New Release: Tor Browser 9.5a1

Tor Browser 9.5a1 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates.

Tor Browser 9.5a1 is the first release in the 9.5 alpha series. It contains all the improvements and fixes from the 9.0 release as well as other new features: We enabled WASM on the standard security level, fixed circuit display for bridges without a fingerprint, and we re-enabled jemalloc for Windows users.

The full changelog since Tor Browser 9.0a8 is:

  • All Platforms
    • Update Firefox to 68.2.0esr
    • Bug 31740: Remove some unnecessary RemoteSettings instances
    • Bug 30681: Set security.enterprise_roots.enabled to false
    • Bug 31144: Review network code changes for Firefox 68 ESR
    • Bug 21549: Enable WASM on standard security level
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.1
      • Bug 32154: Custom bridge field only allows one line of input
      • Bug 32112: Fix bad & escaping in translations
      • Bug 31286: Update to tor settings related strings
      • Translations update
    • Bug 32125: Fix circuit display for bridge without a fingerprint
    • Bug 32076: Upgrade to goptlib v1.1.0
    • Bug 32061: Bump snowflake version to b4f4b29a03
    • Bug 32092: Fix Tor Browser Support link in preferences
    • Bug 32111: Fixed issue parsing user-provided bridge strings
    • Bug 31749: Fix security level panel spawning events
    • Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
    • Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
    • Translations update
  • Android
    • Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
    • Bug 26529: Notify user about possible proxy-bypass before opening external app
  • Build System
    • Windows
      • Bug 32132: Re-enable jemalloc for Windows users
      • Bug 31989: Backport backout of old mingw-gcc patch
    • Android
      • Bug 30461: Clean up tor-android-service project
Anonymous

October 23, 2019

Permalink

Thanks for your great work!
What is the status of allowing/disallowing on a webpage the scripts from the linked domains individually?

Currently, when NoScript is not visible, to make a site work, one has to lower the total security for all scripts together (via "3 safety levels"). If I understand correctly, this allows all scripts, even the 3rd party trackers.

I remember earlier this year it was said in this blog that the individual-domain script controls were to return after the new Firefox ESR is ported into TorBrowser.
Is it still planned?

If not, is there a different recommended way to enable only the good scripts on a page, while keeping the trackers disabled?

Thanks.

Yes, it is still planned to have per-site security settings support, and this feature is on our roadmap for the next two months. This is the ticket:
https://trac.torproject.org/projects/tor/ticket/30570

Until this is available, I think the only way to do it is to add back noscript to the toolbar (which you can do by selecting Customize in the hamburger menu).

Anonymous

October 23, 2019

Permalink

Snowflake's speed on windows seems to be capped to just a dozen Kb per second, and restarted the browser many times, is this normal?

Anonymous

October 24, 2019

Permalink

Danger! TOR BROWSER version 9.0 Android -9.* ALPHA Android.

A vulnerability in the Tor Browser (Android) - version 9.0 / 9.*.* (alpha)

The problem description concerns Tor Browser version 9.0 / 9.*.* (alpha) for Android operating system!
The reason for the vulnerability: - after clearing the cache online, cookies and other identification data remain in the browser.

Detailed description of the actions performed and the presence of the problem:
I do not make any changes to the settings, I do not use add-ons.
Using a clean browser
After clearing the cache from the browser menu, necessarily change the tor ID.
And under such conditions, the result is sad.

My action:

1) launch Tor Browser
2) on the main page about:tor in the "address input field" window, I register the site address
3) click, activate the link
4) the site page opens
5) enter login and password
6) click, for the authorization process.
7) the page is reloaded, authorization occurs
8) I make any actions necessary for me on the site under my login and password.
9) the site page is open, do not click (do not click) on the exit button - do not touch anything.
10) click, browser menu
11) I go to the browser settings menu, click: "clear private data"
12) browser reports: "personal data deleted"
13) close the browser menu
14) in the opened main browser window (about: tor) in the address input field, I register the address of the site where I just was.
15) click
16) the site page is loaded and opened
17) I see on the opened main page of the site that I am authorized and online!
18) I click for example: on the link to enter the personal account, and freely enter without entering the login and password, I can perform any actions without authorization.

