New Release: Tor Browser 8.0.4

by gk | December 11, 2018

Tor Browser 8.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.0.4 contains updates to Tor (0.3.4.9), OpenSSL (1.0.2q) and other bundle components. Additionally, we backported a number of patches from our alpha series where they got some baking time. The most important ones are

  • a defense against protocol handler enumeration which should enhance our fingerprinting resistance,
  • enabling Stylo for macOS users by bypassing a reproducibility issue caused by Rust compilation and
  • setting back the sandboxing level to 5 on Windows (the Firefox default), after working around some Tor Launcher interference causing a broken Tor Browser experience.

Moreover, we ship an updated donation banner for our year-end donation campaign.

The full changelog since Tor Browser 8.0.3 is:

  • All platforms
    • Update Firefox to 60.4.0esr
    • Update Tor to 0.3.4.9
    • Update OpenSSL to 1.0.2q
    • Update Torbutton to 2.0.9
      • Bug 28540: Use new text for 2018 donation banner
      • Bug 28515: Use en-US for english Torbutton strings
      • Translations update
    • Update HTTPS Everywhere to 2018.10.31
    • Update NoScript to 10.2.0
    • Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
    • Bug 25794: Disable pointer events
    • Bug 28608: Disable background HTTP response throttling
    • Bug 28185: Add smallerRichard to Tor Browser
  • Windows
    • Bug 26381: about:tor page does not load on first start on Windows
    • Bug 28657: Remove broken FTE bridge from Tor Browser
  • OS X
    • Bug 26475: Fix Stylo related reproducibility issue
    • Bug 26263: App icon positioned incorrectly in macOS DMG installer window
  • Linux
    • Bug 26475: Fix Stylo related reproducibility issue
    • Bug 28657: Remove broken FTE bridge from Tor Browser
  • Build System
    • All Platforms
      • Bug 27218: Generate multiple Tor Browser bundles in parallel

Comments

Please note that the comment area below has been archived.

December 12, 2018

In reply to gk

Permalink

I looked into it more. One or several fonts don't work correctly in 8.0.4. It isn't a particular website and not on every website. 8.0.3 works flawlessly. Here are the screenshots to explain better. I don't think it's the tor protocol.

https://postimg.cc/fVYv19s4
https://postimg.cc/jwDn0pfW
https://postimg.cc/1Vc9LBvn
https://postimg.cc/hXhXdFC2
https://postimg.cc/Yvmp7tDB
https://postimg.cc/N5331mDZ

What is the cause for this?

Hard to say. My guess is some software on your system interfering with Tor Browser. Looking at the Changelog for 8.0.4 I somehow doubt this is caused by any of our changes. But maybe that's some weird sandboxing related thing. Does opening about:config and setting security.sandbox.content.level to 2 (and restarting) solve this problem?

December 13, 2018

In reply to gk

Permalink

security.sandbox.content.level is and was set to 2 already for many reboots and TorBrowser restarts as well. I didn't ever change it. My guess is this setting was and is set to 2 all along. After reading the Changelogs i also doubt if those changes could be the cause. Windows can't be the problem. All TorBrowsers since 4.0.0 and all versions before that run very good. It isn't very likely that some software could pose a problem. 8.0.3 runs. It is only 8.0.4 that suddenly has a bit of a difficulty.
Some software interfering with Tor Browser i would have noticed and would have cleared the problem. I would have happened in previous versions, but it did't.

Did the compiler say anything? Perhaps messages different between 8.0.3 and 8.0.4?

But the sandbox level should be on "5" now after the update. So, I wonder what went wrong in your case, or did you set that preference to "2" yourself?

Additionally, it would not be the first time that minor version updates, especially if they contain updates to Tor as well (which this version does), causes issues with installed Antivirus/Firewall software. So, I would not dismiss that option right from the beginning.

December 14, 2018

In reply to gk

Permalink

Found the problem. 8.0.4 works on bare metal but not in Virtualbox. Previous versions work both ways, including 8.0.3.

December 14, 2018

In reply to gk

Permalink

Tried both sandboxing levels 5 and 2. 8.0.4 won't run correctly inside of a VirtualBox VM. Seems sandboxing isn't the problem. No Antivirus. Guest Additions installed. Flashplayer installed, not as plugin or addon.
But aside from that, 8.0.3 and previous versions prevail.
Tried the partial update from 8.0.3 to 8.0.4 and the complete new download of 8.0.4. Doesn't work both ways.
But overwriting the old \Tor directory with the new one, it works with all versions up to 8.0.3.

My issue with fonts is kind of similar but I get a mirror image of the text a lot, even on Torproject.org, this has been happening for a little while not just 8.0.4 maybe since 8.0

imagine the text but when looking in the mirror, it will be upside down and backwards. a lot of time it will refresh by itself and looks fine.

December 12, 2018

In reply to gk

Permalink

OK. so snowflake is not available for Mac OS as the only built in transports are obfs4, obfs3 and meek azure.

December 11, 2018

Permalink

Tor often wont work and is incredibly slow. Has this upgrade addressed these issues - or is it a censorship issue in New Zealand.

