New Release: Tor Browser 8.0

by boklm | September 5, 2018

 

Update (09/07 10:15 UTC): We received reports of Tor Browser 8.0 crashing during start-up on older (10.9.x) macOS systems. This is tracked in bug 27482. The current Tor stable version, 0.3.3.9, is missing a patch to make it compatible with that old and unsupported (by Apple) macOS version. This will be fixed in the planned Tor Browser 8.0.1 release. Meanwhile, users affected by this bug can try the almost identical alpha release, 8.5a1, which is shipping a newer Tor version with this bug fixed. Sorry for the inconvenience.

For the past year, we have been collecting feedback on how we can make Tor Browser work better for you.

Tor Browser 8.0, our first stable release based on Firefox 60 ESR, is now available from the Tor Browser Project page and also from our distribution directory. This release is all about users first.

Tor Browser 8.0 comes with a series of user experience improvements that address a set of long-term Tor Browser issues you’ve told us about. To meet our users' needs, Tor Browser has a new user onboarding experience; an updated landing page that follows our styleguide; additional language support; and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.

New User Onboarding

For the most part, using Tor is like using any other browser (and it is based on Firefox), but there are some usage differences and cool things happening behind the scenes that users should be aware of. Our new onboarding experience aims to better let you know about unique aspects of Tor Browser and how to maximize those for your best browsing experience.

Improved Bridge Fetching

For users where Tor is blocked, we have previously offered a handful of bridges in the browser to bypass censorship. But to receive additional bridges, you had to send an email or visit a website, which posed a set of problems. To simplify how you request bridges, we now have a new bridge configuration flow when you when you launch Tor. Now all you have to do is solve a captcha in Tor Launcher, and you’ll get a bridge IP. We hope this simplification will allow more people to bypass censorship and browse the internet freely and privately.

Better Language Support

Millions of people around the world use Tor, but not everyone has been able to use Tor in their language. In Tor Browser 8, we’ve added resources and support for nine previously unsupported languages: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, and Traditional Chinese.

Apart from those highlights, a number of other component and toolchains got an update for this major release. In particular, we now ship Tor 0.3.3.9 with OpenSSL 1.0.2p and Libevent 2.1.8. Moreover, we switched to the pure WebExtension version of NoScript (version 10.1.9.1) which we still need to provide the security slider functionality. Additionally, we start shipping 64bit builds for Windows users which should enhance Tor Browser stability compared to the 32bit bundles.

Providing this many improvements for our users could only be possible with collaboration between the Tor Browser team and Tor's UX team, Community team, Services Admin team, and our volunteers. We would like to thank everyone for working hard over the past year to bring all these new features to our users.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

  • WebGL is broken right now.
  • We disable Stylo on macOS due to reproducibility issues we need to investigate and fix. This will likely not get fixed for Tor Browser 8, as we need some baking time on our nightly/alpha channel before we are sure there are no reproducibility/stability regressions. The tentative plan is to get it ready for Tor Browser 8.5.

 

Note: This release is signed with a new GPG subkey as the old one expired a couple of days ago. You might need to refresh your copy of the public part of the Tor Browser signing key before doing the verification. The fingerprint of the new subkey is 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2.

Give Feedback

This is only the beginning of our efforts to put users first. If you find a bug or have a suggestion for how we could improve this release, please let us know.

Changelog

The full changelog since Tor Browser 7.5.6 is:

  • All platforms
    • Update Firefox to 60.2.0esr
    • Update Tor to 0.3.3.9
    • Update OpenSSL to 1.0.2p
    • Update Libevent to 2.1.8
    • Update Torbutton to 2.0.6
      • Bug 26960: Implement new about:tor start page
      • Bug 26961: Implement new user onboarding
      • Bug 26962: Circuit display onboarding
      • Bug 27301: Improve about:tor behavior and appearance
      • Bug 27214: Improve the onboarding text
      • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
      • Bug 26100: Adapt Torbutton to Firefox 60 ESR
      • Bug 26520: Fix sec slider/NoScript for TOR_SKIP_LAUNCH=1
      • Bug 27401: Start listening for NoScript before it loads
      • Bug 26430: New Torbutton icon
      • Bug 24309: Move circuit display to the identity popup
      • Bug 26884: Use Torbutton to provide security slider on mobile
      • Bug 26128: Adapt security slider to the WebExtensions version of NoScript
      • Bug 27276: Adapt to new NoScript messaging protocol
      • Bug 23247: Show security state of .onions
      • Bug 26129: Show our about:tor page on startup
      • Bug 26235: Hide new unusable items from help menu
      • Bug 26058: Remove workaround for hiding 'sign in to sync' button
      • Bug 26590: Use new svg.disabled pref in security slider
      • Bug 26655: Adjust color and size of onion button
      • Bug 26500: Reposition circuit display relay icon for RTL locales
      • Bug 26409: Remove spoofed locale implementation
      • Bug 26189: Remove content-policy.js
      • Bug 26490: Remove the security slider notification
      • Bug 25126: Make about:tor layout responsive
      • Bug 27097: Add text for Tor News signup widget
      • Bug 21245: Add da translation to Torbutton and keep track of it
      • Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and zh-TW
      • Translations update
    • Update Tor Launcher to 0.2.16.3
      • Bug 23136: Moat integration (fetch bridges for the user)
      • Bug 25750: Update Tor Launcher to make it compatible with Firefox 60 ESR
      • Bug 26985: Help button icons missing
      • Bug 25509: Improve the proxy help text
      • Bug 26466: Remove sv-SE from tracking for releases
      • Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and zh-TW
      • Translations update
    • Update HTTPS Everywhere to 2018.8.22
    • Update NoScript to 10.1.9.1
    • Update meek to 0.31
      • Bug 26477: Make meek extension compatible with ESR 60
    • Update obfs4proxy to v0.0.7 (bug 25356)
    • Bug 27082: Enable a limited UITour for user onboarding
    • Bug 26961: New user onboarding
    • Bug 26962: New feature onboarding
    • Bug 27403: The onboarding bubble is not always displayed
    • Bug 27283: Fix first-party isolation for UI tour
    • Bug 27213: Update about:tbupdate to new (about:tor) layout
    • Bug 14952+24553: Enable HTTP2 and AltSvc
      • Bug 25735: Tor Browser stalls while loading Facebook login page
    • Bug 17252: Enable TLS session identifiers with first-party isolation
    • Bug 26353: Prevent speculative connects that violate first-party isolation
    • Bug 26670: Make canvas permission prompt respect first-party isolation
    • Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
    • Bug 26456: HTTP .onion sites inherit previous page's certificate information
    • Bug 26561: .onion images are not displayed
    • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
    • Bug 26833: Backport Mozilla's bug 1473247
    • Bug 26628: Backport Mozilla's bug 1470156
    • Bug 26237: Clean up toolbar for ESR60-based Tor Browser
    • Bug 26519: Avoid Firefox icons in ESR60
    • Bug 26039: Load our preferences that modify extensions (fixup)
    • Bug 26515: Update Tor Browser blog post URLs
    • Bug 26216: Fix broken MAR file generation
    • Bug 26409: Remove spoofed locale implementation
    • Bug 25543: Rebase Tor Browser patches for ESR60
    • Bug 23247: Show security state of .onions
    • Bug 26039: Load our preferences that modify extensions
    • Bug 17965: Isolate HPKP and HSTS to URL bar domain
    • Bug 21787: Spoof en-US for date picker
    • Bug 21607: Disable WebVR for now until it is properly audited
    • Bug 21549: Disable wasm for now until it is properly audited
    • Bug 26614: Disable Web Authentication API until it is properly audited
    • Bug 27281: Enable Reader View mode again
    • Bug 26114: Don't expose navigator.mozAddonManager to websites
    • Bug 21850: Update about:tbupdate handling for e10s
    • Bug 26048: Fix potentially confusing "restart to update" message
    • Bug 27221: Purge startup cache if Tor Browser version changed
    • Bug 26049: Reduce delay for showing update prompt to 1 hour
    • Bug 26365: Add potential AltSvc support
    • Bug 9145: Fix broken hardware acceleration on Windows and enable it
    • Bug 26045: Add new MAR signing keys
    • Bug 25215: Revert bug 18619 (we are not disabling IndexedDB any longer)
    • Bug 19910: Rip out optimistic data socks handshake variant (#3875)
    • Bug 22564: Hide Firefox Sync
    • Bug 25090: Disable updater telemetry
    • Bug 26127: Make sure Torbutton and Tor Launcher are not treated as legacy extensions
    • Bug 13575: Disable randomised Firefox HTTP cache decay user tests
    • Bug 22548: Firefox downgrades VP9 videos to VP8 for some users
    • Bug 24995: Include git hash in tor --version
    • Bug 27268+27257+27262+26603 : Preferences clean-up
    • Bug 26073: Migrate general.useragent.locale to intl.locale.requested
    • Bug 27129+20628: Make Tor Browser available in ca, ga, id, is, nb, da, he, sv, and zh-TW
      • Bug 12927: Include Hebrew translation into Tor Browser
      • Bug 21245: Add danish (da) translation
  • Windows
    • Bug 20636+10026: Create 64bit Tor Browser for Windows
      • Bug 26239+24197: Enable content sandboxing for 64bit Windows builds
      • Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
      • Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
      • Bug 12968: Enable HEASLR in Windows x86_64 builds
    • Bug 26381: Work around endless loop during page load and about:tor not loading
    • Bug 27411: Fix broken security slider and NoScript interaction on Windows
    • Bug 22581: Fix shutdown crash
    • Bug 25266: PT config should include full names of executable files
    • Bug 26304: Update zlib to version 1.2.11
    • Update tbb-windows-installer to 0.4
      • Bug 26355: Update tbb-windows-installer to check for Windows7+
    • Bug 26355: Require Windows7+ for updates to Tor Browser 8
  • OS X
    • Bug 24136: After loading file:// URLs clicking on links is broken on OS X
    • Bug 24243: Tor Browser only renders HTML for local pages via file://
    • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
    • Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
  • Linux
    • Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
    • Bug 25485: Unbreak Tor Browser on systems with newer libstdc++
    • Bug 20866: Fix OpenGL software rendering on systems with newer libstdc++
    • Bug 26951+18022: Fix execdesktop argument passing
    • Bug 24136: After loading file:// URLs clicking on links is broken on Linux
    • Bug 24243: Tor Browser only renders HTML for local pages via file://
    • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
    • Bug 20283: Tor Browser should run without a `/proc` filesystem.
    • Bug 26354: Set SSE2 support as minimal requirement for Tor Browser 8
  • Build System
    • All
      • Bug 26362+26410: Use old MAR format for first ESR60-based stable
      • Bug 27020: RBM build fails with runc version 1.0.1
      • Bug 26949: Use GitHub repository for STIX
      • Bug 26773: Add --verbose to the ./mach build flag for firefox
      • Bug 26319: Don't package up Tor Browser in the `mach package` step
      • Bug 27178: add support for xz compression in mar files
      • Clean up
    • Windows
      • Bug 26203: Adapt tor-browser-build/tor-browser for Windows
      • Bug 26204: Bundle d3dcompiler_47.dll for Tor Browser 8
      • Bug 26205: Don't build the uninstaller for Windows during Firefox compilation
      • Bug 26206: Ship pthread related dll where needed
      • Bug 26396: Build libwinpthread reproducible
      • Bug 25837: Integrate fxc2 into our build setup for Windows builds
      • Bug 27152: Use mozilla/fxc2.git for the fxc2 repository
      • Bug 25894: Get a rust cross-compiler for Windows
      • Bug 25554: Bump mingw-w64 version for ESR 60
      • Bug 23561: Fix nsis builds for Windows 64
        • Bug 13469: Windows installer is missing many languages from NSIS file
      • Bug 23231: Remove our STL Wrappers workaround for Windows 64bit
      • Bug 26370: Don't copy msvcr100.dll and libssp-0.dll twice
      • Bug 26476: Work around Tor Browser crashes due to fix for bug 1467041
      • Bug 18287: Use SHA-2 signature for Tor Browser setup executables
      • Bug 25420: Update GCC to 6.4.0
      • Bug 16472: Update Binutils to 2.26.1
      • Bug 20302: Fix FTE compilation for Windows with GCC 6.4.0
      • Bug 25111: Don't compile Yasm on our own anymore for Windows Tor Browser
      • Bug 18691: Switch Windows builds from precise to jessie
    • OS X
      • Bug 24632: Update macOS toolchain for ESR 60
      • Bug 9711: Build our own cctools for macOS cross-compilation
      • Bug 25548: Update macOS SDK for Tor Browser builds to 10.11
      • Bug 26003: Clean up our mozconfig-osx-x86_64 file
      • Bug 26195: Use new cctools in our macosx-toolchain project
      • Bug 25975: Get a rust cross-compiler for macOS
      • Bug 26475: Disable Stylo to make macOS build reproducible
      • Bug 26489: Fix .app directory name in tools/dmg2mar
    • Linux

Comments

Please note that the comment area below has been archived.

September 05, 2018

Permalink

I know the User-Agent spoofing is imperfect, but an imperfect mask is better than no mask! The actual OS in the User-Agent string will only further distinguish and deanonymize the user-base.
Otherwise thanks for your work!

I'm glad the first comment notes about the UA change, which is actually a privacy *regression* since for users with JS disabled the real OS will be leaked vs. the situation in the previous Tor releases (7.x). Also not everyone does JS based OS detection (only a few do it) but *most* do log the UA. One can imagine that the UA is all it takes to correlate between two users with similar traits in a low volume site (example writing patterns, social graph, ...) [and even a high volume one like Twitter with some more work].

Please Tor Browser devs fix this issue since it's really the only bad thing in an otherwise almost perfect stable release.

Here's a real life example: Leaker 1 uses securedrop to send a leak from an organization A where he work and his Mac user agent leaks. Organization A finds everyone has access to the leaked docs and finds the ones who have a Mac. Depending on the situation they may actually narrow it down to a few people or just one, all because the browser doesn't even try to spoof the OS.

Hi,
Agree.
In addition: not masking the UA also has big usability implications on sites that mistakenly or over-cautiously believe they only supports Windows, MAC, iOS and Android. On *many* such sites a TorBrowser that pretends it is running on Windows works just fine. If you reveal another rare OS in the UA the site says that it only support iOS and Android or other such nonsense. They just do not know that Firefox on a rare OS is a Firefox.

If one is to enter a fake UA in TorBrowser 8.0 so that the site accepts one as running on a popular Windows OS, which string should one currently use?

Thanx for the great work!

I just checked my UserAgent and it seems fine, the current one is:

Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0

Back in version 7.5.6 it was:

Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0

I believe it shows your system as being Windows NT 6.1 regardless of what system you're using. Correct me if I am wrong.

September 05, 2018

Permalink

Happy to finally see a TAILS announcement on the Blog!

However, unlike most other entries, I notice the TAILS announcements here are not open for comments. Why not? What a shame.

Congrats on Tor Browser 8.0! Thanks for posting the changelog here. <3

> I notice the TAILS announcements here are not open for comments.

Yes.

> Why not?

Speculation:

1. Years ago, Tails, which is mostly based in Western Europe, had its own blog. But Tails Project is a small org and over time the blog became too hard to moderate. It was discontinued when some posters tried to describe specific abuses by intelligence agencies of Western Europe and USA. (Later confirmed in all respects by the Snowden leaks.)

2. Tails Project is separate from Tor Project, although closely allied, and for security reasons it may be best not to try to have them respond to comments on their posts here, whereas for clarity it is clearly best that Tor Project people not try to respond to questions asking about Tails.

> What a shame

Yes.

But compared to USG attempts to "kill" (their word) UNCHR and ICC (and maybe also Riseup, Boum, Tails Project, Tor Project, HRW, Amnesty, RSF, CPJ, ACLU, EFF...) "by any means necessary" (thus the reliably revolting John Bolton), this is a minor issue.

September 05, 2018

Permalink

After applying the update to version 8, the browser will not start anymore...

