Updates from the Tor Project

Arti is our ongoing project to create a next-generation Tor client in Rust. Now we’re announcing the latest release, Arti 1.3.0. This release is a significant milestone: we have achieved parity on most major client features with C Tor. Much other major work is taking place, too! Work on Arti Relay is accelerating, and the RPC system is proceeding too. For full details on what we’ve done, and for information about many smaller and less visible changes as well, please see the CHANGELOG. For more information on using Arti, see our top-level README, and the documentation for the arti binary. Thanks to everybody who’s contributed to this release, including Morgan, and Neel Chauhan. Also, our welcome to Clara Engler as they join the team! And as always, our deep thanks to Zcash Community Grants, the Bureau of Democracy, Human Rights and Labor, and our other sponsors for funding the development of Arti! announcements releases

Changes and updates Update Tor Browser to 14.0.1. Update the Tor client to 0.4.8.13. Update Thunderbird to 115.16.0. Fixed problems Fix automatic upgrades aborting with the error message “The upgrade could not be downloaded” even after a successful download. (#20593) For more details, read our changelog. Get Tails 6.9 To upgrade your Tails USB stick and keep your Persistent Storage Automatic upgrades are available from Tails 6.0 or later to 6.9. If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade. To install Tails 6.9 on a new USB stick Follow our installation instructions: Install from Windows Install from macOS Install from Linux Install from Debian or Ubuntu using the command line and GnuPG The Persistent Storage on the USB stick will be lost if you install instead of upgrading. To download only If you don’t need installation or upgrade instructions, you can download Tails 6.9 directly: For USB sticks (USB image) For DVDs and virtual machines (ISO image) Support and feedback For support and feedback, visit the Support section on the Tails website. partners releases

Tor Browser 14.0.1 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox. Known Issues The tor daemon for aarch64 macOS (M1 and friends) will crash when visiting some onion-service sites, resulting in an inoperable Tor Browser (you can restart Tor Browser to work around this for now, but the particular failing onion-service sites will be inaccessible until we develop a fix). This issue is being tracked in tor-browser#43245 Send us your feedback If you find a bug or have a suggestion for how we could improve this release, please let us know. Full changelog The full changelog since Tor Browser 14.0 is: All Platforms Updated Tor to 0.4.8.13 Bug tor-browser#43231: Rebase Tor Browser 128-based stable and alpha onto 128.4.0esr Bug tor-browser#43240: Backport security fixes from Firefox 132 Windows + macOS + Linux Updated Firefox to 128.4.0esr Android Updated GeckoView to 128.4.0esr Build System All Platforms Bug tor-browser-build#41289: Fix single-browser in relprep.py Linux Bug tor-browser-build#41282: Add SSL to our custom Python for MozBug 1924022 applications releases

Tor Browser 14.0 is now available from the Tor Browser download page and our distribution directory. This is our first stable release based on Firefox ESR 128, incorporating a year’s worth of changes shipped upstream in Firefox. As part of this process we’ve also completed our annual ESR transition audit, where we reviewed and addressed over 200 Bugzilla issues for changes in Firefox that may negatively affect the privacy and security of Tor Browser users. Our final reports from this audit are now available in the tor-browser-spec repository on our Gitlab instance. Firefox’s design also continues to evolve, and the ESR transition is our opportunity to update Tor Browser to reflect the most recent patterns and styles used in Firefox. For example, eagle-eyed Tor Browser users will notice updates to Tor Browser’s typography that we’ve inherited from Firefox, including heavier headings and changes to line heights intended to improve font compatibility and accessibility. In addition to the ESR, we overcame many other technical challenges that you can read more about in Morgan’s series of blog posts chronicling the team’s progress with Tor Browser Alpha, including: unifying Tor Browser for Android’s codebase into a monorepo, addressing reproducibility issues in our Android APK generation, reducing Android’s APK size for x86 and x86_64 platforms, and changes to how