New Release: Tor Browser 9.5a2

by boklm | November 12, 2019

Tor Browser 9.5a2 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This new alpha release contains various bug fixes and improvements. Among them, we improved the letterboxing experience. Additionally, we added a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

As with the stable release, we currently have a reproducible build issue. We recently made some progress on the issue and are getting closer to having a fix.

The full changelog since Tor Browser 9.5a1 is:

  • All Platforms
    • Update NoScript to 11.0.7
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campain
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 32318: Backport Mozilla's fix for bug 1534339
    • Bug 32250: Backport enhanced letterboxing support (bug 1546832 and 1556017)
    • Bug 31573: Catch SessionStore.jsm exception
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor to 0.4.2.3-alpha
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
    • Bug 27604: Fix broken Tor Browser after moving it to a different directory
    • Bug 32220: Improve the letterboxing experience
    • Bug 30683: Backport upstreamed fix from Mozilla (bug 1581537)
  • Android
    • Bug 32342: Crash when changing the browser locale
    • Bug 32303: Obfs4 is broken on Android Q
  • Build System
    • All Platforms
    • Android
      • Bug 28803: Integrate building Pluggable Transports for Android

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

November 12, 2019

Permalink

The most annoying error is still:
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.removeSheetUsingURIString]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 75" data: no] 7 ExtensionCommon.jsm:75:12
runSafeSyncWithoutClone resource://gre/modules/ExtensionCommon.jsm:75
cleanup resource://gre/modules/ExtensionContent.jsm:403
close resource://gre/modules/ExtensionContent.jsm:913
destroyed resource://gre/modules/ExtensionContent.jsm:998
observe resource://gre/modules/ExtensionContent.jsm:1016

Anonymous (not verified) said:

November 12, 2019

Permalink

Thanks for your hard work!

A long-standing wish: it would help if your GPG signature filenames ended in '.sig' instead of the current '.asc'.
Some gpg linux software (like KGpg) is associated with '.sig', so clicking on the files in file manager nicely performs the verification.
In contrast, when your '.asc' files are clicked, it always causes the prompt to provide a new name to overwrite the files.

Thanks to the Tails devs for already using '.sig' and thus avoiding this annoyance!

There is a ticket open for changing Firefox's behavior when a .asc is requested. I agree it is annoying that the world uses two different file extensions for the same type of file, but gpg produces .asc files by default - it seems silly that other PGP/GPG tools do not handle that correctly. On the other hand, .sig is more explicit about what the file contains (a signature), instead of some-ascii-armored textblob.

I opened a ticket for this - https://trac.torproject.org/projects/tor/ticket/32479

Anonymous (not verified) said:

November 12, 2019

Permalink

My letter box is 1cm each side but 3 cm at bottom of screen. Means I lose lot of screnn! any way to change this setting manually? I dont like it too big.

Is that the default configuration? You see letterboxing when you start the browser? Did you customize the browser? Did you add a toolbar, like the bookmarks bar?

Anonymous (not verified) said:

November 12, 2019

Permalink

Yes default. I didn;t touch any thing new. Only make the browser full size on screen by click box in top corner.

> Yes default. I didn;t touch any thing new. Only make the browser full size on screen by click box in top corner.

"full size" (called "maximizing the window") is not the default when you start the browser. sysrqb was asking about the state of the window when you first open Tor Browser or after you start a "new identity" by clicking the broom icon. The letterbox frame is intended to appear when you resize from that initial size such as when you maximize the window. It is not intended to appear on the default state of the window when you first open Tor Browser or after you start a new identity.

I will check and report back. Si, it desktop (Windows 10, ASUS laptop) but didnt happen before. I have no toolbar showing. TBB stable not do. TBB alpha was ok before 9.5a2 for me. Sorry to be pain in ass, I love your TBB and Tails friends and gracias for all help every day.

Anonymous (not verified) said:

November 12, 2019

Permalink

Are there any plans for an Anti-DDoS functionality in Tor and Tor-Browser?

This could be done by requiring proof of work every N requests/minutes to be able to access an .onion site (see hashcash). Doing this via JS is not really an option because many people disable it for security reasons.

