Tor Browser Changelog

What's new in Tor Browser 13.0.14

Apr 18, 2024

The full changelog since Tor Browser 13.0.13 is:
ALL PLATFORMS:
Updated Tor to 0.4.8.11
Bug tor-browser#41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a defense-in-depth
Bug tor-browser#42335: Do not localize the order of locales for app lang
Bug tor-browser#42428: Timezone offset leak via document.lastModified
Bug tor-browser#42472: Timezone may leak from XSLT Date function
Bug tor-browser#42508: Rebase Tor Browser stable onto 115.10.0esr
Windows + macOS + Linux:
Updated Firefox to 115.10.0esr
Bug tor-browser#42172: browser.startup.homepage and TOR_DEFAULT_HOMEPAGE are ignored for the new window opened by New Identity
Bug tor-browser#42236: Let users decide whether to load their home page on new identity.
Bug tor-browser#42468: App languages not sorted correctly in stable
Linux:
Bug tor-browser-build#41110: Avoid Fontconfig warning about "ambiguous path"
Android:
Updated GeckoView to 115.10.0esr
Bug tor-browser#42509: Backport Android security fixes from Firefox 125
BUILD SYSTEM:
All Platforms:
Updated Go to 1.21.8
Bug tor-browser-build#41107: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo for new type of URL
Bug tor-browser-build#41122: Add release date to rbm.conf
Android:
Bug tor-browser-build#40992: Updated torbrowser_version number is not enough to change firefox-android versionCode number

New in Tor Browser 13.5 Alpha 6 (Apr 1, 2024)

Letterboxing Improvements and Configuration Options:
Over the past month we have merged various usability improvements and configuration options for the new letterboxing UX. In about:preferences#general one may now configure some aspects of the letterbox behaviour, including whether the content area floats in the center of the window or is snapped to the browser chrome at the top. We also implemented a somewhat hidden feature which will allow you to remove the extra spacing when you resize the window by double-clicking within the letterbox gutter area. This will snap the whole window down to the size required by the content.
Native Android Connect-Assist:
We have continued improving our connect-assist implementation on Android. This has included backend work continuing to improve and generalise the low-level systems used by both Desktop and Android versions, frontend work re-immplementing the same flow, configuration options, and error handling presently found in the Desktop frontend. We have also started refactoring the various Tor configuration related menus and the Tor Logs are once again accessible using the native ux by navigating to Settings > Connection > Tor Logs
Please give the new systems a go by navigating to Settings > Connection > Enable beta connection features and toggling Enable beta connection features and selecting Native Android UI
Known Issues:
We still have a lot of work to do, bugs to fix, and general polish to apply. We currently have one known issue whereby manually enabling bridges in the Config Bridge menu usually fails to stick after navigating away from that menu. This issue is being tracked in tor-browser#42486
Connect-Assist Backend Work:
As mentioned in the previous section, we have been iteratively improving the connect-assist backend code which is used on both Desktop and Android. If you are Desktop user we would appreciate you verifying that your bootstrapping experience is unchanged between releases, particularly if you have any custom configuration or settings.
Localization Updates:
We have been developing several improvements to our localisation pipelines and we have been merging patches which remove legacy 'dtd'-based translation strings and migrate to the modern 'fluent' system used by modern Firefox. End-users should not see any changes as a result of these changes. Please keep an eye out for for any broken strings or translation regressions and report any issues you may find!
Send us your feedback
If you find a bug or have a suggestion for how we could improve this release, please let us know.
FULL CHANGELOG:
The full changelog since Tor Browser 13.5a5 is:
All Platforms:
Bug tor-browser#41114: Fix no-async-promise-executor on TorConnect
Bug tor-browser#41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a defense-in-depth
Bug tor-browser#42336: Review the relationship between TorSettings and the TorProvider
Bug tor-browser#42428: Timezone offset leak via document.lastModified
Bug tor-browser#42435: Update moat domain fronting configuration
Bug tor-browser#42437: Drop "torbrowser.version" preference
Bug tor-browser#42444: Remove the "Prioritize .onion sites when known" option
Bug tor-browser#42449: Rebase Tor Browser alpha onto Firefox 115.9.0esr
Bug tor-browser#42459: Add startpage onion service to list of search providers
Bug tor-browser#42466: Drop the "Onion Logo" from trademark statement
Bug tor-browser#42472: Timezone May leak from XSLT Date function
Bug tor-browser#42473: ESR 115.9.1 fixes
Bug tor-browser#42481: Modularize SecurityLevel
Bug tor-browser-build#41105: Bump version of snowflake to v2.9.2
Windows + macOS + Linux:
Updated Firefox to 115.9.0esr
Bug tor-browser#41916: Letterboxing preferences UI
Bug tor-browser#41918: Add option to reuse last window size when letterboxing is enabled
Bug tor-browser#42203: Fluent migration: about dialog
Bug tor-browser#42209: Fluent migration: tor circuit
Bug tor-browser#42211: Fluent migration: new identity
Bug tor-browser#42214: Fluent migration: security level
Bug tor-browser#42236: Let users decide whether to load their home page on new identity.
Bug tor-browser#42443: Shrink the window to match letterboxing size when the emtpy area is doble-clicked
Bug tor-browser#42446: Improve accessible descriptions in built-in dialog
Bug tor-browser#42458: Update the "Submit Feedback" link in "About Tor Browser"
Windows:
Bug tor-browser#42377: Hidden fonts are automatically added to the allow list
Linux:
Bug tor-browser#42438: Adapt the data import wizard to use the original $HOME on
Linux:
Bug tor-browser-build#41110: Avoid Fontconfig warning about "ambiguous path"
Android:
Updated GeckoView to 115.9.0esr
Bug tor-browser#41187: Improve Android's bridge settings UI
Bug tor-browser#42427: Do not ship bridges as prefences anymore
Build System:
All Platforms:
Updated Go to 1.21.8
Bug tor-browser-build#41102: src archive does not match likely due to mismatched xz-utils version
Bug tor-browser-build#41107: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo for new type of URL
Bug rbm#40073: We should remove ./ when using 7-zip for zip files
Windows + macOS + Linux:
Bug tor-browser#42305: (Semi-)Automatically merge translation resources across tor browser releases (desktop)
Bug tor-browser-build#41088: Remove use of projects/browser/run_scripts
Windows:
Bug tor-browser-build#41097: authenticode-timestamping.sh fails to run again because tmp-timestamp already exists
Android:
Bug tor-browser#40502: Do not recommend addons on Tor Browser
Bug tor-browser-build#41082: Package tor expert bundle on android as .aar that firefox-android can use in lieu of tor-android-service with geckoview bootstrap

New in Tor Browser 13.0.13 (Mar 25, 2024)

New in Tor Browser 13.0.12 (Mar 20, 2024)

New in Tor Browser 13.0.11 (Mar 7, 2024)

New in Tor Browser 13.0.10 (Feb 21, 2024)

New in Tor Browser 13.0.9 (Jan 23, 2024)

New in Tor Browser 13.0.8 (Dec 21, 2023)

New in Tor Browser 13.0.7 (Dec 21, 2023)

New in Tor Browser 13.0.6 (Dec 6, 2023)

New in Tor Browser 13.5 Alpha 2 (Dec 2, 2023)

ALL PLATFORMS:
Updated tor to 0.4.8.9
Bug tor-browser#42153: Drop dom.enable_resource_timing = false preference
Bug tor-browser#42246: Migrate tor connection stuff from browser to toolkit
Bug tor-browser#42261: Update the icon of Startpage search engine
Bug tor-browser#42276: Rebase Browsers Alpha to 115.5.0esr
Bug tor-browser#42277: Enable storage.sync to fix broken webextensions
Bug tor-browser#42288: Allow language spoofing in status messages
Bug tor-browser#42302: The allowed ports string contains a typo
Windows + macOS + Linux:
Updated Firefox to 115.5.0esr
Bug tor-browser#42072: YEC 2023 Takeover for Desktop Stable
Bug tor-browser#42188: Donations are asked repeatedly when I click New identity button
Bug tor-browser#42194: Blank Net Error page on name resolution failure
Linux:
Bug tor-browser#17560: Downloaded URLs disk leak on Linux
Bug tor-browser-build#41017: Disable Nvidia shader cache
Android:
Updated GeckoView to 115.5.0esr
Bug tor-browser#41846: firefox-android esr 115 introduced new nimbus use: they need to be disabled
Bug tor-browser#42074: YEC 2023 Takeover for Android Stable
Bug tor-browser#42258: Replace the current boring "fiery android" icon we use for dev with the cool nightly icon
Bug tor-browser#42259: Remove unused firefox branding from Tor Browser for Android
Bug tor-browser#42260: Add TBB artifacts to .gitignore
Bug tor-browser#42285: Update the gitignore to use the correct paths for tor stuff
Bug tor-browser#42287: Backport security fixes (Android & wontfix) from Firefox 120 to 115.5 - based Tor Browser
BUILD SYSTEMS:
All Platforms:
Update Go to 1.21.4
Bug tor-browser-build#40884: Script to automate uploading sha256s and signatures to location signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo expects them to be
Bug tor-browser-build#40970: Missing symlink create-blog-post.torbrowser -> create-blog-post symlink
Bug tor-browser-build#41006: Fix typo in finished-signing-clean-linux signer
Bug tor-browser-build#41023: Update lead.png symlink and blog post template in tools/signing/create-blog-post
Bug rbm#40063: RBM's chroot fails in Fedora
Bug rbm#40064: Using exec on project with no git_url/hg_url is causing warning
macOS:
Bug tor-browser-build#41005: Unpack macOS bundle to /var/tmp instead of /tmp in rcodesign-notary-submit step
Bug tor-browser-build#41007: gatekeeper-bundling.sh refers to old .tar.gz archive
Bug tor-browser-build#41014: Update libdmg-hfsplus to drop the OpenSSL patch
Bug tor-browser-build#41020: Opening MacOS dmg file is causing a warning, since 13.0
Android:
Bug tor-browser-build#41024: Fix android filenames in Release Prep issue templates

New in Tor Browser 13.0.5 (Nov 23, 2023)

New in Tor Browser 13.5 Alpha 1 (Nov 4, 2023)

New in Tor Browser 13.0 (Oct 13, 2023)

Tor Browser 13.0 is now available from the Tor Browser download page and our distribution directory.
This is our first stable release based on Firefox ESR 115, incorporating a year's worth of changes shipped upstream. As part of this process we've also completed our annual ESR transition audit, where we review Firefox's changelog for issues that may negatively affect the privacy and security of Tor Browser users and disable any problematic patches where necessary. Our final reports from this audit are now available in the tor-browser-spec repository on our Gitlab instance.
Particularly notable are the accessibility improvements we've gained as a result of the transition to Firefox ESR 115. While eagle-eyed users may notice small visual changes to the user interface (for example, internal links are now underlined), Tor Browser 13.0 is our first release to inherit the redesigned accessibility engine introduced by Mozilla in Firefox 113. This change promises to improve performance significantly for people who use screen readers and other assistive technology.
WHAT'S NEW?:
Refreshed application icons:
Earlier this year we spent some time artworking the Mullvad Browser logo into the various assets needed to support its release – including application, installer and document icons that conform to each platform's conventions. While getting up to speed with the current requirements for each platform, we identified a number of gaps with Tor Browser too, and started working on new icons for Tor Browser in parallel.
For context, Tor Browser's current icon (sometimes referred to as the "onion logo") was selected by community poll over four years ago to succeed the older purple and green globe in Tor Browser 8.5. Given the community's involvement in its selection, its recognizability by netizens, and the simple fact that we still love the existing icon, we chose to focus on refining rather than replacing it entirely.
One of the motivations behind work like this is our philosophy that privacy-preserving products shouldn't be purely utilitarian, but can also spark joy. However there are practical benefits too: adhering to platform conventions provides better consistency, discernible application and installer icons help prevent user error, and attracting new users benefits everyone because anonymity loves company.
New homepage:
For the past year we've been working on a significant rewrite of Tor Browser's back-end, which recently provided us with the opportunity to rebuild one of the few internal pages that hasn't changed in a while: the homepage (often referred to by its internal reference, "about:tor"). Tor Browser 13.0's homepage now features the new application icons, a simplified design, and the ability to "onionize" your DuckDuckGo searches by switching to the DuckDuckGo onion site. Continuing the work that began in Tor Browser 12.5 to improve the browser's accessibility, the redesigned homepage also offers better support for users of screen readers and other assistive technology too.
Existing Tor Browser users can rejoice that the "red screen of death" – an infamous error state that the previous homepage would occasionally trip itself into – is long gone. As part of the back-end rewrite we've removed the automatic Tor network connectivity check that was a hold-over from the legacy tor-launcher, where bootstrapping was handled by an extension that ran before the browser interface appeared. As a result of the tighter tor integration and in-browser bootstrapping experience introduced in Tor Browser 10.5, the old logic behind this check would often fail and present some users with the red screen of death, even if their connection was fine.
In fact, all of the reports we've received of users hitting this screen with the default tor configuration since Tor Browser 10.5 have proven to be false positives, causing undue alarm. Although the check is arguably still useful for users running non-default configurations, neither of the main environments which do so – Tails and Whonix – use about:tor as their default new-tab or home pages. For everyone else, we've added a new banner to the redesigned homepage in place of the red screen of death to check that tor is connected and working as expected.
Bigger new windows:
The explanation for how and why Tor Browser works this way is going to get into the weeds a little, so be warned. However the main thing to take away is that new windows should be bigger by default and present themselves in a more useful landscape aspect-ratio for the majority of desktop users in Tor Browser 13.0. Now, about those weeds...
Letterboxing was introduced in Tor Browser 9.0 to allow users to resize their browser window without fear of being fingerprinted by rounding the inner content window (sometimes referred to as the "viewport") down to multiples of 200 x 100 pixels. This technique works by grouping the window sizes of most users into a series of common "buckets", protecting individual users within those buckets from being singled-out based on their window or screen size.
In order to preserve these protections when opening new windows, Tor Browser overrides platform defaults and will instead select a size that conforms to our letterboxing steps up to a maximum of 1000 x 1000 pixels. However, while that may have been fine in the past, a max width of 1000px is no longer suitable for the modern web. For example, on many newer websites the first responsive break point lies somewhere in the range of 1000 – 1200px, meaning by default Tor Browser users would receive website menus and layouts intended for tablet and mobile devices. Alternatively, on certain websites, users would receive the desktop version but with the annoyance of a horizontal scroll bar instead. This, naturally, would lead to users of these websites needing to expand each new window manually before it's usable.
In response we've bumped up the max size of new windows up to 1400 x 900 pixels and amended the letterboxing steps to match. Thanks to the increase in width, Tor Browser for desktop should no longer trigger responsive break points on larger screens and the vast majority of our desktop users will see a familiar landscape aspect-ratio more in-keeping with modern browsers. This particular size was chosen by crunching the numbers to offer greater real estate for new windows without increasing the number of buckets past the point of their usefulness. As an added bonus, we also expect that Tor Browser users will not feel the need to manually change their window size as frequently as before – thereby keeping more users aligned to the default buckets.
Technical notes:
We're pleased to report that we've made the naming scheme for all our build outputs mutually consistent. Essentially, this means that going forward the names of all our build artifacts should follow the format ${ARTIFACT}-${OS}-${ARCH}-${VERSION}.${EXT}. For example, the macOS .dmg package for 12.5 was named TorBrowser-12.5-macos_ALL.dmg, whereas for 13.0 it's named tor-browser-macos-13.0.dmg.
If you are a downstream packager or download Tor Browser artifacts using scripts or automation, you'll need to do a little more work beyond just bumping the version number to support this and future releases.
Contributions:
Thanks to all of the teams across Tor, and the wider community, who contributed to this release. In particular we'd like to extend our gratitude to the following volunteers who have contributed their expertise, labour, and time to this release:
anonym
cypherpunks1
Fabrizio
FlexFoot
guest475646844
honorton
ilf
JeremyRand
nervuri
Rusty Bird
shanzhanz
thorin
trinity-1686a
FULL CHANGELOG:
The full changelog since Tor Browser 12.5.6 is:
All Platforms:
Updated tor to 0.4.8.7
Updated OpenSSL to 3.0.11
Bug tor-browser-spec#40050: FF103 Audit
Bug tor-browser-spec#40051: FF104 Audit
Bug tor-browser-spec#40052: FF105 Audit
Bug tor-browser-spec#40053: FF106 Audit
Bug tor-browser-spec#40054: FF107 Audit
Bug tor-browser-spec#40055: FF108 Audit
Bug tor-browser-spec#40056: FF109 Audit
Bug tor-browser-spec#40057: FF110 Audit
Bug tor-browser-spec#40058: FF111 Audit
Bug tor-browser-spec#40059: FF112 Audit
Bug tor-browser-spec#40060: FF113 Audit
Bug tor-browser-spec#40061: FF114 Audit
Bug tor-browser-spec#40062: FF115 Audit
Bug tor-browser#26277: When "Safest" setting is enabled searching using duckduckgo should always use the Non-Javascript site for searches
Bug tor-browser#40577: Add "suggest url" in DDG onion's manifest
Bug tor-browser#40938: Migrate remaining torbutton functionality to tor-browser
Bug tor-browser#41092: Enable tracking query parameters stripping
Bug tor-browser#41327: Disable UrlbarProviderInterventions
Bug tor-browser#41399: Update Mozilla's patch for Bug 1675054 to enable brotli encoding for HTTP onions as well
Bug tor-browser#41477: Review some extensions.* preferences
Bug tor-browser#41496: Review 000-tor-browser.js and 001-base-profile.js for 115
Bug tor-browser#41576: ESR115: ensure no remote calls for weather & addon suggestions
Bug tor-browser#41605: Remove unused assets from torbutton (preferences-mobile.css)
Bug tor-browser#41675: Remove javascript.options.large_arraybuffers
Bug tor-browser#41727: WebRTC privacy-hardening settings
Bug tor-browser#41740: ESR115: change devicePixelRatio spoof to 2 in alpha for testing
Bug tor-browser#41752: Review changes done by Bug 41565
Bug tor-browser#41796: Rebase Tor Browser to Firefox 115
Bug tor-browser#41797: Lock RFP in release builds
Bug tor-browser#41934: Websocket raises DOMException on http onions in 13.0a1
Bug tor-browser#41936: Review Mozilla 1770158: Use double-conversion library instead of dtoa for string-to-double conversion
Bug tor-browser#41937: Review Mozilla 1780014: Add specific telemetry for conservative and first-try handshakes
Bug tor-browser#41938: Review Mozilla 1769994: On systems with IPv6 preferred DNS resolution clients will fail to connect when "localhost" is used as host for the WebSocket server
Bug tor-browser#41939: Review Mozilla 1728871: Support fetching data from Remote Setting
Bug tor-browser#41941: Review Mozilla 1775254: Improve Math.pow accuracy for large exponents
Bug tor-browser#41943: Lock javascript.options.spectre.disable_for_isolated_content to false
Bug tor-browser#41945: Review Mozilla 1783019: Add a cookie banner service to automatically handle website cookie banners
Bug tor-browser#41946: Review Mozilla 1782579: Add a locale parameter to the text recognition API
Bug tor-browser#41947: Review Mozilla 1779005: Broken since Firefox 102.0: no instant fallback to direct connection when proxy became unreachable while runtime
Bug tor-browser#41950: Review Mozilla 1788668: Add the possibility to check that the clipboard contains some pdfjs stuff
Bug tor-browser#41951: Review Mozilla 1790681: Enable separatePrivateDefault by default
Bug tor-browser#41959: Review Mozilla 1795944: Remove descriptionheightworkaround
Bug tor-browser#41960: Review Mozilla 1797896: Proxy environment variables should be upper case / case insensitive
Bug tor-browser#41961: Review Mozilla 1798868: Hide cookie banner handling UI by default
Bug tor-browser#41969: Review Mozilla 1746983: Re-enable pingsender2
Bug tor-browser#41970: Review Mozilla 17909270: WebRTC bypasses Network settings & proxy.onRequest
Bug tor-browser#41984: Rename languageNotification.ftl to base-browser.ftl
Bug tor-browser#42013: Review Mozilla 1834374: Do not call EmptyClipboard() in nsBaseClipboard destructor
Bug tor-browser#42014: Review Mozilla 1832791: Implement a Remote Settings for the Quarantined Domains pref
Bug tor-browser#42015: Review Mozilla 1830890: Keep a history window of WebRTC stats for about:webrtc
Bug tor-browser#42019: Empty browser's clipboard on browser shutdown
Bug tor-browser#42026: Disable cookie banner service and UI.
Bug tor-browser#42029: Defense-in-depth: disable non-proxied UDP WebRTC
Bug tor-browser#42034: aboutTBUpdate.dtd is duplicated
Bug tor-browser#42043: Disable gUM: media.devices.enumerate.legacy.enabled
Bug tor-browser#42061: Move the alpha update channel creation to a commit on its own
Bug tor-browser#42084: Race condition with language preferences may make spoof_english ineffective
Bug tor-browser#42085: NEWNYM signal missing on Whonix
Bug tor-browser#42094: Disable media.aboutwebrtc.hist.enabled as security in-depth
Bug tor-browser#42120: Use foursquare as domain front for snowflake
Bug tor-browser-build#40887: Update Webtunnel version to 38eb5505
Windows + macOS + Linux
Updated Firefox to 115.3.1esr
Bug tor-browser#30556: Re-evaluate letterboxing dimension choices
Bug tor-browser#32328: Improve error recovery from the red screen of death
Bug tor-browser#33282: Increase the max width of new windows
Bug tor-browser#33955: Selecting "Copy image" from menu leaks the source URL to the clipboard. This data is often dereferenced by other applications.
Bug tor-browser#40175: Connections in reader mode are not FPI
Bug tor-browser#40982: Cleanup maps in tor-circuit-display
Bug tor-browser#40983: Move not UI-related torbutton.js code to modules
Bug tor-browser#41165: Crash with debug assertions enabled
Bug tor-browser#41333: Modernize Tor Browser's new-tab page (about:tor)
Bug tor-browser#41423: about:tor semantic and accessibility problems
Bug tor-browser#41528: Hard-coded English "based on Mozilla Firefox" appears in version in "About" dialog
Bug tor-browser#41581: ESR115: figure out extension pinning / unified Extensions
Bug tor-browser#41639: Fix the wordmark (title and background) of the "About Tor Browser" window
Bug tor-browser#41642: Do not hide new PBM in the hamburger menu if auto PBM is not enabled
Bug tor-browser#41651: Use moz-toggle in connection preferences
Bug tor-browser#41691: "Firefox Suggest" text appearing in UI
Bug tor-browser#41717: Bookmark toolbar visibility on new tabs is not honored when new tab page is not about:blank
Bug tor-browser#41739: Remove "Website appearance"
Bug tor-browser#41741: Refactor the domain isolator and new circuit
Bug tor-browser#41765: TTP-02-006 WP1: Information leaks via custom homepage (Low)
Bug tor-browser#41766: TTP-02-001 WP1: XSS in TorConnect's captive portal (Info)
Bug tor-browser#41771: Decide what to do for firefoxview
Bug tor-browser#41774: Hide the new "Switching to a new device" help menu item
Bug tor-browser#41791: Copying page contents also puts the source URL on the clipboard
Bug tor-browser#41812: Review layout for XUL elements
Bug tor-browser#41813: Look out for links missing underlines in ESR 115-based alphas
Bug tor-browser#41821: Fix the proxy type in the proxy modal of about:preferences in 13.0
Bug tor-browser#41822: The default browser button came back on 115
Bug tor-browser#41833: Reload extensions on new identity
Bug tor-browser#41834: Hide "Can't Be Removed - learn more" menu line for uninstallable add-ons
Bug tor-browser#41842: Remove the old removal logics from Torbutton
Bug tor-browser#41844: Stop using the control port directly
Bug tor-browser#41845: Stop forcing (bad) pref values for non-PBM users
Bug tor-browser#41852: Review the Tor Check Service UX
Bug tor-browser#41864: TOR_CONTROL_HOST and TOR_SOCKS_HOST do not work as expected when the browser launches tor
Bug tor-browser#41865: Use --text-color-deemphasized rather than --panel-description-color
Bug tor-browser#41874: Visual & A11 regressions in add-on badges
Bug tor-browser#41876: Remove Firefox View from title bar
Bug tor-browser#41877: NoScript seems to be blocking by default in the first 115-based testbuild
Bug tor-browser#41881: Developer tools/Network/New Request remembers requests
Bug tor-browser#41886: Downloads drop-down panel has new-line/line-break between every word in the 'Be careful opening downloads' warning
Bug tor-browser#41904: The log textarea doesn't resize anymore
Bug tor-browser#41906: Hide about:preferences#privacy > DNS over HTTPS section
Bug tor-browser#41907: The bootstrap is interrupted without any errors if the process becomes ready when already bootstrapping
Bug tor-browser#41912: "Use Current Bridges" is shown for users even when there aren't any current bridges
Bug tor-browser#41922: Unify the bridge line parsers
Bug tor-browser#41923: The path normalization results in warnings
Bug tor-browser#41924: Small refactors for TorProcess
Bug tor-browser#41925: Remove the torbutton startup observer
Bug tor-browser#41926: Refactor the control port client implementation
Bug tor-browser#41931: Regression: new window leaks outer window
Bug tor-browser#41935: Improve new window & letterboxing dimensions
Bug tor-browser#41940: Review Mozilla 1739348: When a filetype is set to "always ask" and the user makes a save/open choice in the dialog, we should not also open the downloads panel
Bug tor-browser#41949: Review Mozilla 1782578: Implement a context menu modal for text recognition
Bug tor-browser#41954: Inputs in the request a bridge dialog are cut-off in 13.0 alpha
Bug tor-browser#41957: Revert to Fx's default identity block style for internal pages
Bug tor-browser#41958: Console error when closing tor browser with about:preferences open
Bug tor-browser#41964: emojiAnnotations not defined in time in connection preferences
Bug tor-browser#41965: TorConnect error when opening browser tools
Bug tor-browser#41971: Update Tails URL in downloads warning
Bug tor-browser#41973: Custom wingpanels don't line up with their toolbar icons in 13.0 alpha
Bug tor-browser#41974: De-emphasized text in custom components is no longer gray in 13.0 alpha
Bug tor-browser#41975: Downloads warning text too narrow in 13.0 alpha
Bug tor-browser#41976: Bottom padding on collapsed bridge cards has increased in 13.0 alpha
Bug tor-browser#41977: Hide the "Learn more" link in bridge cards
Bug tor-browser#41980: Circuit display headline is misaligned in 13.0 alpha
Bug tor-browser#41981: Review Mozilla 1800675: Add about:preferences entry for cookie banner handling
Bug tor-browser#41983: Review Mozilla 1770447: Create a reusable "support-link" widget
Bug tor-browser#41986: Fix the control port password handling
Bug tor-browser#41994: CSS (and other assets) of some websites blocked in 13.0 alpha
Bug tor-browser#42022: Prevent extension search engines from breaking the whole search system
Bug tor-browser#42027: Create a Base Browser version of migrateUI
Bug tor-browser#42037: Disable about:firefoxview
Bug tor-browser#42041: TBB --allow-remote mixes up with plain Firefox
Bug tor-browser#42045: Circuit panel overflows with long ipv6 addresses
Bug tor-browser#42046: Remove XUL layout hacks from base browser
Bug tor-browser#42047: Remove layout hacks from tor browser preferences
Bug tor-browser#42050: Bring back Save As... dialog as default
Bug tor-browser#42073: Add simplified onion pattern to the new homepage
Bug tor-browser#42075: Fix link spacing and underline on new homepage
Bug tor-browser#42079: TorConnect: handle switching from Bootstrapped to Configuring state
Bug tor-browser#42083: RemoteSecuritySettings.init throws error in console
Bug tor-browser#42091: Onion authorization prompt overflows
Bug tor-browser#42092: Onion services key table display problems.
Bug tor-browser#42098: Implement Windows installer icons
Bug tor-browser#42100: Connect Assist dropdown text not centered
Bug tor-browser#42102: TorProcess says the SOCKS port is not valid even though it is
Bug tor-browser#42109: Onion services keys table has empty column headers.
Bug tor-browser#42110: Add a utility module for shared UI methods needed for several tor browser components
Bug tor-browser#42126: moat and connect assist broken for people who can't reach domain front
Bug tor-browser#42129: Disable the Tor restart prompt if shouldStartAndOwnTor is false
Bug tor-browser#42131: Tor Browser 13.0a5 does not track circuits created before Tor Browser started
Bug tor-browser#42132: The new control port handling in Tor Browser 13 breaks a Tails security feature
Bug tor-browser#42138: Disable apz.overscroll.enabled pref
Bug tor-browser#42155: Drop the unused code for the old bridge removal warning
Bug tor-browser#42159: Responsive Design Mode not working correctly
Bug tor-browser#42160: Allow specifying a TOR_PROVIDER=none to configure only the proxy settings during the TorProviderBuilder initialization
Bug tor-browser#42166: New identity dialog missing accessible name
Bug tor-browser#42167: Make the preference auto-focus more reliable
Bug tor-browser-build#40821: The update details URL is wrong in alphas
Bug tor-browser-build#40893: Update (Noto) fonts for 13.0
Bug tor-browser-build#40924: Customize MOZ_APP_REMOTINGNAME instead of passing --name and --class
Bug tor-browser-build#40938: Copy the new tor-browser.ftl file to the appropriate directory
Windows + Android:
Bug tor-browser-build#40930: Upate zlib to 1.3 after 13.0a3
Windows
Bug tor-browser#40737: Revert backout of Mozilla's fix for bug 1724777
Bug tor-browser#41658: Create new installer icons for Windows
Bug tor-browser#41798: Stop building private_browsing.exe on Windows
Bug tor-browser#41806: Prevent Private Browsing start menu item to be added automatically
Bug tor-browser#41942: Review Mozilla 1682520: Use the WER runtime exception module to catch early crashes
Bug tor-browser#41944: Review Mozilla 1774083: Add Surrogate COM Server to handle native Windows notifications when Firefox is closed.
Bug tor-browser#42008: Review Mozilla 1808146: Copying images from Pixiv and pasting them in certain programs is broken
Bug tor-browser#42010: Review Mozilla 1810641: Enable overscroll on Windows on all channels
Bug tor-browser#42087: Implement Windows application icons
Bug tor-browser-build#40954: Implement Windows installer icons
macOS:
Bug tor-browser#41948: Review Mozilla 1782981: Hide the text recognition context menu if the macOS version doesn't support APIs
Bug tor-browser#41955: Update macOS volume window background
Bug tor-browser#41982: Review Mozilla 1762392: Add Cocoa platform support for paste files
Bug tor-browser#42057: Disable Platform text-recognition functionality
Bug tor-browser#42078: Implement MacOS application icons
Bug tor-browser#42147: Add browser.helperApps.deleteTempFileOnExit to our profile
Linux:
Bug tor-browser#41509: After update, KDE Plasma identifies Tor Browser Nightly window group as "firefox-nightly"
Bug tor-browser#41884: Linux: set browser.tabs.searchclipboardfor.middleclick to false
Bug tor-browser#42088: Implement Linux application icons
Bug tor-browser-build#40576: Fontconfig warning: remove 'blank' configuration
Android
Updated GeckoView to 115.3.1esr
Bug tor-browser#41878: firefox-mobile: refactor tor bootstrap off deleted onboarding path
Bug tor-browser#41882: Update DuckDuckGo icons
Bug tor-browser#41911: Firefox-Android tor bootstrap connect button css broken
Bug tor-browser#41928: Backport Android-specific security fixes from Firefox 116 to ESR 102.14 / 115.1 - based Tor Browser
Bug tor-browser#41972: Disable Firefox onboarding in 13.0
Bug tor-browser#41990: Review Mozilla 1811531: Add 'site' query parameter to Pocket sponsored stories request
Bug tor-browser#41991: Review Mozilla 1812518: Allow a custom View for 3rd party downloads
Bug tor-browser#41993: Review Mozilla 1810761: Add API for saving a PDF
Bug tor-browser#41996: App includes com.google.android.gms.permission.AD_ID permission
Bug tor-browser#41997: com.adjust.sdk.Adjust library enables AD_ID permission even though we aren't using it
Bug tor-browser#41999: TB13.0a2 android: center text on connect button
Bug tor-browser#42001: Hide 'Open links in external app' settings option and force defaults
Bug tor-browser#42002: Review Mozilla 1809305: Allow user to copy an image to the clipboard
Bug tor-browser#42003: Review Mozilla 1819431: Reimplement default browser notification with Nimbus Messaging equivalent
Bug tor-browser#42004: Review Mozilla 1818015: Use a custom tab or the view we use for Sync onboarding for the Privacy button
Bug tor-browser#42005: Review Mozilla 1816932: Add Maps to app links common sub domains
Bug tor-browser#42006: Review Mozilla 1817726: Allow sharing current tab URL from Android's Recents (App Overview) screen.
Bug tor-browser#42007: Review Mozilla 1805450: Allow users to submit site support requests in Fenix
Bug tor-browser#42012: Review Mozilla 1810629: add an Android shortcut to go straight to the login and passwords page
Bug tor-browser#42016: Review Mozilla 1832069: Implement Google Play Referrer Library to fetch referrer URL
Bug tor-browser#42018: Rebase Firefox for Android to 115.2.1
Bug tor-browser#42023: Remove FF what's new from Android
Bug tor-browser#42038: TBA Alpha - inscriptions Tor Browser Alpha and FireFox Browser simultaneously on the start screen
Bug tor-browser#42074: YEC 2023 Takeover for Android Stable
Bug tor-browser#42076: Theme is visible in options, but shouldn't be
Bug tor-browser#42089: Disable the Cookie Banner Reduction site support requests (Mozilla 1805450)
Bug tor-browser#42114: Disable Allow sharing current tab URL from Android's Recents screen in private browsing mode
Bug tor-browser#42115: Enhanced Tracking Protection can still be enabled
Bug tor-browser#42122: playstore console crashes: java.lang.NoSuchMethodError
Bug tor-browser#42133: Remove "Total Cookie Protection" popup
Bug tor-browser#42134: Remove Android icon shortcuts
Bug tor-browser#42156: Screenshot allowing still blocks homescreen (android)
Bug tor-browser#42157: Fix Help button URL
Bug tor-browser#42165: Remove "Add to shortcuts" and "Remove from shortcuts" buttons
Bug tor-browser#42158: Remove "Customize Homepage" button
Bug tor-browser-build#40740: Tor Browser for Android's snowflake ClientTransportPlugin seems to be out of date
Bug tor-browser-build#40919: Fix nimbus-fml reproducibility of 13.0a2-build1
Bug tor-browser-build#40941: Remove PT process options on Android
Build System:
All Platforms:
Updated Go to 1.21.1
Bug tor-browser#42130: Add support for specifying the branch in tb-dev rebase-on-default
Bug tor-browser-build#31588: Be smarter about vendoring for Rust projects
Bug tor-browser-build#40089: Clean up usage of get-moz-build-date script
Bug tor-browser-build#40410: Get rid of python2
Bug tor-browser-build#40487: Bump Python version
Bug tor-browser-build#40741: Update browser and tor-android-service projects to pull data from pt_config.json
Bug tor-browser-build#40802: Drop the patch for making WASI reproducible
Bug tor-browser-build#40829: Review and standardize naming scheme for browser installer/package artifacts
Bug tor-browser-build#40854: Update to OpenSSL 3.0
Bug tor-browser-build#40855: Update toolchains for Mozilla 115
Bug tor-browser-build#40868: Bump Rust to 1.69.0
Bug tor-browser-build#40880: The README doesn't include some dependencies needed for building incrementals
Bug tor-browser-build#40886: Update README with instructions for Arch linux
Bug tor-browser-build#40898: Add doc from tor-browser-spec/processes/ReleaseProcess to gitlab issue templates
Bug tor-browser-build#40908: Enable the --enable-gpl config flag in tor to bring in PoW functionality
Bug tor-browser-build#40929: Update go to 1.21 series after 13.0a3
Bug tor-browser-build#40932: Remove appname_bundle_android, appname_bundle_macos, appname_bundle_linux, appname_bundle_win32, appname_bundle_win64 from projects/release/update_responses_config.yml
Bug tor-browser-build#40935: Fix fallout from build target rename in signing scripts
Bug tor-browser-build#40948: Remove lyrebird-vendor sha256sum in nightly
Bug tor-browser-build#40957: Expired subkey warning on Tor Browser GPG verification
Bug tor-browser-build#40972: Handle Mullvad Browser in the changelog script and group entries by project
Windows + macOS + Linux
Bug tor-browser#41967: Add a Makefile recipe to create multi-lingual dev builds
Bug tor-browser-build#40149: Remove patching of nightly update URL
Bug tor-browser-build#40615: Consider adding a readme to the fonts directory
Bug tor-browser-build#40907: Sometimes debug information are not deterministic with Clang 16.0.4
Bug tor-browser-build#40922: Use base-browser.ftl instead of languageNotification.ftl
Bug tor-browser-build#40931: Fix incrementals after tor-browser-build#40829
Bug tor-browser-build#40933: Fix generating incrementals between 12.5.x and 13.0
Bug tor-browser-build#40942: Use the branch to build Base Browser
Bug tor-browser-build#40944: After #40931, updates_responses is using incremental.mar files as if they were non-incremental mar files
Bug tor-browser-build#40947: Remove migrate_langs from tools/signing/nightly/update-responses-base-config.yml
Bug tor-browser-build#40956: Allow testing the updater also with release and alpha channel
Windows
Bug tor-browser#41995: Generated headers on Windows aren't reproducible
Bug tor-browser-build#40832: Unify mingw-w64-clang 32+64 bits
Bug tor-browser-build#40940: Change position of the install|portable in the builds filenames
macOS
Bug tor-browser#42035: Update tools/torbrowser/ scripts to support macOS dev environment
Bug tor-browser-build#40943: Update libdmg-hfsplus to include our uplifted patch
Bug tor-browser-build#40951: Firefox fails to build for macOS after tor-browser-build#40938
Linux
Bug tor-browser#42071: tor-browser deployed format changed breaking fetch.sh
Bug tor-browser-build#40102: Move from Debian Jessie to Debian Stretch for our Linux builds
Bug tor-browser-build#40971: Stop shipping Linux i686 debug archive until we actually produce the symbols
Android
Bug tor-browser#41899: Use LLD for Android
Bug tor-browser-build#40867: Create a RBM project for the unified Android repository
Bug tor-browser-build#40917: Remove the uniffi-rs project
Bug tor-browser-build#40918: The commit hash is still not displayed about:buildconfig on Android
Bug tor-browser-build#40920: Non-deterministic generation of baseline.profm file in Android apks
Bug tor-browser-build#40963: Tor Browesr 13.0 torbrowser-testbuild-android* targets fail to build
Bug tor-browser-build#40974: firefox-android fails to build in release