we spoof Tor Browser’s user agent, to name a few. This release also includes a series of improvements to the usability and compatibility of our fingerprinting protections without compromising their effectiveness, allowing us to enable useful features like picture-in-picture, screenshots and more. The ongoing development of Tor Browser is made possible thanks to the support of our community. If Tor Browser is important to you, now is a great time to support our mission, as all donations will be matched through the end of the year. What’s new? New circuit for Android In previous versions of Tor Browser for Android, users could request a “New identity” by interacting with a persistent notification that appeared while Tor Browser was running. However this was unusual for a couple of reasons – firstly, no such feature was available in the app’s user interface itself, and it could only be enabled outside the app via Android’s notification drawer. Secondly, this feature did not perform the same steps as Tor Browser for desktop to reset your identity, such as closing all tabs, clearing all cookies and wiping your browsing history. In actuality, it functioned more like a “refresh all circuits” button. We’ve since learned that most Android users were relying on this feature as workaround to request a new circuit for a broken website, rather than reset their identity as such. So when this notification inadvertently disappeared in Tor Browser 13.5, we didn’t rush to bring it back in its original state. Instead, we chose to focus our efforts on porting the desktop feature “New circuit for this site” to Android, allowing our mobile users to request a new circuit in a more targeted fashion. Extended support for legacy platforms With the release of Tor Browser 13.5, we began warning users of Windows 7, 8 and 8.1 and macOS 10.12, 10.13 and 10.14 that this would be the last major release to support their platforms. In short, that situation has now changed, and users of these legacy platforms will continue to receive critical security updates updates on a temporary basis until at least March 2025. Microsoft ended support for Windows 7, 8 and 8.1 in January of 2023, and Apple typically provides support for the previous three versions of macOS. In turn, Mozilla moved support for these versions to the Extended Support Release (ESR) of Firefox last year, and ESR 115 will be the final version of Firefox to support these platforms. However, Mozilla have since announced that ESR 115 will continue to receive critical security updates until at least March 2025, with the intention to re-evaluate the situation at the beginning of the year. So how does this affect Tor Browser users? That’s where it gets a little complicated: Tor Browser 13 is currently based on Firefox ESR 115, whereas Tor Browser 14 is based on ESR 128 – which doesn’t support these legacy platforms. This means that the Tor Browser user base will be split across two update paths: Users of Windows 10 or later and macOS 10.15 or later will be updated to Tor Browser 14.0. User of Windows 7, 8 and 8.1 and macOS 10.12, 10.13 and 10.14 will remain on Tor Browser 13.5. In turn, the Tor Project will continue to release new versions of Tor Browser 13.5 whenever critical security updates are made available for Firefox ESR 115. Ultimately, this support is only temporary, and is dependent on Mozilla’s timetable. Therefore we strongly recommend users of legacy Windows and macOS platforms upgrade their operating systems in order to update to Tor Browser 14.0 before the extended support window ends. Keeping Tor Browser up to date is critical to protect your privacy, security and anonymity online. Known issues Tor Browser 14.0 comes with a number of known issues that are searchable on Tor Browser’s Gitlab project. In particular, Windows and Android users should be aware of the following: Android We are currently working on a fix for an issue with Guardian Project’s F-Droid repo that’s been preventing F-Droid users from updating since Tor Browser 13.5.3’s release. Until this issue is resolved, Android users who have installed Tor Browser via Guardian Project’s F-Droid repo will not receive the 14.0 update. Google Play is unaffected by this issue, and Tor Browser 14.0 can be downloaded from there in the interim. Alternatively, affected users may download and install the APK for Tor Browser 14.0 directly from our download page, however please note that APKs do not update automatically. For more details, see tor-browser#43208. Windows