New Release: Tor Browser 9.0.2

by boklm | December 3, 2019

Tor Browser 9.0.2 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This new stable release is picks up security fixes for Firefox 68.3.0esr and updates our external extensions (NoScript and HTTPS Everywhere) to their latest versions.

Apart from backports for patches that already landed in alpha releases and fixing an error in our circuit display and improving our letterboxing support, Tor Browser 9.0.2 provides properly localized Android bundles again as well.

Reproducible Builds

The issue with reproducible builds mentioned in the 9.0.1 blog post is still present in this release. We however made progress on understanding the issue and are getting closer to a fix.

ChangeLog

The full changelog since Tor Browser 9.0.1 is:

  • All Platforms
    • Update Firefox to 68.3.0esr
    • Bump NoScript to 11.0.9
      • Bug 32362: NoScript TRUSTED setting doesn't work
      • Bug 32429: Issues with about:blank and NoScript on .onion sites
    • Bump HTTPS Everywhere to 2019.11.7
    • Bug 27268: Preferences clean-up in Torbutton code
    • Translations update
  • Windows + OS X + Linux
    • Bug 32125: Fix circuit display for bridge without a fingerprint
    • Bug 32250: Backport enhanced letterboxing support (bug 1546832 and 1556017)
  • Windows
    • Bug 31989: Backport backout of old mingw-gcc patch
    • Bug 32616: Disable GetSecureOutputDirectoryPath() functionality
  • Android
    • Bug 32365: Localization is broken in Tor Browser 9 on Android
  • Build System
    • All Platforms

Comments

Please note that the comment area below has been archived.

Anon (not verified) said:

December 03, 2019

Permalink

I don't see this post listed on the main Tor Blog page:
https://ocewjwkdco.tudasnich.de

I took a guess that the post might exist when I saw an update was available, then entered the URL of the previous update and made it end in a 2 instead of a 1.

I see the post listed under these tags:
https://ocewjwkdco.tudasnich.de/category/tags/tbb
https://ocewjwkdco.tudasnich.de/aggregation-feed-types/tbb-90

But not under this tag:
https://ocewjwkdco.tudasnich.de/category/tags/tor-browser

In any case, thank you for the update!

Anonymous (not verified) said:

December 03, 2019

Permalink

Was the update released on the 2nd or the 3rd? This blog post lists the 2nd, but Mozilla lists the 3rd for 68.3esr release.

Anonymous (not verified) said:

December 03, 2019

Permalink

Was the update released on the 2nd or the 3rd? This blog post is from the 2nd, but Mozilla's site lists the 3rd.

Anonymous (not verified) said:

December 03, 2019

Permalink

Ty. Apologies for the double post. After hitting submit, the blog post's page kept refreshing repeatedly and automatically without showing the comment. Even with a new identity, the comment didn't show up. I assumed it was bugged.

ion (not verified) said:

December 03, 2019

Permalink

WARNING

When using the Backports torbrowser-laucher package at Debian GNU/Linux 10, make sure you backup your user Library bookmarks list first, as they'll be erased during the automatic Tor Browser update process. To make and restore the bookmarks backup, follow these steps:

Settings >> Library >> Bookmarks >> Show All Bookmarks (below the menu)
>> Import and Backup >> Backup...

The usual default setting of the Tor Browser $USER directory, when using Debian torbrowser-laucher, is:

~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US

BEWARE

Because of the fact that the contents of the ../tor-browser-en-US/ directory will be cleared (the exact name depends on your particular language localisation, of course), you should place the bookmarks .JSON backup file at another elsewhere, otherwise you'll lose it.

Anonymous (not verified) said:

December 03, 2019

Permalink

Usually the update is downloaded automatically in the background and then it prompts me to restart. But this time (9.0.1) I got a dialog with a "download update" button which just took me to the download page. Is something wrong with the updater?

OP here. Nevermind. I just ignored the update last night and left the browser open, and this morning it gave me the "Restart to update TB" prompt. So I guess it just took a while.

> But this time (9.0.1) I got a dialog with a "download update" button which just took me to the download page.

Open about:config and type app.update. In a new tab, search the web for the meanings of those names. Notably, *.badge, *.doorhanger, *.notifyDuringDownload.

