New Release: Tor Browser 9.5a1

by boklm | October 23, 2019

Tor Browser 9.5a1 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates.

Tor Browser 9.5a1 is the first release in the 9.5 alpha series. It contains all the improvements and fixes from the 9.0 release as well as other new features: We enabled WASM on the standard security level, fixed circuit display for bridges without a fingerprint, and we re-enabled jemalloc for Windows users.

The full changelog since Tor Browser 9.0a8 is:

  • All Platforms
    • Update Firefox to 68.2.0esr
    • Bug 31740: Remove some unnecessary RemoteSettings instances
    • Bug 30681: Set security.enterprise_roots.enabled to false
    • Bug 31144: Review network code changes for Firefox 68 ESR
    • Bug 21549: Enable WASM on standard security level
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.1
      • Bug 32154: Custom bridge field only allows one line of input
      • Bug 32112: Fix bad & escaping in translations
      • Bug 31286: Update to tor settings related strings
      • Translations update
    • Bug 32125: Fix circuit display for bridge without a fingerprint
    • Bug 32076: Upgrade to goptlib v1.1.0
    • Bug 32061: Bump snowflake version to b4f4b29a03
    • Bug 32092: Fix Tor Browser Support link in preferences
    • Bug 32111: Fixed issue parsing user-provided bridge strings
    • Bug 31749: Fix security level panel spawning events
    • Bug 31920: Fix Security Level panel when its toolbar button moves to overflow
    • Bug 31748+31961: Fix 'Learn More' links in Security Level preferences and panel
    • Translations update
  • Android
    • Bug 32097: Fix conflicts in mobile onboarding while rebasing to 68.2.0esr
    • Bug 26529: Notify user about possible proxy-bypass before opening external app
  • Build System
    • Windows
      • Bug 32132: Re-enable jemalloc for Windows users
      • Bug 31989: Backport backout of old mingw-gcc patch
    • Android
      • Bug 30461: Clean up tor-android-service project
Tags
tor browser
tbb
tbb-9.5
Jason

Zehr Rot (not verified) said:

October 26, 2019

Permalink

love it

Jason

tep (not verified) said:

October 27, 2019

Permalink

How about starting Tor fullscreen, since it has now antifingerprinting for fullscreen?

Jason

renegat (not verified) said:

October 28, 2019

Permalink

I'am so extremly disapointed about the latest tor-browser releases:
Without the posibility to allow 'third-party-cookies' you cannot log into several websites like any disqus based forums.
That makes tor-browser totally useless! Who the hell has decided this bunk?!
It is like removing the wheels from a car in order to make driving more secure!
I hope I will find an older version somewhere which allows the user at last to make some decisions on himself...

So, first of all: we did not touch any of the per-site cookie settings. You should probably use those anyway as you very likely do not want to allow third party cookies on any website just because you need to log in to some.

But even if you think that's okay and are fine with third-party cookies generally then you still have the option to allow those. You need to adjust the respective preference, network.cookie.cookieBehavior in about:config to the value you want to have. http://kb.mozillazine.org/Network.cookie.cookieBehavior has possible values and 0 seems to be the one you are looking for.

Finally, if you already had third party cookies enabled the update did not touch anything in that regard.

Will the future per-site security levels make it possible to allow third-party cookies (or "per-site cookie settings") on a specific first-party website only? The other person asked about Disqus for example.

maybe, because of:
Loading failed for the with source “chrome://global/content/TopLevelVideoDocument.js”. Volcano_Lava_Sample.webm.360p.vp9.webm:1:1

(not opening tickets for real regressions is rude)

It's not a joke, we need clear information about an issue in order to investigate it without wasting too much time looking into the wrong direction. For example the first comment talked about "Safest" but now it doesn't seem related to the security level anymore.

Anyway, I opened a ticket to track this issue:
https://trac.torproject.org/projects/tor/ticket/32530#ticket

Is this a new issue with Tor Browser 9.0, or did this happen with older versions of Tor Browser too?

According to that post, the panel is titled "Site Information". The post's author uses the word "identity" simply to describe some things in the panel. Moreover, the panel is clearly about the site's credentials and not the user. I don't think renaming is necessary.

Jason

Rakete (not verified) said:

October 29, 2019

Permalink

Hallo Leute
Nachdem ich euren neuen tor browser auf mein Handy samsung s2 neu installiert habe funktioniert er nicht mehr!
Der Tor browser bleibt mit der Meldung:Tor Programm wird gestartet...
Abgeschlossen
stehen.
Was ist passiert?
Vier mal neu installiert und geht nicht. ...

Do you see any log messages if you swipe on your screen from the right to the left? There should be status messages visible about what Tor is trying to do.