Running Tor Browser in compatibility mode in Windows 10 and 11 can make it appear as though you’re using Windows 7 instead. Given the minimum support requirements for Tor Browser 14.0 described above, Windows 10 and 11 users will need to ensure compatibility mode is switched off before they can update to 14.0. Contributors <3 Thanks to all of the teams across Tor, and the wider community, who contributed to this release. In particular we’d like to extend our gratitude to the following volunteers who have contributed their expertise, labor, and time to this release: cypherpunks1 Thank you for tackling the (now shrinking) list of Android bugs, UI discrepancies, and packaging problems. The Android release is more polished than it otherwise would be because of your help. tor-browser#41550 tor-browser#43052 tor-browser#43129 tor-browser#43146 tor-browser#43147 tor-browser#43202 tor-browser#43223 tor-browser#43225 tor-browser#43227 tor-browser#43228 tor-browser-build#41261 NoisyCoil Thank you for bringing us one step closer to reproducible aarch64 Linux builds. This merge-request was long in the making. tor-browser-build#41142 thorin Last but not least, a big thank you to thorin for your help keeping track of and flagging upstream issues, developing tests, verifying our fixes, maximizing Tor Browser’s fingerprinting protections, and for being an ever present advocate for user privacy in general. If you would like to contribute to a future release, please see our guide for new contributors to get started. If you find a bug or have a suggestion for how we could improve this release, we’d love to hear your feedback. Full changelog The full changelog since Tor Browser 13.5.7 for desktop and Tor Browser 13.5.8 for Android is: All Platforms Bug tor-browser#30543: compat: make spoofed orientation reflect spoofed screen dimensions Bug tor-browser#30862: 10ms time precision via EXSLT date-time function Bug tor-browser#41328: Follow firefox ESMify for Bug 1308512 Bug tor-browser#42054: ESR128: investigate – thorin’s list Bug tor-browser#42220: Flip all the possible preferences to prevent any automatic download Bug tor-browser#42255: pdfjs.disabled used to be part of RFP until Bug 1838415; lock pref to false in stable Bug tor-browser#42356: Review 000-tor-browser.js and 001-base-profile.js for 128 Bug tor-browser#42601: Check Bug 1894779: Allow font-face urls to be resource:// urls and relax CORS for resource:// URLs Bug tor-browser#42611: Set clipboard.imageAsFile.enabled to false Bug tor-browser#42646: Drop patch for tor-browser#40166 Bug tor-browser#42683: Create script to generate issue triage csv’s from bugzilla query and git scraping Bug tor-browser#42684: Disable network prefetch Bug tor-browser#42685: compat: ESR128: enable textmetrics Bug tor-browser#42716: Disable unwanted about:* pages Bug tor-browser#42730: Make RemoteSettings use only local dumps Bug tor-browser#42746: Extend prefers-contrast rules to include forced-colors Bug tor-browser#42759: CI: remove localization file names that are in neither 14.0 nor 13.5 branches Bug tor-browser#42814: Opt out from Firefox relay by default. Bug tor-browser#42830: Enable WebAudio APIs Bug tor-browser#42831: Remove the shopping components Bug tor-browser#42867: Disable contentRelevancy component Bug tor-browser#43011: Ship only one copy of the MIT license, like upstream. Bug tor-browser#43012: Mixed content: browser requests HTTPS images from onion domain accessed via HTTP Bug tor-browser#43013: security.mixed_content.upgrade_display_content.image is true by default Bug tor-browser#43054: check bounceTrackingProtection in PB mode does not persist to disk Bug tor-browser#43074: Pass the browser to TorDomainIsolator.newCircuitForBrowser Bug tor-browser#43144: Ensure non-privacy browsing also sets the GPC header Bug tor-browser#43163: Disable offscreen canvas until verified it is not fingerprintable Bug tor-browser#43170: Disable user-agent spoofing in HTTP header Bug tor-browser#43178: Audit fingerprinting overrides (MozBug 1834274) Bug tor-browser#43184: Backport Bugzilla 1922294: RFP: fixup square spoofed orientation Bug tor-browser#43197: Disable automatic exception for HTTPS-First Windows + macOS + Linux Updated Firefox to 128.3.0esr Updated NoScript to 11.4.42 Bug tor-browser#40147: Re-enable Picture-in-Picture mode Bug tor-browser#41309: Re-enable screenshots component Bug tor-browser#41811: Primary buttons that result in a connection attempt should be purple Bug tor-browser#41817: Add more