I was more or less expecting this could happen (same problem with an alpha version; don't remember witch one), so I made a backup of the last version 7.
It is of course unsafe to continue using that one...

System:
Linux Mint 17.3, 64bit
16GB RAM
Kernel 4.4.0.134

September 05, 2018

In reply to boklm

Permalink

I restarted when prompted, and nothing happened after that, not even an error message.

I tried with a new tarball (tor-browser-linux64-8.0_nl.tar.xz); clicked on the setup icon and that changed into an icon named "tor browser" that looked like a sheet of paper...
Clicking on that one did nothing at all.

Short answer: You need to install "libgtk3". Please ask in a Mint forum for exact package name and how to install it.

Long answer: I had the same issue on a different Linux distribution. Starting the embedded Firefox browser manually, I got this error message:

  1. <br />
  2. XPCOMGlueLoad error for file /tmp/ksocket-pepo/Browser/libmozgtk.so:<br />
  3. libgtk-3.so.0: cannot open shared object file: No such file or directory<br />
  4. Couldn't load XPCOM.<br />

After installing the package that offers the libgtk-3.so.0 file, Tor browser worked as expected.

I actually have libgtk-3-0 (3.10.8-0ubuntu1.6) installed...

Could it be that I have a wrong version of libstdc (libstdc++.so.6.0.24)?
(See my other reply, that is still awaiting moderation)

[Edit]
Opening a terminal in the "Browser" directory and give the command:
./start-tor-browser --verbose
throws this error:
./firefox.real: relocation error: ./firefox.real: symbol _ZTTNSt7__cxx1119basic_ostringstreamIcSt11char_traitsIcESaIcEEE, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference

Worked for me in ubuntu 14.
1 open file /Browser/firefox
2 comment line 10,12( if and fi) to use custom libstdc++
#if [ $? -ne 0 ]; then
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$basedir/TorBrowser/Tor/libstdc++/"
#fi

All should work.

September 06, 2018

In reply to gk

Permalink

Yes, on Ubuntu 14.04.5 LTS same problem.

The problem is in reloc functions. To check use this:
$ ldd -r firefox.real
linux-vdso.so.1 => (0x00007ffe30ffb000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb7454bb000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb7452b7000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fb7450af000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fb744d9b000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fb744a95000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fb74487e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb7444b4000)
/lib64/ld-linux-x86-64.so.2 (0x0000560938ac7000)
symbol _ZTTNSt7__cxx1119basic_ostringstreamIcSt11char_traitsIcESaIcEEE, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZTVNSt7__cxx1119basic_ostringstreamIcSt11char_traitsIcESaIcEEE, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZTVNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEE, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_createERmm, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_mutateEmmPKcm, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_appendEPKcm, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9push_backEc, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)
symbol _ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4copyEPcmm, version GLIBCXX_3.4.21 not defined in file libstdc++.so.6 with link time reference (./firefox.real)

September 07, 2018

In reply to sukhbir

Permalink

I presume you asked me?
The layout of this blog makes it rather difficult to see...

The output is :

  1. ~/Downloads/tor-browser_nl/Browser $ ./abicheck<br />
  2. Exception thrown<br />
  3. ~Foo() called during stack unwinding<br />
  4. Exception caught: test exception<br />
  5. ~Foo() called normally

This is the same with or without the unofficial patch of the "firefox" shell script.

September 08, 2018

In reply to sukhbir

Permalink

I have the same problem with Mint 17 (uncommenting those lines solved it). Abicheck says:
Exception thrown
~Foo() called during stack unwinding
Exception caught: test exception
~Foo() called normally

September 08, 2018

In reply to sukhbir

Permalink

  1. <br />
  2. $ ./abicheck<br />
  3. Exception thrown<br />
  4. ~Foo() called during stack unwinding<br />
  5. Exception caught: test exception<br />
  6. ~Foo() called normally</p>
  7. <p>$ ldd ./abicheck<br />
  8. linux-vdso.so.1 => (0x00007ffcf93c3000)<br />
  9. libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f42d4ed1000)<br />
  10. libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f42d4bcb000)<br />
  11. libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f42d49b4000)<br />
  12. libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f42d45ea000)<br />
  13. /lib64/ld-linux-x86-64.so.2 (0x0000563606bef000)<br />

September 05, 2018

Permalink

Questions:

1. NoScript on Tor Browser 7.5.6 can block javascript (and other resources) in "file:" URLs. Can NoScript in Tor Browser 8 do that as well?

2. On Firefox, NoScript 10 treats some Mozilla-owned domains as "privileged" and is unable to disable javascript (or other resources) in those URLs. Firefox ESR 52 and Tor Browser 7.5.6 do not have that problem. What's the status in Tor Browser 8? See "src/noscript/upstream/src/lib/restricted.js" in NoScript's source tree and https://bugzilla.mozilla.org/show_bug.cgi?id=1415644.

3. This is an important regression in Firefox ESR 60: https://bugzilla.mozilla.org/show_bug.cgi?id=1487856. What's the status in Tor Browser 8?

2. On Firefox, NoScript 10 treats some Mozilla-owned domains as "privileged" and is unable to disable javascript (or other resources) in those URLs. Firefox ESR 52 and Tor Browser 7.5.6 do not have that problem. What's the status in Tor Browser 8? See "src/noscript/upstream/src/lib/restricted.js" in NoScript's source tree and https://bugzilla.mozilla.org/show_bug.cgi?id=1415644.

I only went through the bug report superficially but isn't Firefox Account disabled in Tor Browser and thus this doesn't apply?

Nevertheless, I guess it should be made harder to install extension. The FAQ already states that extensions should not be installed but I doubt many read that.

3. This is an important regression in Firefox ESR 60: https://bugzilla.mozilla.org/show_bug.cgi?id=1487856. What's the status in Tor Browser 8?

Looking at the bug report, I don't understand how that's an issue for Tor Browser. Perhaps I just don't get the connection somehow. Does this introduce a privacy or security issue or something like that?

I only went through the bug report superficially but isn't Firefox Account disabled in Tor Browser and thus this doesn't apply?

You're missing the point, which was clearly stated:

...NoScript 10 treats some Mozilla-owned domains as "privileged" and is unable to disable javascript (or other resources) in those URLs.

Does this introduce a privacy or security issue or something like that?

It is an important usability issue, especially for those who disable javascript.

You're missing the point, which was clearly stated:

...NoScript 10 treats some Mozilla-owned domains as "privileged" and is unable to disable javascript (or other resources) in those URLs.

Guess I got a bit distracted by the bug report you linked. Just to clarify, you talking about an arbitrary page being able to execute any JavaScript hosted on these domains, right? I definitely see how that could be an issue.

I recommend you open a ticket on https://ticket.torproject.org (if there is none yet) to have this looked into.

Does this introduce a privacy or security issue or something like that?

It is an important usability issue, especially for those who disable javascript

I see, opening a ticket would seem the right way to go then. Perhaps you could add an example in the ticket that shows how this bug in combination with JS being disabled leads to an unusable page. In my experience bug reports that clearly show that they are a real-world issue are fixed faster.

And NoScript in TBB7.5.6 has had a ....very strange bug, can't block JSON .Bug was sold from zerodium to governments. *WTF*
It's good to have stong nerves and don't believe in conspiracy theories(-:

September 05, 2018

Permalink

thank for this huge update! but how can you see your entry/exit node (IP). before update it was tor button, but now...?

September 05, 2018

Permalink

haven't checked on a non-Linux OS, but the user agent reported by this new Tor Browser is actually Linux, and not Windows, as on previous versions. Is this intended?

So why releasing now? It's months late anyway. If security vulnerabilities were the concern it should have gone out together with ESR 60,

Have ESR 52 vulnerabilities been observed being exploited in the wild now?

Mozilla still backported all security fixes to 52 ESR until now. As of the most recent release (60.2.0 on 2018-09-04) this is no longer the case. Thus, Firefox 60 ESR now contains bugfixes for security issues that won't be fixed in 52 ESR and since the fixes have been released the security vulnerabilities are now known publicly making 52 ESR an easy target.

September 06, 2018

In reply to gk

Permalink

I don't want to tell every website "Hey, look at me, I'm using OS with ~2% market share!", even with disabled JS while using TBB. What I should do? Why you so hate Linux users and make them 30 times more unique than Windows users?

Couldn't agree with you more. What a stupid mistake of TorProject. User Agent/operating system should be spoofed. Even with javascript totally disabled, Tor Browser still shows "linux64". What a mistake to make.

In the Tor Browser 8.0 customize panel, select the "⭑ Bookmarks Toolbar Items" icon and drag/drop it into the horizontal bookmarks toolbar space near the top of the customize panel.

The bookmark bar is not working. It's blank and dragging bookmarks to it only gives you a cross symbol. The bookmark bar is broke. Never had an issue with it before this version.

September 05, 2018

Permalink

Tor browser 8.0 is unavailable for Nvda[screen reader] in windows system. Please fix it.
Previous version works fine.
Blind users they can not use this version.

September 06, 2018

In reply to gk

Permalink

Thank you for your answer. How long does it take to fix this problem?
At once I can not use it tbb.

September 05, 2018

Permalink

The debian package torbrowser-launcher ships an apparmor profile which is incompatible with this version. It prevents the browser to launch because ./firefox is not allowed to access /usr/bin/dirname or ./firefox.real.

Also i think that the window size is not standardized as before (window.geometry says it's 712x900), but it could be a problem with my window manager

September 05, 2018

Permalink

Same issues as Tor 7.

OBS4 sits idle at establishing encrypted connection, all the time... no matter how long you wait?
FTE still does not work. Missing pluggable transport error?

Same as version 7...only OBS3 transport works.

Is there a SIMPLE way that Tor can be configured besides the default download?
Aren't there other transports that you can add to Tor that aren't default???

This browser has not worked well, or very incompletely since around 7.5.

Never ending Cloudfare issues since version 4 of Tor?

Please advise.

The usability and constant blocking of this browser is reaching a point to where I'm ready to switch to a new browser. I've also donated quite a bit of money for about 7 years now which these issues should not continue to deteriorate the browser as it ages. It should be better, not trending in reverse.

Does meek work for you? In case you are living/using Tor in a censored environment it can be that the default obfs4 bridges get blocked. Try getting fresh ones with our new Moat feature (see the above introduction in the blog post).

That said, yes, the censorship arms race is tricky. We need better strategies and newer pluggable transports. We are working on that but it is no easy task. If you are using Linux or macOS you could try the alpha series and check whether the snowflake pluggable transport is working for you.

September 05, 2018

Permalink

where is the circuite info and reconnect option? so the version 8 feels unsecure, switch back to 7 till things get fixed.

As the onboarding, this blog post and a note during the update shows that moved to the identity box (the lock icon) in the URL bar. Once you open a website, click on it and you'll see the circuit and the option to get a new one.

September 05, 2018

Permalink

Any chance we could get an option to revert to the old UI and retain the grannular control we had in previous versions of noscript?

September 05, 2018

Permalink

Looks like DuckDuckGo searches doesn't work if Tor Browser Security Settings is set to Safest. Trisquel 7 Belenos x86 BTW.

https://superuser.com/questions/732513/get-duckduckgo-non-javascript-ve…

this condition isn't new. I added the nojs ddg years ago.

you can add custom search engines. in any ff
1.) delete search.json.mozlz4
2.) ff regenerates search.json.mozlz4 based on your xml in searchplugins folder

the above is true as of esr 52. Did quantum broke the workaround?

replying here, because no form for logged-in cypherpunks on trac.

For TOR team, to throw XP users overboard is not the best decision.

I regret it very much. I can't afford myself to upgrade my XP to any higher release, since (i) my hardware shall not bear newer OS and, (ii) I have a lot of 'old good' software which shall not run even at Windows 7.

So the only choice which remains for me is to wait patiently until TOR shall change its upgrade policy, considering the demands of old people running XP on older HW. I shall not change my operational system -> I shall not upgrade TOR from the current 7.5.6 release, and the last thing remaining for me is to find out, how to switch off all the automatic upgrades to TOR

September 05, 2018

Permalink

It is utterly ridiculous that you've decided to expose your users' OSes in their user agents. As has been pointed out previously, alternative OS detection methods only work with JS on, and some obfuscation is still better than none. Instead of decreasing your users' OS privacy, how about you try to fix any lingering OS fingerprinting issues while leaving the protections that are already there in place?

Coupled with your longstanding insistence on leaving JS on by default and constantly simplifying and "streamlining" Tor to make it more and more difficult for intelligent people who understand its design to use it properly, I am seriously beginning to wonder if the Tor team hasn't been compromised by people who want its users to be exploited. Leave JS on by default and now make sure to expose their OS easily and transparently so that any nefarious actors know exactly which version of which obscure memory exploit and so on to use against them. It's highly suspicious.

Given this issue, I'm seriously wondering what other insanity is lurking in the design of this Tor Browser version and if I should even update.

Can anyone post the Windows UA of Tor Browser 8.0?

Thanks for your post. I'm afraid I get the same feeling about someone or a group trying to undermine the tor project. I have read similar voices as yours on other message boards. I hope there are honest developers left at the tor project. Something is odd.

September 05, 2018

Permalink

My virus program doesn't like your new Tor Update, it gave me a restart the computer. I believe it said xui. was the treat, I restarted the computer Trend Micro had removed Tor Browser. I haven't had this happen before. I reinstalled Tor it seems to be okay. I am using it now. Why would Tor Update scare my virus protection so badly? What is this xui? Why is it a serious virus warning from my virus protection?

September 05, 2018

Permalink

How can I enable flash? please spare me the flash is bad sermon. In the past there used to be a preference option to distinguish tor browser from other users. I can't find this option in this version, what's it about:config value?

September 05, 2018

Permalink

On MacOS 10.9.5 today's update gets me a crashed Tor browser upon startup every time. I had to revert to the previous version.

September 05, 2018

Permalink

Automatic update just updated to this version.

With all the updated features, it looks like alot of heart and soul was put into a major remodeling. The added features are kind of cool.

but...

You can no longer can see circuits you are on :(. Vidalia was the most perfect expression of this, and since it was taken away, at least we could see the circuits. Now we see nothing. Threre are times I do not want a certain country code or tor node in the circuit (i.e. Liberia, Nigeria, Ukraine) and when so, I reset it. Until now.

You can no longer change fingerprint from the onion dropdown :(. I have to restart Tor for that now.

I tried the alpha version before this release and ran back to the 7.56 for the reasons above and because of update issues. Please stop taking away useful functionality when adding new stuff and bring the circuit view and change fingerprint back if only as selectable options.

Hej Ranger,
couldn't say it any better.
I also stepped back to 7.56 because of the missing visibility of circuits and possibility of resetting it.
I absolutely agree.

Yes, you can see your circuits and get a new Tor circuit for a website. As the blog post, the note after the update and the new user onboarding says: it moved to the "identity box" in the URL bar (the "lock" icon). That way it fits much better into the toolbar as it is making site-specific options available for the particular site you currently have open.

September 06, 2018

In reply to gk

Permalink

Well be that way then.... :).
Thanks for the clarification on where and how that can now be done. That will work okay.

September 05, 2018

Permalink

so first firefox fuzzing up all there extensions with quantum. and now you are doing the same. al my fucking extensions has become legacy. sigh im so sick and tired of this shiz

September 05, 2018

Permalink

No more updates on XP and Vista? Are you serious?? Do you know how many people will no longer be able to use Tor at work since many businesses, including government/military/banks, STILL use XP and Vista?? Is there any way to fix this??

September 06, 2018

In reply to gk

Permalink

Will Tor still conceal my IP even if I continue using TBB 7.5.6 on Windows Vista? Vista is what my job uses still and concealing my IP is what I'm more concerned about now until I can think of what to do next.

Tor working in Tor Browser 7.5.6 should still be working as expected. The risk here is that both Firefox and Vista (now) contain known security vulnerabilities that don't get fixed and which probably allow to bypass Tor's protections.