Anonymous (not verified) said:

December 03, 2019

Permalink

uncaught exception: 2147746065 SessionStore.jsm:1325:22
Error: listener not re-registered 8 ExtensionCommon.jsm:2318:24

geeyp (not verified) said:

December 03, 2019

Permalink

Hello, usually I download the updates smoothly. In this 9.0.2 update, the screen stated "Something went wrong! Tor does not work...", etc., etc.,. So, instead of panicking, I went ahead and tried to access the current page. As with most of this evening's surfing, everything stalled and the constant tick-tock at the top of the page wouldn't load. Fed up, I took Tor off screen. I reloaded, and now I am here. So, does this mean I have a safe, okay Tor or do I need to download a new one? Please advise. Thank you.

geeyp (not verified) said:

December 03, 2019

Permalink

ADDENDUM: I should have said, I got the red page! Thank you and I will look for your response.

> etc., etc.,.

Did what you left out give any specific technical information or numbers that could narrow down the issue? Which "current page"? What "tick-tock"? Do you mean the circular "loading" animation on tabs? The browser does not display a clock. I don't know if your system is "safe", but if there is no longer an issue with tor browser, that's good. If you want to download a new one, download it, export your bookmarks if you have any, delete the tor-browser folder, install the new one, and finally import your bookmarks.
https://ijpaagiacu.tudasnich.de/tbb/how-to-verify-signature/

What did I "left out"? I name the left/right tick-tock as it does that like a grandfather clock when page does not finish loading. If it was a clock, I would have identified it as one. In order of your suggestions, how does one download it without it automatically installing?

If you restarted Tor Browser and it connected to the Tor network (like it did before the update), and you are able to load webpages, then it seems Tor Browser is working correctly. One common cause of errors like this come from the hard drive becoming full during upgrade. Tor Browser (and Firefox) do not handle this situation well.

geeyp (not verified) said:

December 05, 2019

Permalink

To sysrq_ (letter _ is fried in my computer)..... Thank you so much for your assurance! I appreciate it.

User (not verified) said:

December 03, 2019

Permalink

When I quit Tor there is a red box that says,"Tor browser quit unusually and Windows Runtime had errors in shutting down" and had some other jibberish below it. Should I be worried about this? I am in Korea and everybody tries to spy on you here.

what (not verified) said:

December 03, 2019

Permalink

Where is the NoAutomaticUpdates option?
The impudence that Firefox is phoning home to aus1.torproject.org without
the easy option to switch off is .....think about.

And when you have found the hidden option(DisableAppUpdate.Prevent the browser from updating.) for in about:policies, playing games with users,
Enterprise Policies(what?Only for Enterprices), and the place for this ...funny thing,
mozilla write this:
view-source:jar:file:///X:/xxxxxxxx/omni.ja!/components/EnterprisePolicies.js
// Check if we are in automation *before* we use the synchronous
// nsIFile.exists() function or allow the config file to be overriden
// An alternate policy path can also be used in Nightly builds (for
// testing purposes), but the Background Update Agent will be unable to
// detect the alternate policy file so the DisableAppUpdate policy may not
// work as expected.

Unintentional phoning home or they call it telemetry is an unfriendly act.Point.

To be forced for, everytime i open TB or other browser action, that is crap and nothing else.
Especially there is no need for to hide this -no automatic updates.
The boring thing was the flood of "my so old Torbrowser version need no update ever" troll campaign to bore the developers and nudge them to hide this option.

Generally, it's intuitively correct that people don't like phoning-home and auto-update checking, esp. forced updates, feeling it may have privacy issues (and at least it's psychologically invasive).
However, Tor Browser is somewhat exceptional. If you use Tor Browrse, you'll have to trust the whole Tor System (though you don't need to trust every single nodes). Hypothetically speaking, if its auto-update checking has privacy issues, its normal initial connection COULD have much bigger privacy problems, as it could record everything you do online (and possibly tells that to the government or something). In other words, the whole Tor system COULD be a honey pot. Hypothetically speaking, of course.