Also I understand 'Brave' works with Tor - how can I configure this as preferences greyed out.

Thanks a bunch -This crone is not well versed in tech world - but endeavoring to stay ahead of the game.

"... incredibly slow. Has this upgrade addressed these issues - or is it a censorship issue in New Zealand"
Maybe your ISP has implemented a biased policy against Tor users? (an imaginative guess)

"I understand 'Brave' works with Tor - how can I configure this as preferences greyed out"
I've never tried Brave browser. Are you saying that Brave's preferences won't allow you to set proxy connections (to connect through Tor)?

"stay ahead of the game"
reminding me of the joke about needing only to be faster than someone else, when running from a bear.

December 11, 2018

Permalink

Every new open tab freezes the tor browser until it charges. Also, until now, tor browser no integrates with the desktop theme.

Linux

December 11, 2018

Permalink

Tip for everyone:
If you use a bridge, occasionally check which version of tor that the bridge is running, and check whether or not the bridge's version is "Recommended" anymore. Go to the Relay Search on https://metrics.torproject.org/rs.html and paste the bridge's fingerprint into the search box.

For developers:
It would help if bridges in torrc were automatically checked for "Recommended" tor versions and notice was supplied instead of neglectfully assuming they are all updated.

The bridge check should be in Tor Browser? Or is that supposed to be a check in Tor itself? That said: how should the check happen if one is currently using that bridge? And what is supposed to happen in case the bridge is not "Recommended" anymore?

January 01, 2019

In reply to gk

Permalink

The tor binary could check them itself, and then Tor Browser reads a warning from an output of the tor binary so a warning would be sent to the user regardless of their setup. Users explicitly choose bridges and manually edit connection settings for them, so warnings about bridge status or a reminder to check their flags should at least be displayed to the user.

The network can start its part by removing "Not Recommended" bridges from the BridgeDB request services after a reasonable window of time for operators to update their bridges so the DB is sure to give out "Recommended" and recently expired versions from the start. Next, stronger emphasis could be given to bridge operators in the tor console and to their contact addresses to update in a reasonable window after their version becomes "Not Recommended" or possibly face rejection somehow from the network. Lastly, if taking the extreme step of rejecting very old versions is wise (it might not be for some edge cases), the network could somehow disallow "Not Recommended" bridges from connecting to the network after a reasonable window of time for the operators to update or for the users to find another bridge.

If the user is currently using that bridge, the check could be performed through that possibly old version bridge or optionally accepted by the user through a standard Guard node. Or instead of an automatic check, a periodic reminder (the delay of which could be, say, the length of time that standard Guard nodes are changed) could be displayed to the user to manually visit the Relay Search page and explicitly accept whatever the "Recommended" status of their bridges is. The reminder to check or the response from the program to an explicit "No" answer could include a link to the BridgeDB or related help for the user to find a new bridge if they want.

January 05, 2019

In reply to gk

Permalink

Is the version value trivial to edit? Can someone take old, "Not Recommended" code, modify the version data to an arbitrary Recommended value, rebuilt it, and pass as Recommended? For that matter, is it trivial to pass as any other flags?

December 11, 2018

Permalink

On Tor Browser 8.0.4 (Apple MacOS), screen resolution should be 1000 x 1000, but it is 1000 x 0990.

(On Tor Browser 8.0, 8.1, 8.2, and 8.3 (Apple MacOS), screen resolution should have been 1000 x 1000, but it was 1000 x 0998. On Tor Browser 7.5.6 (Apple MacOS), screen resolution was 1000 x 1000.)

Ticket #27845

Really (?),
it seems there never has been a fixed window size in Mac OS X (for except one time the window was always really fixed to the same size and many people objected to that).
The standard size of an opening window seems to depend on your computer size, screen size and resolution setting, but above all it depends on the setting and place of your applications doc, visible or not?

So:
- Doc visible gives a smaller window
- Doc invisible gives a bigger window
- Using Tails on the same monitor gives (almost?) the same size as in mac os x when having the doc collapsed.
- There are also different sizes between historical versions in combination with the doc settings.

A fast look at some previous browser versions gives at least 4 variation sizes, 1080x1080, 1080x1059, 1080x1044, 1080x989, do not know the exact tails version size right now, but seems to be something around 1080x1080 size.

Btw 1) I did not find the right setting to adjust the standard window size to another value in the about config, or xul file. (What is it?).

Btw2) Does anybody know how to make a screenshot in Tails?

December 11, 2018

Permalink

I am having trouble finding the TBB button that normally appears near the URL. Isn't that needed to change the security settings (slider)? I am running in Whonix, if that matters.

December 11, 2018

Permalink

Bug 25794: Disable pointer events

Bye, bye, smooth scrolling/moving :( But it is finger-printable as hell! Why did you forget to disable it?
Mozilla's spoofing doesn't look great: it's easy to detect whether mouse or touch is used. So, spoofing to mouse is not an option, and https://trac.torproject.org/projects/tor/ticket/10286#comment:19
But having Touch and Pointer Events APIs is a must for Android/pads. But now you enabled autodetection (?) for Android only. So, there is a strong need in development of sane fingerprinting protection for those APIs in the next ESR.

