New Release: Tor Browser 8.5a10
Tor Browser 8.5a10 is now available from the Tor Browser Project page and also from our distribution directory.
Note: this is an alpha release: an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
This release features important security updates to Firefox.
The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest.
The full changelog since Tor Browser 8.5a9 is:
- All platforms
  - Update Firefox to 60.6.1esr
  - Update NoScript to 10.2.4
  - Bug 29733: Work around Mozilla's bug 1532530
Comments
Please note that the comment area below has been archived.
Where is Tor 0.4.0.3-alpha?
In the next release.
This release was made to fix some important security issues in Firefox, and we avoided other changes to publish the release faster.
So last Tails' version isn't secure anymore?
They picked up the security fixes as well. Thus, you are fine using Tails.
This is your periodic reminder that the new Tor Browser logo sucks unfortunately compared to the previous iterations, please revise their design and have a nice fiscal year!
Hah.
I don't agree.
Give a link to which logo. Or do you mean the TorButton icon in the browser? They all look ok to me. Would you care to contribute your design or one you approve that Tor Project can release under the Creative Commons Attribution 3.0 United States License? You said you prefer previous iterations but want a revision.
If you meant the TorButton icon, I made some mock-ups of it using official images. The first shows the current one for reference. Half show the sprouting stem, and half are the same images but have the stem removed. The link will expire on March 25, 2020.
https://framapic.org/gallery#kkAu6Tz3auMb/7x0iMlwLs6MW.png,ZVX2gSPkPLpu…
The source images I used:
https://media.torproject.org/image/official-images/2011-tor-logo-shaded…
https://media.torproject.org/image/outdated/exonerator.png
https://media.torproject.org/image/official-images/2011-tor-logo-flat.s…
https://media.torproject.org/image/Onion Icon/Onion_Color.png
https://media.torproject.org/image/Onion Icon/Black_Icon.png
Are you using the alpha version? If so then you know exactly what I mean (it's the desktop icon, the other stuff is fine).
addons.webextension. WARN Loading extension 'null': Reading manifest: Error processing background.persistent: Event pages are not currently supported. This will run as a persistent background page.
Could you please provide some context for this error message? What actions did you complete just before this occurred? Are you using the Tor Browser for Android app, or are you using the desktop version of Tor Browser?
Wow, a new guy in comments!
To reproduce just start the browser with proper logs activated.
Looks like https://trac.torproject.org/projects/tor/ticket/27608, no?
Yes.
Ok. My first time to comment. Probably last. First. Absolutely love this for many reasons. If I can do anything to help y'all. Hit me up. I'm also a developer. My deal is. On start up page. Where is the start up window. Ok. I've always heard the only dumb question is the one not asked. Don't laugh at me. I'm a green onion. Lol. Have a great day
Can you make it easy to change country, with a world map and click, or something better?
Key event not available on GTK2: key=“u” modifiers=“accel shift” id=“torbutton-new-identity-key” browser.xul
Where is the UX team?
Pls bring back the ability for us to select specific country and not Tor auto selecting..
I'm now fixed on the country code I'd picked prior to the option being removed, which is simultaneously sort of amusing yet not.
Are you sure about that? How did you verify that?
+1 if it's about selecting the country of exit node.
As boklm replied in the 8.5a9 post to someone asking to select the country:
https://ijpaagiacu.tudasnich.de/tbb/tbb-16/
I completely agree to Khay's plea to bring back the opportunity to manually select a steady country for Tor Browser for Android. It was possible by Orbot. Since the latest Tor Browser updates for Android you are automatically fixed on one country. Anyway I bet as long as you use Android, Google is still able to spy you out even through the use of Tor Browser for Android. So why do the Tor developers debate security issues if bringing back the opportunity to change the country manually then? Android spies you out anyway!
Hello! Please tell me how to configure the excluded tor nodes in the latest versions of Android Android TB alpha? And the second question: Does the latest Android TB Android alpha support "torrc user settings"?
Hello! In the new versions 8.5a.9 - 8.5a.10 is it possible to change the settings of the torrc file? Make additions and changes; ExcludeNodes, ExcludeExitNodes, ORport, ExitRelay, hiddenservice....
Maybe you want to completely deprive Tor Browser for Android of these functions? For many users, these features are very important. If you remove these features will be a very bad browser for Tor.
We don't have this exposed yet, but have https://trac.torproject.org/projects/tor/ticket/29031 to think about on how to do that. I am not convinced we should make it easy to exclude nodes etc. because that has serious anonymity implications and we recommend against that.
Do you plan to enable Tor browser for Android to use other orbot? Or just open in it proxy ports? There's currently no such option and I have to run secondary orbot for other apps.
We plan to get away from shipping an own Orbot (this should happen with the next alpha already, in fact). I am not sure yet how we want to expose Tor Browser's Tor functionality to other apps, so for now I think it's fair to say you need for those apps Orbot.
Thanks gk. Yes, I need an access to orbot settings, i.e. to set it open for other apps which I like to run through Tor as well :)
Now I have two orbots running: one built-in in Tor browser, the second for my other apps. I think the option like "Advanced settings, beware" opening old functionality might be very helpful.
Anyway your work is outstanding, thanks :)
CAPTCHA on google.com no longer loads the page when it's solved!
go to https://notabug.org/themusicgod1/cloudflare-tor
Hello! In the new versions 8.5a.9 - 8.5a.10 is it possible to change the settings of the torrc file? Make additions and changes; ExcludeNodes, ExcludeExitNodes, ORport, ExitRelay, hiddenservice....
Maybe you want to completely deprive Tor Browser for Android of these functions? For many users, these features are very important. If you remove these features will be a very bad browser for Tor.
I don't think we want to deprive users of specifying a custom torrc. We have https://trac.torproject.org/projects/tor/ticket/29031 for that. However, it's not clear yet how we want to expose customizing one's `torrc` file.
Agree with you! Access to the torrc settings is required! Thank you for mutual understanding. :-)
https://sedvblmbog.tudasnich.de/download/
1. "Get Tor Browser for Android." > "Download APK" button does not start APK download (JS disabled).
2. Where can I download TOR only? Not browser.
3. How can I detect Tor Browser on WebExtensions side so I could use .onion?
browser.getversion() == "torbrowser"
What is the official way to use browser without tor?
https://notabug.org/themusicgod1/cloudflare-tor/src/master/what-to-do.md -> "Software user" area
Is this correct?
I think you should test Tor with y8.com because some of the games on the website are not working on Tor
Tor Browser doesn't ship with Adobe Flash. Some games on that site run from swf Flash files. Right-click on the box where the game would play, and click Inspect Element. See if it says swf somewhere in there. Some other games say html5, and those don't use Flash, so they probably work.
https://ijpaagiacu.tudasnich.de/tbb/tbb-12/
If Flash isn't the issue: There are thousands of games. Please provide links to a few that definitely aren't working for you. Are you using the Tor Browser version announced in this post or something else? Have you tried lowering the security level slider? Did you leave NoScript and about:config at their defaults? Do those games work in a different browser? Bug reports can't be solved without suitably specific data or reproducible test cases.
Obfs4 breaks Tor connection under Whonix
Will you fix the image bug on mobile where you can't download images it'll ask for permission but it just ends there :\
Could you give us a link to an image where this is happening for you? Did you modify Tor Browser somehow or are you using it as we ship it?
I downloaded Tor Browser for Windows 10 but it does not work. It shows me a notification that the software cannot be run on the PC. What should I do?
Where did you download from? And what exactly does the notification say?
When I click on "copy link" is this information saved or where does it go. Copied a bunch but have no idea where they are. Thanks
"Copy Link Location" copies the link to your system-wide clipboard. Click anywhere that you can paste text, and paste it.
I'm confused, the latest entry in the block is for 8.5.a10, but the download page shows only 8.0.8. What's going on ?
8.0.8 is the stable version, which we recommend by default. 8.5a10 is the alpha version which you find under the advanced installation options. That one is for users that can live with a more experimental version to help us finding bugs.
Please find the image attached. As can be seen, the exit node says "Unknown" at the very end. Tor nodes IPs are redacted in the screenshot.
That link gave a 404 which is why I removed it from your comment. That said, it would be really helpful to find steps to reproduce your problem. So far, we did not have any luck which makes it hard to investigate and fix the underlying bug.
I've seen that Guardian Project are still distributing old and tracker addled versions of Orfox for mobile. They were not capable of purging the code inherited from Firefox yet still distributed it. Quite alarming..
what's the story presently regarding the ever flowing stream of Firefox antifeatures? and specifically inbuilt google tracking?
Orfox is deprecated, don't use it anymore. I guess they'll take it down pretty soon once we get Tor Browser 8.5 out.
Can I get a copy of the code that's not install
What do you mean?
Happened when I selected few countries with strict nodes enabled in config. A reinstall solved the issue but still not possible to trace down to the root cause.
Something more. NoScript's XSS going wild. Even getting DDG search filtering warnings. And it uses a really big pop up to show that Allow or Deny window. Could you please check that one too?
Attached the screenshot on Dropbox this time.
https://www.dropbox.com/s/m8pi98igu48gzys/Tor_Exit_Node_IP_Unknown.png
Related? Another comment about --unknown-- exit nodes:
https://ocewjwkdco.tudasnich.de/comment/280689#comment-280689
For XSS on DDG, what level is your security slider? It doesn't sound like a problem with Tor. You might be able to solve it by comparing the URLs in the XSS popups.
Is anyone else reporting problems with obfs4 bridge? Don't know where to report this. For the last week or so "obfs4" has been failing to connect and still ongoing, now use meek just to connect
HTML5 Canvas Image Extraction and Fingerprinting
I know Tor's warning about (and blocking of) sites trying to extract html5 canvas image data is not a new thing but I remembered it just recently when the EU ratified article 13 which is likely to illegalize memes and whatever.
So I wanted to ask if the danger posed by HTML5 Canvas Image Extraction means that in extension any rendered/edited image can be traced back to the graphics card it was made with. The text here https://2019.sedvblmbog.tudasnich.de/projects/torbrowser/design/#fingerprint… states
'Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server.'
That sounds pretty scary actually for anyone who ever uploaded an image, even if he just shopped a line of text onto it
I think you're confused about the definitions.
https://en.wikipedia.org/wiki/Canvas_fingerprinting
A canvas in this sense is an area defined by the webpage and rendered in the browser's web content display areas where the webpage can use Javascript for graphics, primarily drawing and coloring. The text you cited describes the ability of a webpage to tell the browser's Javascript engine to draw in a canvas area and then extract the image it drew. The abilities and metadata provided by the engine for manipulating a canvas depend on many factors, some of which are listed in your quote. The adversary webpage can tell the browser to draw and extract a canvas image that exposes the limits of the metadata and abilities that are highly unique to each browser+system settings combination. It can be compared to a unique session cookie but circumvents all cookie safeguards. Websites such as panopticlick let you test your browser fingerprint entropy.
Image editing is different. It is usually done in offline image editors and goes through different processes versus rendering or uploading that file in a web browser. Some image file types are saved with metadata inside them that you can read with an EXIF viewer or hex editor. As far as I know, the canvas is not designed to read those. It's possible for editors to save the name of the graphics card model or the model of the camera that took a photo as EXIF data. Uploaded files in general could be traced by time, IP, and file hash. Uploaded images could be analyzed for what they visibly depict. But none of those are how canvas fingerprinting works. File uploads are generally not intended to be processed by canvas Javascript that the webpage may try to run in the browser tab, and I would expect that any attempts to extract the canvas image would trigger the warning regardless of what was drawn. Interfaces for uploading wouldn't really help the goals of canvas fingerprinting. They are generally not silent and hidden every time the page loads and require the user to actively click buttons to begin.
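The draw-then-extract mechanism described in the reply above, and the effect of gating the readback, as an added example that is not part of the original comments or of Tor Browser's code. It is a simplified model that calls no browser API: `render`, `GatedCanvas`, the two sample systems and the origin name are constructed for illustration, and FNV-1a stands in for whatever hash a page would compute.

```javascript
// Simplified model, constructed for illustration: no real browser API is called.
// "Rendering" mixes the drawing command with system-specific details
// (stand-ins for GPU, font and graphics-library differences).
function render(text, system) {
  const pixels = new Uint8Array(64);
  for (let i = 0; i < pixels.length; i++) {
    const glyph = text.charCodeAt(i % text.length);
    pixels[i] = (glyph * 3 + i * system.subpixelBias + system.fontHint) & 0xff;
  }
  return pixels;
}

// FNV-1a, a small non-cryptographic hash standing in for the
// "hash of the rendered image" from the quoted design document.
function hashPixels(pixels) {
  let h = 0x811c9dc5;
  for (const b of pixels) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Hypothetical canvas wrapper: drawing is always allowed, but reading pixels
// back returns a blank (all-white) image unless the user allowed the origin.
class GatedCanvas {
  constructor(system, origin, allowedOrigins, warnings) {
    this.system = system;
    this.origin = origin;
    this.allowedOrigins = allowedOrigins;
    this.warnings = warnings;
    this.pixels = new Uint8Array(64).fill(0xff);
  }
  fillText(text) {
    this.pixels = render(text, this.system);
  }
  extract() {
    if (!this.allowedOrigins.has(this.origin)) {
      // The gate fires on the readback itself, whatever was drawn.
      this.warnings.push(`${this.origin} tried to extract canvas image data`);
      return new Uint8Array(this.pixels.length).fill(0xff);
    }
    return this.pixels;
  }
}

// The page-side sequence from the reply: draw, read back, hash.
function fingerprint(system, origin, allowedOrigins, warnings) {
  const canvas = new GatedCanvas(system, origin, allowedOrigins, warnings);
  canvas.fillText("constructed test string");
  return hashPixels(canvas.extract());
}

// Constructed sample systems that differ only in rendering details.
const systemA = { subpixelBias: 1, fontHint: 0 };
const systemB = { subpixelBias: 2, fontHint: 5 };
```

With the origin allowed, the value is stable for one system and differs between the two; with the gate closed, both systems return the same value and each readback attempt is recorded.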
Sometimes the page of the site blinks, just inside the browser, like a black "25 frame". And it happens quite often 1-2 times per session. What is it? As if some kind of spying. Before this was not, it appeared 2-3 updates back. Clean install every time.
What do you mean by "page of the site"? Does this happen on other websites as well? How can one reproduce that problem?
the space inside the browser - inside its contours, which is not clear? How to repeat - it happens by itself, wait.
I've seen something like that before. The browser stops responding correctly, and black rectangles appear on whatever page is open and on the browser toolbars after I close toolbar menus or click another tab. It's as if the whole browser stops replacing the graphics of the things behind the things I close. I always thought it was a memory or CPU issue. I think it happens on sites that have many entries in NoScript. Other people have reported it in Firefox, Chrome, Edge. Most answers say to disable Hardware Acceleration or GPU. I still think certain heavy webpages are the cause. If I see more, I'll save them.
https://support.mozilla.org/en-US/questions/1006033
https://support.mozilla.org/en-US/questions/925894
https://www.reddit.com/r/firefox/comments/3cl8kk/firefox_39_black_recta…
GPU, you say?
Other comments in New Release: Tor Browser 8.0.8 speculate whether GPU might be related to browser fingerprinting leaks:
https://ocewjwkdco.tudasnich.de/comment/280511#comment-280511
https://ocewjwkdco.tudasnich.de/comment/280549#comment-280549
with the version 8.0.8 https://sedvblmbog.tudasnich.de/dist/torbrowser/8.0.8/tor-browser-linux64-8…
My Tor browser says: SIGNATURE VERIFICATION FAILED
Please check the sign
I double-checked and the signature is fine for me. Do you still have the .asc file that your GPG tool does not like? Could you give us the full error you get when verifying the download and the command you used to do so?
8.0.8 is the stable version, which we get but we are not getting the updated version
What do you mean by "updated version"? Which one are you expecting to get?
imo the new logo is an improvement, but it just seems a bit too simplistic, like 5 minutes in GIMP simplistic...
making logos simple isn't always bad, the EFF logo looks alright, but if you are adding gradients and shadows you should add more detail than just a circle, something like the Firefox Quantum logo would be amazing.
tbh the black and white version of the old logo, without any ugly 2005 style gradients looks better than this.
Where is download for oldschool tor?
I don't want the browser bundle.
You mean the Windows expert bundle. That's currently tricky and we have a ticket to fix our website https://trac.torproject.org/projects/tor/ticket/29991. That said, you can always get it from
https://oiyfgiixvl.tudasnich.de/torbrowser/. Look at the latest stable release folder there and check out the respective tor-win*zip file you need.
Cannot play media. No decoders for requested formats: application/x-mpegURL
https://www.youtube.com/watch?v=dp8PhLsUcFE
On which platform does this happen?
Windows 7.