New in Tor Browser 13.0 Alpha 6 (Oct 1, 2023)

MAJOR CHANGES:
This is our sixth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. It is also our first release-candidate build for 13.0 stable. If you find any issues, please report them on our gitlab or on the Tor Project forum.
We have completed our annual esr transition audit, and the final reports should be available in our tor-browser-spec repository in the audits directory. All of the interesting upstream patches have either been disabled or found to not be a problem for us on closer inspection.
BUILD OUTPUT NAMING UPDATES:
As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory
FULL CHANGELOG:
We would like to thank volunteer contributor guest475646844 for their fix for tor-browser#41165. If you would like to contribute, our issue tracker can be found here.
The full changelog since Tor Browser 13.0a5 is:
All Platforms:
Updated tor to 0.4.8.7
Updated Translations
Bug tor-browser#42139: Backport security fixes from Firefox 115.3.1 to 115.3.0
Windows + macOS + Linux:
Bug tor-browser#40899: Fix all of our usage of app.support.baseURL
Bug tor-browser#41165: Crash with debug assertions enabled
Bug tor-browser#41910: Support link regression in 115.1.0esr
Bug tor-browser#42100: Connect Assist dropdown text not centered
Bug tor-browser#42129: Disable the Tor restart prompt if shouldStartAndOwnTor is falses
Bug tor-browser#42131: Tor Browser 13.0a5 does not track circuits created before Tor Browser started
Bug tor-browser#42132: The new control port handling in Tor Browser 13 breaks a Tails security feature
Windows:
Bug tor-browser-build#40954: Implement Windows installer icons
Bug tor-browser#42087: Implement Windows application icons
Android:
Bug tor-browser#42023: TB13.0a2 android: remove FF what's new
Bug tor-browser#42114: Disable Allow sharing current tab URL from Android's Recents screen in private browsing mode
Bug tor-browser#42115: Enhanced Tracking Protection can still be enabled
Bug tor-browser#42133: Remove "Total Cookie Protection" popup
Bug tor-browser#42134: Remove Android icon shortcuts
Build System:
All Platforms:
Bug tor-browser-build#40741: Update browser and tor-android-service projects to pull data from pt_config.json
Bug tor-browser-build#40957: Expired subkey warning on Tor Browser GPG verification
Bug tor-browser#42130: Add support for specifying the branch in tb-dev rebase-on-default
Android:
Bug tor-browser-build#40963: Tor Browesr 13.0 torbrowser-testbuild-android* targets fail to build

New in Tor Browser 13.0 Alpha 5 (Sep 25, 2023)

MAJOR CHANGES:
This is our fifth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our gitlab or on the Tor Project forum.
We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series which will continue to receive security updates until 13.0 alpha is promoted to stable.
Build Output Naming Updates:
As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory
KNOWN ISSUES:
All Platforms:
The Snowflake pluggable-transport is no longer working for some users due to cdn.sstatic.net resolving to a Cloudflare IP rather than a Fastly one. As a result, the domain fronting functionality required by the Snowflake pluggable-transport no longer works and users will not be able to use it to connect to tor on versions of Tor Browser older than 13.0a5.
For now, this can be worked around by using custom Snowflake bridge lines with an updated fronting domain. Directions on how to do this can be found on this post on the tor forum:
https://forum.torproject.org/t/temporary-fix-for-moat-and-connection-assist/9385
This issue is being tracked here and is fixed in 13.0a5 and will also be fixed in the next stable release. Users who rely on Snowflake for Tor connectivity will not be able to bootstrap and update their Tor Browser instance without the aforementioned manual workaround.
Desktop:
The automatic censorship circumvention system is also currently failing due to the same domain-fronting issue affecting snowflake. As a workaround, users can set the extensions.torlauncher.bridgedb_front preference to foursquare.com in Tor Browser's about:config page.
This issue is being tracked here and will be fixed in the next stable and alpha releases.
FULL CHANGELOG:
The full changelog since Tor Browser 13.0a4 is:
All Platforms
Updated Translations
Updated OpenSSL to 3.0.11
Updated tor to 0.4.8.6
Bug tor-browser#40938: Migrate remaining torbutton functionality to tor-browser
Bug tor-browser#41327: Disable UrlbarProviderInterventions
Bug tor-browser#42026: Disable cookie banner service and UI.
Bug tor-browser#42094: Disable media.aboutwebrtc.hist.enabled as security in-depth
Bug tor-browser#42112: Rebase alpha to 115.3.0esr
Bug tor-browser#42120: Use foursquare as domain front for snowflake
Windows + macOS + Linux
Updated Firefox to 115.3.0esr
Bug tor-browser-build#40893: Update (Noto) fonts for 13.0
Bug tor-browser#41639: Fix the wordmark (title and background) of the "About Tor Browser" window
Bug tor-browser#41822: The default browser button came back on 115
Bug tor-browser#41864: TOR_CONTROL_HOST and TOR_SOCKS_HOST do not work as expected when the browser launches tor
Bug tor-browser#41903: The info icon on the language change prompt is not shown
Bug tor-browser#41957: Revert to Fx's default identity block style for internal pages
Bug tor-browser#41958: Console error when closing tor browser with about:preferences open
Bug tor-browser#41986: Fix the control port password handling
Bug tor-browser#42037: Disable about:firefoxview
Bug tor-browser#42073: Add simplified onion pattern to the new homepage
Bug tor-browser#42079: TorConnect: handle switching from Bootstrapped to Configuring state
Bug tor-browser#42083: RemoteSecuritySettings.init throws error in console
Bug tor-browser#42091: Onion authorization prompt overflows
Bug tor-browser#42092: Onion services key table display problems.
Bug tor-browser#42102: TorProcess says the SOCKS port is not valid even though it is
Bug tor-browser#42110: Add a utility module for shared UI methods needed for several tor browser components
Windows
Bug tor-browser#41798: Stop building private_browsing.exe on Windows
macOS
Bug tor-browser#42078: Implement MacOS application icons
Linux
Bug tor-browser#42088: Implement Linux application icons
Android
Updated GeckoView to 115.3.0esr
Bug tor-browser#42089: Disable Mozilla 1805450
Bug tor-browser#42122: Fix crash due to bad android deprecation and APIs
Build System
Windows + macOS + Linux
Bug tor-browser-build#40956: Allow testing the updater also with release and alpha channel
Windows
Bug tor-browser#41995: Generated headers on Windows aren't reproducible

New in Tor Browser 13.0 Alpha 4 (Sep 17, 2023)

Major Changes:
This is our fourth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our gitlab or on the Tor Project forum.
We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series which will continue to receive security updates until 13.0 alpha is promoted to stable.
Build Output Naming Updates:
As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory
UX Refresh of about:
The about:tor page you land on after bootstrapping has been rewritten for our Desktop platforms. As part of this process, and as part of the tor integration back-end rewrite, we have removed the automatic tor network connectivity check ( https://check.torproject.org ) which occurred in the about:tor page.
This check was a hold-over from the tor-launcher days when launching and bootstrapping the tor daemon was handled by an extension which ran before the Firefox browser interface was presented to the user. As a result of the tighter tor integration and in-browser bootstrapping experience in about:connection, the legacy logic behind this check would sometimes fail and present some users with the infamous 'red screen of death', even if their tor connection was fine.
That is to say, all of the reports we have received of users hitting this screen were false-positives when using the default configuration. The conditions for which the check on this page made sense no longer exist and now only serve to confuse users. On top of that, the two main environments where Tor Browser is used in a non-default configuration where the check is arguably useful (Tails and Whonix) do not use the built-in about:tor page for home or new-tab.
Tor Browser users with the default configuration who successfully go through the bootstrapping process essentially cannot get into a situation where they are able to load about:tor while not being connected to the process-owned tor daemon. If they are connected to the tor daemon, then the check will either succeed or timeout if the connection to the Tor Network fails after bootstrapping. If the tor daemon has crashed or failed to launch, then the browser's proxy settings prevent web traffic from going anywhere outside the users system
In the short term, we will be adding some ux to the about:tor page for users who are not using a default configuration to easily check that their configuration is correct and using tor as expected.
Longer-term (in the 13.5 time-frame) we plan on integrating this tor check directly into the about:connection state-machine so we can avoid false-positives in the default configuration while also providing peace-of-mind that web traffic is being routed correctly. We will also likely iterate on the about:tor ux for users in non-default configurations.
Android:
Our Tor Browser Android release should be pretty close to final in terms of changes, apart from bug fixes or tweaks required by our annual ESR code-audit. The rendering+branding errors from 13.0a3 have been resolved. If you are able, please be sure to take the Tor Browser Android alpha for a spin, and especially try using bridges!
Known Issues:
Desktop:
Build to build incremental updates are currently failing for some users if you are starting at a version older than 13.0a3. Users on 13.0a2 and 13.0a1 will first download the small incremental update, fail to apply it after a re-launch, and then download the full large update. This should not result in losing anything of value apart from your precious time.
It is being tracked in tor-browser#42101.
Windows:
Building generated debug headers are not currently reproducible. This only affects debug info and does not affect users. This issue is being tracked here. It will either be fixed before the 13.0 alpha series transitions to stable later this year, or we will disable this developer feature by default to ensure fully matching builds.
All Platforms:
Updated Translations
Updated NoScript to 11.4.27
Updated tor to 0.4.8.5
Updated Snowflake to 2.6.1
Bug tor-browser-build#40951: Firefox fails to build for macos after #40938
Bug tor-browser#41675: ESR115: decide on large array buffers
Bug tor-browser#41740: ESR115: change devicePixelRatio spoof to 2 in alpha for testing
Bug tor-browser#41797: Lock RFP in release builds
Bug tor-browser#41934: Websocket raises DOMException on http onions in 13.0a1
Bug tor-browser#42034: aboutTBUpdate.dtd is duplicated
Bug tor-browser#42043: Disable gUM: media.devices.enumerate.legacy.enabled
Bug tor-browser#42061: Move the alpha update channel creation to a commit on its own
Bug tor-browser#42084: Race condition with language preferences may make spoof_english ineffective
Bug tor-browser#42093: Rebase alpha onto 115.2.1esr
Windows + macOS + Linux
Updated Firefox to 115.2.1esr
Bug tor-browser-build#40149: Remove patching of nightly update URL
Bug tor-browser-build#40821: The update details URL is wrong in alphas
Bug tor-browser-build#40938: Copy the new tor-browser.ftl file to the appropriate directory
Bug tor-browser#41333: Modernize Tor Browser's new-tab page (about:tor)
Bug tor-browser#41528: Hard-coded English "based on Mozilla Firefox" appears in version in "About" dialog
Bug tor-browser#41651: Use moz-toggle in connection preferences
Bug tor-browser#41739: Remove "Website appearance"
Bug tor-browser#41774: Hide the new "Switching to a new device" help menu item
Bug tor-browser#41821: Fix the proxy type in the proxy modal of about:preferences in 13.0
Bug tor-browser#41865: Use --text-color-deemphasized rather than --panel-description-color
Bug tor-browser#41876: Remove firefox view from title bar
Bug tor-browser#41881: Developer tools/Network/New Request remembers requests
Bug tor-browser#41886: Downloads drop-down panel has new-line/line-break between every word in the 'Be careful opening downloads' warning
Bug tor-browser#41904: The log textarea doesn't resize anymore
BUg 41906: hide about:preferences#privacy > DNS over HTTPS section [tor-browser]
Bug tor-browser#41971: Update Tails URL in downloads warning
Bug tor-browser#41974: De-emphasized text in custom components is no longer gray in 13.0 alpha
Bug tor-browser#41977: Hide the "Learn more" link in bridge cards
Bug tor-browser#41980: Circuit display headline is misaligned in 13.0 alpha
Bug tor-browser#42027: Create a Base Browser version of migrateUI
Bug tor-browser#42045: Circuit panel overflows with long ipv6 addresses
Bug tor-browser#42046: Remove XUL layout hacks from base browser
Bug tor-browser#42047: Remove layout hacks from tor browser preferences
Bug tor-browser#42050: Bring back Save As... dialog as default
Bug tor-browser#42075: Fix link spacing and underline on new homepage
Windows + Android
Updated zlib to 1.3
Bug tor-browser-build#40930: Update zlib to 1.3 after 13.0a3
macOS
Bug tor-browser#42057: Disable Platform text-recognition functionality
Linux
Bug tor-browser#41509: After update, KDE Plasma identifies Tor Browser Nightly window group as "firefox-nightly"
Android
Updated GeckoView to 115.2.1esr
Bug tor-browser-build#40941: Remove PT process options on Android
Bug tor-browser#41878: firefox-mobile: refactor tor bootstrap off deleted onboarding path
Bug tor-browser#41879: firefox-android: Add Tor integration and UI commit is too big, needs to be split up
Bug tor-browser#41882: Update DuckDuckGo icons
Bug tor-browser#41987: Tor Browser Android Onboarding Plan
Bug tor-browser#42001: Hide 'Open links in external app' settings option and force defaults
Bug tor-browser#42038: TBA Alpha - inscriptions Tor Browser Alpha and FireFox Browser simultaneously on the start screen
Bug tor-browser#42076: Theme is visable in options, but shouldn't be
Build System
All Platforms
Updated Go to 1.21.1
Bug tor-browser-build#40929: Update go to 1.21 series after 13.0a3
Bug tor-browser-build#40932: Remove appname_bundle_android, appname_bundle_macos, appname_bundle_linux, appname_bundle_win32, appname_bundle_win64 from projects/release/update_responses_config.yml
Bug tor-browser-build#40935: Fix fallout from build target rename in signing scripts
Bug tor-browser-build#40948: Remove lyrebird-vendor sha256sum in nightly
Windows + macOS + Linux
Bug tor-browser-build#40786: deploy_update_responses-*.sh requires +r permissions to run
Bug tor-browser-build#40931: Fix incrementals after tor-browser-build#40829
Bug tor-browser-build#40933: Fix generating incrementals between 12.5.x and 13.0
Bug tor-browser-build#40942: Use the branch to build Base Browser
Bug tor-browser-build#40944: After #40931, updates_responses is using incremental.mar files as if they were non-incremental mar files
Bug tor-browser-build#40946: override_updater_url does not work for Mullvad Browser
Bug tor-browser-build#40947: Remove migrate_langs from tools/signing/nightly/update-responses-base-config.yml
macOS
Bug tor-browser-build#40943: Update libdmg-hfsplus to include our uplifted patch
Bug tor-browser#42035: Update tools/torbrowser/ scripts to support macOS dev environment
Linux
Bug tor-browser#42071: tor-browser deployed format changed breaking fetch.sh