December 11, 2018

Permalink

Onboarding breaks about:tor after the tour completed and restart:
12:42:09.290 NS_ERROR_UNEXPECTED: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getIntPref] 1 OnboardingTourType.jsm:30

I tried that with a clean, new Tor Browser 8.0.4 (32bit) on a Windows 7 machine and did the full onboarding (until the globe got greyed out), then restarted. I could neither see the error in the browser console, nor links not functioning. So, I am wondering what I am missing in my steps to reproduce your issue. Hrm.

So, some progress here. I can reproduce a bug which might be this one with the alpha. But I don't have to complete the onboarding. The links on about:tor don't work right from the beginning. Is that what you are seeing, too? Where do you see the onboarding related exception? I don't see anything like that in the browser console.

December 13, 2018

In reply to gk

Permalink

Yes. The exception is probably from the corrupted pref file, sorry.

December 11, 2018

Permalink

Hello!
I have some problem with Tor. I up-dated Mozilla Firefox and also Tor.
After this Tor doesn't work and I see this communication:
"Failed to bind one of the listener ports."

Do you know what can I do?
Thanks in advance

12/12/18, 04:09:07.537 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:07.541 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.768 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.768 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.768 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.769 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.769 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.769 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:23.770 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:23.770 [NOTICE] Opening Socks listener on 92.126.156.60:8800
12/12/18, 04:09:23.771 [WARN] Could not bind to 92.126.156.60:8800: Can't assign requested address
12/12/18, 04:09:23.771 [WARN] Controller gave us config lines that didn't validate:
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:09:47.232 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:09:47.232 [NOTICE] Opening Socks listener on 92.126.156.60:8800
12/12/18, 04:09:47.232 [WARN] Could not bind to 92.126.156.60:8800: Can't assign requested address
12/12/18, 04:09:47.233 [WARN] Controller gave us config lines that didn't validate: Failed to bind one of the listener ports.
12/12/18, 04:10:06.289 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.289 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:10:06.290 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.290 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:10:06.290 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.290 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/12/18, 04:10:06.290 [WARN] You specified a public address '92.126.156.60:8800' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
12/12/18, 04:10:06.290 [NOTICE] Opening Socks listener on 92.126.156.60:8800
12/12/18, 04:10:06.291 [WARN] Could not bind to 92.126.156.60:8800: Can't assign requested address
12/12/18, 04:10:06.291 [WARN] Controller gave us config lines that didn't validate: Failed to bind one of the listener ports.

December 12, 2018

In reply to gk

Permalink

sorry my english is not that well..
Have you uploaded a new version of the Tor Browser? Yesterday? I have been using Tor since July..
Last night my system macOS Mojave 10.14.2 updated Firefox afterward Tor browser stopped working. I downloaded from this page Tor and again I see that information in the Tor browser window.. and on the bottom left in the browser window is also information that for help I can visit this website or contact support...

December 11, 2018

Permalink

Defect seems to be fixed.

Earlier, after installing Tor Browser 8.0.4 (Apple macOS), the browser screen resolution was 1000 Wide x 990 High, with all browser settings affecting screen resolution at their default-standard settings, but with configuration View/Toolbars/✓Bookmarks Toolbar.

Apparently, bokim, gk, and/or the tbb team implemented a fix because now the browser screen resolution is correctly 1000 Wide x 1000 High with all Tor Browser settings affecting screen resolution at their default-standard settings, except for configuration View/Toolbars/✓Bookmarks Toolbar.

Thank you very much for this fix.

Ticket #27845

No, it does not look like it is fixed.
Still counting different sizes, like these on retina screen with different resolution settings possible (dock visible or not does not matter anymore in case of renewing cricuits).
2000 x 1148, 2000 x 1348, 2000 x 1548, 2000 x 1948 (cut them out by hand so maybe one or two pixels difference could be possible.)

Still (at least) 4 different standard windows sizes depending on your resolution settings.
Maybe someone else can test them on a non-retina macbook with all the 5 different standard resolution settings.

December 14, 2018

In reply to gk

Permalink

Hi GK,

Let's take some pictures with it, see this apple reference page (2 images)
https://support.apple.com/en-us/HT202471

Like Torbutton slider, Apple has an easy slider function available to adjust screen settings.
It will give 4 or 5 options.

It'll be usually in the middle 'default' option.
But not everybody will have the eyes of an 'american eagle', so it can be that someone is taking one of the options left for "larger text" while others (with good eyes, or glasses) take the "More space" (higher resolution) on the right.

I tested them all (5) and made many screenshots (forgot to write down which window size was matching witch screen res) and got different size results as reported earlier (with clean 8.04, and in earlier earlier post with a historic torbrowserversion).
Steps: Adjust screen resolution, renew torcircuit (or open new window) in torbrowser after every resolution change (make screenshots " shift cmd 4 spacebar on windows selection and click).
And you will end up with different sizes.

I guess the biggest difference will be in comparison lowest res and highest res.
Lowest res will off course give you less space on the screen (mine were tested on a 15inch retina) but you can imagine that you will get different results on an 11 inch macbook air (or 12 inch) with a 1366 by 768 native resolution.
Or even on a 13 inch macbook with a 1440 by 900 native resolution.

