New Release: Tor Browser 9.0.1

Tor Browser 9.0.1 is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 9.0.1 is the first bugfix release in the 9.0 series and aims to mostly fix regressions and provide small improvements related to our 9.0 release. Additionally, we are adding a banner on the starting page for our fundraising campaign Take Back the Internet with Tor.

Known Issue

For each new release, two members of our team build the release separately and compare the results to make sure that it is reproducible. For the 9.0 and 9.0.1 releases, however, an issue that we are still investigating makes our build not completely deterministic. As a workaround, we had to do multiple builds until we got matching builds. You might need to do the same if you are trying to reproduce our build.
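The comparison step described above can be sketched as follows. This is an added example, not the Tor Project's build tooling: it assumes each builder records the build outputs in a sha256sum-format manifest, and the file names and digests are constructed sample data.

```python
import hashlib

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse sha256sum output ("<64 hex>  <name>") into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.lstrip(" *")  # '*' marks binary mode
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        if name in entries:
            raise ValueError(f"duplicate entry: {name}")
        entries[name] = digest
    return entries

def compare(a, b):
    """Return (mismatched, only_in_a, only_in_b) as sorted lists of file names."""
    mismatched = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())

def first_matching_pair(attempts_a, attempts_b):
    """Return the first (i, j) where A's attempt i is identical to B's attempt j.

    Models the workaround: with a not fully deterministic build, each builder
    may need several attempts before any two of them agree on every file.
    Empty manifests never count as a match.
    """
    for i, ma in enumerate(attempts_a):
        for j, mb in enumerate(attempts_b):
            if ma and compare(ma, mb) == ([], [], []):
                return i, j
    return None

def digest_of(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample: builder A's first attempt differs in one artifact.
GOOD = (f"{digest_of(b'linux')}  artifact-linux64.tar.xz\n"
        f"{digest_of(b'win')} *artifact-win64.exe\n")
FLAKY = (f"{digest_of(b'linux-variant')}  artifact-linux64.tar.xz\n"
         f"{digest_of(b'win')} *artifact-win64.exe\n")
BUILDER_A = [parse_manifest(FLAKY), parse_manifest(GOOD)]
BUILDER_B = [parse_manifest(GOOD)]

if __name__ == "__main__":
    print("first attempts differ in:", compare(BUILDER_A[0], BUILDER_B[0])[0])
    print("matching attempts (A, B):", first_matching_pair(BUILDER_A, BUILDER_B))
```

A mismatch reported by compare() names the artifact that needs rebuilding or investigating; a missing file on either side is reported separately so that an incomplete build is never mistaken for a match.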

Note: due to some delay with the signing, the Android version is not yet available. We expect to be able to publish the signed Android version in a few hours. Update: the Android version has been published.

ChangeLog

The full changelog since Tor Browser 9.0 is:

  • All Platforms
    • Update NoScript to 11.0.4
      • Bug 21004: Don't block JavaScript on onion services on medium security
      • Bug 27307: NoScript marks HTTP onions as not secure
    • Bug 30783: Fundraising banner for EOY 2019 campaign
    • Bug 32321: Don't ping Mozilla for Man-in-the-Middle-detection
    • Bug 27268: Preferences clean-up
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.20.2
      • Bug 32164: Trim each received log line from tor
      • Translations update
    • Bug 31803: Replaced about:debugging logo with flat version
    • Bug 31764: Fix for error when navigating via 'Paste and go'
    • Bug 32169: Fix TB9 Wikipedia address bar search
    • Bug 32210: Hide the tor pane when using a system tor
    • Bug 31658: Use builtin --panel-disabled-color for security level text
    • Bug 32188: Fix localization on about:preferences#tor
    • Bug 32184: Red dot is shown while downloading an update
  • Android
    • Bug 32342: Crash when changing the browser locale

Anonymous

November 05, 2019

torbrowser-launcher developer very bad. Must disable apparmor torbrowser.Browser.firefox for 9.01 upgrade for work.

sudo apparmor_parser -R /etc/apparmor.d/torbrowser.Browser.firefox

noscript and httpseverywhere plugin icon no show top bar. Please fix.

9.01 new bug. Not black window bug. micahflee/torbrowser-launcher bad developer. micahflee/torbrowser-launcher bug not let 9.0 upgrade 9.01

micahflee/torbrowser-launcher still other bug. noscript and httpswhere icon no show on top bar with ubuntu apparmor. micahflee/torbrowser-launcher always lots bugs. Make bad look tor.

> still other bug. noscript and httpswhere icon no show on top bar with ubuntu apparmor.

Are you sure apparmor is causing that? The icons for NoScript and HTTPS Everywhere were moved from the toolbar a long time ago. Open the 3-lines "hamburger" menu --> Customize --> Drag the icons you want into the toolbar.

Anonymous

November 05, 2019

Layman here, my Avira said it detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating. Kindly look into that!

> Avira detected a trojan (TR/Crypt.XPACK.Gen3) in file qipcap.dll on updating to 9.0.1

Confirmed.
Could you lovely Tor developers please make sure to thoroughly scan all files with the major current virus scanners and make sure that everything is actually clean and also shows up as clean. You're completely ruining the reputation of Tor if you don't. Thank you

Anonymous

November 08, 2019

In reply to by boklm

Anxious reports about a (false positive we presume) antivirus flag seem to be very common.

A post in this blog explaining how antivirus programs work and why they too often give a false positive for the latest version of Tor Browser might be helpful.

On a related point, someone said that if you DL TB from torproject.org, an antivirus flag should be a false positive which can be ignored, which reminds me of something I have been wondering about: how often do people DL "TB" (?) from a site other than torbrowser.org and why would they do that? Because censorship regimes prevent their reaching torproject.org?

> Anxious reports about a (false positive we presume) antivirus flag seem to be very common.

Yes, unfortunately for many releases since the beginning.

> DL "TB" (?)

It means "download Tor Browser". (Also, TBB means "Tor Browser Bundle" which is technically the correct name and description of the combined package of tor.exe binary + browser application instead of simply the browser.) You asked good questions about other sites and censorship; I haven't seen them discussed. Users for whom this torproject.org website is censored are urged to use GetTor or a mirror.

> A post in this blog might be helpful.

We should point them to the Support FAQ and the Tor Browser manual:

> Could you lovely Tor developers please make sure to thoroughly scan all files with the major current virus scanners and make sure that everything is actually clean and also shows up as clean.

In an ideal world, this would clearly be a good idea. But in the real world, virus scanners cost money, as does developer time, and Tor Project does not have nearly as much money as it would in an ideal world. (If you happen to be a billionaire, I guess you can help change that!)

> You're completely ruining the reputation of Tor if you don't.

I hope it's not as bad as that. I use Linux so am spared from worrying about antivirus (partly because in principle Linux is somewhat "immune" to viruses, partly because Linux security tools tend to lag behind--- hopefully because there is less need!) but you have my sympathy because I often feel frustrated by cybersecurity shortcomings. I try to keep in mind that cybersecurity is a process, not a state, and that we are all involuntarily engaged in an arms race. Some days we get a bit ahead, other days we fall behind.

We used to upload new Tor Browser releases to https://www.virustotal.com/ which scans them with many anti-virus. However it's unclear whether that really helps. It allows us to see that some antivirus detect it as a virus, but then there is not much we can do to fix that. Some antivirus also flag as suspicious any program that has not been seen by many of their users. Maybe uploading to virustotal helps with that, but not sure how much.

> partly because Linux security tools tend to lag behind--- hopefully because there is less need!

Linux and BSD are basically developed by hackers -- as in the general tinkering definition of the word. I find that most people interested in bugs in Linux spend their time sharing their findings and actually fixing them precisely because it has a usually welcoming share-alike community that accepts their energy and reciprocates it for usually positive general interests. It's organic and inviting. Further, the licenses they and other free-libre open source developers invented have played a huge role in refining general attitudes and ideals over time.

Anonymous

November 05, 2019

why have you released 9.0 and 9.0.1 if the builds are not reproducible? the point of building by two different persons is to not release anything and investigate if the builds are different
also you could consider having more than two people and two builds, two are easy to bribe

The build is still reproducible. The issue is that it can take more than one build to get a matching build. That's not ideal as it makes reproducing the build more difficult, but not releasing anything would not be a good idea as 9.0 includes important security fixes, and fixing the build issue is going to take some time.

As for having more than two people building, anybody is welcome to build the releases too.

> The issue is that it can take more than one build to get a matching build. That's not ideal as it makes reproducing the build more difficult, but not releasing anything would not be a good idea as 9.0 includes important security fixes, and fixing the build issue is going to take some time.

That makes sense.

Sometimes critical comments denigrating Tor devs seem to be over-reaching, which makes me think of an acronym similar to IRS but not IRS.

Anonymous

November 05, 2019

For me two things are a little inconvenient in TB9:
1. Cookie preference is no more in Tools | Options. Though you can still edit network.cookie.cookieBehavior manually, I think there are many users who disable all cookies by default and enable cookies temporarily only when they have to.
2. You can no longer open a new window as Blank page & go to your Home page by hitting the Home page button. This change has rendered the Home page button totally useless.

Thank you very much for your hard work. I'll keep trying to support you via donations etc.

1. If there really are many users customizing their cookie permissions, they are making other users less safe and should be dissuaded. Cookies are enabled by default because many websites don't work properly without them. Many other patches such as first-party isolation have been developed and applied to mitigate most of the dangers of enabled cookies. More patches are coming soon for per-tab security levels. I think they include Javascript isolation. If you have ideas, please tell the developers.
2. Do you mean a New Window opens a page different from your Home button? I have never heard of them being different in any browser. If it was possible before, then it's from Firefox and Mozilla is who changed it. Tor Project most likely would not change that sort of thing. Be careful setting an uncommon URL because it could be noticed by exit eavesdroppers to discover your traffic in a new identity. Every site goes through a new circuit, so an uncommon URL probably is safe, but if a bug is found that makes it unsafe, it's better if chance favors Tor Browser's principles. The Home button was not rendered useless, it opens your home page at any time no matter what is open in your tab.

Anonymous

November 05, 2019

Am I correct in guessing that Tor Browser 9.1 is immune to the following bug affecting Windows versions of Firefox?

arstechnica.com
Actively exploited bug in fully updated Firefox is sending users into a tizzy
Fraudulent tech-support sites cause Firefox to freeze while displaying scary message.
Dan Goodin
5 Nov 2019

Anonymous

November 05, 2019

Windows 10 1903 fresh install of 9.0 a week ago then updated to 9.0.1 several hours ago is running rock solid.

Anonymous

November 05, 2019

> Bug 31764: Fix for error when navigating via 'Paste and go'
mozilla seems to have a different fix...

Anonymous

November 05, 2019

Bug 27268: Preferences clean-up

"-pref("datareporting.healthreport.service.enabled", false); // Yes, all three of these must be set"
pref was removed, because now it is enabled unconditionally.

"pref("browser.fixup.alternate.enabled", false); // Bug #16783: Prevent .onion fixups"
remove