New Release: Tor Browser 9.5a4

by sysrqb | January 11, 2020

Tor Browser 9.5a4 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This new alpha release picks up security fixes for Firefox 68.4.0esr and 68.4.1esr. In addition, this release updates the bundled NoScript extension to its latest version.

Reproducible Builds

The issue with reproducible builds mentioned in the 9.0.1 blog post is now resolved in this release.

ChangeLog

The full changelog since Tor Browser 9.5a3 is:

  • All Platforms
    • Update Firefox to 68.4.1esr
    • Bump NoScript to 11.0.11
    • Translations update
    • Update OpenPGP keyring
    • Bug 31134: Govern graphite again by security settings
    • Bug 31855: Remove End of Year Fundraising Campaign from about:tor
    • Bug 32053: Fix LLVM reproducibility issues
    • Bug 32547: Add new default bridge at UMN
    • Bug 32659: Remove IPv6 address of default bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.2.5
    • Update Tor Launcher to 0.2.21
      • Bug 32636: Clean up locales shipped with Tor Launcher
      • Translations update
    • Bug 32674: Point the about:tor "Get involved" link to the community portal
  • Build System
    • All Platforms
    • Linux
      • Bug 32676: Create a tarball with all Linux x86_64 language packs

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

January 11, 2020

Permalink

> In addition, this release updates the bundled NoScript extensions to its latest version.
Not sure how many extensions you have, but this release downgrades NoScript from 11.0.12 to 11.0.11...

That is unfortunate. There is only one NoScript extension, but I see version 11.0.12 was released within the last few days. The Tor Browser release was frozen earlier in the week. Tor Browser should automatically upgrade NoScript to version 11.0.12 (again).

Anonymous (not verified) said:

January 11, 2020

Permalink

browser.display.document_color_use is still broken, and does not honor '2' the way ESR does.
IE, "colors" dialog page still broken.

Anonymous (not verified) said:

January 13, 2020

Permalink

For many different reasons... (each version of windows has its own version of that component, it is not recommended to ship windows components, you have to maintain it, etc)

Anonymous (not verified) said:

January 13, 2020

Permalink

I know about this ticket, and that bunch of users are out of scope as with UCRT. Up-to-date Windows has it, other configurations are not secure and shouldn't be supported.

If d3dcompiler_47.dll is available on the system, then this is the version that gets used. We ship it for the Windows 7 users who don't have it on their system, doing the same as what Mozilla is doing.

Anonymous (not verified) said:

January 17, 2020

Permalink

Exactly, but you shouldn't. Security and Mozilla are incompatible. You shouldn't do what they are doing. It's like using Firefox instead of Tor Browser.

Anonymous (not verified) said:

January 11, 2020

Permalink

> Bug 32676: Create a tarball with all Linux x86_64 language packs 68.3.0esr
68.3.0esr?

The alpha releases include new changes that have been less tested. Those changes are usually improvements, but they can sometime cause unexpected issues.

In case of critical security issue, we fix the stable release in priority.

Also, there are many stable release users, but only a small number of alpha users. So you are part of a larger group when using the stable release.

If security and anonymity is critical to you, you should stay on the stable release. If you want to see the new changes in advance, and help test them, you should use the alpha.

Anonymous (not verified) said:

January 12, 2020

Permalink

Does anyone else notice that seemingly NoScript releases its new version shortly after the TorBrowser comes out?

Knowing that the TB users will get this update directly from the 3rd party (George) and automatically - without the Tor developer review process - is a concern.
Hope I'm wrong, but it looks like NoScript likes immediately overwriting some anonymity sanitizing that the Tor people configure in NoScript that ships in the TB bundle. Anyone to review?

Even if not, this fore-trusted add-on updating for such a critical plug-in seems to be a security loophole.
Consider disabling the No-Script auto-updating (just release new TB with the updated NoScript). Or make replacing it with an in-house solution a higher priority?

Anonymous (not verified) said:

January 15, 2020

Permalink

It's great to see someone else has reopened this issue, but...
This ticket has been open for 6 years!!?
Even the slightest chance of a subversion - is not that kind of critical?
Hope the programmers out there get a signal of urgency and step out to help.
Thanks to all who can.

This is pro-privacy proposal:
Intent to Deprecate and Freeze: The User-Agent string
Summary

We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in `navigator.userAgent`

Motivation

The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.

brix (not verified) said:

January 16, 2020

Permalink

When I installed Tor, at the beginning the last hop of the e-mail rout was:
WhoIs 81.17.27.133? MailHops API Info Location: TZ: Europe/Zurich, , Switzerland Host:
now is mysteriously changed compromising the system because it appears:
WhoIs 109.70.100.20? MailHops API Info Location: Vienna, Austria, Austria Host: tor-exit-anonymizer.appliedprivacy.net
Do you have any advice to restore the previous settings, please?

Anonymous (not verified) said:

January 17, 2020

Permalink

Ich kann machen was ich will es gibt keine Verbindung zum möglichen Horst auch alle Kontakte zur Webseite sind unterbrochen und werden mit unsicher und veraltete Sicherheitsbestimmungen geblockt!

