New Release: Tor Browser 9.0.6
Tor Browser 9.0.6 is now available from the Tor Browser download page and also from our distribution directory.
This release features important security updates to Firefox.
This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.
Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this. If you require that javascript is blocked, then you may completely disable it by:
- Open about:config
- Search for: javascript.enabled
- If the "Value" column says "false", then javascript is already disabled.
- If the "Value" column says "true", then either right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
Update: Noscript 11.0.17 should solve this issue. Automatic updates of Noscript are enabled by default, so you should get this fix automatically.
Update 2: We received a report that the noscript update is not completely mitigating the issue. We are working on an update that will completely disable javascript using the javascript.enabled pref.
The full changelog since Tor Browser 9.0.5 is:
Comments
Please note that the comment area below has been archived.
tor-browser-9.0.6-android-**…
tor-browser-9.0.6-android-****-multi.apk
tor-browser-9.0.6-android-****-multi-qa.apk
How do the "qa" versions differ from the standard version?
the -qa version is not…
the -qa version is not signed.
Is that the only difference?…
Is that the only difference? What's the benefit of having a signed and unsigned release?
Android uses apk signing for…
Android uses apk signing for accomplishing (at least) two goals: 1) verify if the apk was modified after the developer published it, 2) ensure an apk that claims to be a newer version of an app you already installed is actually produced by the same developer (the person who controls the required cryptographic signing key).
To answer your question, the "multi-qa.apk" file is cryptographically signed using a key that is available to everyone (https://gitweb.torproject.org/builders/tor-browser-build.git/tree/proje…). The "-multi.apk" version is signed by a key only controlled by a few Tor Browser developers. Therefore, you should only install the "-multi.apk" version, unless you are not concerned with installing a modified/tampered/backdoored version of Tor Browser. (You can use the PGP signature separately to verify the authenticity of the multi-qa.apk file, but Android won't have any way of verifying the authenticity, so you must be extra careful in that case.)
So the -qa version is signed…
So the -qa version is signed using a publicly available key, but what for? Is it for developers?
Yes. The -qa version is the…
Yes. The -qa version is the version we generate during our builds, before the signing process.
Why doesn't FlagFox work on…
Why doesn't FlagFox work on Tor? I get a popup about 'Your current proxy settings do not allow local DNS requests."
How do I get these messages corrected?
You probably shouldn't…
You probably shouldn't install addons in the Tor Browser. It can make your browser fingerprint unique or at least less anonymous. That makes it easy to correlate all your activities.
This addon even seems to do dangerous stuff such as bypassing Tor to resolve DNS. That likely sends the names of all the websites you visit straight to your internet provider.
Configure FlagFox to make…
Configure FlagFox to make DNS requests through Tor instead of telling your ISP the sites you browse. Or find a different way to get FlagFox's features. Or don't use Tor Browser.
https://en.wikipedia.org/wiki/DNS_leak
https://ijpaagiacu.tudasnich.de/tbb/tbb-14/
https://2019.sedvblmbog.tudasnich.de/projects/torbrowser/design/#proxy-obedi…
https://trac.torproject.org/projects/tor/wiki/WikiStart#DNSleakpreventi…
Why would anybody want to do…
Why would anybody want to do local DNS requests when using TOR? If you are using clear DNS, well, then your ISP can see which websites you are visiting, as if you weren't using TOR at all. And if you are using DNS over HTTPS, then one who manages the DNS server can track you, again, as if you weren't using TOR at all.
You shouldn't use other…
You shouldn't use other extensions with the TOR Browser, especially ones that send requests, and privacy tools. Just don't use FlagFox, you give up your anonymity that way since it connects to a service with each website you visit to determine the location, which essentially gives the service access to every site you visit which ruins the purpose of using TOR in the first place.
Im very happy
Im very happy
Hello, when will the Android…
Hello, when will the Android version be pushed. Thanks & love your project.
Automatic update disabled…
Automatic update disabled for this release?
Updates are enabled.
Updates are enabled.
Is there any more…
Is there any more information regarding the javascript bug?
We are working on a fix. We…
We are working on a fix. We will provide more information when the issue is fixed.
The "about tor browser"…
The "about tor browser" dialog reports that it's up to date, but displays "9.0.5" as the version (68.5.0esr, 64-bit) both on Windows and Linux.
Is it still the case now? …
Is it still the case now?
