New Release: Tor Browser 9.0a4

Tor Browser 9.0a4 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

Tor Browser 9.0a4 contains updates to a number of bundle parts, most importantly Firefox (60.8.0esr) and Tor (0.4.1.3-alpha).

In our ongoing efforts to reach more users with Tor Browser, we include native Macedonian bundles for the first time and ship Tor Browser for the aarch64 architecture on mobile (note: the aarch64 build is not currently available on Google Play. You can however download it from our distribution directory, along with its signature). Additionally, we have implemented fixes for accessibility support on Windows systems (big thanks to Richard Pospesel for the hard work here), which now deserve wider testing. Finally, letterboxing is now enabled by default. Please give it a try if you can, so we can iron out bugs before we ship it to all users starting with Tor Browser 9.

As in the stable series, we include a fundraising banner to help us get more donations. Please donate if you can!

The full changelog since Tor Browser 9.0a3 is:

  • All platforms
    • Update Firefox to 60.8.0esr
    • Update Torbutton to 2.2.1
    • Update Tor Launcher to 0.2.19.2
      • Bug 30468: Add mk locale
      • Translations update
    • Update HTTPS Everywhere to 2019.6.27
    • Bug 31055+31058: Remove four default bridges
    • Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
  • Windows + OS X + Linux
  • Windows
    • Bug 27503: Provide full support for accessibility tools
    • Bug 30575: Don't allow enterprise policies in Tor Browser
  • OS X
    • Bug 30631: Blurry Tor Browser icon on macOS app switcher
  • Android
Mateus

July 17, 2019

RED ALERT

Tor Project's certificate is poisoned.

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

For a specific example, take a look at the Tor Project signing key:

$ apt-key adv --recv-keys --keyserver keys.gnupg.net 886DDD89
gpg: requesting key 886DDD89 from hkp server keys.gnupg.net
gpg: packet(13) too large
gpg: read_block: read_error: invalid packet
gpg: Total number processed: 0
gpg: no valid OpenPGP data found.

This SKS keyserver poisoning is going to destroy the entire PGP system:

https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html

Impact of SKS keyserver poisoning on Gentoo (Jul 3, 2019)

The SKS keyserver network has been a victim of certificate poisoning attack lately. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to shortly summarize what the attack is, what we did to protect Gentoo against it and what can you do to protect your system.
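
An added example, not part of the comment above and not Tor Project or Gentoo tooling: the flooding described there attaches a very large number of signature packets to a certificate, so this framing-level parser counts packets by tag in a binary (non-armored) key export and flags the certificate before it reaches a keyring. The threshold, the function names and the sample bytes are assumptions constructed for illustration; packet bodies are not interpreted.

```python
# Added example: tally OpenPGP packet tags in a binary key export (framing only).
from collections import Counter

SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13  # packet tags from RFC 4880
MAX_SIGS = 1000                            # assumed local policy, not a standard

def iter_packets(data):
    """Yield (tag, body_length) per packet; ValueError on framing we cannot follow."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        lens = data[pos + 1:pos + 6]       # enough octets for any length field
        if hdr & 0x40:                     # new-format header
            tag = hdr & 0x3F
            if lens and lens[0] < 192:
                length, used = lens[0], 1
            elif len(lens) >= 2 and lens[0] < 224:
                length, used = ((lens[0] - 192) << 8) + lens[1] + 192, 2
            elif len(lens) >= 5 and lens[0] == 255:
                length, used = int.from_bytes(lens[1:5], "big"), 5
            else:
                raise ValueError(f"offset {pos}: partial or truncated length")
        else:                              # old-format header
            tag, used = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if used == 8 or len(lens) < used:
                raise ValueError(f"offset {pos}: indeterminate or truncated length")
            length = int.from_bytes(lens[:used], "big")
        pos += 1 + used
        if pos + length > len(data):
            raise ValueError(f"tag {tag}: body runs past end of input")
        yield tag, length
        pos += length

def flood_check(data, max_sigs=MAX_SIGS):
    """Return (flooded?, per-tag packet counts) for one exported certificate."""
    counts = Counter(tag for tag, _ in iter_packets(data))
    return counts[SIGNATURE] > max_sigs, counts

def old_packet(tag, body):
    """Constructed-sample helper: old-format packet with a two-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def sample_cert(n_sigs):
    """Constructed input: key packet, user ID, then n_sigs dummy signatures."""
    return (old_packet(PUBLIC_KEY, bytes(16))
            + old_packet(USER_ID, b"Example <user@example.invalid>")
            + old_packet(SIGNATURE, bytes(10)) * n_sigs)
```

With the constructed samples, `flood_check(sample_cert(3))` passes and `flood_check(sample_cert(5000))` is flagged; truncated or unparseable input raises `ValueError` instead of being counted.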

Mateus

July 17, 2019

Will Tor Project give users any advice on how to verify future releases of Tor Browser without breaking their GPG keyring? See the posts by RJH and DKG at their blogs on the keyspamming attacks on themselves and on Tor Project.

Mateus

July 18, 2019

Hi!
What did you do with the view of comments on this blog? They have become ugly and unreadable.
(Tor Browser 8.5.4 Win7 32bit)
WTF???

Mateus

July 21, 2019

Tor Browser (8.5.4) has become unusable for me, because it crashes after a while and also crashes my entire system (no mouse or keyboard input possible anymore). My system is Arch Linux with XFCE. Never had this problem before, have been using Tor Browser for years.

Mateus

July 22, 2019

Default Moat on default Windows 10:

[07-23 04:57:10] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:10 running firefox command ["C:\\Tor Browser\\Browser\\firefox.exe" "--invisible" "-no-remote" "-profile" "C:\\Tor Browser\\Browser\\TorBrowser\\Data\\Browser\\profile.moat-http-helper"]

[07-23 04:57:10] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:10 firefox started with pid 14832

[07-23 04:57:12] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:12 running meek-client command ["TorBrowser\\Tor\\PluggableTransports\\meek-client.exe" "--helper" "127.0.0.1:50861"]

[07-23 04:57:13] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:13 meek-client started with pid 4896

[07-23 04:57:13] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:13 using helper on 127.0.0.1:50861

[07-23 04:57:13] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:13 listening on 127.0.0.1:50862

[07-23 04:57:20] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:20 status code was 500, not 200; trying again after 30 seconds (9)

[07-23 04:57:50] TorLauncher WARN: meek client stderr: 2019/07/23 04:57:50 error reading from local: EOF

Mateus

July 22, 2019

Moat is still unusable (Tor is broken):

Tor NOTICE: Switching to guard context "bridges" (was using "default")
Tor NOTICE: Delaying directory fetches: No running bridges
Tor WARN: Pluggable Transport process terminated with status code 0
[07-23 05:03:36] Torbutton NOTE: no SOCKS credentials found for current document.
Tor NOTICE: new bridge descriptor 'Unnamed' (fresh): $XXX~Unnamed at XX.XX.XX.XX
Tor NOTICE: Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for 1/2 of our primary entry guards (total microdescriptors: 6328/6328).
Tor WARN: Proxy Client: unable to connect to XX.XX.XX.XX:33189 ("general SOCKS server failure")
Tor WARN: Proxy Client: unable to connect to XX.XX.XX.X:40353 ("general SOCKS server failure")
[07-23 05:04:01] Torbutton NOTE: no SOCKS credentials found for current document.
Tor NOTICE: Application request when we haven't used client functionality lately. Optimistically trying known bridges again.

Moderators, please redact the bridge fingerprint (unhashed) and 3 IP addresses from the "Moat" comment. OP, please keep information that identifies a bridge except its hashed fingerprint a secret.

Mateus

July 23, 2019

Hello!

Our phones must stop being gadgets spying on us!

"Stealth mode" for mobile phones.

When this mode is activated, the phone does not receive or send any signals.
Police mode and all such things should be turned off.

This mode can also be added to smart watches, heart rate monitors, cars, etc.

And it will help sell new models of smartphones.
But I doubt that Apple and other IT-companies will stop cooperating with the state.
Most likely the stealth mode in their phones will be incomplete.

Mateus

July 23, 2019

Are those poisoned keys the reason GET-TOR has stopped working? Apparently, gettor@torproject.org doesn't respond to e-mails from the CarNET web-mail (and it should, since I am not asking for bridges, but for download links).

Mateus

July 24, 2019

"HELL YEAH" I'll say "THANK YOU" better believe it, you guys poured heart, mind, soul, blood, sweat & tears into this upgraded version of tor. It seems to be a sportier model, it flies through the internet or outernet (yeah I know "Inter" "enter") I digress, where was I? OH!! "all the nets out there" super fast! Thank you very much & best wishes

Mateus

July 24, 2019

Hello,

Since I downloaded the torbrowser on this site, I have two trojans on my PC. Is it possible that the filous (agents/police) from France work secretly in your community and did this?

C:\Users\Benutzername\Downloads\torbrowser-install-win64-8.5.3_de.exe: Win.Malware.Nymeria-6913499-0 FOUND

C:\Windows\System32\SearchIndexer.exe: [Win.Trojan.Agent-7015311-0] FALSE POSITIVE FOUND

Mateus

July 25, 2019

The tor-project is infiltrated by secret service agents! I found this malware here on site and my comment is not published!
C:\Users\Benutzername\Downloads\torbrowser-install-win64-8.5.3_de.exe: Win.Malware.Nymeria-6913499-0 FOUND
Each forum that does not publish the comments instantly makes censorship because they work for our enemies!

Please calm down. There is no one censoring your posts here, just devs that are overloaded. That said: what you found is likely either a false positive of your antivirus program or some infection you got from somewhere else. Do you download the .exe files from our website and check that you actually got what you downloaded?

> Do you check that you actually got what you downloaded?

Hard to do in the wake of certificate flooding. Your answer about false positives or third-party infection should be followed by "How can I verify Tor Browser's signature?" and substitute 0x4E2C6E8793298290 that isn't flooded. Then, reinstall the verified exe and "My antivirus or malware protection is blocking me from accessing Tor Browser."

Mateus

July 26, 2019

When something wrong happens with tor, it stalls loading tpo in Tor Browser and changes guard node after some time. But there's no reason to do that: tpo is ok, net is ok, guard is ok - https://metrics.torproject.org/rs.html#details/E37724D8AD87B149EAD2F3DF…
The only thing it logs to console is:
Tor NOTICE: We tried for 15 seconds to connect to '[scrubbed]' using exit $9C5AFD49AAE4E0272BAD780C6DD71CE1A36012A6~coffswifi4 at 82.223.14.245. Retrying on a new circuit.
which is a bad notice.

You said it changes the guard node, but your log says it changed the circuit and exit node. Tor is supposed to change exit nodes every 10 minutes if the circuit is idle. Tor is not supposed to change your guard node until months have passed. Are you sure the IP address of your guard node in the circuit display panel is changing?

Mateus

July 30, 2019

I try to disable the proxy (orbot?) on launch of the browser but it comes back every time after restart.
I don't have root so I can't delete this plugin in the extensions folder. I want to use it as a general browser but more "clear".
If devs read this, please fix this problem so that it is possible to disable orbot with about:config and it does not go back to "1" after restart.

Mateus

July 30, 2019

A fresh install of Ubuntu is unable to run Tor Browser from the repositories because of the SKS key poisoning attack. Don't you think the Tor team should have a blog post on this detailing an official work around? This is very bad.

Mateus

August 02, 2019

In alpha versions 9.a03 - 9.a05 android there is a problem posing a threat!
Description of the problem:
I am going through authorization, logging in to the account, I am on the site, closing the page past the "exit" button; After closing the page, I clear the browser cache. I go back to the site, the following happens: I see that I am logging in to my account without authorization. This means that the browser cache is not completely cleared, which can in some cases pose a serious threat.

Mateus

August 12, 2019

There is an option to enable DNS over HTTPS and add DoH resolvers in Firefox 62 and later which seems to be not available in this Tor version though it's based on Firefox 68.

First, Tor, tor, and Tor Browser are all different things. Capital Tor is the network of volunteer relays. Lowercase tor is the small "expert" binary (exe) configured using a torrc file. The Tor Browser Bundle comes in a large installer containing tor and the Tor Browser based on Firefox ESR.

Second, "this Tor (Browser) version" is not "based on Firefox 68". The post you replied to says, "Update Firefox to 60.8.0esr".

Third, DoH is controversial. Understand it before enabling it.

Mateus

August 12, 2019

Hi, it seems to crash on macOS Catalina on start. Makes it a bit further than the stable 8.5.4 release and asks to reopen windows or not and crashes right after.

Process: firefox [1002]
Path: /Applications/Tor Browser.app/Contents/MacOS/firefox
Identifier: org.torproject.torbrowser
Version: 9.0a4 (6019.4.1)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: firefox [1002]
User ID: 501

Date/Time: 2019-08-12 19:46:59.798 -0400
OS Version: Mac OS X 10.15 (19A526h)
Report Version: 12
Bridge OS Version: 3.0 (14Y904)
Anonymous UUID: EC1D2359-242C-7D12-66A8-232AC60E0C2F

Time Awake Since Boot: 760 seconds

System Integrity Protection: enabled

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT
Exception Note: EXC_CORPSE_NOTIFY

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [1002]

On the download page, the first installers you see in the purple circles are 64 bit. You need the 32 bit version. Under the circles, click "Download in another language or platform." On that page, find your language, and click "32-bit". If that doesn't help, reply with details of the problem.

For other help, read the Tor Browser User Manual, Support FAQ, old General FAQ, and old documentation overview.

Mateus

August 17, 2019

Can anyone help me with joining?? I've been trying to get on all day and for some reason it's not allowing it. I've downloaded a bunch of different browsers, all end up in the same result..

Tor Project controls the torproject.org domain. If you are trying to access another domain, ask the webmasters of that domain. Search for a service that checks if a site is down for everyone or if it's just you.

Mateus

August 22, 2019

Hi tor, just letting you know that when I go to a local news site it won't allow me to access, it says that I am from another country and gives a phone number to call locally. Also, one other website says too much traffic is coming from my PC when I use the Tor Browser.

The Tor network consists of relay servers operated by volunteer users around the world. Your local copy of tor chooses circuits through the network and exit relays that connect your traffic to the normal internet. When your traffic exits the network, it appears to come from the location of the exit node which can be in another country. To see your circuit for a site, click on the padlock or circled "i" icon in the address bar.

General FAQ:

Support FAQ: