New Release: Tor Browser 9.0a3

Tor Browser 9.0a3 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

Like Tor Browser 8.5.2 and Tor Browser 8.5.3 in the stable series, this release includes critical security fixes for Firefox (mfsa2019-18 and mfsa2019-19).

Users of the safer and safest security levels were not affected by mfsa2019-18.

The full changelog since Tor Browser 9.0a2 is:

  • All platforms
    • Pick up fixes for Mozilla's bug 1544386 and 1560192
    • Update NoScript to 10.6.3
khled.8@hotmai.com

June 24, 2019


What took you so long? This is unacceptable. If your build+release process takes this much then you should seriously consider improving it. Not enough bandwidth speed? Upgrade those damn machines. Build taking too long? Upgrade to an AMD EPYC 64 cores.

It took so long as we were prioritizing stable releases. Additionally, 2/3 of our team working on releases once a release is coming up was at a conference and could not help with the chemspills. If that's not acceptable to you for an alpha series, use the stable series instead.

It’s crazy to complain, when you can just drop back from the alpha channel to the stable channel. I guess the complaining poster doesn’t know the time and effort needed to get a new build out the door.

What would be nice is if the alpha channel could warn the user that the stable channel has received an important security update. Could the standard Firefox update notification system be co-opted to tell the user about the stable update? Something like when app.update.auto is turned off, but without the ability to start an upgrade from within the browser. The warning could be something like, “The stable series of Tor Browser has received an important security update. The Tor Project is working to update the alpha series. In the meantime, we recommend you download and use the latest stable Tor Browser.”

I appreciate there would be a problem notifying users who move to the stable channel, once the alpha channel has been updated.

> Are there still plans to port to Chromium now?

And port back when Chromium gets a zero-day? Changing the browser over occasional security bugs makes little sense.

Dear Tor team,
I search every day for news about the darkweb, cybersecurity and hacking, but I could not find anything new after darkwebnews and deepdotwebnews shut down. I only go to reddit and 4chan and 8chan and darknetlive and dread and freshonions. I feel lost. I hope the Tor team will create a tornews web site or forum, or darkweb news only for research and education. I just want to learn new things and be up to date.

Thank you

Love Tor team and love USA.

Tor is just a tool to help you defend yourself against tracking and surveillance on the internet. We don't have anything to do with that thing some people call "the darkweb" so we have no plan to create any website or forum about this.

Thank you so much for the update! <3

Any ETA on when the patches for Mozilla's bug 1544386 and 1560192 will be released for android? I know earlier you said that you didn't currently have access to the signing key (b/c person who had it was away at a conference) and the patches would probably come during the weekend... Would love to know, as it kinda sucks being forced to use safest for now. Thank you!

Those should get out today, sorry for the inconvenience.

Did either of those two bugs affect the Android Tor Browser?

Also.. on that note, is there any sandboxing protections for the Android app? Does there even need to be since Android has its own basic sandboxing of processes?

Thanks for your hard work!

Yes, we think those bugs affect Android as well and hope to finally get updates out today. There currently is no sandboxing available on Android like on desktop platforms. As to whether it is needed, I don't know, to be honest.

the fingerprinting is still not blocked in browser. still high bits of info from browser shown. if you use the eff panop fingerprint it shows 17 bits instead of near 0.

The Panopticlick test is heavily biased, as all other browsers like Edge and Chrome count here as well. What you'd need is a test where only Tor Browser users would get tested and then the entropy calculated, as the goal is not to blend in with all the other browsers (which is probably not possible) but with all other Tor Browser users.

>What you'd need is a test where only Tor Browser users would get tested

Seems like a good idea for a .onion Panopticlick-like website

I'm working on it (with my limited skills). What we do not need are entropy figures, because we know we are working in a closed set and can rely on math and our strategy of lowering entropy. The idea is down the track to be able to copy-to-clipboard/export the results locally and paste/import two results into a comparison page and highlight/output the differences. Initially I started this to be able to compare and test RFP in Firefox vs TB. If anyone wishes to help out, I could do with some :)

[1] https://github.com/ghacksuserjs/TorZillaPrint

> Seems like a good idea for a .onion Panopticlick-like website

https://blog.torproject.org/comment/280966#comment-280966
and others below it

> the goal is not to blend in all the other browsers (which is probably not possible)

Accept data from exit addresses only and/or run it on an onion. Accept data from useragents matching tuned regexes of former TBB versions only. Before deploying another filter, use it to clean a new copy of the old database. Not perfect but better.
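
The closed-set measurement discussed in the replies above, as an added example (not code from the Tor Project, Panopticlick or TorZillaPrint): it keeps only submissions that arrived via an exit address and match a Tor Browser user-agent regex, then compares how identifying one fingerprint is in the whole population and in the Tor Browser-only set. The record fields, the regex and all sample data are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumption: user agent of an ESR60-based Tor Browser, used here only as sample input.
UA_TB = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
TB_UA_RE = re.compile(r"^Mozilla/5\.0 \(Windows NT 6\.1; rv:60\.0\) "
                      r"Gecko/20100101 Firefox/60\.0$")
# The fingerprint whose identifiability we measure (constructed values).
TARGET_FP = (UA_TB, "1000x900", "UTC")

def tor_browser_only(records, ua_re=TB_UA_RE):
    """Keep submissions that came from an exit address AND match the UA regex."""
    return [r for r in records if r["via_exit"] and ua_re.match(r["ua"])]

def surprisal_bits(records, fingerprint):
    """-log2 of the share of `records` that present exactly this fingerprint."""
    count = Counter(r["fp"] for r in records)[fingerprint]
    if count == 0:
        raise ValueError("fingerprint not present in this population")
    return -math.log2(count / len(records))

def sample_records():
    """Constructed test population: 64 submissions, 8 of them real Tor Browser."""
    recs = []
    for _ in range(4):   # Tor Browser users with the default window size
        recs.append({"ua": UA_TB, "via_exit": True, "fp": TARGET_FP})
    for _ in range(4):   # Tor Browser users who resized the window
        recs.append({"ua": UA_TB, "via_exit": True,
                     "fp": (UA_TB, "1300x700", "UTC")})
    # Spoofed Tor Browser UA that did not arrive through an exit: filtered out.
    recs.append({"ua": UA_TB, "via_exit": False,
                 "fp": (UA_TB, "1366x768", "UTC+2")})
    for i in range(55):  # other browsers, each with a distinct fingerprint
        ua = f"Mozilla/5.0 (constructed sample) Chrome/75.0.{i}"
        recs.append({"ua": ua, "via_exit": False,
                     "fp": (ua, "1920x1080", "UTC+1")})
    return recs

if __name__ == "__main__":
    everyone = sample_records()
    tb_users = tor_browser_only(everyone)
    print("all browsers:     %.1f bits" % surprisal_bits(everyone, TARGET_FP))
    print("Tor Browser only: %.1f bits" % surprisal_bits(tb_users, TARGET_FP))
```
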

How can I see my version info on Android? Also, starting last night, I'm getting a script loading error message after my Tor connection is complete. Is there a debug log I can post?

For the Android version, no, that's currently not easily possible. We have https://trac.torproject.org/projects/tor/ticket/30943 for that, though.

found problem after starting android arm
"unresponsive script
It's "https everywhere"
rules.js.308

i disabled https everywhere, restart and the error still shows.

These are just a couple things Tor does that makes me wanna avoid it
1. you disable the ability to control java on certain sites of your choice
2. You often make the answers to simple questions so complicated most people give up
3. you tell us to click on something and you don't tell us where to find it to click on it.
4. I often times find an answer much quicker and simpler from a windows site or user.
These are simple things to fix but after all this you ask for donations when a person is so frustrated he wants to toss his computer out the window. You have the computer thing down. Now all you have to do is develop some social skills. And if you think I'm the only one who feels this way you need to do a survey.

Thanks for the feedback. Do you have examples for 2. and 3.? For 1., you mean JavaScript? If so, that feature is not disabled. If you need it before we get to adding direct support into the browser for it, just re-add your NoScript button to the toolbar by clicking on the hamburger menu -> Customize and then drag the NoScript icon to the place at the toolbar where you want to have it and then click on "Done". That gives you the old interface back.

2. simple questions don't automatically have simple answers. depending on the question, sometimes someone believes it's simple because they don't know enough about the topic to realize how complicated or risky it really is. most new people have to learn as I did that tor is a tool and is neither safe nor effective unless they also adjust their behavior toward it. the old website warned about that under the download links, but the new site doesn't. sometimes, the question (issue/ticket) has gaps in relevant information, so it can't be answered or has several possible answers. sometimes, the person answering infers from the question an appropriate skill level for the answer or writes to supplement previous answers. it's basically helping each other with tech support. have a go at browsing https://stackexchange.com and https://what-if.xkcd.com/archive

4. tor browser is cross platform, built to run on linux, macos, android, and windows. and it's based on firefox esr that's also cross platform. some questioners ask about things in windows or firefox they use alongside tor browser or that were carried over from firefox. tor project is not expected to know answers for things they don't make or regularly interact with. for those, peers of yours such as me are the ones who usually end up answering. you could help to answer questions, too.

I have some basic "Tor For Dummies" questions...

1. Is it possible to... / How can I... pin an onion protected website navigated to through the Tor Browser to my Windows 10 desktop/taskbar/start tiles as a shortcut ?

2. Where is the cute half yellow/half purple onion icon (that accompanies the install folder) stored in windows 10 so I can point to it for my folder options in Windows 10 Explorer ?

Thanks for your help and all your hard work !
