Tor Browser 14.5.8 Fixes Firefox Bugs and Snowflake Bridges

Tor Browser 14.5.8 shipped with critical security fixes backported from Firefox 144, plus updates to core anonymity infrastructure. The Tor Project released the update on its download page and distribution directory.

What Changed

The update patches three layers: the browser shell, the onion routing daemon, and the encryption library underneath.

Firefox security fixes from version 144 landed in Tor Browser's ESR (Extended Support Release) base. Mozilla tags these as "important," which typically means memory corruption bugs or sandbox escapes. The Tor Project backports these patches to keep the anonymity browser in sync with upstream security work.

Tor itself jumped to version 0.4.8.19. This is the onion routing daemon that handles circuit construction and traffic encryption. Version bumps in the 0.4.8.x series usually mean bug fixes rather than new features—the stable branch focuses on reliability.

OpenSSL moved to 3.5.4. This is the library handling TLS connections to clearnet sites before traffic enters the Tor network. OpenSSL 3.x brought API changes and performance improvements over the legacy 1.1.1 line, which reached end-of-life in September 2023.

Bug Fixes

Four tracked issues got closed in this release.

Bug 44239 fixed DuckDuckGo rendering under the "Safest" security setting. Tor Browser ships three hardening levels: Standard, Safer, and Safest. Safest disables JavaScript entirely and breaks most modern web apps. DuckDuckGo is Tor Browser's default search engine (instead of Google, which fingerprints users). The bug caused the HTML page and search results to display incorrectly when JavaScript was off. The fix ensures anonymous search works even in the highest security mode.

Bug 44240 corrected a typo in dom.security.https_first_add_exception_on_failure. This preference controls whether Tor Browser remembers HTTP fallback decisions when HTTPS fails. A typo in the config key would prevent the setting from working. HTTPS-First mode automatically upgrades HTTP connections to HTTPS and warns users before loading unencrypted sites. The fix ensures the exception handling works as designed.
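Firefox stores any preference name it is given without raising an error, so a misspelled key fails silently. The check below is an added example, not Tor Browser code: it flags pref names that nearly match an expected one. The expected-name list, the `audit_prefs` helper, and the sample file with its invented misspelling are assumptions made for illustration.

```python
import difflib
import re

# Names this (hypothetical) profile is expected to set. The second is the key
# named in Bug 44240; the other two are Firefox's HTTPS-First/HTTPS-Only prefs.
KNOWN_PREFS = {
    "dom.security.https_first",
    "dom.security.https_first_add_exception_on_failure",
    "dom.security.https_only_mode",
}

# Matches pref("name", value); and the user_pref / sticky_pref variants.
PREF_LINE = re.compile(
    r'^\s*(?:user_|sticky_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;'
)

# Constructed sample. The misspelling is invented, not the one fixed in the bug.
SAMPLE = '''\
pref("dom.security.https_first", true);
pref("dom.security.https_first_add_exception_on_failiure", false);
pref("browser.startup.page", 0);
'''


def audit_prefs(text, known=KNOWN_PREFS):
    """Return (line_no, name, suggestion) for names that nearly match a known pref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PREF_LINE.match(line)
        if not m or m.group(1) in known:
            continue  # not a pref line, or spelled exactly as expected
        # A high cutoff keeps unrelated prefs from being reported as typos.
        close = difflib.get_close_matches(m.group(1), known, n=1, cutoff=0.95)
        if close:
            findings.append((line_no, m.group(1), close[0]))
    return findings


if __name__ == "__main__":
    for line_no, name, suggestion in audit_prefs(SAMPLE):
        print(f"line {line_no}: {name!r} looks like a typo of {suggestion!r}")
```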

Bug 41574 updated Snowflake bridge lines. Snowflake is a pluggable transport that routes Tor traffic through temporary proxies run by volunteers in their browsers. It defeats censors who block Tor's public relay IPs by using ephemeral WebRTC connections that look like video calls. Built-in bridge lines let users in censored regions connect to Tor without manually finding bridge addresses. The update refreshes these addresses as infrastructure changes.

Bug 44032 and Bug 44031 implemented the Year-End Campaign 2025 takeover for desktop and Android. This is a fundraising prompt. The Tor Project is a nonprofit funded by donations and grants. The YEC takeover likely shows a banner or modal asking users to contribute. It runs on both the desktop browser (Windows, macOS, Linux) and the Android version.

Why This Matters

Tor Browser decouples anonymity from trust. You don't have to trust your ISP, government, or website operators to hide your traffic patterns. But that protection depends on patching the software before adversaries exploit known bugs.

Firefox releases security updates every 4 weeks. Tor Browser tracks the ESR branch, which updates less frequently but requires backporting critical fixes between releases. Version 14.5.8 closes the gap between Firefox 144's patches and Tor Browser's last stable release.

The OpenSSL update matters because TLS vulnerabilities can leak metadata or enable man-in-the-middle attacks before traffic enters the Tor network. Onion services (sites ending in .onion) bypass this risk by staying entirely within Tor's encrypted layers, but most users still access clearnet sites where TLS is the first line of defense.

Snowflake bridge updates keep censorship circumvention working in countries that block Tor. China, Iran, Turkmenistan, and Russia actively interfere with Tor connections. Snowflake's ephemeral proxy design makes blocking expensive because censors can't maintain a denylist of constantly changing IPs. Refreshing the built-in bridge lines ensures users in these regions can bootstrap a connection without technical skills.

The DuckDuckGo fix is operationally significant. Users who pick "Safest" mode are maximizing security at the cost of usability—they're likely operating under high threat models. Broken search degrades their operational security by forcing them to either lower their security settings or use clearnet search engines that correlate queries with circuit IPs.

Getting the Update

Tor Browser auto-updates by default. Users can manually download version 14.5.8 from the official download page or verify signatures against the distribution directory.

The Tor Project recommends verifying PGP signatures on downloads to prevent tampering. The signing key is available on the project's website and major keyservers. This blocks supply chain attacks where adversaries replace legitimate downloads with modified versions that log traffic or inject malware.
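A signature that verifies proves little unless the key behind it is the one you expected. The added example below (not the Tor Project's own tooling) parses GnuPG's machine-readable status output and accepts a download only when the signature is valid and traces to a pinned primary key. The fingerprint is a placeholder, the sample status lines are constructed, and the function names are assumptions.

```python
import subprocess

# Placeholder: copy the real primary-key fingerprint from the Tor Project's site.
PINNED_PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# Policy choice: expired or revoked keys are rejected along with bad signatures.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed status output (made-up fingerprints), shaped like gpg --status-fd.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2025-01-01 "
    "1735689600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def signature_ok(status_text, pinned_fpr):
    """True only for a valid signature made under the pinned primary key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    matched = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[0] is the key that signed (often a subkey); args[9], when
            # present, is the primary key it belongs to. Pin the primary.
            primary = args[9] if len(args) >= 10 else args[0]
            if primary.upper() != pinned:
                return False
            matched = True
    return matched


def verify_download(sig_path, file_path, pinned_fpr=PINNED_PRIMARY_FPR):
    """Run gpg on a detached signature and check its status lines."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signature_ok(proc.stdout, pinned_fpr)
```

Checking only gpg's exit code would accept a valid signature from any key in the local keyring, which is why the fingerprint comparison is part of the decision.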

Users experiencing issues can report bugs through the support portal. The full changelog lives in the tor-browser-build repository on GitLab.
