New Release: Tor Browser 9.0a6

Update 6/9 0600UTC: Added another known issue.

Tor Browser 9.0a6 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This is the first alpha release based on Firefox ESR68, and therefore contains several important changes such as the rebasing of our Firefox patches, toolchain updates, integration of Torbutton directly into the browser and updates to Tor Launcher to make it compatible with ESR68.

If you find any issue with this release, please help us by reporting them so we can fix as much as we can before the first stable release based on ESR68, which is planned for October 22.

Known issues:

  • Tor Browser 9.0a6 is not reproducible on some platforms right now: We have issues on 32bit Linux, Windows, and Android. Those are planned to be fixed in the next alpha release, though, to give the usual guarantees reproducible builds aim to provide.
  • New Identity and the bridge configuration in the browser are not easily accessible anymore as we removed the onion button. We are currently working on a replacement for both: New Identity will be exposed directly in the toolbar and the bridge configuration gets integrated in the Firefox settings. For New Identity please use the shortcut (Ctrl+Shift+U) for now or the item in the hamburger menu.
  • We already have a number of known tickets we need to work on in the coming weeks. The most important ones are tagged with the tbb-9.0-must-alpha keyword. Moreover, we have accumulated Firefox 68 ESR related issues over the time that can easily be queried with our ff68-esr keyword.

The full changelog since Tor Browser 9.0a5 is:

  • All platforms
    • Update Firefox to 68.1.0esr
    • Update NoScript to 11.0.3
      • Bug 26847: NoScript pops up a full-site window for XSS warning
      • Bug 31287: NoScript leaks browser locale
    • Bug 30429: Rebase patches for Firefox 68 ESR
    • Bug 10760: Integrate Torbutton into Tor Browser directly
    • Bug 25856: Remove XUL overlays from Torbutton
    • Bug 31322: Fix about:tor assertion failure debug builds
    • Bug 31520: Remove monthly giving banner from Tor Browser
    • Bug 29430: Add support for meek_lite bridges to bridgeParser
    • Bug 28561: Migrate "About Tor Browser" dialog to tor-browser
    • Bug 30683: Prevent detection of locale via some *.properties
    • Bug 31298: Backport patch for #24056
    • Bug 9336: Odd wyswig schemes without isolation for browserspy.dk
    • Bug 27601: Browser notifications are not working anymore
    • Bug 30845: Make sure internal extensions are enabled
    • Bug 28896: Enable extensions in private browsing by default
    • Bug 31563: Reload search extensions if extensions.enabledScopes has changed
    • Bug 31396: Fix communication with NoScript for security settings
    • Bug 31142: Fix crash of tab and messing with about:newtab
    • Bug 29049: Backport JS Poison Patch
    • Bug 25214: Canvas data extraction on locale pdf file should be allowed
    • Bug 30657: Locale is leaked via title of link tag on non-html page
    • Bug 31015: Disabling SVG hides UI icons in extensions
    • Bug 31357: Retire Tom's default obfs4 bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.1.5
    • Update Tor Launcher to 0.2.19.3
      • Bug 29197: Remove use of overlays
      • Bug 31300: Modify Tor Launcher so it is compatible with ESR68
      • Bug 31487: Modify moat client code so it is compatible with ESR68
      • Bug 31488: Moat: support a comma-separated list of transports
      • Translations update
    • Bug 29430: Use obfs4proxy's meek_lite with utls instead of meek
    • Bug 31251: Security Level button UI polish
    • Bug 31344: Register SecurityLevelPreference's 'unload' callback
    • Bug 12774: Selecting meek in the browser UI is broken
    • Build System:
  • Windows
    • Bug 31547: Back out patch for Mozilla's bug 1574980
    • Bug 31141: Fix typo in font.system.whitelist
    • Backport fix for bug 1572844 to fix broken build
  • OS X
  • Linux
    • Bug 31403: Bump snowflake commit to cd650fa009
  • Android
    • Bug 31010: Rebase mobile patches for Fennec 68
    • Bug 31010: Don't use addTrustedTab() on mobile
  • Build System:
    • All Platforms:
      • Bug 30585: Provide standalone clang 8 project across all platforms
      • Bug 30376: Use Rust 1.34 for Tor Browser 9
      • Bug 30490: Add cbindgen project for building Firefox 68 ESR/Fennec 68
      • Bug 30701: Add nodejs project for building Firefox 68 ESR/Fennec 68
      • Bug 30734: Add nasm project for building Firefox 68 ESR/Fennec 68
    • Windows
      • Bug 30322: Windows toolchain update for Firefox 68 ESR
        • Bug 28716: Create mingw-w64-clang toolchain
        • Bug 28238: Adapt firefox and fxc2 projects for Windows builds
        • Bug 28716: Optionally omit timestamp in PE header
        • Bug 31567: NS_tsnprintf() does not handle %s correctly on Windows
        • Bug 31458: Revert patch for #27503 and bump mingw-w64 revision used
      • Bug 9898: Provide clean fix for strcmpi issue in NSPR
    • OS X
      • Bug 30323: MacOS toolchain update for Firefox 68 ESR
      • Bug 31467: Switch to clang for cctools project
      • Bug 31465: Adapt tor-browser-build projects for macOS notarization
    • Linux
      • Bug 30321: Linux toolchain update for Firefox ESR 68
        • Bug 30736: Install yasm from wheezy-backports
        • Bug 31447: Don't install Python just for Mach
      • Bug 31394: Replace "-1" with "−1" in start-tor-browser.desktop.
    • Android
      • Bug 30324: Android toolchain update for Fennec 68
        • Bug 31173: Update android-toolchain project to match Firefox
        • Bug 31389: Update Android Firefox to build with Clang
        • Bug 31388: Update Rust project for Android
        • Bug 30665: Get Firefox 68 ESR working with latest android toolchain
        • Bug 30460: Update TOPL project to use Firefox 68 toolchain
        • Bug 30461: Update tor-android-service project to use Firefox 68 toolchain
      • Bug 28753: Use Gradle with --offline when building the browser part
Anonymous