color aliases that take dark mode into account Bug tor-browser#41820: Downloads warning styling improvements (use moz-message-bar) Bug tor-browser#42070: Backport Bugzilla 1834307 and hide smooth-scroll UX Bug tor-browser#42212: Fluent migration: onion services Bug tor-browser#42362: “New window” missing from File menu Bug tor-browser#42441: Evaluate RR version-by-RR version rebases instead of ESR-to-ESR Bug tor-browser#42488: ESR 128: Remove role=”code” from tor circuit panel Bug tor-browser#42603: Remove safebrowsing URLs Bug tor-browser#42612: Re-implement moz-toggle customizations for ESR 128 Bug tor-browser#42617: Restore the HTML form on DDG when using safest in 128 Bug tor-browser#42629: Tweak isOnNewTabPage patch Bug tor-browser#42630: Review LaterRun in 128 Bug tor-browser#42640: Disable Firefox Flame button due to unknown interactions with New Identity Bug tor-browser#42641: Move from panel-footer class to moz-button-group Bug tor-browser#42643: downloads panel separator has mismatched margin Bug tor-browser#42644: toolbar rules in panelUI-shared.css are unneccessary Bug tor-browser#42647: “Switching to a new device” regressed on 128 Bug tor-browser#42653: The Neterror page has a checkbox to report iframe origin errors to TPO Bug tor-browser#42662: Use data-hidden-from-search for hiding the firefox connection settings Bug tor-browser#42663: Tor Browser “Connection” settings missing a tooltip Bug tor-browser#42665: Drop “Learn More” spacing Bug tor-browser#42667: Add description-deemphasized class to our additions to about:preferences Bug tor-browser#42679: Use a more robust approach to hide the “tracking protection” urlbar button Bug tor-browser#42687: Disable Privacy-Preserving Attribution Bug tor-browser#42695: Use –arrowpanel- variables for tor circuit panel spacing Bug tor-browser#42698: Bridge card background contrast is low for bridge-moji Bug tor-browser#42699: Drop level=”top” attribute from panels Bug tor-browser#42700: Remove !nodes condition from gTorCircuitPanel._updateCurrentBrowser Bug tor-browser#42704: Drop the badged=”true” attribute from security level button Bug tor-browser#42705: Update our preferences to account for new line height Bug tor-browser#42713: Some –in-content CSS variables were renamed/removed Bug tor-browser#42718: Remove the firefox-view button from UI, even when always-on private-browsing mode is disabled Bug tor-browser#42735: Disable recent search suggestions Bug tor-browser#42740: Stop trying to hide “Restore previous session” Bug tor-browser#42742: Inconsistent use of “New private window” vs “New window” Bug tor-browser#42743: Invalid onion sites are shown as secure in the page info window Bug tor-browser#42744: Light theme override for “about:tor” is inherited by chrome error pages. Bug tor-browser#42745: Remove some residuals from update scripts Bug tor-browser#42764: Unconditionally disable find-bar transition animation Bug tor-browser#42777: Remove ‘Website Privacy Preferences’ and ensure sensible default prefs Bug tor-browser#42803: Lost focus styling for built-in bridges radio options Bug tor-browser#42806: Use the lh CSS unit Bug tor-browser#42872: Disable translations until audited and solved the UX problems Bug tor-browser#43015: Missing region-name-skr fluent entry when fetching TorConnect country names Bug tor-browser#43067: Use html:link rather than xml-stylesheet in our dialogs Bug tor-browser#43071: Make sure “tor-button” elements that are also “primary” still use the tor colors Bug tor-browser#43072: moz-message-bar does not get announced on Orca screen-reader Bug tor-browser#43075: Should we drop link spacing in about:tor Bug tor-browser#43081: Remove hard-coded CSS line-height Bug tor-browser#43082: Search engine icon is not shown while typing in the address bar Bug tor-browser#43083: Backport fix for Mozilla 1436462 Bug tor-browser#43087: Onion pattern on about:torconnect needs a dark theme asset Bug tor-browser#43103: Verify whether an update is unsupported before choosing one Bug tor-browser#43104: Local files and extensions can’t be loaded in new windows before bootstrap Bug tor-browser#43105: Migrating Disconnect is not needed anymore Bug tor-browser#43109: Remove mention of Firefox Relay from settings Bug tor-browser#43115: Height of search bar has collapsed on about:tor Bug tor-browser#43117: Hide ‘Always underline links’ option Bug tor-browser#43118: hide CFR Bug tor-browser#43131: Reduce layout jank when loading about:tor Bug tor-browser#43134: Backport Bugzilla 