New Release: Tor Browser 9.0a3

by boklm | June 24, 2019

Tor Browser 9.0a3 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

Similarly to Tor Browser 8.5.2 and Tor Browser 8.5.3 on the stable series, this release is fixing critical security updates in Firefox (mfsa2019-18 and mfsa2019-19).

Users of the safer and safest security levels were not affected by mfsa2019-18.

The full changelog since Tor Browser 9.0a2 is:

  • All platforms
    • Pick up fixes for Mozilla's bug 1544386 and 1560192
    • Update NoScript to 10.6.3

Comments

Please note that the comment area below has been archived.

June 24, 2019

Permalink

What took you so long? This is unacceptable. If your build+release process takes this much then you should seriously consider improving it. Not enough bandwidth speed? Upgrade those damn machines. Build taking too long? Upgrade to an AMD EPYC 64 cores.

It took so long as we were prioritizing stable releases. Additionally, 2/3 of our team working on releases once a release is coming up was at a conference and could not help with the chemspills. If that's not acceptable to you for an alpha series, use the stable series instead.

June 24, 2019

In reply to gk

Permalink

It’s crazy to complain, when you can just drop back from the alpha channel to the stable channel. I guess the complaining poster doesn’t know the time and effort needed to get a new build out the door.

What would be nice is, if the alpha channel could warn the user that the stable channel has received an important security update. Could the standard Firefox update notification system be co-opted to tell the user about the stable update? Something like when app.update.auto is turned off, but without the ability to start an upgrade from within the browser. The warning could be something like, “The stable series of Tor Browser has received an important security update. The Tor Project is working to update the alpha series. In the mean time, we recommend you download and use the latest stable Tor Browser.”

I appreciate there would be a problem notifying users who move to the stable channel, once the alpha channel has been updated.

June 24, 2019

Permalink

Dear Tor team ,
i just everyday search for new news about darkweb and cybersecurity and hacking news
but i could not find anything new after darkwebnews and deepdotwebnews shutdown i only go to
reddit and 4chan and 8chan and darknetlive and dread and freshonions i feel lost i hope tor teams to create
tornews web site or forum or darkweb news only for research and education just want to learn new things and be up to date .

thank you

Love Tor team and Love USA .

Tor is just a tool to help you defend yourself against tracking and surveillance on the internet. We don't have anything to do with that thing some people call "the darkweb" so we have no plan to create any website or forum about this.

June 24, 2019

Permalink

Any ETA on when the patches for Mozilla's bug 1544386 and 1560192 will be released for android? I know earlier you said that you didn't currently have access to the signing key (b/c person who had it was away at a conference) and the patches would probably come during the weekend... Would love to know, as it kinda sucks being forced to use safest for now. Thank you!

June 24, 2019

Permalink

Did either of those two bugs affect the Android Tor Browser?

Also.. on that note, is there any sandboxing protections for the Android app? Does there even need to be since Android has its own basic sandboxing of processes?

Thanks for your hard work!

Yes, we think those bugs affect Android as well and hope to get finally updates out today. There currently is no sandboxing available on Android like on desktop platforms. As to whether it is needed I don't know to be honest.

June 24, 2019

Permalink

the fingerprinting is still not blocked in browser. still high bits of info from browser shown. if you use the eff panop fingerprint it shows 17 bits instead of near 0.

The Panopticlick test is heavily biased as all other browsers like Edge and Chrome count here as well. What you'd need is a test where only Tor Browser users would get tested and then the entropy calculated as the goal is not to blend in all the other browsers (which is probably not possible) but in all other Tor Browser users.

