New Release: Tor Browser 12.0.7

by richard | June 8, 2023

Tor Browser 12.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 102.12.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 114.

Build-Signing Infrastructure Updates

We are once again able to code-sign our executable Windows installer, so new installations on the Windows platform no longer need to perform a build-to-build update from an older version. We apologize for all the inconvenience this caued.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 12.0.6 is:

  • All Platforms
    • Updated Translations
    • Updated NoScript to 11.4.22
    • Updated OpenSSL to 1.1.1u
    • Bug tor-browser#41764: TTP-02-004 OOS: No user-activation required to download files (Low)
    • Bug tor-browser#41794: Rebase Tor Browser and Base Browser stable to 102.12esr
  • Windows + macOS + Linux
    • Updated Firefox to 102.12esr
    • Bug tor-browser#41777: Internally shippped manual does not adapt to RTL languages (it always align to the left)
  • Android
    • Updated GeckoView to 102.12esr
    • Bug tor-browser#41805: Backport Android-specific security fixes from Firefox 114 to ESR 102.12-based Tor Browser

This is a companion discussion topic for the original entry at

I have noticed that exe files may not be identical e.g. in…

  • tor-expert-bundle-12.0.5-windows-x86_64.tar
  • tor-expert-bundle-12.0.6-windows-x86_64.tar
  • tor-expert-bundle-12.0.7-windows-x86_64.tar

…downloaded from the official site, even though they’re the same “Tor (git-7c1601fb6edd780f)”.

If I’m not wrong…

  • Between 12.0.6 and 12.0.7: tor.exe & tor-gencert.exe are different while obfs4proxy.exe & snowflake-client.exe are identical;
  • Between 12.0.5 and 12.0.6: obfs4proxy.exe & snowflake-client.exe are (each) different while tor.exe & tor-gencert.exe are identical;

…where by “different” I mean “not bit-identical” - which may or may not imply “different in some essential way”

If they’re compiled from the same source code deterministically (?), even having the same time stamps, why can the same-version ( binaries are sometimes bit-identical and sometimes not? Perhaps the compiler versions are different?

They’re signed by the same PGP key, so the files must be fine. So this is most probably an insignificant question, not related to any real problems; I’m just feeling curious.

Big thanks again, to richard and everyone involved, for your hard work! :slight_smile:

Hi @nimeton

So some sleuthing would be required to determine precisely why/what different versions are the same, but I can give you the following explanations which are true regardless of the current situation above.

You are correct that the tor version is the same, so why would the resulting binaries be different?

There are broadly speaking two different reasons why binaries with the same source-code version can have different build outputs over time:

  • toolchain changes: the suite of tools (compilers, linkers, etc) may have been updated, so we’re building the same tor commits but with different tools resulting in different outputs
  • dependency changes: apart from the standard libc dependencies, tor depends some other libraries as well: libevnet, zlib, and openssl. If these dependencies (which are inputs to the tor build process, even though they are dynamically rather than statically linked) change, then one can expect the tor binary may change as well.

Another consideration is that the pluggable transports are technically separate packages, each with their own source trees and version numbers.

In the stable release there are 2 pluggable transports (snowflake-client and obfs4proxy) whereas in alpha we have 4 (conjure-client and webtunnel-client in addition to the ones in stable). For convenience, we only report the Tor Browser version associated with all of the pluggable transports rather than listing versions or git commits individually. We also reason the individual PT versions aren’t terribly relevant to developers since their usage is more or less transparent/handled by the tor daemon whereas any changes will be easier to find associated with a given Tor Browser release. The tor version on the other hand is useful for developers to know at a glance since major features often are not backported to old releases. For example, the latest tor alpha (which will be in the 13.0 alpha channel) has support for onion service PoW and confluence circuits, whereas the current stable does not have those features.

Now to get down to specifics, off the top of my head the following things have changed over the past few releases that can affect the final PT and tor binaries:

  • openssl updates (a tor dependency a mentioned above)
  • go toolchain updates - used to build all of our PTs

I hope this answers your questions+concenrs and I’m happy to babble more about this if you have further questions.


1 Like

Thanks for taking your precious time for very detailed explanation. Dependencies like openssl (and their version changes) are quite understandable. Also, PoW you mentioned (though not directly related) is something very interesting… Traditionally, many argue that PoW is waste of energy in the context of cryptocurrencies. If the technology works for something else - for making Tor (which many recognize as an important project) better, that may be very nice.