Loser (not verified) said:

January 17, 2020

Permalink

Keine Verbindung mehr möglich alles wird mit veraltete Sicherheits Bestimmumgen begründet

loser (not verified) said:

January 18, 2020

Permalink

Keine Verbindung von einen Tag auf den anderen hier aus deutschland mehr möglich möglich alle Möglichkeiten wurden ausgeschöpft

Anonymus (not verified) said:

January 18, 2020

Permalink

links not working correctly

.onion links sometimes don't work. It's like refreshing the page but it works the second time.
and please add more video file types. Some videos does not load when I try to.

Indonesia Here (not verified) said:

January 22, 2020

Permalink

I hv been using the 9.04 and the alpha build for pc.

Before the update to 9.04, TOR Network work really fast from Indonesia using obs4 or meek.

But now after 9.04 update, the network become so slow. Loading a search result from DDG took about 3min.

I try using meek and it fail to connect. When I dont use bridge, it also become more slow. Checking from the log, I just aware Indonesia only have 3 to 4 bridge available.

In the alpha build, the snowflake bridge also failed to connect.

When I try android version, it also took same response.Trying different website and it also slow.

Now back to pc version:
Looking in the hop list, I aware that my final hop always been changing itself every 4sec.

Something seems wrong in bridge network of TOR. Some website also ask my age, seems like the cookies never saved.

Jkarta (not verified) said:

January 23, 2020

Permalink

I use requested bridge from TOR. Allow firewall & turn off controlled access folder.
But TOR still slow loading media (pictures and video).
It even slow loading media from TORproject.org.
The only it fast loading image is from duckduckgo.

Anonymous (not verified) said:

January 24, 2020

Permalink

> Update OpenPGP keyring

What does this mean exactly? Will your keys I saved no longer verify your files I download? Do I have to accept the key from "--locate-keys" as the only source and can't corroborate it?

The Tor Browser build process involves downloading components from various places, which we verify using gpg. This line in the changelog is about updating one the gpg keyring we use for that. Actually I think it should have been in the "Build System" part.

itsme@homecom (not verified) said:

January 25, 2020

Permalink

First, THANKS for all your work TBB Developers!!!

Clicking on the (i) Icon next to the URL bar I can't see the circuits anymore. Why is that?
All I see is "Connection" and "Permissions" ....
Tor Browser is tor-browser-linux64-9.5a4_en-US.tar.xz in Whonix-Workstation.

itsme@home.com (not verified) said:

January 27, 2020

Permalink

I'm sorry I didn't get back to you sooner.
Your are right! Tested TBB (9.0.4 and 9.5a4) on my "normal" Fedora Workstation (non Whonix) - and it works.
It's the first time I gave Whonix a try - and and most likely it has always been so one cannot see the circuits.
Thanks for your anwer! :-)

Security Level (not verified) said:

January 26, 2020

Permalink

Thank you for the privacy sweeper. That is exactly what I often use.

The "security level" shield has practically seen only three alternatives to choose from. Why could it not be a drop down menu? Then I could get through with two clicks instead of five now.

The reason to have the security level in the preferences pane is to reinforce the idea that it is being applied to the whole session and not just to a particular tab or window. A drop down menu could give the impression that it applies only to the current tab or window.

Me Again (not verified) said:

February 01, 2020

Permalink

> idea that it is being applied to the whole
> session and not just to a particular tab or
> window

You are right. The basic options of TorBrowser must meet the needs of very low-level-skilled user of tor.

What if the drop down menu text has a warning like
– this setting affect ALL tabs and running windows

Basically each user has to learn that information only once so the first time they use this drop down they must “qualify” (accept the above rule) or something.

gambino (not verified) said:

February 01, 2020

Permalink

hi thank you for tor project and your hard work but i wish you add tor translate is like google translate really it helps a lot thank you

scaze (not verified) said:

February 08, 2020

Permalink

On Android 8.1 custom pluggable transports dont work at all, only the built - in ones work.
I can only connect to normal custom bridges.
It stucks at 10%, tls handshake cannot be completed for some reason.
I have the same problem even if I connect first to a VPN and then to TOR.
I dont have that problem if I use TOR from Linux in the same router.
Also I dont use any firewall on my android and the device is not rooted.

trhjn4568544 (not verified) said:

February 08, 2020

Permalink

It would be very helpful if an option to request dekstop site by default existed on android.
Enabling dekstop site reduces fingerprinting with javascript disabled.

Peta (not verified) said:

February 09, 2020

Permalink

On Android if I disable cookies the are still enabled; I have to enable and re-disable them in order to be disabled every time I open Tor Browser.

Cookies are automatically cleaned when selecting new identity, or restarting the browser. But disabling cookies completely will make your fingerprint different from most people, so it is not a good idea.

Anonymous (not verified) said:

February 11, 2020

Permalink

In one tab, https:// www . sammobile. com/samsung gives:

The page isn’t redirecting properly

An error occurred during a connection to www . sammobile . com.

This problem can sometimes be caused by disabling or refusing to accept cookies.

but it opens in another tab!