New in Tor Browser 12.5.4 (Sep 14, 2023)

New in Tor Browser 12.5.3 (Sep 1, 2023)

New in Tor Browser 13.0 Alpha 3 (Aug 25, 2023)

MAJOR CHANGES:
This is our third alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our gitlab or on the Tor Project forum.
We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series which will continue to receive security updates until 13.0 alpha is promoted to stable.
BUILD SYSTEM:
We have made the naming scheme for all of our build outputs mutually consistent! This basically means that going forward all our build artifacts will have a name following the form ${ARTIFACT}-${OS}-${ARCH}-${VERSION}.${EXT}. For example, in 13.0a2 the macOS .dmg pakage was named TorBrowser-13.0a2-macos_ALL.dmg whereas in 13.0a3 it is named tor-browser-macos-13.0a3.dmg.
If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes.
FULL CHANGELOG:
We would like to thank volunteer contributor cypherpunks1 for their fixes for tor-browser#40175, and tor-browser#41642. If you would like to contribute, our issue tracker can be found here.
The full changelog since Tor Browser 13.0a2 is:
All Platforms:
Updated Translations
Bug tor-browser#41943: Lock javascript.options.spectre.disable_for_isolated_content to false
Bug tor-browser#41984: Rename languageNotification.ftl to base-browser.ftl
Bug tor-browser#42019: Empty browser's clipboard on browser shutdown
Bug tor-browser#42030: Rebase the browsers to 115.2.0esr
Windows + macOS + Linux
Updated Firefox to 115.2.0esr
Bug tor-browser#40175: Connections in reader mode are not FPI
Bug tor-browser-build#40924: Customize MOZ_APP_REMOTINGNAME instead of passing --name and --class
Bug tor-browser#41691: "Firefox Suggest" text appearing in UI
Bug tor-browser#41833: Reload extensions on new identiy
Bug tor-browser#42022: Prevent extension search engines from breaking the whole search system
Bug tor-browser#42031: TBB 13.0a2: TypeError: channel.loadInfo.browsingContext.topChromeWindow.gBrowser is undefined
Linux:
Bug tor-browser-build#40576: Fontconfig warning: remove 'blank' configuration
Android:
Updated GeckoView to 115.2.0esr
Bug tor-browser#42018: Rebase Firefox for Android to 115.2.1
BUILD SYSTEM:
All Platforms:
Bug tor-browser-build#40829: Review and standardize naming scheme for browser installer/package artifacts
Bug tor-browser-build#40921: staticiforme-prepare-cdn-dist-upload uses hardcoded torbrowser path for .htacess file generation
Windows + macOS + Linux:
Bug tor-browser-build#40922: Use base-browser.ftl instead of languageNotification.ftl
Linux:
Bug tor-browser#41967: Add a Makefile recipe to create multi-lingual dev builds

New in Tor Browser 13.0 Alpha 2 (Aug 14, 2023)

PLATFORMS:
Updated Translations
Updated NoScript to 11.4.26
Updated OpenSSL to 3.0.10
Updated tor to 0.4.8.3-rc
Bug tor-browser#41909: Rebase 13.0 alpha to 115.1.0 esr
Windows + macOS + Linux:
Updated Firefox to 115.1.0esr
Bug tor-browser#30556: Re-evaluate letterboxing dimension choices
Bug tor-browser#33282: Increase the max width of new windows
Bug tor-browser#40982: Cleanup maps in tor-circuit-display
Bug tor-browser#40983: Move not UI-related torbutton.js code to modules
Bug tor-browser#41844: Stop using the control port directly
Bug tor-browser#41907: The bootstrap is interrupted without any errors if the process becomes ready when already bootstrapping
Bug tor-browser#41922: Unify the bridge line parsers
Bug tor-browser#41923: The path normalization results in warnings
Bug tor-browser#41924: Small refactors for TorProcess
Bug tor-browser#41925: Remove the torbutton startup process
Bug tor-browser#41926: Refactor the control port client implementation
Bug tor-browser#41964: 'emojiAnnotations' not defined in time in connection preferences
Android:
Updated GeckoView to 115.1.0esr
Bug tor-browser-build#40919: Fix nimbus-fml reproducibility of 13.0a2-build1
Bug tor-browser#41928: Backport Android-specific security fixes from Firefox 116 to ESR 102.14 / 115.1 - based Tor Browser
Bug tor-browser#41972: Disable Firefox onboarding in 13.0
Bug tor-browser#41997: Remove all use and reference to com.adjust.sdk.Adjust which now uses AD_ID
Build System:
All Platforms
Updated Go to 1.20.7
Bug tor-browser-build#31588: Be smarter about vendoring for Rust projects
Bug tor-browser-build#40855: Update toolchains for Mozilla 115
Bug tor-browser-build#40880: The README doesn't include some dependencies needed for building incrementals
Bug tor-browser-build#40905: Go vendor archives ignore the nightly version override on testbuilds
Bug tor-browser-build#40908: Enable the --enable-gpl config flag in tor to bring in PoW functionality
Bug tor-browser-build#40909: Add dan_b and ma1 to list of taggers in relevant projects
Bug tor-browser-build#40913: add boklm back to list of taggers in relevant projects
Windows + macOS + Linux
Bug tor-browser-build#40615: Consider adding a readme to the fonts directory
Bug tor-browser-build#40907: Mar-tools aren't deterministic on 13.0a1
Windows
Bug tor-browser-build#31546: Create and expose PDB files for Tor Browser debugging on Windows
Android
Bug tor-browser-build#40867: Create a RBM project for the unified Android repository
Bug tor-browser-build#40917: Remove the uniffi-rs project
Bug tor-browser#41899: Use LLD for Android
Bug tor-browser-build#40920: Non-deterministic generation of baseline.profm file in Android apkS

New in Tor Browser 12.5.2 (Aug 7, 2023)

New in Tor Browser 13.0 Alpha 1 (Jul 28, 2023)

ALL PLATFORMS:
Updated Translations
Updated NoScript to 11.4.25
Updated OpenSSL to 3.0.9
Updated Go to 1.20.6
Updated tor to 0.4.8.2-alpha
Bug tor-browser#40577: Add "suggest url" in DDG onion's manifest
Bug tor-browser-build#40885: Bump version of snowflake to v2.6.0
Bug tor-browser-build#40887: Update Webtunnel version to 38eb5505
Bug tor-browser#41092: Enable tracking query parameters stripping
Bug tor-browser#41399: Update Mozilla's patch for Bug 1675054 to enable brotli encoding for HTTP onions as well
Bug tor-browser#41759: Rebase Base Browser to 115 nightly
Bug tor-browser#41796: Rebase Tor Browser to Firefox 115
Windows + macOS + Linux:
Updated Firefox to 115.0.2esr
Bug tor-browser#26277: When "Safest" setting is enabled searching using duckduckgo should always use the Non-Javascript site for searches
Bug tor-browser#33955: Selecting "Copy image" from menu leaks the source URL to the clipboard. This data is often dereferenced by other applications.
Bug tor-browser#41741: Refactor the domain isolator and new circuit
Bug tor-browser#41834: Hide "Can't Be Removed - learn more" menu line for uninstallable add-ons
Bug tor-browser#41842: Remove the old removal logics from Torbutton
Bug tor-browser#41845: Stop forcing (bad) pref values for non-PBM users
Bug tor-browser#41854: Download Spam Protection cannot be overridden to allow legitimate downloads
Bug tor-browser#41874: Visual & A11 regressions in add-on badges
BUILD SYSTEM:
All Platforms:
Bug tor-browser-build#40089: Clean up usage of get-moz-build-date script
Bug tor-browser-build#40410: Get rid of python2
Bug tor-browser-build#40487: Bump Python version
Bug tor-browser-build#40802: Drop the patch for making WASI reproducible
Bug tor-browser-build#40854: Update to OpenSSL 3.0
Bug tor-browser-build#40855: Update toolchains for Mozilla 115
Bug tor-browser-build#40868: Bump Rust to 1.69.0
Bug tor-browser-build#40886: Update README with instructions for Arch linux
Bug tor-browser-build#40889: Add mullvad sha256sums URL to tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
Bug tor-browser-build#40894: Fix format of keyring/boklm.gpg
Bug tor-browser-build#40898: Add doc from tor-browser-spec/processes/ReleaseProcess to gitlab issue templates
Windows:
Bug tor-browser-build#40832: Unify mingw-w64-clang 32+64 bits
Linux:
Bug tor-browser-build#40102: Move from Debian Jessie to Debian Stretch for our Linux builds

New in Tor Browser 12.5.1 (Jul 6, 2023)

New in Tor Browser 12.5 (Jun 25, 2023)

Updated circuit display:
In Tor Browser for desktop, the Tor circuit for each of your tabs can be found in the circuit display. Up until this release the circuit display lived in the site information panel – meaning you'd have to click the padlock icon (or onion icon, in the case of onion sites) to the left of the address bar to access it. Usability testing participants often struggled to find the circuit display when asked, and users generally needed to be taught where it lived.
To fix this, we've moved the circuit display behind a colorful new icon that sits beside the padlock. In addition, relays now have flags to help make their locations easier to identify at a glance; the design of onion site circuits has been made more concise; SecureDrop users who visit a human-readable onion name can now see and switch back to the underlying V3 onion address; and the panel as a whole has been rebuilt from scratch for better compatibility with screen readers.
New onion site icons:
Previously, onion sites were represented by the onion-glyph – a tiny, flat version of Tor Browser's onion logo. Now, when you visit an onion site in Tor Browser 12.5 on either desktop or Android you'll notice something new.
It's important to recognize that onion services are not exclusive to Tor Browser, and are a product in their own right. As onion service adoption has grown among civil society groups, human rights organizations, and news media outlets, so too has support for visiting onion services by third-party apps. Today, in addition to Tor Browser, you can also access onion services in compatible apps like Orbot, Onion Browser and Brave, to name a few. Given that, it no longer makes sense to continue to represent onion sites with an icon so closely associated with Tor Browser, and we're excited to introduce their new identity today.
Improved connection experience:
In Tor Browser 10.5 for desktop we retired the Tor Launcher in favor of a new interface that allows users to connect to Tor from the browser window itself. This feature unlocked the added benefit of being able to access Tor Browser's other menus while offline, including Connection settings, which offers greater functionality than the equivalent Tor Launcher settings page ever did.
Since that release, usability testing participants have sometimes had difficulty figuring out how to connect after navigating away from the Connect to Tor tab. To remedy this, we've made the Connect button accessible in the address bar of any page you visit while offline, and Tor Browser will connect automatically after you've configured a bridge in Connection settings. We've also improved the visibility of the browser's connection status, which can now be found in the top-right of the browser window, and you'll notice a new connection icon appear throughout the browser too.
Better accessibility:
As Tor Browser is based on the Extended Support Release of Firefox, we reuse as much of Firefox's front-end user experience as possible so that we can concentrate our resources on privacy and security issues. However Tor Browser also includes many custom pages and components on top of Firefox.
In parallel with longstanding efforts by Mozilla to improve Firefox's accessibility, we began an accessibility review of our own to document issues with Tor Browser for desktop's custom features. This review has now been completed, and we're beginning to deploy the first fixes in what will be a multi-release effort to improve Tor Browser's accessibility.
Since Tor Browser 11.5 we've refactored several components including bundled changelogs (about:tbupdate), the circuit display, the security level panel, miscellaneous dialogs and other parts of the browser chrome. If you use a screen reader or any other assistive technology, we'd love to get your help testing past and future fixes by volunteering as an alpha tester and feeding back to our developers on the Tor forum.
Finnish language support:
In Tor Browser 12.0 we added support for Albanian and Ukrainian. Now, thanks to the incredible work of our volunteer translators and partners at the Localization Lab, we're delighted to include Finnish (Suomi) as a language option on both desktop and Android too. If you spot an error in Finnish or any other language, you can learn more about how to contribute to the translation of Tor Browser, its documentation and our websites on our localization portal.
FULL CHANGELOG:
The full changelog since Tor Browser 12.0.7 is:
All Platforms:
Updated Translations:
Bug tor-browser-build#40353: Re-enable rlbox
Bug tor-browser-build#40810: Add Finnish (fi) language support
Bug tor-browser#41066: Circuit Isolation should take containers into account
Bug tor-browser#41428: Check if we can create our own directories for branding
Bug tor-browser#41514: eslint broken since migrating torbutton
Bug tor-browser#41568: Disable LaterRun
Bug tor-browser#41599: about:networking#networkid should be normalized
Bug tor-browser#41624: Disable unused about: pages
Bug tor-browser#41635: Disable the Normandy component at compile time
Bug tor-browser#41636: Disable back webextension.storage.sync after ensuring NoScript settings won't be lost
Bug tor-browser#41647: Turn --enable-base-browser in --with-base-browser-version
Bug tor-browser#41662: Disable about:sync-logs
Bug tor-browser#41671: Turn media.peerconnection.ice.relay_only to true as defense in depth against WebRTC ICE leaks
Bug tor-browser#41689: Remove startup.homepage_override_url from Base Browser
Bug tor-browser#41704: Immediately return on remoteSettings.pollChanges
Bug tor-browser#41738: Replace the patch to disable live reload with its preference
Bug tor-browser#41763: TTP-02-003 WP1: Data URI allows JS execution despite safest security level (Low)
Bug tor-browser#41775: Avoid re-defining some macros in nsUpdateDriver.cpp
Bug tor-browser#41818: Remove YEC 2022 strings
Windows + macOS + Linux:
Bug mullvad-browser#165: Fix maximization warning x button and preference
Bug tor-browser#20497: Improve support for non-portable mode
Bug tor-browser#33298: HTTP onion sites do not give a popup warning when submitting form data to non-onion HTTP sites
Bug tor-browser#40144: about:privatebrowsing Firefox branding
Bug tor-browser#40347: URL bar lock icon says connection is not secure when on "view-source:.onion" URLs [tor-browser]
Bug tor-browser#40552: New texts for the add a bridge manually modal
Bug tor-browser#40701: Improve security warning when downloading a file
Bug tor-browser-build#40711: Review and expand the stakeholders we communicate major changes to
Bug tor-browser-build#40733: Use the new branding directories
Bug tor-browser-build#40745: Allow customizing MOZ_APP_BASENAME
Bug tor-browser-build#40773: Copy some documentation files only on Tor Browser
Bug tor-browser-build#40781: Move translations to new paths
Bug tor-browser#40788: Tor Browser 11.0.4-11.0.6 phoning home
Bug tor-browser-build#40808: Set update URL for nightly base-browser
Bug tor-browser-build#40811: Make testing the updater easier
Bug tor-browser-build#40817: Add basebrowser-incrementals-nightly makefile target
Bug tor-browser-build#40833: base-browser nightly is using the default channel instead of nightly
Bug tor-browser#40958: The number of relays displayed for an onion site can be misleading
Bug tor-browser#41038: Update "Click to Copy" button label in circuit display
Bug tor-browser#41080: Some users are choosing an adjacent country for circumvention settings
Bug tor-browser#41084: Reserve red as a button color for dangerous actions
Bug tor-browser#41085: Refactor the UI to remove all bridges
Bug tor-browser#41093: Users don't understand the purpose of bridge-moji
Bug tor-browser#41109: "New circuit..." button gets cut-off when onion name wraps
Bug tor-browser#41350: Move the implementation of Bug 19273 out of Torbutton
Bug tor-browser#41351: Move the crypto protection patch earlier in the patchset
Bug tor-browser#41363: Crypto warning popup is not screen reader accessible
Bug tor-browser#41448: User 'danger' style for primary button in new identity modal
Bug tor-browser#41483: Tor Browser says Firefox timed out, confusing users
Bug tor-browser#41503: Disable restart in case of reboot and restore in case of crash
Bug tor-browser#41521: Improve localization notes
Bug tor-browser#41533: Page Info window for view-source:http://...onion addresses says Connection Not Encrypted
Bug tor-browser#41540: Confusing build-id date in about:preferences in alphas
Bug tor-browser#41562: API-triggered fullscreen after F11 causes letterboxing to crop the page
Bug tor-browser#41577: Disable profile migration
Bug tor-browser#41587: Disable the updater for Base Browser
Bug tor-browser#41595: Disable pagethumbnails capturing
Bug tor-browser#41600: Some users have difficulty finding the circuit display
Bug tor-browser#41607: Update "New Circuit" icon
Bug tor-browser#41608: Improve the UX of the location bar's connection status
Bug tor-browser#41609: Move the disabling of Firefox Home (Activity Stream) to base-browser
Bug tor-browser#41613: Skip Drang & Drop filtering for DNS-safe URLs (no hostname, e.g. RFC3966 tel:)
Bug tor-browser#41617: Improve the UX of the built-in bridges dialog
Bug tor-browser#41618: Update the iconography used in the status strip in connection settings
Bug tor-browser#41623: Update connection assist's iconography
Bug tor-browser#41633: Updating from 12.0.2 to 12.0.3 resets NoScript settings
Bug tor-browser#41657: Remove --enable-tor-browser-data-outside-app-dir
Bug tor-browser#41668: Move part of the updater patches to base browser
Bug tor-browser#41686: Move the 'Bug 11641: Disable remoting by default' commit from base-browser to tor-browser
Bug tor-browser#41695: Port warning on maximized windows without letterboxing from torbutton
Bug tor-browser#41699: Tighten up the tor onion alias regular expression
Bug tor-browser#41701: Reporting an extension does not work
Bug tor-browser#41702: The connection pill needs to be centered vertically
Bug tor-browser#41709: sendCommand should not try to send a command forever
Bug tor-browser#41711: Race condition when opening a new window in New Identity
Bug tor-browser#41718: Add the external filetype warning to about:downloads
Bug tor-browser#41719: Update title and button strings in the new circuit display to sentence case
Bug tor-browser#41725: Stray connectionPane.xhtml patch
Bug tor-browser#41726: Animate the torconnect icon to transition between connected states
Bug tor-browser#41734: Add a 'Connected' flag to indicate which built-in bridge option Tor Browser is currently using
Bug tor-browser#41736: Customize the default CustomizableUI toolbar using CustomizableUI.jsm
Bug tor-browser#41749: Replace the onion-glyph with dedicated icon for onion services
Bug tor-browser#41770: Keyboard navigation broken leaving the toolbar tor circuit button
Bug tor-browser#41775: Avoid re-defining some macros in nsUpdateDriver.cpp
Bug tor-browser#41785: Network monitor in developer tools shows HTTP onion resources as insecure
Bug tor-browser#41792: Drag and Drop protection prevents dragging downloads
Bug tor-browser#41800: Add the external filetype warning to Library / Manage Bookmarks
Bug tor-browser#41801: Fix handleProcessReady in TorSettings.init
Bug tor-browser#41802: Bad regex used to extract transport from bridgeline
Bug tor-browser#41810: Add "Connect" buttons to Request Bridge and Provide Bridge modals
Bug tor-browser#41816: The top navigation in about:torconnect isn't updated correctly
Bug tor-browser#41841: Use the new onion-site.svg icon in the onion-location pill
Windows + Linux:
Bug tor-browser-build#40714: Ship NoScript in the distribution directory also for
Windows and Linux:
Bug tor-browser#41654: UpdateInfo jumped into Data
Windows
Bug tor-browser-build#40772: Check and fix HiDPI issues in the NSIS installer
Bug tor-browser-build#40793: Add some metadata also to the Windows installer
Bug tor-browser-build#40801: Correct the ExecShell for system-wide installs in the NSIS script
Bug tor-browser#41459: WebRTC fails to build under mingw
Bug tor-browser#41678: WebRTC build fix patches incorrectly defining pid_t
macOS:
Bug tor-browser-build#40719: Allow non-universal macOS builds also on base-browser
Bug tor-browser#41535: Remove the old, unused and undocumented "-invisible" macOS CLI flag
Linux:
Bug tor-browser-build#40830: The fontconfig directory is missing in Base Browser
Bug tor-browser-build#40860: Improve the transition from the old fontconfig file to the new one
Bug tor-browser#41163: Many bundled fonts are blocked in Ubuntu/Fedora because of RFP
Bug tor-browser#41732: implement linux font whitelist as defense-in-depth
Android
Bug tor-browser#41001: Remove remaining security slider code
Bug tor-browser#41185: Hide learn more about sync
Bug tor-browser#41634: Google Play incorrectly detects that libTor.so is built with OpenSSL 1.1.1b
Bug tor-browser#41667: Enable media.peerconnection.ice.obfuscate_host_addresses on Android for defense-in-depth
Bug tor-browser#41677: Remove the --disable-tor-browser-update flag on Android
Build System:
All Platforms:
Updated Go to 1.20.5
Bug tor-browser-build#40673: Avoid building each go module separately
Bug tor-browser-build#40679: Use the latest translations for nightly builds
Bug tor-browser-build#40689: Update Ubuntu version from projects/mmdebstrap-image/config to 22.04.1
Bug tor-browser-build#40717: Create a script to prepare changelogs
Bug tor-browser-build#40720: Update fetch-changelogs.py scripts to support new Build System label
Bug tor-browser-build#40750: Find why rlbox hurts reproducibility
Bug tor-browser-build#40751: make signtag-* needs to take project name into account
Bug tor-browser-build#40753: We should not copy mar tools when the updater is disabled
Bug tor-browser-build#40760: Add BSD packager contacts to release prep templates
Bug tor-browser-build#40763: Add support for signing multiple browsers in tools/signing/nightly
Bug tor-browser-build#40783: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo to use $projectname prefix directory
Bug tor-browser-build#40784: Fix var_p/nightly_torbrowser_incremental_from after #40737
Bug tor-browser-build#40794: Include the build-id in firefox-l10n output name
Bug tor-browser-build#40795: Trim down tor-browser-build release prep issue templates
Bug tor-browser-build#40796: Bad UX for the changelogs script when using the issue number
Bug tor-browser-build#40805: Define the version flag for all browsers
Bug tor-browser-build#40807: Add config for signing base-browser nightly in tools/signing/nightly
Bug tor-browser-build#40812: Make var/rezip in projects/firefox/config quiet
Bug tor-browser-build#40818: Enable wasm target for rust compiler
Bug tor-browser-build#40828: Use http://archive.debian.org/debian-archive/ for jessie
Bug tor-browser-build#40837: Rebase mullvad-browser build changes onto main
Bug tor-browser-build#40870: Remove url without browser name from tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
Bug tor-browser#41649: Create rebase and security backport gitlab issue templates
Bug tor-browser#41682: Add base-browser nightly mar signing key
Windows + macOS + Linux:
Bug tor-browser-build#33953: Provide a way for easily updating Go dependencies of projects
Bug tor-browser-build#40713: Use the new tor-browser l10n branch in Firefox
Bug tor-browser-build#40777: Create a Go bootstrap project
Bug tor-browser-build#40778: Disable all translations with testbuilds in Firefox
Bug tor-browser-build#40788: Remove all languages but en-US for privacy-browser build target
Bug tor-browser-build#40809: Remove --enable-tor-browser-update and --enable-verify-mar from projects/firefox/mozconfig
Bug tor-browser-build#40813: Enable var/updater_enabled for basebrowser nightly
Bug tor-browser-build#40823: Update appname_* variables in projects/release/update_responses_config.yml
Bug tor-browser-build#40826: Correctly set appname_marfile for basebrowser in tools/signing/nightly/update-responses-base-config.yml
Bug tor-browser-build#40827: MAR generation uses (mostly) hard-coded MAR update channel
Bug tor-browser-build#40841: Adapt signing scripts to new signing machines
Bug tor-browser-build#40849: Move Go dependencies to the projects dependent on them, not as a standalone projects
Bug tor-browser-build#40866: Remove Using ansible to set up a nightly build machine from README
Bug tor-browser-build#40869: obfs4 is renamed to lyrebird
Windows:
Bug tor-browser-build#29185: NSIS Installer not reproducible when icon has an alpha channel
Bug tor-browser-build#40757: Change projects/browser/windows-installer/torbrowser.nsi to a template file
Windows + macOS + Linux:
Bug tor-browser-build#40732: Review Bundle-Data and try not to ship the default profile in base browser
Linux + Android:
Bug tor-browser-build#40653: Build compiler-rt with runtimes instead of the main LLVM build
macOS:
Bug tor-browser-build#40792: signing scripts missing project name prefix to make rule
Bug tor-browser-build#40798: dmg2mar step also takes care of copying the signed+stabled dmg to the signed directory
Bug tor-browser-build#40806: Update the reference to the macOS mozconfig
Bug tor-browser-build#40824: dmg2mar script using hardcoded project names for paths
Bug tor-browser-build#40847: Build filesystem influences the DMG creation
Bug tor-browser-build#40858: Create script to assist testers self sign Mac builds to allow running on Arm processors
Bug tor-browser#41453: Rename mozconfig-macos-x86_64 to mozconfig-macos
Android:
Bug tor-browser-build#40738: Update Android git hashes templates
Bug tor-browser-build#40874: Add commit information also to GV
Bug tor-browser#41684: Android improvements for local dev builds