September 14, 2018

In reply to gk

Permalink

Tor Browser 7.5.6 has a big bug in NoScript which makes Javascript-blocking very useless.

September 05, 2018

Permalink

OMG please revert back to old style. Where's the advanced settings to turn off plugins, even the about:config page is different. DuckDuckGo does not work, and of course when you're on full secure lock down, neither does Google.

I used to go security settings, HIGH, advanced, turn off all plugins, then about:config and turn off JAVA proper. Now I'm unsafe.

September 05, 2018

Permalink

The new about:tor page is really nice, but I miss the "am I on tor?" link.
And I agree with the others about the User Agent. If you don't fix this at least give us a tip to fix it in about:config

September 06, 2018

In reply to gk

Permalink

There would be no false negatives with an onion mirror of check.torproject.org.

September 05, 2018

Permalink

No Script has a mind of its own now. New Tor circuit for site is gone too. And know matter how many years go by, no one is going to fix the incessant cloudfare problem? The fact that websites know that an incoming request is from a Tor user is something that should've been solved long ago as well. We aren't free to do simple internet searches anonymously.

I wish all of you the very best! I mean that! But the Tor infrastructure is hand-cuffed somewhere, and the primitive versions of Tor worked the best! Goodbye Tor! Hopefully we can re-enage one day, but this is getting far to fragmented and disorganized for the average user with ambiguous scalability for the ones who support you

No, the New Tor circuit is not gone, it moved where it better belongs to: the URL bar, more specifcially behind the "lock" icon/identity box showing information about the website. See our new onboarding and blog post.

September 06, 2018

In reply to gk

Permalink

"No, the New Tor circuit is not gone, it moved where it better belongs to: the URL bar, more specifcially behind the "lock" icon/identity box showing information about the website."

I'm not bothered by the new icon but I don't know why you think it "belongs" so much to the URL bar. IMO it wasn't worth losing so much time coding and developing a new icon when the Tor Button was doing the job perfectly.

The problem is/was that the icons on the toolbar are not for specific tabs but for the whole browsing session. For instance the update status (the blinking Torbutton icon if you run an outdated version) is not dependent on a particular tab. Yet the circuit display makes only sense with respect to a URL loaded in a particular tab. The mixing of tab-specific/non-tab-specific items in Torbutton was very confusing. We solved that for the circuit display by putting it directly into the identity box which is collecting all the site-specific information anyway.

September 05, 2018

Permalink

Can I remove the "flexible space" on either side of the address+search bar without compromising anonymity? I hate not being able to visually confirm the ends of URLs. Version 8.0 fades and hides the ends from view, so you have to click and scroll sideways each time.

September 05, 2018

Permalink

Tor browser przestał działać z czytnikami ekranu na systemie Windows takimi jak Nvda. Teraz aplikacja jest nie możliwa do używania przez osoby niewidome. Proszę o naprawienie.

September 05, 2018

Permalink

You reveal the IP, port, transport protocol, and most of the fingerprint of a bridge in the large GIF in the post under "Improved Bridge Fetching". Outing that bridge means its metadata is almost as quickly discoverable as those of the bundled bridges unless it was one before. Please consider that.

September 05, 2018

Permalink

All bridges be blocked, need more dostributed, better with everyone could be a entry node, no law issue like exit node.

September 05, 2018

Permalink

My system is Vista and I use chrome+ff. it said I cant get the updates anymore from Tor. I cant afford to buy new system and i still stick to my old fashion one i got used to for up to10 years. please let me know if it is possible. I use Tor to be anonymous for some websites I most visit per day. I really want it back. I am not that young to learn the new thing and new systems :( please help me out of this :( make some exception for those old ones like me who can not change their habits.

September 06, 2018

In reply to boklm

Permalink

"option is to boot on a Tails"

OK, but Tails has no (editable ) persistent Entry Guard?
An essential Tor security standard.

September 05, 2018

Permalink

My initial thoughts:

sandboxed-tor-browser now doesn't work (and I imagine it probably never will again.) That's not unexpected, but it is sad.

I don't like the new about:tor. It feels like an advertisement, and I don't particularly want to be advertised to every time I start my browser. "Explore. Privately." is just plain tacky. As for "the world’s most private browsing experience", it feels like you're trying to draw a comparison to other software - but given that there isn't any other software in Tor's class, all that does is bring you down to their level.

It's hard to explain, but the old about:tor screen was friendly and calming. This one is much less so.

The tutorial obviously isn't meant for me, but I would point out that the word "onboarding" also feels like marketing-speak.

I don't like that the onion icon is not brightly colored. I spend a lot of time using both Tor Browser and Firefox, and I want to have an obvious visual cue to tell them apart. Like about:tor, the bright green onion was comforting. The new onion icon is quite hard to see, at least with the dark desktop theme I'm using.

The new NoScript menu consists entirely of cryptic icons. Well, as wonderful as NoScript is, it's never been a paragon of UI design, but this seems worse than before.

With all that said: *thank you* to everyone working on Tor Browser. I'm only griping because of how well-constructed the old UI was, and I hope and expect that in time, the new UI will be even better.

I agree about the "about:tor" page. It's now like those ridiculous Apple ads full of empty advertising jargon. Anonymity as a consumer good is a trend that Tor project should resist and not follow. It gives a sense of trickery and of constant changes for the sake of increasing market share.
The first page you see should be simple, informative - and as boring as bureaucracy. "You're connected to Tor, you're using this version, here's some links to more info." That gives the user more confidence that the Browser itself is an ordinary and boring (reliable!) tool.

September 05, 2018

Permalink

Just want to say a MASSIVE THANK YOU to everybody who works on these browsers and tor in general, those out front and behind the scenes. The unsung heroes and heroines (and whatever such label a non-binary person might use), you are LOVED. xo

September 05, 2018

Permalink

whoer.net now correctly detects my real OS no matter how many times I choose a New Identity; this never happened before!

We don't have resources to keep supporting it. By the way Vista is not supported by Microsoft anymore, so it is not a good idea to keep using it as it is not receiving security updates.

September 06, 2018

Permalink

hi, can't use it in china, I can't open any dot onion website using 8.0 version, and when I click request a bridge from tor project, it shows unable to obtain a bridge from bridgeBD 0x805a2ff4, does anyone can tell me what to do? Im a little confused, thanks

The bug obtaining a bridge directly from BridgeDB should be fixed by now. Does it work better for you now? That said, dealing with China is tough. Last we heard the meek-azure transport is still working. Maybe that could be an option for you as well?

September 06, 2018

Permalink

All of the functions relating to Tor used to be in one place, the attention-grabbing TorButton icon, but in this version they are scattered in three or more places. It is less intuitive. "New Identity" and "New Circuit" are mixed in with the jumble of Firefox options in the hamburger menu (that we aren't supposed to touch lest our anonymity be jeopardized) and appear as if they have the same worth, i.e. to just ignore them rather than understand their importance and purposely use them.

That's only partly true. Yes, those options are available on the hamburger menu but only as "fallbacks". You have "New Circuit" option with the circuit display on the left site of the URL bar (clicking on the "i" icon) indicating that what you and choose for an option is directly tied to the URL you have open. "New Identity" will get an own button on the toolbar soon, we were not able to finish that item before Tor Browser 8 got out.

September 06, 2018

Permalink

Is the user agent spoofing broken in 8.0? Type user agent into duckduckgo and it is no longer showing Windows NT 6.1 but

Your user agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Other HTTP headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Host: duckduckgo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Content-Length: 12
Content-Type: application/x-www-form-urlencoded
UPGRADE-INSECURE-REQUESTS: 1

September 06, 2018

Permalink

Too many bugs. I'm listing up all issues, please do something!

1. There's so many "Firefox" word in about:preferences which you failed to replace them properly,
2. You forgot to check "Prevent accessibility service from accesing your browser"(IIRC) by default,
3. You forgot to disable "View Firefox Studies" link and its contents (Firefox Data collection and use section),
4. Just remove "Firefox Data Collection and Use" section because it is creepy,
5. In Permissions, Location/Camera/Microphone should have "Block new requests asking to access" checked-on by default,
6. When the user changed the search engine to other provider, Tor Browser forcefully changed it to DuckDuckgo,
7. When I visit https: .onion, the URL bar shows green onion + pad lock icon, but the browser complain about self-sign certificate. Can't you just ignore this already??
8. And your updater still deliver Windows 32bit version. Why I can't reveive 64-bit of TBB?

That's a long list. Let me answer you in reverse order:
8) Because your Tor Browser is asking for a 32bit update. Once you start with a 64bit Tor Browser that one will ask for a 64bit update. We have https://trac.torproject.org/projects/tor/ticket/24196 for updating 64bit capable Tor Browser users that use a 32bit build to 64bit.
7) Maybe? It seems to be a misconfiguration on the sever-side, though, to me. We have https://trac.torproject.org/projects/tor/ticket/13410 for that.
6) Could you give me steps to reproduce this bug?
5) I think we take care of that by not compiling WebRTC in and flipping related preferences.
re 4)-3) and 1): yes there is clean-up to be done on the about:preferenecs page see: e.g. https://trac.torproject.org/projects/tor/ticket/26504
2) I don't think we want to check that checkbox by default. That leaves users that depend on those tools with a broken Tor Browser.

September 06, 2018

Permalink

Hey, and when I open about:config, I can see many https: link to .mozilla.org.
Why you can't replace them to empty string?

We could. However, some we need and some we don't need. It seems easier to focus on particular features that are harmful and make sure they are disabled than just removing any URL that has "mozilla.org" in it.

September 06, 2018

Permalink

Sorry, though I see the effort you spent, I'm not happy with 8.0

Where is the am I on tor button?
Where is the change channel for this page button?
Where is it displayed which countries are used for my internet access?

My impression is that we loose control and anonymity with the latest version of tor.
I hope you will turn it back.

No. The latter two items moved into the URL bar, behind the "i" icon showing information about the currently visited URL. It feels much more natural having that information there than in a generic Torbutton menu that is for the whole browser and not just a particular tab.

The link to check.torproject.org got removed as in the past we got a bunch of false negative reports that scared users and Torbutton is automatically checking whether you are connected to Tor anyway and indicating if not. Thus, this check is redundant and error-prone.

September 06, 2018

Permalink

The Bing translation tool at https://www.bing.com/translator completely breaks under 8.0. I can get it working by disabling restrictions from the tab. Simply "trusting" each of the referenced domains is NOT enough to restore the function.

What are the additional permissions that disabling restrictions on the tab is enabling that trusting domains alone does not do?

September 08, 2018

In reply to gk

Permalink

For Bing Translator I "Disable Restrictions for This Tab" and then it works. But I don't understand what I need to change permanently.

September 06, 2018

Permalink

in older versions about:config listed 300+ configurable noscript options.
in v8.0 it does not list even one, and the options in in noscript itself have vastly been reduced.
more regression!

September 06, 2018

Permalink

152 bugs!
If the new Firefox looks like as stable and secure as Adobe Flash, what can we expect from Torbrowser then?
I really appreciate the hard work but will it be worth to try fix and fix over and over again this new mozilla colander style browser that is creating problems over and over again with new fashionable unnecessary functionality?
Modifying a bad product costs many ours of people working to make it work with no guarantee because of troublemaker mozilla, and that is sad, because Tordevelopers and their users deserve better.
However, given the situation, thank you for your hard work and efforts and hopefully this fashionable long term damage that mozilla is creating will not cost lives or will unnecessary fill jails with innocent people.

September 06, 2018

Permalink

SEVERE BUG.

about:preferences#privacy
Cookies and Site Data
Selected: "Block cookies and site data"

[ Exceptions... ] -> [https://example.com Allow for session]

But it seems Tor Browser is not eating cookies so I can't login to example.com!

HELP!

I tried to login to https://trac.torproject.org/projects/tor/newticket
with "https://trac.torproject.org Allow for session" settings, SAME RESULT.

WTF is going on!?
I had to use Firefox Extended Support Release version 60 with Tor
to login to example.com. I feel VERY insecure.

I was fine with TBB 52 era, but now this!?
Please fix TBB ASAP!

September 06, 2018

Permalink

It's not possible to start the navigator.
The error message is: "Tor unexpectedly exited.This might be due to a bug in Tor itself, another program on your system, or faulty hardware. Until you restart Tor, the Tor Browser will not able to reach any websites. If the problem persists, please send a copy of your Tor log to the support team"

September 06, 2018

Permalink

No more Vista support ????.
I do not want (or can afford) to upgrade to a more sophisticated version of Windows spyware.
Can I still use the old version of TOR ?
In my opinion you are moving backwards with TOR , too many "features"
But I must thank you whole heartedly for providing this program.

September 06, 2018

Permalink

Thanks for the new release. Apparently it is not compatible with the use of FireJail and Firetools for sandboxing it (always get a message: "Your tab crashed, restart...."). Too bad.

Otherwise, the experience is cool, so far.

Yes, we have https://trac.torproject.org/projects/tor/ticket/27407 for that. We actually think this is a Firefox bug as this got reproduced with a vanilla Firefox, too. Thus, we have https://bugzilla.mozilla.org/show_bug.cgi?id=1488078. They might have problems reproducing the bug. So, if you could help them with that, then that would be the first step getting it properly solved. :)

September 06, 2018

Permalink

Noscript does not save the whitelist settings(in `Per-site Permissions`), they only remain there for as long as the browser is running. If I restart the browser all entries I made there are gone.
Steps to reproduce:
- Download Tor Browser Bundle 8.0
- Run `./start-tor-browser.desktop` in the terminal
- Under `Per-site Permissions` in the noscript options, add any site and set it to trusted
- Close the browser
- Open it
- Go to `Per-site Permissions` in the noscript options
- The entry is not there anymore
I'm on fedora 28, 64 bit.

September 06, 2018

In reply to gk

Permalink

Thanks for the fast reply!
Looks like nothing from noscript will be saved, then. I assume there isn't any workaround to that at the moment?

September 06, 2018

In reply to gk

Permalink

I see, thanks for your time.

Interacting with the new NoScript has been quite... challenging.

Yes.

September 06, 2018

Permalink

First of all, I would encourage every one check Tor Browser "fingerprintability" before updating to 8.0 and after the update. For me, using Panopticlick, it went from non-unique (on 7.5.6) to nearly-unique (on 8.0). oO

Now, I got a couple of issues with 8.0:

  1. What happened to the canvas permissions pop-up? It seems to be gone and canvas access is allowed by default. Is there a way to get the permissions pop-up back and/or deny canvas by default?
  2. NoScript settings (including whitelisted sites) are reset after browser reload. Is it the plugin or browser issue?

Thanks for your efforts in making privacy available!
Thanks, in advance, for your answers!

First of all it's not surprising that Panopticlick is reporting that for you. I mean how many Tor Browser 8 versions does it have seen so far, compared to *all* the browser fingerprintings over the years? Right, essentially none, hence the result: Panopticlick is heavily biased and not a good test for measuring Tor Browser fingerprintability.

Regarding issue 1) canvas extraction is not allowed by default. You can test that on one of our test sites: https://people.torproject.org/~brade/tests/canvasTest.html. What we did though, is greatly reducing the "prompt-fatigue" by using a Mozilla patch https://bugzilla.mozilla.org/show_bug.cgi?id=967895 and sending white noise for all users.

Regarding issue 2) This is https://trac.torproject.org/projects/tor/ticket/27175 and we are looking into it.

September 07, 2018

In reply to gk

Permalink

Thanks for your answers, I've got a couple new questions though:

  1. How would I enable canvas extraction if it is needed by some site functionality (e.g. avatar uploading)?
  2. Which tools would you advise as a replacement of Panopticlick for measuring Tor Browser fingerprintability?