In reality, if one uses Tor, one has to trust torproject.org; if one thinks auto update-checking is suspicious, one can't (shouldn't) use Tor Browser in the first place. So you're right - it is reasonable to accept automatic update-checking in this case. On the other hand, it's obviously a bad idea to blindly believe every automatic update (in general, not about Tor Browser) is okay and privacy-aware.

I will add that you don't have to trust blindly what we publish. The full source code of everything included in Tor Browser is available (this page has information about where to find it: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking), and we do reproducible builds (see https://reproducible-builds.org/) which gives a verifiable path from source to binary code.

"you'll have to trust the whole" "Hypothetically speaking," "In reality,[...], one has to trust"

Trust in? What? Why?

"if one thinks auto update-checking is suspicious, one can't (shouldn't) use Tor Browser" "obviously a bad idea to blindly believe"

O boy, more you/i show that full forced automatic updates, telemetry, isn't a good, popular idea, the comments against freedom of choice go more to a matter of faith and devotion.
If i want to believe in, e.g. may tot he church of Intel CPU security or pray to the telemetry of Microsoft?
Beside open source, the user can choose, can config what the software do and don't is base of trust.
Ask your information scientist next campus about software, security and believe *LOL*

Anonymous (not verified) said:

December 04, 2019

Permalink

How do I get rid of the donation banner? Hate it. Don't want to see a G-string when I open my browser.

Anonymous (not verified) said:

December 16, 2019

Permalink

Of course. NODEFAMILY now seems to break TorBrowser when a country code matches the country of an entry guard or bridge.

Not trying to do anything in particular except for testing random command line options and client options to report on possible bugs. Not even sure if this qualifies as a bug, if it is expected behavior or not.

Space Ghost (not verified) said:

December 06, 2019

Permalink

I've noticed a big change recently, not with this TOR release, but in say, the last month, that the stupid Google captchas are failing out almost 50% of the time with the stupid, "received too many automated queries" message. This has gotten to the point now that I have to make 10 connections to find an IP on which the captcha will work. I've used TOR for years, and previously, this error was rare. Let's say perhaps 10% or less of the time.

First of all, why are so many websites using Google garbage. Google hates TOR. when you try to use Google with TOR you hit a captcha (not the familiar captcha I just mentioned, but another one), and sometimes it's an endless loop, where you solve it correctly and are bought right back to the same page. UploadBank seems to have a good non-Google captcha. Why isn't that being embraced? And why the Hell would a captcha system report an error for "too many automated queries" in the first place - it's designed to check whether you're human so it should be immune to noise packets.

Is this change something Google has done to make TOR users suffer, or is someone else to blame. Perhaps a State actor like China, attacking the captcha system to shut down or de-anonymize TOR users?

Newbie (not verified) said:

December 06, 2019

Permalink

When running version 9.0.2 (Android) the first few times it was possible to "start a new identity" whenever. Since yesterday the notice-bar Tor Browser, which also shows down- and uploading speed, is lacking this function to start a new identity. ???? Instead, but first after a while, Orbot tries to start (given notice by the tor browser bar) but fails later.

I think I downloaded my Tor Browser (under another name) a few years back from the Guardian site. Still I really don't know (remember) how the updating was working until it was done via Google Play. I also have some apps from Fdroid. They show my Tor Browser with the latest update but their version-history seems a bit odd!

Checking the Tor Browser's PGP signature seems almost impossible. The GnuPG does not work for Android (only Linux) and the Guardian Project version for Android is no longer updated or even possible to find. The closest link I found is this: https://github.com/guardianproject/gnupg-for-android, and being more or less a layman in computing I understand that there is no simple app to install onto my tablet to do the verifying process? Any suggestions? Installation of GPG via a terminal seems to involve the process of building apps. For app-developers and not for app-users? I have this terminal installed but GPG is not built into it!
Conclusion: The verification-process is part of Google Play and not the user! Right? Can I be sure? Or should I use the "workaround" with a public key?

Another odd thing. My tor browser use google as search engine as default. I read you use DuckDuckGo since 6.0.6. Strange! I have now changed.