September 05, 2019

Permalink

I feel like something is wrong with this release.
not only did features like the "new identity" button disappear. and the browser feels more like a vanilla firefox than torbrowser (with stuff like pocket enabled, and settings changed).
but firefox.exe is also suddenly creating a firewall alert, trying to connect to a few IPs at port 80.

Which Windows version are you on? And, yes, this is one of the rare alpha releases which are really an alpha release: A New Identity button will appear (see: https://trac.torproject.org/projects/tor/ticket/27511), hopefully in the next alpha, while the onion button will be gone for good. Pocket still needs to get disabled, yes.

What settings did get changed?

Anonymous

September 05, 2019

Permalink

Can you tell phony Cloudflare to add the Firefox 68 UA to the whitelisted ones? We don't want to have to deal with captchas all the time again... Thanks!

Anonymous

September 05, 2019

Permalink

Thank you for linking to those bug reports in the blog post! I found issues #30662 and #31601 useful for understanding the (temporary) visual changes in the browser.

Just installed /updated my Tor Browswer to 9.0.a6

And now all of the comments im Bookmarks are gone! Why is that ?!?
There were essential comments/infos on the related pages!
How can i get back these informations?

You mean your bookmarks are gone? Or something else? How did you create those comments?
Which operating system are you on?

Thanks for the reply.
No, no not the bookmarks themelves - but the description fields are empty
Right-click on a bookmark -> Properties -> and then you get several fields (Name, Location, Tags, Keyword, Description) for each bookmark. Most essential one, of course, is "location"

For example: in my Tor-Blog Bookmark you can find the Description "Best Anonymous Browser in the world!".
And it's gone!
Other comments/description are way more important - and they are also gone.

I switched back to Tor-Browser 8.5.5 - and eyerthing is fine. All the fields filled with the information I hacked in over the last years.

OS is Linux (Fedora 5.2.11-200.fc30.x86_64 ) .

The field "Description" was replaced by "Keyword" in the properties of each bookmark. Guess that's the problem.

If you ment descriptions then see this

https://www.mozilla.org/en-US/firefox/62.0/releasenotes/

still broken in sandboxie

> Bug 31465: Bump Go to 1.12.9
Wrong ticket number.

