New Release: Tor Browser 9.0.1

Tor Browser 9.0.1 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims to mostly fix regressions and provide small improvements related to our 9.0 release. Additionally, we are adding a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

For each new release, two members of our team build the release separately and compare the results to make sure that it is reproducible. For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic. As a workaround for this issue, we had to do multiple builds until we got matching builds. You might need to do the same if you are trying to reproduce our build.
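The comparison step described above, sketched as an added example (this is not the Tor Project's build tooling). It assumes each builder records its outputs as `sha256sum`-style manifest lines; the file names and digests are constructed.

```python
import hashlib
from itertools import product

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest, name = digest.lower(), name.lstrip("*")  # '*' = binary-mode marker
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name] = digest
    return entries

def diff_manifests(a, b):
    """Names whose digest differs or that exist in only one manifest."""
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def first_matching_pair(builds_a, builds_b):
    """Indices (i, j) of the first attempts whose manifests agree, else None."""
    for i, j in product(range(len(builds_a)), range(len(builds_b))):
        if not diff_manifests(builds_a[i], builds_b[j]):
            return i, j
    return None

def _manifest(variant):
    # Constructed sample: the installer digest depends on `variant`
    # (the non-deterministic artifact); the tarball digest never changes.
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return parse_manifest(
        f"{h('installer-' + variant)}  example-install.exe\n"
        f"{h('tarball')} *example-linux64.tar.xz\n"
    )

BUILDER_A = [_manifest("x"), _manifest("y")]  # two attempts by builder A
BUILDER_B = [_manifest("z"), _manifest("y")]  # two attempts by builder B

if __name__ == "__main__":
    print("attempt 0 vs 0 differs in:", diff_manifests(BUILDER_A[0], BUILDER_B[0]))
    print("first matching attempts:", first_matching_pair(BUILDER_A, BUILDER_B))
```

Listing the artifacts that differ between attempts, rather than only reporting a mismatch, narrows down which build step is non-deterministic.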

Note: due to some delay with the signing, the Android version is not yet available. We expect to be able to publish the signed Android version in a few hours. Update: the Android version has been published.

ChangeLog

The full changelog since Tor Browser 9.0 is:

  • All Platforms
    • Update NoScript to 11.0.4
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campaign
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
  • Android
    • Bug 32342: Crash when changing the browser locale
Anon

November 05, 2019

Great stuff 9.0.1 ...... only one problem, it doesn't fucking work. Blank screen, or a window that is transparent with nothing in it. I've tried to go back to a previous version 4 times but every time it keeps updating the damn thing. So what is going wrong?

after a quick look i noticed the black dark theme, i had nothing against the purple one.
however since you guys have minimized the full window size there are white edges on the sides, those two i would happily and much appreciate to see as black rather than white. it really kills the eyes when sitting in the dark and the only white/light thing are those two edges.

the website theme itself is alright with green and purple :)

thanks in advance!

We have this ticket about changing letterboxing color when dark theme is enabled:
https://trac.torproject.org/projects/tor/ticket/32220

me too

> it really kills the eyes when sitting in the dark

https://blog.torproject.org/comment/284968#comment-284968

restart after this update:
Error: listener not re-registered 8 ExtensionCommon.jsm:2318:24

it's a new regression

Why the duck it updates NoScript 11.0.7 to 11.0.4?

"For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating is making our build not completely deterministic."
Windows builds are not affected, because they're still -O2, right?

No, Windows builds have been affected by this.

Oh shit, you mean we have RUSTC_OPT_LEVEL=2 everywhere, so that all builds are still affected, right?
https://searchfox.org/mozilla-esr68/source/build/moz.configure/toolchai…

What if we enable cross-language LTO as in esr68, and it strips the non-deterministic parts?

George here, my Avira also said it detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating. What about this?

I watch youtube's video over https://invidio.us. When I have security level "SAFER" cannot view the video. Noscript unblock invidio.us site but do NOT unblock from youtube.com

For watching videos, you might want to look at Tails (see tails.boum.org), a free open source Linux distribution which provides current Tor Browser and many other useful things in an amnesia way. I think this may provide a significantly safer way to watch videos or do anything else which possibly requires dropping to "Standard" setting in Tor Browser.

(I am not affiliated with either Tails Project or Tor Project, but I use both Tails and Tor Browser.)

> Noscript unblock invidio.us site but do NOT unblock from youtube.com

I don't understand what you mean. Is that an observation or a request? Anyway, Invidio simply embeds videos from googlevideo.com, AKA YouTube's CDN. In NoScript, you have to allow "media" from invidio.us and googlevideo.com. Hamburger menu -> Customize -> Drag the NoScript icon to your toolbar. -> Refresh an invidio player page. -> Click the NoScript icon -> Click "Temp. Trusted" for both sites, or click "Custom" and allow "media" for both sites.

NoScript's click-to-play blue popup might not allow them to play because its Options enable "Cascade top document's restrictions to subdocuments." On youtube.com, you only have to enable "media" for youtube.com. But on domains that embed youtube videos, you have to enable "media" on the first-party domain. Click-to-play might not offer an option for the first-party domain and therefore be misleading and not work.

> Click-to-play might not offer an option for the first-party domain and therefore be misleading and not work.

I just had that happen on a different site. This is important, developers. "Cascade top" and click-to-play are incompatible when media is embedded. Click-to-play should allow the embedded third-party and first-party together if "cascade" is checked. It doesn't play unless you allow both parties.

about:tor crashes Tor Browser 9.0.1 on Windows:
"Gah. Your tab just crashed. We can help! Choose Restore This Tab to reload the page."

I have same problem, is there a fix?

I think we don't know about this issue.

Is this an issue that is new with version 9.0.1, or did you have it with previous versions too? Is it an issue that happens every time you open the browser, or only sometimes? Do you have the issue on other pages than about:tor?

Also, are you using the en-US browser, or another locale?

This happens every time I open tor, on every page. It says "Gah, your tab just crashed". Older version works fine, but as soon as I update to this version it gives out an error.

Which version of Windows are you using?

just

navigator.userAgent
"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

8.0 bug

fix https://trac.torproject.org/projects/tor/ticket/28290

Why should Tor Browser report the real OS to sites? In terms of privacy, it doesn't make sense, and I don't care if the GNU/Linux "market share" "shrinks" as a result of more protection against fingerprinting.

May someone please answer about "Trojan Positive" in this release? I've tested on VM in Ubuntu, with two pro AV, both gave the same result.

Tested on VM - Windows10 - Avira AV - Detected Trojan on - "qipcap.dll"
Tested on VM - Windows7 - Norton AV - Detected Unsafe File - "qipcap.dll" (Norton didn't detect it as trojan, but as unsafe file, which means it could be false-positive, or not...)

Many users have reported this but still no answer from anyone, and there are many answers on less important questions. This is something that should be tested and explained to users why it's happening, if that is false positive then why. As someone said, this totally ruins TOR's reputation, and I am sure nobody wants that. Thanks for your time and hard work to keep the online privacy possible for regular users.

"if that is false positive then why"
false positive
because AV is a piece of crap

"but still no answer from anyone"
because they are tired answering stupid questions

same security warning with me. Avira sanitized qipcap.dll. Trojan or false positive?

If you downloaded Tor Browser from the torproject website, then this is a false positive. Some antivirus consider that files that have not been seen by a lot of users are suspicious.

Please bring back the "Do not check for updates"
Very tired of having to rebuild a previous version thanks to bugs in latest release e.g. Noscript does not work in 9.01

It should be possible to select in the preferences: "Check for updates but let you choose to install them".

Do you have more details about the noscript issue?

I have checked the preference for "Check for updates but let you choose to install them".
Tor still automatically installs 9.01, and wipes out all my settings as well.

"should be possible to select in the preferences: "Check for updates but let you choose to install them"."

Is 9.0.1 still Phoning Home every time you open the Preferences menu?
When yes this would be .....very ...inconvenient.

If you really want to bring back "Do not check for updates",
"Check for updates but let you choose to install them" is in NO way
the same.
Every time the user is opening about:preferences/Tools->Options, 'Security Level',
TBB is phoning home! This isn't funny. Do you wanna have the user is trusting you?
The same s..t you have with vanilla Firefox.

+1 - "Do not check for updates" much appreciated.
i don't wanna ping you every launch of TBB!
i've tried different settings in about:config and there's still this update prompt.
how to disable TBB version check?
extensions.torbutton.versioncheck_enabled;false does not work!