Jason

Pepi (not verified) said:

October 29, 2019

Permalink

Since the new version (9x) my about:config settings like (proxy.type, remote_dns) get reset every browser re-start.

Please tell me how to make them stick. What is resetting them to defaults?

Jason

Anonymous (not verified) said:

October 30, 2019

Permalink

undefined is not a valid URL. background.js:321
onBeforeRequest moz-extension://[uuid]/background-scripts/background.js:321
apply self-hosted:4417
applySafeWithoutClone resource://gre/modules/ExtensionCommon.jsm:588
fire resource://gre/modules/ExtensionChild.jsm:1171
receiveMessage resource://gre/modules/ExtensionChild.jsm:1175
_callHandlers resource://gre/modules/MessageChannel.jsm:914
_callHandlers resource://gre/modules/MessageChannel.jsm:913
promise resource://gre/modules/MessageChannel.jsm:992
_handleMessage resource://gre/modules/MessageChannel.jsm:989
_handleMessage self-hosted:1005
receiveMessage resource://gre/modules/MessageChannel.jsm:225
forEach self-hosted:266
receiveMessage resource://gre/modules/MessageChannel.jsm:218

untested NoScript jumped in...

Jason

turdels (not verified) said:

November 02, 2019

Permalink

I verified my download of TBB using checksum & signing key. Both passed.
I searched the sha256 sum on DDG and got a mismatch, so I'm concerned I could have a MITM TBB,key ect.

ME =
sha256sum tor-browser-linux64-9.0_en-US.tar.xz
670d5c53d989f70eaffd7052f911c5d36b70b17af6cc5691fd8a5d5acc5c5229 tor-browser-linux64-9.0_en-US.tar.xz

What I see on DDG =
sha256sum tor-browser-linux64-9.0_en-US.tar.xz
072d2a349f7b6dbf465a4600e6e2b68a030aebc4e36a289fa4f4c2933040f161

ps
I dislike the removal of cookie enable/disable option
no access to noscript,https everywhere buttons

I know customization is a threat to fingerprinting but daaamn. cookies on always unless we about:config? that sucks and makes tracking easier imo.

670d5c53d989f70eaffd7052f911c5d36b70b17af6cc5691fd8a5d5acc5c5229 is correct. https://dist.torproject.org/torbrowser/9.0/sha256sums-signed-build.txt (verify the signature, too, if you are concerned). Where did you find the link on DDG?

Regarding cookies, only first party cookies are allowed, third-party cookies are denied. If you are concerned about first-party cookies then restarting the browser or using New Identity will clear them.

> I searched the sha256 sum on DDG and got a mismatch

That's because DDG's instant answer (by typing your SHA command in its search box) takes the hash of the *text string* you typed. You could tell it to find the sha256sum of the nonexistent tor version "alice42-9.9.9" and it will return a hash because it calculates based on the text characters.

On your machine, at a terminal/command prompt, this will calculate the sha256 of the text string of your value and return the 072... hash that DDG returned:
$ echo -n 'tor-browser-linux64-9.0_en-US.tar.xz' | sha256sum -t

In contrast, this will look for the file with that name in your working directory and calculate the sha256 of the *contents* of the file, which is what you actually want:
$ sha256sum tor-browser-linux64-9.0_en-US.tar.xz

Jason

Anonymous (not verified) said:

November 04, 2019

Permalink

NetworkHelper.getReasonsForWeakness threw an exception: STATE_IS_BROKEN without a known reason. Full state was: 1 ThreadSafeDevToolsUtils.js:90:13
reportException resource://devtools/shared/ThreadSafeDevToolsUtils.js:90
getReasonsForWeakness resource://devtools/shared/webconsole/network-helper.js:795
parseSecurityInfo resource://devtools/shared/webconsole/network-helper.js:620
_getSecurityInfo resource://devtools/server/actors/network-monitor/network-response-listener.js:329
makeInfallible resource://devtools/shared/ThreadSafeDevToolsUtils.js:111
onStartRequest resource://devtools/server/actors/network-monitor/network-response-listener.js:226

Jason

anon (not verified) said:

November 05, 2019

Permalink

Could you guys add a button to about:tor for checking Tor (opens check.torproject.org in a new tab) like Tails has it on their website when you're using Tails?

That page used to be Tor Browser's new-window homepage as about:tor is today. I don't think there is a reason for it anymore (except for new users) because the browser is not opened until after tor connects, and the browser is configured to make all connections through tor. Once it's open, new installs show introduction slides, and users can check the proxy preferences and drop-down circuit display. Users could bookmark that page or change Preferences to set that page as the browser's homepage and customize the toolbar to drag the Home button into view. If a virus infects the machine and changes the files, you have bigger problems unrelated to Tor.