New Release: Tor Browser 9.0.1

by boklm | November 5, 2019

Tor Browser 9.0.1 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims to mostly fix regressions and provide small improvements related to our 9.0 release. Additionally, we are adding a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

For each new release, two members from our team are building the release separately and compare the result to make sure that it is reproducible. For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic. As a workaround for this issue, we had to do multiple builds until we got matching builds. You might need to do the same if you are trying to reproduce our build.

Note: due to some delay with the signing, the Android version is not yet available. We expect to be able to publish the signed Android version in a few hours. Update: the Android version has been published.

ChangeLog

The full changelog since Tor Browser 9.0 is:

  • All Platforms
    • Update NoScript to 11.0.4
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campain
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
  • Android
    • Bug 32342: Crash when changing the browser locale

Comments

Please note that the comment area below has been archived.

November 05, 2019

Permalink

torbrowser-launcher developer very bad. Must disable apparmor torbrowser.Browser.firefox for 9.01 upgrade for work.

sudo apparmor_parser -R /etc/apparmor.d/torbrowser.Browser.firefox

noscript and httpseverywhere plugin icon no show top bar. Please fix.

November 05, 2019

In reply to boklm

Permalink

9.01 new bug. Not black window bug. micahflee/torbrowser-launcher bad developer. micahflee/torbrowser-launcher bug not let 9.0 upgrade 9.01

micahflee/torbrowser-launcher still other bug. noscript and httpswhere icon no show on top bar with ubuntu apparmor. micahflee/torbrowser-launcher always lots bugs. Make bad look tor.

> still other bug. noscript and httpswhere icon no show on top bar with ubuntu apparmor.

Are you sure apparmor is causing that? The icons for NoScript and HTTPS Everywhere were moved from the toolbar a long time ago. Open the 3-lines "hamburger" menu --> Customize --> Drag the icons you want into the toolbar.

November 05, 2019

Permalink

Layman here, my Avira said it detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating. Kindly look into that!

>Avira detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating to 9.0.1
Confirmed.
Could you lovely Tor developers please make sure to thoroughly scan all files with the major current virus scanners and make sure that everything is actually clean and also shows up as clean. You're completely ruining the reputation of Tor if you don't. Thank you

November 08, 2019

In reply to boklm

Permalink

Anxious reports about a (false positive we presume) antivirus flag seem to be very common.

A post in this blog explaining how antivirus programs work and why they too often give a false positive for the latest version of Tor Browser might be helpful.

On a related point, someone said that if you DL TB from torproject.org, an antivirus flag should be a false positive which can be ignored, which reminds me of something I have been wondering about: how often to people DL "TB" (?) from a site other than torbrowser.org and why would they do that? Because censorship regimes prevent their reaching torproject.org?

> Anxious reports about a (false positive we presume) antivirus flag seem to be very common.

Yes, unfortunately for many releases since the beginning.

> DL "TB" (?)

It means "download Tor Browser". (Also, TBB means "Tor Browser Bundle" which is technically the correct name and description of the combined package of tor.exe binary + browser application instead of simply the browser.) You asked good questions about other sites and censorship; I haven't seen them discussed. Users for whom this torproject.org website is censored are urged to use GetTor or a mirror.

> A post in this blog might be helpful.

We should point them to the Support FAQ and the Tor Browser manual:

> Could you lovely Tor developers please make sure to thoroughly scan all files with the major current virus scanners and make sure that everything is actually clean and also shows up as clean.

In an ideal world, this would clearly be a good idea. But in the real world, virus scanners cost money, as does developer time, and Tor Project does not have nearly as much money as it would in an ideal world. (If you happen to be a billionare, I guess you can help change that!)

> You're completely ruining the reputation of Tor if you don't.

I hope it's not as bad as that. I use Linux so am spared from worrying about antivirus (partly because in principle Linux is somewhat "immune" to viruses, partly because Linux security tools tend to lag behind--- hopefully because there is less need!) but you have my sympathy because I often feel frustrated by cybersecurity shortcomings. I try to keep in mind that cybersecurity is a process, not a state, and that we are all involuntarily engaged in an arms race. Some days we get a bit ahead, other days we fall behind.

We used to upload new Tor Browser releases to https://www.virustotal.com/ which scans them with many anti-virus. However it's unclear whether that really helps. It allows us to see that some antivirus detect it as a virus, but then there is not much we can do to fix that. Some antivirus also flag as suspicious any program that has not been seen by many of their users. Maybe uploading to virustotal helps with that, but not sure how much.

November 13, 2019

In reply to boklm

Permalink

Knowing what antivirus researchers do with the files that get uploaded there, I'd be surprised if it didn't help false positives get fixed.

> partly because Linux security tools tend to lag behind--- hopefully because there is less need!

Linux and BSD are basically developed by hackers -- as in the general tinkering definition of the word. I find that most people interested in bugs in Linux spend their time sharing their findings and actually fixing them precisely because it has a usually welcoming share-alike community that accepts their energy and reciprocates it for usually positive general interests. It's organic and inviting. Further, the licenses they and other free-libre open source developers invented have played a huge role in refining general attitudes and ideals over time.

November 05, 2019

Permalink

why have you released 9.0 and 9.0.1 if the builds are not reproducible? the point of building by two different persons is to not release anything and investigate if the builds are different
also you could consider having more than two people and two builds, two are easy to bribe

The build is still reproducible. The issue is that it can take more than one build to get a matching build. That's not ideal as it makes reproducing the build more difficult, but not releasing anything would not be a good idea as 9.0 includes important security fixes, and fixing the build issue is going to take some time.

As for having more than two people building, anybody is welcome to build the releases too.

