New Release: Tor Browser 9.5a1

by boklm | October 23, 2019

Tor Browser 9.5a1 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates.

Tor Browser 9.5a1 is the first release in the 9.5 alpha series. It contains all the improvements and fixes from the 9.0 release as well as other new features: We enabled WASM on the standard security level, fixed circuit display for bridges without a fingerprint, and we re-enabled jemalloc for Windows users.

The full changelog since Tor Browser 9.0a8 is:

  • All Platforms
    • Update Firefox to 68.2.0esr
    • Bug 31740: Remove some unnecessary RemoteSettings instances
    • Bug 30681: Set security.enterprise_roots.enabled to false
    • Bug 31144: Review network code changes for Firefox 68 ESR
    • Bug 21549: Enable WASM on standard security level
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.1
      • Bug 32154: Custom bridge field only allows one line of input
      • Bug 32112: Fix bad & escaping in translations
      • Bug 31286: Update to tor settings related strings
      • Translations update
    • Bug 32125: Fix circuit display for bridge without a fingerprint
    • Bug 32076: Upgrade to goptlib v1.1.0
    • Bug 32061: Bump snowflake version to b4f4b29a03
    • Bug 32092: Fix Tor Browser Support link in preferences
    • Bug 32111: Fixed issue parsing user-provided bridge strings
    • Bug 31749: Fix security level panel spawning events
    • Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
    • Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
    • Translations update
  • Android
    • Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
    • Bug 26529: Notify user about possible proxy-bypass before opening external app
  • Build System
    • Windows
      • Bug 32132: Re-enable jemalloc for Windows users
      • Bug 31989: Backport backout of old mingw-gcc patch
    • Android
      • Bug 30461: Clean up tor-android-service project

Comments

Please note that the comment area below has been archived.

October 23, 2019

Permalink

Thanks for your great work!
What is the status of allowing/disallowing on a webpage the scripts from the linked domains individually?

Currently, when NoScript is not visible, to make a site work, one has to lower the total security for all scripts together (via "3 safety levels"). If I understand correctly, this allows all scripts, even the 3rd party trackers.

I remember earlier this year it was said in this blog that the individual-domain script controls were to return after the new Firefox ESR is ported into TorBrowser.
Is it still planned?

If not, is there a different recommended way to enable only the good scripts on a page, while keeping the trackers disabled?

Thanks.

Yes, it is still planned to have per-site security settings support, and this feature is on our roadmap for the next two months. This is the ticket:
https://trac.torproject.org/projects/tor/ticket/30570

Until this is available, I think the only way to do it is to add back noscript to the toolbar (which you can do by selecting Customize in the hamburger menu).

October 23, 2019

Permalink

Snowflake's speed on windows seems to be capped to just a dozen Kb per second, and restarted the browser many times, is this normal?

October 24, 2019

Permalink

Danger! TOR BROWSER version 9.0 Android -9.* ALPHA Android.

A vulnerability in the Tor Browser (Android) - version 9.0 / 9.*.* (alpha)

The problem description concerns Tor Browser version 9.0 / 9.*.* (alpha) for Android operating system!
The reason for the vulnerability: - after clearing the cache online, cookies and other identification data remain in the browser.

Detailed description of the actions performed and the presence of the problem:
I do not make any changes to the settings, I do not use add-ons.
Using a clean browser
After clearing the cache from the browser menu, necessarily change the tor ID.
And under such conditions, the result is sad.

My action:

1) launch Tor Browser
2) on the main page about:tor in the "address input field" window, I register the site address
3) click, activate the link
4) the site page opens
5) enter login and password
6) click, for the authorization process.
7) the page is reloaded, authorization occurs
8) I make any actions necessary for me on the site under my login and password.
9) the site page is open, do not click (do not click) on the exit button - do not touch anything.
10) click, browser menu
11) I go to the browser settings menu, click: "clear private data"
12) browser reports: "personal data deleted"
13) close the browser menu
14) in the opened main browser window (about: tor) in the address input field, I register the address of the site where I just was.
15) click
16) the site page is loaded and opened
17) I see on the opened main page of the site that I am authorized and online!
18) I click for example: on the link to enter the personal account, and freely enter without entering the login and password, I can perform any actions without authorization.

THIS IS A SIGN THAT PERSONAL IDENTIFICATION DATA HAS BEEN STORED IN THE CACHE AFTER CLEANING!

I do not recommend using version 9.0 / 9.* - (alpha).

October 24, 2019

Permalink

Hi Tor-Team, regarding Letterboxing: The bad contrast on dark themed websites forced me to disable it completely for now (set privacy.resistFingerprinting.letterboxing to false).

It would be really great if one could set the background color of the Letterboxing borders (f.e.: privacy.resistFingerprinting.letterboxing.border_background_color: #000000).