1436226 Hardcode VP8/VP9 Bug tor-browser#43164: Prevent search-bar from being auto-hidden when not used for awhile Bug tor-browser#43169: compat: align userAgent in navigator + HTTP Header Bug tor-browser#43174: Issue with custom home page on local filesystem Bug tor-browser#43209: UI freezes when clipboard is empty after screen lock Bug tor-browser#43217: Fullscreen videos have rounded letterboxing corners Bug tor-browser#43218: Switch to browser.reload, since Browser:Reload signal was dropped upstream Bug tor-browser-build#41248: Check and update bundled font versions Windows + macOS Bug tor-browser#43021: Revert the OS deprecation notification introduced in #42347 macOS + Linux Bug tor-browser#42467: Make OS HTTP User-Agent OS spoofing configurable by pref Windows Bug tor-browser#43051: windows: remove UI for “open Tor Browser automatically when computer starts” macOS Bug tor-browser#42494: mac: add Arial Black and Arial Narrow to allowlist Linux Bug tor-browser#42702: Cannot access the clipboard for the crypto address check (wayland) Bug tor-browser#42773: Replace ~ with the original HOME Bug tor-browser#43092: Disable Wayland by default in 14.0 Bug tor-browser#43101: Security features warning links to Firefox installation support page with incomplete info Bug tor-browser#43141: Hardcode Arimo as a system-ui font Bug tor-browser#43196: Remove the vendor name from the “is playing media” notification on Linux Bug tor-browser-build#41237: Add some aliases to our Linux font config for compatibility Android Updated GeckoView to 128.3.0esr Bug tor-browser#41550: Remove unused extensions from Tor Browser for Android Bug tor-browser#42386: Remove unused assets to reduce APK size Bug tor-browser#42590: “Tor browser” text in top left of home fragment/new tab view gets cut off with larger text sizes Bug tor-browser#42655: Implement “New circuit for this site” on Android Bug tor-browser#42660: Review the patch on Android’s ProxySelector Bug tor-browser#42731: Verify privacy.spoof_english still works once we have Android builds Bug tor-browser#42954: Remove product recommendation API integration (Review Mozilla 1857215) Bug tor-browser#43006: Disable RFP for Font Visibility on Android Bug tor-browser#43016: Re-disable Nimbus Bug tor-browser#43043: Remove credit card autofill UI elements from menu Bug tor-browser#43048: Firefox logo on splash Bug tor-browser#43050: Center text in connect buttons Bug tor-browser#43052: Remove non private tabs icon and “other device tabs” from tab view Bug tor-browser#43057: fenix/…/search/list.json failing linting Bug tor-browser#43078: Disable Sharing Links to TBA Bug tor-browser#43088: Query stripping is disabled on Android Bug tor-browser#43094: Remove “Open in regular tab” button Bug tor-browser#43097: NoScript fails to install on Android Bug tor-browser#43102: Android notifications tell to make Firefox your default browser Bug tor-browser#43108: Backport Android fullscreen notifications refactoring on ESR128 Bug tor-browser#43114: Reader view uses the catch-all circuit on Android Bug tor-browser#43116: The lack of GeoIP databases produces a lot of spam in the console on Android Bug tor-browser#43128: Use DuckDuckGo HTML on the Safest security level for Android Bug tor-browser#43129: about:neterror cannot display SVG on Android with Security Level Safest Bug tor-browser#43132: Enable extensions installation on Tor Browser 14 for Android. Bug tor-browser#43146: Update the icon of DuckDuckGo onion search engine on Android Bug tor-browser#43147: Remove unused search plugins from the apk files Bug tor-browser#43151: MOZ_DATA_REPORTING, MOZ_TELEMETRY_REPORTING, MOZ_CRASHREPORTER, and MOZ_BACKGROUNDTASKS enabled on Android Bug tor-browser#43172: remove remote settings and SERPTelemetry Bug tor-browser#43202: Extensions page unnecessarily fetches recommended addons on Android Bug tor-browser#43223: Hide option to open bookmarks in non-private tabs on Android Bug tor-browser#43225: Hide non-private tab settings and history search on Android Bug tor-browser#43227: Hide the Firefox Suggest label above search suggestions on Android Bug tor-browser#43228: Fix the “What’s new” URL and text on Android Bug tor-browser-build#41223: Tor Browser Alpha version not displayed correctly Build System All Platforms Updated Go to 1.22.8 Bug tor-browser#42722: clang-format and localization linters are not running Bug tor-browser#42799: Do not run lint pipelines on new tag Bug tor-browser#43014: Add purgecaches to the dev build Bug