For your info: My laptop and router have been compromised. I am not using the laptop and my router is factory restored after being hijacked (scripted). Still my router-values have been changed after reset. Also having dns-problems. Sitting behind a public fibernetwork and a switch run by a small ISP. My network consists of a cheap Asus wifi-router and a single Android 6.0.1 tablet device. I found a second internal ip-address in my network. Without any corresponding MAC-address. To find it I had to change my network settings in the wifi-settings in my tablet. No info under dhcp (dhcp in router btw) but when choosing static new info appeared. A new ip-address which involved google 8.8.8.8 and 8.8.4.4 instead of 9.9.9.9 (in router) . I guess google dns is default in Android but I do not understand the 2nd ip-address and why it is static? Under dhcp I could not see any dns-address! I had to choose static!

How to find logging for the browser's status in the Tor Network? When connecting the browser you can follow the process and read notices during the connection until GO. Then there is no way to check what is happening. When using Orbot and i.e DuckDuckGo I can always check status in orbot log.

A worried user,

xon (not verified) said:

December 06, 2019

Permalink

when i start tor browser it pop up a weird mirror, fix it , instead of choice bridge and shit, it popup a weird mirror and after that the tor browser pops up, that mirror get my windows 10 bluescreen sometime.

Anonymous (not verified) said:

December 08, 2019

Permalink

since I loaded the newest Tor not one single onion site will open, tried downloaded older version of Tor but nothing has worked in a month

Anonymous (not verified) said:

December 09, 2019

Permalink

I recently downloaded tor and wish to install flash player on it. Can anyone tell me the procedure?

Tor Follower (not verified) said:

December 11, 2019

Permalink

Opening regular tabs has been broken in later Android builds leaving only the option to open private tabs which eats up more RAM. Any plans for a fix?

Anonymous (not verified) said:

December 13, 2019

Permalink

  • Finally got updated on f-droid
  • Please add Android apps description and this blog that 9.0.3 is same reliese

68.3.0 (2015620377)
Added on 12/11/19
Repository: Guardian Project Official Releases
Size: 54.0 MiB
Android: 4.1+
Requires: armeabi-v7a

Cointro (not verified) said:

December 19, 2019

Permalink

On Mac Os, Noscript and HTTPS Everywhere disappear on the right of security level. They are activated, but if I am in safest mode, I can't configure noscript. Must personalize the interface to have Noscript and HTTPS Everywhere on the right, not good.

Cointro (not verified) said:

December 22, 2019

Permalink

Ok, but on my Linux Mint computer (Tor Browser 9.0.2 too !) this icons are always in the toolbar. On Tails, the icons are removed since some months. Thank you for your answer.

Circuit Brian Brain (not verified) said:

December 22, 2019

Permalink

Is there a way to request a new identity and/or a new circuit on TOR Orbot for Android?

yuki (not verified) said:

January 02, 2020

Permalink

In recent builds of tbb including tor-laucher built-in I've noticed odd behavior when used with system tor process. Everything appears ok until the system tor process is unavailable. Unavailable could mean many things in this context including a crash of the process due to regression. When the system tor process becomes unavailable it appears tor-launcher may go a bit off-the-rails in scanning for the process. The tbb process utilization maxes out cpe use and does not recover gracefully when the system tor process is later available. This leaves the tbb process unusable until restarted. Known issue? Did not happen in prior builds having tor-launcher as an extension _which could be excluded_ meaning I have not tested tor-launcher present in those builds.

SHA1-Warning (not verified) said:

January 07, 2020

Permalink

WARNING: SHA1 is fully broken!

https://eprint.iacr.org/2020/014.pdf
https://sha-mbles.github.io/
https://arstechnica.com/information-technology/2020/01/pgp-keys-softwar…
"Behold: the world's first known chosen-prefix collision of widely used hash function.
The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday also costs as little as $45,000 to carry out."

Be prepared.

che (not verified) said:

January 08, 2020

Permalink

i updated to 9.0.2 version and every time i try to load any webpage with tor browser this error comes " Gah, Your tab just crashed” i reinstalled, changed " browser.tab.autstart to false" in about:config as suggested in some sites,ran in safe mode and yet this issue remains..the old tor ran with no issues..anyone have any solutions or know what's casuing it..i have no other version of tor running