Updates to 9.0.6 are enabled, and it is working for me.
> The "about tor browser"…
> The "about tor browser" dialog reports that it's up to date, but displays "9.0.5"
I had a problem like yours with 9.0.2. https://ocewjwkdco.tudasnich.de/comment/286480#comment-286480 But I didn't have a problem updating 9.0.5 to 9.0.6.
9.0.6 is not showing up in…
9.0.6 is not showing up in the auto-update yet.
it is okay now
it is okay now
When will Snowflake bridge…
When will Snowflake bridge be included in the stable release of the Tor browser?
There's no schedule for it…
There's no schedule for it yet, but we are working on changes that may make Snowflake usable enough to be included in the stable browser. You can follow that work here:
* https://bugs.torproject.org/33336
* https://bugs.torproject.org/33336
* https://lists.torproject.org/pipermail/anti-censorship-team/2020-Februa…
How can i get "Updates…
How can i get "Updates disabled by your system administrator"(about:preferences#general) reliable in the Tor Browser like in Firefox?
I don't understand what you…
I don't understand what you are asking. What is the issue exactly?
Exact working definite…
Exact working definite instruction to SWITCH OFF Automatic Updates -for TBB there seems to be only babble.
With Enterprise Policies -the only way for- in Firefox i can switch off Updates. FF notes "Your browser is being managed by your organization" and "Updates disabled by your system administrator" and no Hostname/notice in about:networking about the updateserver address.
In TBB Enterprise policies aren't working and browser.policies.testing.disallowEnterprise, app.update.disabledForTesting has no function? How can i switch off all automatic updates in TBB?
Are you aware that TBB…
Are you aware that TBB downloads and verifies its updates through Tor and not through the normal internet?
How can i switch off all…
How can i switch off all automatic updates in TBB?
Yes.
Yes.
Why no 'tbb-backport' from…
Why no 'tbb-backport' from alphas in this release?
Note: We are aware of a bug…
Ticket?
We don't have a ticket yet…
We don't have a ticket yet. We are working on a fix and will publish more information when it is fixed.
Bug 33535: Patch openssl to…
Windows only?
Yes, the file we patched is…
Yes, the file we patched is only used in Windows builds.
When will the fix for the…
When will the fix for the android bridges will be patched into a stable version?
где искать для 32 бит
где искать для 32 бит
https://sedvblmbog.tudasnich.de…
https://sedvblmbog.tudasnich.de/download/languages/
Why no backport of Bug 32493?
Why no backport of Bug 32493?
Nice work!
Nice work!
Win32 TBB doesn't play mp4…
Win32 TBB doesn't play mp4 videos: https://www.dailymotion.com/video/x73vs6r
Win32 isn't alone. It's…
Win32 isn't alone. It's Dailymotion or mp4s. I think it's Dailymotion.
it is playing them fine for…
it is playing them fine for me on 9.0.6, try a reinstall?
32-bit TBB for Win? On what…
32-bit TBB for Win? On what Win?
Upon opening the TBB (Linux)…
Upon opening the TBB (Linux) prior to the 9.0.6 update, it did not inform me that there was an update to 9.0.6, or any update at all, it just simply refused to load any page. It was only when I tried Help/About that it said I needed to restart for the update to install. Had I not thought to check Help/About just for the hell of it, I'd still be sitting here with the older version and sites which wouldn't load.
Please address this. Thank you.
tor is the greatest…
tor is the greatest protection thank you.
my pet goose has been…
my pet goose has been talking about this update all day! honk honk honk and that's the truth!
What mean 'copyright year?'
What mean 'copyright year?'
openssl is embedding a…
openssl is embedding a string like "Copyright (c) 1998-2020" where 2020 is the year when it was built.
I checked about:config and…
I checked about:config and woff2 fonts are stll on true, even on highest security level.?
In your instructions to…
In your instructions to disable javascript, you should mention that
false
will deviate from the fingerprint camouflage if you're in Safer and Standard modes. It's intended to be done in Safest mode. Toggle it back totrue
(default, not bold) after the patch is released for it.> Note: We are aware of a…
> Note: We are aware of a bug that allows javascript execution on the Safest security level (in some situations). We are working on a fix for this.
Does this explain why my Tor circuits appear to always use the same family of exit nodes? :-(
No, this is unrelated.
No, this is unrelated.