Apple has a lot of (supported) models that are still working , macbook air, macbook, macbook pro, 11inch, 12inch, 13inch, 15inch, and last but at least with or without retina resolutions.

So sometimes the size of the mac does not allow to have a vertical screen resolution of 1000 or even 1080 pixels because it is just not available and you will get a landscape sized torbrowser window.
When you do have enough pixels in the 'macbag' (with retina and highest resolution available) then you will get a portrait mode torbrowser window.

But, yes, it does not matter anymore if you have the dock collapsed or visible.
It'll give the same window size anyway which was not the case with older versions.

Hope you have enough Mac's around, :-)

Other remarks
1) Your security and privacy is not only depending on Torbrowser.
It depends on your system, your behavior and Apple.

The basic one 'everyone always everywhere forgets' (in any situation) is 'the beginning situation' : just starting using that Mac (or any program or app) right out of the box.
Most problems are created by this out-of-the-box behavior instead of this technical torbrowser issues or windows size fingerprinting.

Please people : open your system preferences pane and look at all the privacy settings!
It will be good for your privacy and security (if you do something with it).

There is (was) a lot of Bing (Microsoft search on your system), or Google around and on top of it all (!) the real time syncing with the iCloud.
It just does not (totally) make sense to anonymously download or save information with torbrowser and directly/automatically put all these documents and information on apple (icloud)servers and then syncing it with all your other (more insecure?) devices.
The weakest point is not your torbrowser but one of your easier accessible other devices or even some sort access to iCloud or just a copy of the iCloud files ('Hi apple may we have a copy of that iCloud backup?).

I, should say ; leave your privacy important files on your protected mac, disable iCloud syncing and look at all the available privacy and security settings on your mac (they are there and waiting for you to do something useful with it!).

Same story with using other programs : look at the preference settings!
Same story with apps : look at the preference settings and what they are allowed to, otherwise they (maybe) steal that information that you got with torbrowser on the mac and synced with iCloud to that device with all these information stealling apps on it.

Mac's are quite safe but the devil is in the iphone/ipad app's details, or even fake app details.
I think you should worry about this (iCloud syncing and spy-app's stealing) above window-size fingerprinting.

Please : never forget anymore, look at what you are allowing programs and app's by at least looking at the preference settings before use (or otherwise asap afterwards).
I'ts better for your privacy, security and even will save you some money because you do not have to hire someone else to fix things again (but what you have lost cannot be fixed! Gone with the wind).

2) Tails Torbrowser question, does anyone know how to make a screenshot of a torbrowser window in Tails with a mac keyboard?

So, am I understanding you right that non of the 5 Apple settings you choose give you a properly rounded Tor Browser window? Or are there just some of those that behave that way? Like: do the default settings work and just the scaled ones not?

December 13, 2018

In reply to gk

Permalink

After installing the update the Tor Browser did not restart. When I tried to open it via my shortcut, I received a notification that the shortcut no longer exists.
I uninstalled everything and downloaded from the website. I used the "run tor browser" option as the update completed and the browser would again not open.
I restarted my laptop and this time tried the shortcut, and again was told it did not exist.
I reinstalled 8.03 and the shortcut works fine. I again updated and once again the browser would not open.

December 14, 2018

In reply to gk

Permalink

I have the same issue. New install of torbrowser-install-win64-8.0.4_en-US on a Win10 machine.
The error I get is "The item 'firefox.exe' that this shortcut refers to has been changed or moved."
My install folder for Tor Browser does not have firefox.exe.

December 12, 2018

Permalink

There is known issue that tor-browser detects system. E.g. in ip-check.info with JS enabled it is:
Mozilla/5.0 (X11) 20100101 Netscape (en-US)
However, now also 32/64 bit is detectable, localtime is detectable, and, I suspect, also timzone:
Linux x86_64 Linux x86_64 (Wed Dec 12 2018 18:51:57 GMT+0000 (UTC))
Is it a new feature?

Second question: is it safe to disable NS if JS is disabled in about:config and security slider is at safest value?

It does not detect your local time. It always returns UTC (wherever you are). And the difference between 32/64 is not detected by that test. The values are set to always x86_64.

We need NoScript for a bunch of features on the slider. So, no, just disabling JavaScript in about:config and getting rid of NoScript is not a good idea.

December 13, 2018

Permalink

I'm not sure what I'm doing wrong but I can't keep orbot connected it will connect for like a minute then it disconnects I've tried everything I can think of I'm no pro I'm still learning some tricks but I'm all out now I need some pro help

December 13, 2018

Permalink

We need NoScript for a bunch of features on the slider. So, no, just disabling JavaScript in about:config and getting rid of NoScript is not a good idea.

Is it described somewhere? I am shocked. javascript.enabled is about disabling JS on pages loaded from internet. NS is about filtering these JS requests from pages loaded from internet. Why do you use NS for your internal purposes when JS is disabled in the browser completely? I cannot understand your design choice. It breaks natural logic.

Another question: If I put my security slider at "safest", is it ok to set javascript.enabled to false to be sure? Can it be harmful at "safest" setting?

