New Release: Tor Browser 9.0.4

Tor Browser 9.0.4 is now available from the Tor Browser download page and also from our distribution directory.

This release fixes a critical security issue in Firefox: CVE-2019-17026.

The full changelog since Tor Browser 9.0.3 is:

  • All Platforms
    • Update Firefox to 68.4.1esr
Ferri

January 09, 2020

Is TB 9.0.3 vulnerable to CVE-2019-17026 if the security slider is set to the Safer level? javascript.options.ion is set to false in that configuration, which suggests not, but my layman's interpretation may be wrong.

If anyone has information on who was the target of this attack and IOCs please share.

For several years, some Tor Browser users have urged Tor Project to consider relabeling the security levels as "Safest", "Safer", "LessSafe" and to set the default security setting at "Safer" or even "Safest".

The fact that this particular exploit appears to only work against TB at the default setting once again underlines the fact that it would help keep many users safer if Tor Project set the default security level higher and educated users about the possibility of dropping down to the unsafe level if they really need it to use a particular website on a particular day.

I understand the caution and why you don't want to disable javascript by default.

I make the counter argument that if a user is not aware enough of the issues involved to know that some websites will not function without JavaScript enabled, they would also not be aware of the security risk present when JavaScript is enabled by default.

Perhaps a good have-your-cake-and-eat-it-too option would be to:
- Disable JavaScript by default.
- When a user tries to load any page with JavaScript, display a message saying that it is disabled, explain why, explain that some pages will work poorly or not at all without it, then tell them how to re-enable it (possibly including a link to the control).

Not everyone who has a car knows about engines, but if you buy a muscle car with a customized engine, then you are likely a little bit more interested in how engines work...

Ferri

January 09, 2020

Why is Tor Browser trying to update automatically even though I DON'T want this?
How can I switch 'automatic update'/notification off reliably?

"Why is Tor Browser trying to update automatically even though I DON'T want this?"

Because Tor Browser aims to keep its users safe. As shocking as this may seem to you, you as a tinkerer are not the principal target audience, so a random feature that you wish for them to implement, which doesn't make any sense for regular users but would instead be detrimental to them, is obviously not going to find its way into the browser.

"so a random feature that you wish for them to implement,"

It's OK to set auto-update as the default, but not to force it compulsorily on all users and tell nudging fairy tales about a "random feature" for a shocked tinkerer.
This "random feature", in your words, is a standard matter of one's choice.

To CHOOSE between auto-update/telemetry and no back-channel is essential for trust. No one is arguing against auto-update as the standard for "regular users".

"is obviously not going to find its way into the browser."
Sounds ideological, not technological.
By the way, do you remember the ROFL from the NSA about MS Windows sending all the info about your system every time it crashes? You could stop that behaviour with a click (-:

Ferri

January 09, 2020

Can you please disable that spinning screen when clicking on the Security Level icon and then clicking "Advanced Security Settings"? Also, it was more efficient in prior versions when you could change the Security Level without going into a separate tab and menu. Thank you.

Relay nicknames are less unique than IP addresses. Operators could agree to name them all "Unnamed" if they wanted to. IP addresses are the basic thing to tell them apart because you have to know them to connect, and they are the key field to many other things like country names. Is there a reason why nicknames should be shown? Metrics.torproject.org is searchable by many flags including name or IP.

Ferri

January 09, 2020

Privacy Pass has stopped working in Tor. It used to work, but stopped a few releases ago. When a captcha has been solved, the check mark comes on but does not advance. After a while an error message appears saying that the solution has expired. No passes are added either. Tor only continues to work if Privacy Pass is removed using the Add-on Manager.

Ferri

January 09, 2020

What's actually going on in China now? The number of meek users has decreased drastically recently, and there are now either 0 or next to 0 obfs4 users. Furthermore, how can there be thousands of relay users (apparently more than bridge users) there?
Is something going on with Microsoft Azure in China right now? Are Azure websites also only intermittently available there now?

I too see a trend inversion in the number of users over meek. It starts around mid-2019. But it's not only in China, it's worldwide. There are also 5 short periods afterwards that are statistically abnormal. The default OR bridge and the meek bridge suddenly have their upper and lower bounds for the user-count estimation diverge massively. At the same time the directories report huge swings in activity over default OR bridges. [1][2] Maybe that breaks the estimation heuristics. What causes those swings?

Meek-azure still works in China in at least some places with at least some providers, but it is very slow. It can take over half a minute to load duckduckgo. People would probably instead first tunnel over VPN.

Obfs4 does work in China but only with unpublished bridges. [3] The authorities are somehow able to reveal and block everything in the BridgeDB. The low obfs4 statistics can mean two things:
- Setting up a private server to run a private bridge with obfs4 is a bad investment. You could use other protocols to escape the Chinese internet instead (e.g. V2RAY). You get an optional faster clearnet connection and your protocol is less suspicious.
- People are actually using private obfs4 bridges but they don't arrive in the statistics.

There can't be any normal relay users. Tor is blocked and I am not going to test a direct connection. The GFW messes with all your connections afterwards for some time (slowing and time-outs). They must be from the government or not actually in China.

[1]: https://metrics.torproject.org/userstats-bridge-combined.html?start=201…
[2]: https://metrics.torproject.org/userstats-bridge-transport.html?start=20…
[3]: https://trac.torproject.org/projects/tor/ticket/29279

My guess is that many of these alleged direct connections are due to GeoIP inaccuracies. Relays are using Maxmind's GeoLite2 to map client IP addresses to countries. GeoLite2 lags behind modern GeoIP databases in terms of accuracy and may mistakenly map IP addresses from, say, Hong Kong (where Tor works) to China.

Also, when setting up a private bridge, use BridgeDistribution none instead of PublishServerDescriptor 0. Both make your bridge private but the former also makes your bridge publish client statistics, which contribute to Tor Metrics.
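A complete torrc for a private obfs4 bridge that stays out of BridgeDB but still reports usage statistics, as an added example illustrating the distinction above (it is not from the comment's author or from the Tor Project's own documentation). The port numbers, obfs4proxy path, nickname and contact address are placeholders to adjust for your host:

```text
# torrc for a private obfs4 bridge (added example; ports, path,
# nickname and contact address below are placeholders, not real values)

BridgeRelay 1
ORPort 9001
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:9443
ExtORPort auto
Nickname ExampleBridge
ContactInfo bridge-op@example.net

# Keep the bridge out of BridgeDB (it will never be handed out to anyone),
# while the bridge still registers with the bridge authority, so its
# per-country client counts reach Tor Metrics.
BridgeDistribution none

# Do NOT use this line for the same purpose: it suppresses descriptor
# publication entirely, so the bridge never reports any statistics.
# PublishServerDescriptor 0
```

Both the ORPort and the obfs4 port must be reachable from the clients you hand the bridge to. After the first start, obfs4proxy writes the client-side `Bridge obfs4 ...` line (with the `cert=` parameter) to `obfs4_bridgeline.txt` under Tor's `pt_state` directory; that line is what you pass out of band to the people who should use the bridge.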

As far as I can tell, "blocked by GFW" means "available sometimes, but not most of the time". It's very hard to tell how the GFW works, but it's clear it doesn't work consistently. Connecting to Facebook and Google succeeds sometimes, but fails the vast majority of the time. Similarly, connections to GitHub succeed most of the time, but fail sometimes. Connections to Wikipedia also fail very often, but not as often as connections to Google or Facebook. I'd expect the same to be true for Tor relays.
My guess is that those aren't actual users, but malware that connects (or, more likely, tries to connect but fails to bootstrap) to Tor. Given what I know, that appears to be the simplest explanation.

I agree! Why can't the Tor window position and size be remembered when closing/opening? It's so annoying to always have to resize and reposition.

I really appreciate Tor for being more secure when we are online, and right now I'm "testing" my usage and will be glad to pay for it, but later, after I am comfortable with my browser experience. Meanwhile, my "Favorites" saved websites and my bookmarks appear somewhat out of sorts. I know that those behind this wonderful and developing browser are still working on 'perfection', so to speak, but meanwhile it would be a good idea to welcome user surveys/comments.

Meanwhile, keep up the good work! I'm sure there are people that will be glad to pay 'something' to use a secure browser, even if it's $2 a month.

It seems that many Tor users are still disconcerted by the standardized window sizes and positions, but this is an important security/anonymity feature.

One way to think about this is that each place in your computer in which Tor Browser saves data opens up a potential security vulnerability.

More generally, increasing convenience tends to be inconsistent with improving cybersecurity. Bookmarks can be particularly revealing if an attacker is able to reach them.

I hope many more people will adopt Tor Browser in the months to come, and will start following the cybersecurity news (e.g. arstechnica.com, theregister.co.uk and many other sites). I have found that reading about real world exploits helps to maintain my awareness of the need to be very careful in trading away cybersecurity for some not truly necessary convenience.

Same on Linux (and Windows I guess), however, I consider this as expected behavior.

Despite letterboxing the default window size is still the recommended one to avoid fingerprinting, thus preserving custom window size would be a bug rather than a feature.

Ferri

January 11, 2020

Why is access to chrome: internal resources possible? For example, sites can detect a modified onboarding extension (TorZilla project).

At a non-Standard level, NoScript overrides the disabled webgl2. Maybe a better way is to return {} for webgl1 and null for webgl2 from getContext?

Policies are fully disabled for now. I edit omni.ja every time to re-enable them (disable updates, change search engines, etc.).
I think the policies.json-only variant is safe (at minimum no less safe than mozilla.cfg and user.js), and it would be good to re-enable it (of course, with the system-wide group policies turned off).

TorButton always overrides network.proxy.type in startup-observer.js even if extensions.torbutton.use_nontor_proxy is false.
It's not useful, because I use the same TB instance with another profile for local and loopback networks (without a proxy and without privacy/anonymity purposes).

I don't fully understand how resisting font fingerprinting works. Linux doesn't expose fonts in tests with either variant of browser.display.use_document_fonts.
But Windows exposes a lot of fonts. Is it guaranteed that all whitelisted fonts are present in the OS? I noticed that Times and Helvetica are obtained from the registry via WinAPI advapi32; that's not very reliable.

Do you have any planned solutions or recommendations for the FullScreen API screen resolution? In the past, I used my own letterboxing protection with getBrowser().maxWidth/maxHeight overrides.

Ferri

January 11, 2020

I was using Tor to access sites which, for some stupid reason, weren't available in Russia. One example is: http://www.threesocksmedia.com/
All of a sudden I get this error:
Not Acceptable
An appropriate representation of the requested resource /index.html could not be found on this server.
I am not sure if it's related to the latest update, but I started seeing it only today.
The site works perfectly fine in Opera VPN and is perfectly accessible from North America.
Regards!

Ferri

January 11, 2020

I got a red background screen on startup after install of the latest update. There was a warning message on there that said "Something Went Wrong!" "Tor is not working in this browser."

This despite the install having worked correctly according to that same page displaying the Tor version in use (9.0.4) and my settings showing the newest browser version as being correct (68.4.1esr)

And I have full functionality including a definite Tor circuit.

What's with the warning screen?

which is one of the things that doesn't work.
Besides, which omni.ja and which .js? I cannot find a .js saying anything about "app.update."... I tried for hours, and even the simplest little thing like unpacking and repacking a file makes Tor stop working.
Someone here must know. Zip doesn't work.

Ferri

January 13, 2020

Tor has been working strangely; despite the new update that took place recently, the browser has not been displaying web pages' images/information. I've tried to restart and re-download the browser, however the problem still remains the same. Any idea why this might be happening?

Ferri

January 13, 2020

mega.nz shows my real platform:
BrowserID: mozilla/5.0 (x11; linux x86_64; rv:68.0) gecko/20100101 firefox/68.0
(javascript active)