Thanks for the reply, but…
Thanks for the reply, but can you say anything at all about what might lie behind the experience I reported?
I should have mentioned that I use Tails booted from a live DVD (verified the ISO before burning). Fortunately, just as Tails 4.4 was published and I (immediately) started using it, the misbehaving large family of fast exit nodes seems to have largely vanished. I'd like to know whether it was caught spying and kicked off the Tor network by TP, or if there is some other explanation.
If TP had anything to do with getting that family out of (almost all) of my circuits, thanks much, because something was obviously very wrong.
Tails 4.4 with security slider on "most secure" may not entirely block Noscript? Could the same issue with Tails 4.3 help explain what I saw? If so, continued monitoring of the suspect family will be needed, assuming it has not been banned.
Could this have been the latest Carnegie-Mellon SEI attack on the Tor network?
The exit node is selected by…
The exit node is selected by the client, randomly. There is no reason that it would select an exit node from the same family all the time. And whether or not javascript is allowed to run in the browser does not affect at all the selection of exit nodes.
> There is no reason that it…
> There is no reason that it would select an exit node from the same family all the time.
Could a malicious guard or bridge filter or degrade the available selections or randomness?
Why weren't translations…
Why weren't translations updated before release?
Which translations weren't…
Which translations weren't updated?
Swedish
Swedish
Where?
Where?
We don't usually update the…
We don't usually update the translations in the stable Tor Browser because only one version of the strings is available for localization, so new strings and their localizations are included in the alpha versions. In some situations translations are updated in the stable Tor Browser, but this does not happen for every release.
NoScript 11.0.17 Released…
NoScript 11.0.17 - Released Mar-13-2020
https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
What a boring release. :)
What a boring release. :)
:-)
:-)
Hello, when does the android…
Hello, when does the android version of 9.0.6 get pushed to the google play store as it contains important fixes to firefox...
Sorry for the delay, Google…
Sorry for the delay, Google Play is distributing it now.
It is a good and neccessary…
It is a good and neccessary thing that TP continues to fix bugs and push development of Tor software, but we desperately need a plan to combat an existential political/legislative threat which appears intended to effectively make strong civilian cryptotography illegal:
eff.org
The EARN IT Bill Is the Government’s Plan to Scan Every Message Online
The Graham-Blumenthal bill is anti-speech, anti-security, and anti-innovation.
Joe Mullin
12 Mar 2020
> Imagine an Internet where the law required every message sent to be read by government-approved scanning software. Companies that handle such messages wouldn’t be allowed to securely encrypt them, or they’d lose legal protections that allow them to operate. That’s what the Senate Judiciary Committee has proposed and hopes to pass into law. The so-called EARN IT bill, sponsored by Senators Lindsay Graham (R-SC) and Richard Blumenthal (D-CT), will strip Section 230 protections away from any website that doesn’t follow a list of “best practices,” meaning those sites can be sued into bankruptcy. The “best practices” list will be created by a government commission, headed by Attorney General Barr, who has made it very clear he would like to ban encryption, and guarantee law enforcement “legal access” to any digital message.
So what is our plan? Can TP leadership please explain what TP is doing to combat the EARN-IT bill, "Going Dark" FUD, and all that?
These legislative initiatives in the US Congress targeting encrypted services such as Tor are by quite some distance the most urgent existential threat facing the Tor community, and also the most urgent existential threat to all network security (including the security of the US power grid, US elections, US health providers, journalists, civil liberties and human rights NGOs, etc.)
If Tor users fail to make their concerns known, we could suddenly find ourselves in a situation where TP faces the choice of
It is a good and neccessary…
This isn't a very good forum for discussing this topic (and this blog post isn't particularly relevant), however it is an important topic and it is something we are watching very closely. We are in contact with other civil society groups about this development, but we don't have any more information available than that. Obviously Tor cannot exist without strong cryptography (otherwise, what's the point?) and we will not produce or distribute software for which we know a backdoor exists within it. Please see the Support page, for reference: https://ijpaagiacu.tudasnich.de/about/backdoor/
Of course we hope the situation won't come to making the decision of halting development of Tor and Tor Browser.
