New Alpha Release: Tor Browser 13.5a4

by richard | February 1, 2024

Tor Browser 13.5a4 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

We would like to thank the following volunteers for their contributions to this release:

Thank you all for your contributions! If you would like to contribute, our contributor guide can be found here.

Connect Assist Android Bug Fixes

As discussed in the 13.5a3 release post, we have brought an initial implementation of connect assist to Android. This feature helps users connecting from censored networks to automatically apply a tor configuration that allows them to bootstrap and connect to the Tor Network.

We have made some bug fixes this past month, so censored users should see some improvements. You can try it out for yourself by navigating to Settings > Tor Network and selecting Enable beta connection features. So please, give it a go!

Known Issues

This feature is still very much a prototype, so there are a few known issues:

  • The 'Enable beta connection features' toggle currently only allows enabling the 'HTML UI'. Unfortunately the 'Native Android UI' option is still not quite ready, but is under active development.
  • There is currently a white bar at the bottom of the 'HTML UI' connect assist screen. This 'HTML UI' is actually just the Desktop connect-experience with Android-specific modifications to allow us to exercise the backend. It will be replaced with an Android-native frontend before 13.5 stabilises!

Intentional Letterboxing Design

One of the most reported issues we get from users relates to confusion about the browser's letterboxing feature; most think the empty space around the web content is a rendering bug! In reality, the padding provides fingerprinting protections which help prevent adversaries from tracking you across the internet.

We have implemented the new look specified in tor-browser#41917 and will be adding some user customisation to about:preferences in the near future. In the meantime, you can play with the current exposed visual customisations by modifying the following boolean prefs in about:config:

  • privacy.resistFingerprinting.letterboxing.gradient : enables a gradient in the letterboxing background/tray area (default true)
  • privacy.resistFingerprinting.letterboxing.vcenter : vertically centers the website content within the browser window (default true)

These options are purely aesthetic and should have no effect on the user's browser fingerprint (though we would love to know if that is not the case).
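
One way to check that claim, as an added example that is not Tor Browser code: record the size metrics a page can read under each pref setting and diff the two snapshots. The metric list and the function names are assumptions chosen for illustration, and the sample window objects are constructed so the code also runs outside a browser.

```javascript
// Added example, not Tor Browser code. METRICS is an assumed, non-exhaustive
// selection of size-related values that a web page can read.
const METRICS = {
  innerWidth: (w) => w.innerWidth,
  innerHeight: (w) => w.innerHeight,
  outerWidth: (w) => w.outerWidth,
  outerHeight: (w) => w.outerHeight,
  screenWidth: (w) => w.screen.width,
  screenHeight: (w) => w.screen.height,
  devicePixelRatio: (w) => w.devicePixelRatio,
  clientWidth: (w) => w.document.documentElement.clientWidth,
  clientHeight: (w) => w.document.documentElement.clientHeight,
};

// Read every metric from a window-like object; a failing read is recorded
// instead of aborting the whole snapshot.
function snapshotMetrics(win) {
  const snap = {};
  for (const [name, read] of Object.entries(METRICS)) {
    try {
      snap[name] = read(win);
    } catch (err) {
      snap[name] = `unreadable (${err.name})`;
    }
  }
  return snap;
}

// List the metrics whose values differ between two snapshots.
function diffSnapshots(before, after) {
  const names = new Set([...Object.keys(before), ...Object.keys(after)]);
  return [...names]
    .sort()
    .filter((n) => before[n] !== after[n])
    .map((n) => ({ metric: n, before: before[n], after: after[n] }));
}

// Constructed window-like object (sample data, not a real measurement).
function sampleWindow(width, height) {
  return {
    innerWidth: width, innerHeight: height,
    outerWidth: width, outerHeight: height,
    devicePixelRatio: 1,
    screen: { width, height },
    document: { documentElement: { clientWidth: width, clientHeight: height } },
  };
}

const prefOn = snapshotMetrics(sampleWindow(1400, 900));
const prefOff = snapshotMetrics(sampleWindow(1400, 900));
console.log(diffSnapshots(prefOn, prefOff)); // [] means no observable change
```

In the browser, call `snapshotMetrics(window)` from the web console of the same test page once per pref setting, keeping the window size unchanged between runs, and pass the two results to `diffSnapshots`.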

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.5a3 is:


This is a companion discussion topic for the original entry at https://blog.torproject.org/new-alpha-release-tor-browser-135a4
2 Likes

good to see a fingerprinting patch in there 🙂

Shame it’s for Desktop only though

What is a shame, that it’s desktop only? Do you mean the letterboxing changes?

New window sizes and letterboxing have only ever been developed for desktop - on Android, apps don’t have the ability to be windowed (IANAE on Android), and if we added letterboxing on its own (it’s something we could do with much smaller steps) it really eats into real estate and usability and hasn’t been tackled yet (but there is an issue open)

1 Like

I’m sure 99.99% of TBA users would be happy with pinch zooming and scrolling around for a few seconds in exchange for the fingerprint blocking properties. Every update seems to pull TBA further away from its Desktop versions

@PieroV what are your thoughts on this matter? Am I correct in thinking the two versions offer different levels of protection regardless of the security slider level chosen?

GeckoView is a very different beast to Gecko, and lacks a lot of some fingerprinting parity - it’s just going to take time

1 Like

I feel like your first measurement of a lot is more accurate than some, realistically they should both be 1:1 as the users and threat level to TBA is no different to that of Desktop. If anything TBA users are more likely to need extra security because people under threat, in hiding or on active movement don’t often have the option of using a PC. I personally would either include heavy warnings that TBA isn’t as secure as Desktop and in which ways or just remove TBA from public access until a time which it does match desktop level. No access is better than access with a false sense of security.

> they should both be 1:1

this is impossible. Each OS has its own unique set of problems which require different approaches/solutions

> extra security

fingerprinting is not security

> don’t often have

don’t make assumptions 🙂 First of all, we care about all users and there are different threat models (e.g. TBA to hide traffic from family members is perfectly fine), and secondly we have some metrics in terms of downloads/updates per OS which tells us usage and where to put resources, but it doesn’t say anything about the threat: which is universal and depends on the user (for example SecureDrop recommends using TB desktop, IIRC)

/end of my comments on this

1 Like