Keep up the good work!

October 24, 2019

Permalink

[10-24 12:26:26] Torbutton INFO: tor SOCKS: https://tb-manual.torproject.org/en-US via
about.ef2a7dd5-93bc-417f-a698-142c3116864f.mozilla:c770eab8f479cdb8b639dc87d9025163
[10-24 12:26:26] Torbutton INFO: New tab
[10-24 12:26:26] Torbutton NOTE: no SOCKS credentials found for current document.
[10-24 12:26:26] Torbutton INFO: tor SOCKS: https://tb-manual.torproject.org/en-US via
torproject.org:da45deac185a2fc6963c91aa623265ca
Hrm, looks like a race condition.

October 24, 2019

Permalink

> Bug 21549: Enable WASM on standard security level
And how does it go for HTTPS Everywhere when temporarily enabled by lowering the security level?

October 24, 2019

Permalink

A bug? In this new version (9.0) is just disappeared the option to block or unblock cookies from all sites.What did happen with it? How I do that now?

October 24, 2019

Permalink

You guys need to change the letterboxing bars to black or dark grey... Some of us have ELS or simply don't like being blinded ;)

October 24, 2019

Permalink

It was not possible to install this release (Tor 9.0 for Win64) because its file nssdbm3.dll was infected with the virus Win64:Evo-gen.. That is, the setup file downloaded from the Tor site is infected with this mentioned virus. Could you please check this?

October 24, 2019

Permalink

Please return the option to enable/disable cookies and types of cookies. Even if temporarily, no site should be allowed to store files, (such as cookies, etc) in the user's machine without explicit permission of this user. I have read above a reply about that, which nevertheless which is completely an unpractical measure; I mean this should be available to the user's criterion, and easy as used to be in the earlier versions of Tor.

I don't think this should be as easily available as before. Mozilla integrated that functionality tightly into their Tracking Protection UI which we don't want to have right now as it claims to be a privacy feature (among others). Thus, we removed the UI. However, as said above you still can set the respective preference directly.

October 24, 2019

In reply to gk

Permalink

??? Sorry I don't get this justification. It was meant that now the Tor users don't have more right to this kind of privacy (block of cookies)?

Anyway I've tried the indicated manual alteration in "network.cookie.cookieBehavior". The default value seen there is set as "1" . ??? So, What value (0, 2,3, what?) should be set to recover the feature like was in the previous version of Tor?

We did not remove the options to adjust your cookie settings to a value you like nor won't we. The issue is that those cookie settings UI got integrated into the Tracking Protection UI we don't want right now. More importantly, it is highly misleading and by users clicking on different options they might be distinguishable without intending so.

For the value you want have a look at http://kb.mozillazine.org/Network.cookie.cookieBehavior. There four different values are shown and I hope what you have in mind is one of them. If not, then you'd need to search a bit harder as I think there are more values possible nowadays.

October 24, 2019

Permalink

I downloaded "torbrowser-install-9.0_en-US.exe" 32bit several times and verified it.
when I'm trying to install, it just gives me the options of Arabic and Farsi to choose!
Please fix this.

October 25, 2019

In reply to gk

Permalink

not OP but getting a similar thing, when starting the 32 bit installer it gives two language options one of which is my system locale and the other is an unofficial language spoken by some people in this region. checking past versions, the change seems to have happened around version 8.0 (7.5.6 installer shows 6 languages including English). I haven't noticed this before because I only use the 64 bit installers and they always show a long list of languages to choose from unlike 32 bit installers

Could you pin down the first Tor Browser version where this happened? Older installers are at: https://archive.torproject.org/tor-package-archive/torbrowser/. If the result is a major version, like 8.0 it would be helpful to track the issue further down in the alpha versions belonging to that stable one. In the 8.0 case this would be 8.0a1-8.0a10. Thanks. I am filing a ticket meanwhile.

October 25, 2019

Permalink

Media resource blob:https://www.xxx.com/111 could not be decoded, error: Error Code: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005)
Details: RefPtr mozilla::MediaSourceTrackDemuxer::DoSeek(const mozilla::media::TimeUnit &): manager is detached.