https://en.wikipedia.org…
https://en.wikipedia.org/wiki/Micronation
(half joking)
when will you add a new…
when will you add a new bridge or ask another company to provide meek ,china nowday connunication(even the ones GFW doesn't ban are three cut one (because of the cov)),i have to use an VPN to connect to tor network. would you just provide obfs4a or sth like that
NoScript 11.0.18 - Released…
NoScript 11.0.18 - Released Mar-16-2020 : https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
HTTPS Everywhere - Version…
HTTPS Everywhere - Version 2020.3.16 Released : https://www.eff.org/https-everywhere
: https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/?src=se…
Why did https everywhere…
Why did https everywhere auto update? I thought that shouldn't happen
Windows 8.1 32 bit - TBB 9.0…
Windows 8.1 32 bit - TBB 9.0.6 upgraded from previous version + All settings default.:
In 9.0.6 stopped usage of Youtube. I am opening tab with Youtube... waiting... and nothing happenns. In early versions all worked fine.
looking forward to the…
looking forward to the ability to download pics
It should be possible to…
It should be possible to download/save pictures with Tor Browser.
NoScript 11.0.19 - Released…
NoScript 11.0.19 - Released Mar-18-2020 : https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
NoScript 11.0.20 - Released…
NoScript 11.0.20 - Released Mar-20-2020 : https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
this sh*t is fu*ked *p. 1…
this sh*t is fu*ked *p.
1. create account on reddit, log in, post, comment, whatever you like to do.
2. be done, log out (but dont close the reddit from where you logged out)
3. new tab > reddit = logged out
3.1 old tab (from where you supposedly were logged out and also not refreshed) allows to access account (so far i edited post successfully while "logged out")
3.2 reddit log out does not trigger page refresh on active page, but visiting this on separate page gives "not logged in" result.
4. in imagary world when someone logged in, posted, logged out, and then (without closing active tab) got caught, it might add significant amount of unwantedness.
and btw resurrect clear history in private mode pls
Does reddit behave that way…
Does reddit behave that way in other browsers? If so, Tor Browser is not the problem, so tell reddit's developers.
Tor Browser enables Private Browsing by default. Since private mode does not save history, there is nothing to clear. As for disabling the lists of Recently Closed tabs and windows in the History menu that allow you to Undo closing, read here https://support.mozilla.org/en-US/questions/1238049
NoScript 11.0.21 - Released…
NoScript 11.0.21 - Released Mar-21-2020
: https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
is there any extension that…
is there any extension that adds vim controls to firefox that i can use with tor browser while being as anonymous as without it?
NoScript 11.0.22 - Released…
NoScript 11.0.22 - Released Mar-22-2020 : https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
I am new to this Tor Browser…
I am new to this Tor Browser and all that and my first question is what is the difference between "Tor Browser Alpha" and "Tor Browser"?
The alpha is an experimental…
The alpha is an experimental version for users who want to help us test new features. Most people should use the standard Tor Browser.
If your use of Tor Browser is not critical, and if you want to help us testing new features, or if you are curious about what is coming, you can use the alpha.
For an even more experimental version you can use the Nightly:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Ni…
none
none
Thank you for your big…
Thank you for your big efforts to keep it safer. I know how difficult the task is, even more so when dealing with other people's add-ons. You are the true White Hat Heros. Government + Google et al + commercialized companies are the true hackers and thieves.
HI, I just installed TOR…
HI, I just installed TOR browser, the moment i start tor browser it says " GAH, your tab crashed" i am unable to open any sites. can anyone please give a proper guide.
Which OS are you using?
Which OS are you using?
This looks similar to those…
This looks similar to those tickets:
https://trac.torproject.org/projects/tor/ticket/33186
https://trac.torproject.org/projects/tor/ticket/32454
Not sure if that will solve it, but if you were installing it to desktop, you can try installing it to an other path, for example c:/torbrowser/.
After instalation I start…
After instalation I start TOR and I have this info on the screen:
~ Aplication dont start properly (0xc000007b) click ok to shut down aplication.
How fix this?
Good Day
this page needs update
this page needs update
Which page?
Which page?
苹果手机可以使用TOR?
苹果手机可以使用TOR?
https://support.torproject…
https://ijpaagiacu.tudasnich.de/tormobile/tormobile-3/
What about umatrix or ublock…
What about umatrix or ublock for blocking javascript?
what can i do if i have…
what can i do if i have windows 7?
Tor Browser should work on…
Tor Browser should work on Windows 7.
This bug was so predictable…
This bug was so predictable years ago (javascript not disabled by noscript or anything else, but about:config).