New in Tor Browser 12.5 Alpha 7 (Jun 10, 2023)

Tor Browser 12.5a7 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 102.12.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 114.
We would like to thank volunteer contributor cypherpunks1 for their fixes for tor-browser#33298, tor-browser#41792, and tor-browser#41785. If you would like to contribute, our issue tracker can be found here.
This should be the last alpha in the 12.5 series, so this release should be considered a release candidate for 12.5.0 which will be released in the coming weeks. If you find any issues, please report them on our gitlab or on the Tor Project forum.
FULL CHANGELOG:
The full changelog since Tor Browser 12.5a6 is:
All Platforms:
Updated Translations
Updated NoScript to 11.4.22
Updated OpenSSL to 1.1.1u
Bug tor-browser#41795: Rebase Tor Browser and Base Browser alpha to 102.12esr
Bug tor-browser#41818: Remove YEC 2022 strings
Windows + macOS + Linux
Updated Firefox to 102.12esr
Bug tor-browser#33298: HTTP onion sites do not give a popup warning when submitting form data to non-onion HTTP sites
Bug tor-browser#40552: New texts for the add a bridge manually modal
Bug tor-browser#41608: Improve the UX of the location bar's connection status
Bug tor-browser#41618: Update the iconography used in the status strip in connection settings
Bug tor-browser#41623: Update connection assist's iconography
Bug tor-browser#41718: Add the external filetype warning to about:downloads
Bug tor-browser#41726: Animate the torconnect icon to transition between connected states
Bug tor-browser#41734: Add a Connected flag to indicate which built-in bridge option Tor Browser is currently using
Bug tor-browser#41749: Replace the onion-glyph with dedicated icon for onion services
Bug tor-browser#41785: Network monitor in developer tools shows HTTP onion resources as insecure
Bug tor-browser#41792: Drag and Drop protection prevents dragging downloads
Bug tor-browser#41800: Add the external filetype warning to Library / Manage Bookmarks
Bug tor-browser#41801: Fix handleProcessReady in TorSettings.init
Bug tor-browser#41802: Conjure bridge cards are mislabeled as vanilla bridges in alpha
Bug tor-browser#41809: Wrong icon in the bridge QR code
Bug tor-browser#41810: Add "Connect" buttons to Request Bridge and Provide Bridge modals
Bug tor-browser#41815: wrong connect icons
Bug tor-browser#41816: The top navigation in about:torconnect isn't updated correctly
Android:
Updated GeckoView to 102.12esr
Build System:
All Platforms:
Bug tor-browser-build#40777: Create a Go bootstrap project
Bug tor-browser-build#40850: Tor Browser nightly fails to build obfs4
Bug tor-browser-build#40866: Remove Using ansible to set up a nightly build machine from README
Bug tor-browser-build#40869: obfs4 is renamed to lyrebird
Bug tor-browser-build#40870: Remove url without browser name from tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo
Bug tor-browser-build#40871: Update keyring/boklm.gpg for new subkeys
Windows + macOS + Linux:
Bug tor-browser-build#40864: Make a script to update the manual artifact
macOS:
Bug tor-browser-build#40847: Build filesystem influences the DMG creation
Bug tor-browser-build#40858: Create script to assist testers self sign Mac builds to allow running on Arm processors
Android:
Bug tor-browser-build#40874: Add commit information also to GV

New in Tor Browser 12.0.7 (Jun 8, 2023)

New in Tor Browser 12.5 Alpha 6 (May 25, 2023)

New in Tor Browser 12.0.6 (May 14, 2023)

New in Tor Browser 12.5 Alpha 5 (Apr 23, 2023)

ALL PLATFORMS:
Updated Translations
Updated NoScript to 11.4.21
Updated Go to 11.9.8
Bug tor-browser-build#40833: base-browser nightly is using the default channel instead of nightly
Bug tor-browser#41687: Rebase Tor Browser Alpha to 102.10.0esr
Bug tor-browser#41689: Remove startup.homepage_override_url from Base Browser
Bug tor-browser#41704: Immediately return on remoteSettings.pollChanges
Windows + macOS + Linux:
Updated Firefox to 102.10esr
Bug mullvad-browser#165: Fix maximization warning x button and preference
Bug tor-browser#40501: High CPU load after tor exits unexpectedly
Bug tor-browser#40701: Improve security warning when downloading a file
Bug tor-browser#40788: Tor Browser 11.0.4-11.0.6 phoning home
Bug tor-browser-build#40811: Make testing the updater easier
Bug tor-browser-build#40831: Fix update URL for base-browser nightly
Bug tor-browser#40958: The number of relays displayed for an onion site can be misleading
Bug tor-browser#41038: Update "Click to Copy" button label in circuit display
Bug tor-browser#41109: "New circuit..." button gets cut-off when onion name wraps
Bug tor-browser#41350: Move the implementation of Bug 19273 out of Torbutton
Bug tor-browser#41521: Improve localization notes
Bug tor-browser#41533: Page Info window for view-source:http://...onion addresses says Connection Not Encrypted
Bug tor-browser#41600: Some users have difficulty finding the circuit display
Bug tor-browser#41617: Improve the UX of the built-in bridges dialog
Bug tor-browser#41668: Move part of the updater patches to base browser
Bug tor-browser#41686: Move the 'Bug 11641: Disable remoting by default' commit from base-browser to tor-browser
Bug tor-browser#41695: Port warning on maximized windows without letterboxing from torbutton
Bug tor-browser#41699: Tighten up the tor onion alias regular expression
Bug tor-browser#41701: Reporting an extension does not work
Bug tor-browser#41702: The connection pill needs to be centered vertically
Bug tor-browser#41709: sendCommand should not try to send a command forever
Bug tor-browser#41711: Race condition when opening a new window in New Identity
Bug tor-browser#41713: “Remove All Bridges” button only appears after hitting “Show All Bridges"
Bug tor-browser#41714: “Show Fewer Bridges” button missing from refactored remove all bridges UI
Bug tor-browser#41719: Update title and button strings in the new circuit display to sentence case
Bug tor-browser#41722: Regression: window maximization warning cannot be closed by the X button
Bug tor-browser#41725: Stray connectionPane.xhtml patch
Windows:
Bug tor-browser#41459: WebRTC fails to build under mingw
Bug tor-browser#41678: WebRTC build fix patches incorrectly defining pid_t
Bug tor-browser#41683: Disable the network process on Windows
Linux:
Bug tor-browser-build#40830: The fontconfig directory is missing in Base Browser
Bug tor-browser#41163: Many bundled fonts are blocked in Ubuntu/Fedora because of RFP
Android:
Updated GeckoView to 102.10esr
Bug tor-browser#41724: Backport Android-specific security fixes from Firefox 112 to
ESR 102.10-based Tor Browser:
Build System:
All Platforms:
Bug tor-browser-build#40828: Use http://archive.debian.org/debian-archive/ for jessie
Bug tor-browser-build#40837: Rebase mullvad-browser build changes onto main
Windows + macOS + Linux
Bug tor-browser-build#40823: Update appname_* variables in projects/release/update_responses_config.yml
Bug tor-browser-build#40826: Correctly set appname_marfile for basebrowser in tools/signing/nightly/update-responses-base-config.yml
Bug tor-browser-build#40827: MAR generation uses (mostly) hard-coded MAR update channel
Bug tor-browser#41730: Bridge lines in tools/torbrowser/bridges.js out of date
Windows:
Bug tor-browser-build#40822: The Tor Browser installer doesn't run with mandatory ASLR on (0xc000007b)
macOS:
Bug tor-browser-build#40824: dmg2mar script using hardcoded project names for paths
Bug tor-browser-build#40844: DMG reproducibility problem on 12.0.5
Linux:
Bug tor-browser-build#40835: Update faketime URLs in projects/container-image/config
Android
Bug tor-browser#41684: Android improvements for local dev builds

New in Tor Browser 12.0.5 (Apr 20, 2023)

New in Tor Browser 12.5 Alpha 4 (Mar 24, 2023)

ALL PLATFORMS:
Updated Translations
Updated NoScript to 11.4.20
Bug tor-browser-build#40353: Re-enable rlbox
Bug tor-browser-build#40810: Enable Finnish (fi) in alpha builds
Bug tor-browser-build#40817: Add basebrowser-incrementals-nightly makefile target
Bug tor-browser#41599: about:networking#networkid should be normalized
Bug tor-browser#41635: Disable the Normandy component at compile time
Bug tor-browser#41636: Disable back webextension.storage.sync after ensuring NoScript settings won't be lost
Bug tor-browser#41646: Regression in 12.5a3: the system font patch should also set a font-size
Bug tor-browser#41647: Turn --enable-base-browser in --with-base-browser-version
Bug tor-browser#41659: Add canonical color definitions to base-browser
Bug tor-browser#41662: Disable about:sync-logs
Bug tor-browser#41670: Rebase Tor Browser Alpha to 102.9.0esr
Bug tor-browser#41671: Turn media.peerconnection.ice.relay_only to true as defense in depth against WebRTC ICE leaks
Windows + macOS + Linux:
Updated Firefox to 102.9esr
Bug tor-browser#40144: about:privatebrowsing Firefox branding
Bug tor-browser-build#40788: Remove all languages but en-US for privacy-browser build target
Bug tor-browser-build#40808: Set update URL for nightly base-browser
Bug tor-browser#41085: Refactor the UI to remove all bridges
Bug tor-browser#41093: Users don't understand the purpose of bridge-moji
Bug tor-browser#41574: Use --warning-color variable for the "Custom" label in the security level popup.
Bug tor-browser#41657: Remove --enable-tor-browser-data-outside-app-dir
Windows:
Bug tor-browser-build#40793: Add some metadata also to the Windows installer
Bug tor-browser-build#40801: Correct the ExecShell for system-wide installs in the NSIS script
Android:
Updated GeckoView to 102.9esr
Bug tor-browser-build#40800: WebTunnel Integration in Tor Browser mobile
Bug tor-browser#41667: Enable media.peerconnection.ice.obfuscate_host_addresses on Android for defense-in-depth
Bug tor-browser#41677: Remove the --disable-tor-browser-update flag on Android
BUILD SYSTEM:
All Platforms:
Updated Go to 1.19.7
Bug tor-browser-build#40750: Find why rlbox hurts reproducibility
Bug tor-browser-build#40763: Add support for signing multiple browsers in tools/signing/nightly
Bug tor-browser-build#40794: Include the build-id in firefox-l10n output name
Bug tor-browser-build#40795: Trim down tor-browser-build release prep issue templates
Bug tor-browser-build#40796: Bad UX for the changelogs script when using the issue number
Bug tor-browser-build#40805: Define the version flag for all browsers
Bug tor-browser-build#40807: Add config for signing base-browser nightly in tools/signing/nightly
Bug tor-browser-build#40812: Make var/rezip in projects/firefox/config quiet
Bug tor-browser#41649: Create rebase and security backport gitlab issue templates
Bug tor-browser#41682: Add base-browser nightly mar signing key
Windows + macOS + Linux:
Bug tor-browser-build#40809: Remove --enable-tor-browser-update and --enable-verify-mar from projects/firefox/mozconfig
Bug tor-browser-build#40813: Enable var/updater_enabled for basebrowser nightly
macOS:
Bug tor-browser-build#40790: Fix dmg2mar after dmg changes from #28124
Bug tor-browser-build#40791: tools/dmg2mar should exit with an error when there is an error creating the mar file
Bug tor-browser-build#40792: signing scripts missing project name prefix to make rule
Bug tor-browser-build#40798: dmg2mar step also takes care of copying the signed+stabled dmg to the signed directory
Bug tor-browser-build#40806: Update the reference to the macOS mozconfig
Bug tor-browser#41453: Rename mozconfig-macos-x86_64 to mozconfig-macos
Android:
Bug tor-browser-build#40789: Broken mirror links for glean: link 404 for version 5.0.1 hosted at aguestuser's tor people storage

New in Tor Browser 12.0.4 (Mar 19, 2023)

New in Tor Browser 12.5 Alpha 3 (Feb 21, 2023)

We use this opportunity to update various other components of Tor Browser as well:
NoScript 11.4.16
OpenSSL 1.1.1t
go 1.19.6
ALL PLATFORMS:
Updated Translations
Updated OpenSSL to 1.1.1t
Updated NoScript to 11.4.16
Bug tor-browser#40763: Stop using remote localized files in CFR
Bug tor-browser#41351: Move the crypto protection patch earlier in the patchset
Bug tor-browser#41361: Integrate the Conjure PT into alpha versions of Tor Browser
Bug tor-browser#41424: Reduce disk activity by disabling some unnecessary tasks and telemetry
Bug tor-browser#41565: Gate Telemetry Tasks behind AppConstants.MOZ_TELEMETRY_REPORTING
Bug tor-browser#41568: Disable LaterRun
Bug tor-browser#41598: Prevent NoScript from being removed / disabled until core functionality has been migrated to Tor Browser
Bug tor-browser#41601: Apply Snowflake Remove HelloVerify Countermeasure
Bug tor-browser#41603: Customize the creation of MOZ_SOURCE_URL
Bug tor-browser#41624: Disable unused about: pages
Bug tor-browser#41627: Enable network.http.referer.hideOnionSource in base-browser
Bug tor-browser#41637: cherry-pick Mozilla 1814416: Generalize the app name in about:buildconfig. r=ahochheiden
Windows + macOS + Linux:
Updated Firefox to 102.8esr
Bug tor-browser#20497: Improve support for non-portable mode
Bug tor-browser-build#40745: Allow customizing MOZ_APP_BASENAME
Bug tor-browser-build#40773: Copy some documentation files only on Tor Browser
Bug tor-browser-build#40781: Move translations to new paths
Bug tor-browser#41080: Some users are choosing an adjacent country for circumvention settings
Bug tor-browser#41084: Reserve red as a button color for dangerous actions
Bug tor-browser#41540: Confusing build-id date in about:preferences in alphas
Bug tor-browser#41542: Disable the creation of a default profile
Bug tor-browser#41561: Maximize warning is broken (regression)
Bug tor-browser#41577: Disable profile migration
Bug tor-browser#41587: Disable the updater for Base Browser
Bug tor-browser#41588: Use better words for the Tor Network description in the onboarding
Bug tor-browser#41595: Disable pagethumbnails capturing
Bug tor-browser#41606: Move the changes to the hamburger menu out of the Torbutton commit
Bug tor-browser#41609: Move the disabling of Firefox Home (Activity Stream) to base-browser
Bug tor-browser#41613: Skip Drang & Drop filtering for DNS-safe URLs (no hostname, e.g. RFC3966 tel:)
Bug tor-browser#41626: Bridge-emojii tooltips not localized in ES locale
Bug tor-browser#41633: Updating from 12.0.2 to 12.0.3 resets NoScript settings
Windows
Bug tor-browser#40717: UX: hide SSO
Bug tor-browser-build#40772: Check and fix HiDPI issues in the NSIS installer
Android
Updated GeckoView to 102.8esr
Bug tor-browser#40283: Can't upload files with Tor browser on Android
Bug tor-browser#40536: Proxy Refused if link from other app opens Android TBB
Bug tor-browser#41185: Hide learn more about sync
Bug tor-browser#41616: Backport Android-specific security fixes from Firefox 110 to ESR 102.8-based Tor Browser
Bug tor-browser#41634: Google Play incorrectly detects that libTor.so is built with OpenSSL 1.1.1b
BUILD SYSTEM:
All Platforms:
Updated Go to 1.19.6
Bug tor-browser-build#40723: Update upload-update_responses-to-staticiforme step for new tor-browser-update-responses repository
Bug tor-browser-build#40747: Remove empty line at the top of sha256sums-unsigned-build.txt
Bug tor-browser-build#40748: When sha256sums-unsigned-build.txt contains an empty line, tools/dmg2mar prints a warning
Bug tor-browser-build#40751: make signtag-* needs to take project name into account
Bug tor-browser-build#40753: We should not copy mar tools when the updater is disabled
Bug tor-browser-build#40760: Add BSD packager contacts to release prep templates
Bug tor-browser-build#40764: Embed repo URL and git revision in Firefox
Bug tor-browser-build#40782: Update tools/signing/download-unsigned-sha256sums-gpg-signatures-from-people-tpo to fetch from tb-build-04 and tb-build-05
Bug tor-browser-build#40783: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo to use $projectname prefix directory
Bug tor-browser-build#40784: Fix var_p/nightly_torbrowser_incremental_from after #40737
Windows + macOS + Linux:
Bug tor-browser-build#40778: Disable all translations with testbuilds in Firefox
Windows:
Bug tor-browser-build#29185: NSIS Installer not reproducible when icon has an alpha channel
Bug tor-browser-build#40757: Change projects/browser/windows-installer/torbrowser.nsi to a template file
macOS:
Bug tor-browser-build#40755: libdmg-hfsplus fails to build on debian stable
Linux:
Bug tor-browser-build#40731: Update namecoin patches to apply in tor-browser nightly
Android:
Bug tor-browser-build#40752: Wrong urls in download-android-*.json files

New in Tor Browser 12.5 Alpha 2 (Jan 27, 2023)

ALL PLATFORMS:
Updated tor to 0.4.7.13
Updated NoScript to 11.4.14
Bug tor-browser#40565: do something with security.tls.version.enable-deprecated
Bug tor-browser-build#40727: Update list of Snowflake STUN servers in default bridge line
Bug tor-browser#41066: Circuit Isolation should take containers into account
Bug tor-browser#41428: Check if we can create our own directories for branding
Bug tor-browser#41506: Remove TrustCor root certificates
Windows + macOS + Linux
Updated Firefox to 102.7esr
Bug tor-browser#32274: Bad screen-reader UX for Security Level/Shield button
Bug tor-browser-build#40733: Use the new branding directories
Bug tor-browser#41393: about:tbupdate semantic and accessibility problems
Bug tor-browser#41539: Crypto warning weaknesses
Bug tor-browser#41549: tor freeze when receiving to many http proxy requests on socks port
Bug tor-browser#41561: Maximize warning is broken (regression)
Bug tor-browser#41562: API-triggered fullscreen after F11 causes letterboxing to crop the page
Bug tor-browser#41563: Old placeholders used in TorStrings.jsm
Bug tor-browser#41572: Check for userContextId also in the circuit display
Bug tor-browser#41577: Disable profile migration
WINDOWS + LINUX:
Bug tor-browser-build#40714: Ship NoScript in the distribution directory also for Windows and Linux
WINDOWS:
Bug tor-browser#40717: UX: hide SSO
Bug tor-browser#41578: Disable and lock Windows SSO
macOS:
Bug tor-browser-build#28124: Show Tor Browser icon as macOS volume (dmg) icon
Bug tor-browser-build#40719: Allow non-universal macOS builds also on base-browser
Bug tor-browser#41535: Remove the old, unused and undocumented "-invisible"
macOS CLI flag:
Android
Updated GeckoView to 102.7esr
Bug tor-browser#40283: Can't upload files with Tor browser on Android
Bug tor-browser#41571: Backport Android-specific Firefox 109 to ESR 102.7-based Tor
Browser:
Build System
All Platforms
Updated Go to 1.19.5
Bug tor-browser-build#40720: Update fetch-changelogs.py scripts to support new
Build System label:
Bug tor-browser-build#40735: Add command to list which translation components need to be updated
Bug tor-browser-build#40739: tor-expert-bundle should include ClientTransportPlugin torrc lines for each pluggable transport
Bug tor-browser#41567: Build outputs now going to obj-/dist/torbrower rather than obj-/dist/firefox
Windows + macOS + Linux:
Bug tor-browser-build#40732: Review Bundle-Data and try not to ship the default profile in base browser
macOS:
Bug tor-browser-build#40706: macos-signer-stapler should wait for user interaction before attempting stapling
Bug tor-brower-build#40744: HFS DMG are not deterministic
Android:
Bug tor-browser-build#40738: Update Android git hashes templates

New in Tor Browser 12.0.2 (Jan 20, 2023)

NEW RELEASES: Tor Browser 12.0.2:
Tor Browser 12.0.2 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 102.7, including bug fixes, stability improvements and important security updates. There were no Android-specific security updates to backport from the Firefox 109 release.
We use this opportunity to update various components of Tor Browser as well:
tor 0.4.7.13
NoScript 11.4.14
go 1.19.5
We would like to thank user ryotak for identifying a script blocking bypass on local file:// resources.
Send us your feedback:
If you find a bug or have a suggestion for how we could improve this release, please let us know.
FULL CHANGELOG:
The full changelog since Tor Browser 12.0.1 is:
All Platforms:
Updated tor to 0.4.7.13
Updated NoScript to 11.4.14
Bug tor-browser#40565: do something with security.tls.version.enable-deprecated
Bug tor-browser-build#40713: Use the new tor-browser l10n branch in Firefox
Bug tor-browser-build#40727: Update list of Snowflake STUN servers in default bridge line
Bug tor-browser#41506: Remove TrustCor root certificates
Bug tor-browser#41525: Drop locales from torbutton, since we will inject them in tor-browser-build
Windows + macOS + Linux:
Updated Firefox to 102.7esr
Bug tor-browser#26504: Browser version in about:preferences showing the Firefox ESR version
Bug tor-browser#32308: Stop inner letterbox jiggling as border is dragged
Bug tor-browser#41375: Clean unused strings
Bug tor-browser#41393: about:tbupdate semantic and accessibility problems
Bug tor-browser#41522: Backport torbutton -> tor-browser migration to 12.0 series
Bug tor-browser#41524: about:tbupdate needs UTF-8
Bug tor-browser#41539: Crypto warning weaknesses
Bug tor-browser#41549: tor freeze when receiving to many http proxy requests on socks port
Bug tor-browser#41561: Maximize warning is broken (regression)
Bug tor-browser#41563: Old placeholders used in TorStrings.jsm
macOS:
Bug tor-browser-build#40716: Unable to update to 12.0.1 on Apple Silicon-based Mac
Android:
Updated GeckoView to 102.7esr
Bug tor-browser#41571: Backport Android-specific Firefox 109 to ESR 102.7-based Tor
BROWSER:
Build System:
All Platforms
Updated Go to 1.19.5
Bug tor-browser-build#40735: Add command to list which translation components need to be updated
Bug tor-browser-build#40739: tor-expert-bundle should include
ClientTransportPlugin torrc lines for each pluggable transport:
Windows + macOS + Linux:
Bug tor-browser-build#40734: Backport the translation project
macOS:
Bug tor-browser-build#40706: macos-signer-stapler should wait for user interaction before attempting stapling