November 07, 2019

In reply to boklm

Permalink

> The issue is that it can take more than one build to get a matching build. That's not ideal as it makes reproducing the build more difficult, but not releasing anything would not be a good idea as 9.0 includes important security fixes, and fixing the build issue is going to take some time.

That makes sense.

Sometimes critical comments denigrating Tor devs seem to be over-reaching, which makes me think of an acronym similar to IRS but not IRS.

November 05, 2019

Permalink

For me two things are a little inconvenient in TB9:
1. Cookie preference is no more in Tools | Options. Though you can still edit network.cookie.cookieBehavior manually, I think there are many users who disable all cookies by default and enable cookies temporarily only when they have to.
2. You can no longer open a new window as Blank page & go to your Home page by hitting the Home page button. This change has rendered the Home page button totally useless.

Thank you very much for your hard work. I'll keep trying to support you via donations etc.

1. If there really are many users customizing their cookie permissions, they are making other users less safe and should be dissuaded. Cookies are enabled by default because many websites don't work properly without them. Many other patches such as first-party isolation have been developed and applied to mitigate most of the dangers of enabled cookies. More patches are coming soon for per-tab security levels. I think they include Javascript isolation. If you have ideas, please tell the developers.
2. Do you mean a New Window opens a page different from your Home button? I have never heard of them being different in any browser. If it was possible before, then it's from Firefox and Mozilla is who changed it. Tor Project most likely would not change that sort of thing. Be careful setting an uncommon URL because it could be noticed by exit eavesdroppers to discover your traffic in a new identity. Every site goes through a new circuit, so an uncommon URL probably is safe, but if a bug is found that makes it unsafe, it's better if chance favors Tor Browser's principles. The Home button was not rendered useless, it opens your home page at any time no matter what is open in your tab.

November 05, 2019

Permalink

Am I correct in guessing that Tor Browser 9.1 is immune to the following bug affecting Windows versions of Firefox?

arstechnica.com
Actively exploited bug in fully updated Firefox is sending users into a tizzy
Fraudulent tech-support sites cause Firefox to freeze while displaying scary message.
Dan Goodin
5 Nov 2019

November 05, 2019

Permalink

Windows 10 1903 fresh install of 9.0 a week ago then updated to 9.0.1 several hours ago is running rock solid.

November 05, 2019

Permalink

> Bug 31764: Fix for error when navigating via 'Paste and go'
mozilla seems to have a different fix...

November 05, 2019

Permalink

Bug 27268: Preferences clean-up

"-pref("datareporting.healthreport.service.enabled", false); // Yes, all three of these must be set"
pref was removed, because now it is enabled unconditionally.

"pref("browser.fixup.alternate.enabled", false); // Bug #16783: Prevent .onion fixups"
remove

November 05, 2019

Permalink

Great stuff 9.0.1 ...... only one problem, it doesn't fucking work Blank screen, or a window that is transparent with nothing in it, I've tried to go back to a previous version 4 times but every time it keeps updating the damn thing. So what is going wrong?

November 05, 2019

Permalink

after a quick look i noticed the black dark theme, i had nothing against the purple one.
however since you guys have minimized the full window size there are white edges on the sides, those two i would happily and much appreciate to see as black rather than white. it really kills the eyes when sitting in the dark and the only white/light thing are those two edges.

the website theme itself is alright with green and purple :)

thanks in advance!

November 06, 2019

Permalink

"For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic."
Windows builds are not affected, because they're still -O2, right?

November 07, 2019

In reply to boklm

Permalink

What if we enable cross-language LTO as in esr68, and it strips the non-deterministic parts?

November 06, 2019

Permalink

George here, my Avira also said it detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating. What about this?

For watching videos, you might want to look at Tails (see tails.boum.org), a free open source Linux distribution which provides current Tor Browser and many other useful things in an amnesia way. I think this may provide a significantly safer way to watch videos or do anything else which possibly requires dropping to "Standard" setting in Tor Browser.

(I am not affiliated with either Tails Project or Tor Project, but I use both Tails and Tor Browser.)

> Noscript unblock invidio.us site but do NOT unblock from youtube.com

I don't understand what you mean. Is that an observation or a request? Anyway, Invidio simply embeds videos from googlevideo.com, AKA YouTube's CDN. In NoScript, you have to allow "media" from invidio.us and googlevideo.com. Hamburger menu -> Customize -> Drag the NoScript icon to your toolbar. -> Refresh an invidio player page. -> Click the NoScript icon -> Click "Temp. Trusted" for both sites, or click "Custom" and allow "media" for both sites.

NoScript's click-to-play blue popup might not allow them to play because its Options enable "Cascade top document's restrictions to subdocuments." On youtube.com, you only have to enable "media" for youtube.com. But on domains that embed youtube videos, you have to enable "media" on the first-party domain. Click-to-play might not offer an option for the first-party domain and therefore be misleading and not work.

> Click-to-play might not offer an option for the first-party domain and therefore be misleading and not work.

I just had that happen on a different site. This is important, developers. "Cascade top" and click-to-play are incompatible when media is embedded. Click-to-play should allow the embedded third-party and first-party together if "cascade" is checked. It doesn't play unless you allow both parties.

November 06, 2019

Permalink

about:tor crashes Tor Browser 9.0.1 on Windows:
"Gah. Your tab just crashed. We can help! Choose Restore This Tab to reload the page."

I think we don't know about this issue.

Is this an issue that is new with version 9.0.1, or did you have it with previous versions too? Is it an issue that happens every time you open the browser, or only sometimes? Do you have the issue on other pages than about:tor?