You should get a popup (see the tests I linked above) which should allow you to enable canvas.
Regarding 2) there are, alas, no good tools for that yet. We try to make our FPCentral Google Summer of Code project into such one (a beta can be found at: http://ngp5wfw5z6ms3ynx.onion/) but we did not have as much time to maintain and develop it as necessary yet. :(

September 10, 2018

In reply to gk

Permalink

— Platform macOS, Tor Browser 8.0 —
Regarding 2)...In Tor Browser 7.5.6 and earlier versions, fingerprint tests consistently revealed screen resolution '1000X1000'. FPCentral Google Summer of Code project: http://ngp5wfw5z6ms3ynx.onion/tor shows 'SCREEN RESOLUTION 1000X998. Your Tor browser is not at the recommended size. It should be either at 1000x1000 or at a multiple of 200x100.' With Tor Browser 8.0, this issue, '1000X998', or '1000x998x24' persists in all other fingerprint test results, including Panopticlick, whoer.net, amiunique.org, more... Please fix this issue so that when Tor Browser opens, the screen resolution is 1000x1000, and not 1000X998. Thanks

September 06, 2018

Permalink

1) Can you please add an extension to the Tor browser that has the same features as Self-Destructing Cookies with it enabled by default on all sites. This would go a long way to prevent unintentional tracking along with it being officially added to the browser we don't have to worry about the extension suddenly becoming malicious, harvesting user data or making people less anonymous by having to install it themselves.

2) Please put a priority on fixing User Agent issue this can have detrimental consequences for people who need it.

I'm glad the first comment notes about the UA change, which is actually a privacy *regression* since for users with JS disabled the real OS will be leaked vs. the situation in the previous Tor releases (7.x). Also not everyone does JS based OS detection (only a few do it) but *most* do log the UA. One can imagine that the UA is all it takes to correlate between two users with similar traits in a low volume site (example writing patterns, social graph, ...) [and even a high volume one like Twitter with some more work].

Please Tor Browser devs fix this issue since it's really the only bad thing in an otherwise almost perfect stable release.

September 06, 2018

Permalink

On Linux, the "see my path" button in the new onboarding wizard opens a new tab with the ddg onion, and then opens the box that normally opens when the site name is clicked on (the box that says "secure connection" and "permissions" etc). I assume it is trying to open the Tor Button circuit display but finding the wrong ui element? I thought it was because i'd reordered my toolbar, but changing the order of the widgets doesn't seem to change the behavior: i always get to the site info box from the wizard's "see my path" button.

September 06, 2018

Permalink

Bedroom Chinese users, built-in meek-azure has been blocked by China, the next is the log

9/6/18, 14:51:02.531 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/6/18, 14:51:02.531 [NOTICE] Opening Socks listener on 127.0.0.1:9150
9/6/18, 14:51:04.743 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
9/6/18, 14:51:04.743 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/6/18, 14:51:04.743 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
9/6/18, 14:51:22.314 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/6/18, 14:51:22.315 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/6/18, 14:51:22.315 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/6/18, 14:51:22.315 [NOTICE] Opening Socks listener on 127.0.0.1:9150
9/6/18, 14:51:26.127 [NOTICE] Bootstrapped 5%: Connecting to directory server
9/6/18, 14:51:26.129 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
9/6/18, 14:52:26.148 [WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 1; recommendation warn; host 97700DFE9F483596DDA6264C4D7DF7641E1E39CE at 0.0.2.0:2)
9/6/18, 14:52:26.149 [WARN] 1 connections have failed:
9/6/18, 14:52:26.151 [WARN] 1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
9/6/18, 14:52:26.191 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
9/6/18, 14:52:26.191 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/6/18, 14:52:26.191 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
9/6/18, 14:52:27.111 [NOTICE] Delaying directory fetches: DisableNetwork is set.

September 06, 2018

Permalink

Hello, i have a question regarding the renaming of the Tor Browser folder.

I like to have older TBB versions and i rename the folders with an added version number. Before this new version 8.0, i was able to rename the folders after each update (for example from "Tor Browser 7.2" to "Tor Browser 7.3" and then after starting the shortcut "Start Tor Browser", it still worked.

Now after i updated to 8.0 and then changing my folder name from "Tor Browser 7.5" to "Tor Browser 8.0" it doesn't work anymore. After clicking the shortcut "Start Tor Browser", it opens the firefox.exe, but Tor itself is not loaded before that and also the onion symbol in the toolbar is not there. Also no site seems to work. Renaming it back to "Tor Browser 7.5" is making it work again.

Is there a workaround to rename the folder while functionality is still given? Thanks in advance.

September 06, 2018

Permalink

Hi,

is it only me or is NoScript no longer saving any changed presets? I normally start with "Default - everything off (nothing is allowed)". But the changes made in the add-on setting page is gone after every start of the browser.

September 06, 2018

Permalink

With the release of 8.0 i have issues with HTML5 video playback. To reproduce the issue and rule out an error in the settings, i used a fresh install, with default settings.

Videos are no longer click-to-play. With Security Level on Standard videos automatically start to play. With Security Levels on Safer and Safest videos don't play at all. To play videos with the higher Security Levels the site needs to be trusted in NoScript. Trusted sites however play videos automatically.

This should not happen, especially since Safer and Safest clearly say "Audio and video (HTML5 media) are click-to-play."

I just tried with Youtube on a Linux system and it worked for me as expected (the video is click to play on the safer level). Could you give me a link that worked previously but does not in Tor Browser 8 anymore?

September 06, 2018

Permalink

In 8.0 new version..
Where is java button enable/disable?? diaspear?? It was very useful.

Why there is no ne Tor for Windows Xp and vista..still many using!!
also 32 bit version is necessery too.

September 06, 2018

Permalink

HOW CAN I DOWNGRADE TO 7 PLEASE ?
THE 8 DESTROYED MY CLASSIC DISPLAY, MY FLASH, MY DOWNLOADS FROM YOUTUBE, EVERYTHING

I HATE THIS INTERMINABLE COURSE TO FALSE IMPROVING'S, AGAINST FALSE ENEMY'S, ETC.,
AFTER SO MANY YEARS WHEN WILL YOU UNDERSTAND THAT YOUR EXTRAORDINARY WORK, UNFORTUNATELY REMAINS A TOOL FOR US HELPING FOR SOME OTHER ACTIVITY
ITS A TOOL FOR US, NOT A MUST BE "IN", A LETS CHANGE THE TOOLBAR IN AN INAPPROPRIATE PLACE :

EXAMPLE OF STUPIDITY :
1)
THE NAVIGATION BAR IS STATIC, DOES NOT CONTAIN THE INFORMATION WE USE TOR FOR. WE DON'T EAT ADRESSES, BUT CONTENTS.
2)
THE BOOKMARKS EITHER. THOSE ARE STATIC THINGS WE DO NOT USE TOT TO READ BOOKMARKS BUT CONTENTS
3)
THE ONLY THING IN TOUCH WITH THE CONTENTS IS THE TAB CONTAINING THE NECESSARY, THE GOAL OF TOR, THE CONTENT.

OR, SOME IDIOT HAS SEPARATE THE TAB FROM THE CONTENT. INCREDIBLE. STUPID.
ITS COMPLETELY CRAZY

THE REALTIME WORK

September 06, 2018

Permalink

I stopped using Firefox because the new version had a lot of addons-related efficiency problems. Now I see this Tor is the same but I can't stop it from updating, I try to install the older version without any success.
I wish you could let the user decide which version they want to use at their own risk. For some of us, this update means we have to stop using Tor altogether.

September 06, 2018

Permalink

Hi,
Tor Browser 8.0 is not usable by a user who is blind. I'm using NVDA screen reader on Windows 10, and I cannot use Tor Browser at all. Please test by installing NVDA and then running Tor Browser.
Thanks.

September 06, 2018

Permalink

Is it safe to set 'dom.ipc.processCount' to '-1'? It would be really nice to have one process per tab, providing more isolation between different sites.

September 06, 2018

Permalink

first you took away the option to choose the country of the exit node when phasing out vidalia. now you take out even the option to SEE which exit country you are using with version 8. why do tor developers need to hide important information from users like in which countries the tor nodes are you are connecting to? is it because lately all tor nodes happen to be on the same country which is a huge security risk? is the tor browser no longer secure? i'll not donate any more money to the tor project until i see a change to transparency and give the users back the control and information we always had before. and i'm rolling back to version 7 obviously since i want to see if i'm using a node in the USA or in my own country. SHAME ON YOU. really. i'm speechless....

Please calm down. We have announced the changes on our blog post to this release (just scroll above and read it), we gave an explanation you would get after starting the new version after the update and we included an onboarding (upper left corner) that is explaining the (new) features. In short: the circuit display and other related functionality moved to the "i" (identity) box to the left in your URL bar as it is site-specific. We think if fits there way better than in the Torbutton menu.

September 06, 2018

Permalink

Thanks for this stable release! All working fine. Must have been a tremendous job to get all to work properly.

One question: Will adding some minor cosmetic changes using a userChrome.css script compromise anonymity?

September 07, 2018

In reply to gk

Permalink

Like replacing the tab throbber and changing colors of bookmark folders. Understand this is not high priority to say the least, but would anyway be interesting to know.

Thanks for your time.

September 06, 2018

Permalink

Why TLS 1.3 still disabled? 000-tor-browser.js pref security.tls.version.max;3 contains legacy description ("Enable TLS 1.1 and 1.2")

September 06, 2018

Permalink

Ditto, leaking OS information in UA when JS is disabled is not nice.

What is the JavaScript argument here? You leak OS information as well if you have JS disabled, even if the UA is the same as the font whitelist we ship is OS specific.

September 06, 2018

Permalink

When previewing/submitting a comment here with security settings set to safest, TB8.0 started to reload continuously and memory usage increased until my virtual memory was all used. If stopping the repeated loading, the site was broken. In Windows event log there was an error message of some program specific local authorization problem DistributedCOM.

Tested again with security settings set to safer and the problem is now gone.

September 06, 2018

Permalink

As expected, Quantum era FX has disabled security and usage features.

Specifically, pre-Quantum noscript addon (by Maone at informaction) had options/prefs that chose whether to show or disable noscript elements in html.

For example of usage on the web, twitter shows no content except a notice "We've detected that JavaScript is disabled in your browser. Would you like to proceed to legacy Twitter?" with a "Yes" button.
Clicking the "Yes" button sends page to the same content but on mobile.twitter.com/ instead of on twitter.com/
This is "Yes" button is useless, because the mobile.twitter.com/ page also shows the same ".. JavaScript is disabled.. proceed to legacy Twitter" message.

Workaround:
via Firefox's text menu, "Page Style", "No style" will show Twitter page content.

Long-term "hack" is to edit userContent.css:
I haven't reviewed userContent.css syntax but Developer Mode and view-source of a twitter page should rapidly find the css that needs editing.
I assume userContent.css can apply these styles of noscript elements to all web domains. Must find regarding userContent.css, whether styles applied generally precede or if they follow styles restricted to domains.

Relevance to Firefox and Tor Browser:
This confirms the value of pre-quantum noscript addon's options/prefs

If someone (?) eventually restores lost addon functionality, I foresee further divergence of tor browser from Firefox, but expect that will require an increase in coding workload     )*:

I wonder how I missed your reply two days later... (according to dates shown here)

Your css rule worked.
I first only added your rule to my rules, but that had no effect.
I then removed all other rules in
@-moz-document domain("twitter.com")
and your rule worked.
I also had somehow lost the initial
@namespace url(http://www.w3.org/1999/xhtml);
line.

So my userContent file had been ****ed up
Sometime in the future, I'll add my other twitter fixes back into userContent (one of my rules had been very close to yours... possibly a child element of yours)

Thanks

Also for lurkers, this is the 'traditional' way to write the rule:
form.NoScriptForm{display:none!important;}

Reading Twitter in tbb8 is 'incurable' mess. I have returned to tbb7 (for.... how long?)

Problem: Copying tbb8 bookmarks to tbb7 isn't straightforward.
Quantum (Firefox in tbb8) uses a different places.sqlite, and pre-quantum (Firefox in tbb7) rejects my attempt to copy places.sqlite from tbb8. Instead, tbb7 renames places.sqlite to places.sqlite.corrupt, then loads its automatic backup into its bookmarks.

Background:
My Options/Preferences>Advanced>Update is
(.) "Check for updates, but let choose whether to install them"
I saved a copy of tbb7 folder before tbb's upgrade to tbb8

__Workaround:__
Start tbb8.
Open bookmarks manager.
Backup to .json file.
Shutdown tbb8
Start tbb7.
Open bookmarks manager.
(Choose whether to manually delete everything in bookmarks menu and in bookmarks toolbar. I did.)
Restore, select the .json file created by Backup in tbb8.
2 or 3 "unresponsive script... Continue" popups. Procedure consumed (guess) 4 minutes on 2012 i5 PC running Windows 7 Pro x64

Result:
Bookmarklets and creating new bookmarks appear to be working during about 15 minutes of using tbb7 with the .json "restored" from tbb8 backup.

Notes:
tbb = tor browser bundle
I intend to report anything else that seems related to this 'workaround'.
I hope to experiment with "fixing" Quantum using a "throwaway install" of PortableApps Firefox.

What is the issue for you here? Regarding bookmarks, can't you export the bookmarks in Tor Browser 7 with the bookmarks menu and import them in Tor Browser 8 the same way (in the latter with Ctrl + Shift + O and there Import and Backup)?

October 04, 2018

In reply to gk

Permalink

sorry for late revisit.

Web searches found people using regular non-tbb firefox who fell into the same predicament. They disliked quantum after trying, then wanted to use their newest bookmarks in (pre-quantum) ESR.

------

Overview of predicament:
tbb7 updated to tbb8, which changed something in the sqlite file.
I used tbb8 for a while, accumulating additional bookmarks.
I then decided to return to tbb7.
I wanted tbb7 to use my most recent bookmarks
tbb7 couldn't accept the places.sqlite file that I dragged from tbb8 profile.

Thus the need for a workaround.

tl;dr workaround:
In tbb8, "backup" to .json file
In tbb7, restore from same .json file
During restoring, click "Continue" button in "unresponsive script..." alerts

-------
Almost 4 weeks (more than 30 accumulated hours) since this json workaround, nothing odd has occurred in tbb7.

------
about Ctrl + Shift + O - for the lurkers:
While in normal window of Firefox:
ctrl+shift+o opens bookmarks manager in Linux.
ctrl+shift+b opens bookmarks manager in Windows.

NoScript Extension:
I noticed in tbb8 that noscript has very few options, and none are the "Hide noscript elements" or "Forbid meta redirections.." options as in pre-Quantum NoScript extension.

September 06, 2018

Permalink

I keep setting NEVER CHECK FOR UPDATES but you keep updating to 8.0 Why? I don't want that update cause it disables 2 important add ons making TOR useless to me

September 06, 2018

Permalink

Why new Tor isn't working on Win Vista anymore? It is possible to make version of new TBB for Vista? Please help me in this if You can, Thanks.

September 06, 2018

Permalink

System: Tor Browser 8.0 using obfs4 bridge on macOS. Please implement the following modifications: (1) In the Circuit Display, replace the word 'Bridge' with an actual country name. (2) Move 'Show history', 'Toggle reader view', and 'Page actions' from the address bar to the Toolbar. (3) Include the 'New Identity' toolbutton in the Toolbar, Circuit Display, or Torbutton. (4) Implement a common User Agent string uniformly across all platforms so that the UA string will reveal 'Windows NT 6.1' (or another os). Tor Browser, the teams, and the volunteers are outstanding! Thank you.

If you update to Tor Browser 8 you'll stand out because you don't use a mainstream OS.
If you proceed to use the previous version you'll stand out because you'll be one of the few that keep using an outdated version of Firefox.

Pick your poison.

September 06, 2018

Permalink

Please support Vista users again, I know that Microsoft left supporting it but still many of us using this system.
Maybe some special edition of new TBB with a little bit older Firefox?

September 06, 2018

Permalink

In the previous version of Tor I could set my scripts to block globally now with the new NoScript I go into settings set the default to uncheck everything so nothing is allowed, but when I restart Tor the settings are forgotten so the Default goes back to allowing almost everything. Very disappointing that it wont remember my settings on something as important as this, I want to go back to my old Tor version. Please fix Tor land.