New in Tor Browser 12.5 Alpha 1 (Dec 22, 2022)

New Alpha Release: Tor Browser 12.5a1 (Android, Windows, macOS, Linux)
by richard | December 21, 2022:
Tor Browser 12.5a1 is now available from the Tor Browser download page and also from our distribution directory.
Tor Browser 12.5a1 updates Firefox on Android, Windows, macOS, and Linux to 102.6.0esr.
We use this opportunity to update various other components of Tor Browser as well:
tor 0.4.7.12
go 1.19.4
This version includes important security updates to Firefox and GeckoView. There were no Android-specific security updates to backport from the Firefox 108 release.
The full changelog since Tor Browser 12.0a5 is:
All Platforms:
Updated tor to 0.4.7.12
Bug tor-browser-build#40711: Review and expand the stakeholders we communicate major changes to
Bug tor-browser#41478: Drop the torbutton submodule in 12.5
Bug tor-browser#41514: eslint broken since migrating torbutton
Windows + macOS + Linux:
Updated Firefox to 102.6esr
Bug tor-browser#26504: about:preferences shows Firefox's version instead of Tor Browser's
Bug tor-browser#32308: Stop inner letterbox jiggling as border is dragged
Bug tor-browser#40347: URL bar lock icon says connection is not secure when on "view-source:[...].onion" URLs
Bug tor-browser-build#40678: Force all 11.5 users to update through 11.5.8 before 12.0
Bug tor-browser#41375: Clean unused strings
Bug tor-browser#41435: Add a Tor Browser migration function
Bug tor-browser#41448: User danger style for primary button in new identity modal
Bug tor-browser#41483: Tor Browser says Firefox timed out, confusing users
Bug tor-browser#41503: Disable restart in case of reboot and restore in case of crash
Bug tor-browser#41520: Regression: rearranging bookmarks / place items by drag & drop doesn't work anymore
Bug tor-browser#41524: about:tbupdate needs UTF-8
Bug tor-browser#41525: Drop locales from torbutton, since we will inject them in tor-browser-build
macOS + Linux:
Bug tor-browser#41519: TOR_SOCKS_IPC_PATH environment variable not honored
Windows
Bug tor-browser-build#40708: tor.exe in tor-expert-bundle not writing stdout even when run from cmd.exe
macOS:
Bug tor-browser-build#40716: Unable to update to 12.0.1 on Apple Silicon-based Mac
Android:
Updated GeckoView to 102.6esr
Bug tor-browser#41001: Remove remaining security slider code
Build System:
All Platforms:
Updated Go to 1.19.4
Bug tor-browser-build#40645: Verify we no longer depend on any signed tags from sysrqb and gk, and remove them from torbutton.gpg
Bug tor-browser-build#40679: Use the latest translations for nightly builds
Bug tor-browser-build#40681: Run apt-get clean, after installing packages in projects/container-image/config
Bug tor-browser-build#40683: Install more packages in the default containers to reduce the number of custom containers
Bug tor-browser-build#40689: Update Ubuntu version from projects/mmdebstrap-image/config to 22.04.1
Bug tor-browser-build#40717: Create a script to prepare changelogs
Windows + macOS + Linux:
Bug tor-browser-build#40707: Update update_responses_config.yml to allow 11.5.8 to update to whatever latest is
Bug tor-browser-build#40713: Use the new tor-browser l10n branch in Firefox
Linux + Android:
Bug tor-browser-build#40653: Build compiler-rt with runtimes instead of the main LLVM build
macOS:
Bug tor-browser-build#40694: aarch64 tor-expert-bundle for macOS is not exported as part of the browser build
Bug tor-browser-build#40704: Building nightly macos incrementals fails
Linux:
Bug tor-browser-build#40693: Can't build container-image in main
Android:
Bug tor-browser-build#40702: Nightly builds fails with "error: pathspec 'tor-browser-102.5.0esr-12.0-2' did not match any file(s) known to git"

New in Tor Browser 12.0.1 (Dec 20, 2022)

New in Tor Browser 12.0 (Dec 8, 2022)

Tor Browser 12.0 is now available from the Tor Browser download page and also from our distribution directory. This new release updates Tor Browser to Firefox Extended Support Release 102.
WHAT'S NEW:
Upgraded to Extended Support Release 102:
Once again, the time has come to upgrade Tor Browser to Firefox's newest Extended Support Release. We've spent the past few months since Tor Browser 11.5's release reviewing ESR 102's release notes to ensure each change is compatible with Tor Browser. As part of that process, anything that may conflict with Tor Browser's strict privacy and security principles has been carefully disabled.
Multi-locale support for desktop:
Previously, if you wanted to use Tor Browser for desktop in a language other than English, you needed to find and download one of the matching language versions from our download page. Switching language after installing Tor Browser wasn't an easy task either, and would either require adding the new language pack to your existing installation, or redownloading Tor Browser from scratch.
As of today we're pleased to announce that this is a thing of the past: Tor Browser for desktop is now truly multi-locale, meaning all supported languages are now included in a single bundle. For new users, Tor Browser 12.0 will update itself automatically when launched to match your system language. And if you've upgraded from Tor Browser 11.5.8, the browser will attempt to maintain your previously chosen display language.
Either way, you can now switch display language without any additional downloads via the Language menu in General settings – but we'd still recommend giving Tor Browser a quick restart before the change can take complete effect.
Naturally, bundling multiple languages in a single download should increase Tor Browser's filesize – we are very conscious of this; however, we've found a way to make efficiency savings elsewhere, meaning the difference in filesize between Tor Browser 11.5 and 12.0 is minor.
Native Apple Silicon support:
This was no small task, but we're happy to say that Tor Browser 12.0 now supports Apple Silicon natively. Like Mozilla's approach for Firefox, we've opted for a Universal Binary too – meaning both x86-64 (i.e. Intel compatible) and ARM64 (i.e. Apple Silicon compatible) builds are bundled together with the correct version chosen automatically when run.
HTTPS-Only by default for Android
Image reading "HTTPS Only Mode" and a switch turned on:
Back in July, we shared an update about Tor Browser for Android and our aspirations for its near future in the Tor Browser 11.5 release post. Since the beginning of the year our developers have been working hard to recommence regular updates for Android, improve the app's stability, and catch up to Fenix's (Firefox for Android's) release cycle.
The next phase in our plan for Android is to begin porting selected, high-priority features that have recently been launched for desktop over to Android – starting with enabling HTTPS-Only Mode by default. This change will help provide the same level of protection against SSL stripping attacks by malicious exit relays that we introduced to desktop in Tor Browser 11.5.
Prioritize .onion sites for Android:
![Visualization of the option to prioritize onion sites in Tor Browser for Android's Privacy and Security settings screen]
Another small but mighty improvement to Tor Browser 12.0 for Android is the option to "prioritize .onion sites" where available. When enabled, you will be redirected automatically to the matching .onion site for any web site that has Onion-Location configured – helping you to discover new .onion sites in the wild.
You can turn "Prioritize .onion sites" on under the Privacy and Security section within Tor Browser for Android's Settings menu. Please note that this update does not include the purple ".onion avilable" button in the address bar, which is still unique to Tor Browser for desktop.
12.0 is the first stable release of Tor Browser that supports Albanian (sq) and Ukranian (uk). We owe a huge thank you to all the volunteers who worked hard to translate Tor Browser into each language:
If you spot a string that still needs to be translated, or would like to contribute towards the localization of another language, please visit our Community portal to find out how to get started.
We've also been busy making various behind-the-scenes improvements to features like tor-launcher (which starts tor within Tor Browser), the code for which has undergone a significant refactoring. As such, if you run a non-standard Tor Browser setup (like using system tor in conjunction with Tor Browser, or very partiular network settings) and experience an unexpected error message when launching Tor - please let us know by filing an issue in our Gitlab repo.
Lastly, Tor Browser's letterboxing feature has received a number of minor improvements to its user experience, including (but not limited to) fixing potantial leaks and bypasses, removing the 1px border in fullscreen videos, and disabling the feature entirely on trusted pages like the Connect to Tor screen, among others.
Send us your feedback:
If you find a bug or have a suggestion for how we could improve this release, please let us know. Thanks to all of the teams across Tor, and the many volunteers, who contributed to this release.
FULL CHANGELOG:
The full changelog since Tor Browser 11.5.10 is:
All Platforms:
Update Translations
Update tor to 0.4.7.12
Bug tor-browser#17228: Consideration for disabling/trimming referrers within TBB
Bug tor-browser#24686: In Tor Browser context, should network.http.tailing.enabled be set to false?
Bug tor-browser#27127: Audit and enable HTTP/2 push
Bug tor-browser#27258: font whitelist means we don't have to set gfx.downloadable_fonts.fallback_delay
Bug tor-browser#40057: ensure that CSS4 system colors are not a fingerprinting vector
Bug tor-browser#40058: ensure no locale leaks from new Intl APIs
Bug tor-browser#40183: Consider disabling TLS ciphersuites containing SHA-1
Bug tor-browser#40251: Clear obsolete prefs after torbutton!27
Bug tor-browser#40406: Remove Presentation API related prefs
Bug tor-browser#40491: Don't auto-pick a v2 address when it's in Onion-Location header
Bug tor-browser#40494: Update Startpage and Blockchair onion search providers
Bug tor-browser-build#40580: Add support for Ukranian (uk)
Bug tor-browser-build#40646: Don't build Español AR anymore
Bug tor-browser-build#40674: Add Secondary Snowflake Bridge
Bug tor-browser#40783: Review 000-tor-browser.js and 001-base-profile.js for 102
Bug tor-browser#41098: Compare Tor Browser's and GeckoView's profiles
Bug tor-browser#41125: Review Mozilla 1732792: retry polling requests without proxy
Bug tor-browser#41154: Review Mozilla 1765167: Deprecate Cu.import
Bug tor-browser#41164: Add some #define for the base-browser section
Bug tor-browser#41306: Typo "will not able" in "Tor unexpectedly exited" dialog
Bug tor-browser#41317: Tor Browser leaks banned ports in network.security.ports.banned
Bug tor-browser#41345: fonts: windows whitelist contains supplemental fonts
Bug tor-browser#41398: Disable Web MIDI API
Bug tor-browser#41406: Do not define --without-wasm-sandboxed-libraries if WASI_SYSROOT is defined
Bug tor-browser#41420: Remove brand.dtd customization on nightly
Bug tor-browser#41457: Remove more Mozilla permissions
Bug tor-browser#41473: Add support for Albanian (sq)
Windows + macOS + Linux
Update Firefox to 102.5.0esr
Bug tor-browser#17400: Decide how to use the multi-lingual Tor Browser in the alpha/release series
Bug tor-browser-build#40595: Migrate to 102 on desktop
Bug tor-browser-build#40638: Visit our website link after build-to-build upgrade in Nightly channel points to old v2 onion
Bug tor-browser-build#40648: Do not customize update.locale in multi-lingual builds
Bug tor-browser#40853: use Subprocess.jsm to launch tor
Bug tor-browser#40933: Migrate remaining tor-launcher functionality to tor-browser
Bug tor-browser#41011: The Internet and Tor status are visible when opening the settings
Bug tor-browser#41044: Content exceeding the height of the connection settings modals
Bug tor-browser#41116: Review Mozilla 1226042: add support for the new 'system-ui' generic font family
Bug tor-browser#41117: Review Mozilla 1512851: Add Share Menu to File Menu on macOS
Bug tor-browser#41283: Toolbar buttons missing their label attribute
Bug tor-browser#41284: Stray security-level- fluent ids
Bug tor-browser#41287: New identity button inactive if added after customization
Bug tor-browser#41292: moreFromMozilla pane in about:preferences in 12.0a2
Bug tor-browser#41293: Incomplete branding in German with 12.0a2
Bug tor-browser#41337: Add a title to the new identity confirmation
Bug tor-browser#41342: Update the New Identity dialog to the proton modal style
Bug tor-browser#41344: Authenticated Onion Services do not prompt for auth key in 12.0 alpha series
Bug tor-browser#41352: Update or drop the show manual logic in torbutton
Bug tor-browser#41369: Consider a different list-order for locales in language menu
Bug tor-browser#41374: Missing a few torconnect strings in the DTD
Bug tor-browser#41377: Hide Search for more languages... from Language selector in multi-locale build
Bug tor-browser#41378: Inform users when Tor Browser sets their language automatically
Bug tor-browser#41385: Bootstrap failure is logged but not raised up to about:torconnect
Bug tor-browser#41386: The new tor-launcher has a problem when another Tor is running
Bug tor-browser#41387: New identity and new circuit ended up inside history
Bug tor-browser#41400: Missing onionAuthViewKeys causes "Onion Services Keys" dialog to be empty.
Bug tor-browser#41401: Missing some mozilla icons because we still loading them from "chrome://browser/skin" rather than "chrome://global/skin/icons"
Bug tor-browser#41404: Fix blockchair-onion search extension
Bug tor-browser#41409: Circuit display is broken on Tails
Bug tor-browser#41410: Opening and closing HTTPS-Only settings make the identity panel shrink
Bug tor-browser#41412: New Identity shows "Tor Browser" instead of "Restart Tor Browser" in unstranslated locales
Bug tor-browser#41417: Prompt users to restart after changing language
Bug tor-browser#41429: TorConnect and TorSettings are initialized twice
Bug tor-browser#41435: Add a Tor Browser migration function
Bug tor-browser#41436: The new tor-launcher handles arrays in the wrong way
Bug tor-browser#41437: Use the new media query for dark theme for the "Connected" pill in bridges
Bug tor-browser#41449: Onion authentication's learn more should link to the offline manual
Bug tor-browser#41451: Still using requestedLocales in torbutton
Bug tor-browser#41455: Tor Browser dev build cannot launch tor
Bug tor-browser#41458: Prevent mach package-multi-locale from actually creating a package
Bug tor-browser#41462: Add anchors to bridge-moji and onion authentication entries
Bug tor-browser#41466: Port YEC 2022 campaign to Tor Browser 12.0 (Desktop)
Bug tor-browser#41495: Clicking on "View Logs" in the "Establishing Connection" page takes you to about:preferences#connection and not logs
Bug tor-browser#41498: The Help panel is empty in 12.0a4
Bug tor-browser#41508: Update the onboarding link for 12.0
Windows
Bug tor-browser#41149: Review Mozilla 1762576: Firefox is not allowing Symantec DLP to inject DLL into the browser for Data Loss Prevention software
Bug tor-browser#41278: Create Tor Browser styled pdf logo similar to the vanilla Firefox one
Bug tor-browser#41426: base-browser nightly fails to build for windows-i686
macOS
Bug tor-browser#23451: Adapt font whitelist to changes on macOS (zh locales)
Bug tor-browser#41004: The Bangla font does not display correctly on MacOs
Bug tor-browser#41108: Remove privileged macOS installation from 102
Bug tor-browser#41294: Bookmarks manager broken in 12.0a2 on MacOS
Bug tor-browser#41348: cherry-pick macOS OSSpinLock replacements
Bug tor-browser#41370: Find a way to ship custom default bookmarks without changing language-packs on macOS
Bug tor-browser#41372: "Japanese" language menu item is localised in multi-locale testbuild (on mac OS)
Bug tor-browser#41379: The new tor-launcher is broken also on macOS
Linux
Bug tor-browser#40359: Tor Browser Launcher has Wrong Icon
Bug tor-browser-build#40626: Define the replacements for generic families on Linux
Bug tor-browser#41163: Fixing loading of bundled fonts on linux
Android
Update GeckoView to 102.5.0esr
Bug tor-browser#40014: Check which of our mobile prefs and configuration changes are still valid for GeckoView
Bug tor-browser-build#40631: Stop bundling HTTPS Everywhere on Android
Bug tor-browser#41394: Implement a setting to always prefer onion sites
Bug tor-browser#41465: Port YEC 2022 campaign to Tor Browser 12.0 (Android)
Build System
All Platforms
Update Go to 1.19.3
Bug tor-browser-build#23656: Use .mozconfig files in tor-browser repo for rbm builds
Bug tor-browser-build#28754: make testbuild-android-armv7 stalls during sha256sum step
Bug rbm#40049: gpg_keyring should allow for array of keyrings
Bug tor-browser-build#40397: Create a new build target to package tor daemon, pluggable transports and dependencies
Bug tor-browser-build#40407: Bump binutils version to pick up security improvements for Windows users
Bug tor-browser-build#40585: Prune the manual more
Bug tor-browser-build#40587: Migrate tor-browser-build configs from gitolite to gitlab repos
Bug tor-browser-build#40591: Rust 1.60 not working to build 102 on Debian Jessie
Bug tor-browser-build#40592: Consider re-using our LLVM/Clang to build Rust
Bug tor-browser-build#40593: Update signing scripts to take into account new project names and layout
Bug tor-browser-build#40607: Add alpha-specific release prep template
Bug tor-browser-build#40610: src-*.tar.xz tarballs are missing in https://dist.torproject.org/torbrowser/12.0a1/
Bug tor-browser-build#40612: Migrate Release Prep template to Release Prep - Stable
Bug tor-browser-build#40619: Make sure translations are taken from gitlab.tpo and not git.tpo
Bug torbrowser-build#40627: Add boklm to torbutton.gpg
Bug tor-browser-build#40634: Update the project/browser path in tools/changelog-format-blog-post and other files
Bug tor-browser-build#40636: Remove https-everywhere from projects/browser/config
Bug tor-browser-build#40639: Remove tor-launcher references
Bug tor-browser-build#40643: Update Richard's key in torbutton.gpg
Bug tor-browser-build#40645: Remove unused signing keys and create individual keyrings for Tor Project developers
Bug tor-browser-build#40655: Published tor-expert-bundle tar.gz files should not include their tor-browser-build build id
Bug tor-browser-build#40656: Improve get_last_build_version in tools/signing/nightly/sign-nightly
Bug tor-browser-build#40660: Update changelog-format-blog-post script to point gitlab rather than gitolite
Bug tor-browser-build#40662: Make base-browser nightly build from tag
Bug tor-browser-build#40663: Do not ship bookmarks in tor-browser-build anymore
Bug tor-browser-build#40667: Update Node.js to 12.22.12
Bug tor-browser-build#40669: Remove HTTPS-Everywhere keyring
Bug tor-browser-build#40671: Update langpacks URL
Bug tor-browser-build#40675: Update tb_builders list in set-config
Bug tor-browser-build#40690: Revert fix for zlib build break
Bug tor-browser#41308: Use the same branch for Desktop and GeckoView
Bug tor-browser#41321: Delete various master branches after automated build/testing scripts are updated
Bug tor-browser#41340: Opt in to some of the NIGHTLY_BUILD features
Bug tor-browser#41357: Enable browser toolbox debugging by default for dev builds
Bug tor-browser#41446: Multi-lingual alpha bundles break make fetch
Windows + macOS + Linux
Bug tor-browser-build#40499: Update firefox to enable building from new 'base-browser' tag
Bug tor-browser-build#40500: Add base-browser package project
Bug tor-browser-build#40501: Makefile updates to support building base-browser packages
Bug tor-browser-build#40503: Update Release Prep issue template with base-browser and privacy browser changes
Bug tor-browser-build#40547: Remove container/remote_* from rbm.conf
Bug tor-browser-build#40581: Update reference to master branches
Bug tor-browser-build#40641: Fetch Firefox locales from l10n-central
Bug tor-browser-build#40678: Force all 11.5 users to update through 11.5.8 before 12.0
Bug tor-browser-build#40685: Remove targets/nightly/var/mar_locales from rbm.conf
Bug tor-browser-build#40686: Add a temporary project to fetch Fluent tranlations for base-browser
Bug tor-browser-build#40691: Update firefox config to point to base-browser branch rather than a particular tag in nightly
Bug tor-browser-build#40699: Fix input_files in projects/firefox-l10n/config
Bug tor-browser#41099: Update+comment the update channels in update_responses.config.yaml
Windows
Bug tor-browser-buid#29318: Use Clang for everything on Windows
Bug tor-browser-build#29321: Use mingw-w64/clang toolchain to build tor
Bug tor-browser-build#29322: Use mingw-w64/clang toolchain to build OpenSSL
Bug tor-browser-build#40409: Upgrade NSIS to 3.08
Bug tor-browser-build#40666: Fix compiler depedencies for Firefox on Windows
macOS
Bug tor-browser-build#40067: Rename "OS X" to "macOS"
Bug tor-browser-build#40158: Add support for macOS AArch64
Bug tor-browser-build#40439: Create universal x86-64/arm64 mac builds
Bug tor-browser-build#40605: Reworked the macOS toolchain creation
Bug tor-browser-build#40620: Update macosx-sdk to 11.0
Bug tor-browser-build#40687: macOS nightly builds with packaged locales fail
Bug tor-browser-build#40694: aarch64 tor-expert-bundle for macOS is not exported as part of the browser build
Linux
Bug tor-browser-build#31321: Add cc -> gcc link to projects/gcc
Bug tor-browser-build#40621: Update namecoin patches for linted TorButton
Bug tor-browser-build#40659: Error building goservice for linux in nightly build
Bug tor-browser#41343: Add -without-wam-sandboxed-libraries to mozconfig-linux-x86_64-dev for local builds
Android
Bug tor-browser-build#40574: Improve tools/signing/android-signing
Bug tor-browser-build#40604: Fix binutils build on android
Bug tor-browser-build#40640: Extract Gradle in the toolchain setup
Bug tor-browser#41304: Add Android-specific targets to makefiles

New in Tor Browser 11.5.8 (Nov 23, 2022)

New Release: Tor Browser 11.5.8 (Android, Windows, macOS, Linux):
Tor Browser 11.5.8 is now available from the Tor Browser download page and also from our distribution directory. This release will not be published on Google Play due to their target API level requirements. Assuming we do not run into any major problems, Tor Browser 11.5.9 will be an Android-only release that fixes this issue.
Tor Browser 11.5.8 backports the following security updates from Firefox ESR 102.5 to to Firefox ESR 91.13 on Windows, macOS and Linux:
CVE-2022-43680: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
CVE-2022-45416: Keystroke Side-Channel Leakage
CVE-2022-45420: Iframe contents could be rendered outside the iframe
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
The full changelog since Tor Browser 11.5.7 is:
ALL PLATFORMS:
Update Translations
Update OpenSSL to 1.1.1s
Update NoScript to 11.4.12
Update tor to 0.4.7.11
Update zlib to 1.2.13
Bug tor-browser-build#40622: Update obfs4proxy to 0.0.14 in Tor Browser
Windows + macOS + Linux:
Bug tor-browser#31064: Letterboxing is enabled in priviledged contexts too
Bug tor-browser#32411: Consider adding about:tor and others to the list of pages that do not need letterboxing
Bug tor-browser#41413: Backup intl.locale.requested in 11.5.x
Bug tor-browser#41434: Letterboxing bypass through secondary tab (popup/popunder...)
Bug tor-browser#41456: Backport ESR 102.5 security fixes to 91.13-based Tor Browser
Bug tor-browser#41460: Migrate new identity and security level preferences in 11.5.8
Bug tor-browser#41463: Backport fix for CVE-2022-43680
Android:
Update GeckoView to 102.5.0esr
Bug tor-browser#41461: Backport Android-specific 107-rr security fixes to 102.5-esr based Geckoview
BUILD:
All Platforms:
Update Go to 1.18.8
Bug tor-browser-build#40658: Create an anticensorship team keyring
Bug tor-browser-build#40690: Revert fix for zlib build break

New in Tor Browser 11.5.7 (Nov 4, 2022)

New in Tor Browser 12.0 Alpha 4 (Nov 1, 2022)