October 25, 2019

Permalink

NetworkHelper.getReasonsForWeakness threw an exception: STATE_IS_BROKEN without a known reason. Full state was: 1 2 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
getReasonsForWeakness resource://devtools/shared/webconsole/network-helper.js:795
parseSecurityInfo resource://devtools/shared/webconsole/network-helper.js:620
_getSecurityInfo resource://devtools/server/actors/network-monitor/network-response-listener.js:329
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:111
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

October 25, 2019

Permalink

Handler function threw an exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsICacheInfoChannel.isRacing]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://devtools/server/actors/network-monitor/network-response-listener.js :: NetworkResponseListener.prototype._getSecurityInfo< :: line 334" data: no]
Stack: NetworkResponseListener.prototype._getSecurityInfo<@resource://devtools/server/actors/network-monitor/network-response-listener.js:334:26
exports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:111:22
onStartRequest@resource://devtools/server/actors/network-monitor/network-response-listener.js:226:10
Line: 334, column: 0 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:117
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

October 25, 2019

Permalink

Some site hung the browser with
[10-25 10:18:10] Torbutton INFO: controlPort >> 650 STREAM 7389 NEW 0 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443 SOURCE_ADDR=127.0.0.1:65499 PURPOSE=USER
7389 alt-svc requests? madness..

CRAP! IT IS STILL RAPING MY PC EVEN WITH ALL TABS CLOSED! 238741 TIMES!!!
[10-30 08:44:55] Torbutton INFO: controlPort >> 650 STREAM 238741 NEW 0 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443 SOURCE_ADDR=127.0.0.1:56101 PURPOSE=USER
[10-30 08:44:55] Torbutton INFO: controlPort >> 650 STREAM 238741 SENTCONNECT 168 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443
[10-30 08:44:55] Torbutton INFO: controlPort >> 650 STREAM 238706 CLOSED 156 cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion:443 REASON=DONE

October 26, 2019

Permalink

[10-26 11:23:49] Torbutton INFO: controlPort >> 650 STREAM 138 FAILED 36 sync-messages.invalid:443 REASON=END REMOTE_REASON=RESOLVEFAILED
[10-26 11:23:49] Torbutton INFO: controlPort >> 650 STREAM 138 CLOSED 36 sync-messages.invalid:443 REASON=END REMOTE_REASON=RESOLVEFAILED

NoScript is going mad :(

October 26, 2019

Permalink

With the new version of Tor Browser there is a white border around webpages which is super annoying. I understand it is kind of a anti-fingerprinting feature. Can I change the color of those borders to grey or black?

October 28, 2019

Permalink

I'am so extremly disapointed about the latest tor-browser releases:
Without the posibility to allow 'third-party-cookies' you cannot log into several websites like any disqus based forums.
That makes tor-browser totally useless! Who the hell has decided this bunk?!
It is like removing the wheels from a car in order to make driving more secure!
I hope I will find an older version somewhere which allows the user at last to make some decisions on himself...

So, first of all: we did not touch any of the per-site cookie settings. You should probably use those anyway as you very likely do not want to allow third party cookies on any website just because you need to log in to some.

But even if you think that's okay and are fine with third-party cookies generally then you still have the option to allow those. You need to adjust the respective preference, network.cookie.cookieBehavior in about:config to the value you want to have. http://kb.mozillazine.org/Network.cookie.cookieBehavior has possible values and 0 seems to be the one you are looking for.

Finally, if you already had third party cookies enabled the update did not touch anything in that regard.

October 29, 2019

In reply to gk

Permalink

"I am fine" --> "and am fine"

And to help clarify, per-site cookie settings are in Preferences --> Privacy & Security --> Cookies and Site Data --> Manage Permissions button.

November 19, 2019

In reply to gk

Permalink

Will the future per-site security levels make it possible to allow third-party cookies (or "per-site cookie settings") on a specific first-party website only? The other person asked about Disqus for example.

maybe, because of:
Loading failed for the with source “chrome://global/content/TopLevelVideoDocument.js”. Volcano_Lava_Sample.webm.360p.vp9.webm:1:1

(not opening tickets for real regressions is rude)

November 15, 2019

In reply to boklm

Permalink

is that a joke or what?
"doesn't work on Safest"
"black screen on my win 7"
doesn't work on any security level

It's not a joke, we need clear information about an issue in order to investigate it without wasting too much time looking into the wrong direction. For example the first comment talked about "Safest" but now it doesn't seem related to the security level anymore.

Anyway, I opened a ticket to track this issue:
https://trac.torproject.org/projects/tor/ticket/32530#ticket

Is this a new issue with Tor Browser 9.0, or did this happen with older versions of Tor Browser too?

November 18, 2019

In reply to boklm

Permalink

new issue

November 19, 2019

In reply to boklm

Permalink

yeah

November 18, 2019

In reply to boklm

Permalink

reproduced that on a clean new 9.5a2 Win 7 32-bit, console error appeared on safer levels.

November 19, 2019

In reply to boklm

Permalink

yes

According to that post, the panel is titled "Site Information". The post's author uses the word "identity" simply to describe some things in the panel. Moreover, the panel is clearly about the site's credentials and not the user. I don't think renaming is necessary.