September 06, 2018

Permalink

Thanks to Tor devs for all their hard work.

I do have an issue with TBB 8.0 but it is likely to be Mozilla that are to blame for this frustration..

TBB8 is the first to be based on a version of FF which disables 'legacy addons'. Which would be fine if they put as much effort into getting the various WebExt APIs working and supported as they've put into forcing everyone onto WebExts.

Unfortunately the API I will need to get my 'legacy' addon working isn't in FF60, and it will be a long while until we see a TBB based on the next FF ESR.

In the meantime, my heart leapt to see there is are 'extensions.legacy.enabled' and 'extensions.legacy.exceptions' prefs.

However, though it seemed the nightmare was over, in fact neither of these prefs seems to get my addon working; it is still listed as 'disabled'.

I will do some testing to determine whether there is particular functionality that is causing that addon to be disabled in spite of the prefs, or whether those prefs are a tantalising lie.

In the meantime, what experiences have others had with this so far?

(And before anyone starts with well-meaning warnings about the security risks of using addons in TBB, I wrote it myself, it's a relatively simple addon, I understand what it does, I need this functionality and I accept the calculated risk).

September 06, 2018

Permalink

Hello Tor developers,

Firstly, I would like to thank you for your hard work for making this excellent anonymity & anti-censorship tools for everyone. I'm relatively new to Tor Browser & Tor in general nor am I a tech savvy person. I've been using Tor Browser since TB 7.5.4 and this new release TB 8.0 is rock solid. However I'd like to express a concern about User Agent Spoofing (which other people have already said).

I've tested my fingerprint in Panopticlick and Whoer. Panopticlick shows that I have strong protection against fingerprinting (I usually use "Safer" on security slider), but it shows my operating system which is Linux x86_64, same with whoer.net.

I read your explanation as to why Tor developers decided to ditch UA Spoofing as there are many variables that webmasters can detect users' OS by other means, not to mention mobile users which can give negative impact to their browsing experience (i.e. getting desktop site instead of mobile version). I usually browse normal clearnet, nothing shady or illegal. However my concerns lie on the mindset of this decision.

While I can understand a lot of web technologies can break users' anonymity, I fear if this "the web standards mandate this new/old tech that can break anonymity, obfuscating it will result in little impact on users' anonymity while heavily impacting user experience, we might as well give up" mentality, this will result in weaker tools such as Tor & Tor Browser. I'm even disappointed when Mozilla started to add "features" that may lessen users privacy such as Pocket and other stuff.

As other users have suggested, maybe it would be better to enforce UA Spoofing to Windows UA regardless of their Desktop OS only, while keeping mobile to their UA. If you fear new users will likely quit using TBB altogether just because one of their favourite sites give them bad UX, maybe you can educate these users in Tor Browser User Manual when they first fired up TBB. I feel like educating users and giving them understanding and the solutions are much better than unmasking everyone. These days and age, people just don't like to learn nor do their research beforehand and if we keep following these people, it will weaken the only tools that us normal people have to having basic privacy & anonymity.

This is just my opinion & criticism and by no means an attack to Tor devs, so I hope you take it as such. Once again thank you to all Tor devs and congrats on the new TB 8.0 release :)

September 07, 2018

In reply to gk

Permalink

Then give users a choice to select the user agent. You can show an icon having a drop down menu to select the user agent. If the user goes on one of such websites that you mention the user can switch to the appropriate user agent. You are compromising security for convenience. Give us a choice.

September 09, 2018

In reply to gk

Permalink

Are you serious?

First, no websites should never do any "OS specific functionality" or "Browser specific functionality" for that matter. Don't you remember why the W3C was created for ?

Second, we're talking about TBB, a browser meant to be used without JS. People who care about "specific functionality" shouldn't use TBB, that's all.

What is your goal? Are you seriously trying to increase the TBB user base? What's your point?

September 06, 2018

Permalink

Noticed differences between Tor v7.5.6 and Tor v8.0
1) Tor v8.0 win 32bit from Torproject, the Tor button options new identity and new Tor circuit for this site is unavailable, not listed as an option.
2)Do not track option shoud be a separate check box
3)Using same settings on Tor v7.5.6 and Tor 8.0 security safest, no cookies, do not track strict protection my signiture revealed firefox version tested using http://ip-check.info/?lang=en/

Yes, that's https://trac.torproject.org/projects/tor/ticket/27482 and cause by a missing patch in the tor version we ship. This will be fixed in the 8.0.1 point release. Meanwhile you could use the recent alpha version, 8.5a1 (https://archive.torproject.org/tor-package-archive/torbrowser/8.5a1/) which ships a tor version that contains the fix. Sorry for the inconvenience.

September 07, 2018

Permalink

Is that
network.ftp.enabled;true
network.http.altsvc.enabled;true
network.http.altsvc.oe;true
network.http.spdy.enabled;true
network.http.spdy.enabled.http2;true
really save?

September 07, 2018

Permalink

unfortunately my computer is always freezing with the new update.
but it installs itself again and again.
so it has become worthless. sorry

September 11, 2018

In reply to gk

Permalink

Unfortunately it's going on and on.
Every day again.
I don't think my computer likes this way to be switched off and on again. Py poor harddisks.

I use windows 7 and I'm satisfied with it.

There may be nice new features in tor 8, but it depends on the point of view.
For you as developer the features may be great. For me as a user it's just horrible.

And my previous version is "stolen".

I'm absolutely disappointed.

September 11, 2018

In reply to gk

Permalink

During the last hours my computer crashed FOUR times.

I'm sure it'll be dangerously damaged with using tor 8.

Please let me know how I can get the previous version back.

Are those crashes reproducible? Did you get an error message or what does "crashing" mean? Did you try with a clean, new Tor Browser bundle (64bit) extracted to a different location?

September 14, 2018

In reply to gk

Permalink

The "crashes" are NOT reproducible. I don't know when it happens next or why. And on different websites. "Crash" means. Computer is freezing - can't move mouse anymore, no keyboard, just nothing. The only thing I can do then is: Pushing the switchoff-button. All non saved data is gone etc. And, the worst thing: I'm sure I will destroy my computer with this.
And: After two crashes this morning I installed tor 8 again on another location. Please guess: Same happened again.
So, please: Give me my old tor-version back. Tor 8 is just crap.

September 23, 2018

In reply to gk

Permalink

I've tried the 64bit version. Computer is freezing.
I've installed the new update (from yesterday or so). Computer is freezing.
I've installed Tor on another HD. Computer is freezing.

It does NOT happen with other programmes. It never happened before. Not with Tor7.

Only with Tor8.

I'm sure my computer won't freeze in future. Because it has been destroyed by Tor8 then.

Please give me an answer: What do I have to do to get Tor7 back ???!!!

> During the last hours my computer crashed FOUR times.

> I'm sure I will destroy my computer with this.

Are you seeing crashes when you try non-Tor browsing, or doing something offline on your computer? One possible cause for multiple crashes requiring reboots is that some hardware is failing.

September 07, 2018

Permalink

I need to sync between two Tors.
Is it possible to re-enable firefox sync menu/button/about: in TOR 8?
Thanks a lot.
(I understand it's a security risk but I need to sync bookmarks)

Based on ticket 26058, setting the pref identity.fxaccounts.enabled to true should do the trick.

Instructions:

  1. visit the url about:config
  2. search for identity.fxaccounts.enabled
  3. double click to enable
  4. restart browser

September 07, 2018

Permalink

Is there an IDM alternative you can suggest I can use? Or a way to make it work? Cause its not working anymore

September 07, 2018

Permalink

Just thought I'll mention, but after updating to the latest version I'm unable to get the QR Code from the http://web.whatsapp.com link. It briefly appears then disappears.

Not sure if that option got disabled in the new version.

September 07, 2018

Permalink

Switched OFF automatic Update doesn't work

- Tor Browser 8.0 doesn't work with DisQus
- Tor Browser 7 does work well with DisQus

If i install previous version i set NEVER UPDATE, then few minutes later Tor Browser update itself to 8 ... :'-(

You should check why DisQus doesn't work on 8 and check the problem why doesn't care Tor Browser about its automatic update settings.

Thanks

September 07, 2018

Permalink

At least on Linux the .tar.xz packages are missing the TBB icon (Browser/browser/icons/mozicon128.png) which means no icon in various menus, panels, window lists, etc.

Simply extracting the Browser/browser/icons folder from an older (7.5.6) package over the 8.0 files fixes the issue.

September 07, 2018

Permalink

Is there any advantage of using the browser instead of using the Tor Expert Bundle? Im using both for crawling some Google results and it seems to me that using TOR Browser is easier/faster to find a functional IP for this purpose

September 07, 2018

Permalink

I recently updated my TB & here's my problems

1. User-agent is not manually spoofable
2. Cannot Run in a Sanbox Mode, using the latest firejail.

The UI is not interesting to me but the anonymity is very important. fix this dev's on your next update

September 07, 2018

Permalink

You now have to go to custom menu to add the upper right search bar? And when you do it is too wide so you have to add almost 16 flexible space objects from the same custom menu to the left of the search bar to get it like it was in all previous versions.

Looks like someone is intentionally trying to make it complicated by design for anyone, especially the "new onboarded" users to use anything but Duck Duck Go as their Tor search tool (the only one permitted in the only provided central search bar), possibly arising out of some direct or indirect sponsor relationship with Tor. I use StartPage as default because its servers are not in US jurisdiction and you can secondary proxy from it so requiring it to be manually dropped was a dimly viewed tactic. Downside is that it only uses Google which censors anything so will give only Google results.

The 1/2 inch tabs are not very user friendly either.

September 08, 2018

In reply to gk

Permalink

I have always gone into about:config and disabled keyword searches from URL bar which I am going to do that also with this release as it seems very unnatural for PC users that have plenty of real-estate on their browsers.

September 07, 2018

Permalink

How do I block all Javascript globally with the new NoScript version?

September 07, 2018

Permalink

Why are you calling that spoofing ?

  1. <br />
  2. -const SPOOFED_APPNAME = "Netscape";<br />
  3. -const SPOOFED_APPVERSION = "5.0 (Windows)";<br />
  4. -const SPOOFED_PLATFORM = "Win64";<br />
  5. -const SPOOFED_OSCPU = "Windows NT 6.1; Win64; x64";<br />
  6. +const SPOOFED_APPNAME = "Netscape";<br />
  7. +<br />
  8. +const SPOOFED_APPVERSION = {<br />
  9. + linux: "5.0 (X11)",<br />
  10. + win: "5.0 (Windows)",<br />
  11. + macosx: "5.0 (Macintosh)",<br />
  12. + android: "5.0 (Android 6.0)",<br />
  13. + other: "5.0 (X11)",<br />
  14. +};<br />
  15. +const SPOOFED_PLATFORM = {<br />
  16. + linux: "Linux x86_64",<br />
  17. + win: "Win64",<br />
  18. + macosx: "MacIntel",<br />
  19. + android: "Linux armv7l",<br />
  20. + other: "Linux x86_64",<br />
  21. +};<br />
  22. +const SPOOFED_OSCPU = {<br />
  23. + linux: "Linux x86_64",<br />
  24. + win: "Windows NT 6.1; Win64; x64",<br />
  25. + macosx: "Intel Mac OS X 10.13",<br />
  26. + android: "Linux armv7l",<br />
  27. + other: "Linux x86_64",<br />
  28. +};<br />
  29. +const SPOOFED_UA_OS = {<br />
  30. + linux: "X11; Linux x86_64",<br />
  31. + win: "Windows NT 6.1; Win64; x64",<br />
  32. + macosx: "Macintosh; Intel Mac OS X 10.13",<br />
  33. + android: "Android 6.0; Mobile",<br />
  34. + other: "X11; Linux x86_64",<br />
  35. +};<br />

September 07, 2018

Permalink

Thank you for all of your hard work tor devs!

I know the FF60 migration is a doozy. Kudos for handling in a relatively smooth manner.
Everyone: There will be a bit of pain, but you will settle into the new UX after a short time.

A question about noscript:
The transition to FF quantum and webextensions add-ons seems to have neutered much of noscript's other features such as ABE and ClearClick. As is, noscript is strictly inferior to uMatrix.
uMatrix allows users to trust or deny cookies, css, scripts, http-requests, and more globally or on a per-site basis. (https://github.com/gorhill/uMatrix/wiki/The-popup-panel)

Would the developers be interested in replacing NoScript with uMatrix, now that we must use the trimmed-down WebExtension version?

There seems to be an issue open already for uMatrix and uBlock Origin, but it appears to be dead (I understand why the TBB devs don't want to ship an adblocker. uBlock is an adblocker, but uMatrix is not).

There are only two issues that I can anticipate:
1. I don't know how easily uMatrix can be scripted to interface with tor browser button.
2. From a UX perspective, uMatrix has a lot of knobs. That said, NoScript of yesterday had a lot of knobs as well (they were just hidden behind the settings dialogue). That said, the documentation for uMatrix is great (see the link above), and it can be customized to be disabled by default (permitting all JS, that is).

Again, thank you for all that you do! Much love!

I don't anything about uMatrix but having knobs for things seems rather dangerous. Wouldn't you risk being easier to fingerprint by having a unique set of allowed CSS, scripts, cookies, etc.?

September 07, 2018

Permalink

Soo much new nice stuff, BUT: for me, every next torbrowser update seems to add a bit of weight, making it ever heavier and slower over time...

Isn't there stuff thta can be easily thrown away, making torbrowser both safer and lighter?

Agree that TBB8 seems noticably slower than TBB7, presumably because the underlying FF has gotten much slower.

Anyone (devs or users) have any ideas for ways to speed it up (eg conf tweaks) to make it more usable, without compromising security?

September 07, 2018

Permalink

CrashHang
On this particular 'new-release-tor-browser-80'-page my new Tails system (with this new mzzlah kind of a prod) is completely freezing over and over again while I can browse other large websites (like Nyt.com) without any problem.
So there must be something serious code going on this website.
Are you hacked?
Very annoying to start Tails over and over again.

September 09, 2018

In reply to gk

Permalink

Please, don't blame Tails to quickly :)

I bet that's the exact same bug I'm seeing here right now, on Stretch/Xfce if that matters (with Tor Browser 7.x or 8.0, same thing). And for the records I remember this bug in the past, also on Tor Blog, exclusively! But then I had no time to even start looking at the issue.

So. It's the damn GIFs!

Memory leaks at a rate of 200 MB/sec, soon bringing the OS to swap, until tab is closed. With (much) time, Tor Browser eventually releases up to a third of the wasted memory. Closing the app releases it entirely.

And it's probably not Tor Browser's fault: at least Thunar thumbnailer (tumblerd) has the issue with the same files saved locally.

Within Tor Browser, there's apparently no way to right-click these GIFs, for example to 'Inspect Element" directly, but with such a memory leak speed, there would be no time to load these tool anyway. If the OS starts to swap "too far", there's no escape from limbo.

Even more interesting in my view, while Tor Browser honors site (no) permission for still images, it does not affect these GIF, so they are still rendered.

"Of course" I spent much time trying to figure if NoScipt could be any useful for this (or at all ?). May I join the immense flows of those hoping to see it recovering in a near future :)

"Nuke Anything" addon works for me, selecting text around all 3 GIF at once and right-clicking to remove the selection.

Browsing all comments pages until here was sport, since the whole article is rendered on each comment page, including the GIF which I had to remove each time, growing the memory leak up to new limits :)

This statement of mine:

Within Tor Browser, there's apparently no way to right-click these GIFs,

is now false, I can right-click these GIFs. Not sure exacty which release/component update made a difference but I'm certain I could not before the upgrade to Tor Browser 8.0.

Like I wrote, memory leak is too fast anyway so there is no time to nuke each GIF one after another and nuking the selection remains the only solution I found to date. Everything else also stands true.