Btw after updating to TB 12.0.7 from 12.0.6 on Windows, I’m getting some security notices that didn’t appear before, when I open a new tab or (sometimes) new page. Does the new version set a (global?) Keyboard Hook e.g. for UI reason? Something triggers “a potential threat to keyboard logging access detected” notification. (I block them and the browser is working fine.) Is this something expected or perhaps it’s just that my environment is somehow not right? I know this kind of hook is useful if used right, as in AutoHotkey.

Seems weird, you should open an issue on our gitlab. There isn’t anything majorly different between the 12.0.6 and 12.0.7 versions beyond security updates, so I would bet on overzealous anti-virus.

ترجمه فارسی ( Persian translate by google translate ):

مرورگر Tor 12.0.7 اکنون از مرورگر Tor صفحه دانلود و همچنین از [دایرکتوری توزیع] ما (Index of /torbrowser) در دسترس است /12.0.7/).

این نسخه فایرفاکس را به 102.12.0esr به‌روزرسانی می‌کند، از جمله رفع اشکال، بهبود پایداری و [به‌روزرسانی‌های امنیتی] مهم (Security Vulnerabilities fixed in Firefox ESR 102.12 — Mozilla). ما همچنین [به‌روزرسانی‌های امنیتی] (Security Vulnerabilities fixed in Firefox 114 — Mozilla) مخصوص اندروید را از Firefox 114 پشتیبان‌گیری کردیم.

به‌روزرسانی‌های زیرساخت امضای ساخت

ما یک بار دیگر می‌توانیم نصب‌کننده اجرایی ویندوز خود را کد امضا کنیم، بنابراین نصب‌های جدید در پلتفرم ویندوز دیگر نیازی به انجام به‌روزرسانی ساخت‌وساز از نسخه قدیمی‌تر ندارند. ما برای تمام ناراحتی های ایجاد شده پوزش می طلبیم.

نظرات خود را برای ما ارسال کنید

اگر اشکالی پیدا کردید یا پیشنهادی برای بهبود این نسخه دارید، [لطفاً به ما اطلاع دهید] (How to Report a Bug or Give Feedback | Tor Project | Support).

تغییرات کامل

تغییرات کامل از [Tor Browser 12.0.6 ]( ChangeLog.txt) این است:

  • همه پلتفرم ها
    • ترجمه های به روز شده
    • NoScript به 11.4.22 به روز شد
    • OpenSSL به 1.1.1u به روز شد
    • اشکال tor-browser#41764 : TTP-02-004 OOS: برای دانلود فایل ها نیازی به فعال سازی کاربر نیست (کم)
    • اشکال tor-browser#41794: مرورگر Tor و مرورگر پایه را به 102.12esr تغییر دهید
  • ویندوز + macOS + لینوکس
    • فایرفاکس به 102.12esr به روز شد
    • اشکال tor-browser#41777: کتابچه راهنمای داخلی ارسال شده با زبان های RTL سازگار نیست (همیشه با ترک کرد)
  • اندروید
    • GeckoView به 102.12esr به روز شد
    • اشکال tor-browser#41805: اصلاحات امنیتی خاص Android از فایرفاکس 114 به Tor مبتنی بر ESR 102.12 در پشت زمینه مرورگر

I did a quick test and the previous version of TB (12.0.6; fx102.11.0) vanilla also tries to “read Keyboard State”. It seems that recent versions of Firefox do this by default. So nothing has changed about it and, you’re right, what I described is probably not a problem at all. It’s just that my instance of TB (non-vanilla) never tried to do this before.

Probably unrelated, I noticed possible UI issues. (1) Do “Search Bar” → “Add search bar in toolbar”. The address bar still does Search, calling a search engine if you type a word and hit enter. Perhaps by design? (2) about:config → keyword.enabled=false. The address bar doesn’t do Search anymore, but still says “Search with DuckDuckGo or enter address”.


  1. I’m aware that using non-vanilla settings may be bad w.r.t. finger-printing.
  2. Just in case someone wonders: actively reading the current state of your keyboard is not necessarily a suspicious behavior, esp. when the process or a related process has keyboard input focus (a legit example: checking if CapsLock is on or off). It couldn’t be used as a keylogger unless doing so repeatedly like every millisecond. A global hook can be used as a keylogger more easily, but if that happens, it’s more likely that you get a maliciously modified version of TB, rather than the official version is malicious.