THIS IS A SIGN THAT PERSONAL IDENTIFICATION DATA HAS BEEN STORED IN THE CACHE AFTER CLEANING!

I do not recommend using version 9.0 / 9.* - (alpha).

Hi Tor-Team, regarding Letterboxing: The bad contrast on dark themed websites forced me to disable it completely for now (set privacy.resistFingerprinting.letterboxing to false).

It would be really great if one could set the background color of the Letterboxing borders (f.e.: privacy.resistFingerprinting.letterboxing.border_background_color: #000000).

Keep up the good work!

I totally agree with that. We have https://trac.torproject.org/projects/tor/ticket/32220 to track the work and are hopefully able to release a bugfix release shortly with that issue addressed.

[10-24 12:26:26] Torbutton INFO: tor SOCKS: https://tb-manual.torproject.org/en-US via
about.ef2a7dd5-93bc-417f-a698-142c3116864f.mozilla:c770eab8f479cdb8b639dc87d9025163
[10-24 12:26:26] Torbutton INFO: New tab
[10-24 12:26:26] Torbutton NOTE: no SOCKS credentials found for current document.
[10-24 12:26:26] Torbutton INFO: tor SOCKS: https://tb-manual.torproject.org/en-US via
torproject.org:da45deac185a2fc6963c91aa623265ca
Hrm, looks like a race condition.

> Bug 21549: Enable WASM on standard security level
And how does it go for HTTPS Everywhere when temporarily enabled by lowering the security level?

Lowering to standard is cool. :) We are not there yet for WASM on safer and safest levels for extensions, but close, see: https://trac.torproject.org/projects/tor/ticket/23719.

For testing only :) Seems it doesn't work until restart.

What have you tested exactly? Starting with a slider on a higher level and then lowering it + running some WASM code afterwards? What code did you try to run?

A bug? In this new version (9.0) is just disappeared the option to block or unblock cookies from all sites.What did happen with it? How I do that now?

You set the respective preference (network.cookie.cookieBehavior) directly on your about:config page now to the value you want to have.

Making it harder for normal users to block cookies is a problem.

Here is the ticket and patch that caused this:
https://trac.torproject.org/projects/tor/ticket/26345

GK, would you please consider it?

Hi Phil303

Here is the link to the relevant patch and issue in the bug tracker that caused the cookie button to disappear:
https://trac.torproject.org/projects/tor/ticket/26345

You guys need to change the letterboxing bars to black or dark grey... Some of us have ELS or simply don't like being blinded ;)

It was not possible to install this release (Tor 9.0 for Win64) because its file nssdbm3.dll was infected with the virus Win64:Evo-gen.. That is, the setup file downloaded from the Tor site is infected with this mentioned virus. Could you please check this?

I think that's very likely a false positive from whatever tool you are using.

Please return the option to enable/disable cookies and types of cookies. Even if temporarily, no site should be allowed to store files, (such as cookies, etc) in the user's machine without explicit permission of this user. I have read above a reply about that, which nevertheless which is completely an unpractical measure; I mean this should be available to the user's criterion, and easy as used to be in the earlier versions of Tor.

I don't think this should be as easily available as before. Mozilla integrated that functionality tightly into their Tracking Protection UI which we don't want to have right now as it claims to be a privacy feature (among others). Thus, we removed the UI. However, as said above you still can set the respective preference directly.

??? Sorry I don't get this justification. It was meant that now the Tor users don't have more right to this kind of privacy (block of cookies)?

Anyway I've tried the indicated manual alteration in "network.cookie.cookieBehavior". The default value seen there is set as "1" . ??? So, What value (0, 2,3, what?) should be set to recover the feature like was in the previous version of Tor?

We did not remove the options to adjust your cookie settings to a value you like nor won't we. The issue is that those cookie settings UI got integrated into the Tracking Protection UI we don't want right now. More importantly, it is highly misleading and by users clicking on different options they might be distinguishable without intending so.

For the value you want have a look at http://kb.mozillazine.org/Network.cookie.cookieBehavior. There four different values are shown and I hope what you have in mind is one of them. If not, then you'd need to search a bit harder as I think there are more values possible nowadays.

I downloaded "torbrowser-install-9.0_en-US.exe" 32bit several times and verified it.
when I'm trying to install, it just gives me the options of Arabic and Farsi to choose!
Please fix this.