Site preference to block images (and which is not applied to GIFs), is not saved, just the same as all NoScript site preferences.

So, lots of steps are necessary to follow this comments thread. More than ever before, I wish there were some way to follow it as easily as mailing lists archives, or tickets (with some summary or a clear chronology, to find new comments easily).

Agree this is not likely to be an issue with Tails, since I am using Tails 3.9 and haven't noticed anything strange on this blog.

@OP: did you try moving the security slider to "medium" or "high"?
Another possibility, perhaps, is that you are suddenly seeing issues suggesting your machine is low on memory because one of your memory cards (if you have several) is failing.

> So there must be something serious code going on this website.

I am using Tails 3.9 (the latest, released same time as Tor Browser 8.0) and haven't noticed anything strange here or at other sites. A little slower, but that is likely due to the critical security fixes which help keep Tails safe from speculative execution attacks.

September 07, 2018

Permalink

Torbutton functionality ???

You just removed two of the most important functions (well 4 actually) from Torbutton.
I just cannot believe it and it is just a disaster!

1) New identity was very useful, used it all the time when browsing
2) As well as new circuit because not all circuits are working as well, and some exit-nodes give trouble.

Now I have to completely close the whole browser in Tails and lose my other settings!

3) Privacy and security settings & 4) Network setting also just removed?!!

Why why why do products always have to change change change meaning loosing functionality!
This is really making me go back to the old ESR / using an older Tails version again.

The forget button is not an alternative because it is not, I repeat, not resetting / clearing history : it is not clearing the caches and you cannot enter a website from an other exit-node without closing the browser which has nothing to do with protecting privacy (au contraire).

This is not userfriendly.

Please calm down. We just moved the functionality out of the Torbutton menu. For the circuit display/new circuit for this site. We tried three times to inform you about it. First on this very blog post. Please read about the changes above. Second on the first page loaded after the update and third on our new onboarding showing the new features in the upper left corner. It moved to the "i" (identity) box on the left of the URL bar. And into the hamburger menu together with the "New Identity" button. That one will be available as a standalone button on the toolbar soon, as it is important, as you say.

September 07, 2018

In reply to gk

Permalink

Thanks missed it tree times
- enourmous blog post with enroumous much information that especially visual handicapped will not all catch but thats is not your fault.
- ther eis no update torbrowser message on tails when installing a fresh new copy of tails
- I am sorry I do not understand unboarding in this context, in the upper left the totbutton only gives two options.

Now for the use ot the other places, the regular browser, firefox uses it in another way so it is not to expect to find the functions there, but thank you for answering and pointing out at the i-button place.
Again, for for visual handicapped poeple (dislexia and son) these big interface changes where everything is different and lots of functionalitity is removed (like in noscript), this is a real hard time especially in combination with frustration about mozilla policies.

thank you for you efforts and hard work.

September 07, 2018

In reply to gk

Permalink

Correct, the poster is not calm. He has a poorly presented point. The transition launch was slightly botched. Your team provided no transition guide to show your existing users where you hid key functions you used to. How is the average user suppose to notice where you secretly hid the new identity feature? You do great work. We love the torproject. New languages support are great, but not very useful to the million existing users you have. What is more useful is a concise transition guide showing where you hid features like new identity to make the 8.0 transition smoother. A blog post "3 things you need to know when transitioning to Tor Browser Bundle 8.0" would have served all sides better.

1) Click on the icon left of http in the URL bar to create a new circuit
2) We hid new identity under the top right menu that looks like three parallel lines
3) Holding Control and Shift while pressing the L key also gives you a new circuit. Holding Control and Shift while pressing the U key also gives you a new identity.

Clear, concise. What every regular tor browser user does all the time. People tune out the other corporate marketing intern type speak. Keep up the good work, we love it.

September 16, 2018

In reply to gk

Permalink

Reviewing the comments, some (one from me) are slightly frenzied. It occurred to me that one way to think about this is that it shows how much so many people rely on Tor Browser, and also that they are used to it "just working" and are unnerved when suddenly something stops working.

We appreciate all your work, and we really really need Tor to survive FBI's "Going Dark" monomania.

September 10, 2018

In reply to gk

Permalink

Not the same user here, but I'd like to point out that that fuctionality is 'kind of' important for Tor users. Having to look for it in a frantic search was... 'quite the experience' for me. Maybe the update-list should mention 'where' the functionality was 'moved to'.
There's still time. ;)

September 07, 2018

Permalink

torbrowser-install-8.0_en-US.exe is signed with key ID D9FF06E2. This ID is NOT listed on your page of keys. Hence I need to assume you have been hacked and your servers are compromised.

September 07, 2018

Permalink

macOS 10.13.6

Whatever I try, the (growl a-like) browser notifications are no longer working.
Kinda sucks when using webmail :/

September 07, 2018

Permalink

Thank you again for all your hard work Tor devs, impressive Quantum migration very smooth.

Is all the previous hard work on ASLR applicable in these new releases code-base?

Sandboxed-tor-browser is better than nothing as you note, alas it no longer functions.
Key is hard-coded and update fails, when key-check successful other fatal errors are reported.

Segmentation of users via OS user-agent string splits all users into obvious separate groups defeating the point of Tor.
Passively reveals data on user for exploits whereby active detectable measures were previously used by remote site to find angles of attack.

Standardized post-quantum crypto has not been mentioned in a while.

Love+Fishes

September 07, 2018

Permalink

Hi.

I don't know if this has been discussed before, but is there a reason why DDG is the default search engine?
Apparently, DDG has trackers on their homepage, they track the ads you click and it has a few other issues in terms of privacy. At least according to the developer of the Privacy Browser for android (https://www.stoutner.com/new-default-homepage-and-search-engine/)

For privacy concerned users, these are pretty much red flags which would prompt a reconsideration and search for alternatives.

September 07, 2018

Permalink

My virus program doesn't like your xul. I myself love the new Tor. My virus program is now quarantining Tor while I am using it. It just told me it has now quarantined the Tor exe. I have had to run the Tor exe every time I used it, since your new Update. I am here again to get a new copy of the Tor exe.

September 07, 2018

Permalink

No matter how you slice it, the math behind this user agent decision just makes no sense. Let's run through the scenarios:

JS disabled - User's anonymity is diminished even though it's completely avoidable.

JS enabled, site doesn't use OS detection methods - User's anonymity is diminished even though it's completely avoidable.

JS enabled, site does use OS detection methods - The user's anonymity is diminished and in this case it's not avoidable, but how does it make sense to reduce it in two cases where it is entirely avoidable just because of one case where it's not? Furthermore, since you will now have users of other OSes spoofing the Windows UA to protect their anonymity in the two cases where leaking their OS is entirely avoidable, in this case where it's not avoidable you're going to split the anonymity sets even further, into people who use Linux (as detected by non-UA methods) vs. people who use Linux (as detected by non-UA methods) but spoof a Windows UA, people who use Android (as detected by non-UA methods) vs. people who use Android (as detected by non-UA methods) but spoof a Windows UA. That is, this "update" to the way user agents are handled not only capitulates to non-UA OS fingerprinting but actually makes the problem even worse.

So basically it sacrifices your anonymity in two entirely avoidable ways to make the one scenario in which it's not avoidable even worse. Seriously guys, people trust you not to make blatantly boneheaded decisions like this.

If the Tor team can't come up with a better rationale for this change than what they have then they need to revert it.

I agree with you, but please note that (if I understand correctly) it was Mozilla's stupid decision, not Tor devs.

I am not hopeful about persuading Mozilla devs to make sane decisions, but I am hopeful that Tor devs will produce a workaround for TBB.

Like Tor Project, Mozilla faces threats from USG to legally mandate "backdoors", i.e. breakage by design. I suspect otherwise incomprehensible decisions which reduce security may represent some kind of compromise with FBI. But once the camel puts his toe inside our tent, he'll keep pushing further and further in, until he owns the damn tent. So I agree, no compromise! No backdoors!

September 07, 2018

Permalink

Congratulations for the new way to get bridges, this is a real innovation ! It perfectly works !

You rule guys !

All the best !

September 08, 2018

Permalink

I am sorry to be stupid about this, but where did you put the list of websites that was previously maintained manually as a list of Trusted Sites? You have some kind of mini-gadget in the top right corner that now deals with trust on the current tab only, but I don't see any way from that UI to get to a list of all trusted websites.

September 16, 2018

In reply to gk

Permalink

I think the OP is referring to the bookmarks which came bundled with previous TB editions.

October 01, 2018

In reply to gk

Permalink

I am sorry but how can anyone who has used Tor be asking me what I mean by "Trusted" sites? Depending on the version, NoScript has an Advanced tab. Under the Advanced tab, there is a subtab named "Trusted" that has on it a list of all the sites you have chosen to permanently trust.

I had 200+ websites on that Trusted list. When I installed Tor 8.0, it looks like it wiped out all of those Trusted sites and now I have to regenerate that from scratch using an entirely different user interface.

September 08, 2018

Permalink

With the version of NoScript available with TOR 7.5.6 I could access, check and (if necessary) amend the settings under Whitelist, Embeddings and Advanced.

How do I access these settings with the current version of NoScript under TOR 8?

Please let me and others know.

Thanks

September 10, 2018

In reply to gk

Permalink

It's not, it's still in a tab under NoScript global preferences.

In Tor Browser 7.x, NoScript global preferences were persistent. Content types default restrictions could also be more finely tuned. There was a global per-site list in there also, but I never used it in Tor Browser, so I don't know if it was working. Either way, Javascript could then be allowed on-demand while browsing, on a per-site basis. And NoScript button menu could include options to make such permissions, permanent.

In Tor Browser 8, NoScript global preferences are no longer persistent (this is a temporary bug, I hope? see https://trac.torproject.org/projects/tor/ticket/27175). Currently, it's like if all preferences were wiped at each application start (maybe even at each new identity?). I can see this includes the list of per-site permissions, since for the first time in Tor Browser, I tried to set a permamnent restriction (cf. GIF issue on this blog).

What I can tell is that on Stretch, Firefox+NoScript were also upgraded. NoScript global preferences were not lost (including my per-site list) and NoScript content-types preferences are still persistent, as expected.

So, if some of Tor Browser Users were relying on such a list in 7.x, my guess is that the current bug wiped it indeed. But it might not be lost? And it might even be possible to re-import it again in a near future?

NoScript "Export" button is also broken here, nothing happens after accepting to download the file. But there is a "debug" frame under the last tab of NoScript global options, which produces some json. Haven't tried to play with it as yet, don't know if the "Import" button would work, either.

September 08, 2018

Permalink

I've run into two problems with the new tor browser update for Linux.
1. Tor no longer remembers window size. Every time I open a new window, It is very small and I have to resize it.

2. Tor does not respect previous gtk3 settings. I previously used dconf-editor to make the file browser (that appears when saving files) always show directories first. Tor browser ignores my settings and jumbles the files and folders together. What's worse is that Tor Browser also changes the global setting, so it messes up all programs that use those gtk3 settings. I'm getting tired of constantly having to reset my option to sort directories first in dconf-editor after every time I use the Tor browser.

Hm. No, Tor Browser is not messing with GTK3 settings, at least not intentionally. Could you check whether Firefox 60.2.0esr does the same on your machine? (You'll find bundles here: https://www.mozilla.org/en-US/firefox/organizations/all/)

Could you check your first issue with this downloaded Firefox version as well? You need to set privacy.resistFingerprinting in your about:config to true. We use essentially the same patch as Firefox for the window size, so let's see whether that's a Firefox bug.

September 08, 2018

Permalink

Hello Tor developers. Tor Browser 8 does not support the IDM (internet download manager) integration add-on that I always download and install from:
https://getidmcc.com/
It is not integrated in the browser at all even though it says the add-on is enabled and when I restart the Tor Browser, Windows 10 shows Tor browser running in the task manager, but the Tor browser window is invisible, so I have to End Task from task manager and reinstall Tor. I tried it several times with new installations and the problem occurs every time. Whenever I install the IDM add-on for "Firefox 53 and newer" Tor 8 window no longer appears on the Desktop or even in the taskbar or with Alt+Tabing, not to mention the fact that the IDM add-on is not even integrated into the browser. I'm using Internet Download Manager version 6.31, which is the latest version, so the problem is with Tor 8.

I downloaded and installed Tor 7.5.6 and was able to again integrate IDM add-on for "Firefox 52 and older" from the above mentioned website and IDM integration worked like before, but Tor browser is automatically updated to Tor 8 and the same problem occurs even though I disabled automatic update from the Options. Please make Tor 8 work with IDM integration, otherwise we won't be able to download any videos from blocked websites. Thank you. I will check back to see if you have looked into the problem and if there is a way around this problem.

September 08, 2018

Permalink

The Tor Browser Bundle does not start, if it's folder is moved to another machine. Running ./start-tor-browser --verbose(in the Browser directory) gives me this Segmentation fault: ./Browser/start-tor-browser: line 373:  1236 Segmentation fault      (core dumped) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class "Tor Browser" -profile TorBrowser/Data/Browser/profile.default "${@}" < /dev/null.
Both machines run fedora 28.
Steps to reproduce:
- Download Tor Browser Bundle version 8.0
- Unpack and run it in terminal with ./start-tor-browser.desktop
- Click connect and close it, once it has successfully started.
- Copy the directory containing 'Browser/' and 'start-tor-browser.desktop' over to another machine(also running fedora 28).
- If you now try to run the Tor Browser with ./start-tor-browser.desktop it doesn't do anything and doing ./start-tor-browser --verbose yields the Segmentation fault above.

September 08, 2018

Permalink

In "preferences" menu I have choice with 2 buttons: "Use the address bar for search and navigation" and "Add search bar in toolbar". When choose the 2nd, I expect that input of address bar will no longer be sent to search engines, i.e. it will always be interpreted as address. However, its behavior is the same as without separate search bar. It is confusing.

Another problem: "about:tor" page suggests me a help link, where "new identity" is still located in old place. You should update that manual.

Have you checked whether Firefox has the same problem (re address bar)? I doubt this is a thing Tor Browser is doing. Regarding your second point, yes, we are a bit late on updating our user manual but should have fixed that soon.

September 11, 2018

In reply to gk

Permalink

Have you checked whether Firefox has the same problem (re address bar)? I doubt this is a thing Tor Browser is doing.
I can test only my old firefox 52.9.0 on Linux. You are right, that version does the same thing (however, it doesn't yet have an option to hide/show search box).

I think in Mozilla's firefox they have this behavior for a long time now. Blocking of sending anything to search engines (that cannot be parsed as address) may be good for security. Maybe it should be fixed in upstream.

September 08, 2018

Permalink

In preferences in "privacy & security" there is a new option "location" (with microphone, camera, etc). How it is related to anonymity, etc? What does this option mean? I understand that tor browser may be used as normal browser too, so may be in some cases this options can be used with some sites, but still it is hard to imagine. Should this option be removed from menu as privacy unfriendly and confusing?

September 08, 2018

Permalink

A Privacy Product designed for deployment on affordable laptop computers
Typical for the underprivaleged and economically excluded, such as disabled and low income
Older midrange general purpose laptoos, such as Dell 3GiB memory default.

A Whonix VM variant with 1215MiB memory worked Fine. It updated from tb7.5 to this HORRIBLE 8.0
To those here complaining about updates never completing: Patience and Vigilance! :-
Observe the disk *writes* as it sorts itself out. WAIT TILL DONE. Then ( and only then ) restart

Did it work? Yeah. *BADLY*. No chance of multiple tabs, one of which was this very Blog.
The complicated moving images built into this blog is a MISTAKE. On a low bandwidth (Mobile)
saving pages EATS egregious amounts of bandwidth, just to get the extra comments as I save
each page. A mode to have ONE page with ALL the coments would be very much appreciated.

Its eaten huge gobs of time - like hours - instead of an expected 20+ mins on a high resource
machine.

Needs WORK people. And a Focus on KISS. Eliminate all of the fancy stuff back to a FAST classic
menu system that is NOT contect sensitive.