November 25, 2019

In reply to boklm

Permalink

this happens everytime i open tor on every page. it should says "Gah, your tab just crashed"older version works fine but as soon as i update to this version it gives out error.

Why should Tor Browser report the real OS to sites? In terms of privacy, it doesn't make sense, and I don't care if the GNU/Linux "market share" "shrinks" as a result of more protection against fingerprinting.

November 06, 2019

Permalink

May someone please answer about "Trojan Positive" in this release? I've tested on VM in Ubuntu, with two pro AV, both gave the same result.

Tested on VM - Windows10 - Avira AV - Detected Trojan on - "qipcap.dll"
Tested on VM - Windows7 - Norton AV - Detected Unsafe File -"qipcap.dll" (norton didn't detected as trojan, but as unsafe file, which mean it could be false-positive, or not...)

Many users have reported this but still no answer from anyone, and there are many answers on less important questions. This is something that should be tested and explained to users why it's happening, if that is false positive then why. As someone said, this totally ruin a TOR reputation, and I am sure nobody want's that. Thanks for your time and hard work to keep the online privacy possible for regular users.

If you downloaded Tor Browser from the torproject website, then this is a false positive. Some antivirus consider that files that have not been seen by a lot of users are suspicious.

November 06, 2019

Permalink

Please bring back the "Do not check for updates"
Very tired of having to rebuild a previous version thanks to bugs in latest release e.g. Noscript does not work in 9.01

November 06, 2019

In reply to boklm

Permalink

I have checked the preference for "Check for updates but let you choose to install them".
Tor still automatically installs 9.01, and wipes out all my settings as well.

November 06, 2019

In reply to boklm

Permalink

"should be possible to select in the preferences: "Check for updates but let you choose to install them"."

Is 9.0.1. still Phoning Home everytime you open the Preferences menu?
When yes this would be .....very ...inconvenient.

November 07, 2019

In reply to boklm

Permalink

If you really wan't to bring back "Do not check for updates",
"Check for updates but let you choose to install them" is in NO way
the same.
Everytime the user is opening about:preferences/Tools->Options, 'Security Level',
TBB is phoning home! This isn't funny. Do you wanna have the user is trusting you?
The same s..t you have with vanilla Firefox.

+1 - "Do not check for updates" much appreciated.
i don't wanna ping you every launch of TBB!
i've tried different settings in about:config and there's still this update prompt.
how to disable TBB version check?
extensions.torbutton.versioncheck_enabled;false does not work!

November 08, 2019

In reply to boklm

Permalink

"See how Tails is disabling the updates"

Ok -i hope it works.
But, why torproject and Mozills Corp. think all Torbrowser users, all
Firefox users want to ping yourand their servers, everytime they open Options
or 'About Tor Browser'?
Without loosing trust because it's US-software under US-law?
Can you explain that, why there is no simple No Update option? Logically(-:?

November 11, 2019

In reply to boklm

Permalink

+1: how to?

November 11, 2019

In reply to boklm

Permalink

>Can you explain that, why there is no simple No Update option? Logically(-:?
>You can read the discussions in the mozilla ticket where they implemented this

Clap, clap (-:, i have read it. If the distributors don't want explain, don't want discussion, they shouldn't pretend they wan't.
They don't want because there is NO logical explanation why users should accept they have no choice. Manually update shouldn't be sport.
The spirit of Tor - you should know this. It is not much space between trust and distrust.

We did not decide to remove this option. Mozilla did it, and they explained why.

I don't really like it myself, but there are still some ways to do it, although not as easy as before. I think it's not perfect, but we don't have unlimited time, and already many other things to work on, so if someone who think that's important wants to spend the time to investigate this and document the best way to do it, then that would be useful.

November 09, 2019

In reply to boklm

Permalink

ok, i surrender.
i've copied an edited pref.js file into .../tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default
before firstrun of a TBB 9.0 and tried to disable 'check for updates' with this varying settings:

user_pref("app.update.auto", false);
user_pref("app.update.disabledForTesting", true); boolean; DOES NOT EXIST in TBB 9.0
user_pref("app.update.doorhanger", false);
* user_pref("app.update.enabled", false); boolean; DOES NOT EXIST in TBB 9.0

user_pref("app.update.url", "https://non-existent.org"); or "/dev/null"
* user_pref("app.update.url.details", ""); or "/dev/null"
* user_pref("app.update.url.manual", ""); or "/dev/null"

* user_pref("extensions.torbutton.versioncheck_url", ""); or "/dev/null"

* user_pref("browser.policies.testing.disallowEnterprise", false);

there is no update prompt anymore but still showing the
'Update to 9.0.1' button in about:preferences and the best:
it downloads (!) the update from somewhere even if ALL urls in about:config are deleted.

is there a hidden fallback url or WHAT IS IT that still checks and even downloads an update?

exact advices please!

November 06, 2019

Permalink

Where are my bookmarks, I've tried all the steps that are supposed to restore them, I can't even restore from a back up

Open hamburger menu --> Library --> Bookmarks --> Show All Bookmarks (Ctrl+Shift+O). Click things in the folder tree to find them after you restored. Restoration does not put them in the normal places so you can edit/merge them as you wish. Or are you talking about Android?

November 06, 2019

Permalink

Hey Tor Project, i'm french.
Your wallpaper take back the internet with Tor & theme are ++++ beautifull!!
Thank for the général évolution of Tor!
French user

November 06, 2019

Permalink

There seems to be a bug where launching tor from the gui shortcut in Ubuntu hangs for the longest time. Sometimes as long as 10 minutes before the connection dialog begins. It's affected me since at least 2 or 3 updates ago.