Tor Browser 12.0a4 includes a number of changes that require testing and feedback:
Multi-locale bundles (Desktop):
This is the first multi-locale release of Tor Browser Alpha for desktop. All supported languages are now included in a single bundle, and can be changed without requiring additional downloads via the Language menu in General settings.
What to test: Tor Browser Alpha should default to your system language on first launch if it matches a language we support. Alpha testers are also encouraged to test changing language within about:preferences#general, and to report any new bugs with localization in general.
tor-launcher migration (Desktop):
Parts of the code that power tor-launcher – which starts tor within Tor Browser – have been refactored. Although this work doesn't include any changes to the user experience, those who run non-standard Tor Browser setups are encouraged to test 12.0a4 on their systems.
What to test: Alpha testers who run non-standard Tor Browser setups (including, but not limited to, those who use system tor in conjunction with Tor Browser) should test starting and connecting to Tor, and report any unexpected error messages they encounter. All of the previously supported environment variables should still behave the same way as in the stable series.
Onion Auth fixes (Desktop):
12.0a4 includes two fixes to Onion Service client authorization:
A fix to the auth window itself, which was broken in Alpha due to a regression caused by the esr102 transition: tor-browser#41344
Another fix to a longstanding issue with Onion Auth failing on subdomains, which has also been backported to 11.5.5: tor-browser#40465
What to test: Accessing client authorized Onion Services on both top-level and subdomains.
The full changelog since Tor Browser 12.0a3 is:
ALL PLATFORMS:
Update Translations
Bug tor-browser#24686: In Tor Browser context, should network.http.tailing.enabled be set to false?
Bug tor-browser#27127: Audit and enable HTTP/2 push
Bug tor-browser#40057: ensure that CSS4 system colors are not a fingerprinting vector
Bug tor-browser#40058: ensure no locale leaks from new Intl APIs
Bug tor-browser#40251: Clear obsolete prefs after torbutton!27
Bug tor-browser#40406: Remove Presentation API related prefs
Bug tor-browser#40465: Onion Authentication fails when connecting to a subdomain
Bug tor-browser#40491: Don't auto-pick a v2 address when it's in Onion-Location header
Bug tor-browser#40494: Update Startpage and Blockchair onion search providers
Bug tor-browser-build#40629: Bump snowflake version to 9ce1de4eee4e
Bug tor-browser-build#40633: Remove Team Cymru hard-coded bridges
Bug tor-browser-build#40646: Don't build Español AR anymore
Bug tor-browser-build#40649: Update meek default bridge
Bug tor-browser-build#40654: Enable uTLS and use the full bridge line for snowflake
Bug tor-browser-build#40665: Snowflake bridge parameters are too long (535 bytes) in 11.5.5
Bug tor-browser#41098: Compare Tor Browser's and GeckoView's profiles
Bug tor-browser#41154: Review Mozilla 1765167: Deprecate Cu.import
Bug tor-browser#41164: Add some #define for the base-browser section
Bug tor-browser#41306: Typo "will not able" in "Tor unexpectedly exited" dialog
Bug tor-browser#41317: Tor Browser leaks banned ports in network.security.ports.banned
Bug tor-browser#41326: Update preference for remoteRecipes
Bug tor-browser#41345: fonts: windows whitelist contains supplemental fonts
Bug tor-browser#41398: Disable Web MIDI API
Windows + macOS + Linux:
Update Firefox to 102.4.0esr
Bug tor-browser#17400: Decide how to use the multi-lingual Tor Browser in the alpha/release series
Bug tor-browser-build#40638: Visit our website link after build-to-build upgrade in
Nightly channel points to old v2 onion:
Bug tor-browser-build#40648: Do not customize update.locale in multi-lingual builds
Bug tor-browser#40853: use Subprocess.jsm to launch tor
Bug tor-browser#40933: Migrate remaining tor-launcher functionality to tor-browser
Bug tor-browser#41117: Review Mozilla 1512851: Add Share Menu to File Menu on
macOS:
Bug tor-browser#41323: Tor-ify notification bar gradient colors (branding)
Bug tor-browser#41337: Add a title to the new identity confirmation
Bug tor-browser#41342: Update the New Identity dialog to the proton modal style
Bug tor-browser#41344: Authenticated Onion Services do not prompt for auth key in
12.0 alpha series:
Bug tor-browser#41352: Update or drop the show manual logic in torbutton
Bug tor-browser#41369: Consider a different list-order for locales in language menu
Bug tor-browser#41374: Missing a few torconnect strings in the DTD
Bug tor-browser#41377: Hide Search for more languages... from Language selector in
multi-locale build:
Bug tor-browser#41385: Bootstrap failure is logged but not raised up to
about:torconnect:
Bug tor-browser#41386: The new tor-launcher has a problem when another Tor is
running:
Bug tor-browser#41387: New identity and new circuit ended up inside history
Bug tor-browser#41400: Missing onionAuthViewKeys causes "Onion Services Keys" dialog to be empty.
Bug tor-browser#41401: Missing some mozilla icons because we still loading them from "chrome://browser/skin" rather than "chrome://global/skin/icons"
Bug tor-browser#41404: Fix blockchair-onion search extension
Windows:
Bug tor-browser#41149: Review Mozilla 1762576: Firefox is not allowing Symantec DLP to inject DLL into the browser for Data Loss Prevention software
Bug tor-browser#41278: Create Tor Browser styled pdf logo similar to the vanilla Firefox one
macOS:
Bug tor-browser#41294: Bookmarks manager broken in 12.0a2 on MacOS
Bug tor-browser#41348: cherry-pick macOS OSSpinLock replacements
Bug tor-browser#41370: Find a way to ship custom default bookmarks without changing language-packs on macOS
Bug tor-browser#41372: "Japanese" language menu item is localised in multi-locale testbuild (on mac OS)
Bug tor-browser#41379: The new tor-launcher is broken also on macOS
Linux:
Bug tor-browser#40359: Tor Browser Launcher has Wrong Icon
Android:
Update GeckoView to 102.4.0esr
Bug tor-browser-build#40631: Stop bundling HTTPS Everywhere on Android
Bug tor-browser#41360: Backport Android-specific Firefox 106 to ESR 102.4-based Tor
Browser:
Bug tor-browser#41394: Implement a setting to always prefer onion sites
Build:
All Platforms:
Update Go to 1.19.2
Bug tor-browser-build#23656: Use .mozconfig files in tor-browser repo for rbm builds
Bug tor-browser-build#28754: make testbuild-android-armv7 stalls during sha256sum step
Bug tor-browser-build#40397: Create a new build target to package tor daemon, pluggable transports and dependencies
Bug tor-browser-build#40619: Make sure translations are taken from gitlab.tpo and not git.tpo
Bug torbrowser-build#40627: Add boklm to torbutton.gpg
Bug tor-browser-build#40634: Update the project/browser path in tools/changelog-format-blog-post and other files
Bug tor-browser-build#40636: Remove https-everywhere from projects/browser/config
Bug tor-browser-build#40639: Remove tor-launcher references
Bug tor-browser-build#40643: Update Richard's key in torbutton.gpg
Bug tor-browser-build#40655: Published tor-expert-bundle tar.gz files should not include their tor-browser-build build id
Bug tor-browser-build#40656: Improve get_last_build_version in tools/signing/nightly/sign-nightly
Bug tor-browser-build#40658: Create an anticensorship team keyring
Bug tor-browser-build#40660: Update changelog-format-blog-post script to point gitlab rather than gitolite
Bug tor-browser-build#40662: Make base-browser nightly build from tag
Bug tor-browser-build#40671: Update langpacks URL
Bug tor-browser#41308: Use the same branch for Desktop and GeckoView
Bug tor-browser#41340: Opt in to some of the NIGHTLY_BUILD features
Bug tor-browser#41343: Add -without-wam-sandboxed-libraries to mozconfig-linux-x86_64-dev for local builds
Bug tor-browser-build#40585: Prune the manual more
Bug tor-browser-build#40663: Do not ship bookmarks in tor-browser-build anymore
Bug tor-browser-build#40669: Remove HTTPS-Everywhere keyring
Bug tor-browser#41357: Enable browser toolbox debugging by default for dev builds
macOS:
Bug tor-browser-build#40158: Add support for macOS AArch64
Bug tor-browser-build#40464: go 1.18 fails to build on macOS
Linux
Bug tor-browser-build#40659: Error building goservice for linux in nightly build
Android
Bug tor-browser-build#40640: Extract Gradle in the toolchain setup

New in Tor Browser 11.5.6 (Oct 29, 2022)

New in Tor Browser 11.5.5 (Oct 26, 2022)

New in Tor Browser 11.5.4 (Oct 13, 2022)

Tor Browser 11.5.4 backports the following security updates from Firefox ESR 102.3 to to Firefox ESR 91.13 on Windows, macOS and Linux:
CVE-2022-40959
CVE-2022-40960
CVE-2022-40958
CVE-2022-40956
CVE-2022-40962
Tor Browser 11.5.4 updates GeckoView on Android to 102.3.0esr. We also backport the following Android-specific security updates from Firefox 104 and 105:
CVE-2022-36317
CVE-2022-38474
CVE-2022-40961
The full changelog since Tor Browser 11.5.3 is:
All Platforms:
Bug tor-browser-build#40629: Bump snowflake version to 9ce1de4eee4e
Bug tor-browser-build#40633: Remove Team Cymru hard-coded bridges
Bug tor-browser#41326: Update preference for remoteRecipes
Windows + macOS + Linux
Bug tor-browser-build#40624: Change placeholder bridge addresses to make snowflake and meek work with ReachableAddresses/FascistFirewall
Bug tor-browser#41303: YEC 2022 Takeover for Desktop Stable
Bug tor-browser#41310: Backport ESR 102.3 security fixes to 91.13-based Tor Browser
Bug tor-browser#41323: Tor-ify notification bar gradient colors (branding)
Bug tor-browser#41338: The arrow on the search bar should be flipped for RTL languages
Windows + macOS:
Bug tor-browser#41307: font whitelist typos
Android:
Updated GeckoView to 102.3.0esr
Bug tor-browser#41089: Add tor-browser build scripts + Makefile to tor-browser
Bug tor-browser#41094: Enable HTTPS-Only Mode by default in Tor Browser Android
Bug tor-browser#41159: Remove HTTPS-Everywhere extension from esr102-based Tor Browser Android
Bug tor-browser#41166: Backport fix for CVE-2022-36317: Long URL would hang Firefox for Android (Bug 1759951)
Bug tor-browser#41167: Backport fix for CVE-2022-38474: Recording notification not shown when microphone was recording on Android (Bug 1719511)
Bug tor-browser#41302: YEC 2022 Takeover for Android Stable
Bug tor-browser#41312: Backport Firefox 105 Android security fixes to 102.3-based
Tor Browser:
Bug tor-browser#41314: Add YEC 2022 strings to torbutton and fenix
Build System:
Android:
Update Go to 1.18.7

New in Tor Browser 12.0 Alpha 3 (Sep 29, 2022)

New in Tor Browser 12.0 Alpha 2 (Sep 12, 2022)

Tor Browser 12.0a2 updates Firefox on Android, Windows, macOS, and Linux to 102.2.0esr.
We use this opportunity to update various other components of Tor Browser as well:
Tor 0.4.7.10
Tor Launcher 0.2.39 (Desktop only)
NoScript 11.4.10
Go 1.18.5 (Android only)
This version includes important security updates to Firefox. We also backport the following Android-specific security updates:
CVE-2022-36317
CVE-2022-38474
Notably, we have also enabled HTTPS-Only mode for Tor Browser for Android (this feature is already enabled for Desktop). This feature, when enabled, overrides HTTPS-Everywhere functionality. For now this can be reverted in the 'Settings > Privacy and security' pane( see: https://gitlab.torproject.org/tpo/applications/fenix/-/merge_requests/151 ).
The full changelog since Tor Browser 12.0a1 is:
ALL PLATFORMS:
Update Firefox to 102.2.0esr
Update Tor to 0.4.7.10
Update NoScript to 11.4.10
Update Translations
Bug tor-browser#40242: Tor Browser has two default bridges that share a fingerprint, and Tor ignores one
WINDOWS + MACOS + LINUX:
Update Tor-Launcher to 0.2.39
Update Manual
Bug tor-browser-build#40580: Add support for uk (ukranian) locale
Bug tor-browser-buid#40595: Migrate to 102 on desktop
Bug tor-browser#41075: The Tor Browser is showing caution sign but your document said it won't
Bug tor-browser#41089: Add tor-browser build scripts + Makefile to tor-browser
macOS:
Bug tor-browser#41108: Remove privileged macOS installation from 102
Android:
Bug fenix#40225: Bundled extensions don't get updated with Android Tor Browser updates (they stay stuck at the first installed version)
Bug tor-browser#41094: Enable HTTPS-Only Mode by default in Tor Browser Android
Bug tor-browser#41156: User-installed addons are broken on Android
Bug tor-browser#41166: Backport fix for CVE-2022-36317: Long URL would hang Firefox for Android (Bug 1759951)
Bug tor-browser#41167: Backport fix for CVE-2022-38474: Recording notification not shown when microphone was recording on Android (Bug 1719511)
BUILD SYSTEM:
All Platforms:
Bug tor-browser-build#40407: Bump binutils version to pick up security improvements for Windows users
Bug tor-browser-build#40591: Rust 1.60 not working to build 102 on Debian Jessie
Bug tor-browser-build#40592: Consider re-using our LLVM/Clang to build Rust
Bug tor-browser-build#40593: Update signing scripts to take into account new project names and layout
Bug tor-browser-build#40607: Add alpha-specific release prep template
Bug tor-browser-build#40610: src-*.tar.xz tarballs are missing in https://dist.torproject.org/torbrowser/12.0a1/
Bug tor-browser-build#40612: Migrate Release Prep template to Release Prep - Stable
Windows + macOS + Linux:
Bug tor-browser#41099: Update+comment the update channels in update_responses.config.yaml
Windows:
Bug tor-browser-buid#29318: Use Clang for everything on Windows
Bug tor-browser-build#29321: Use mingw-w64/clang toolchain to build tor
Bug tor-browser-build#29322: Use mingw-w64/clang toolchain to build OpenSSL
Bug tor-browser-build#40409: Upgrade NSIS to 3.08
macOS:
Bug tor-browser-build#40605: Reworked the macOS toolchain creation
Bug tor-browser-build#40620: Update macosx-sdk to 11.0
Linux:
Bug tor-browser-build#31321: Add cc -> gcc link to projects/gcc
Android:
Update Go to 1.18.5
Bug tor-browser-build#40574: Improve tools/signing/android-signing
Bug tor-browser-build#40582: Prepared TBA to use Mozilla 102 components
Bug tor-browser-build#40604: Bug 40604: Fix binutils build on android

New in Tor Browser 11.5.2 (Aug 30, 2022)

New in Tor Browser 12.0 Alpha 1 (Aug 11, 2022)

Windows + OS X + Linux:
Update Firefox to 91.12.0esr
Update Tor-Launcher to 0.2.38
Update Translations
Update OpenSSL to 1.1.1q
Update Manual
Bug tor-browser#21740: Make sure Mozilla's own emoji font on Windows/Linux does not interfere with our font fingerprinting defense
Bug tor-browser#27719: Treat unsafe renegotiation as broken
Bug tor-browser-build#40584: Update tor-browser manual to latest
Bug tor-browser#40966: Investigate problems with Twemoji Mozilla
Bug tor-browser#41011: The Internet and Tor status are visible when opening the settings
Bug tor-browser#41035: OnionAliasService should use threadsafe ISupports
Bug tor-browser#41036: Add a preference to disable OnionAlias
Bug tor-browser#41037: User onboarding still points to about:preferences#tor
Bug tor-browser#41044: Content exceeding the height of the connection settings modals
Bug tor-browser#41049: QR codes in connection settings aren't recognized by some readers in dark theme
Bug tor-browser#41050: "Continue to HTTP Site" button doesn't work on IP addresses
Bug tor-browser#41053: remove HTTPS-Everywhere entry from browser.uiCustomization.state pref
Bug tor-browser#41054: Improve color contrast of purple elements in connection settings in dark theme
Bug tor-browser#41055: Icon fix from #40834 is missing in 11.5 stable
Bug tor-browser#41058: Hide currentBridges description when the section itself is hidden
Bug tor-browser#41059: Bridge cards aren't displaying, and toggle themselves off
Bug tor-browser#41067: Cherry-pick fixes for HTTPS-Only mode
Bug tor-browser#41070: Google vanished from default search options from 11.0.10 onwards
Bug tor-browser#41089: Add tor-browser build scripts + Makefile to tor-browser
Bug tor-browser#41095: "Learn more" link in onboarding slideshow still points to 11.0 release post
Windows:
Bug tor-browser#30589: Tor Browser on Windows is lacking fonts to render some kind of scripts
Bug tor-browser#41039: Set 'startHidden' flag on tor process in tor-launcher
OS X:
Bug tor-browser#41004: The Bangla font does not display correctly on MacOs
Linux:
Bug tor-browser#41043: Investigate why STIX Two becomes the default font on Linux
Windows + OS X + Linux:
Update Go to 1.17.13
Bug tor-browser-build#40499: Update firefox to enable building from new 'base-browser' tag
Bug tor-browser-build#40500: Add base-browser package project
Bug tor-browser-build#40501: Makefile updates to support building base-browser packages
Bug tor-browser-build#40547: Remove container/remote_* from rbm.conf
Bug tor-browser-build#40581: Update reference to master branches

New in Tor Browser 11.5.1 (Jul 28, 2022)

New in Tor Browser 11.5 (Jul 17, 2022)

Tor Browser 11.5 is now available from the Tor Browser download page and also from our distribution directory. This new release builds upon features introduced in Tor Browser 10.5 to transform the user experience of connecting to Tor from heavily censored regions.
WHAT'S NEW:
Automatic censorship detection and circumvention
We began reshaping the experience of connecting to Tor with the release of Tor Browser 10.5 last year, including the retirement of the Tor Launcher and the integration of the connection flow into the browser window. However, circumventing censorship of the Tor Network itself remained a manual and confusing process – requiring users to dive into Tor Network settings and figure out for themselves how to apply a bridge to unblock Tor. What's more, censorship of Tor isn't uniform – and while a certain pluggable transport or bridge configuration may work in one country, that doesn't mean it'll work elsewhere.
This placed the burden on censored users (who are already under significant pressure) to figure out what option to pick, resulting in a lot of trial, error and frustration in the process. In collaboration with the Anti-Censorship team at the Tor Project, we've sought to reduce this burden with the introduction of Connection Assist: a new feature that when required will offer to automatically apply the bridge configuration we think will work best in your location for you.
Connection assist:
Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org.
While Connection Assist has reached the milestone of its first stable release, this is only version 1.0, and your feedback will be invaluable to help us improve its user experience in future releases. Users from countries where the Tor Network may be blocked (such as Belarus, China, Russia and Turkmenistan) can test the most recent iteration of this feature by volunteering as an alpha tester, and reporting your findings on the Tor forum.
Redesigned Tor Network settings:
Connection settings:We hope that the majority of our users living under extreme censorship will be able to connect to Tor at the press of a button, thanks to Connection Assist. However we know there will always be exceptions to that, and there are many users who prefer to configure their connection manually as well.
That's why we've invested time redesigning Tor Network settings too – featuring:
A brand new name: Tor Network settings is now called Connection settings. This change is intended to clarify exactly what settings you can find within this tab.
Connection statuses: Your last known connection status can now be found at the top of the tab, including the option to test your Internet connection without Tor, using moat, to help you untangle the source of your connection woes.
Streamlined bridge options: Gone is the long list of fields and options. Each method to add a new bridge has been tidied away into individual dialog menus, which will help support further improvements to come.
Connection Assist: When Tor Browser's connection to the Tor Network isn't reachable due to suspected censorship, an additional option to select a bridge automatically becomes available.
Brand-new bridge cards: Bridges used to be almost invisible, even when configured. Now, your saved bridges appear in a handy stack of bridge cards – including new options for sharing bridges too.
Bridge card diagram:
This is the anatomy of a bridge card when expanded. In addition to copying and sharing the bridge line, each bridge also comes with a unique QR code that will be readable by Tor Browser for Android (and hopefully other Tor-powered apps too) in a future release – helping facilitate the transfer of a working bridge from desktop to mobile.
When you have multiple bridges configured the cards will collapse into a stack – each of which can be expanded again with a click. And when connected, Tor Browser will let you know which bridge it's currently using with the purple "✔ Connected" pill. To help differentiate between your bridges without needing to compare long, unfriendly bridge lines, we've introduced bridge-moji: a short, four emoji visualization you can use to identify the right bridge at a glance.
Lastly, help links within Connection settings now work offline. To recap – there are two types of help links in Tor Browser's settings: those that point to support.mozilla.org, and those that point to tb-manual.torproject.org (i.e. the Tor Browser Manual). However, since web-based links aren't very useful when you're troubleshooting connection issues with Tor Browser, the manual is now bundled in Tor Browser 11.5 and is available offline. In addition to the help links within Tor Browser's settings, the manual can be accessed via the Application Menu > Help > Tor Browser Manual, and by entering "about:manual" into your browser's address bar too.
HTTPS-Only Mode, by default:
HTTPS-Only Mode:
HTTPS-Everywhere is one of two extensions that previously came bundled in Tor Browser, and has led a long and distinguished career protecting our users by automatically upgrading their connections to HTTPS wherever possible. Now, HTTPS is actually everywhere, and all major web browsers include native support to automatically upgrade to HTTPS. Firefox – the underlying browser on which Tor Browser is based – calls this feature HTTPS-Only Mode.
Starting in Tor Browser 11.5, HTTPS-Only Mode is enabled by default for desktop, and HTTPS-Everywhere will no longer be bundled with Tor Browser.
Why now? Research by Mozilla indicates that the fraction of insecure pages visited by the average users is very low – limiting the disruption caused to the user experience. Additionally, this change will help protect our users from SSL stripping attacks by malicious exit relays, and strongly reduces the incentive to spin up exit relays for Man-in-the-Middle attacks in the first place.
You may or may not know that HTTPS-Everywhere also served a second purpose in Tor Browser, and was partly responsible for making SecureDrop's human-readable onion names work. Well, SecureDrop users can rest assured that we've patched Tor Browser to ensure that human-readable onion names still work in HTTPS-Everywhere's absence.
Note: Unlike desktop, Tor Browser for Android will continue to use HTTPS-Everywhere in the short term. Please see our separate update about Android below.
Improved font support:
More fonts:
One of Tor Browser's many fingerprinting defenses includes protection against font enumeration – whereby an adversary can fingerprint you using the fonts installed on your system. To counter this, Tor Browser ships with a standardized bundle of fonts to use in place of those installed on your system. However some writing scripts did not render correctly, while others had no font available in Tor Browser at all.
To solve this issue and expand the number of writing systems supported by Tor Browser, we've bundled many more fonts from the Noto family in this release. Naturally, we have to find a balance between the number of fonts Tor Browser supports without increasing the size of the installer too much, which is something we're very conscious of. So if you spot a language whose characters don't render correctly in Tor Browser, please let us know!
Tor Browser for Android:
You have no doubt noticed that the features announced above are all for desktop. So, we wanted to share a little update about where we're at with Android:
We know that Tor Browser for Android is quite behind desktop in terms of feature parity. The Tor Project has hit a few bumps in the road over the last couple of years that have delayed our releases, and led us to reassess our roadmap for Android. Since the beginning of the year our priorities for Android have been three-fold:
Start releasing regular updates for Android again
Fix the crashes that many Android users have experienced
Begin catching up with Fenix (Firefox for Android) releases
Since then, Android has averaged one stable update per month, crash reports are down significantly thanks to the patch issued in fenix#40212, and downloads are working again due to the fixes in fenix#40192 and android-components#40075. However we still have work to do to catch up with Fenix, and upgrading Tor Browser to Fenix v102 will be our priority for the next few months.
We've also taken steps to expand the team's capacity in order to dedicate more resources to Android, keep the application stable, and help us bring some of these features described above to Android in the future too.
FULL CHANGELOG:
The full changelog since Tor Browser 11.0.15 is:
All Platforms:
Update OpenSSL to 1.1.1q
Windows + OS X + Linux:
Update Firefox to 91.11.0esr
Update Tor-Launcher to 0.2.37
Update Translations
Bug tor-browser#11698: Incorporate Tor Browser Manual pages into Tor Browser
Bug tor-browser#19850: Disable Plaintext HTTP Clearnet Connections
Bug tor-browser#30589: Allowed fonts to render a bunch of missing scripts
Bug tor-browser#40458: Implement about:rulesets https-everywhere replacement
Bug tor-browser-build#40527: Remove https-everywhere from tor-browser alpha desktop
Bug tor-browser#40562: Reorganize patchset
Bug tor-browser#40598: Remove legacy settings read from TorSettings module
Bug tor-browser#40645: Migrate Moat APIs to Moat.jsm module
Bug tor-browser#40684: Misc UI bug fixes
Bug tor-browser#40773: Update the about:torconnect frontend page to match additional UI flows
Bug tor-browser#40774: Update about:preferences page to match new UI designs
Bug tor-browser#40775: about:ion should not be labeled as a Tor Browser page
Bug tor-browser#40793: moved Tor configuration options from old-configure.in to moz.configure
Bug tor-browser#40825: Redirect HTTPS-Only error page when not connected
Bug tor-browser#40912: Hide screenshots menu since we don't support it
Bug tor-browser#40916: Remove the browser.download.panel.shown preference
Bug tor-browser#40923: Consume country code to improve error report
Bug tor-browser#40966: Render emojis in bridgemoji with SVG files, and added emojii descriptions
Bug tor-browser#41011: Make sure the Tor Connection status is shown only in about:preferences#connection
Bug tor-browser#41023: Update manual URLs
Bug tor-browser#41035: OnionAliasService should use threadsafe ISupports
Bug tor-browser#41036: Add a preference to disable Onion Aliases
Bug tor-browser#41037: Fixed the connection preferences on the onboarding
Bug tor-browser#41039: Set 'startHidden' flag on tor process in tor-launcher
OS X:
Bug tor-browser#40797: font-family: monospace renders incorrectly on macOS
Bug tor-browser#41004: Bundled fonts are not picked up on macOS
Linux:
Bug tor-browser#41015: Add --name parameter to correctly setup WM_CLASS when running as native Wayland client
Bug tor-browser#41043: Hardcode the UI font on Linux
Android:
Update Fenix to 99.0.0b3
Build System:
All Platforms:
Bug tor-browser-build#40288: Bump mmdebstrap version to 0.8.6
Bug tor-browser-build#40426: Update Ubuntu base image to 22.04
Bug tor-browser-build#40519: Add Alexis' latest PGP key to https-everywhere key ring
Android:
Update Go to 1.18.3
Bug tor-browser-build#40433: Bump LLVM to 13.0.1 for android builds
Bug tor-browser-build#40470: Fix zlib build issue for android
Bug tor-browser-build#40485: Resolve Android reproducibility issues
Windows + OS X + Linux:
Bug tor-browser-build#34451: Include Tor Browser Manual in packages during build
Bug tor-browser-build#40525: Update the mozconfig for tor-browser-91.9-11.5-2