We strongly disencourage flipping javascript.enabled and similar preferences in your about:config as there is the risk that users are ending up with unique preferences combinations that make them stick out for fingerprinting purposes or they forget about those and wonder why the browse is broken.

Rather we introduced the security slider idea quite a while ago which is using NoScript functionality to provide 3 different levels of security settings to a) provide a more secure environment for users that feel they need that while b) avoiding the fingerprinting risk as good as possible.

Sure, this is documented on our design doc (which we still need to update for 8.0, though :( ): https://decvnxytmk.oedi.net/projects/torbrowser/design/#other-security.

December 14, 2018

In reply to gk

Permalink

Sure, this is documented on our design doc

So, it says:

High: This security level inherits the preferences from the Medium level, and additionally disables remote fonts (noscript.forbidFonts), completely disables JavaScript (by unsetting noscript.globalHttpsWhitelist), and disables SVG images (svg.in-content.enabled).

I'm not so newbie, I know what I'm doing & I will not forget about it. I have separate tor-browser with safest slider value. I wonder what it will change if I additionally also disable javascript.enabled. I shouldn't get any new fingerprinting issues if I disable JS on "JS-disabled" (slider=safest) browser, isn't it? If not, what's the difference?

December 13, 2018

Permalink

8.0.x
Tor Browser does not terminate correctly. After closing the prog RAM consuming is still increasing and finally it crashes with a system message. This happens since 8.0.0, happend on some earlier versions too. Happens in vmware ws and win host, doesn't matter. Have to stick on 7.5.6.

December 14, 2018

In reply to gk

Permalink

Tor Browser is unmodified, no changes in about:config, no add-on. Reproducible ? Of course it is, any time. I just start the browser, wait until it gets connected, then close, wait several seconds and then the unwanted system messages appears.
After termination with process explorer one can see memory is still increasing beyond +250k.
As I said, same problem with some 6.x. and 7.x versions. Cant remember which ones.
7.5.6 works fine.

December 14, 2018

In reply to gk

Permalink

I knew it.

December 13, 2018

Permalink

I've noticed some alarming things about 8.0.4.

I thought TBB shipped with all the settings set to their safest, but I had to change all these:
1. uncheck all Allow boxes on NoScript's Default tab to ensure nothing is allowed. All boxes had been checked.
2. change TBB's Security setting to SAFEST, it had been on the lowest setting.
3. in about:config change javascript.enabled from True to False.

Aside from having three issues, the most alarming aspect is that ALL the Allow boxes were checked on NoScript's default tab when I installed TBB. Clicking on NoScript's Reset (to change it's settings back to their defaults) results in only three boxes being checked (frame, fetch and other) on the Default tab.

So the default for the Default tab is to allow 3 things, but TBB shipped with all boxes checked. This means that it's not like the plain vanilla NoScript just accidentally shipped in TBB, someone had to check all those boxes.

Does anyone else see this as a major issue? Many people could be endangered by this.

The default level in Tor Browser means that it is the most permissive to minimize breakage on the web. Because as a reaction of breakage users typically think that the browser is not working properly and they take a different one, eg. Firefox and that's bad news for them with respect to tracking and anonymity. That's why NoScript on that level is basically doing nothing. We use NoScript however to adjust security settings on the higher levels ("safer" and "safest").

December 14, 2018

Permalink

Since 8.0.x I'm often getting "400 Bad request" when searching with DuckDuckGo (the default search provider in Tor Browser). This usually happens when searching for the first time in a session, or after some time has passed since the last search. I don't know if this is a fault with the DDG search plugin in the Browser (client-side), or with their server. But if my memory is right this issue appeared only with 8.0.x, so I assume something is not "lined up" properly anymore.
Does anyone else experience this?

December 14, 2018

Permalink

In the last few versions Tor Browser (Linux) has performance issues at higher security settings. The problem appears in at least two ways: 1) the browser takes quite longer to start while consuming all of the available CPU resources; 2) while running it randomly freezes for a few or more seconds, also consuming all of the available CPU resources. The issue becomes apparent at the "Safer" setting, and becomes more annoying at the "Safest" setting (much longer starts as well as freezes).

December 14, 2018

Permalink

I am sorry that I have to comment on this matter again but what you say users of 8 0 4 will see when checking according to your own instructions is NOT what I have found.

When I pointed out this phenomenon under 8 0 2 or 8 0 3 I was told that the differences were attributed to my computer (I think). However, to my mind, no matter how my computer is set up I believe that there is certain information that should not vary between what you say I will see and what I do see.

For example, you say:
“After importing the key, you can verify that the fingerprint is correct:
gpg.exe --fingerprint 0x4E2C6E8793298290
You should see:
pub rsa4096/0x4E2C6E8793298290 2014-12-15 [C] [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096/0xD1483FA6C3C07136 2016-08-24 [S] [expires: 2018-08-24]
Key fingerprint = A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
sub rsa4096/0xEB774491D9FF06E2 2018-05-26 [S] [expires: 2020-09-12]
Key fingerprint = 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

What I do see is:
pub rsa4096 2014-12-15 [C] [expires: 2020-08-24]
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key)
sub rsa4096 2018-05-26 [S] [expires: 2020-09-12]”

In your (above) wording there are two Key Fingerprints which do not appear at all in the text I get.
Why, I downloaded gpg version 3.1.5 from the site you specified?