Do you mean Tor Browser? "Tor" (capital T, the network), "tor(.exe)" (the network daemon), and "Tor Browser Bundle" are different things. Did you install Tor Browser from torproject.org? (Don't use tor from Ubuntu's repository.) Are you trying to use the torbrowser-launcher package? Did you configure to connect through a bridge that could be down? Is your network known to censor traffic? Are applications besides Tor Browser having the problem?

I've seen the same thing a few times while using Tor Browser 9.0 in Tails 4.0.

Kinda irreproducible but it seems to happen when I am trying to click on some button or something and just miss, possibly causing an almost invisible change in window size which possibly (?) invokes letterboxing. I am seeing only a slight *decrease* in window size.

November 07, 2019

Permalink

I had to manually install the noscript browser extension to use noscript. Should this have been necessary and why was Noscript removed from the new tor release?

noscript is still included. What has been removed is the toolbar button, as not all options from this button are safe to use. It is however possible to add it back by selecting "Customize" in the hamburger menu.

We have some plans to implement per-site security settings support which should remove the need for the noscript button:
https://trac.torproject.org/projects/tor/ticket/30570

November 14, 2019

In reply to boklm

Permalink

Which options are not safe and why?
Could I request that, if you or your colleagues are going to state such things, esp. warnings, in the future could you/they expand on what they are saying so that users are better informed and can take action?

Thank you

> in the future could you/they expand on what they are saying so that users are better informed

The post for version 8.5(.0), when NoScript's icon was hidden, did not contain a paragraph explaining where the icons had gone, so it ended up being repeatedly discussed in comments in every release post since version 8.5. It was mentioned in an onboarding card inside Tor Browser, the "What's New" circle icon on about:tor that many users don't notice or read. During development (Bug 25658), antonela repeatedly brought up the need to inform users but appears to have been forgotten. From this lowly user, thank you, unsung antonela.

November 07, 2019

Permalink

The "about:tor" page crashes even on fresh install of Tor Browser 9.0.1 on Windows 10 Release 1903 32-bit :
"Gah. Your tab just crashed. We can help! Choose Restore This Tab to reload the page."

Sadly Tor Browser has become really frustrating :

  • Permanent letterboxing, when Firefox does it right, only on page load.
  • Obscure management of cookies.
  • Low privacy settings, example: network.http.referer.XOriginPolicy = 0!
  • NoScript is garbage and has an awful UI. Should be replaced with uBlock Origin by default.
  • NoScript and HTTPS Everywhere icons are hidden by default on fresh install.

November 08, 2019

In reply to boklm

Permalink

Crash is new to 9.0.1, right after update, fresh install (new profile) also crashes. I didn't encounter any crash on 9.0.

> Permanent letterboxing, when Firefox does it right, only on page load.

Where does Firefox do any letterboxing whatsoever? I don't see privacy.resistFingerprinting.letterboxing in the most recent version 70.0.1 at all.

> Obscure management of cookies.

Cookie preferences affect the browser's fingerprint but also collateral damage. The functionality of many websites depends on cookies even more than JavaScript. In the Preferences UI, "Cookies and Site Data" management buttons are there, identical to Firefox, for advanced users.

> Low privacy settings, example: network.http.referer.XOriginPolicy = 0!

That is the default in Firefox. Tor Project may have left it alone if its other values cause collateral damage, but I don't know their reasoning. Unfortunately, some login forms and other functionality of some websites depend on cross-origin referer headers. I don't know if patches were created that lower the risk.

> NoScript is garbage and has an awful UI. Should be replaced with uBlock Origin by default.

Its UI was forced to change a long time ago because of Mozilla's move to WebExtensions. Its important features from before are all there. Its menu sometimes is a little slow to render, but I don't have any major dislikes of it.

> NoScript and HTTPS Everywhere icons are hidden by default on fresh install.

That's because customizing them gives your traffic a unique fingerprint, so doing so is for advanced users. NoScript in particular has always been complicated and confused newbies who are better served by changing the security level.

November 08, 2019

Permalink

> qipcap.dll
Avira
The definition file was updated, and it was determined that there was no problem.

Tell that to Mozilla. Tor Project wasn't involved. According to about:config, the most frequently it prompts you is once every 3600 seconds (1 hour).

To disable all reminders of updates,
https://support.mozilla.org/en-US/questions/1197474
app.update.silent;false

Or to disable certain types of reminders,
app.update.badge;false - for the green dot on the 3-bar menu icon
app.update.doorhanger;false - for the Yes/No prompt that drops down from the menu icon

November 09, 2019

Permalink

I have a somewhat disturbing issue with NoScript.

I don't like it's not automatically in the browser tab so after setting Tor's security to high it's always my second step to customize it that way.

Lately though it disappeared from there all of a sudden after a restart, was obviously disabled even though Tor was set to high security and it's icon nowhere to be found in the customizer, so I had to install everything completely anew. The same happened already with 9.0 once. I'm on a linux system if that is a factor.

In that regard, I've found the security level button to be completely insufficient in indicating the security status of Tor. It's just a little bit of different gray at the border of one's field of vision. Easy to overlook. Maybe it could be changed to a colored traffic light-like system, though in my case it would've probably not helped at all so this is more a general suggestion.
In any event I would suggest moving back the NoScript button to the browser tab by default so there's no ambiguity here if it's just an issue with customization or worse should it be missing. I really think routines are extremely important here since I didn't notice for some minutes it wasn't there anymore. In fact I noticed only because the site I was surfing was obviously displaying elements not possible with Java script disabled.

Please consider the matter and thanks for reading.