If not, please consider this for an upcoming version. Many websites suffer from DDoS and I think this could be an effective solution to the problem.

Anonymous (not verified) said:

November 15, 2019

Permalink

opening about:preferences#privacy from the security toolbar button leads to adding about:preferences#tor items at the end of about:preferences#privacy

Anonymous (not verified) said:

November 15, 2019

Permalink

Handler function threw an exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsICacheInfoChannel.isRacing]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://devtools/server/actors/network-monitor/network-response-listener.js :: NetworkResponseListener.prototype._getSecurityInfo< :: line 334" data: no]
Stack: NetworkResponseListener.prototype._getSecurityInfo<@resource://devtools/server/actors/network-monitor/network-response-listener.js:334:26
exports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:111:22
onStartRequest@resource://devtools/server/actors/network-monitor/network-response-listener.js:226:10
Line: 334, column: 0 2 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:117
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

Anonymous (not verified) said:

November 17, 2019

Permalink

New Browser Console is outstanding in its CPU usage and freezes the entire browser:
Script: resource://devtools/client/webconsole/reducers/messages.js:1341
Script: resource://devtools/client/webconsole/components/ConsoleOutput.js:150

Anonymous (not verified) said:

November 17, 2019

Permalink

NoScript is still fucking computers with thousands of:
[11-17 10:59:15] Torbutton INFO: controlPort >> 650 STREAM 26704 CLOSED 133 cflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion:443 REASON=DONE

Willi wonke (not verified) said:

November 18, 2019

Permalink

Tor browser android version 9.*.* cache is not cleared by standard methods in online mode. Cleaning is possible only after closing the program. Each time after authorization it is necessary to close the program and start again. Can you fix it so that the full cache cleanup works online? Or is it impossible to fix?

Anonymous (not verified) said:

November 18, 2019

Permalink

HTTPS Everywhere Options in about:addons

TypeError: chromeWin.gBrowserInit is undefined ext-webNavigation.js:140:1

Anonymous (not verified) said:

November 18, 2019

Permalink

Thank you for fixing the wiki search bar issue. I thought it was just me.

But, isn't the window size supposed to be a configured size due to fingerprinting concerns? Mine does not seem to be, & I wasn't sure if that was no longer a concern.

Anonymous (not verified) said:

November 18, 2019

Permalink

Please disregard my previous comment regarding window size. It seems to work now... weird. I didn't change anything, but it didn't seem to work on one page, but did on another.

Which page? Are you using Tor Browser 9.5a2? If letterboxing is enabled, which it is by default, window size does not contribute to fingerprinting as much as it does without letterboxing. You should see bars or margins of blank space around the edges the web page display area. If your first try was in a window whose size you changed, then your description is normal behavior. But if your first and second tries were in a window of the same size, you may have found a bug that you should provide more information about.

> You don't know specs for UA o_0
> You are not allowed to report mix of arches.

We're allowed to do anything we want. I'll just let tom explain it

"RFP violates web standards all over the place actually. We explicitly do so in the name of user intervention - the user has opted into a mode that has reduced compatibility on the web and breaks some features but provides greater privacy. At some point in the future it would be wonderful if RFP and Web Standards converged again - but it's going to have to be Web Standards that come to meet RFP - not the other way around"

Source: https://bugzilla.mozilla.org/show_bug.cgi?id=1535189#c12

Anonymous (not verified) said:

November 19, 2019

Permalink

Tor Browser with js reports
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
without js
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
fix this nonsense!

demidrol (not verified) said:

November 19, 2019

Permalink

Developer!

In all versions of 9.. *. * For android devices, the following vulnerabilities were discovered:

1) The cache is not cleared from the standard browser menu in online mode!

2) switching cookie management modes does not work. Cookies are accepted even in the "Disabled" mode!

For 1), what do you mean by "online mode"? Currently you have to close the application and open it again to clear the cache. But we are planning to implement a "New Identity" features similar to the Desktop one: https://trac.torproject.org/projects/tor/ticket/28800

For 2), where did you change cookies settings? Preventing cookies completely is not recommended as it will change the fingerprint of your browser.