Where are you seeing only those options? When starting the installer? What is your locale on your Windows machine? Does it work for you if you test an older installer, say, the one from Tor Browser 8.5.5 (see: https://archive.torproject.org/tor-package-archive/torbrowser/8.5.5/ for older bundles).

not OP but getting a similar thing, when starting the 32 bit installer it gives two language options one of which is my system locale and the other is an unofficial language spoken by some people in this region. checking past versions, the change seems to have happened around version 8.0 (7.5.6 installer shows 6 languages including English). I haven't noticed this before because I only use the 64 bit installers and they always show a long list of languages to choose from unlike 32 bit installers

Could you pin down the first Tor Browser version where this happened? Older installers are at: https://archive.torproject.org/tor-package-archive/torbrowser/. If the result is a major version, like 8.0 it would be helpful to track the issue further down in the alpha versions belonging to that stable one. In the 8.0 case this would be 8.0a1-8.0a10. Thanks. I am filing a ticket meanwhile.

[10-25 07:50:12] Torbutton INFO: tor SOCKS: https://mitmdetection.services.mozilla.com/ via
--unknown--:3c6a3286392291d7459b9e131ebc8f73

Any steps to reproduce this issue?

Media resource blob:https://www.xxx.com/111 could not be decoded, error: Error Code: NS_ERROR_DOM_MEDIA_FATAL_ERR (0x806e0005)
Details: RefPtr mozilla::MediaSourceTrackDemuxer::DoSeek(const mozilla::media::TimeUnit &): manager is detached.

Any steps to reproduce this issue?

NetworkHelper.getReasonsForWeakness threw an exception: STATE_IS_BROKEN without a known reason. Full state was: 1 2 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
getReasonsForWeakness resource://devtools/shared/webconsole/network-helper.js:795
parseSecurityInfo resource://devtools/shared/webconsole/network-helper.js:620
_getSecurityInfo resource://devtools/server/actors/network-monitor/network-response-listener.js:329
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:111
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

Any steps to reproduce this issue?

Handler function threw an exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsICacheInfoChannel.isRacing]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://devtools/server/actors/network-monitor/network-response-listener.js :: NetworkResponseListener.prototype._getSecurityInfo< :: line 334" data: no]
Stack: NetworkResponseListener.prototype._getSecurityInfo<@resource://devtools/server/actors/network-monitor/network-response-listener.js:334:26
exports.makeInfallible/<@resource://devtools/shared/ThreadSafeDevToolsUtils.js:111:22
onStartRequest@resource://devtools/server/actors/network-monitor/network-response-listener.js:226:10
Line: 334, column: 0 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:117
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

Any steps to reproduce this issue?

Some site hung the browser with
[10-25 10:18:10] Torbutton INFO: controlPort >> 650 STREAM 7389 NEW 0 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443 SOURCE_ADDR=127.0.0.1:65499 PURPOSE=USER
7389 alt-svc requests? madness..

CRAP! IT IS STILL RAPING MY PC EVEN WITH ALL TABS CLOSED! 238741 TIMES!!!
[10-30 08:44:55] Torbutton INFO: controlPort >> 650 STREAM 238741 NEW 0 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443 SOURCE_ADDR=127.0.0.1:56101 PURPOSE=USER
[10-30 08:44:55] Torbutton INFO: controlPort >> 650 STREAM 238741 SENTCONNECT 168 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443
[10-30 08:44:55] Torbutton INFO: controlPort >> 650 STREAM 238706 CLOSED 156 cflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion:443 REASON=DONE

[10-26 11:23:49] Torbutton INFO: controlPort >> 650 STREAM 138 FAILED 36 sync-messages.invalid:443 REASON=END REMOTE_REASON=RESOLVEFAILED
[10-26 11:23:49] Torbutton INFO: controlPort >> 650 STREAM 138 CLOSED 36 sync-messages.invalid:443 REASON=END REMOTE_REASON=RESOLVEFAILED

NoScript is going mad :(

With the new version of Tor Browser there is a white border around webpages which is super annoying. I understand it is kind of a anti-fingerprinting feature. Can I change the color of those borders to grey or black?

Why does allowing of canvas change the hash of WebGL fingerprint?

love it

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

7 + 4 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.