> and it's icon nowhere to be found in the customizer

Did you accidentally right-click on its icon --> Remove Extension? Did you accidentally drag it into the overflow ">>" menu? Was it still listed in the hamburger menu --> Add-ons --> Extensions where it should always be? Please continue monitoring it for steps to reproduce it and details to report if it happens again. Thank you.

> It's just a little bit of different gray at the border of one's field of vision.

Is it that hard to rotate eyeballs a few degrees to look at it straight on for a split second? The different shadings take up most of the icon's visual size. Colors have been proposed several times in years past but are more ambiguous in meaning and have accessibility issues for colorblind users.

> I would suggest moving back the NoScript button to the browser tab by default

It was hidden in 8.5 because it's complicated and confused or, worse, endangered newbies. Advanced users can drag it back.

November 09, 2019

Permalink

Error when using Tor-bridge DB request, when using TB 9.0.1 with torbrowser-launcher v0.3.2, running at Debian 10.1

Tor Network Settings about:preferences#tor

[x] Tor is censored in my country

○ Select a built-in bridge

● Request a bridge from torproject.org

[Request a Bridge...]

After pressing the request button:

Error message:

Unable to obtain a bridge from BridgeDB.

Failed to execute command "/home/$USER/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/./TorBrowser/Tor/PluggableTransports/obfs4proxy"

November 09, 2019

Permalink

TB on Android 9

System language is German but TB settings etc. are in English except the one setting "Sicherheitseinstellungen" (where you find the Security Slider. The Slider options are in German too). Everything else is in English. Problem since TB 9.0.

Even if I change the language in the settings from "System default" - which is German - TB 9.0.1 is still in English.

This problem doesn't occur on Linux and Windows. Android only.

November 09, 2019

Permalink

I am Roxie trying to reach the dark web. I am on an Android phone and i just cant figure it out. Needing help

"Dark web" is a fearmongering term mostly used by willfully ignorant non-techie reporters who are not properly doing their jobs, because they are not fact-checking government punted misinformation.

You probably mean that you want to use Tor on your Android phone to visit "onion sites" (formerly called "hidden services sites"), which can only be reached via the Tor network, which you can join by downloading, installing, and using Tor Browser.

A few points to bear in mind:

o "Tor Browser for Android" may not work with older or cheaper Android phones

o only download it from torproject.org

o verify the detached signature with GPG if at all possible

o only use the latest version

If you also have a laptop or desktop, you may also want to consider using the latest version of Tails. Unfortunately Tails is not available for smart phones but it enables you to boot a computer with a 64 bit CPU from a DVD or USB. Tails is an "amnesiac" operating system which comes with Tor Browser and much more useful software. It provides extra protections while using Tor Browser so it is a good tool for anyone who is politically active, a government official, scientist, doctor, lawyer, journalist (or maybe I should say: who requires oxygen, water, or food in order to continue to exist). See tails.boum.org.

Welcome! Yes, Tor Browser is able to block some ads and trackers if you click the shield icon to raise the security level. It is not bundled with a normal type of adblocker. Please read the Tor Browser User Manual as well as the Support FAQ and Documentation pages linked in the top header of torproject.org. Near the top of the Documentation page, you can find the old Overview and old General FAQ.

November 10, 2019

Permalink

Tor was running fine. Now when i open Tor all i get is 'Gah! Your tab just crashed'. I uninstalled, reinstalled Tor. Problem still exists every attempt to use Tor.

November 10, 2019

Permalink

I am getting error "firefox.exe"
"Te application was unable to start correctly (0xc000007) Click OK to close the application"

Does this mean the Tor Browser 9.01 is not portable anymore?

I am running Windows 7
I tried both
torbrowser-install-9.0.1_en-US
and torbrowser-install-win64-9.0.1_en-US

Tor Browser 9.0.1 is supposed to work on Windows 7.

A possibility is that a missing Windows update is causing this issue. At least that's what searching this error in a search engine seems to indicate. You can try to install the latest Windows updates if they are not installed yet.

It's not that Avira isn't good, per say. When this happens, it's usually the case that the Tor Browser version was too new for scanners to recognize it. A few days after this version was released, the scanner providers updated their virus definitions and found that Tor Browser, while it may contain what looks like it could be something suspicious to a heuristic scanner, is actually clean. Its first incorrect reaction is called a "false positive". Most of the time, it is resolved simply by waiting a few days and then scanning it again. Regardless, it is recommended to always verify Tor Browser's cryptographic signature for integrity and authenticity which you can do immediately.

If you still want to change you scanner, look at professional research comparisons of them:
https://www.av-comparatives.org/
https://www.av-test.org/
https://www.virusbulletin.com/testing/

November 11, 2019

Permalink

Request to access cookie or storage on “https://....” was blocked because we are blocking
all third-party storage access requests and content blocking is enabled.

...many websites still not loading properly, especially thumbnails are missing.

November 12, 2019

Permalink

How can I export TBB's bookmark without internet? Before version run /tor-browser_en-US/Browser/firefox --safe-mode, but now can't

You can backup the SQLite bookmarks database and later overwrite the database in Tor Browser when you want to restore from your backup. When you restore the backup, this procedure overwrites all bookmarks in Tor Browser with your backup copy. Tor Browser must be closed before these procedures, or the database file could become corrupted. I don't know of an easy way to export and import bookmarks by HTML in Tor Browser without internet.

Backup:
Close Tor Browser. Open the folder where tor-browser was installed. Go to ./Browser/TorBrowser/Data/Browser/ Copy places.sqlite to a folder outside of the Tor Browser folder.

Restore:
Close Tor Browser. Go to that folder inside the tor-browser folder. Copy your backup places.sqlite into that folder and overwrite the file there.