ALSO

When verifying the package signature, you say that users should see:
“gpg: Signature made Wed 15 Nov 2017 05:52:38 PM CET
gpg: using RSA key 0xD1483FA6C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
Currently valid subkey fingerprints are:
1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

What I and no doubt others get is:
“gpg: Signature made 12/10/18 15:19:22 GMT Standard Time
gpg: using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2”

In the above even the RSA keys do not tally! Surely, irrespective of a user’s machine, when the user gets the verification software (GPG) from the indicated source, something as basic as the signing key should match what you say it will be.

It is only with Tor 8 that I have seen this problem. Whenever I checked a download of TOR 6 or 7 what I got always tallied exactly with what you said. I have not changed machines between TOR 6 and 7 and TOR 8.

Anyway, thanks for the work done by you and your colleagues in helping internet users.

The subkeys that you don't see printed out, it could be due to how gpg works on different operating systems? (just a guess) You could run the command with --verbose.
In your second problem, there is this part:

Currently valid subkey fingerprints are:
1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

and that's exactly the key you see being used - you quoted it yourself:

gpg: Signature made 12/10/18 15:19:22 GMT Standard Time
gpg: using RSA key EB774491D9FF06E2

Notice that this is the same key as above, just displayed in shorter form (start comparing them from the end)

Thanks for your guesses but I don't follow what you say or its logic.

In the first part could you pls clarify what you mean by: You could run the command with –verbose?

I was pointing out that in my first part the two Key Fingerprints are missing and in the second part that the RSA keys do not match.

Are you saying (and could GK please confirm this) that the “Key Fingerprints” and the RSA keys are irrelevant and that the Subkey fingerprints matching is the only thing to check for in order to verify that the downloaded package is OK?

Thanks

December 14, 2018

Permalink

hi so i loged on my computer one day and tor refused to work i undownloaded and reinstalled it and then my mcafee says its trying to change something in my computer and it has been quarentened for safety, why is this? it was working perfectly fine not even a week ago

December 15, 2018

Permalink

Security / anonymity bug?
Go to some site with graphics ( I have tested only images on Instagram )
Click "i" icon
Go to "Show connection details" ( right arrow > )
Then click "More Information"
Select "Media" tab
Double click on an image
Standard Firefox runs and starts connection to some service ( google ? ).
This version of TBB on x64 Linux ( with standard Firefox installed as default browser, obviously ).

December 15, 2018

Permalink

Just got the TOR browser updated to 8.0.4 and nothing works and I mean nothing. Get message that there is an error and that is all with the "restart browser" which then just comes back with the same. Windows 8 OS.

December 16, 2018

Permalink

Im sorry to say but i cannot access any website on this new version of tor I've tried the usual uninstall /reinstall but the problem persists. I've been using since 7.5 and have never experienced this issue. Please look into it thanks.

December 20, 2018

In reply to gk

Permalink

I have this issue too when you type a .onion address into duckduckgo it says I'm using a normal firefox browser to access an onion/hidden service
this needs to be fixed

December 16, 2018

Permalink

Why has the Torbrowser project, for several iterations now, deliberately sabotaged their NoScript plugin to automatically forget NoScript settings and subject users to massive script exposure without them being aware of it? By simply reinstalling NoScript from the official NoScipt site, this issue goes away; ergo, this is sabotage coming from within the Tor project itself. We've heard the lame excuses so far (NoScipt settings allow fingerprinting; silly nubes not liking their websites not working out of the box, etc.) and yet the problem persists...

You can test the alpha release where we implemented this option. (You have to flip a pref to activate it, though). It will be available in the next major stable, Tor Browser 8.5, or earlier if we think we should backport it.

Is this new with this version of Tor Browser? If not do you know when this started? On which operating system does this happen (and which version of it)? Do you get an error message when the crash happens? Which language has your Tor Browser you downloaded?

December 16, 2018

Permalink

NoScript is so bad now, and so pointless, I always uninstall it and use ScriptSafe instead. Its the only way to get rid of NoScript's self-defeating settings, which now have all scripts on by default, ignores your own settings, and ignores your own whitelists. What's the point of it anymore. Probably not safe to uninstall, but its soooo bad that it's now useless from a user's point of view. Sort NoScript out. Make it remember settings. Make sure it switches most scripts off by default. Like it was. Otherwise I and many others will keep on uninstalling it and replacing it regardless of the techy consequences.

December 17, 2018

Permalink

after the update no .onion link will work as duckduckgo says "You are trying to reach an onion/hidden service. (link) via web you will have to use the Tor Browser" wheni am using the tor browser this has completely ruined tor for me any suggestions?

