Tor Browser 8.0 is a big update

Martin Brinkmann
Sep 5, 2018

The Tor Project team released Tor Browser 8.0, a brand new version of the web browser, to the public today.

Tor Browser is based on Mozilla Firefox; more precisely, on Mozilla's Extended Support Release version of the Firefox web browser. It includes Tor, which users of the browser can use to connect to the Tor network to anonymize their Internet connection, and various improvements, especially when it comes to online privacy.

Tor Browser 8.0

The new version of Tor Browser is a milestone release for the project and the team highlights this with the move to version 8.0.

Tor Browser 8.0 is based on Firefox 60 ESR, more precisely Firefox 60.2 ESR, and no longer on Firefox 52 ESR. Mozilla has modified Firefox heavily since version 52.0, and many of the changes found their way into Tor Browser as well. Note that this changes which extensions can be installed in Tor Browser, among other things.

You can check out our coverage of Firefox releases for information on these changes.

Tor Browser 8.0 displays the Tor connection dialog on start just like it did before, but the browser interface that opens afterwards loads a new onboarding experience designed to help new users better understand what Tor Browser is and how to use it.

A click on the "New to Tor Browser? Let's get started" link at the top of the interface opens descriptions and tips that explain core concepts of the browser to new users.

The wizard offers information on privacy and the Tor network. Many of the features link to pages or settings. The Circuit Display link shows users how they can check the relays that a connection to a site uses, and the Security link leads to the Tor Browser Security Settings that users may modify to improve security further.

The new onboarding experience helps new users get acquainted with Tor Browser. Veteran users may not need it at all, but it is displayed only on first launch and can be ignored easily.

Users can open the onboarding page at any time by loading about:tor in the browser.

Bridge Fetching, the process of requesting new bridges, has been optimized in the new version. In previous versions, you had to send an email or visit a website to request new bridges; in Tor Browser 8.0, it is possible to request new bridges directly from within the browser.

To request a bridge, do the following:

  1. Activate the Tor button in the browser interface and select Tor Network Settings.
  2. Enable the "Tor is censored in my country" checkbox on the page that opens.
  3. Select "Request a bridge from torproject.org".
  4. Solve the captcha that is displayed.

Other changes in Tor Browser 8.0

  • Support for new interface languages added: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, and Traditional Chinese.
  • Component and library upgrades to new versions.
  • Reader View mode enabled again.
  • Blocks navigator.mozAddonManager so that websites can't see it.
  • Updater Telemetry disabled.
  • Hides Firefox Sync.

You can check out the full release announcement on the official Tor Project website.


Comments

  1. nartan said on September 14, 2018 at 4:36 am
    Reply

    All uploads fail with TBB 8.0
    I don’t know why.

    1. owl said on September 14, 2018 at 9:04 am
      Reply

      Overview of “All uploads fail” can not be understood.
      Because circumstances and coping differ depending on the system environment being used, it is better to use official FAQ or official SUPPORT.

      Examples that seem to be relevant (FAQ)
      ・I installed Tor but it’s not working.
      https://www.torproject.org/docs/faq.html.en#DoesntWork
      ・My Tor keeps crashing.
      https://www.torproject.org/docs/faq.html.en#TorCrash
      ・Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work).
      https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

      > Tor FAQ:
      https://www.torproject.org/docs/faq.html.en
      > Tor’s combined bug tracker and wiki website:
      https://trac.torproject.org/projects/tor/wiki
      > If you have questions about using Tor:
      https://www.torproject.org/about/contact.html.en

  2. TelV said on September 9, 2018 at 5:21 pm
    Reply

    This article entitled “The Pros and Cons of Using Tor for Online Privacy” is a couple of years old, but worth a read: https://greycoder.com/how-to-use-tor-safely/

    1. owl said on September 11, 2018 at 9:14 am
      Reply

      @TelV,
      That information (by Tracy Knauer • December 29, 2015) is way too old.
      Tor Browser 8.0 is “based on Mozilla Firefox 60.2.0 esr”.
      “HTTPS encryption” is implemented in Browser.
      The essence of “Tor” is countermeasures against Fingerprinting.
      It is a specification whose config related to fingerprinting is set to “false”.
      > The Design and Implementation of the Tor Browser [DRAFT] June 15, 2018
      https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

      1. TelV said on September 11, 2018 at 12:30 pm
        Reply

        @owl,

        My understanding of HTTPS encryption is that it can only be enforced if a site supports it. See: https://www.eff.org/https-everywhere

        My only gripe concerning Tor is that adding additional extensions can break your anonymity: https://www.torproject.org/docs/faq.html.en#TBBOtherExtensions

        In that respect I have difficulty reading sites (including ghacks!) that use pale grey fonts. Therefore it’s essential that I can install Text Legibility to turn those kinds of fonts black: https://addons.mozilla.org/en-US/firefox/addon/text-legibility/

        Classic Theme Restorer is also an essential addon I use all the time.

      2. owl said on September 11, 2018 at 2:43 pm
        Reply

        @TelV, I understood the claim.
        Certainly “HTTPS encryption” is, that’s right.
        End-to-end measures, is another means. For example, use of Nord VPN etc.
        Since this TOPIC is about “Tor Browser 8.0 is a big update”
        Issues related to LegacyAddons is “put the cart before the horse”, it seems that personal value judgments.
        At least “Tor Browser 8.0 is” based on Mozilla Firefox 60.2.0 esr “is better than any other Browser.
        By the way, my main Browser is Firefox (ESR, beta, Dev, Tor), but I also use Waterfox, Pale Moon, SeaMonkey, Brave, Iridium, Vivaldi (stable), Otter, Konqueror.
        It is a personal opinion based on those experiences.
        P.S. I was disappointed that Legacyaddons became unavailable. However, now it avoids it by “to use properly.”, and I am satisfied with the newborn Firefox.

  3. Sophie said on September 8, 2018 at 8:42 am
    Reply

    @Clairvaux – thanks for the link. I don’t agree with the commenter’s assertion that Tor is now “horrible”. In fact, it seems to be working better for me than ever, and I might actually use it for a change, instead of having it sit dormant. Of course, people don’t like change.

    I do think though, that there should be a toggle on the toolbar,menu bar,title bar along the top….provided integrally, to just turn JS on and off, instead of having to click through to a slider. I like to be able to reach that real quick and easy…right in front of me. Just my preference!

    Was not quite sure what you meant about (mild) bug? You might mean that Ghacks comments section was misbehaving again. Sadly something we experience these days, though having an account seems to have fixed that (if that’s what you were referring to).

    1. Clairvaux said on September 8, 2018 at 8:00 pm
      Reply

      @ Sophie

      I was speaking of the bug some Reddit commenters identified : apparently, the upgrade to Tor 8 did not respect previous security settings, and the slider had to be readjusted. Maybe you experienced the same thing.

      I agree Tor has become so reactive now, that we might even experience a shortage of servers, which are already rather thin on the ground.

      What are those Ghacks accounts ? I don’t see anything like that.

      1. Sophie said on September 10, 2018 at 9:56 am
        Reply

        @Clairvaux. Thank you for the clarification(s).

        I didn’t have a Reddit problem, but I did read your link. I hope Tor is not taken up in such numbers, that everything grinds to a halt. It really has been faster, and actually usable.

        I found that with a proper Ghacks account, my comments appear immediately. Before, there was often a big lag, causing some issues.

        Thanks!

      2. Clairvaux said on September 10, 2018 at 1:06 pm
        Reply

        Sophie,

        Could you please enlighten me on those “proper Ghacks accounts” ? I can see nothing of the sort on the site. I see a subscription option for newsletters, but that does not seem to be an account proper. I don’t use it, because I have subscribed to the Ghacks RSS feed, which suits me better. I just subscribe to mail alerts when posting a comment, each time.

        I don’t mind that much my comments not appearing immediately. What I do find problematic is receiving mail alerts on comments before they have appeared on the site. You can’t then use the alerts to reply to a comment, unless you’re willing to break the logical layout of the blog, and reply without your comment appearing as a reply. And possibly confusing readers, by replying to something they haven’t yet read.

        I’m surprised you say your comments appear immediately now. I thought they were moderated as well. If they appear immediately, how come your September 7, 2018 at 9:17 pm
        comment came to me as a mail alert at a time it was not yet visible on the blog — and then I made an exception to my workflow, by “pre-replying” to it per my September 7, 2018 at 9:36 pm comment ?

      3. Martin Brinkmann said on September 10, 2018 at 5:27 pm
        Reply

        Hi, feel free to use the contact form to contact me. I can create a (free of course) account here on this site which does away with the caching. So, anything that gets posted should show up immediately. Content that is in moderation still needs to be moderated before it becomes available though.

        The email for comments before they appear may be a caching issue which should resolve itself when you use the account.

      4. Clairvaux said on September 10, 2018 at 9:52 pm
        Reply

        Message sent, thank you very much.

  4. Clairvaux said on September 7, 2018 at 9:36 pm
    Reply

    Pre-replying to the future answer Sophie is about to publish (that was the blogging problem I was hinting at, with my suggestions that irked so much someone a few hours ago…) :

    Maybe you were disrupted by the (mild) bug described in the comments here (don’t take the title at face value) :

    https://www.reddit.com/r/TOR/comments/9dsb4e/new_tor_is_horrible_how_do_i_get_it_to_run_well/

  5. Sophie said on September 7, 2018 at 9:15 am
    Reply

    I continue to like the new Tor.

    However, don’t know if anyone can answer this?

    – I see that Javascript is turned on by default.
    – I see no settings to be able to turn it off, without going into about:config

    I don’t want to add a “Toggle JS on/off” extension, (though I’m tempted) as they all will undermine Tor, by virtue of “permissions” , and adding extensions to Tor is not recommended.

    Noscript is of course included, but that has no JS toggle, and you have to know the address of the site you want to visit, in order to add it to Noscript, BEFORE you even visit that site….so it can’t be considered as a simple, clear, toggle.

    Why is there no setting in the interface, and how have others managed to use Tor in a complete “no-JS” environment, without undue complications in the process?

    Thanks.

    1. Clairvaux said on September 7, 2018 at 11:12 am
      Reply

      No problem. I don’t think this has changed.

      Onion icon > Security settings > Safer or Safest, according to the level of Javascript suppression you’d like.

      1. Sophie said on September 7, 2018 at 9:17 pm
        Reply

        Ah yes, thank you Clairvaux. I’m aware of that slider, but overlooked it completely in favour of some kind of radio button or switch.

        Many thanks.

  6. Anonymous said on September 7, 2018 at 8:25 am
    Reply

    I tried to fave bookmarks to put them on the bookmarks toolbar, bookmarks toolbar empty. I will go to the official documentation to read if I have done something wrong…

    1. Pants said on September 7, 2018 at 8:40 am
      Reply
      1. Anonymous said on September 7, 2018 at 9:55 am
        Reply

        Thanks. Another big update of a software buggy, so common nowadays.

  7. Cathail said on September 6, 2018 at 8:07 pm
    Reply

    This update is an example of why people turn off auto updates.

    It took all morning but I’ve finally got an older version running that didn’t auto update after being told not to. (took 5 delete/install procedures, disc cleaning in between)

    Just the interface alone made me roll back. seeing all the comments on TOR digging out my personal information .. I’m glad it finally worked

    Tabs on top.. fail
    I change tabs way more than I use menu items.. doesn’t it just make sense to have the closest to the page items be the most used items?

    Menu icons.. not text, fail
    Seriously, if you can’t read, what are you doing with TOR?

    Without text instead of icons (that I can barely see) a browser is useless to me.
    Most of the browsers out there have succumbed to the lowest common denominator of intelligence.. pictures instead of text is childish or for people that cannot read.
    A simple fix is classic theme restorer (add on) but annoyingly, doesn’t work with this update.

    check the box to consent to your data being stored in line with the guidelines set out in our privacy policy.. Riiiight….with this caveat.. the info might not be reliable

    1. A different Martin said on September 7, 2018 at 8:46 pm
      Reply

      I have portable program folders and shortcuts for both the current (Firefox ESR 60.x) and previous (Firefox ESR 52.x) versions of Tor Browser. I attempted to protect my “old” Tor Browser install from being automatically updated by creating a user.js in my profile for it, containing just the line:

      user_pref("app.update.enabled", false);

      I have no idea whether it will work long term — meaning however long the previous version of Tor Browser remains safe to use, which may not be all that long — so I created a backup copy of its entire portable program folder, just in case it didn’t. However, I’ve run it briefly a couple/few times, and it hasn’t attempted to auto-update yet.

      In the real long term, however, it’s probably safer for those of us who prefer browsers that support XUL/XPCOM extensions — Pale Moon and (for now) Waterfox — to run Tor as a standalone and then run the latest version of our favorite browser on top of that. Unfortunately, that seems to require a lot more work to set up than it used to.
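A profile that carries the user.js line from the comment above no longer patches itself, which is worth being able to detect when reviewing a machine. The following audit is an added example, not code from the article, the commenters or the Tor Project: it parses user.js text, reports update prefs set to false, and flags lines that are not valid pref statements, such as one copied from a web page with typographic quotes. The sample input is constructed, and app.update.auto is included as an assumption about a second pref worth reporting.

```python
import re

# user_pref("name", value); with straight ASCII quotes around the pref name.
PREF_RE = re.compile(
    r"""^\s*user_pref\(\s*(["'])(?P<name>.+?)\1\s*,\s*(?P<value>.+?)\s*\)\s*;\s*(?://.*)?$"""
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)

# Curly quotes are not string delimiters in a prefs file.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

# app.update.enabled is the pref named in the comment; app.update.auto is an
# assumption added for this example.
UPDATE_PREFS = ("app.update.enabled", "app.update.auto")


def parse_value(raw):
    """Turn the textual pref value into a bool, int or string."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def parse_user_js(text):
    """Return (prefs, problems); problems is a list of (line number, reason)."""
    # Blank out block comments but keep their newlines so that reported
    # line numbers still match the file.
    text = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    prefs, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        # Simplification: a curly quote anywhere on the line is flagged,
        # even inside an otherwise valid string value.
        if any(q in stripped for q in TYPOGRAPHIC_QUOTES):
            problems.append((lineno, "typographic quotes"))
            continue
        match = PREF_RE.match(stripped)
        if match is None:
            problems.append((lineno, "not a user_pref statement"))
            continue
        prefs[match.group("name")] = parse_value(match.group("value"))
    return prefs, problems


def disabled_update_prefs(prefs):
    """Names of update prefs that are explicitly set to false."""
    return [name for name in UPDATE_PREFS if prefs.get(name) is False]


# Constructed sample, not taken from a real profile.
SAMPLE_USER_JS = """\
/* constructed sample,
   not from a real profile */
user_pref("app.update.enabled", false);
user_pref(\u201capp.update.auto\u201d, false);
user_pref("browser.startup.page", 0);
"""

if __name__ == "__main__":
    prefs, problems = parse_user_js(SAMPLE_USER_JS)
    for name in disabled_update_prefs(prefs):
        print(f"updates disabled by pref: {name}")
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```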

      1. ULBoom said on September 7, 2018 at 10:52 pm
        Reply

        I think it will eventually. I increased all the numerical values to the highest they would go in about:config app.update.xxxx settings, removed all the links and it still updated after some time.

        Then I went to Tor Browser\Browser update-settings.ini and changed the one line in it to
        ACCEPTED_MAR_CHANNEL_IDS=0

        Then removed the downloaded update in
        Tor Browser\Browser\Tor Browser\updateInfo\updates
        (just delete any subfolders, files in updates).

        Now I’m back to 7.5.6 with the gray title bar, etc. No updates after a day open, works fine.

        Tor’s so simple, experimentation is without all the potential Firefox pitfalls, just delete the folder (keep the downloaded installer) and reinstall. Tor saves temp files somewhere, Disc Cleanup between installs kept immediate updates from occurring during experimentation.

  8. Gerard said on September 6, 2018 at 5:20 pm
    Reply

    “Users can open the onboarding page at any time by loading about:tor in the browser.”
    Really?

    I get:
    “Hmm. That address doesn’t look right.
    Please check that the URL is correct and try again.”

    1. Martin Brinkmann said on September 6, 2018 at 5:27 pm
      Reply

      Hm, works fine on my end. Can you post a screenshot that shows the address and error?

      1. Gerard said on September 7, 2018 at 12:40 pm
        Reply

        The “problem” mysteriously disappeared. Not sure what caused it.
        BTW, I didn’t like the default settings of NoScript, too much was allowed. That wasn’t the case with previous versions of the Tor browser iirc.
        There are a few interface issues as well. Not all change is progress…

  9. knjgifiygf said on September 6, 2018 at 5:14 pm
    Reply

    TB8 is very strange. I don’t see tor circuit. I don’t know if the JS are turned on or off.

    1. D. said on September 6, 2018 at 5:32 pm
      Reply

      Press “i” from address bar, (look second image from above)…

  10. ULBoom said on September 6, 2018 at 4:14 pm
    Reply

    I’m guessing Martin’s using Windows Dark theme. Don’t like the fact that Tor 8.0 copies your Windows title bar and (tiny)border color. Ver. 7.5.6 kept the generic gray color.

    My Windows title bar color is something I selected from the palette, just a color that looks nice to me, should be close to unique. Whether changing the title bar color is a privacy concern, IDK, seems like it could be. Hardware acceleration can be a privacy issue also.

    Tor isn’t intended to be a VPN replacement; I hope the new more mainstream look (at least as far as FF is mainstream) doesn’t attract a lot of new privacy seeking users and bog down the network to the point where it’s as slow as it was years ago.

    I’ll continue using ver 7.5.6 for now with the updater disabled.

    https://www.torproject.org/download/download-easy.html.en#warning

  11. D. said on September 6, 2018 at 3:58 pm
    Reply

    I noticed “guard node” (first node) that can’t be changed (look second image from above). What’s this all about, does anyone know?

    1. Clairvaux said on September 6, 2018 at 4:38 pm
      Reply

      It’s nothing new. Just that they made it more visible, and added the word “guard”, which wasn’t there before. But the concept hasn’t changed. Technically, it has always been the first of three nodes. It does not change for a given user for 2 to 3 months (and then it might), in order to prevent some de-anonymising attacks.

  12. Sophie said on September 6, 2018 at 11:10 am
    Reply

    Just my take on it : for some reason, this update has suddenly made Tor “spring to life” and work better than it ever has done. It doesn’t feel sluggish any more, and some HTML5 speed tests look better than ever. It almost feels like it’s not Tor.

    I’ve never much used Tor, as it just seemed too slow. But it feels like it’s been really turbo boosted for me, right now, and after this update.

    If this continues, I might just use it more. I’m amazed, quite frankly!!

    1. Anonymous said on September 7, 2018 at 10:15 am
      Reply

      I agree. The interface is modern and faster. It’s cleaner now.

    2. Clairvaux said on September 6, 2018 at 3:34 pm
      Reply

      I agree. It’s faster now. And the interface is cleaner, more modern.

      First noticeable improvement. (I’m not saying the previous ones were unnecessary. Obviously, not everything anonymity-related is visible.)

  13. John Smith said on September 6, 2018 at 8:25 am
    Reply

    whoer.net now correctly detects my real OS no matter how many times I choose a New Identity; this never happened before!

    1. Pants said on September 6, 2018 at 12:28 pm
      Reply

      They haven’t decided what to do with the UA spoofing yet. In FF they spoof the OS as one of four (Windows, OSX, Android, Linux) with Linux being the fallback. The reasons (in Firefox) are twofold: 1. site breakage, lots of quirks and bugs (eg desktop pages served on mobile, keyboard issues) and 2. there are many other ways to determine the OS (*one* example is tcp/ip packet characteristics). The *main* reason is point 1 – FF needs to work for people (for uptake).

      Note that the UA string is sent in headers, so JS doesn’t really play a role here (except to limit exposure of lying).

      FF and TBB have different threat models. For FF, sites need to work, and for reason 1 above, that is enough justification to limit OS to 4 variants. TBB on the other hand can break things and people will expect this given the browser’s mission. JS is disabled by default (so this limits exposure of OS via other means) .. in fact the TCP/IP fingerprinting thing isn’t even an issue via Tor, and other tightened areas also limit OS FP’ing (eg font sets). Another thing to consider for TBB, is that most sites would not dig this deep to detect the real OS, so why offer more entropy when you don’t “have” to. For those 1% or 0.1% of sites that do, big deal – they didn’t gain any more data than if you had given them the real OS anyway. So for TBB there is a real net benefit to spoofing the OS to windows only.

      See https://trac.torproject.org/projects/tor/ticket/26146

      1. Anonymous said on September 6, 2018 at 9:52 pm
        Reply
      2. Pants said on September 7, 2018 at 8:37 am
        Reply

        @Anonymous – that is not a good idea (maybe* dependent on how you implement it). You would no longer have the same fingerprint. You could easily be tracked by the simple fact that you are now always unique

        * if you ONLY changed the platform (to windows 64bit) then you might get away with it, but not always (but again, personally, I think TBB should do this). But until TBB do this, you can easily get caught out – and this will make you unique. Randomizing the UA in TBB is definitely not recommended – go read r/tor

  14. Anonymous said on September 6, 2018 at 8:03 am
    Reply

    Is it possible to replace Firefox by Pale Moon with Tor browser?

    1. Anonymous said on September 7, 2018 at 8:38 am
      Reply

      Ok thanks. I understand if I want to use Tor with another browser I have to be a geek.

      1. A different Martin said on September 7, 2018 at 7:19 pm
        Reply

        @Anonymous: Yes. Because who wants to spend all of their time browsing when they can instead spend all of it making sure their browsing is secure? ;-) But seriously, I welcome this development with the same disappointment and resignation I welcomed the replacement of Classic Theme Restorer with CSS tweaking in Firefox … except that it may actually be worth doing, now that American ISPs are allowed to sell their customers’ Internet activity. The silver lining, I guess, is that when I migrate to Linux, using standalone Tor might actually be easier, if SelekTOR lives up to its claims.

    2. John Fenderson said on September 6, 2018 at 6:10 pm
      Reply

      You can use Tor itself, rather than the Tor browser. If you do that, then all your internet activity (regardless of which browser you use) is covered.

      1. A different Martin said on September 7, 2018 at 1:11 am
        Reply

        It looks like standalone Tor is now called the Tor “Expert Bundle”. Unlike Tor Browser, the only official documentation for it is “Tor -stable manual”. (Of course, there’s the Tor Wiki and third-party sites like Reddit and StackExchange, but apparently no handy guides.)

        Searching the Net for info on standalone Tor, I came across Vidalia, a cross-platform graphical frontend for Tor that I *think* I used to use in Windows XP, but I see on Wikipedia that it’s been discontinued. (I vaguely recall that the EFF used to offer a “Vidalia Bundle” that included Tor, Privoxy, and Vidalia.) I see there’s a new graphical frontend called SelekTOR that’s just for Linux, but I don’t know anything about it.

    3. A different Martin said on September 6, 2018 at 9:31 am
      Reply

      That’s *exactly* the question I asked myself within a minute or so of updating and restarting. Mind you, I *did* take care to preserve a Pre-Quantum “install” of Tor Browser 52.9, but who knows how long *that’s* going to remain secure? I think there’s room for a “Pale Tor” Browser Bundle in the future. (I used to know how to run Tor separately and make a browser use it, but I’ve completely forgotten what’s involved. Maybe it’s time to refresh my recollection.)

  15. Ray said on September 6, 2018 at 6:26 am
    Reply

    Tor Browser 8 looks pretty good.

    One thing I don’t like is how it starts up in Private Browsing mode. This is okay if you are browsing for short sessions and you close your browser. But if you leave your browser open all the time, it would be better to use Multi-Account Containers (or better yet, use MAC in conjunction with the Temporary Containers addon). This is so when you close a tab, cookies and local storage are cleared for that tab.

    1. Pants said on September 7, 2018 at 2:17 am
      Reply

      AFAIK, TBB used to change its circuits every 10 minutes. When a circuit changed (new identity) all persistent data is wiped (I am not 100% sure on this – but it certainly used to do so when you manually requested a new identity).

      Circuits get created on start-up and whenever Tor thinks it might need more in the future or right now. Once a circuit is actually used for the first time, it’ll be marked dirty. Dirty circuits are used for new connections for 10 minutes by default. After those 10 minutes, a dirty circuit will stick around for as long as connections are still going over it. If you’re just web browsing that might not be the case for long. However, if you are connected to IRC for instance it might be days. So, to summarize: a circuit lives for some amount of time before you use it, then for 10 minutes for new connections, and then for however long it takes for these connections to finish.

      also see [1] https://www.torproject.org/docs/faq.html.en#ChangePaths

      This of course may/probably has changed. So if anyone can enlighten Ray and I, that would be cool :)


      But yeah, certainly would be nice if repeat first party visits (i.e when all tabs of the domain have been closed and you go to that domain again) would be protected (by clearing all persistent data including SSL session tickets etc). Although the threat model between Firefox and TBB is very different, so I’m not entirely sure of the actual gain in privacy here – probably some edge cases for sure.
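The circuit lifetime rule quoted in the comment above (a circuit takes new connections for 10 minutes after first use, then stays open only while connections still run over it) can be traced with a small model. This is an added example, not Tor's code and not part of the original comment; the class names and the timeline are constructed, and the model covers only the rule as the comment states it, without pre-built clean circuits.

```python
from dataclasses import dataclass, field
from typing import Optional

# "10 minutes by default" in the comment, expressed in seconds.
MAX_DIRTINESS = 10 * 60


@dataclass
class Circuit:
    cid: int
    first_used: Optional[float] = None      # None means the circuit is still clean
    streams: set = field(default_factory=set)

    def takes_new_streams(self, now):
        """Clean circuits and circuits dirty for under 10 minutes accept new streams."""
        return self.first_used is None or now - self.first_used < MAX_DIRTINESS

    def can_close(self, now):
        """A dirty circuit past its window goes away once nothing runs over it."""
        return (self.first_used is not None
                and not self.takes_new_streams(now)
                and not self.streams)


class CircuitPool:
    def __init__(self):
        self.circuits = []
        self._next_id = 1

    def _reap(self, now):
        self.circuits = [c for c in self.circuits if not c.can_close(now)]

    def open_stream(self, now, stream):
        """Attach a new stream; return the id of the circuit that carries it."""
        self._reap(now)
        circuit = next((c for c in self.circuits if c.takes_new_streams(now)), None)
        if circuit is None:
            circuit = Circuit(self._next_id)
            self._next_id += 1
            self.circuits.append(circuit)
        if circuit.first_used is None:
            circuit.first_used = now        # first use marks the circuit dirty
        circuit.streams.add(stream)
        return circuit.cid

    def close_stream(self, now, stream):
        for c in self.circuits:
            c.streams.discard(stream)
        self._reap(now)

    def alive(self, now):
        self._reap(now)
        return [c.cid for c in self.circuits]


def run_timeline():
    """Constructed timeline: two short web streams and one long-lived IRC stream."""
    pool = CircuitPool()
    log = {}
    log["web-1"] = pool.open_stream(0, "web-1")        # first use, circuit 1 turns dirty
    log["irc"] = pool.open_stream(60, "irc")           # inside the window, same circuit
    pool.close_stream(120, "web-1")
    log["web-2"] = pool.open_stream(700, "web-2")      # window over, a new circuit is used
    pool.close_stream(800, "web-2")
    log["alive_after_a_day"] = pool.alive(86_400)      # IRC still pins circuit 1
    pool.close_stream(86_500, "irc")
    log["alive_after_irc_quits"] = pool.alive(86_500)
    return log


if __name__ == "__main__":
    for key, value in run_timeline().items():
        print(f"{key}: {value}")
```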

  16. gh said on September 6, 2018 at 5:55 am
    Reply

    Frankly, no, I no longer trust torproject

    On Windows O/S, when you create a system user account, various fields are provided for: username, account type, department… FirstName, LastName

    Each time you launch firefox (codebase upon which TorBrowser is based), firefox — the browser that “respecks yer privacy” — queries the O/S attempting to read/load FirstName, LastName from your useraccount data. It assigns this email address to a variable and retains it in memory throughout your browsing sessions. Why should my frickin’ WEB BROWSER have access to details associated with my WINDOWS LOGIN USER ACCOUNT ?!?

    note: this ff behavior isn’t restricted to Windows. The codebase contains similar, conditional, sniffing tailored to Mac and Unix OSes.

    I reported this issue to TorProject in 2014:
    (https) trac.torproject.org/projects/tor/ticket/13398
    It sat, unaddressed, until 2017 when some kind soul (NOT one of the torproject devs) submitted a code patch…

    …and the devs hem-hawed, kicked the can, and FINALLY merged the patch a few months ago (May 2018)
    (https) gitweb.torproject.org/tor-browser.git/commit/toolkit/components/startup?h=tor-browser-52.8.0esr-8.0-1&id=b826168f2617cc543a3183974d3aaa9e8016ca9b

    I checked the mozilla xhr within the past year and confirmed that patch by torproject hasn’t been merged upstream ~~ firefox still reads/stores the user’s FIRSTNAME LASTNAME during each startup.

    Has the patch (and myriad others, submitted by the frighteningly few folks who bother to pore through the “opensource” code, in search of bugs/problems) even survived the transition to “based on the more gooder ff version 60”? I doubt it has, but at this point I’m too tired (disillusioned, fed up) to bother re-checking.

    1. Pants said on September 6, 2018 at 11:58 am
      Reply

      Obviously with the change from 52 to 60.2, there are a lot of changes, especially given the move to deprecate XUL – let alone all the new features/standards and big projects like all the quantum parts (stylo, webrender, photon, etc). I have no real idea of how they “merged” the 52 into 60.2 or vice-versa, but when doing all the diff between stable versions since 52 ( see https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs ), I can tell you that as quantum neared and for a few versions afterwards, the workload/changes was enormous. It’s only just starting to quieten back down to “normal” levels.

      This first version also still has old prefs being set in it that have been deprecated (but they make no difference) – but they’re aware of it. They also have prefs being set that change your FP (i.e they need to undo some pref flipping from the past in order for privacy.resistFingerprinting to be consistent) – but again, it makes no difference for now (because all TBB users are the same).

      https://bugzilla.mozilla.org/show_bug.cgi?id=1433350 – The code is a remnant used (or was used) in Thunderbird. It is not used in Firefox at all, and in time will be removed – meanwhile, if you follow the code, it doesn’t actually do anything. It’s all about priorities. This is extremely low priority, poses zero privacy/security risks, and given it has an upstream ticket via the Tor Uplift for Mozilla to handle, there’s nothing more to do (except monitor via Tor Uplift).

      That said, I think v8 will be short lived and it will take a number of dot releases before I feel that it’s ready

      1. gh said on September 6, 2018 at 7:29 pm
        Reply

        The code does nothing and poses no risk? Gee, your dismissive reply reads like the words of an apologist. The issue ticket wasn’t marked “wontfix” and, ultimately, the torbrowser code was patched to resolve the issue.

        “I have no real idea of how they merged the 52 into 60.2”

        So, rather than dismissing, investigate and determine the facts of the matter.

        “the workload/changes was enormous”

        It is lipservice, darling — a smoke and mirrors performance. Neither mozilla nor torproject are fully committed to protecting, and respecting, user privacy. Ultimately, they are $$$ engaged in perpetuating a big con, creating an “illusion of choice” by shipping alternative (yet thoroughly backdoored, e.g. targeted injection/exfiltration via maintenanceservice.exe) desktop-resident “agents of the same unseen master”.

      2. Pants said on September 7, 2018 at 2:01 am
        Reply

        > Gee, your dismissive reply

        It wasn’t meant to be dismissive. Just because a ticket wasn’t marked wontfix, doesn’t mean it carries serious weight. It was probably kept open because it’s always nice to clean up code like that (and of course, when the ticket was opened, the Firefox code was different to now, so I do not know if it was a bigger issue then than now). But given it took 4 years to be closed, and the original patch created by a volunteer, should indicate to you that your concern was/is blown out of proportion. And no one said it wasn’t a good idea – Arthur even added it to the Tor Uplift so it could be patched at Mozilla’s end.

        > I have no real idea of how they merged the 52 into 60.2

        I mentioned this, because it would be interesting to know. And that the dropping of previous patches is not a glitch in the system/methodology. Either it’s a mistake (to drop that patch) or done deliberately since they know it’s not serious and there is an upstream Mozilla ticket. Maybe they have it on a list, IDK. If you’re concerned about it, open a new tor ticket.

        > It is lipservice, darling

        Aww, you had me at “darling” :) Then you lost me with the conspiracy BS.

        > Why should my frickin’ WEB BROWSER have access to details associated with my WINDOWS LOGIN USER ACCOUNT ?!?

        I’ll answer your question AGAIN because it’s clearly not getting through to you: because it is code used by Thunderbird. Firefox itself does not use it. Did you actually read the bugzilla comments?

        – this patch is not as important now that extensions can’t instantiate it anymore. The only value would be defense against a future internal use of nsIUserInfo
        – So given that this component is unused in Firefox I think we should actually just remove it entirely from mozilla-central
        – the nsIUserInfo component is used in Thunderbird but I’d expect it to be easy to move into comm-central
        – In Firefox, there is no downside to removing the code, and a modest reduction of risk to privacy by ensuring no future mozilla-central code calls these functions.

        So there are currently no issues with ESR60 and this code, and removing it from FF but leaving it in for Thunderbird (moving it from mozilla-central to comm-central) will probably no doubt happen. The change is a “defense in depth” as Arthur puts it, I call it future proofing. You’re blowing this out of all proportion. Chill out bro :)

  17. XenoSilvano said on September 6, 2018 at 4:08 am
    Reply

    square tabs, whow!
    that Australis #### is finally gone with

  18. Anonymous said on September 6, 2018 at 3:58 am
    Reply

    I use tor as portable standalone, not bundled.
    super duper better than any vpn!

  19. WorknMan said on September 6, 2018 at 1:26 am
    Reply

    Does anybody really trust TOR anymore? I don’t mean just for private browsing, but ya know… for patronizing drug markets and doing stuff you REALLY don’t want anyone finding out about. I read stories about the FBI hiring some university to crack the network, perhaps temporarily. But after that, it didn’t seem worth the risk anymore.

    1. John Fenderson said on September 6, 2018 at 6:08 pm
      Reply

      Tor is trustworthy, but it’s not a panacea and you need to keep in mind what the limits and risks of it are (just as with anything else).

      The Tor browser is a different matter that I know nothing about. I use Tor systemwide (so it covers all internet activity, not just web browsing), I don’t use the Tor browser.

      1. NotMe said on September 8, 2018 at 9:29 pm
        Reply

        How can you set the computer for systemwide usage? Is it on Windows or must it be Linux?

    2. TelV said on September 6, 2018 at 3:19 pm
      Reply

      @WorknMan,

      As Alex suggested, use a VPN. I use Mullvad myself which is based in Sweden. You don’t need an email account or username and they don’t want to know who you really are. Here’s the feature list: https://mullvad.net/en/features/

      You can also combine your VPN connection with a non-logging SOCKS5 proxy to give you additional protection.

      Check what you’re revealing about yourself without a VPN at: https://whoer.net/#extended

      1. Anonymous said on September 7, 2018 at 8:33 pm
        Reply

        Mullvad accepts cash payments. A nice touch.

      2. A different Martin said on September 7, 2018 at 8:07 pm
        Reply

        @TelV: I compared my Whoer.net “anonymity” results on various browsers, with scripting and ads temporarily allowed for the Whoer.net domain in browsers that have script and/or ad blockers installed:

        * Firefox (latest) on open connection: 100%
        * Firefox ESR (52.9.0) on open connection: 90%
        * Google Chrome (latest) on open connection: 70%
        * Pale Moon (latest) on open connection: 64%
        * Internet Explorer (security-patched 11) on open connection: 60%
        * Tor Browser (previous, based on Firefox 52.9) on Tor connection: 55%
        * Tor Browser (latest, based on Firefox 60.x) on Tor connection: 52%

        Do these results seem a little *fishy* to you?

      3. TelV said on September 9, 2018 at 5:05 pm
        Reply

        @A different Martin,

        Well I don’t have any addons that block scripting installed so I don’t have anything to unblock although I have configured various prefs to enhance my privacy, but these are the results with Mullvad’s VPN running:

        * Waterfox 100% anonymity
        * Firefox ESR (52.9.0) 100%
        * Basilisk (Pale Moon fork) 100%
        * Internet Explorer (security-patched 11) 55%

        However, Mullvad states on their site that they don’t support IE, so the lower rating is understandable. I don’t have Tor installed at all.

    3. alex said on September 6, 2018 at 9:39 am
      Reply

      I do, but I use it within whonix for extra security. If you’re really concerned, you should consider a VPN.

  20. naming said on September 6, 2018 at 1:15 am
    Reply

    Unfortunately the User-Agent is no longer spoofed (which is a big trouble for JS disabled users who want to hide their OS), I hope they fix it.

  21. Q said on September 5, 2018 at 9:51 pm
    Reply

    Tor 8.0 appears to now require Windows 7 or greater.

    1. Anonymous said on September 26, 2018 at 11:04 am
      Reply

      8.1 now doesn’t work on any system

      1. Clairvaux said on September 26, 2018 at 6:43 pm
        Reply

        Works on mine, and there’s no 8.1. The last non-alpha release is 8.0.1.

      2. owl said on September 26, 2018 at 2:20 pm
        Reply

        @Anonymous said, 8.1 now doesn’t work on any system

        Although it has been used every day since the release of v8.0, it is working and functioning comfortably.
        usage environment:
        8.0.1 (based on Mozilla Firefox 60.2.0esr) (64-bit)
        Microsoft Windows 10 Home 64-Bit 1803 (Build:17134.228)

    2. Jody Thornton said on September 5, 2018 at 10:25 pm
      Reply

      @Q – well yes, because it’s based on Quantum. No more XP or Vista. I like Vista, though I’m perfectly OK seeing XP get buried.

    3. Yuliya said on September 5, 2018 at 10:12 pm
      Reply

      Because Firefox 57+ requires Windows 7+. Afaik, Firefox 57 works on XP and Vista, so Fx 60 might work on systems lower than 7 as well. You might have to extract the “installer” with 7-zip though.

      1. Chronius said on September 6, 2018 at 11:21 am
        Reply

        @Yuliya No, since Firefox 53, it no longer works on anything lower than W7 sadly.

  22. Yuliya said on September 5, 2018 at 9:51 pm
    Reply

    Hardware acceleration works again on Windows. Finally. No more software video decoding, horrible scrolling and screen tearing.