June 26, 2019

In reply to gk

Permalink

>What you'd need is a test where only Tor Browser users would get tested

Seems like a good idea for a .onion Panopticlick-like website

I'm working on it (with my limited skills). What we do not need are entropy figures, because we know we are working in a closed set and can rely on math and our strategy of lowering entropy. The idea is down the track to be able to copy-to-clipboard/export the results locally and paste/import two results into a comparison page and highlight/output the differences. Initially I started this to be able to compare and test RFP in Firefox vs TB. If anyone wishes to help out, I could do with some :)

[1] https://github.com/ghacksuserjs/TorZillaPrint

June 29, 2019

In reply to gk

Permalink

> the goal is not to blend in all the other browsers (which is probably not possible)

Accept data from exit addresses only and/or run it on an onion. Accept data from useragents matching tuned regexes of former TBB versions only. Before deploying another filter, use it to clean a new copy of the old database. Not perfect but better.

June 24, 2019

Permalink

How can I see my version info on Android? Also, starting last night,I'm getting a script loading error message after my Tor connction is complete. Is there a debug log I can post?

June 24, 2019

Permalink

found problem after starting android arm
"unresponsive script
It's "https everywhere"
rules.js.308

i disabled https everywhere, restart and the error still shows.

June 28, 2019

Permalink

These are just a couple things Tor does that makes me wanna avoid it
1. you disable the ability to control java on certain sites of your choice
2. You often make the answers to simple questions so complicated most people give up
3. you tell us to click on something and you don't tell us where to find it to click on it.
4. I often times find an answer much quicker and simpler from a windows site or user.
These are simple things to fix but after all this you ask for donations when a person is so frustrated he wants to toss his computer out the window. You have the computer thing down. Now all you have to do is develop some social skills. And if you think I'm the only one who feels this way you need to do a survey.

Thanks for the feedback. Do you have examples for 2. and 3.? For 1., you mean JavaScript? If so, that feature is not disabled. If you need it before we get to adding direct support into the browser for it, just re-add your NoScript button to the toolbar by clicking on the hamburger menu -> Customize and then drag the NoScript icon to the place at the toolbar where you want to have it and then click on "Done". That gives you the old interface back.

2. simple questions don't automatically have simple answers. depending on the question, sometimes someone believes it's simple because they don't know enough about the topic to realize how complicated or risky it really is. most new people have to learn as I did that tor is a tool and is neither safe nor effective unless they also adjust their behavior toward it. the old website warned about that under the download links, but the new site doesn't. sometimes, the question (issue/ticket) has gaps in relevant information, so it can't be answered or has several possible answers. sometimes, the person answering infers from the question an appropriate skill level for the answer or writes to supplement previous answers. it's basically helping each other with tech support. have a go at browsing https://stackexchange.com and https://what-if.xkcd.com/archive

4. tor browser is cross platform, built to run on linux, macos, android, and windows. and it's based on firefox esr that's also cross platform. some questioners ask about things in windows or firefox they use alongside tor browser or that were carried over from firefox. tor project is not expected to know answers for things they don't make or regularly interact with. for those, peers of yours such as me are the ones who usually end up answering. you could help to answer questions, too.

July 19, 2019

Permalink

I have some basic "Tor For Dummies" questions...

1. Is it possible to... / How can I... pin an onion protected website navigated to through the Tor Browser to my Windows 10 desktop/taskbar/start tiles as a shortcut ?

2. Where is the cute half yellow/half purple onion icon (that accompanies the install folder) stored in windows 10 so I can point to it for my folder options in Windows 10 Explorer ?

Thanks for your help and all your hard work !

1. I don't know if it's possible, but it's definitely not safe. For a system to open desktop shortcuts in Tor Browser, you would have to set Tor Browser as your system's default browser that will be used to open all URL links that you click from outside a browser, but TBB is built as a portable app intended not to customize the system it runs on, and it isn't started from a browser EXE but scripts (batch files). You can try to follow these steps, but Tor Browser might not write the change or open the links:
https://support.mozilla.org/en-US/kb/how-change-your-default-browser-wi…

It is possible though not safe to save websites as bookmarks inside the browser:
https://support.mozilla.org/en-US/kb/bookmarks-firefox

2. I've never seen a half yellow Tor Browser icon. Icons are stored in your Tor Browser install folder:
.\tor-browser_en-US\Browser\browser\chrome\icons\default\