No. The bump got done in that ticket as it was necessary for the notarization part.

-O1 on clang is unacceptably slow.

-O3 for JS?

hello,
something's definitely wrong.
Operating system Mac OSX (version 10.14.6)!
After update nothing works anymore, Tor freezes, the settings can't be called - in short I can't use it. Had to restore version 9.0a4 (based on Mozilla Firefox 60.8.0esr) (64-bit) from backup.
Do other users also have such problems?

You are the first one reporting that. Does the problem still occur with a clean installation, e.g. to a different location like your Desktop (just drag the app there after double-clicking on the .dmg)?

Yes. Despite a clean installation, the two most obvious things that no longer work are "Quit" (I have to force-quit the application) and the "About" window no longer displays. I've not had it installed for very long, so there may be more discoveries yet to be made. (macOS 10.4.6)...

Developer! In mobile versions of Tor Browser for Android devices there is a vulnerability when using "Privacy Tab". After authorization on the site and further closure of the "Privacy Tab" in the browser remain identification data that are not deleted after clearing the cache!
In tests: Re - visit the site after clearing the cache shows automatic registration on the site! In the process of developing the Tor Browser version 9.0a3 - 9.0.a6 for Android this vulnerability persists in the browser. This vulnerability is a constant security threat to all users of Tor Browser for Android!
Version 9.0a3 - 9.0a6 use is dangerous!

Offered to take a test:

1) log on to the website and complete the authorization.
2) do not click on the "exit" button, and clear the browser cache. Page closes. The browser will report: the data has been deleted.
3) re-enter the site without going through the authorization procedure.

You will see that you are logged into your account without entering a login and password.

******************************************************************
Разработчик! В мобильных версиях Tor Browser для андроид устройств наблюдается уязвимость при использовании "Privacy Tab". После авторизации на сайте и дальнейшего закрытия "Privacy Tab" в браузере остаются идентификационные данные которые не удаляются после чистки кэша!
При тестах : Повторное посещение сайта после чистки кэша показывает автоматическую регистрацию на сайте! В процессе разработки Tor Browser версий 9.0a3 - 9.0.a6 для андроид данная уязвимость в браузере сохраняется. Подобная уязвимость представляет постоянную угрозу безопасности всем пользователям Tor Browser для андроид!
Версиями 9.0a3 - 9.0a6 пользоваться опасно!

Предлагаю пройти тест:

1) войдите на сайт и пройдите авторизацию.
2) не кликайте на кнопку "выход", и очистите кэш браузера. Страница сайта закроется. Браузер сообщит: данные удалены.
3) повторно войдите на сайт не проходя процедуры авторизации.

Вы увидите, что вошли в свой аккаунт без ввода логина и пароля.

#26847 This is not fixed as was stated. This full page pop-up occurs at the oddest of times. As I mentioned awhile ago, it is as relentless as a damn captcha. It even popped up on your email from today with this tor-announce! So please don't claim that it is fixed. Otherwise, thank you again for your work. Let us hope that soon this nuisance will go away. It is difficult to use the computer when it is in the way.

You mean you still get a *full page* popup? (Yes, there is still a popup in case NoScript thinks something is wrong, but it should be way smaller). Which NoScript version are you on? What is the suspicious URL NoScript is reporting?

Thank you gk for your reply. I am on 11.0.3 and yes, there was a full page popup that occurs and holds for a second prior to reducing to a smaller coverage. I don't have the one I mentioned's URL written down, although it came up when I opened your email. It occurs when certain, innocent emails like yours are clicked on and at other times. I usually don't do anything that seemingly causes it. After awhile, you see enough of them that you just want to stop them and get them away as quickly as poss. I know a couple of sights that are guaranteed to make them happen, even though the sites' safety you wouldn't expect compromised. Any thing I can do to help you I will try to do. (I am not as computer savvy as you are, I'm sure). Thanks again.

Do you have an example site which reproduces the problem for you (and does not require logins etc.)?

F.Y.I. - This initial post was meant for under the new 8.5.5 Sorry it is in the wrong spot. (not for under 9.0a6).

