Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor's hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.

Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?

A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Welcome Screen

Our old screen had far too much information for users, leading many of them to spend a long time confused about what to do. Some users in the paper experiment spent up to 40 minutes confused about what they needed to do here. Besides simplifying the screen and the message to make it easier for users to know whether they need to configure anything, we also did a 'brand refresh', bringing our logo to the launcher.

Censorship circumvention configuration

This is one of the most important steps for a user who is trying to connect to Tor while their network is censoring Tor. We also worked really hard to make sure the UI text makes it easy for the user to understand what a bridge is for and how to configure one. Another update was a little tip we added to the drop-down menu on which bridge to use in countries that have very sophisticated censorship methods.

Proxy help information

The proxy settings in our Tor Launcher configuration wizard are an important feature for users who are on a network that demands such configuration. But they can also lead to a lot of confusion if the user has no idea what a proxy is. Since it is a very important feature for users, we decided to keep it in the main configuration screen and introduced a help prompt with an explanation of when someone would need such configuration.

As part of our work with the UX team, we will also be coordinating user testing of this new UI to continue iterating and make sure we are always improving our users' experience. We are also planning a series of improvements not only for the Tor Launcher flow but for the whole browser experience (once you are connected to Tor) including a new user onboarding flow. And last but not least we are streamlining both our mobile and desktop experience: Tor Browser 7.5 adapted the security slider design we did for mobile bringing the improved user experience to the desktop as well.

What's New

Tor Browser 13.0a2 is now available. This release updates Firefox to 115.1.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 116.

Major Changes

This is our second alpha release in the 13.0 series, which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our GitLab or on the Tor Project forum.

We are in the middle of our annual ESR transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series, which will continue to receive security updates until 13.0 alpha is promoted to stable.

Desktop

Tor Controller

We have been working on some major refactors and rewrites to the tor daemon controller code in Tor Browser for Desktop. We are unifying and modernizing the competing implementations of various control port interface methods formerly found in the legacy torbutton and tor-launcher components into encapsulated JavaScript modules within the Firefox codebase. This work is part of a long-term plan of necessary code cleanup and lays the groundwork for supporting alternate tor backends besides the legacy tor daemon.

However, all this code churn does open up the opportunity for new behaviour, due to fixed bugs or due to the introduction of new ones. If you use Tor Browser in a non-standard/non-default configuration (either via Firefox preferences or custom environment variables), please ensure things are working as expected for your configuration with this alpha release!

The areas affected by these changes include:

  • configuring Tor Browser to use an external system tor service/daemon
  • fetching censorship-circumvention settings using the lyrebird (formerly obfs4proxy) pluggable transport
  • any tor functionality that relies on communicating with the tor daemon via the control port (circuit display, onion auth, bridge+network settings, new identity, etc)

Tor PoW

This is also the first Tor Browser release including a tor daemon with the new onion service proof-of-work DDoS prevention feature. See Proposal 327 for background and the GitLab issue regarding the implementation.

Android

This is our first Android release based on the Firefox 115esr series. Some things are still a bit rough around the edges but, to our knowledge, there are not any known regressions to the browser's core functionality.

Known Issues

Windows

To ensure that we are shipping binaries which only contain the functionality we believe they do, we use a reproducible build strategy. The basic idea is that multiple users with build machines running on different networks independently pull down and build the same source code. We then verify that the built binaries we ultimately sign and ship to users are bit for bit identical. This gives us reasonable confidence that our releases have not been compromised and contain only the functionality found in our source code.

During the 13.0a2 release cycle, we have enabled generating debug information for our supported Windows platforms to make troubleshooting Windows-specific issues easier. This debug information includes PDB symbols (which map addresses in the binaries to locations in the Firefox source code) and generated C/C++ headers. Unfortunately, the header generation is not deterministic, and so different builders will generate different (though semantically equivalent) outputs.

What this means is that, taken as a whole, our builds are not currently matching. However, the mismatched parts only appear in this debug info which is separate from the actual application that is shipped to end-users (this non-matching debug info needs to be actively sought out and is only useful for developers debugging an issue).

This issue is being tracked here. It will either be fixed before the 13.0 alpha series transitions to stable later this year, or we will disable this developer feature by default to ensure fully matching builds.
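
The cross-builder comparison described above, as an added example (not the Tor Project's build tooling): it takes sha256sum-style manifests from independent builders and separates mismatches in debug-only artifacts from mismatches in shipped ones. The filenames, digests, builder names and the filename-based debug classification are constructed assumptions.

```python
from collections import defaultdict

# Assumption: debug-only artifacts are recognised by filename; this marker list
# and every filename, digest and builder name below are constructed.
DEBUG_MARKERS = ("debug", ".pdb")

def parse_manifest(text):
    """Parse sha256sum output ("<64 hex>  <name>") into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)  # ValueError if a field is missing
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name] = digest
    return entries

def compare_builds(manifests):
    """Classify each artifact across all builders' manifests."""
    parsed = {b: parse_manifest(t) for b, t in manifests.items()}
    by_name = defaultdict(dict)
    for builder, entries in parsed.items():
        for name, digest in entries.items():
            by_name[name][builder] = digest
    report = {"matching": [], "shipped_mismatch": [], "debug_mismatch": [], "missing": []}
    for name, digests in sorted(by_name.items()):
        if len(digests) != len(parsed):
            report["missing"].append(name)  # some builder did not produce it
        elif len(set(digests.values())) == 1:
            report["matching"].append(name)  # bit-for-bit identical everywhere
        elif any(marker in name.lower() for marker in DEBUG_MARKERS):
            report["debug_mismatch"].append(name)
        else:
            report["shipped_mismatch"].append(name)
    return report

def shipped_artifacts_match(report):
    """True only if nothing is missing and every non-debug artifact is identical."""
    return not report["shipped_mismatch"] and not report["missing"]

A, B, C = "a" * 64, "b" * 64, "c" * 64  # constructed digests
SAMPLE = {
    "builder-1": f"{A}  browser-installer.exe\n{B}  browser-debug-symbols.zip\n",
    "builder-2": f"{A}  browser-installer.exe\n{C}  browser-debug-symbols.zip\n",
}
```

With `SAMPLE`, the installer matches on both builders and only the debug archive differs, which is the situation the release notes describe for 13.0a2.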

Android

There are various graphical bugs in the bootstrapping and landing pages in Tor Browser for Android including misaligned text and Firefox branding. The Tor Browser onboarding for first-time users is also missing. These issues (among others) are being tracked here, here and here.

Full changelog

We would like to thank volunteer contributor FlexFoot for their fix for tor-browser-build#40615. The full changelog since Tor Browser 13.0a1 is:

All Platforms

  • Updated Translations
  • Updated NoScript to 11.4.26
  • Updated OpenSSL to 3.0.10
  • Updated tor to 0.4.8.3-rc
  • Bug tor-browser#41909: Rebase 13.0 alpha to 115.1.0 esr

Windows + macOS + Linux

  • Updated Firefox to 115.1.0esr
  • Bug tor-browser#30556: Re-evaluate letterboxing dimension choices
  • Bug tor-browser#33282: Increase the max width of new windows
  • Bug tor-browser#40982: Cleanup maps in tor-circuit-display
  • Bug tor-browser#40983: Move not UI-related torbutton.js code to modules
  • Bug tor-browser#41844: Stop using the control port directly
  • Bug tor-browser#41907: The bootstrap is interrupted without any errors if the process becomes ready when already bootstrapping
  • Bug tor-browser#41922: Unify the bridge line parsers
  • Bug tor-browser#41923: The path normalization results in warnings
  • Bug tor-browser#41924: Small refactors for TorProcess
  • Bug tor-browser#41925: Remove the torbutton startup process
  • Bug tor-browser#41926: Refactor the control port client implementation
  • Bug tor-browser#41964: 'emojiAnnotations' not defined in time in connection preferences

Android

  • Updated GeckoView to 115.1.0esr
  • Bug tor-browser-build#40919: Fix nimbus-fml reproducibility of 13.0a2-build1
  • Bug tor-browser#41928: Backport Android-specific security fixes from Firefox 116 to ESR 102.14 / 115.1 - based Tor Browser
  • Bug tor-browser#41972: Disable Firefox onboarding in 13.0
  • Bug tor-browser#41997: Remove all use and reference to com.adjust.sdk.Adjust which now uses AD_ID

Build System: All Platforms

  • Updated Go to 1.20.7
  • Bug tor-browser-build#31588: Be smarter about vendoring for Rust projects
  • Bug tor-browser-build#40855: Update toolchains for Mozilla 115
  • Bug tor-browser-build#40880: The README doesn't include some dependencies needed for building incrementals
  • Bug tor-browser-build#40905: Go vendor archives ignore the nightly version override on testbuilds
  • Bug tor-browser-build#40908: Enable the --enable-gpl config flag in tor to bring in PoW functionality
  • Bug tor-browser-build#40909: Add dan_b and ma1 to list of taggers in relevant projects
  • Bug tor-browser-build#40913: add boklm back to list of taggers in relevant projects

Windows + macOS + Linux

  • Bug tor-browser-build#40615: Consider adding a readme to the fonts directory
  • Bug tor-browser-build#40907: Mar-tools aren't deterministic on 13.0a1

Windows

  • Bug tor-browser-build#31546: Create and expose PDB files for Tor Browser debugging on Windows

Android

  • Bug tor-browser-build#40867: Create a RBM project for the unified Android repository
  • Bug tor-browser-build#40917: Remove the uniffi-rs project
  • Bug tor-browser#41899: Use LLD for Android
  • Bug tor-browser-build#40920: Non-deterministic generation of baseline.profm file in Android apks