October 29, 2019

Permalink

Hallo Leute
Nachdem ich euren neuen tor browser auf mein Handy samsung s2 neu installiert habe funktioniert er nicht mehr!
Der Tor browser bleibt mit der Meldung:Tor Programm wird gestartet...
Abgeschlossen
stehen.
Was ist passiert?
Vier mal neu installiert und geht nicht. ...

Do you see any log messages if you swipe on your screen from the right to the left? There should be status messages visible about what Tor is trying to do.

October 29, 2019

Permalink

Since the new version (9x) my about:config settings like (proxy.type, remote_dns) get reset every browser re-start.

Please tell me how to make them stick. What is resetting them to defaults?

October 30, 2019

Permalink

undefined is not a valid URL. background.js:321
onBeforeRequest moz-extension://[uuid]/background-scripts/background.js:321
apply self-hosted:4417
applySafeWithoutClone resource://gre/modules/ExtensionCommon.jsm:588
fire resource://gre/modules/ExtensionChild.jsm:1171
receiveMessage resource://gre/modules/ExtensionChild.jsm:1175
_callHandlers resource://gre/modules/MessageChannel.jsm:914
_callHandlers resource://gre/modules/MessageChannel.jsm:913
promise resource://gre/modules/MessageChannel.jsm:992
_handleMessage resource://gre/modules/MessageChannel.jsm:989
_handleMessage self-hosted:1005
receiveMessage resource://gre/modules/MessageChannel.jsm:225
forEach self-hosted:266
receiveMessage resource://gre/modules/MessageChannel.jsm:218

untested NoScript jumped in...

November 02, 2019

Permalink

I verified my download of TBB using checksum & signing key. Both passed.
I searched the sha256 sum on DDG and got a mismatch, so I'm concerned I could have a MITM TBB,key ect.

ME =
sha256sum tor-browser-linux64-9.0_en-US.tar.xz
670d5c53d989f70eaffd7052f911c5d36b70b17af6cc5691fd8a5d5acc5c5229 tor-browser-linux64-9.0_en-US.tar.xz

What I see on DDG =
sha256sum tor-browser-linux64-9.0_en-US.tar.xz
072d2a349f7b6dbf465a4600e6e2b68a030aebc4e36a289fa4f4c2933040f161

ps
I dislike the removal of cookie enable/disable option
no access to noscript,https everywhere buttons

I know customization is a threat to fingerprinting but daaamn. cookies on always unless we about:config? that sucks and makes tracking easier imo.

670d5c53d989f70eaffd7052f911c5d36b70b17af6cc5691fd8a5d5acc5c5229 is correct. https://oiyfgiixvl.tudasnich.de/torbrowser/9.0/sha256sums-signed-build.txt (verify the signature, too, if you are concerned). Where did you find the link on DDG?

Regarding cookies, only first party cookies are allowed, third-party cookies are denied. If you are concerned about first-party cookies then restarting the browser or using New Identity will clear them.

> I searched the sha256 sum on DDG and got a mismatch

That's because DDG's instant answer (by typing your SHA command in its search box) takes the hash of the *text string* you typed. You could tell it to find the sha256sum of the nonexistent tor version "alice42-9.9.9" and it will return a hash because it calculates based on the text characters.

On your machine, at a terminal/command prompt, this will calculate the sha256 of the text string of your value and return the 072... hash that DDG returned:
$ echo -n 'tor-browser-linux64-9.0_en-US.tar.xz' | sha256sum -t

In contrast, this will look for the file with that name in your working directory and calculate the sha256 of the *contents* of the file, which is what you actually want:
$ sha256sum tor-browser-linux64-9.0_en-US.tar.xz

November 04, 2019

Permalink

NetworkHelper.getReasonsForWeakness threw an exception: STATE_IS_BROKEN without a known reason. Full state was: 1 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
getReasonsForWeakness resource://devtools/shared/webconsole/network-helper.js:795
parseSecurityInfo resource://devtools/shared/webconsole/network-helper.js:620
_getSecurityInfo resource://devtools/server/actors/network-monitor/network-response-listener.js:329
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:111
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

November 05, 2019

Permalink

Could you guys add a button to about:tor for checking Tor (opens check.torproject.org in a new tab) like Tails has it on their website when you're using Tails?

That page used to be Tor Browser's new-window homepage as about:tor is today. I don't think there is a reason for it anymore (except for new users) because the browser is not opened until after tor connects, and the browser is configured to make all connections through tor. Once it's open, new installs show introduction slides, and users can check the proxy preferences and drop-down circuit display. Users could bookmark that page or change Preferences to set that page as the browser's homepage and customize the toolbar to drag the Home button into view. If a virus infects the machine and changes the files, you have bigger problems unrelated to Tor.