tor-browser#43156: Update translation CI to account for the extended 13.5 release Bug tor-browser#43157: Move tb-dev to base-browser Bug tor-browser#43181: Run translation CI if there is a change in a string.xml file Bug tor-browser-build#41013: Add a README to each project Bug tor-browser-build#41096: Set SOURCE_DATE_EPOCH in the default env variables Bug tor-browser-build#41155: Update toolchains for ESR128 Bug tor-browser-build#41156: Split the Rust configuration options Bug tor-browser-build#41180: Some files do not need to be copied when building tor-expert-bundle Bug tor-browser-build#41188: Upgrade binutils to 2.41 Bug tor-browser-build#41189: Add matzfan to list of downstream projects in alpha release-prep template Bug tor-browser-build#41195: Update Go to 1.22 Bug tor-browser-build#41198: Update release-prep issue template to include notifiying anti-censorship team of package name changes for GetTor distributor Bug tor-browser-build#41203: Tor Blog generation script uses the wrong url scheme for alpha releases Bug tor-browser-build#41236: Remove binutils when not needed Bug tor-browser-build#41273: relprep.py: bump Firefox and GV to a (yet) non-existing tag when the last one does not match HEAD Bug tor-browser-build#41274: Improve fetch_changelogs.py for major releases Bug tor-browser-bundle-testsuite#40078: Update tools/tb-build-06-start-nightly-build after tor-browser-build#40829 Windows + macOS + Linux Bug tor-browser#42668: Drop torconnect rule in eslint-plugin-mozilla Bug tor-browser-build#41247: Adapt tools/update-responses/update_responses to support multiple versions in the same xml files Bug tor-browser-build#41256: tools/signing/upload-update_responses-to-staticiforme should regenerate update-responses when it already exists Bug tor-browser-build#41259: Don’t try to generate incrementals for versions which don’t set incremental_from Bug tor-browser-build#41270: Add updater rewriterules to make 13.5.7 a watershed Windows + macOS Bug tor-browser-build#41197: Modify update-responses to prevent upgrades on unsupported Windows and macOS versions Windows Bug tor-browser-build#29318: Drop mingw-w64/gcc toolchain Bug tor-browser-build#29320: Use mingw-w64/clang toolchain to build Rust Bug tor-browser-build#41185: Drop Windows 7 support for 14.0 from build tools Bug tor-browser-build#41201: Bump the Windows version checked by the installer macOS Bug tor-browser-build#41267: Go dropping support for macOS <= 11.0 in Go 1.23 Android Bug tor-browser#42480: Use translation CI in android Bug tor-browser-build#40544: Bump Java 8 version to something more recent Bug tor-browser-build#41106: Non matching builds after application-services not being rebuilt in a long time Bug tor-browser-build#41123: Drop the firefox-android project Bug tor-browser-build#41171: Switch Android containers to Debian bookworm Bug tor-browser-build#41172: Refactor the android-toolchain project Bug tor-browser-build#41178: Force IPv4 when downloading in fix_gradle_deps.py Bug tor-browser-build#41200: Remove allowed_addons.json and the related tools Bug tor-browser-build#41210: Use tor-expert-bundle-aar in geckoview/build_apk Bug tor-browser-build#41211: The Android license file is not deterministic anymore Bug tor-browser-build#41214: Update geckoview/config to be more like firefox/config Bug tor-browser-build#41217: Update realprep.py script to handle Firefox 128-based Tor Browser Android Bug tor-browser-build#41224: Do not ship Conjure and GeoIP databases on Android x86, x86-64 to save some space Bug tor-browser-build#41232: Re-implement single-arch builds after the monorepo migration Bug tor-browser-build#41234: More dependencies are needed when building Android as a release Bug tor-browser-build#41261: Use an uncompressed NoScript xpi file to improve apk compression applications releases

Tor Browser 13.5.8 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox. This is an unplanned release which backports the remaining Android-specific security fixes from Firefox 131 to Tor Browser 13.5. This is due to a release-process failure on our part during the 13.5.7 release. How did this happen? The fundamental issue that led to us missing patches in the previous release is that we have two different ways of prepping Android releases, and we forgot a step. To elaborate, Tor Browser 13.5 is based of Firefox 115. This version of Firefox uses a separate source-code repository for the Android-specific functionality. Tor Browser 14.0 is based off of Firefox 128 which has integrated