I wont comment on teh UX changes, but they are NOT good, when compared with my own main
Workstation. That will be staying with tb7 while I figure out how to Migrate away from this mess.

CRUCIAL to me is the ability to manage and observe What SSL certs and connections get made
Certificate Patrol is HISTORY thanks to this mess.

Suggestions on alternative extensions to effect the same controls are invited.

Posting this - on a Development Worktstation - From tb7 Final. Damn screen keeps jumping around
as the pagelength changes.

There is NO way I'll ever convince anyone to use such a system to preserve critical privacy
( such as challenging illegal surveillance and looking up stuff when fighting some state (under)funded
service that decides to screw them. Without giving away all their plans ( for legal support etc ) to the
Government Dept that REALLY wants to win a case...

LOCKUP and Swapfest when trying to SAVE pages or content for later processing.

Is there ANY WAY of simplifying the GUI to eliminate all this Good look but otherwise HORRIBLY
resource consuming Sh*t? To make the core firefox resource demands Sane Again?

Do Tell!

September 08, 2018

Permalink

Where on earth is the "Take Screenshot" function??? Firefox 60.2.0esr on Debian (recently updated) has it right there under "..." next to the browser bar, while missing from Tor Browser 8.

This is driving me bonkers because the "screenshot --fullpage" console option is gone too.

Also, when I go to "Customize" and "Reset Defaults" for the toolbar, it resets to FF defaults, not TB defaults.

It does work overall, but goddamnit.

September 08, 2018

Permalink

I love the new update but the noscript settings aren't saved so I cannot whitelist sites.

Also, the website notifications are no longer working in OSX. Setting permissions have no effect. They just don't show anymore.

September 08, 2018

Permalink

Note: This release is signed with a new GPG subkey as the old one expired a couple of days ago. You might need to refresh your copy of the public part of the Tor Browser signing key before doing the verification. The fingerprint of the new subkey is 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2.
> it was not possible (no server available with hkps and other server : bug in gpg ?), i used curl (D9FF06E2) then gpg --refresh and all is fine : version 8 runs like a charm (no error).

September 08, 2018

Permalink

Hey,

I just wanted to say that one bug seems fixed. I've posted in here that EMET crashed TBB when "remote.autostart" was on.
With TBB 8 everything works fine.

So thank you.

September 08, 2018

Permalink

is it just my machine or is noscript 10.1.9.1 not working

default for all sites is to allow scripts and options changed cannot be saved - any whitelisted site is gone on next session - settings cannot be exported

September 09, 2018

Permalink

I used to handle with torcheck.xenobite.eu. It was easy to change the IP address (bad exit nodes and so on). Why does the site torcheck xenobite not function anymore? There come maybe 3 addresses and then no connection.
With duckduckgo and the tor circuit it is more difficult. Why don't you set torcheck xenobite in action again????
greetings

September 09, 2018

Permalink

Why did you release Tor Browser 8.0? It is far from ready to be released.
People may be hurt because you have exposed their identity!
Tor Network may also be affected as a result.
Let's face it, since certain purges and certain changes to the internal structure of tor staff it is no longer looking like a project worthy of my money.

September 09, 2018

Permalink

hey, there's something wrong with the javascript.enabled config setting. I disabled it through the about config settings, now I can't turn it back on. Webpage says javascript disabled, even though the setting has been set back to true.

September 09, 2018

Permalink

By using tor 8.o my computer (windows 7) is freezing again and again must must be restarted. What's the problem with it. Unfortunatley I can't get back to the previous tor version.

Not sure. Maybe some Antivirus/Firewall software on your computer is causing that? You could try to uninstall it for testing purposes (disabling is often not enough). Another issue could be that you are using the 32bit Tor Browser. We have a 64bit version on our download page now and it is said that Firefox on Windows is runner much more stable with that one. Could you try that out?

September 09, 2018

Permalink

No XP support, and Intel's 8th generation drivers don't support Windows 7 or 8. Thanks for forcing me to soon move to Win10.

September 10, 2018

Permalink

In Firefox-TBB i see "Cookies and Site Data" in about:preferences#privacy, in vanilla Firefox i don't.
Is that normal or have it misconfigured? When, how?

September 10, 2018

Permalink

no fixes work, waiting for new version. meanwhile force upgrade kills my tor every day, and for that reason i unpack older version over it each day.

What is your issue? And the problem with disabling the updater is that you need to do that before it is checking/starting the update. Thus, you need to modify a preferences file in your Tor Browser profile (I think prefs.js should suffice) setting the app.update.enabled preference to false. I guess you could as well set the preference to false in your about:config but make sure you download the updated files before the update got applied. I have not tried the latter, though.

September 10, 2018

Permalink

How do I force Tor Browser 8.0 to use the local system installed tor instead of the bundled one? Previous versions of Tor Browser, it was possible to set the preferences of extensions.torlauncher.start_tor and extensions.torlauncher.prompt_at_startup to false, but I am unsure if that works here as well.

September 10, 2018

Permalink

JavaScript error: jar:file:///home/****/T%C3%A9l%C3%A9*****/tor-browser_en-US/Browser/omni.ja!/components/FeedProcessor.js, line 1274: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIChannel.contentType]

getting this error on rss feeds surprisingly only through http://www.lemonde.fr/rss/une.xml and http://www.aljazeera.com/xml/rss/all.xml in my feeds.

By the way, how do i know, not related to this release, witch circuits those rss are connected to,
i mean if the sense of the "show site information" button ?

Keep on rocking Tor, cause we like it !

Hm. I am not exactly sure how feeds are working here. But I guess feed updates go over the "catch-all" circuit given that there is no URL bar domain attached to them anymore once they are subscribed to. If that's the case we probably should be smarter than that and load the updates of different feeds over different circuits. You could check the behavior by looking at the Torbutton log output after setting extensions.torbutton.loglevel to 3 (it should be visible in the browser console; if you want to have the output in your terminal flip extensions.torbutton.logmethod to 0).

Okay, I opened https://trac.torproject.org/projects/tor/ticket/27633 for further investigation.

September 10, 2018

Permalink

How can we now prevent pages to reload themselves? This preference was removed with this release and I failed to find any about:config setting that would do the job, is there any?

When posting a comment, the page gets reloaded in a loop every couple of seconds, forever. Stopping and reloading manually does not help. I deleted the set of cookies, cache, active connexions and offline data, only then I could load the page normally again. Not sure if the comment was submitted, so I repeated, also after a fresh application restart and this appears reproducible (third time in two comments). This might be yet-another-unrelated-bug, but not being able to prevent automatic reloading is an issue (also) in this case.

I would regard this as a massive user experience regression, especially for with few hardware resources or little/unreliable bandwitch. Quite a few sites are abusing this "feature", e.g. to update the set of adverts they serve, or whatever other reason.

Same stand for NoScript automatic reloading after amending site preferences one way or another: until this release, it was possible to change them and not reload the page automatically, until we (the User) decided to reload the page whenever we see fit. This was also precious while disabling some permissions after contents had been fetched: terminating javascript execution, without loosing the resulting rendering.

This alone gives me a very frustrating UX on this release. :/

September 11, 2018

In reply to gk

Permalink

Thanks for forcing me to complete my homework :)

For NoScript itself, we had a clear option in the GUI and I think the preference was noscript.autoReload (default: true), I had that orphan setting in my profiles after upgrading. That functionality seems to have been entirely dropped: no GUI option, reload are now automatic when exiting the dynamic menu, if any permission was changed (no matter if added or removed).

For site refreshes on the Mozilla side, GUI option was under Accesibility and named "Warn me when websites try to redirect or reload the page". This one has been removed but the preference is still there and active, sorry: accessibility.blockautorefresh (default: false).

What happens is that it is less effective as the time goes. Feature itself may (?) have been limited to accomodate Google Translate or others, and/or more and more sites apparently use other techniques, even without javascript. Still effective with e.g. OpenWRT landings with luci-ssl, see also the test page linked below. Now helpless with e.g. Panopticlick redirects, your Drupal comment post bug here on Tor Blog, and too many sites to my taste.

Mozillazine: http://kb.mozillazine.org/Accessibility.blockautorefresh
GTranslate: https://bugzilla.mozilla.org/show_bug.cgi?id=1386910
Test page: http://www.searchtools.com/test/redirect/
Tutorial: https://techdows.com/2017/10/firefox-56-warn-me-when-websites-try-to-re…
Genesis: https://bugzilla.mozilla.org/show_bug.cgi?id=465303

I had tested various redirect blockers from AMO, had most of them disabled in one of my Firefox profiles, but they all appear obsolete since the WebExtensions move (didn't search again, just yet).

September 10, 2018

Permalink

no more search field and sites preview when open new tab.
search in config but cant find. no way to back it anymore?it was very useful..im cry..

September 10, 2018

Permalink

Good

September 10, 2018

Permalink

also i put browser.zoom.siteSpecific;true but it still reset sites zoom on shutdown...it very annoing.
so many new crazy settings, stay on ver7.5

September 10, 2018

Permalink

In Tor Browser 7.5.6, in the NoScript Options menu, when connected with vbdvexcmqi.oedi.net, several options were available, including the following two options: (1) 'temporarily allow vbdvexcmqi.oedi.net', (2) 'allow all on this page vbdvexcmqi.oedi.net'. In Tor Browser 8.0, in the NoScript Options menu, (1) is no longer available; only (2) is available. Please restore (1) in NoScript options so I can select the option: 'temporarily allow vbdvexcmqi.oedi.net'. I do not want to select 'allow all on this page vbdvexcmqi.oedi.net'. I want to be able to select the option: 'temporarily allow vbdvexcmqi.oedi.net'. Thanks

September 11, 2018

Permalink

Why the operating system is changing the user-agent in TBB8.0

Is this a Open Survey for which OS surfers use or to hard to programm a static user agent?

September 11, 2018

In reply to gk

Permalink

Add-on installs and configures just fine, but the mouse gestures do not work. No matter which mouse gesture I try, there's always a diagonal line (starting from the upper left corner to the center of the browser window) and then nothing happens.

September 11, 2018

Permalink

The TorBrowser team should look into replacing NoScript with ScriptSafe. It is basically feature equivalent to pre-webex NoScript and, I would say, even more user friendly (in comparison to Noscript's new textless interface which I found rather confusing). It is GPLv3. uMatrix is too finicky.

September 11, 2018

Permalink

How do you make NoScript disable JS by default like it was in the previous versions? Now it's allowed by default so I have to change it every time I start Tor, because the NoScript settings are reseted each time.

September 12, 2018

In reply to gk

Permalink

I remember it being disabled every time I launched it. Anyways, didn't notice the security slider, that's what I was looking for, thanks.

September 11, 2018

Permalink

The New Tor Browser 8 couldn't open the amazon.com website. The earlier version has no this problem, but it always forced my earlier version updated to new version which is pain in the ass.

September 11, 2018

Permalink

WTF men. I can't just see the pictures from the sankaku website! I think TOR now downloads pictures directly, that's the reason!

September 12, 2018

Permalink

The User Agent saga

I think I’ll abandon using Tor 8 and hope that when 8.0.1 is released the problem has been fixed.
After all, in your information about Tor 8 you say:

“For the past year, we have been collecting feedback on how we can make Tor Browser work better for you.” (Question. Who asked for the cessation of UA spoofing?)

“This release is all about users first.”

and

“This is only the beginning of our efforts to put users first (my italics). If you find a bug or have a suggestion for how we could improve this release, please let us know.

In view of the above and the comments on this blog, when is spoofing going to be put back, or is the comment made by one of the contributors of internal efforts to undermine the Tor project itself near the mark?

Thanks

September 12, 2018

Permalink

after sending a message to this blog TBB doesn't stop to reload.
new identity doesn't work:
Torbutton: Unexpected error on new identity: TypeError: m_tb_prefs is undefined

September 12, 2018

Permalink

Tbb is new installed, I want to import my bookmark backup file in .json formatted, after importing the Bookmark Toolbar showing in main window is still empty, but I can see every iterm from menu, why?

...it remembers allowed scripts after new identity...

THIS +1000

Also there's no way to limit the scope of a js to a site. Like if I enable google captcha on one site it is allowed everywhere. You should have invested the manpower that went into "interacting with the new noscript has been challenging" into replacing it with uMatrix.

Could someone from the Tor team comment on this please?

I enabled javascript for the hosts google captcha needs for some site.

After "the session" I revoked all temporary permissions in noscript (top right button in noscript menu", used "new identity" and on the first cloudflare site I hit after that google captchas were still working.

September 12, 2018

Permalink

What is default for cookies(Cookies and Site Data)?
Never/From visited/Always ?

There is no reset-to-default option in TBB8.0. Security slider don't set it to default.

September 12, 2018

Permalink

Hello, Thanks to all you guys developing this software and continue to support it. God Bless You.

I am trying to verify the signature for Tor Browser 8.0 but the signatures I am receiving do not match the signature output from your website.

https://decvnxytmk.oedi.net/docs/verifying-signatures.html
lists:
gpg: assuming signed data in 'torbrowser-install-8.0_en-US.exe'
gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg: using RSA key 0xD1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136

Currently valid subkey fingerprints are:

5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136

I downloaded and verified the new keys from your keyserver and it listed pubkey correct in terminal but not subkey, im on linux fyi.
I downloaded your tor browser 8.0 file and the .asc sig.
My problem is when I verify:
gpg --verify tor-browser-linux64-8.0_en-US.tar.xz.asc
the output for the pub key is correct
but no valid sub key is found ( its not matching) based on your info on the website
https://decvnxytmk.oedi.net/docs/verifying-signatures.html
Any info would be helpful Thank you guys.

-MAGA

September 12, 2018

Permalink

The new NoScript is HORRIBLE, absolutely terrible. Unusable, the program is basically dead, as must be the brains of the developers. This was known already from the "normal" version, but is all the more apparent now that Tor uses it too.
Tor does not work now with this prorgram, which is a kind of bug and certainly a liability.

September 12, 2018

Permalink

Hello, your .asc sig file for linux tor browser 8.0 isnt matching the subkey when I verify
the package.
https://decvnxytmk.oedi.net/docs/verifying-signatures.html

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 -check
gpg --fingerprint 0x4E2C6E8793298290 -check
pub rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 -check
gpg --verify tor-browser-linux64-8.0_en-US.tar.xz.asc -check
gpg: assuming signed data in 'tor-browser-linux64-8.0_en-US.tar.xz'
gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg: using RSA key 0xD1483FA6C3C07136 -Don't Match
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 -check
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 -Dont Match
Currently valid subkey fingerprints are:

5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036 -Don't Match
BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0 -Don't Match
A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 -Don't Match

TorBrowser 8.0 Linux Downloaded from torproject.org
TorBrowser 8.0 asc file Downloaded from torproject.org

any reason why they dont match?

September 13, 2018

In reply to gk

Permalink

@gk
Tor's website @ https://decvnxytmk.oedi.net/docs/verifying-signatures.html
shows this:
" For Linux users (change 64 to 32 if you have the 32-bit package):

gpg --verify tor-browser-linux64-8.0_en-US.tar.xz.asc

The output should say "Good signature":

gpg: assuming signed data in 'tor-browser-linux64-8.0_en-US.tar.xz'
gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg: using RSA key 0xD1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136

Currently valid subkey fingerprints are:

5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 "

When I open Terminal and verify the package tor browser 8.0 linux along with the
tor browser 8.0 .asc file, the subkey fingerprints are not matching in my
terminal from what is listed @ Tor's website. None of the 3 valid subkey
fingerprints listed @ Tor's website is matching the output I get in Terminal.

example:(cant show you what key it lists or the rsa key( privacy concerns).

but I am giving you enough info for you to understand whats going on.

