New Release: Tor Browser 9.0.1

Tor Browser 9.0.1 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims to mostly fix regressions and provide small improvements related to our 9.0 release. Additionally, we are adding a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

For each new release, two members of our team build the release separately and compare the results to make sure that it is reproducible. For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating makes our build not completely deterministic. As a workaround, we had to do multiple builds until we got matching builds. You might need to do the same if you are trying to reproduce our build.
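One way to automate the comparison described above, as an added example that is not the Tor Project's own build tooling. It assumes each builder keeps `sha256sum` output for every build attempt; the function names, file names and digests are constructed for illustration.

```python
# Added example: compare sha256sum-style manifests from independent builders.
# File names and digests are constructed sample data, not real release hashes.
from itertools import product


def parse_manifest(text):
    """Parse `sha256sum` output ("<hex digest>  <file name>") into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        # Binary-mode output marks the name with a leading "*".
        if name.startswith("*"):
            name = name[1:]
        entries[name] = digest.lower()
    return entries


def diff_manifests(a, b):
    """Return sorted names whose digest differs or that exist on one side only."""
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def first_matching_pair(attempts_a, attempts_b):
    """Return (i, j) for the first pair of attempts agreeing on every artifact, else None."""
    for (i, a), (j, b) in product(enumerate(attempts_a), enumerate(attempts_b)):
        # An empty manifest never counts as a match.
        if a and not diff_manifests(a, b):
            return i, j
    return None


# Constructed sample: builder A needed two attempts, builder B one.
A1 = parse_manifest("aa11  artifact-one.tar.xz\nbb22  artifact-two.tar.xz\n")
A2 = parse_manifest("aa11  artifact-one.tar.xz\nbb99  artifact-two.tar.xz\n")
B1 = parse_manifest("AA11 *artifact-one.tar.xz\nbb99 *artifact-two.tar.xz\n")

if __name__ == "__main__":
    print("A1 vs B1 differ on:", diff_manifests(A1, B1))
    print("matching attempts (A index, B index):", first_matching_pair([A1, A2], [B1]))
```

A release is only considered reproduced when some pair of attempts agrees on every artifact; a partial match still names the artifact that needs rebuilding.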

Note: due to some delay with the signing, the Android version is not yet available. We expect to be able to publish the signed Android version in a few hours. Update: the Android version has been published.

ChangeLog

The full changelog since Tor Browser 9.0 is:

  • All Platforms
    • Update NoScript to 11.0.4
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campaign
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
  • Android
    • Bug 32342: Crash when changing the browser locale
Anonymous

November 05, 2019

torbrowser-launcher developer very bad. Must disable apparmor torbrowser.Browser.firefox for 9.01 upgrade for work.

sudo apparmor_parser -R /etc/apparmor.d/torbrowser.Browser.firefox

noscript and httpseverywhere plugin icon no show top bar. Please fix.

9.01 new bug. Not black window bug. micahflee/torbrowser-launcher bad developer. micahflee/torbrowser-launcher bug not let 9.0 upgrade 9.01

micahflee/torbrowser-launcher still other bug. noscript and httpswhere icon no show on top bar with ubuntu apparmor. micahflee/torbrowser-launcher always lots bugs. Make bad look tor.

Anonymous

November 05, 2019

Layman here, my Avira said it detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating. Kindly look into that!

>Avira detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating to 9.0.1
Confirmed.
Could you lovely Tor developers please make sure to thoroughly scan all files with the major current virus scanners and make sure that everything is actually clean and also shows up as clean. You're completely ruining the reputation of Tor if you don't. Thank you

Anonymous

November 08, 2019

In reply to by boklm

Anxious reports about a (false positive we presume) antivirus flag seem to be very common.

A post in this blog explaining how antivirus programs work and why they too often give a false positive for the latest version of Tor Browser might be helpful.

On a related point, someone said that if you DL TB from torproject.org, an antivirus flag should be a false positive which can be ignored, which reminds me of something I have been wondering about: how often do people DL "TB" (?) from a site other than torbrowser.org and why would they do that? Because censorship regimes prevent their reaching torproject.org?

> Could you lovely Tor developers please make sure to thoroughly scan all files with the major current virus scanners and make sure that everything is actually clean and also shows up as clean.

In an ideal world, this would clearly be a good idea. But in the real world, virus scanners cost money, as does developer time, and Tor Project does not have nearly as much money as it would in an ideal world. (If you happen to be a billionaire, I guess you can help change that!)

> You're completely ruining the reputation of Tor if you don't.

I hope it's not as bad as that. I use Linux so am spared from worrying about antivirus (partly because in principle Linux is somewhat "immune" to viruses, partly because Linux security tools tend to lag behind--- hopefully because there is less need!) but you have my sympathy because I often feel frustrated by cybersecurity shortcomings. I try to keep in mind that cybersecurity is a process, not a state, and that we are all involuntarily engaged in an arms race. Some days we get a bit ahead, other days we fall behind.

We used to upload new Tor Browser releases to https://www.virustotal.com/ which scans them with many anti-virus. However it's unclear whether that really helps. It allows us to see that some antivirus detect it as a virus, but then there is not much we can do to fix that. Some antivirus also flag as suspicious any program that has not been seen by many of their users. Maybe uploading to virustotal helps with that, but not sure how much.

+1

I have the same issue. qipcap.dll = trojaner warning from program Antivirus.

My Avira too!

xpack.gen3 warning too - both with the in-browser-update and (after deinstallation) via the German website CHIP - what's happening?

+1 Avira discovers xpack.gen3 in both the in-browser-update and new installation pack from German website CHIP - please react asap to reinstate credibility!

why have you released 9.0 and 9.0.1 if the builds are not reproducible? the point of building by two different persons is to not release anything and investigate if the builds are different
also you could consider having more than two people and two builds, two are easy to bribe

The build is still reproducible. The issue is that it can take more than one build to get a matching build. That's not ideal as it makes reproducing the build more difficult, but not releasing anything would not be a good idea as 9.0 includes important security fixes, and fixing the build issue is going to take some time.

As for having more than two people building, anybody is welcome to build the releases too.

> The issue is that it can take more than one build to get a matching build. That's not ideal as it makes reproducing the build more difficult, but not releasing anything would not be a good idea as 9.0 includes important security fixes, and fixing the build issue is going to take some time.

That makes sense.

Sometimes critical comments denigrating Tor devs seem to be over-reaching, which makes me think of an acronym similar to IRS but not IRS.

For me two things are a little inconvenient in TB9:
1. Cookie preference is no more in Tools | Options. Though you can still edit network.cookie.cookieBehavior manually, I think there are many users who disable all cookies by default and enable cookies temporarily only when they have to.
2. You can no longer open a new window as Blank page & go to your Home page by hitting the Home page button. This change has rendered the Home page button totally useless.

Thank you very much for your hard work. I'll keep trying to support you via donations etc.

Orbot VPN is not working on Android Oreo 8.1
Can you please fix that?

Am I correct in guessing that Tor Browser 9.1 is immune to the following bug affecting Windows versions of Firefox?

arstechnica.com
Actively exploited bug in fully updated Firefox is sending users into a tizzy
Fraudulent tech-support sites cause Firefox to freeze while displaying scary message.
Dan Goodin
5 Nov 2019

No, I don't think Tor Browser is immune to that bug. This is the Mozilla ticket:
https://bugzilla.mozilla.org/show_bug.cgi?id=1571003

Crap. Bad news but thanks for the link.

Windows 10 1903 fresh install of 9.0 a week ago then updated to 9.0.1 several hours ago is running rock solid.

torbirdy update please

> Bug 21004: Don't block JavaScript on onion services on medium security
http://zsolxunfmbfuq7wf.onion/rc/
Warning: This webmail service requires Javascript! In order to use it please enable Javascript in your browser's settings.

Which security level are you using?
I can't reproduce this in the "Safer" security level.

hm, seems to work after the restart

This might be related to this issue:
https://trac.torproject.org/projects/tor/ticket/32362

very minor:
http://yjuwkcxlgo7f7o6s.onion/
The connection has timed out
No circuit display (bcs it can't find a path), but some users are worrying.

XHR GET https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions
[HTTP/1.1 301 Moved Permanently 1729ms]

> Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
hah https://bugzilla.mozilla.org/show_bug.cgi?id=1538644#c0

> Bug 31764: Fix for error when navigating via 'Paste and go'
mozilla seems to have a different fix...

Do you have more infos about this fix?

The link is in your ticket.

Thanks so much for fixing Bug 27307!

Bug 27268: Preferences clean-up

"-pref("datareporting.healthreport.service.enabled", false); // Yes, all three of these must be set"
pref was removed, because now it is enabled unconditionally.

"pref("browser.fixup.alternate.enabled", false); // Bug #16783: Prevent .onion fixups"
remove

What makes you think so?
This ticket did not remove the prefs only:
https://bugzilla.mozilla.org/show_bug.cgi?id=1234526

NoScript now is 11.0.7 and still sucks!

Great stuff 9.0.1 ...... only one problem, it doesn't fucking work Blank screen, or a window that is transparent with nothing in it, I've tried to go back to a previous version 4 times but every time it keeps updating the damn thing. So what is going wrong?

Which version were you using before?
Does it work better if you do a new install of 9.0.1 instead of doing an update?

after a quick look i noticed the black dark theme, i had nothing against the purple one.
however since you guys have minimized the full window size there are white edges on the sides, those two i would happily and much appreciate to see as black rather than white. it really kills the eyes when sitting in the dark and the only white/light thing are those two edges.

the website theme itself is alright with green and purple :)

thanks in advance!

We have this ticket about changing letterboxing color when dark theme is enabled:
https://trac.torproject.org/projects/tor/ticket/32220

me too

restart after this update:
Error: listener not re-registered 8 ExtensionCommon.jsm:2318:24

it's a new regression

Why the duck it updates NoScript 11.0.7 to 11.0.4?

"For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic."
Windows builds are not affected, because they're still -O2, right?