November 20, 2019

In reply to sysrqb

Permalink

because they said it wouldn't run (TB doesn't open) without internet. the library UI is not accessible.

November 14, 2019

Permalink

Hello torproject,

what's the reason for, everytime clicking on the Security level icon, want to see Optoins,
the tor Logs, the Tor Browser is Phoning Home to torproject. For what? Why? Is phoning home, telemetry the new must have?

November 14, 2019

In reply to boklm

Permalink

I'm not you(-: but i have the same problem.
All updates within about:config are off but Torbrowser is phoning home in the same form to aus1.torproject.org .
Phoning home is ALL unwanting automated connection, all unwanted automatic updating to a server/machine you don't want and you can't switch it off. Switch it off without tricks, without hack the programm. Try to switch off all phoning home -unwanted telemetry- in MicrosoftWindows10, and you know what i mean with phoning home, hardcore.
Torbrowser/FirefoxESR should not going the same way. I am really not the only one who think so. A lot of professionals think so too, because its logic.

November 15, 2019

In reply to boklm

Permalink

"find if an update"

Thats Ok when you want it, automated updating. But it's not you can't switch off. Normal browser interaction start this updating -not ok.

In other words, you all want it to "phone home" as you call it, only when you tell it to phone home? There are too many misunderstandings here to sort through. Your traffic is mixed in the Tor network. It's not like regular internet routing. "Phoning home" implies sending your data to them, but it doesn't do that. The worst I see from it is a regular timed heartbeat through the exit relays that, if all exits in all countries are ever monitored by the same group which is not feasible anyway, could merely estimate how long that browser has been open and predict when the next beat will occur. The heartbeat looks exactly like everyone else's except shifted by a unique phase time. I don't know if its phase shifts when the browser starts a new identity or how much randomness is added by the browser, the Tor protocol, and the network. If it's triggered when the user opens the Preferences tab as comments said, that's more randomness.

November 14, 2019

Permalink

Tor browser 9.0.1 is connecting to:

firefox.settings.services.mozilla.com:443

It connects consistently to this address. Seems to be some kind of hardcoded telemetry. This needs to be fixed.
There is also a mozilla CDN connection that happens sometimes but couldn't copy url fast enough.

>Tor browser 9.0.1 is connecting to:
>firefox.settings.services.mozilla.com:443

Easy to solve yet unlike the problem with unwanted automated updating.
about:config, delete these entries.Solved.

November 14, 2019

Permalink

Tor Browser 9.01 only works in safe mode. When I star tor browser normaly the application hang

Depósito con errores , tipo 0
Nombre de evento: AppHangB1
Respuesta: No disponible
Identificador de archivo .cab: 0

Firma del problema:
P1: firefox.exe
P2: 68.2.0.7031
P3: 00000000
P4: c966
P5: 67246080
P6:
P7:
P8:
P9:
P10:

November 18, 2019

Permalink

In response to Boklm’s comment on November 8, in relation to the NoScript toolbar button that “not all options from this button are safe to use”
A user asked the question:
“Which options are not safe and why?
Could I request that, if you or your colleagues are going to state such things, esp. warnings, in the future could you/they expand on what they are saying so that users are better informed and can take action?”

Apart from the specific subject of that user’s question, the user has raised a good point in relation to apparent ‘warnings’.
Could Boklm please respond to the specific point and anyone who offers ‘advice’ please say exactly what they mean, with examples?

Thanks

Noscript comes with a myriad of configuration options and it's unclear which ones are safe to use. So we plan to replace it with a new button providing a limited set of options.

You can read the proposal for more details about this:
https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals/101-s…

And the latest discussions on the ticket about per-site security settings support:
https://trac.torproject.org/projects/tor/ticket/30570

November 19, 2019

In reply to boklm

Permalink

That's a really good idea, given NoScript's behavior contributes to browser fingerprint, it is hard to stay indistinguishable with such fine-tuning. Actually, NoScript also learns unique behavior eg,when one decides to "always block this potential XSS" in the popup dialog. As unbiggest NoScript fan I'm hoping for replacement with some simple (High/Medium/Low/Trusted IE style) reputable (can't forgive NoScript hacking other extension's data) control for JS execution

November 19, 2019

Permalink

REALLY unhappy about this update. Some servers are blocking exit nodes in the nasty way - by spewing an error page for the GET request (eg. Cisco, anything running varsnish etc etc). But... if page summary presented by eg. DuckDuckGo is really promising, one can roll the dice by clicking "new curcuit" button in the UI provided by Torbutton, so given much enough desire (read patience and time wasted) to read the contents, one could actually reach the page in question. Life's pretty bad, isn't it?
But I stumbled upon catastrophically worse case: firewall.cx decided to be even more nasty to tor users - they are firewalling exit nodes and... there is no UI to try a luck at another node! Torbutton doesn't recognizes an Firefox's internal "problem loading" page as "site" for which it could request a new virtual circuit!
And the worst: the issue described above also applies to usual cases when your randomly selected exit node having some network health issues, so there is no escape, site becomes inaccessible until MaxCircuitDirtiness timeout expires (or you have to do "new identity" or restart tor)

November 20, 2019

Permalink

I keep getting the error message "x was blocked because we are blocking all third-party storage access requests and content blocking is enabled." It caused an infinite loop and prevented me from logging into Facebook comments plugin. How do I disable blocking of third-party cookies?

November 22, 2019

Permalink

I need to know if you are going to produce a "Black Screen of Death" Fix.
*BOTH* of my multi-user Development VMs have been hit by this poor QA update to v9.0.1
Ironically preventing completion and release to the community of privacy related software.

