New Release: Tor Browser 9.5.4

by sysrqb | August 25, 2020

Tor Browser 9.5.4 is now available from the Tor Browser download page and also from our distribution directory.

This version is expected to be the final version of the Tor Browser 9.5 series. Watch for Tor Browser 10.0 near the end of September.

This release updates Firefox to 68.12.0esr, NoScript to 11.0.38, and HTTPS Everywhere to 2020.08.13.

Also, this release features important security updates to Firefox.

Note: The Tor Browser OpenPGP signing key was recently updated. Be sure you have the updated version when verifying the OpenPGP signatures

The full changelog since Tor Browser 9.5.3 is:

  • All Platforms
    • Update Firefox to 68.12.0esr
    • Update HTTPS Everywhere to 2020.08.13
    • Update NoScript to 11.0.38
  • Windows + MacOS X + Linux
    • Bug 40019: Onion-Location should not be processed on .onion webpages
  • MacOS X
    • Bug 40015: Tor Browser is broken on MacOS 11 Big Sur

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

August 25, 2020

Permalink

NoScript Why are the default boxes in NS ticked? The first thing I do is to go into default and delete the ticks leaving the option blank with the exception of the first otherwise the web pages do not work. There is probably a simple answer which I do not know as I am not a technician

cheers

PS for those who read my unanswered question in the 9.5.3 update FF v80 is working outside TOR when V79 did not work for me

cheers again

The default options of NoScript change when you change your security level in the shield icon. Do not change the options through NoScript's interface unless you accept that it will make your traffic look less like other users and more trackable. The "first tick", widely called a checkbox, allows JavaScript and is ticked by default when you change your security level to Standard or Safer. Change your security level rather than changing NoScript.

Since long ago, Tor Browser hides NoScript's icon in fresh installations because it was the source of many problems including that novice users were unwittingly making themselves less anonymous and that NoScript is very complicated at first to use. Its icon can be dragged onto the toolbar by selecting "Customize..." in the main menu or right-click menu on the toolbar.

TorTech211 (not verified) said:

August 25, 2020

Permalink

When will Tor allow us to edit our "OS strings" before this was possible to do by going straight into the "about:config" settings and editing the strings so our operating system and version info would not show. This is a privacy and security risk and has been for awhile now and still nothing has been done about it?

It is not a privacy risk, your computer is in the same bucket as every other user with the same operating system. The security argument is very minimal - yes, you can lie and maybe you will be sent a vulnerability exploit for another OS (or arch), but this likely makes you unique among all Tor Browser users.

Anonymous (not verified) said:

September 15, 2020

Permalink

What happened to my comment? I'll try again. Don't censor me please, after your long delay verifying. You're 'unique' as soon as you log into a service, etc anyway. Many Tor users use add-ons and about:config tweaks such as https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js anyway. It would be better if the browser didn't require so many changes to work securely. You have 'safest' mode without javascript, yet it's not the default and of course nothing works properly without javascript.

Human Readable… (not verified) said:

August 25, 2020

Permalink

The attempt to create human readable addresses by partly centralizing the service is just a slippery slope towards the status-quo of the clearnet.

How about just integrating eschalot into Tor Browser's home page? When someone opens the browser they might get an option to generate an address like so...

fledarmyusertvmu.onion
wifefeelkillwovk.onion
ladyfirehikehs66.onion
woodcubabitenem2.onion

MORE INFO HERE - https://security.stackexchange.com/questions/29772/how-do-you-get-a-spe…

There are ways to easily deal with this problem that do not require centralized authorities.

Anonymous (not verified) said:

August 25, 2020

Permalink

Hello. Sorry, I think I lost my comment here. I'll try again. I installed TBB 9.5.4 and had the same problem that I did with TBB 9.5.3. That is: "The bookmarks and history system will not be functional because one of Firefox's files is in use by another application. Some security software can cause this problem.". Bookmarks and history were not present. The same fix worked for TBB 9.5.4 as it did for TBB 9.5.3. I deleted the browser folder, disabled my antivirus and reinstalled TBB 9.5.4. All was well with the new installation, antivirus was re-enabled and no more problems were found. Thanks for the new TBB.

It would help if you link to your original comment. I assume this is it.
https://ocewjwkdco.tudasnich.de/comment/288886#comment-288886

> disabled my antivirus

Yes, someone else reported that disabling their virus scanner resolved the problem for them, too.
https://ocewjwkdco.tudasnich.de/comment/288901#comment-288901

Other people quoted the error message but apparently didn't read it, didn't understand it, or didn't follow through with disabling their security software as it implied.
https://ocewjwkdco.tudasnich.de/comment/288854#comment-288854
https://ocewjwkdco.tudasnich.de/comment/288912#comment-288912
https://ocewjwkdco.tudasnich.de/comment/288914#comment-288914

Oddly, Mozilla's support page for the error doesn't suggest doing what the error itself implies. Namely, disable security software.
https://support.mozilla.org/en-US/kb/fix-bookmarks-and-history-will-not…

But the problem continued for you in 9.5.4, so this Tor blog post needs a note added to it.

