New Release: Tor Browser 9.5a4

Tor Browser 9.5a4 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

This release features important security updates to Firefox.

This new alpha release picks up security fixes for Firefox 68.4.0esr and 68.4.1esr. In addition, this release updates the bundled NoScript extension to its latest version.

Reproducible Builds

The issue with reproducible builds mentioned in the 9.0.1 blog post is now resolved in this release.

ChangeLog

The full changelog since Tor Browser 9.5a3 is:

  • All Platforms
    • Update Firefox to 68.4.1esr
    • Bump NoScript to 11.0.11
    • Translations update
    • Update OpenPGP keyring
    • Bug 31134: Govern graphite again by security settings
    • Bug 31855: Remove End of Year Fundraising Campaign from about:tor
    • Bug 32053: Fix LLVM reproducibility issues
    • Bug 32547: Add new default bridge at UMN
    • Bug 32659: Remove IPv6 address of default bridge
  • Windows + OS X + Linux
    • Update Tor to 0.4.2.5
    • Update Tor Launcher to 0.2.21
      • Bug 32636: Clean up locales shipped with Tor Launcher
      • Translations update
    • Bug 32674: Point the about:tor "Get involved" link to the community portal
  • Build System
    • All Platforms
    • Linux
      • Bug 32676: Create a tarball with all Linux x86_64 language packs
Ferri

January 11, 2020

Permalink

> In addition, this release updates the bundled NoScript extensions to its latest version.
Not sure how many extensions you have, but this release downgrades NoScript from 11.0.12 to 11.0.11...

That is unfortunate. There is only one NoScript extension, but I see version 11.0.12 was released within the last few days. The Tor Browser release was frozen earlier in the week. Tor Browser should automatically upgrade NoScript to version 11.0.12 (again).

Ferri

January 11, 2020

Permalink

browser.display.document_color_use is still broken, and does not honor '2' the way ESR does.
IE, "colors" dialog page still broken.

Ferri

January 13, 2020

In reply to by boklm

Permalink

For many different reasons... (each version of windows has its own version of that component, it is not recommended to ship windows components, you have to maintain it, etc)

See how MS handles it:
• All updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see KB 4019990.
https://support.microsoft.com/en-us/help/4535102/kb4535102

The alpha releases include new changes that have been less tested. Those changes are usually improvements, but they can sometime cause unexpected issues.

In case of critical security issue, we fix the stable release in priority.

Also, there are many stable release users, but only a small number of alpha users. So you are part of a larger group when using the stable release.

If security and anonymity is critical to you, you should stay on the stable release. If you want to see the new changes in advance, and help test them, you should use the alpha.

Ferri

January 12, 2020

Permalink

Does anyone else notice that seemingly NoScript releases its new version shortly after the TorBrowser comes out?

Knowing that the TB users will get this update directly from the 3rd party (George) and automatically - without the Tor developer review process - is a concern.
Hope I'm wrong, but it looks like NoScript likes immediately overwriting some anonymity sanitizing that the Tor people configure in NoScript that ships in the TB bundle. Anyone to review?

Even if not, this fore-trusted add-on updating for such a critical plug-in seems to be a security loophole.
Consider disabling the No-Script auto-updating (just release new TB with the updated NoScript). Or make replacing it with an in-house solution a higher priority?

It's great to see someone else has reopened this issue, but...
This ticket has been open for 6 years!!?
Even the slightest chance of a subversion - is not that kind of critical?
Hope the programmers out there get a signal of urgency and step out to help.
Thanks to all who can.

This is pro-privacy proposal:
Intent to Deprecate and Freeze: The User-Agent string
Summary

We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in `navigator.userAgent`

Motivation

The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.

Ferri

January 16, 2020

Permalink

When I installed Tor, at the beginning the last hop of the e-mail rout was:
WhoIs 81.17.27.133? MailHops API Info Location: TZ: Europe/Zurich, , Switzerland Host:
now is mysteriously changed compromising the system because it appears:
WhoIs 109.70.100.20? MailHops API Info Location: Vienna, Austria, Austria Host: tor-exit-anonymizer.appliedprivacy.net
Do you have any advice to restore the previous settings, please?

Ferri

January 17, 2020

Permalink

Ich kann machen was ich will es gibt keine Verbindung zum möglichen Horst auch alle Kontakte zur Webseite sind unterbrochen und werden mit unsicher und veraltete Sicherheitsbestimmungen geblockt!

Ferri

January 18, 2020

Permalink

Keine Verbindung von einen Tag auf den anderen hier aus deutschland mehr möglich möglich alle Möglichkeiten wurden ausgeschöpft

Ferri

January 18, 2020

Permalink

links not working correctly

.onion links sometimes don't work. It's like refreshing the page but it works the second time.
and please add more video file types. Some videos does not load when I try to.

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

15 + 0 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.