by richard | September 14, 2023
Tor Browser 13.0a4 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 115.2.1esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 117.
Major Changes
This is our fourth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our gitlab or on the Tor Project forum.
We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series which will continue to receive security updates until 13.0 alpha is promoted to stable.
Build Output Naming Updates
As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory
UX Refresh of about:tor
The about:tor page you land on after bootstrapping has been rewritten for our Desktop platforms. As part of this process, and as part of the tor integration back-end rewrite, we have removed the automatic tor network connectivity check ( https://check.torproject.org ) which occurred in the about:tor page.
This check was a hold-over from the tor-launcher days when launching and bootstrapping the tor daemon was handled by an extension which ran before the Firefox browser interface was presented to the user. As a result of the tighter tor integration and in-browser bootstrapping experience in about:connection, the legacy logic behind this check would sometimes fail and present some users with the infamous 'red screen of death', even if their tor connection was fine.
That is to say, all of the reports we have received of users hitting this screen were false-positives when using the default configuration. The conditions for which the check on this page made sense no longer exist and now only serve to confuse users. On top of that, the two main environments where Tor Browser is used in a non-default configuration where the check is arguably useful (Tails and Whonix) do not use the built-in about:tor page for home or new-tab.
Tor Browser users with the default configuration who successfully go through the bootstrapping process essentially cannot get into a situation where they are able to load about:tor while not being connected to the process-owned tor daemon. If they are connected to the tor daemon, then the check will either succeed or timeout if the connection to the Tor Network fails after bootstrapping. If the tor daemon has crashed or failed to launch, then the browser's proxy settings prevent web traffic from going anywhere outside the users system
In the short term, we will be adding some ux to the about:tor page for users who are not using a default configuration to easily check that their configuration is correct and using tor as expected.
Longer-term (in the 13.5 time-frame) we plan on integrating this tor check directly into the about:connection state-machine so we can avoid false-positives in the default configuration while also providing peace-of-mind that web traffic is being routed correctly. We will also likely iterate on the about:tor ux for users in non-default configurations.
Android
Our Tor Browser Android release should be pretty close to final in terms of changes, apart from bug fixes or tweaks required by our annual ESR code-audit. The rendering+branding errors from 13.0a3 have been resolved. If you are able, please be sure to take the Tor Browser Android alpha for a spin, and especially try using bridges!
Known Issues
Desktop
Build to build incremental updates are currently failing for some users if you are starting at a version older than 13.0a3. Users on 13.0a2 and 13.0a1 will first download the small incremental update, fail to apply it after a re-launch, and then download the full large update. This should not result in losing anything of value apart from your precious time.
It is being tracked in tor-browser#42101.
Windows
Building generated debug headers are not currently reproducible. This only affects debug info and does not affect users. This issue is being tracked here. It will either be fixed before the 13.0 alpha series transitions to stable later this year, or we will disable this developer feature by default to ensure fully matching builds.
Full changelog
We would like to thank volunteer contributor cypherpunks1 for their fixes for tor-browser#41876 and tor-browser#41740.
The full changelog since Tor Browser 13.0a3 is:
This is a companion discussion topic for the original entry at https://blog.torproject.org/new-alpha-release-tor-browser-130a4