New Release: Tor Browser 8.5a8

by boklm | February 15, 2019

Tor Browser 8.5a8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.5.1esr, fixing some vulnerabilities in the Skia library.

Note: We usually make sure that the build of each Tor Browser release is reproducible by having two separate people building it before we publish a new release. However, due to some people being unavailable this week, we are having some delays doing this verification for this alpha release. Because this release includes an important security fix that we want to release quickly, we will be checking the reproducibility of the build afterward. If you are interested in reproducing our build, you can find information about that on our wiki page. Update: we have now reproduced the build.
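
The check described in the note above comes down to comparing the checksums that independent builders obtain for each file. The following Python is an added example, not the Tor Project's own tooling; the builder manifests and file names in it are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed manifests in `sha256sum` output format ("<hex digest>  <file name>").
# File names and contents are invented for this example.
BUILDER_A = "\n".join([
    sha256_hex(b"linux build") + "  browser-linux64.tar.xz",
    sha256_hex(b"windows build") + "  browser-win64.exe",
    sha256_hex(b"android build") + "  browser-android.apk",
])
BUILDER_B = "\n".join([
    sha256_hex(b"linux build") + "  browser-linux64.tar.xz",
    sha256_hex(b"windows build, embedded timestamp") + "  browser-win64.exe",
])

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: digest}; reject malformed input."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.lstrip(" *")  # "*" = binary-mode marker
        if len(digest) != 64 or set(digest) - set("0123456789abcdef") or not name:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries

def compare_builds(manifests: dict) -> dict:
    """Map each file name to 'reproduced', 'mismatch' or 'missing' across all builders."""
    parsed = [parse_manifest(text) for text in manifests.values()]
    report = {}
    for name in sorted(set().union(*parsed)):
        digests = [m.get(name) for m in parsed]
        if None in digests:
            report[name] = "missing"      # at least one builder did not produce it
        else:
            report[name] = "reproduced" if len(set(digests)) == 1 else "mismatch"
    return report

def verify_download(data: bytes, name: str, manifests: dict) -> bool:
    """Accept a file only if every builder agrees on its digest and the data matches it."""
    if len(manifests) < 2 or compare_builds(manifests).get(name) != "reproduced":
        return False
    agreed = parse_manifest(next(iter(manifests.values())))[name]
    return sha256_hex(data) == agreed
```

A file that only one builder produced, or whose digests differ between builders, is treated as unverified rather than trusted on a single builder's word.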

Note 2: The download link for the Android version is still pointing to 8.5a7 as we have not yet signed the 8.5a8 build. We plan to fix this soon. Update: This is now fixed.

The full changelog since Tor Browser 8.5a7 is:

  • All platforms
    • Update Firefox to 60.5.1esr
    • Update HTTPS Everywhere to 2019.1.31
    • Bug 29378: Remove 83.212.101.3 from default bridges
    • Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
  • Build System
    • All Platforms
      • Bug 29235: Build our own version of python3.6 for HTTPS Everywhere
      • Bug 29167: Upgrade go to 1.11.5
    • Linux
      • Bug 29183: Use linux-x86_64 langpacks on linux-x86_64

Comments

Please note that the comment area below has been archived.

February 15, 2019

Link on the download page is wrong for Android (or the proper android build is missing). There is no tor-browser-8.5a8-android-armv7-multi.apk in the download directory, only tor-browser-8.5a8-android-armv7-multi-qa.apk. Is this build OK to use?

Thanks for the report. tor-browser-8.5a8-android-armv7-multi-qa.apk should be good, however it is not signed. I updated the android download link to point to 8.5a7 until we have signed the 8.5a8 build.

February 16, 2019

Hello Tor Project devs!
Thanks for your hard work. I was wondering what happened to Tor Browser 8.5a8 for Android. I can't seem to download it directly from the Tor Project website.

February 16, 2019

na

February 17, 2019

This humor is not funny any more:

We've detected that you have connected over Tor. There appears to be an issue with the Tor Exit Node you are currently using. Please recreate your Tor circuit or restart your Tor browser in order to fix this.

If this error persists, please let us know: error-tor@duckduckgo.com

February 18, 2019

If Tor is dynamically linked, is that less secure?

Is it a possibility that someone could introduce a custom library that looks 'binary the same' to one used dynamically by Tor, but calls off into another custom code, by somehow placing it on disk?

Or is this nonsense? (quietly hoping so)

February 18, 2019

Hi all,
I used to use Tor on my Mac but it doesn't run anymore. As soon as I click on it, it seems it wants to open but the logo disappears and doesn't open. I have tried all different versions but I can not open either of them. Can you help?

February 18, 2019

403 ERROR
The request could not be satisfied.
Request blocked.

Generated by cloudfront (CloudFront)
Request ID: HD5uUKwkEb86hGxCv0FDXvEIC6MEVaGyoTW9pCeuXGFvttsbdUqquQ==

February 22, 2019

In reply to boklm

I tried many; it doesn't even start, and if I remove bridges it starts normally.

I also have a separate Orbot with bridges and VPN mode enabled.

Do you think this is the reason? Maybe only one can run with bridges and the other not? I don't understand what is wrong.

February 25, 2019

In reply to gk

I do it manually, the same way used in Orbot:

1- click on the "use bridges" slider button in the main interface
2- go to options and tick the box "use bridges" (I don't know why you need to enable it twice, but maybe it's another unrelated bug)
3- enter the bridges obtained earlier from the bridges site and click OK to save
4- try to start (it doesn't)

gk

February 28, 2019

In reply to gk

Okay, so I looked closer at that. It seems for some reason we a) don't get pluggable transport support stemming from Orbot for free even though we are compiling and using it and b) even if you want to use normal Tor bridges (no pluggable transport) this is only possible if you have PT support available as Orbot checks this case and only proceeds if it finds the obfs4proxy binary, which is rather unfortunate. I am sorry, but for now this is not working (as you found out :) ). I am working on getting this fixed for the next release, though.

March 01, 2019

In reply to gk

The strange thing is bridges work just fine with normal Orbot, so I hope in the next release both could work with bridges.

Do you have a ticket for this, and when is the next release?

February 23, 2019

I hope any conflicts with standalone orbot are investigated and resolved, testing all options to see if that breaks anything. There is a wide userbase that still use orbot. I'm interested to see any tickets in that regard. Thank you all.

There should not be any conflicts with the standalone Orbot given that Tor Browser is using different SOCKS and Control Ports. Do you have something specific in mind? In general our mobile related tickets are tagged with tbb-mobile, so https://trac.torproject.org/projects/tor/query?status=accepted&status=a… gives you an overview of all the mobile related issues we are currently aware of.

February 25, 2019

In reply to gk

What is the purpose of VPN functionality in Tor Browser if one is already available in Orbot? What happens if both are activated? Can VPN mode in Tor Browser control other apps as well? If it does, what happens after Tor Browser is closed?

Lastly, if VPN mode in Tor Browser's own Orbot has no purpose then why not remove it altogether?

This is confusing for the average user and I couldn't find answers in the Documentation Section.

On a side note, the design of having Tor Browser start with its Orbot means it has to connect to Tor all over again each time Tor Browser is started. Before that was introduced, Orbot used to run conveniently in the background and Tor Browser can be opened any number of times without having to reconnect.

There is no VPN functionality in Tor Browser. We have disabled it. We did not remove it yet because we are still changing the underlying architecture to switch to the Tor Onion Proxy Library (https://trac.torproject.org/projects/tor/ticket/27609) and after that is done all the UI is getting cleaned up accordingly.

This is an alpha version and things are still in flux. :)

Tor Browser starting with Orbot establishing a connection first is modeling the desktop Tor Browser because that's the most convenient/secure solution we have found so far: you can be sure to have a Tor/Orbot ready once you want to use the browser and don't have to wait for that getting weird proxy-connection-refused errors or delayed page loading, not knowing why this is happening.

We might be able to do better, in particular on mobile. But the model we have right now will be the baseline we start from exploring things further.

February 24, 2019

Tor Browser 8.5a8 is based on Firefox 60.5.1ESR. But when I checked the latest Firefox, it seems like Firefox version is 65.0.1. 60.5.1 = 65.0.1? Outdated or typing error?

Neither! :) Mozilla has two different release trains: the "normal" one and the "enterprise" one. Tor Browser is on the latter and it is based on Firefox 60 (hence, 60.5.1) while the "normal" one is currently 65.0.1.

February 25, 2019

Am using Linux, and this is the result:

User-Agent Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0

Passive, SYN Linux 2.2.x-3.x (no timestamps) | Language: Unknown | Link: Ethernet or modem | MTU: 1500 | Distance: 14 Hops

https://browserleaks.com/ip

It has been like this for a few iterations of the Tor browser, will it ever be fixed?

That's not a Tor Browser bug (and is likely not a bug at all) and you get it on Windows machines, too. What is happening is that this test is trying to find out the OS of the machine the request came from. But that is not your computer. Rather, it's the exit relay that gets fingerprinted instead. It seems that in your case it is running Linux, which is not much surprising...

February 27, 2019

In reply to gk

Can you please check my answer on bridges above? Sorry, I don't mean to hijack this, but it seems you overlooked the answer and I still don't know.

March 04, 2019

Hi! Can somebody tell me when Tor Browser will support TLS 1.3? Firefox does, Tor Browser doesn't. Knowing that using Tor means going through exit nodes which can easily be in government or hacker hands, the higher version of TLS would be appreciated. Thanks for your great job ;)

Tor Browser currently supports TLS 1.3, kind of. But for supporting the final specification version we'd need to have a backport from Firefox code. This is tracked in https://trac.torproject.org/projects/tor/ticket/27141. Not sure when this will happen. Chances are high that you'll get proper TLS 1.3 support with Tor Browser 9, though, which we plan to get out later this year.

March 04, 2019

Opened Tor, checked which update it is on Mac, says 8.0.6. Your site says should be, Tor Browser 8.5a8, correct or is it safe to use?

March 05, 2019

Look at the times:
Tor NOTICE: Bootstrapped 30% (loading_status): Loading networkstatus consensus
[03-05 09:42:22] Torbutton INFO: tor SOCKS: https://www.https-rulesets.org/v1//latest-rulesets-timestamp via
--unknown--:87480448065ca417db2a73c5a773970b
[03-05 09:42:25] Torbutton INFO: Message received from NoScript: [{"__meta":{"name":"started","recipientInfo":null},"_messageName":"started"},{"id":"{uuid}","url":"moz-extension://uuid/_generated_background_page.html","envType":"addon_child","extensionId":"{uuid}","contextId":4},null]
[03-05 09:42:59] TorLauncher INFO: NOTICE CONSENSUS_ARRIVED
Tor NOTICE: I learned some more directory information, but not enough to build a circuit: We're missing descriptors for 1/2 of our primary entry guards (total microdescriptors: 6383/6549).
Tor NOTICE: Bootstrapped 50% (loading_descriptors): Loading relay descriptors
[03-05 09:43:01] TorLauncher INFO: NOTICE ENOUGH_DIR_INFO
Tor NOTICE: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits

March 06, 2019

A suggestion for future alpha release posts, please could you start the post with a warning that this is a build for testers and include a link to download the latest stable (i.e. non-alpha) build? Something like

Note this is an experimental build for testing new features. For normal users please download the browser here [link].

It seems these alpha announcements always get a lot of newbie questions, so I wouldn't be surprised if some were downloading the alpha thinking it was stable. Especially considering there is no mention of alpha in the main text, newbies won't know what the "a" in the version number means and if they're not software developers they may not know what "alpha build" even means.

March 07, 2019

Android Version:

Could you please provide a separate APK for Tor Browser only? In this new bundle, when a user exits the Tor Browser, the Orbot client too closes with it and this also turns off VPN and results in a connection drop.

Plus the new Tor Browser/Orbot does not support Android's "Always-on" VPN feature which helps keep the connection alive in case of a drop from network and stops data leak. This increases privacy and security as well.

I found a Reddit post very similar to my request and I request you to provide a separate APK for Tor Browser.

Ref.: https://www.reddit.com/r/TOR/comments/af9brd/separate_apk_for_torbrowse…

Yes. We might get this squeezed into the next alpha but if not then the one after it. The current solution is just a stopgap to give a "Tor Browser desktop like"-feel to mobile users.