NONE of my diverted time fiddling around with AppArmor settings fixed this.

Thankfully my practice of not having monoculture single points of failure ( using chromium based browsers)
is the ONLY way I can get this to you!

It is the last straw for me; I have been concerned for some time at the egregious resource (CPU) demand at startup
suspicious that it is attempting rowhammer or spectre/meltdown class base processor games.
All of my VMs, including Fresh Builds are equally affected. It is not some extension update
poison that is responsible.

But I will retain torbrowser on end user VMs used for technology demonstrations.

When the QA quality of updates returns to what I was happy to immediately add when busy!

My compliments to the Dev team. I hope that this instigates a learning process so that
this catch22 lockout NEVER happens again...

I cant update it. I cant reload it from scratch tarballs off your site (Whonix Workstation instances)

Those systems are now SOL for torbrowser, and a VERY poor or negative choice example at demo time.

Please advise here and put up a permanent page that gets listed at the head of typically serach engines.

THANKS

November 24, 2019

Permalink

Sometimes, when I start Tor Browser, the start page states that "Tor is not working in this browser". However, when I go to the URL "check.torproject.org", The site said that "This browser is configured to use Tor."

I want to know if there are other users that encountered similar issues.

Thank you.

Information:
OS: Windows 10
Browser Version: 9.0.1

November 24, 2019

Permalink

i have new windows 7 install when i try to open TB9,901,95a2Alpha it says:

The program can't start because api-ms-win-crt-convert-l1-1-0.dll is missing from your Computer. Try reinstalling the program to fix this problem.

TB8 and latest firefox is working fine. No other program is showing this error.

November 24, 2019

Permalink

I have a question.
It still uses HTTP circuit rather than HTTPS when starting and even when HTTPS everywhere is enabled is enabled while browsing, check for port and it shows using port 80.

November 25, 2019

Permalink

After updating to this version the new tab crashes every time. It displays "Gah, your tab just crashed" tried re-installing, disabling add ons and all that. The older version works fine but as soon as it updates it gives above mentioned error. please help ASAP.

November 25, 2019

In reply to boklm

Permalink

@boklm. I see the same problem on Windows10-32bits on an AMD Athlon CPU. Maybe it is just a problem of compiler. Sometimes a program can crash because:
- Compiler has a bug, producing invalid code on rare occasions.
- Source code has a bug only revealed on certain compilations (ex. use after free).
- Too aggressive compiler flags (ex. -Ofast).
- Uses unsupported instructions (ex. SSE4.2 when CPU only supports SSE4.1).
Maybe ask the other users also what CPU they are running on.

No Antivirus ever here (Windows Defender also disabled) !
I like it when my PCs are infected and malwares ruin my UX, including a crash on the TB about:tor page ! ;)
TB 9.0.1 tested on the same AMD Athlon PC on Debian 10 x64 and no crash on about:tor page, so it looks like the bug is limited to the 32-bit version of TB.

You can run Windows Defender scan to be sure ;)
The bug is limited to the 32-bit version of Windows 10 on AMD Athlon PC, FWIW.
What error code do you see in the Windows Event Viewer for that crash?

November 26, 2019

In reply to boklm

Permalink

Firefox 68 works fine. In fact, on TB 9.0.0, the about:tor page does not crash and TB 9.0.1 seems to work fine apart from this crash.

  1. CPU-Z info (extract)<br />
  2. -------------------------------------------------------------------------<br />
  3. Windows Version Microsoft Windows 10 (10.0) Professional 32-bit (Build 18362)<br />
  4. Specification AMD Athlon(tm) 64 X2 Dual Core Processor 3800+<br />
  5. Instructions sets MMX (+), 3DNow! (+), SSE, SSE2, SSE3, x86-64<br />

November 27, 2019

Permalink

Right now I use Tor for Windows but I want to change to Linux Mint.

For Windows, since you have had those ‘new’ pages, all I have to do is download the files from https://www.torproject.org/download/ and verify the signature by following the instructions on the page: https://support.torproject.org/tbb/how-to-verify-signature/

If all is OK I double-click the ‘exe’ file, everything starts and I am using TOR.

I have just downloaded and installed Linux for the first time.

I have downloaded and verified the TOR Linux files in the same way that I have for Windows – all is OK - but I can’t make them run.

I have found the instructions for Debian and Ubuntu under your ‘Expert Guides’. Since my version of Linux is based on Ubuntu I thought these instructions would help but as I am new to Linux I don’t understand them.

I see that the TOR file for Linux has the extension tar.xz. Can anyone please tell me how I install it so that it works with Linux?

Or can someone please give me step-by-step instructions to download, install and run the TOR Linux files under Ubuntu?

Thank you

"I have found the instructions for Debian and Ubuntu under your ‘Expert Guides’."

Do you mean this? The new site may have confused you because the "Documentation" link in the top header goes to the old 2019.* site.
https://2019.www.torproject.org/docs/debian.html.en

Those instructions are for tor, the network daemon, not for the Tor Browser Bundle that contains the daemon and a modified Firefox. Also, torproject.org URLs beginning with "2019" go to the old website which is there in case the new purple-colored site doesn't answer the question. Follow the Tor Browser Manual that boklm posted. You can find the manual from a Support question too: How do I install Tor Browser?

November 29, 2019

Permalink

Why are comments turned off on some of these blogs? Like with

"We Can Choose an Internet Without Surveillance"

I have an opinion that none of this is true. Tor is not what it once was, an I am thinking that is why so many people left.

> so many people left.

