Tor Browser 8.5.3 released, fixes another high-rated security vulnerability (CVE-2019-11708)

https://blog.torproject.org/new-release-tor-browser-853

It is still based on FF 60.7.0esr.

2 Likes

I’m a bit confused about TOR browser for Android. The stable version was updated about a week ago but interestingly the alpha version got updated like two days ago. So what’s the story behind this? Why would they update the alpha, if there’s the stable?

From the previous release 8.5.2: https://blog.torproject.org/new-release-tor-browser-852

Note: As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend. In the meantime, Android users should use the safer or safest security levels. The security level on Android can be changed by going in the menu on the right of the URL bar and selecting Security Settings.

Okkay… But this doesn’t answer why the alpha version was recently updated, while there’s a stable version. Is this something like, they support both for a certain period of time?

1 Like

Could be a different signing process for alpha and release.

1 Like

I stopped using the Alpha version after they released the “official” one. Maybe @Mr_Book is right; it’s a different signing process. I would be concerned about using the previous version if they aren’t doing patches for it anymore.

1 Like

I was confused about android having both an alpha and stable release maintained separately like that (expecting alpha to beta to stable release, with new features showing up in development/experimental/nightly builds for testing)

it looks like they simply always keep both, aligned with desktop and new features/bleeding edge for the bundle stays named alpha continually, while release = stable and, eg. the space for fixing regressions, bugs and vulnerabilities.

basically now i expect to see a beta test period for TB9.0 when current stable is ready to migrate from 8.x to 9 and as it does see a new alpha 10 emerge for testing bleeding edge TBB

current alpha is based on TB 9.0a2:

Before we release a stable version of our software, we release an alpha version to test features and find bugs. Please only download an alpha if you are okay with some things not working properly, want to help us find and report bugs, and are not putting yourself at risk.

blog note:

Tor Browser 9.0a2 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release is fixing regressions and providing small improvements similarly to our 8.5.1 release. Additionally, we update Tor to 0.4.1.2-alpha, OpenSSL to 1.1.1c, we disable the WebGL readPixel() fingerprinting vector, add the ro locale, and start updating our toolchains in prevision to the planned migration to Firefox 68 ESR.

(this blog comment kinda helped explain it better: https://blog.torproject.org/comment/282477#comment-282477)

There is an alpha and a stable version. If you want to help us find bugs in new features use the alpha one and the stable otherwise. The Play Store is getting updates faster as this is a process controlled directly by us. For F-Droid we still need to ask the Guardian Project folks to upload new versions for us which is a manual process and costs time. But we work on fixing that: https://trac.torproject.org/projects/tor/ticket/27539

versus stable release:
https://blog.torproject.org/new-release-tor-browser-85

Tor Browser 8.5 is now available from the Tor Browser download page and also from our distribution directory. The Android version is also available from Google Play and should be available from F-Droid within the next day.
This release features important security updates to Firefox.
After months of work and including feedback from our users, Tor Browser 8.5 includes our first stable release for Android plus many new features across platforms.

It’s Official: Tor Browser is Stable on Android
Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September, we’ve been hard at work making sure we can provide the protections users are already enjoying on desktop to the Android platform.

2 Likes

I see! This makes all clear!
Thank you for this really detailed explanation!
And thank you all for the replies!
This is a great community! :metal:

2 Likes

One more thing I want to mention and kinda shocked me, that the stable version on my android tablet came without duck duck go out of the box. It had the default guugel search engine… I had to add DDGo manually (I hope that’s not something like adding an addon or changing the config…). Whereas on my phone, the stable version had DDGo included by default. Both were downloaded from F-Droid with the app installed on the devices. :thinking:

this doesn’t sound good. Test if you can reproduce (eg. goog vs ddg default, fresh install from f-droid on android tablet) if same then please consider report it to tor project, that’s a fugly bug you may have found…

1 Like

Great advice! Thank you for the suggestion dude!
I did it and got surprised again!
So, I deleted the TOR browser from my tablet, downloaded again, same as before, search engine gawgel, DDGo not even in the list. But! The default language on my tablet is not English, TOR browser had the tablet’s default language. So I did the same on my phone, on which English is the default language. The result, DDGo is the default search engine, in fact the list of search engines is quite different from the tablet’s.
Okkay… I started to play around a bit. I set the browser’s language on the tablet to English, then the whole list of search engines changed, DDGo was in the list but not set as default, default was still ggel.
On the phone, I set the browser’s language to the tablet’s default, tadam! DDGo disappeared, the list was the same like on the tablet with non-English settings, gawgl became the default. I switched back to English, the list switched back to the original English settings list, but the default search engine did not switch back to DDGo, it remained ggl.
My conclusions:

  • the search engine settings depend on the browser’s language
  • the default search engine settings depend on the system’s language, because during installation, the browser automatically aligns itself with the system’s language
  • to have or switch to Ddgo is system / browser language dependent, might be set by default, or requires user efforts, even installing it manually in case of missing from the shown list
  • in case of DDGo was installed manually in a non English browser environment, after switching the browser’s language to English, there will be two DDGos in the list
  • if ddgo was set as default in one language setting, after switching to another and back, ddgo won’t be the default again

Any thoughts?

@lostin
Did you check if changing your device’s language also affects the user agent string/fingerprint of the Tor Browser?

Well, playing around with the system language has no effect on the browser, if it’s already installed. On the other hand, the browser will be installed in the system’s set language, whatever it is and the search engine lists vary by language. As I see, they are even country specific and some contain ddgo, some don’t. In all cases, if the list contains ddgo, it will be set as default, in all other cases, ggl will be the default. I suspect, but didn’t check, that those lists, which don’t contain ddgo are the default firefox lists for that specific language.