Android and Desktop source-code into a single repository. So, to prep a 13.5 release we have to update two source-code tags, while in 14.0 we only have to update only one. Since we have been mostly prepping 14.0 alpha-channel releases in recent weeks, this extra tag update was overlooked and these Android-specific updates never made it into the final release. The good news is that this particular error won’t happen again as we will not need to release any more Tor Browser 13.5 for Android after this because Tor Browser 14.0 will stabilise soon. Send us your feedback If you find a bug or have a suggestion for how we could improve this release, please let us know. https://www.mozilla.org/en-US/firefox/131.0.3/releasenotes/ Full changelog The full changelog since Tor Browser 13.5.7 is: Android Updated NoScript to 11.4.42 Bug tor-browser#43099: YEC 2024 Takeover for Android Stable Bug tor-browser#43173: Backport security fixes from Firefox 131 applications releases

Each year during this season, the Tor Project holds a fundraiser during which we ask for your support. We do this because the Tor Project is a nonprofit organization, powered by donations from our community. Donations make it possible for the Tor Project to build tools powered by people—not profit. Over the next few months, we’ll be sharing stories from some of the millions of people you’re helping when you support Tor, the impact we’ve made this year, details about what’s coming next to our suite of privacy and censorship circumvention tools, and ways you can help make privacy online easy and accessible. Now is a great time to give and spread the word about the Tor Project because through the end of the year, all donations will be matched by our supporters at Power Up Privacy. That means when you donate $25, you’re making a $50 impact. Plus, we’ve introduced a brand-new item to our list of gifts you can receive in return for making a donation. 👀 Below is a short preview of the events we’re hosting for you from now until the end of the year. We hope you will save these dates and choose a way to contribute or spread the word about the Tor Project today! Upcoming events Global Encryption Day: Distribute(d) trust – The key to global encryption access (Monday, October 21) For many vulnerable Internet users, the Tor network is the only way to gain access to encrypted services. It’s made possible by relay operators, the thousands of volunteers who donate their time, technical expertise, and hardware. Join us for a roundtable discussion with individual and institutional relay operators to learn more about the ins and outs of powering a safer, more equitable internet. The virtual live event is part of Tor’s contributions to Global Encryption Day. 📺 Stream live on our YouTube channel State of the Onion – the Tor Project (Wednesday, November 13) The State of the Onion is the Tor Project’s annual virtual event where we share updates from the Tor Project and the Tor community. The event on November 13 will focus on the Tor Project and the organization’s work. 📺 Stream live on our YouTube channel State of the Onion – Community (Wednesday, November 20) The State of the Onion is the Tor Project’s annual virtual event where we share updates from the Tor Project and the Tor community. The event on November 20 will focus on organizations in the Tor community and their work. 📺 Stream live on our YouTube channel Human Rights Day (Tuesday, December 10) Every year on December 10, we celebrate the UN’s adoption and proclamation of the Universal Declaration of Human Rights (UDHR) in 1948. The UDHR outlines privacy as one of the human rights everyone should be free to exercise. 📎 Keep an eye on the blog and newsletter for event updates. Ways to contribute Make a donation: Donate through our website (or any other method listed on our FAQ) and your donation will be matched, 1:1, up to $300,000. Ask the company you work for if they will match your donation: Many corporations will match their employees’ donations to charitable organizations. Ask at work if your company will match your gift. Share on social media: Let the people in your networks know that all donations to the Tor Project are currently being matched. You can easily share a post from our social channels: Mastodon, Bluesky, X, and more. Subscribe to Tor News: No ads. No tracking. Just low-traffic Tor updates via email. fundraising