The numbers don't show that. User counts show fairly steady numbers around 2,000,000 for the last 6 years plus increasing bridge user counts that fluctuate wildly from 30,000 to 180,000. The spikes are usually from botnet malware or big news events such as national internet shutdowns. Perhaps chatter has decreased where *you* spend your time.
https://metrics.torproject.org/userstats-relay-country.html?start=2010-…

November 30, 2019

Permalink

Hi everybody,

It not recommended to use ad-ons to the browser (I am using FF). Standard are HTTPS and NoScript. First time I tried one of my normal webb-sites I saw the site full of ads. NoScript showed zero (0) meaning full blocking when looking at presented scripts. Second time I used the 9.0.1 browser it started to stop ads (reading "connection disabled" in ads-areas). This time though the browser started to utilize much more cpu and not working well. When changing site-pages ads showed up here and there but not everywhere!

How does the ad-free Tor Browser work? The site I tested was a "trusted" http-site. In my normal FF browser I use an anti-ads ad-on and it is working perfect.

Ad-free Tor Browser implies using an adblocker. This is what I would advise at least:

NoScript may conflict with adblockers, so maybe disable it (at your own risk) on the about:addons page.

Then install uBlock Origin from the Firefox Add-ons site.

Then open the uBlock Origin dashboard, go to the settings pane, enable "I am an advanced user", all privacy settings and block remote fonts.

Then in the Filter lists pane, select the filters you really need (to see all filters available, click on the "+" on the left of the line "x network filters + y cosmetic filters from:").

Then close the dashboard, and set uBlock Origin blocking mode to at least Medium.

Finally, install Cookie AutoDelete and set it to "Enable Automatic Cleaning after x seconds" and "Enable Cleanup on Domain Change".

Installing other privacy related add-ons like Decentraleyes or Privacy Badger is rather redundant if you set uBlock Origin to Medium block mode and enable privacy related filters.

ClearURLs is a very nice add-on and may be the most effective to remove tracking elements from URLs, but I am a bit nervous with the fact that it automatically downloads its rules from an external file on Gitlab. uBlock Origin also download filters, but gorhill is an outstandingly good developer and I trust him more than the ClearURLs developer, who still has to prove his worth...

December 03, 2019

In reply to boklm

Permalink

I dream of a Tor Browser including by default more of these privacy related extensions (especially the essential uBlock Origin):
https://www.privacytools.io/browsers/#addons
https://amiunique.org/tools

BTW, my fingerprint tests on Panopticlick and here AmIUnique reveal what makes my Tor Browser mostly unique (30 days period):

  1. Screen resolution (<0.01%) [full screen and repulsive letterboxing disabled]
  2. Navigator properties (0.02%) [Surprise! 30 properties in navigator object]
  3. List of fonts (0.19%)
  4. Permissions (3.74%) [geolocation:denied, notifications:denied, persistent-storage:prompt, push:denied]
  5. User agent (4.63%)

Trying to block fingerprinting through coalescence is a pipe dream !
The only solution according to me is the universal randomization of fingerprints. If every user constantly changes his fingerprint (by randomly changing bits of the sources of fingerprinting) during a session, then it is impossible to uniquely and durably identify users. I hope Firefox will enhance its resistFingerprinting feature and implement randomization of fingerprints in the near future...

The results given by Panotpticlick or AmIUnique are not really meaningful for Tor Browser as those tests are mainly being run by non-Tor Browser users. What is important for Tor Browser is that all Tor Browser users have the same fingerprint, but it doesn't matter if this fingerprint is similar to the one from other browsers.

About randomization of fingerprints, see the section "Strategies for Defense: Randomization versus Uniformity" in the Tor Browser design doc:
https://2019.www.torproject.org/projects/torbrowser/design/

December 03, 2019

In reply to boklm

Permalink

Thank you boklm for the infos and the link. I read the doc carefully and now better understand your "No Filters" design choice.

Concerning the randomization, I still disagree.

Uniformity is a pipe dream, because people always want to customize their tools when possible. But, by customizing their Tor Browser through configuration or add-ons, they weaken their fingerprint uniqueness without always knowing when or by how much. Claiming uniformity brings a false sense of anonymity to the end-user.

If you want uniformity then put the end-users in a jail, where they can't modify the Tor Browser. But then, I guess you won't have many users left. On the contrary, if you let the end-users do some customization, then uniformity is impossible to achieve.

Moreover, dictatorships hate liberty because they can't control people with random behaviors. They hate diversity because they can't control people with random identities. Thus, uniformity is their ultimate dream, whereas randomization is a tool to create diversity therefore liberty.

So I think your mistake is to make your design choices from a technical point of view, whereas it should be from a philosophical point of view. The technical solutions should follow the philosophical guidelines, not the other way around...

December 01, 2019

Permalink

many who updated to 9.0.1 , 32bit are getting a white space between website and tor-browser window ... can anyone tell em why and/or how to fix it?

Yes, I don't know why Tor Browser developers made this ugly design decision. The original Firefox does it right, only on page load.
Anyway, type about:config in the URL bar, then set :
privacy.resistFingerprinting.letterboxing;false

December 03, 2019

In reply to boklm

Permalink

Then please do the letterboxing only on page load, like Firefox. The way it is now is an ugly looking and disturbing hack.
Tor Browser is a great software, it just needs some polishing that would make it awesome !

it's me again .. about white space. The prob is much worse .. resizing tor window ads more white space and jumps between resolutions. It's like a mexican jumpin bean as one resizes window. CPU load on boxes older than 3 yrs goes to max.
Ok .. but is there any way to fix it ?
Another thing = when having open tabs more than window limit [let's say 100] drop down arrow list doesn't let one scroll/jump by using first letter .. as it used to. And mousing over list doesn't show URL either .. which worked before.