My Terminal info example:
gpg --verify tor-browser-linux64-8.0_en-US.tar.xz.asc
gpg: assuming signed data in 'tor-browser-linux64-8.0_en-US.tar.xz'
gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET (replace wed 15 nov 2017 with sep 2018 obviously)
gpg: using RSA key 0xD1483FA6C3C07136 (This RSAKEY Doesnt match mine)
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown] (Matches mine)
gpg: WARNING: This key is not certified with a trusted signature! (Matches mine)
gpg: There is no indication that the signature belongs to the owner.(Matches Mine)
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 (Maches Mine)
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 ( Doesnt match my subkey)

Currently valid subkey fingerprints are:

5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036 (Doesnt Match my subkey)
BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0 (Doesnt Match my subkey)
A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136 (Doesnt Match my subkey)

So either tor's webmaster @ https://decvnxytmk.oedi.net/docs/verifying-signatures.html
has not updated for the new keys tor released for tor browser 8.0 from this:

Quote from Tor release notes @ https://vbdvexcmqi.oedi.net/new-release-tor-browser-80 below:

"Note: This release is signed with a new GPG subkey as the old one expired a couple of days ago. You might need to refresh your copy of the public part of the Tor Browser signing key before doing the verification. The fingerprint of the new subkey is 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2."

So When Tor is telling you to update your key ( yes Tor does infact have keys which u claimed u did not)
@ https://decvnxytmk.oedi.net/docs/verifying-signatures.html
Here is what that part of tor's website is telling you to do.

"The next step is to use GnuPG to import the key that signed
your package. The Tor Browser team signs Tor Browser releases. Import its
key (0x4E2C6E8793298290) by starting the terminal (under "Applications
in Mac OS X or Linux) and typing:

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290"

Why are the keys not matching? RSA key and the 3 valid subkeys listed @
https://decvnxytmk.oedi.net/docs/verifying-signatures.html are not matching
the release of Tor Browser 8.0 Linux package downloaded from https://decvnxytmk.oedi.net

I hope that helps you understand more clearly @gk

September 16, 2018

In reply to gk

Permalink

I suggest that the Exec Director assign someone to update anything having to do with signing keys used by users to verify the latest release of TB, including

o checking certificates used at TP websites and generating new ones before they expire

o extending lifetime of signing subkeys or generating new subkeys

o updating the webpage listing the signing keys used by TP

o sending latest key information to keyservers (recommended keyservers would be a good item to add to the webpage, but might need to be updated regularly).

TP should not perform these critical tasks in such a haphazard manner, which tends to suggest TP doesn't think it matters because TP knows something users do not (yet), probably related to FBI's "Going Dark" monomania.

September 12, 2018

Permalink

How would I go about disabling connection though Tor network, while preserving other browser features? On Tor Browser 7.5.6 it was done by setting about:config => network.proxy.socks_remote_dns to false and setting Options => Advanced tab => Network to No Proxy (the recipe is borrowed from here), now it doesn't seem to work (Tor Browser simply looses network connection). Is it at all possible to achieve in Tor Browser 8?

Hm, this works for me. Just loading that page should trigger the problem, right? Which exact Windows bundle are you using (32bit? 64bit? locale?)? Does it work for you if you install the 64bit version of Tor Browser downloaded from our website to a different location?

September 14, 2018

In reply to gk

Permalink

Yeah, trying to load the page and the error pop-up. Iam using Windows 7/ 32 bit. Tried to install the 64 bit version as for tor........not possible, wont let me do that since i have a 32bit operating system.....unless there is a way to do that, which i dont know..............thanks in advance

Hm. Do you have some Antivirus/Firewall software installed that could be interfering here? If so, which and could you uninstall it for the time being to test whether that solves your problem? (disabling is often not enough)

September 20, 2018

In reply to gk

Permalink

Antivirus/Firewall unistalled, and iam still getting the same error

September 12, 2018

Permalink

someone stated it clearly, so i'm only going to echo his words. this version of Tor should have never been released yet, it's just not ready at all. you're putting a lot of users at risk for no good reason

September 12, 2018

Permalink

NoScript has an icon for 'Reload' but NoScript does this
automatically!
How can one prevent this?

September 13, 2018

Permalink

I'm unable to run TBB 8.0 on my system apparently because it's based on FF Quantum. Is there a way to at least update only Tor in TBB 7.5.6? Simply overwriting the files from unzipped 8.0 didn't work.

September 13, 2018

Permalink

Nem jó! Remeg a képernyő! Ledobál email írásnál, összeömlik, újraindul!
Gmail.hu nem jó! És ugyna olyan lassú!

September 14, 2018

Permalink

Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus....

No, it looks like sandwich not hamburger at first glance at the icon, it's the main menu of FireFox.

September 14, 2018

Permalink

Is browserleaks dot com a useful website to check how your browser performs in terms of privacy and security?

when I click on the HTML5 Canvas Fingerprinting it knows I am using Torbrowser?

Uniqueness × False (Tor Browser signature)

We don't hide the fact that Tor Browser users are Tor Browser users. So, it's okay if any site is saying "You are a Tor Browser user". I don't think that website is a good one regarding the security track record of your browser. Nor do I think it is a good one for showing how you fare with respect to your privacy. I don't have a good one for recommendation right now, though, alas.

September 14, 2018

Permalink

I am sad that you no longer support windows XP. After years of using it I know where every storage file is located which I can wipe after use. I find linux a pain up the butt to setup due to its constant need for your setup passwords. Now it seems I can't use any onion sites and I am not going to pay all that money for a new windows OS. So good luck and farewell.

September 14, 2018

Permalink

I suspect the developers are using the latest computers and software and have forgotten half the world are still using older stuff. I just got an error message "your system is short on virtual memory please shut down and restart". I keep the paging file disabled and never have problems as I have at least 2gb RAM. Seems like many are having problems with this newest version.

September 15, 2018

Permalink

Previously I was able to comment on news websites using my fake Facebook account if I allowed third party cookies in the Tor browser but now even if I allow third party cookies websites don't know I am logged in to Facebook and I am not able to comment on the news articles.

September 15, 2018

Permalink

Warning:
For me the recent upgrade from TB7.x to 8.0 broke noscript.
Noscript says it was working but it clearly was not when a (luckily non malicious) website managed to run a jacascript.
I looked and the default setting in Noscript was Trust All
Check your settings and visit a safe site to test them.
Developers: Please make sure the package installs without compromising security.

September 15, 2018

Permalink

20180915

Tor Browser 8.0 issue report:
don't wanna all blahs? go to "The issue" bellow

Had just downloaded and used today.

DISTRO: torbrowser-install-8.0_en-US.exe win32
MD5: acb44ca853c1c4a7359a53e6486cf723
TARGET PLAT: a very dodgy[1] windows 7 install

======

The issue:

It's openning SOME pdf files with the internal pdf
applet instead of downloading it - EVEN AFTER manually
configuring the Options-Apps-PDF-download option.

Dunno if it's FF or TB issue. PLS let FF team know!

I'm guessing it's failing when the target file have
a dodgy fname extension on it.
Those "fname templates" used to be downloaded normally
in the previous version.

======

[1] everybody putting their hands on, leaking through all
it's pores - evil forces sanctuary - (but TOR networking
seemed fine - no leaks).

September 15, 2018

Permalink

The internal Tor Browser circuit viewer has never worked for me. I assume it has something to do with my usage of Qubes-Whonix (and perhaps it doesn't work on regular Whonix either). Is this a Tor Browser bug or a Whonix bug most likely? Exactly how does the circuit viewer work? Getting a new circuit works fine so it has some access.

I am inclined to say this is a Whonix bug but I am not very familiar with it, so it is hard to say. The circuit display works by keeping track of circuits per domain: Tor in Tor Browser uses different circuits for different domains and is asking via the control port about their status. On getting that back from Tor it constructs the display for the currently visible domain in the URL bar.

September 16, 2018

Permalink

I tried to get my higih sierra mac to send data through the TOR browser. I used sock proxy server with 127.0.0.1 with port 9150. It works but the DNS used is the DNS picked up from my computer or entered manually on my computer. Can I use the TOR browser to sent my DNS request through.

September 17, 2018

Permalink

I'm sorry but the new UI is really bad. I have no idea how to do anything now. And now I'm afraid I'm going to end up messing up something. However, I'm very pleased that Tor Browser is based on a newer and more secure Firefox base but I highly recommend that newer Tor Browser versions go through more rigorous UI review to prevent users from inadvertendly hurting themselves due to infamiliarity with the UI.

September 18, 2018

Permalink

Usually Tor browser blocked the images, but you could allow them ("allow in the future") clicking in the "palette" icon in the left of the navigation bar which appears when some image was first blocked.
Now I dont find this option anymore, and sites like whatsapp.web cant load the QR code image...
Like in my office where I need Tor to access this sites for proxy blocking reasons, I cant find a solution for this issue.
Someone?

September 18, 2018

Permalink

До обновления было всё хорошо, работало без нареканий. После обновы стал висеть как фанера над парижем. Как откатить обнову? Бесит. Работала в 8-11 вкладках, сейчас тянет только 1 и то со скрипом!

September 19, 2018

Permalink

Can you please push my most dearest Mozilla Inc. to set
media.gmp-eme-adobe.enabled;false
media.gmp-manager.updateEnabled;false
in Firefox, too?
Would be very very nice.

I don't like ...unasked phone-home.

September 19, 2018

Permalink

I only use Relays and Guards that run current version of Tor and do not have the flag "Not Recommended". New version 8.0 allows for a new circuit but binds you to the same guard...that often is "Not Recommended". You guys don't need me to tell you that ALL things must be correct when establishing a secure connection. If we can not change the Guard when necessary it renders Tor useless as a (best of) security option. ----- hate to say this but the new design makes it difficult for new users to get Relay Information and as someone who pays attention to UI it seems intentional! Hard to check relay, no way to change Guard...this could conjure up conspiracy theories or resurrect old established ones. PLEASE advise as best way to change a complete circuit, including the Guard. -- Thank you

go to this page: https://decvnxytmk.oedi.net/docs/signing-keys.html.en
click on this link (open in new tab): 0x4E2C6E8793298290.
click the first certificate on the page that opens: pub 4096R/93298290 2014-12-15. save the certificate as a text file.

for further instructions go to https://decvnxytmk.oedi.net/docs/verifying-signatures.html.en

September 20, 2018

Permalink

I'm kind of lost. I have to keep reinstalling Tor every time I want to use it now... It just goes straight to the browser when I open it without trying to connect to anything and it says the proxy is refusing all connections. I do a new install in a new folder each time... this is getting old. I've used Tor for years and this started with 8.0. Also, the NoScripts extension has all types of scripts enabled by default... why? Only "object" scripts were not checked for "allowed" - everything else was.

September 20, 2018

Permalink

I'm using Windows 10 and downloaded TBB 8.0. The Tor button at the top left is missing the option to start a new identity. Unless it's somewhere else now I don't know. I now close the entire browser and reopen it to start new.

Thank you.

https://postimg.cc/tZqdDDGz

September 20, 2018

Permalink

tor 8.0 is not loading any pages and doesn't open any new tabs it just seems frozen on windows 7 why ?

September 21, 2018

Permalink

I am using torbrowser in chroot environment under CentOS 6.5 Desktop. I think it's the worst release from 3.x until now because of many unnecessary and destructive changes. Each of them brakes the existing script and force to edit it. For example, executable firefox changed to firefox.real, libmozgtk requires libgtk-3, libgdk-2, which in turn have other dependencies. So other software upgrade is needed.

May be other changes are needed and they can be done of course, but after reading this blog I stopped fixing the upgrade on my machine when learned that User-Agent header doesn't spoof OS any more. I think it's a critical degradation and witnesses that developers making decisions became inadequate.

Another huge degradation is abandoning old OS such as Windows XP. Now torbrowser can't be installed on old hardware under Windows. I have several computers and the most modern of them produced in 2007. I don't see any reason to upgrade my hardware, it absolutely meets my needs. It tends to that only rich people will be able to use torbrowser who can afford modern computers with fashionable OSes. So I decided not to upgrade yet and will see how things will happen.

The best solution, in my opinion, is to support a simple web browser for people who don't need modern software and just want to do their work. I think that such a solution wouldn't be so expensive as fixing permanent firefox updates.

Do you have steps for reproducing the error? Something that could help us debugging the problem. For what it is worth: loading the flashback website works for me. What error do you get?

September 21, 2018

Permalink

TOR 8.5a1 on Linux doesn't work with Disqus. It hasn't since adopting FF Quantum. As a troubleshooting step I tried rebooting with all add-ons disabled, but then it couldn't connect to the Onion network: "The proxy server is refusing connections."

This is precisely why I'm still running TOR Tor Browser 7.5.4 on my Win7 machine.

September 22, 2018

Permalink

the TOR browser is showing me a flaw, when I open the TOR browser it appears as a blank page and it does not load any page and it does not open any other tab, it just does not do anything. I would like to know how to solve this problem.
Attached I leave the reference image.

September 26, 2018

Permalink

***********I tried establishing a circuit but no success as see error message*****
9/27/18, 06:45:48.918 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/27/18, 06:45:48.918 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/27/18, 06:45:48.919 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
9/27/18, 06:45:48.919 [NOTICE] Opening Socks listener on 127.0.0.1:9150
9/27/18, 06:45:48.919 [NOTICE] Renaming old configuration file to "C:\Users\GEORGE\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.orig.1"
9/27/18, 06:45:48.919 [NOTICE] Bootstrapped 5%: Connecting to directory server
9/27/18, 06:45:48.998 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
9/27/18, 06:45:49.465 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
9/27/18, 06:45:49.623 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
9/27/18, 06:45:49.775 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus
9/27/18, 06:46:18.711 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
9/27/18, 06:46:18.865 [NOTICE] Bootstrapped 40%: Loading authority key certs
9/27/18, 06:46:22.339 [NOTICE] Bootstrapped 45%: Asking for relay descriptors
9/27/18, 06:46:22.341 [NOTICE] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6356, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
9/27/18, 06:46:22.875 [NOTICE] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6356, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
9/27/18, 06:46:23.245 [NOTICE] Bootstrapped 50%: Loading relay descriptors
9/27/18, 06:46:26.346 [NOTICE] Bootstrapped 57%: Loading relay descriptors
9/27/18, 06:46:29.444 [NOTICE] Bootstrapped 65%: Loading relay descriptors
9/27/18, 06:46:29.563 [NOTICE] Bootstrapped 71%: Loading relay descriptors
9/27/18, 06:46:29.934 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
9/27/18, 06:46:30.342 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:30.342 [NOTICE] Our circuit 0 (id: 17) died due to an invalid selected path, purpose General-purpose client. This may be a torrc configuration issue, or a bug.
9/27/18, 06:46:31.326 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:32.321 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:33.329 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:34.353 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:35.340 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:36.324 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:37.336 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:38.335 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:39.343 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:40.317 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:41.324 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:42.316 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:43.338 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:44.344 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:45.344 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:46.350 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:47.351 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:48.345 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:49.333 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:50.339 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:51.329 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:52.340 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:53.477 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:54.343 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:55.339 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.
9/27/18, 06:46:56.313 [WARN] Failed to find node for hop #1 of our path. Discarding this circuit.

September 27, 2018

Permalink

Hi,
I use windows 7 SP1, i update for last version the TOR but i have a problem, when i try start my TOR now return an error say

the file can't be found or you not have permission to open this file.

i try again and nothing...

Sorry my ingles.

October 06, 2018

Permalink

I have an older Mac: iMac "Core 2 Duo" 2.0 (T7300), model: A1224 (EMC 2133), ID: iMac7,1 RAM: 1 GB VRAM: 128MB, 259 GB HDD.

I have a 5T solid state HD external and a 500 GB HD external for TimeMachine.
I am using Mozilla Firefox 47.

My question is what Tor release would be best for me to use? I want to use Tor 6.5.1 (based on Mozilla Firefox 45.8.0) now, but just starting. I downloaded it a while ago.

October 15, 2018

Permalink

Buenos días.
perdón por hacerle este pregunta.
quisiera abrir un correo anonimo, pero no encuentro el enlace para hacerlo.
¿me podría ayudar?. gracias