December 18, 2018

Permalink

Greetings,

I have recently upgraded my os from windows xp sp3 to windows 7 pro (64). In this process I copied the tor browser directory in its entirety to the windows 7 disk which was the tor build based on firefox 52.9.0. Tor fired up as usual and performed fine. I used it several times and let it upgrade to 8.0.3 (32 bit). Again all was well. A day or so later I updated to 8.0.4 (64)

The first time it ran I got a window about choosing running in a censored area or not. I chose 'continue'. The tor connection screen came up for a time and the firefox window loaded but in a very small size with no tor related buttons. It would not accept text input. I closed it down. After a minute or so a window opened saying tor.exe had stopped. After a time I tried it again. The tor connection screen did not load and again the firefox window was very small. I did a fresh install of 8.0.4 (32) which did the same thing.

What I think I'm seeing is that the tor related modules are not loading or are damaged. The following are the windows error messages I'm seeing:

[TORBROWSER-INSTALL-WIN64-8.0.4_EN-US.EXE]
Problem signature:
Problem Event Name: APPCRASH
Application Name: firefox.exe
Application Version: 60.4.0.6609
Application Timestamp: 00000000
Fault Module Name: xul.dll
Fault Module Version: 60.4.0.6609
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 00000000029efb10
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033
Additional Information 1: e41f
Additional Information 2: e41fefa4070dd5768c6bd4c2e727562d
Additional Information 3: 01dd
Additional Information 4: 01dd2105e69f9c2f62c308c990b32510

Running depends gives me this:
"System can not these files on the system"
API-MS-WIN-CORE-WINRT-ERROR-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-ROBUFFER-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-STRING-L1-1-0.DLL
DCOMP.DLL
IESHIMS.DLL

I can confirm that these files are not on the win 7 os disk. I've googled this and found several 'solutions' (which did not work) but no definition as to why this situation should exist. Oh, and the three files listed in the dependicies.txt are all the same build as the firefox.exe.

So, I have a tor setup that does not work. I'd appreciate some thoughts. I'm going to go back to a 32 bit setup before 8.0.3 until it will work again.

TIA

Okay, so 8.0.3 32bit and 64bit are working on your computer but 8.0.4 is crashing? Have you tried installing a fresh 8.0.4 on a different location, not using your old profile to check whether the issue might be located there?

December 19, 2018

In reply to gk

Permalink

8.0.3 is not working on this machine, it crashes also. And, yes I did a clean install of 8.0.4. I haven't had a chance yet to go backwards through the older installs. Thanks for the reply.

Well I'm not going to get very far with this! I can not find tor browser 7.6. It is not in the archive directories. I need to get back to the older firefox esr. Do you have any old installers online before 8.? Need some help here.

December 22, 2018

Permalink

Hello. First time here (and first time joining a blog). So the question may be far too simple for the experts. I've just installed this release. Once clicking on the Tor onion allowed to see the circuit/relays. Is that feature still available? If positive where is it now? thanks

December 23, 2018

Permalink

I have a new MacBook Pro, and I had Tor up and running, but after the new software update and the the tor update, it will no longer run. I have tried uninstalling and reinstalling Tor on my computer to no avail. What am I doing wrong?

December 24, 2018

Permalink

Strange thing happened. When on vbdvexcmqi.oedi.net, NoScript switched ITSELF from default/blocked to (temporarily) trusted.

December 28, 2018

Permalink

Beginning with upgrading to tor browser 8.0, a warning about having javascript enabled flashes up for a brief moment when visiting http://dreadditevelidot.onion, despite having the security slider set to safest. Is this a general bug in Tor Browser/NoScript, like having javascript enabled for a short time before being blocked (couldn't find anything related to this on your bug tracker, or better: Nothing I could relate to this, which is not necessarily the same), or just a problem with the website itself?

Implementation of the warning:

Warning!
You have JavaScript enabled, you are putting yourself at risk!
Please disable it immediately!

.jsWarning { display: none !important; }

January 09, 2019

In reply to gk

Permalink

Yes, every time straight after bypassing the chapter, same when clicking on a thread there, visiting a different sub, changing to the next site or whatever..

It's not my personal problem either, and I'm flat out stunned that it worked for you, there are several threads about this issue over there:
http://dreadditevelidot.onion/post/1def1de2bdde152b2a0d
http://dreadditevelidot.onion/post/da8125d0bb936e7e6b7a
http://dreadditevelidot.onion/post/70cd3127de06e831e179
http://dreadditevelidot.onion/post/5c1fcd0539a3a5484eb3
http://dreadditevelidot.onion/post/4be277ae5aa98048062d
to name just a few of them.

I don't care too much about the forum itself, I'm more interested to know whether this is a bug in noscript/tor browser which should be addressed.

I'm on linux as well and run tor browser without any modification.

Also, sorry for not using codeblocks in my previous comment, the formatting got messed up completely - that's definitely not the way the warning is implemented as you might have guessed.

January 10, 2019

In reply to gk

Permalink

Thank you!
For what it's worth it: The issue stays the same when using regular Firefox routed through tor with noscript enabled. Disabling javascript in about:config however will get rid of the warning, in Tor Browser as much as in regular Firefox.

January 11, 2019

In reply to gk

Permalink

Final note: Retesting with tor browser 7.5.6 gives the expected result: The warning shows up as intended when the security slider is set to standard or safer, no warning on the safest level.