No worries, our blog is still quite confusing. :(

After updating, this Tor Browser does not start in Whonix anymore (the script says "Exited with code 255").
And the freshly downloaded instance does not run either.
And the manual "sh -c ..." launch command appeas to launch it, but nothing really opens up.
Script changes?

I suspect that's https://trac.torproject.org/projects/tor/ticket/31646. Does the workaround mentioned in the ticket help for the time being?

Thanks for the possible fix.
I already downgraded this alpha to the stable version. That still runs good in the same system, as before.
I'll be looking for the next great alpha, though.
Thanks for your work!

Georg, can we get an official statement on whether it's safe to switch to the black Firefox theme when we click on Hamburger Menu > Customize or does it engender fingerprinting concerns? (though I have 0 idea how it could be possible to determine the theme that one is using by JS unless of a potential bug)

OS: Windows_10 x64 Enterprise 1903 18362.239
Tor 8.8.5
--------------

I can't connect to TOR.
How can I connect to TOR ?

However
Connection is possible when Windows Firewall is disabled.

(I use Maiwarebyte Firewall controll.
Usually set as follows.
Medium Filtering
   Outgoing connections that do not match a rule are blocked)

[img]https://i.imgur.com/MDzqX1b.jpg[/img]

Tor is installed below.
C: \ Tor Browse \ Browser

When installing to the original desktop directory,
it was possible to connect to TOR.

-------------------------
[img]https://i.imgur.com/3OoHUIU.jpg[/img]
--------------------------

Error Log:

9/7/19, 02:42:56.770 [WARN] Problem bootstrapping.
Stuck at 0% (starting):
Starting. (Permission denied [WSAEACCES ];
RESOURCELIMIT; count 10;
recommendation warn;
XXX)
9/7/19, 02:42:56.950 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
9/7/19, 02:42:56.960 [NOTICE] DisableNetwork is set.
Tor will not make or accept non-control network connections.
Shutting down all existing connections.
9/7/19, 02:42:56.960 [NOTICE] Delaying directory fetches: DisableNetwork is set.

-------------------

I have to correct, not *all* of the fields are empty, but the "Description" field, where I used to store my notes.

This release doesn't start as a native wayland client, even with the GDK_BACKEND=wayland variable. Sad.

> Tor Browser must be run within the X Window System.

I'm using tor android. Browser has an option to play video on browser's player from websites. Also have an option to save the video. The problem is when i save a video by choosing that option nothing happened. I repeatedly complained on Google play review since more than 1 years. Please help me. What was the problem.

On MacOS 10.13.x, nothing happens when clicking Tor Browser > About Tor Browser.

On MacOS, in the Tor Browser menu, the following items don't work: About Tor Browser, Preferences, Hide Tor Browser, Hide Others, Show All, & Quit Tor Browser.

All of that is tracked in https://trac.torproject.org/projects/tor/ticket/31607 and we are working on it, thanks!

Already told you but i say it again, it's impossible to close the app Tor, I have to do Alt+Cmd+Esc to close it. I am on Mac OX 10.13.6.
I hope a new release soon. Thanks

Configuring an Android-based mobile device for authenticated Version 2 Onion Services

how does it works with the new Tor Browser 8.5.5
i cannot find the torrc and with orbot is doesn't work

How did you used to configure authenticated v2 versions? And what do you mean with Orbot it does not work? We did not change anything in Orbot. In fact, we are not even using Orbot (anymore) in the browser.

In April of this year @gkgk assured us releasing a separate APK of new Tor Browser (not Orfox) for Android devices. What happened to it? You very well know that new Tor Browser does not support Alwasy-on VPN functionality and the entire Tor network shuts down when you exit new Tor Browser.

Also, Orbot and new Tor Browser do not work together.

Orbot on the other hand, has supported such features and no data leak is possible due to Android's new "Block connection without VPN" function. This is right now the only way to completely tunnel entire Android over Tor network.

We just need a separate APK of Tor Browser which can be used over Orbot.

Looking forward to your response.

Ref.: Reddit Post That Inspired Me!

Latest version added a permission in android to change audio settings. What's the purpose of that?

Which permission do you mean? Any example to trigger this?

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

2 + 7 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.