+++ Updated: Oct 14, 20:30 UTC +++ An earlier version of this blog post incorrectly stated that “Mozilla is aware of this attack being used in the wild against Tor Browser users.” This has been corrected to accurately reflect Mozilla’s official statement. To be clear, the Tor Project has no evidence that Tor Browser users were targeted specifically. The Firefox vulnerability has since been addressed with Tor Browser releases 13.5.7, 13.5.8 (for Android), and 14.0a9. This release is an emergency release to fix a critical security vulnerability in Tor Browser. Changes and updates Update Tor Browser to 13.5.7, which fixes MFSA 2024-51, a major use-after-free vulnerability. Using this vulnerability, an attacker could take control of Tor Browser , but probably not deanonymize you in Tails. Mozilla is aware that “a Firefox exploit that had been spotted in the wild.” Fixed problems For more details, read our changelog. Get Tails 6.8.1 To upgrade your Tails USB stick and keep your Persistent Storage Automatic upgrades are available from Tails 6.0 or later to 6.8.1. If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade. To install Tails 6.8.1 on a new USB stick Follow our installation instructions: Install from Windows Install from macOS Install from Linux Install from Debian or Ubuntu using the command line and GnuPG The Persistent Storage on the USB stick will be lost if you install instead of upgrading. To download only If you don’t need installation or upgrade instructions, you can download Tails 6.8.1 directly: For USB sticks (USB image) For DVDs and virtual machines (ISO image) Support and feedback For support and feedback, visit the Support section on the Tails website. partners releases

Tor Browser 14.0a9 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680 Users should update immediately. Send us your feedback If you find a bug or have a suggestion for how we could improve this release, please let us know. Full changelog The full changelog since Tor Browser 14.0a8 is: All Platforms Bug tor-browser#43197: Disable automatic exception for HTTPS-First Bug tor-browser#43201: Security fixes from Firefox 131.0.2 Android Bug tor-browser#43132: Enable extensions installation on Tor Browser 14 for Android. applications releases

Tor Browser 13.5.7 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/#CVE-2024-9680 Users should update immediately. Send us your feedback If you find a bug or have a suggestion for how we could improve this release, please let us know. Full changelog The full changelog since Tor Browser 13.5.6 is: All Platforms Bug tor-browser#43201: Security fixes from Firefox 131.0.2 Bug mullvad-browser#361: SSL_ERROR_NO_CYPHER_OVERLAP on some Brazilian government websites Build System Windows + macOS + Linux Bug tor-browser-build#41254: Drop cryptoSafetyPrompt.properties line applications releases

New features File system repair when unlocking the Persistent Storage When the file system of the Persistent Storage has errors, Tails now offers you to repair the file system when unlocking from the Welcome Screen. Because not all file system errors can be safely recovered this way, we wrote comprehensive documentation on how to recover data from the Persistent Storage using complementary techniques. Changes and updates Update Tor Browser to 13.5.6. Improve the notification when a network interface is disabled because MAC address anonymization failed. Fixed problems Increase the maximum waiting time to 8 minutes when unlocking the Persistent Storage before returning an error. (#20475) Hide shown password while unlocking Persistent Storage. (#20498) Better handle failures in when sending WhisperBack error messages: Fix input fields when Tails is not connected to Tor. (#19731) Fix accessibility of input fields with screen reader. (#19903) For more details, read our changelog. Get Tails 6.8 To upgrade your Tails USB stick and keep your Persistent Storage Automatic upgrades are available from Tails 6.0 or later to 6.8. If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade. To install Tails 6.8 on a new USB stick Follow our installation instructions: Install from Windows Install from macOS Install from Linux Install from Debian or Ubuntu using the command line and GnuPG The Persistent Storage on the USB stick will be lost if you install instead of upgrading. To download only If you don’t need installation or upgrade instructions, you can download Tails 6.8 directly: For USB sticks (USB image) For DVDs and virtual machines (ISO image) Support and feedback For support and feedback, visit the Support section on the Tails website. partners releases