Anonymous (not verified) said:

November 20, 2019

Permalink

[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIContentSniffer.getMIMETypeFromContent]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource:///modules/FaviconLoader.jsm :: onStopRequest :: line 277" data: no] FaviconLoader.jsm:277:24
onStopRequest resource:///modules/FaviconLoader.jsm:277
AsyncFunctionNext self-hosted:839

Anonymous (not verified) said:

November 20, 2019

Permalink

Handler function threw an exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsICacheInfoChannel.isRacing]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://devtools/server/actors/network-monitor/network-response-listener.js :: NetworkResponseListener.prototype._getSecurityInfo< :: line 334" data: no]
Stack: NetworkResponseListener.prototype._getSecurityInfo<@resource://devtools/server/actors/network-monitor/network-response-listener.js:334:26
exports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:111:22
onStartRequest@resource://devtools/server/actors/network-monitor/network-response-listener.js:226:10
Line: 334, column: 0 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:117
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

Anonymous (not verified) said:

November 22, 2019

Permalink

TypeError: this.messageManager is null 3 browser-custom-element.js:1553:11
purgeSessionHistory chrome://global/content/elements/browser-custom-element.js:1553
observe chrome://global/content/elements/browser-custom-element.js:224
torbutton_do_new_identity chrome://torbutton/content/torbutton.js:933
torbutton_new_identity chrome://torbutton/content/torbutton.js:835
oncommand chrome://browser/content/browser.xul:1

anon (not verified) said:

November 23, 2019

Permalink

Could you guys fix the bad favicons for both DuckDuckGo search engines (regular and Tor)? They have been like this for a long time.

Bad favicons? What do you see? According to the source html of their webpages, these are their favicons:
https://duckduckgo.com/favicon.ico
https://3g2upl4pq6kufc4m.onion/favicon.ico

Those look the same as DDG Onion's button in Tor Browser. DDG's .com button looks like those, but the red circle doesn't have a white line border. I like that I can tell them apart so I don't click the wrong one by accident.

chase (not verified) said:

November 24, 2019

Permalink

I've been trying to download the Tor browser for a couple of days. All the other links on the download page are live, but not the download link. I've tried with multiple browsers and on different computers. I know my ISP doesn't block it. Is there a current issue with the download? Thanks!

Anonymous (not verified) said:

November 24, 2019

Permalink

EFF (Full): A new ruleset bundle has been released, but it is older than the extension-bundled rulesets it replaces. Skipping. util.js:26:15

torbutton (not verified) said:

November 27, 2019

Permalink

Hi. I am using torbrowser with 5-6 opened profiles. And only one of these - use tor connection. the others have different proxy.
I am afraid to upgrade to newest version because of torbutton integrated. Can I use this version for non-tor browsing?

Anonymous (not verified) said:

November 28, 2019

Permalink

WTF?
Dropping text on the webpage resulted in the tab destroyed with

Hmm. That address doesn’t look right.

Please check that the URL is correct and try again.

and no history to go back!
Log:
Ignoring response to aborted listener for 824
[11-29 03:36:19] Torbutton INFO: The DataTransfer is available
[11-29 03:36:21] Torbutton INFO: The DataTransfer is available 2
[11-29 03:36:21] Torbutton INFO: Inspecting the data transfer: 0
[11-29 03:36:21] Torbutton INFO: Type is: text/_moz_htmlcontext
[11-29 03:36:21] Torbutton INFO: Type is: text/_moz_htmlinfo
[11-29 03:36:21] Torbutton INFO: Type is: text/html
[11-29 03:36:21] Torbutton INFO: Type is: text/plain
TypeError: docShell.failedChannel is null NetErrorChild.jsm:844:32

pissed off (not verified) said:

December 08, 2019

Permalink

Please can someone in plain Fu**ing Englih tell me how the fuck you verify tor download for ubuntu, 3 fucking weeks I have been trying to work it out ffs pull your heads out of your arses