No Script not … (not verified) said:

August 25, 2020

Permalink

Hi, Tor is great but ever since updating I can't enable javascript with NoScript. I try to click the button in NoScript that says "Override Tor Browsers Security slider level preset", but there's nothing that works. I tried to use NoScript on a colleague's machine with different OS but the same happens.

Please fix.

Anonymous (not verified) said:

August 25, 2020

Permalink

When i try to download 32bit Windows version i got this:

ESET Internet Security
Threat removed
A threat (Suspicious) was found when Firefox tried to access a website (oiyfgiixvl.tudasnich.de).
The access has been blocked.

Windows 64bit version is OK to download. What's the problem with 32 bit version?

It could be a false positive. 32-bit anything are not popular downloads, so they are reviewed less in virus signature databases than 64-bit programs. Add Tor Browser's firefox in your antivirus whitelist, and use GPG to verify the PGP signature of the 32-bit exe installer.
https://ijpaagiacu.tudasnich.de/tbb/antivirus-false-positive/

Is this normal? (not verified) said:

August 26, 2020

Permalink

Hi Team,

When I select "Temp. TRUSTED" in NoScript extension, the page reloads as expected, but the Javascript for the page doesn't work. I've tried multiple things. There's a little checkbox to tell Tor to override settings but that isn't working either. Maybe I am I doing something wrong? Or is this normal? I want to be able to continue to block Cloudflare, Google, Amazon, Facebook and Microsoft from loading scripts, as well as others that serve little use.

Isn't this fair and simple use of NoScript a good thing for privacy, especially if it reduces the tor traffic that might be used to track or identify me?

> When I select "Temp. TRUSTED" in NoScript, the Javascript for the page doesn't work

https://ocewjwkdco.tudasnich.de/comment/289453#comment-289453
And on the download page for Tor Browser, under the 4 operating systems, is a note that says, "Disabling Javascript: Please read the latest blog post for more information."

> checkbox to tell Tor to override settings

Developers should rewrite that checkbox to say "(dangerous)" like it says on the checkbox to "Disable restrictions globally" in NoScript's general options. Your comment is the 3rd I've seen talking about overriding settings. Set your security level to "safer" or "standard" instead.

> I want to be able to continue to block Cloudflare, Google, Amazon, Facebook and Microsoft from loading scripts, as well as others that serve little use. Isn't this fair and simple use of NoScript a good thing for privacy, especially if it reduces the tor traffic that might be used to track or identify me?

No. Customizing NoScript makes your traffic patterns distinguishable, trackable, and stand out from other Tor Browser users. Anonymity loves company because a group camouflages one another. To reset your browser fingerprint, change your security setting to reset NoScript, and use "New Identity" or restart the browser. Trackers will obviously identify you if you give out personal information in a session or if you log in to an account associated to your real identity or an account you logged into from a normal non-Tor browser.

https://2019.sedvblmbog.tudasnich.de/docs/faq.html.en#TBBJavaScriptEnabled
https://ijpaagiacu.tudasnich.de/faq/staying-anonymous/
https://ijpaagiacu.tudasnich.de/about/no-data-scrubbing/
https://tb-manual.torproject.org/secure-connections/
https://ocewjwkdco.tudasnich.de/browser-fingerprinting-introduction-and-cha…
https://ocewjwkdco.tudasnich.de/noscript-temporarily-disabled-tor-browser

Anonymous (not verified) said:

August 26, 2020

Permalink

When I go to the Tor download page for android it downloads the 9.5.3 apk and not the 9.5.4 apk.
Please fix this.

Anonymous (not verified) said:

August 26, 2020

Permalink

Can you please put a short version of the signing key on the site for download? There's like a bajillion signatures on it and my phone has been importing for 20 minutes now...

Sad (not verified) said:

August 26, 2020

Permalink

I am running the latest version of Whonix. The TOR autoupdate from 9.5.3 to 9.5.4 resulted in my logins.json becoming logins.json.corrupted and I lost all of my logins and passwords. Lucky I have a backup of some....

This was not a good experience :D

Anonymous (not verified) said:

August 27, 2020

Permalink

Prioritizing onion sites is a real pain in the ass when someone wants to share links.

Anonymous (not verified) said:

September 07, 2020

Permalink

NoScript auto-updated today, September 7, and interrupted my traffic. Please show a notice mark or a confirmation now/wait before it updates if its permissions are customised and will be suddenly reset in the middle of an identity session.

Another thing, the lines of per-site permissions in the icon were not showing after it updated unless I moved my cursor over them. After I restarted tor browser, the lines showed all at once properly. They may have done so if I had started a new identity which I didn't try. Linux 64-bit.

Padawanfr (not verified) said:

September 16, 2020

Permalink

Hello
Ive just installed this version on Android.
Id like to know how to edit the torcc file.
Ive already been through several websites, unfortunately didnt any efficient way to do this.
Thanks for your help.

FRANK (not verified) said:

September 16, 2020

Permalink

BONJOUR lorsque l on utilise ' tor ' on est """ soit disant "" non repérable
ce qui n est pas exact
je vais sur un site (coco.fr ) et suis identifié de suite , ,,, ? ¨
je tenais avous le faire savoir