New in Tor Browser 11.5 Alpha 13 (Jul 4, 2022)

New in Tor Browser 11.0.14 (Jun 9, 2022)

New in Tor Browser 11.5 Alpha 12 (Jun 2, 2022)

New in Tor Browser 11.0.13 (May 25, 2022)

New in Tor Browser 11.5 Alpha 11 (May 23, 2022)

New in Tor Browser 11.0.11 (May 5, 2022)

New in Tor Browser 11.5 Alpha 9 (Apr 27, 2022)

New in Tor Browser 11.0.10 (Apr 10, 2022)

New in Tor Browser 11.5 Alpha 8 (Mar 24, 2022)

New in Tor Browser 11.0.9 (Mar 21, 2022)

New in Tor Browser 11.5 Alpha 6 (Mar 13, 2022)

New in Tor Browser 11.0.7 (Mar 9, 2022)

New in Tor Browser 11.5 Alpha 4 (Feb 22, 2022)

New in Tor Browser 11.0.6 (Feb 9, 2022)

New in Tor Browser 11.0.5 (Feb 9, 2022)

New in Tor Browser 11.5 Alpha 2 (Jan 31, 2022)

New in Tor Browser 11.0.4 (Jan 12, 2022)

New in Tor Browser 11.0.3 (Dec 21, 2021)

New in Tor Browser 11.5 Alpha 1 (Dec 14, 2021)

New in Tor Browser 11.0.2 (Dec 9, 2021)

New in Tor Browser 11.0.1 (Nov 16, 2021)

New in Tor Browser 11.0 (Nov 9, 2021)

Tor Browser 11.0 is now available from the Tor Browser download page and our distribution directory. This is the first stable release based on Firefox ESR 91, and includes an important update to Tor 0.4.6.8.
NEW:
Tor Browser gets a new look
Earlier this year, Firefox’s user interface underwent a significant redesign aimed at simplifying the browser chrome, streamlining menus and featuring an all-new tab design. Firefox ESR 91 introduces the new design to Tor Browser for the first time.
To ensure it lives up to the new experience, each piece of custom UI in Tor Browser has been modernized to match Firefox’s new look and feel. That includes everything from updating the fundamentals like color, typography and buttons to redrawing each of our icons to match the new thinner icon style.
In addition to the browser chrome itself, the connection screen, circuit display, security levels and onion site errors all received a sprucing-up too – featuring some small but welcome quality of life improvements to each.
Final deprecation of v2 onion services:
Last year we announced that v2 onion services would be deprecated in late 2021, and since its 10.5 release Tor Browser has been busy warning users who visit v2 onion sites of their upcoming retirement. At long last, that day has finally come. Since updating to Tor 0.4.6.8 v2 onion services are no longer reachable in Tor Browser, and users will receive an “Invalid Onion Site Address” error instead.
Should you receive this error when attempting to visit a previously working v2 address, there is nothing wrong with your browser – instead, the issue lies with the site itself. If you wish, you can notify the onion site’s administrator about the problem and encourage them to upgrade to a v3 onion service as soon as possible.
It’s easy to tell if you still have any old v2 addresses saved in your bookmarks that are in need of removal or updating too: although both end in .onion, the more secure v3 addresses are 56 characters long compared to v2’s modest 16 character length.
Known issues:
Tor Browser 11.0 comes with a number of known issues:
Bug 40668: DocumentFreezer & file scheme
Bug 40671: Fonts don't render
Bug 40679: Missing features on first-time launch in esr91 on MacOS
Bug 40689: Change Blockchair Search provider's HTTP method
Bug 40667: AV1 videos shows as corrupt files in Windows 8.1
Bug 40677: Since the update to 11.0a9 some addons are inactive and need disabling-reenabling on each start
Bug 40666: Switching svg.disable affects NoScript settings
Bug 40690: Browser chrome breaks when private browsing mode is turned off
The full changelog since Tor Browser 10.5.10 is:
Windows + OS X + Linux:
Update Firefox to 91.3.0esr
Update Tor to tor-0.4.6.8
Bug 32624: localStorage is not shared between tabs
Bug 33125: Remove xpinstall.whitelist.add* as they don't do anything anymore
Bug 34188: Cleanup extensions.* prefs
Bug 40004: Convert tl-protocol to async.
Bug 40012: Watch all requested tor events
Bug 40027: Make torbutton_send_ctrl_cmd async
Bug 40042: Add missing parameter of createTransport
Bug 40043: Delete all plugin-related protections
Bug 40045: Teach the controller about status_client
Bug 40046: Support arbitrary watch events
Bug 40047: New string for Security Level panel
Bug 40048: Protonify Circuit Display Panel
Bug 40053: investigate fingerprinting potential of extended TextMetrics interface
Bug 40083: Make sure Region.jsm fetching is disabled
Bug 40177: Clean up obsolete preferences in our 000-tor-browser.js
Bug 40220: Make sure tracker cookie purging is disabled
Bug 40342: Set `gfx.bundled-fonts.activate = 1` to preserve current bundled fonts behaviour
Bug 40463: Disable network.http.windows10-sso.enabled in FF 91
Bug 40483: Deutsche Welle v2 redirect
Bug 40534: Cannot open URLs on command line with Tor Browser 10.5
Bug 40547: UX: starting in offline mode can result in difficulty to connect later
Bug 40548: Set network.proxy.failover_direct to false in FF 91
Bug 40561: Refactor about:torconnect implementation
Bug 40567: RFPHelper is not init until after about:torconnect bootstraps
Bug 40597: Implement TorSettings module
Bug 40600: Multiple pages as home page unreliable in 11.0a4
Bug 40616: UX: multiple about:torconnect
Bug 40624: TorConnect banner always visible in about:preferences#tor even after bootstrap
Bug 40626: Update Security Level styling to match Proton UI
Bug 40628: Checkbox wrong color in about:torconnect in dark mode theme
Bug 40630: Update New Identity and New Circuit icons
Bug 40631: site identity icons are not being displayed properly
Bug 40632: Proton'ify Circuit Display Panel
Bug 40634: Style updates for Onion Error Pages
Bug 40636: Fix about:torconnect 'Connect' border radius in about:preferences#tor
Bug 40641: Update Security Level selection in about:preferences to match style as tracking protection option bubbles
Bug 40648: Replace onion pattern divs/css with tiling SVG
Bug 40653: Onion Available text not aligned correctly in toolbar in ESR91
Bug 40655: esr91 is suggesting to make Tor Browser the default browse
Bug 40657: esr91 is missing "New identity" in hamburger menu
Bug 40680: Prepare update to localized assets for YEC
Bug 40686: Update Onboarding link for 11.0
Build System:
Windows + OS X + Linux:
Update Go to 1.16.9
Bug 40048: Remove projects/clang-source
Bug 40347: Make the list of toolchain updates needed for firefox91
Bug 40363: Change bsaes git url
Bug 40366: Use bullseye to build https-everywhere
Bug 40368: Use system's python3 for https-everywhere
Windows + Linux
Bug 40357: Update binutils to 2.35.2
Linux:
Bug 40222: Bump GCC to 10.3.0 for Linux
Bug 40305: Update Linux toolchain to switch to mozilla91
Bug 40353: Temporarily disable rlbox for linux builds

New in Tor Browser 10.5.10 (Oct 27, 2021)

New in Tor Browser 11.0 Alpha 9 (Oct 18, 2021)

New in Tor Browser 10.5.8 (Oct 7, 2021)

New in Tor Browser 11.0 Alpha 7 (Sep 27, 2021)

New in Tor Browser 10.5.6 (Sep 9, 2021)

New in Tor Browser 11.0 Alpha 5 (Aug 25, 2021)

New in Tor Browser 10.5.5 (Aug 20, 2021)

New in Tor Browser 11.0 Alpha 4 (Aug 17, 2021)

New in Tor Browser 10.5.4 (Aug 11, 2021)

New in Tor Browser 10.0.16 (Apr 21, 2021)

New in Tor Browser 10.0.15 (Apr 21, 2021)

New in Tor Browser 10.0.14 (Apr 21, 2021)

New in Tor Browser 10.0.12 (Feb 25, 2021)

New in Tor Browser 10.5 Alpha 2 (Oct 31, 2020)

New in Tor Browser 10.0.2 (Oct 31, 2020)

New in Tor Browser 10.0.1 (Oct 14, 2020)

New in Tor Browser 10.5 Alpha 1 (Sep 27, 2020)

New in Tor Browser 10.0 (Sep 27, 2020)

Windows + OS X + Linux:
Update Firefox to 78.3.0esr
Update Tor to 0.4.4.5
Update Tor Launcher to 0.2.25
Bug 32174: Replace XUL with
Bug 33890: Rename XUL files to XHTML
Bug 33862: Fix usages of createTransport API
Bug 33906: Fix Tor-Launcher issues for Firefox 75
Bug 33998: Use CSS grid instead of XUL grid
Bug 34164: Tor Launcher deadlocks during startup (Firefox 77)
Bug 34206: Tor Launcher button labels are missing (Firefox 76)
Bug 40002: After rebasing to 80.0b2 moat is broken
Translations update
Update NoScript to 11.0.44
Bug 40093: Youtube videos on safer produce an error
Translations update
Bug 10394: Let Tor Browser update HTTPS Everywhere
Bug 11154: Disable TLS 1.0 (and 1.1) by default
Bug 16931: Sanitize the add-on blocklist update URL
Bug 17374: Disable 1024-DH Encryption by default
Bug 21601: Remove unused media.webaudio.enabled pref
Bug 30682: Disable Intermediate CA Preloading
Bug 30812: Exempt about: pages from Resist Fingerprinting
Bug 31918+33533+40024+40037: Rebase Tor Browser esr68 patches for ESR 78
Bug 32612: Update MAR_CHANNEL_ID for the alpha
Bug 32886: Separate treatment of @media interaction features for desktop and android
Bug 33534: Review FF release notes from FF69 to latest (FF78)
Bug 33697: Use old search config based on list.json
Bug 33721: PDF Viewer is not working in the safest security level
Bug 33734: Set MOZ_NORMANDY to False
Bug 33737: Fix aboutDialog.js error for Firefox nightlies
Bug 33848: Disable Enhanced Tracking Protection
Bug 33851: Patch out Parental Controls detection and logging
Bug 33852: Clean up about:logins to not mention Sync
Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
Bug 33862: Fix usages of createTransport API
Bug 33867: Disable password manager and password generation
Bug 33890: Rename XUL files to XHTML
Bug 33892: Add brandProductName to brand.dtd and brand.properties
Bug 33962: Uplift patch for bug 5741 (dns leak protection)
Bug 34125: API change in protocolProxyService.registerChannelFilter
Bug 40001: Generate tor-browser-brand.ftl when importing translations
Bug 40002: Remove about:pioneer
Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils
Bug 40003: Adapt code for L10nRegistry API changes
Bug 40005: Initialize the identity UI before setting up the circuit display
Bug 40006: Fix new identity for 81
Bug 40007: Move SecurityPrefs initialization to the StartupObserver component
Bug 40008: Style fixes for 78
Bug 40016: Update Snowflake to discover NAT type
Bug 40017: Audit Firefox 68-78 diff for proxy issues
Bug 40022: Update new icons in Tor Browser branding
Bug 40025: Revert add-on permissions due to Mozilla's 1560059
Bug 40036: Remove product version/update channel from #13379 patch
Bug 40038: Review RemoteSettings for ESR 78
Bug 40048: Disable various ESR78 features via prefs
Bug 40059: Verify our external helper patch is still working
Bug 40066: Update existing prefs for ESR 78
Bug 40066: Remove default bridge 37.218.240.34
Bug 40073: Disable remote Public Suffix List fetching
Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere
Bug 40078: Backport patches for bug 1651680 for now
Bug 40082: Let JavaScript on safest setting handled by NoScript again
Bug 40088: Moat "Submit" button does not work
Bug 40090: Disable v3 add-on blocklist for now
Bug 40091: Load HTTPS Everywhere as a builtin addon
Bug 40102: Fix UI bugs in Tor Browser 10.0 alpha
Bug 40106: Cannot install addons in full screen mode
Bug 40109: Playing video breaks after reloading pages
Bug 40119: Enable v3 extension blocklisting again
Windows:
Bug 33855: Don't use site's icon as window icon in Windows in private mode
Bug 40061: Omit the Windows default browser agent from the build
OS X:
Bug 32252: Tor Browser does not display correctly in VMWare Fusion on macOS (mojave)
Build System:
Windows + OS X + Linux:
Bump Go to 1.14.7
Bug 31845: Bump GCC version to 9.3.0
Bug 34011: Bump clang to 9.0.1
Bug 34014: Enable sqlite3 support in Python
Bug 34390: Don't copy DBM libraries anymore
Bug 34391: Remove unused --enable-signmar option
Bug 40004: Adapt Rust project for Firefox 78 ESR
Bug 40005: Adapt Node project for Firefox 78 ESR
Bug 40006: Adapt cbindgen for Firefox 78 ESR
Bug 40037: Move projects over to clang-source
Bug 40026: Fix full .mar creation for esr78
Bug 40027: Fix incremental .mar creation for esr78
Bug 40028: Do not reference unset env variables
Bug 40031: Add licenses for kcp-go and smux.
Bug 40045: Fix complete .mar file creation for dmg2mar
Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1
Bug 40087: Deterministically add HTTPS Everywhere into omni.ja
Windows:
Bug 34230: Update Windows toolchain for Firefox 78 ESR
Bug 40015: Use only 64bit fxc2
Bug 40017: Enable stripping again on Windows
Bug 40052: Bump NSIS to 3.06.1
Bug 40061: Omit the Windows default browser agent from the build
Bug 40071: Be explicit about no SEH with mingw-w64 on 32bit systems
Bug 40077: Don't pass --no-insert-timestamp when building Firefox
Bug 40090: NSIS 3.06.1 based builds are not reproducible anymore
OS X:
Bug 34229: Update macOS toolchain for Firefox 78 ESR
Bug 40003: Update cctools version for Firefox 78 ESR
Bug 40018: Add libtapi project for cctools
Bug 40019: Ship our own runtime library for macOS
Linux:
Bug 34359: Adapt abicheck.cc to deal with newer GCC version
Bug 34386: Fix up clang compilation on Linux
Bug 40053: Also create the langpacks tarball for non-release builds

New in Tor Browser 9.0.4 (Jan 13, 2020)

New in Tor Browser 9.0.2 (Dec 4, 2019)

New in Tor Browser 9.0.1 (Nov 6, 2019)

New in Tor Browser 9.0 (Oct 23, 2019)

Tor Browser 9.0 is the first stable release based on Firefox 68 ESR and contains a number of updates to other components as well (including Tor to 0.4.1.6 and OpenSSL to 1.1.1d for desktop versions and Tor to 0.4.1.5 for Android).
In addition to all the needed patch rebasing and toolchain updates, we made big improvements to make Tor Browser work better for you.
We want everyone in the world to be able to enjoy the privacy and freedom online Tor provides, and that's why over the past couple years, we've been working hard to boost our UX and localization efforts, with the biggest gains first visible in Tor Browser 8.0.
In Tor Browser 9.0, we continue to build upon those efforts with sleeker integration and additional localization support.
Goodbye, Onion Button:
We want your experience using Tor to be fully integrated within the browser so how you use Tor is more intuitive. That's why now, rather than using the onion button that was in the toolbar, you can see your path through the Tor network and request a New Circuit through the Tor network in [i] on the URL bar.
Hello, New Identity Button:
Instead of going into the onion button to request a New Identity, we've made this important feature easier to access by giving it its own button in the toolbar.
You can also request a New Identity, and a New Circuit, from within the [=] menu on the toolbar.
Torbutton and Tor Launcher Integration:
Now that both extensions are tightly integrated into Tor Browser, they'll no longer be found on the about:addons page.
We redesigned the bridge and proxy configuration dialogs and include them directly into the browser's preference settings as well.
Rather than being a submenu behind the onion button, Tor Network Settings, including the ability to fetch bridges to bypass censorship where Tor is blocked, are easier to access on about:preferences#tor.
Better Localization Support:
If we want all people around the world to be able to use our software, then we need to make sure it's speaking their language. Since 8.0, Tor Browser has been available in 25 languages. Today, we add support for two additional languages: Macedonian (mk) and Romanian (ro), bringing the number of supported languages to 27.
We also fixed bugs in our previously shipped localized bundles (such as ar and ko).

New in Tor Browser 8.5.5 (Sep 5, 2019)

New in Tor Browser 8.5.4 (Jul 12, 2019)

New in Tor Browser 8.5.2 (Jun 21, 2019)

New in Tor Browser 8.5 (May 22, 2019)

All platforms
Update Firefox to 60.7.0esr
Update Torbutton to 2.1.8
Bug 25013: Integrate Torbutton into tor-browser for Android
Bug 27111: Update about:tor desktop version to work on mobile
Bug 22538+22513: Fix new circuit button for error pages
Bug 25145: Update circuit display when back button is pressed
Bug 27749: Opening about:config shows circuit from previous website
Bug 30115: Map browser+domain to credentials to fix circuit display
Bug 25702: Update Tor Browser icon to follow design guidelines
Bug 21805: Add click-to-play button for WebGL
Bug 28836: Links on about:tor are not clickable
Bug 30171: Don't sync cookie.cookieBehavior and firstparty.isolate
Bug 29825: Intelligently add new Security Level button to taskbar
Bug 29903: No WebGL click-to-play on the standard security level
Bug 27290: Remove WebGL pref for min capability mode
Bug 25658: Replace security slider with security level UI
Bug 28628: Change onboarding Security panel to open new Security Level panel
Bug 29440: Update about:tor when Tor Browser is updated
Bug 27478: Improved Torbutton icons for dark theme
Bug 29239: Don't ship the Torbutton .xpi on mobile
Bug 27484: Improve navigation within onboarding (strings)
Bug 29768: Introduce new features to users (strings)
Bug 28093: Update donation banner style to make it fit in small screens
Bug 28543: about:tor has scroll bar between widths 900px and 1000px
Bug 28039: Enable dump() if log method is 0
Bug 27701: Don't show App Blocker dialog on Android
Bug 28187: Change tor circuit icon to torbutton.svg
Bug 29943: Use locales in AB-CD scheme to match Mozilla
Bug 26498: Add locale: es-AR
Bug 28082: Add locales cs, el, hu, ka
Bug 29973: Remove remaining stopOpenSecuritySettingsObserver() pieces
Bug 28075: Tone down missing SOCKS credential warning
Bug 30425: Revert armagadd-on-2.0 changes
Bug 30497: Add Donate link to about:tor
Bug 30069: Use slider and about:tor localizations on mobile
Bug 21263: Remove outdated information from the README
Bug 28747: Remove NoScript (XPCOM) related unused code
Translations update
Code clean-up
Update HTTPS Everywhere to 2019.5.6.1
Bug 27290: Remove WebGL pref for min capability mode
Bug 29120: Enable media cache in memory
Bug 24622: Proper first-party isolation of s3.amazonaws.com
Bug 29082: Backport patches for bug 1469916
Bug 28711: Backport patches for bug 1474659
Bug 27828: "Check for Tor Browser update" doesn't seem to do anything
Bug 29028: Auto-decline most canvas warning prompts again
Bug 27919: Backport SSL status API
Bug 27597: Fix our debug builds
Bug 28082: Add locales cs, el, hu, ka
Bug 26498: Add locale: es-AR
Bug 29916: Make sure enterprise policies are disabled
Bug 29349: Remove network.http.spdy.* overrides from meek helper user.js
Bug 29327: TypeError: hostName is null on about:tor page
Bug 30425: Revert armagadd-on-2.0 changes
Windows + OS X + Linux
Update OpenSSL to 1.0.2r
Update Tor Launcher to 0.2.18.3
Bug 27994+25151: Use the new Tor Browser logo
Bug 29328: Account for Tor 0.4.0.x's revised bootstrap status reporting
Bug 22402: Improve "For assistance" link
Bug 27994: Use the new Tor Browser logo
Bug 25405: Cannot use Moat if a meek bridge is configured
Bug 27392: Update Moat URLs
Bug 28082: Add locales cs, el, hu, ka
Bug 26498: Add locale es-AR
Bug 28039: Enable dump() if log method is 0
Translations update
Bug 25702: Activity 1.1 Update Tor Browser icon to follow design guidelines
Bug 28111: Use Tor Browser icon in identity box
Bug 22343: Make 'Save Page As' obey first-party isolation
Bug 29768: Introduce new features to users
Bug 27484: Improve navigation within onboarding
Bug 25658+29554: Replace security slider with security level UI
Bug 25405: Cannot use Moat if a meek bridge is configured
Bug 28885: notify users that update is downloading
Bug 29180: MAR download stalls when about dialog is opened
Bug 27485: Users are not taught how to open security-slider dialog
Bug 27486: Avoid about:blank tabs when opening onboarding pages
Bug 29440: Update about:tor when Tor Browser is updated
Bug 23359: WebExtensions icons are not shown on first start
Bug 28628: Change onboarding Security panel to open new Security Level panel
Bug 27905: Fix many occurrences of "Firefox" in about:preferences
Bug 28369: Stop shipping pingsender executable
Bug 30457: Remove defunct default bridges
Windows
Bug 27503: Improve screen reader accessibility
Bug 27865: Tor Browser 8.5a2 is crashing on Windows
Bug 22654: Firefox icon is shown for Tor Browser on Windows 10 start menu
Bug 28874: Bump mingw-w64 commit to fix WebGL crash
Bug 12885: Windows Jump Lists fail for Tor Browser
Bug 28618: Set MOZILLA_OFFICIAL for Windows build
Bug 21704: Abort install if CPU is missing SSE2 support
Bug 28002: Fix the precomplete file in the en-US installer
OS X
Bug 27623: Use MOZILLA_OFFICIAL for our builds
Linux
Bug 28022: Use `/usr/bin/env bash` for bash invocation
Bug 27623: Use MOZILLA_OFFICIAL for our builds
Android
Bug 5709: Ship Tor Browser for Android
Build System
All platforms
Bug 29868: Fix installation of python-future package
Bug 25623: Disable network during build
Bug 25876: Generate source tarballs during build
Bug 28685: Set Build ID based on Tor Browser version
Bug 29194: Set DEBIAN_FRONTEND=noninteractive
Bug 29167: Upgrade go to 1.11.5
Bug 29158: Install updated apt packages (CVE-2019-3462)
Bug 29097: Don't try to install python3.6-lxml for HTTPS Everywhere
Bug 27061: Enable verification of langpacks checksums
Windows
Bug 26148: Update binutils to 2.31.1
Bug 27320: Build certutil for Windows
OS X
Bug 27320: Build certutil for macOS
Linux
Bug 26323+29812: Build 32bit Linux bundles on 64bit Debian Wheezy
Bug 26148: Update binutils to 2.31.1
Bug 29758: Build firefox debug symbols for linux-i686
Bug 29966: Use archive.debian.org for Wheezy images
Bug 29183: Use linux-x86_64 langpacks on linux-x86_64
Android
Bug 29981: Add option to build without using containers

New in Tor Browser 8.0.9 (May 7, 2019)

New in Tor Browser 8.0.7 (Mar 21, 2019)

New in Tor Browser 8.0.6 (Feb 14, 2019)

New in Tor Browser 8.0.5 (Jan 30, 2019)

New in Tor Browser 8.0.4 (Dec 13, 2018)

New in Tor Browser 8.0 (Sep 6, 2018)

Tor Browser 8.0 comes with a series of user experience improvements that address a set of long-term Tor Browser issues you’ve told us about. To meet our users' needs, Tor Browser has a new user onboarding experience; an updated landing page that follows our styleguide; additional language support; and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.
For the most part, using Tor is like using any other browser (and it is based on Firefox), but there are some usage differences and cool things happening behind the scenes that users should be aware of. Our new onboarding experience aims to better let you know about unique aspects of Tor Browser and how to maximize those for your best browsing experience.
For users where Tor is blocked, we have previously offered a handful of bridges in the browser to bypass censorship. But to receive additional bridges, you had to send an email or visit a website, which posed a set of problems. To simplify how you request bridges, we now have a new bridge configuration flow when you when you launch Tor. Now all you have to do is solve a captcha in Tor Launcher, and you’ll get a bridge IP. We hope this simplification will allow more people to bypass censorship and browse the internet freely and privately.
Better Language Support:
Millions of people around the world use Tor, but not everyone has been able to use Tor in their language. In Tor Browser 8, we’ve added resources and support for nine previously unsupported languages: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, and Traditional Chinese.
Apart from those highlights, a number of other component and toolchains got an update for this major release. In particular, we now ship Tor 0.3.3.9 with OpenSSL 1.0.2p and Libevent 2.1.8. Moreover, we switched to the pure WebExtension version of NoScript (version 10.1.9.1) which we still need to provide the security slider functionality. Additionally, we start shipping 64bit builds for Windows users which should enhance Tor Browser stability compared to the 32bit bundles.
Providing this many improvements for our users could only be possible with collaboration between the Tor Browser team and Tor's UX team, Community team, Services Admin team, and our volunteers. We would like to thank everyone for working hard over the past year to bring all these new features to our users.

