are working on a fix for…
We are working on a fix for this:
https://trac.torproject.org/projects/tor/ticket/27503
have the default bridges…
have the default bridges been changed to working ones with this release?
also download page still has 8.5.1 for android
finally, about >> torbrowser from settings does not report torbrowser version but firefox instead
guys can someone please…
guys can someone please address this
I guess that's all for…
I guess that's all for mobile?
Yes, we updated our default bridges on Android. Additionally, we plan to release the new Android stable versions as soon as we can, probably on the weekend (see the above blog post you are commenting to). Finally, yes, we don't have a way to report the Tor Browser version yet. We should fix that, though. I've opened: https://trac.torproject.org/projects/tor/ticket/30943.
I am having a ton of…
I am having a ton of problems loading any pages. I just received the latest update to TOR the other evening, so it should be up to date. When I launch TOR, it works great for about 5 minutes and then it starts timing out on any page I attempt to go to. Any tips?
Assigned defect # 30441…
Assigned defect #30441: https://trac.torproject.org/projects/tor/ticket/30441
The issue still continues with operating bridges not being handed out.
Should the circuit Bridge obfs4 IP change occasionally ?
example Tor circuit
this browser
bridge: obfs4:XX.XX.XX.XX
United States 75.34.64.170
United States 209.95.51.11
torproject.org
Stop writing bridge IP…
Stop writing bridge IP addresses. You are putting yourself and other Tor users at risk. The only way you should reference a bridge is by its hashed_fingerprint. Not its fingerprint in the bridge line. The hashed fingerprint seen on the bridge's Metrics page.
My TBB ignores "Never check…
My TBB ignores "Never check for updates" option I selected. Why?
about:config > extensions…
about:config > extensions.torbutton.versioncheck_enabled ; false
Thanks!
Thanks!