January 12, 2019

In reply to gk

Permalink

Disregard my last two comments, I saw the outcome on trac.

Thank you very much for reassuring that this is purely a cosmetic thing rather than a weakness in NoScript/Torbutton! Also thanks to ma1 for the detailed explanation.

December 30, 2018

Permalink

Windows 10, Tor Browser 8.04, I get no bookmarks toolbar visible. I can add bookmarks and go to them by clicking on bookmarks and then navigating to my favorites folder.

January 10, 2019

In reply to gk

Permalink

No.

January 05, 2019

Permalink

It would be nice to end this problem of every time I start Microsoft Windows 7 again, connect using OpenVPN (doesn't matter the service provider, happens with all) I always get, the first time I try to connect, the error window explaining that TorBrowser is not properly protecting the session. The only way to bypass the error is to close, and execute TorBrowser all over again. The second time I can always connect without problems.

This is happening at least since these new 8 version based on Firefox 60, in previous version I never had any problem.

I've read the same problem from other users in the past here in the Blog so I'm sure I'm not the only one having these problem.

But I don't know it they were connecting to normal Internet or to a OpenVPN service provider first like I'm doing it, to conceal the use of TorBrowser/ Onion use from the ISP (they don't have any problem with the use of ONION, they don't attempt to block it, but one can only guess that should the local government changes their mind in the future I would be immediately in their gray/ red/ black list for using Onion network).

January 05, 2019

Permalink

Why does the TorBrowser seems to only connect to EUA, Canada, Russia and European country's? There aren't any Onion servers on South and Central America country's? And also none in Africa?
It seems that almost all Onion servers are located in country's in 14 eyes (EUA promoted spying network) or with strong bonds with these country's.
It is very strange!

14 eyes and very closed friends: Australia, Canada, New Zealand, United States of America, Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Sweden, Spain, Israel, Singapore, South Korea, Japan, United Kingdom (including: Akrotiri and Dhekelia, Anguilla, Bermuda, British Antarctic Territory, British Indian Ocean Territory, British Virgin Islands, Cayman Islands, Falkland Islands, Gibraltar, Montserrat, Pitcairn, Henderson, Ducie and Oeno Islands, Saint Helena, Ascension and Tristan da Cunha, South Georgia and the South Sandwich Islands, Turks and Caicos Islands)

Tier B countries with which the Five Eyes have “focused cooperation” on computer network exploitation, including:
Austria, Belgium, Czech Republic, Denmark, Germany, Greece, Hungry, Iceland, Italy, Japan, Luxembourg, Netherland, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland and Turkey.

January 12, 2019

Permalink

I really don't get this aversion to adblockers! The "concept" of not wanting to break websites would suggest that all websites could be trusted equally. They fucking can't and the only two things achieved with dropping Ublock is that websites take longer to load and my anonymity gets broken because I'll have to install it myself for a proper browsing experience.
But hey, I shouldn't be surprised, after all the most secure tor browser setting still allows frames of untrusted sites in noscript instead of fully blocking them and deprecating any such objects. Hence the connections to the sites still appear in https everywhere.

To my mind, you should really put umatrix in here instead of noscript with a proper setting that only allows the bare minimum like text, frame and css by standard in safe mode.

January 13, 2019

Permalink

HELP NEEDED!!! VERY URGENT!!!

keeps on loading. and when finally in only half of each page visible. I AM EXTREMELY AGITATED ABOUT THIS!!!

January 17, 2019

Permalink

Are there any good search engines for Tor Browser?
SP and DDD suck, anyone knows ifGibiru is good?

Since Startpage changed their whole look, they are just inferior, results are just not what it used to be not displaying anything or slow, etc. etc...
DuckDuck is so slow, even their Onion version is even slower and buggy, all the time I get Error 400 or 500. and the CEO is all over the news, with BS, not sure if thats a good thing. THey are not saying they dont use supercookies for tracking, or scripts, fingerprints etc...

I have been searching for a while, and found 1 or 2
what do you guys think of this one www.gibiru.com ? seems fast, and claim the same as DDD or Startpage
no IP tracking no cookies. I wonder about supercookies, scripts etc.

another decent one is https://www.discretesearch.com/
any thoughts?

https://www.qwant.com is kind of slow and they are throttling traffic from TOR "too many searches from same IP"

January 23, 2019

Permalink

I use 8.0.4.

I faced an error in mega.nz. My setting is that security setting is safer and script is enabled in NoScript.
The error is that
MEGA failed to load because of

The file "lang/en_foo.json" could not be loaded.

Please click OK to refresh and try again.

If the problem persists, please try disabling all third-party browser extensions, update your browser and MEGA browser extension to the latest version.If that does not help, contact support@mega.nz

BrowserID: mozilla/5.0 (macintosh; intel mac os x 10.13; rv:60.0) gecko/20100101 firefox/60.0

Static server: https://eu.static.mega.co.nz/3/

OS was not Windows but intel mac os x 10.13. My OS was revealed. Is this a bug or not?

January 25, 2019

In reply to gk

Permalink

"MEGA failed to load because of"

The same with k2s.cc, too?
This site isn't working with NoScript.