New in Tor Browser 7.5.5 (Jun 11, 2018)

New in Tor Browser 7.5.4 (May 10, 2018)

New in Tor Browser 7.5.3 (Mar 27, 2018)

New in Tor Browser 7.5.2 (Mar 19, 2018)

New in Tor Browser 7.5 (Jan 25, 2018)

All Platforms:
Update Firefox to 52.6.0esr
Update Tor to 0.3.2.9
Update OpenSSL to 1.0.2n
Update Torbutton to 1.9.8.5:
Bug 21847: Update copy for security slider
Bug 21245: Add da translation to Torbutton and keep track of it
Bug 24702: Remove Mozilla text from banner
Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
Translations update
Update Tor Launcher to 0.2.14.3:
Bug 23262: Implement integrated progress bar
Bug 23261: implement configuration portion of new Tor Launcher UI
Bug 24623: Revise "country that censors Tor" text
Bug 24624: tbb-logo.svg may cause network access
Bug 23240: Retrieve current bootstrap progress before showing progress bar
Bug 24428: Bootstrap error message sometimes lost
Bug 22232: Add README on use of bootstrap status messages
Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
Translations update
Update HTTPS Everywhere to 2018.1.11
Update NoScript to 5.1.8.3:
Bug 23104: CSS line-height reveals the platform Tor Browser is running on
Bug 24398: Plugin-container process exhausts memory
Bug 22501: Requests via javascript: violate FPI
Bug 24756: Add noisebridge01 obfs4 bridge configuration
Windows:
Bug 16010: Enable content sandboxing on Windows
Bug 23230: Fix build error on Windows 64
OS X:
Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
Bug 23025: Add some hardening flags to macOS build
Linux:
Bug 23970: Make "Print to File" work with sandboxing enabled
Bug 23016: "Print to File" is broken on some non-english Linux systems
Bug 10089: Set middlemouse.contentLoadURL to false by default
Bug 18101: Suppress upload file dialog proxy bypass (linux part)
Android:
Bug 22084: Spoof network information API
Build System:
All Platforms:
Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
Windows:
Bug 22563: Update mingw-w64 to fix W^X violations
Bug 20929: Bump GCC version to 5.4.0
Linux:
Bug 20929: Bump GCC version to 5.4.0
Bug 23892: Include Firefox and Tor debug files in final build directory
Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

New in Tor Browser 7.0.11 (Dec 27, 2017)

New in Tor Browser 7.0.8 (Oct 25, 2017)

New in Tor Browser 7.0.5 (Sep 18, 2017)

New in Tor Browser 7.0.4 (Aug 12, 2017)

New in Tor Browser 7.0.2 (Jul 7, 2017)

New in Tor Browser 7.0.1 (Jun 16, 2017)

New in Tor Browser 7.0 (Jun 7, 2017)

All Platforms:
Update Firefox to 52.1.2esr
Update Tor to 0.3.0.7
Update Torbutton to 1.9.7.3:
Bug 22104: Adjust our content policy whitelist for ff52-esr
Bug 22457: Allow resources loaded by view-source://
Bug 21627: Ignore HTTP 304 responses when checking redirects
Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode
Bug 21865: Update our JIT preferences in the security slider
Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52
Bug 21745: Fix handling of catch-all circuit
Bug 21547: Fix circuit display under e10s
Bug 21268: e10s compatibility for New Identity
Bug 21267: Remove window resize implementation for now
Bug 21201: Make Torbutton multiprocess compatible
Translations update
Update Tor Launcher to 0.2.12.2:
Bug 22283: Linux 7.0a4 broken after update due to unix: lines in torrc
Bug 20761: Don't ignore additional SocksPorts
Bug 21920: Don't show locale selection dialog
Bug 21546: Mark Tor Launcher as multiprocess compatible
Bug 21264: Add a README file
Translations update
Update HTTPS-Everywhere to 5.2.17
Update NoScript to 5.0.5
Update Go to 1.8.3 (bug 22398):
Bug 21962: Fix crash on about:addons page
Bug 21766: Fix crash when the external application helper dialog is invoked
Bug 21886: Download is stalled in non-e10s mode
Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52
Bug 21569: Add first-party domain to Permissions key
Bug 22165: Don't allow collection of local IP addresses
Bug 13017: Work around audio fingerprinting by disabling the Web Audio API
Bug 10286: Disable Touch API and add fingerprinting resistance as fallback
Bug 13612: Disable Social API
Bug 10283: Disable SpeechSynthesis API
Bug 22333: Disable WebGL2 API for now
Bug 21861: Disable additional mDNS code to avoid proxy bypasses
Bug 21684: Don't expose navigator.AddonManager to content
Bug 21431: Clean-up system extensions shipped in Firefox 52
Bug 22320: Use preference name 'referer.hideOnionSource' everywhere
Bug 16285: Don't ship ClearKey EME system and update EME preferences
Bug 21675: Spoof window.navigator.hardwareConcurrency
Bug 21792: Suppress MediaError.message
Bug 16337: Round times exposed by Animation API to nearest 100ms
Bug 21972: about:support is partially broken
Bug 21726: Keep Graphite support disabled
Bug 21323: Enable Mixed Content Blocking
Bug 21685: Disable remote new tab pages
Bug 21790: Disable captive portal detection
Bug 21686: Disable Microsoft Family Safety support
Bug 22073: Make sure Mozilla's experiments are disabled
Bug 21683: Disable newly added Safebrowsing capabilities
Bug 22071: Disable Kinto-based blocklist update mechanism
Bug 22415: Fix format error in our pipeline patch
Bug 22072: Hide TLS error reporting checkbox
Bug 20761: Don't ignore additional SocksPorts
Bug 21862: Rip out potentially unsafe Rust code
Bug 16485: Improve about:cache page
Bug 22462: Backport of patch for bug 1329521 to fix assertion failure
Bug 21340: Identify and backport new patches from Firefox
Bug 22153: Fix broken feeds on higher security levels
Bug 22025: Fix broken certificate error pages on higher security levels
Bug 21887: Fix broken error pages on higher security levels
Bug 22458: Fix broken `about:cache` page on higher security levels
Bug 21876: Enable e10s by default on all supported platforms
Bug 21876: Always use esr policies for e10s
Bug 20905: Fix resizing issues after moving to a direct Firefox patch
Bug 21875: Modal dialogs are maximized in ESR52 nightly builds
Bug 21885: SVG is not disabled in Tor Browser based on ESR52
Bug 17334: Hide Referer when leaving a .onion domain (improved patch)
Bug 18531: Uncaught exception when opening ip-check.info
Bug 18574: Uncaught exception when clicking items in Library
Bug 22327: Isolate Page Info media previews to first party domain
Bug 22452: Isolate tab list menuitem favicons to first party domain
Bug 15555: View-source requests are not isolated by first party domain
Bug 3246: Double-key cookies
Bug 8842: Fix XML parsing error
Bug 5293: Neuter fingerprinting with Battery API
Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo
Bug 19645: TBB zooms text when resizing browser window
Bug 19192: Untrust Blue Coat CA
Bug 19955: Avoid confusing warning that favicon load request got cancelled
Bug 20005: Backport fixes for memory leaks investigation
Bug 20755: ltn.com.tw is broken in Tor Browser
Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed
Bug 20680: Rebase Tor Browser patches to 52 ESR
Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge
Bug 22468: Add default obfs4 bridges frosty and dragon
Windows:
Bug 22419: Prevent access to file://
Bug 12426: Make use of HeapEnableTerminationOnCorruption
Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement
Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows
OS X:
Bug 21940: Don't allow privilege escalation during update
Bug 22044: Fix broken default search engine on macOS
Bug 21879: Use our default bookmarks on OSX
Bug 21779: Non-admin users can't access Tor Browser on macOS
Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID
Bug 21724: Make Firefox and Tor Browser distinct macOS apps
Bug 21931: Backport OSX SetupMacCommandLine updater fixes
Bug 15910: Don't download GMPs via the local fallback
Linux:
Bug 16285: Remove ClearKey related library stripping
Bug 22041: Fix update error during update to 7.0a3
Bug 22238: Fix use of hardened wrapper for Firefox build
Bug 21907: Fix runtime error on CentOS 6
Bug 15910: Don't download GMPs via the local fallback
Android:
Bug 19078: Disable RtspMediaResource stuff in Orfox
Build system:
Windows
Bug 21837: Fix reproducibility of accessibility code for Windows
Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52
Bug 21904: Bump mingw-w64 commit to help with sandbox compilation
Bug 18831: Use own Yasm for Firefox cross-compilation
OS X
Bug 21328: Updating to clang 3.8.0
Bug 21754: Remove old GCC toolchain and macOS SDK
Bug 19783: Remove unused macOS helper scripts
Bug 10369: Don't use old GCC toolchain anymore for utils
Bug 21753: Replace our old GCC toolchain in PT descriptor
Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+
Bug 22328: Remove clang PIE wrappers
Linux
Bug 21930: NSS libraries are missing from mar-tools archive
Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2)
Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore
Bug 21629: Fix broken ASan builds when switching to ESR 52
Bug 22444: Use hardening-wrapper when building GCC
Bug 22361: Fix hardening of libraries built in linux/gitian-utils.yml

New in Tor Browser 6.5 (Jan 27, 2017)

Update Firefox to 45.7.0esr
Tor to 0.2.9.9
OpenSSL to 1.0.2j
Update Torbutton to 1.9.6.12
Bug 16622: Timezone spoofing moved to tor-browser.git
Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
Bug 20701: Allow the directory listing stylesheet in the content policy
Bug 19837: Whitelist internal URLs that Firefox requires for media
Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
Bug 19273: Improve external app launch handling and associated warnings
Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
Bug 17767: Make "JavaScript disabled" more visible in Security Slider
Bug 20556: Use pt-BR strings from now on
Bug 20614: Add links to Tor Browser User Manual
Bug 20414: Fix non-rendering arrow on OS X
Bug 20728: Fix bad preferences.xul dimensions
Bug 19898: Use DuckDuckGo on about:tor
Bug 21091: Hide the update check menu entry when running under the sandbox
Bug 19459: Move resizing code to tor-browser.git
Bug 20264: Change security slider to 3 options
Bug 20347: Enhance security slider's custom mode
Bug 20123: Disable remote jar on all security levels
Bug 20244: Move privacy checkboxes to about:preferences#privacy
Bug 17546: Add tooltips to explain our privacy checkboxes
Bug 17904: Allow security settings dialog to resize
Bug 18093: Remove 'Restore Defaults' button
Bug 20373: Prevent redundant dialogs opening
Bug 20318: Remove helpdesk link from about:tor
Bug 21243: Add links for pt, es, and fr Tor Browser manuals
Bug 20753: Remove obsolete StartPage locale strings
Bug 21131: Remove 2016 donation banner
Bug 18980: Remove obsolete toolbar button code
Bug 18238: Remove unused Torbutton code and strings
Bug 20388+20399+20394: Code clean-up
Translation updates
Update Tor Launcher to 0.2.10.3
Bug 19568: Set CurProcD for Thunderbird/Instantbird
Bug 19432: Remove special handling for Instantbird/Thunderbird
Translation updates
Update HTTPS-Everywhere to 5.2.9
Update NoScript to 2.9.5.3
Bug 16622: Spoof timezone with Firefox patch
Bug 17334: Spoof referrer when leaving a .onion domain
Bug 19273: Write C++ patch for external app launch handling
Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
Bug 12523: Mark JIT pages as non-writable
Bug 20123: Always block remote jar files
Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
Bug 19164: Remove support for SHA-1 HPKP pins
Bug 19186: KeyboardEvents are only rounding to 100ms
Bug 16998: Isolate preconnect requests to URL bar domain
Bug 19478: Prevent millisecond resolution leaks in File API
Bug 20471: Allow javascript: links from HTTPS first party pages
Bug 20244: Move privacy checkboxes to about:preferences#privacy
Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
Bug 20709: Fix wrong update URL in alpha bundles
Bug 19481: Point the update URL to aus1.torproject.org
Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
Bug 20442: Backport fix for local path disclosure after drag and drop
Bug 20160: Backport fix for broken MP3-playback
Bug 20043: Isolate SharedWorker script requests to first party
Bug 18923: Add script to run all Tor Browser regression tests
Bug 20651: DuckDuckGo does not work with JavaScript disabled
Bug 19336+19835: Enhance about:tbupdate page
Bug 20399+15852: Code clean-up
Windows:
Bug 20981: On Windows, check TZ for timezone first
Bug 18175: Maximizing window and restarting leads to non-rounded window size
Bug 13437: Rounded inner window accidentally grows to non-rounded size
OS X:
Bug 20590: Badly resized window due to security slider notification bar on OS X
Bug 20439: Make the build PIE on OSX
Linux:
Bug 20691: Updater breaks if unix domain sockets are used
Bug 15953: Weird resizing dance on Tor Browser startup
Build system:
All platforms
Bug 20927: Upgrade Go to 1.7.4
Bug 20583: Make the downloads.json file reproducible
Bug 20133: Don't apply OpenSSL patch anymore
Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
Bug 18291: Remove some uses of libfaketime
Bug 18845: Make zip and tar helpers generate reproducible archives
OS X
Bug 20258: Make OS X Tor archive reproducible again
Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
Bug 19856: Make OS X builds reproducible (getting libfaketime back)
Bug 19410: Fix incremental updates by taking signatures into account
Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

New in Tor Browser 6.0.8 (Dec 14, 2016)

New in Tor Browser 6.0.7 (Dec 1, 2016)

New in Tor Browser 6.0.5 (Sep 20, 2016)

New in Tor Browser 6.0.4 (Aug 18, 2016)

New in Tor Browser 6.0.2 (Jun 22, 2016)

New in Tor Browser 6.0.1 (Jun 8, 2016)

New in Tor Browser 5.5.5 (Apr 26, 2016)

New in Tor Browser 5.5.4 (Mar 20, 2016)

New in Tor Browser 5.5.3 (Mar 9, 2016)

New in Tor Browser 5.5.2 (Feb 16, 2016)

New in Tor Browser 5.5.1 (Feb 5, 2016)

New in Tor Browser 6.0 Alpha 1 (Jan 28, 2016)

New in Tor Browser 5.5 (Jan 28, 2016)

All Platforms:
Update Firefox to 38.6.0esr
Update libevent to 2.0.22-stable
Update NoScript to 2.9.0.2
Update Torbutton to 1.9.4.3
Bug 16990: Show circuit display for connections using multi-party channels
Bug 18019: Avoid empty prompt shown after non-en-US update
Bug 18004: Remove Tor fundraising donation banner
Bug 16940: After update, load local change notes
Bug 17108: Polish about:tor appearance
Bug 17568: Clean up tor-control-port.js
Bug 16620: Move window.name handling into a Firefox patch
Bug 17351: Code cleanup
Translation updates
Update Tor Launcher to 0.2.7.8
Bug 18113: Randomly permutate available default bridges of chosen type
Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
Bug 10140: Add new Tor Browser locale (Japanese)
Bug 17428: Remove Flashproxy
Bug 13512: Load a static tab with change notes after an update
Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
Bug 15564: Isolate SharedWorkers by first-party domain
Bug 16940: After update, load local change notes
Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
Bug 17369: Disable RC4 fallback
Bug 17442: Remove custom updater certificate pinning
Bug 16620: Move window.name handling into a Firefox patch
Bug 17220: Support math symbols in font whitelist
Bug 10599+17305: Include updater and build patches needed for hardened builds
Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
Bug 18072: Change recommended pluggable transport type to obfs4
Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
Bug 16322: Use onion address for DuckDuckGo search engine
Bug 17917: Changelog after update is empty if JS is disabled
Linux:
Bug 16672: Don't use font whitelisting for Linux users
OS X:
Bug 17122: Rename Japanese OS X bundle
Bug 16707: Allow more system fonts to get used on OS X
Bug 17661: Whitelist font .Helvetica Neue DeskInterface
Windows:
Bug 17250: Add localized font names to font whitelist
Bug 16707: Allow more system fonts to get used on Windows
Bug 13819: Ship expert bundles with console enabled
Bug 17250: Fix broken Japanese fonts
Bug 17870: Add intermediate certificate for authenticode signing

New in Tor Browser 5.0.7 (Jan 8, 2016)

New in Tor Browser 5.0.6 (Dec 18, 2015)

New in Tor Browser 5.0.4 (Nov 8, 2015)

New in Tor Browser 5.0.3 (Sep 24, 2015)

New in Tor Browser 5.5 Alpha 1 (Aug 28, 2015)

New in Tor Browser 5.0.1 (Aug 21, 2015)

New in Tor Browser 5.0 Alpha 3 (Jul 13, 2015)

New in Tor Browser 4.5.3 (Jul 9, 2015)

New in Tor Browser 5.0 Alpha 2 (Jun 17, 2015)

New in Tor Browser 4.5.2 (Jun 16, 2015)

New in Tor Browser 4.5.1 (May 13, 2015)

New in Tor Browser 4.5 (Apr 29, 2015)

All Platforms:
Update Tor to 0.2.6.7 with additional patches:
Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
Update NoScript to 2.6.9.22
Update HTTPS-Everywhere to 5.0.3
Bug 15689: Resume building HTTPS-Everywhere from git tags
Update meek to 0.17
Include obfs4proxy 0.0.5
Use obfs4proxy for obfs2, obfs3, obfs4, and ScrambleSuit bridges
Pluggable Transport Dependency Updates:
Bug 15265: Switch go.net repo to golang.org/x/net
Bug 15448: Use golang 1.4.2 for meek and obs4proxy
Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
Bug 13576: Don't strip "bridge" from the middle of bridge lines
Bug 13983: Directory search path fix for Tor Messanger+TorBirdy
Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
Bug 14336: Fix navigation button display issues on some wizard panes
Bug 15657: Display the host:port of any connection faiures in bootstrap
Bug 15704: Do not enable network if wizard is opened
Update Torbutton to 1.9.2.2. Changes since 1.7.0.2 in 4.0.8:
Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
Bug 7255: Warn users about maximizing windows
Bug 8400: Prompt for restart if disk records are enabled/disabled.
Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
(Many Circuit UI issues were fixed during 4.5; see release changelogs for those).
Bug 9387: Security Slider 1.0
Include descriptions and tooltip hints for security levels
Notify users that the security slider exists
Make use of new SVG, jar, and MathML prefs
Bug 9442: Add New Circuit button to Torbutton menu
Bug 9906: Warn users before closing all windows and performing new identity.
Bug 10216: Add a pref to disable the local tor control port test
Bug 10280: Strings and pref for preventing plugin initialization.
Bug 11175: Remove "About Torbutton" from onion menu.
Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
Bug 11449: Fix new identity error if NoScript is not enabled
Bug 13019: Change locale spoofing pref to boolean
Bug 13079: Option to skip control port verification
Bug 13406: Stop directing users to download-easy.html.en on update
Bug 13650: Clip initial window height to 1000px
Bugs 13751+13900: Remove SafeCache cache isolation code in favor of C++ patch
Bug 13766: Set a 10 minute circuit lifespan for non-content requests
Bug 13835: Option to change default Tor Browser homepage
Bug 13998: Handle changes in NoScript 2.6.9.8+
Bug 14100: Option to hide NetworkSettings menuitem
Bug 14392: Don't steal input focus in about:tor search box
Bug 14429: Provide automatic window resizing, but disable for now
Bug 14448: Restore Torbutton menu operation on non-English localizations
Bug 14490: Use Disconnect search in about:tor search box
Bug 14630: Hide Torbutton's proxy settings tab.
Bug 14631: Improve profile access error msgs (strings for translation).
Bugs 14632+15334: Display Cookie Protections only if disk records are enabled
Bug 15085: Fix about:tor RTL text alignment problems
Bug 15460: Ensure FTP urls use content-window circuit isolation
Bug 15502: Wipe blob: URIs on New Identity
Bug 15533: Restore default security level when restoring defaults
Bug 15562: Bind SharedWorkers to thirdparty pref
Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
Bug 4100: Raise HTTP Keep-Alive back to 115 second default
Bug 5698: Fix branding in "About Torbrowser" window
Bug 10280: Don't load any plugins into the address space by default
Bug 11236: Fix omnibox order for non-English builds
Also remove Amazon, eBay and bing; add Youtube and Twitter
Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
Bug 12430: Provide a preference to disable remote jar: urls
Bugs 12827+15794: Create preference to disable SVG images (for security slider)
Bug 13019: Prevent Javascript from leaking system locale
Bug 13379: Sign our MAR update files
Bug 13439: No canvas prompt for content callers
Bug 13548: Create preference to disable MathML (for security slider)
Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
Bug 13788: Fix broken meek in 4.5-alpha series
Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
Bug 14392: Make about:tor hide itself from the URL bar
Bug 14490: Make Disconnect the default omnibox search engine
Bug 14631: Improve startup error messages for filesystem permissions issues
Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
Bug 14937: Hard-code meek and flashproxy node fingerprints
Bug 15029: Don't prompt to include missing plugins
Bug 15406: Only include addons in incremental updates if they actually update
Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
Bug 15502: Isolate blob: URI scope to URL domain; block WebWorker access
Bug 15562: Disable Javascript SharedWorkers due to third party tracking
Bug 15757: Disable Mozilla video statistics API extensions
Bug 15758: Disable Device Sensor APIs
Linux:
Bug 12468: Only print/write log messages if launched with --debug
Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
Bug 13717: Make sure we use the bash shell on Linux
Bug 15672: Provide desktop app registration+unregistration for Linux
Bug 15747: Improve start-tor-browser argument handling
Windows:
Bug 3861: Begin signing Tor Browser for Windows the Windows way
Bug 10761: Fix instances of shutdown crashes
Bug 13169: Don't use /dev/random on Windows for SSP
Bug 14688: Create shortcuts to desktop and start menu by default (optional)
Bug 15201: Disable 'runas Administrator' codepaths in updater
Bug 15539: Make installer exe signatures reproducibly removable
Mac:
Bug 10138: Switch to 64bit builds for MacOS

New in Tor Browser 4.0.6 (Apr 3, 2015)

New in Tor Browser 4.5 Alpha 5 (Apr 3, 2015)

All Platforms:
Update Firefox to 31.6.0esr
Update OpenSSL to 1.0.1m
Update Tor to 0.2.6.6
Update NoScript to 2.6.9.19
Update HTTPS-Everywhere to 5.0
Update meek to 0.16
Update Tor Launcher to 0.2.7.3
Bug 13983: Directory search path fix for Tor Messanger+TorBirdy
Update Torbutton to 1.9.1.0
Bug 9387: "Security Slider 1.0"
Include descriptions and tooltip hints for security levels
Notify users that the security slider exists
Flip slider so that "low" is on the bottom
Make use of new SVG and MathML prefs
Bug 13766: Set a 10 minute circuit lifespan for non-content requests
Bug 15460: Ensure FTP urls use content-window circuit isolation
Bug 13650: Clip initial window height to 1000px
Bug 14429: Ensure windows can only be resized to 200x100px multiples
Bug 15334: Display Cookie Protections menu if disk records are enabled
Bug 14324: Show HS circuit in Tor circuit display
Bug 15086: Handle RTL text in Tor circuit display
Bug 15085: Fix about:tor RTL text alignment problems
Bug 10216: Add a pref to disable the local tor control port test
Bug 14937: Show meek and flashproxy bridges in tor circuit display
Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
Bug 13019: Change locale hiding pref to boolean
Bug 7255: Warn users about maximizing windows
Bug 14631: Improve profile access error msgs (strings).
Pluggable Transport Dependency Updates:
Bug 15448: Use golang 1.4.2 for meek and obs4proxy
Bug 15265: Switch go.net repo to golang.org/x/net
Bug 14937: Hard-code meek and flashproxy node fingerprints
Bug 13019: Prevent Javascript from leaking system locale
Bug 10280: Improved fix to prevent loading plugins into address space
Bug 15406: Only include addons in incremental updates if they actually update
Bug 15029: Don't prompt to include missing plugins
Bug 12827: Create preference to disable SVG images (for security slider)
Bug 13548: Create preference to disable MathML (for security slider)
Bug 14631: Improve startup error messages for filesystem permissions issues
Bug 15482: Don't allow circuits to change while a site is in use
Linux:
Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
Bug 12468: Only print/write log messages if launched with --debug
Windows:
Bug 3861: Begin signing Tor Browser for Windows the Windows way
Bug 15201: Disable 'runas Administrator' codepaths in updater
Bug 14688: Create shortcuts to desktop and start menu by default (optional)