New Release: Tor Browser 9.0.5

Tor Browser 9.0.5 is now available from the Tor Browser download page and also from our distribution directory.
This release features important security updates to Firefox.
This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.2.6. We also added a new default bridge and backported a few improvements from the alpha series.
The full changelog since Tor Browser 9.0.4 is:
- All Platforms
- Windows + OS X + Linux
- Bump Tor to 0.4.2.6
- Windows
- Bug 32132: Re-enable jemalloc for Windows users
- Build System
are you thinking about a…
are you thinking about a solution when the entrynode is overloaded? like switching to another?
No
No
With the new update, when I…
With the new update, when I go into the Responsive Design Mode the option to change from responsive to a different type of selection will not show up anymore. fix please
What is the "Responsive…
What is the "Responsive Design Mode"? Does it work in the latest Firefox ESR?
Main 3-lines menu -> Web…
Main 3-lines menu -> Web Developer -> Responsive Design Mode
It has been in Firefox for a long time now. Yes, it is in ESR.
it's one of the web dev…
it's one of the web dev tools. Also can be disabled in Style editor options
https://developer.mozilla.org/en-US/docs/Tools/Responsive_Design_Mode
https://developer.mozilla.org/en-US/docs/Learn/CSS/CSS_layout/Responsiv…
in regular browser view, ctrl+shift+m squeezes the web page into a phone/tablet size view
Really cool ! :D
Really cool ! :D
Snowflake is available as…
Snowflake is available as bridge?
Not yet in the stable…
Not yet in the stable release. It is however available in the alpha:
https://www.torproject.org/download/alpha/
I keep going to full screen…
I keep going to full screen accidentally with clicking the mouse, I assume it thinks I did "double click"
Is there a way to disable Full Screen mode?
or at least disable the gesture to go to Full Screen mode with "double click"?
I don't think there is a way…
I don't think there is a way to disable maximizing. Maybe in the configuration of your window manager (depending on which OS you are using).
However, having the Tor Browser window maximized should not be an issue with letterboxing:
https://support.torproject.org/tbb/maximized-torbrowser-window/
I just now heard about this…
I just now heard about this letterboxing technique for the first time; great idea!
Once more, kudos to the Tor team for all their effort!
@boklm, fix the link to…
@boklm, fix the link to wikipedia's Letterboxing (filming) on that support page. Its end parenthesis is outside the [a] tag. ".../wiki/Letterboxing_(filming"
what about video playback?…
what about video playback? there is no letterboxing in that
Good point! I don't know if…
Good point! I don't know if there are techniques to fingerprint the user's dimensions in the video API or PDF display like there are in CSS. I don't know if there are special techniques in Responsive Design Mode, either.
It sounds like you have…
It sounds like you have double-click mapped to full screen or maximize in your OS configuration for window display or mouse buttons. I couldn't find anything in Firefox or Tor Browser about:config
that affects it, but you can take a look if you want and search there for "full" or "gesture" and look up what those variables do. On most platforms, browser full screen toggle is mapped to the F11 key, and middle-click is mapped to auto-scroll toggle. Or it could be a different feature in your OS. Or your mouse could be broken.
Am I missing something? When…
Am I missing something? When will TB4A come to f-droid? Guardian project repo is outdated and the webpage points to a broken link on f-droid. The past two versions I had to download the apk on my desktop, verify the signature, then transfer to my phone and install. I have OpenKeychain but I haven't figured out how to verify a detached signature on my phone. You guys went to all this work to make an awesome replacement for Orfox, seems dumb we can't get it through f-droid.
https://support.torproject.org/tormobile/tormobile-7/
https://guardianproject.info/apps/org.torproject.torbrowser/
https://f-droid.org/packages/org.torproject.torbrowser
Without trying to be rude,…
Please I am not trying to be rude, but to help others who read this.
You can connect direct to the Guardian Project's Repository using the F-Droid client
see "https://support.torproject.org/tormobile/tormobile-7/" which is better as it is more direct.
"In the meantime you can use [the] F-Droid [client] to download Tor Browser for Android by enabling the Guardian Project's Repository."
In the F-Droid Client
F-Droid Client > Settings > Repositories > and enable "Guardian Project Official Releases"
Yes I have the GP repo…
Yes I have the GP repo enabled in f-droid, but at the time I wrote that, it was still two versions behind (9.0.3). I had to manually download 9.0.4 & .5, check signatures and sideload apk. It looks like it's up to date now but it takes way too long
Uploading to f-droid is…
Uploading to f-droid is still a manual process, where we ask a person from the guardian project to do it for us. In the future we hope to automate the process more, so it can be done faster.
I see. Thanks for the…
I see. Thanks for the explanation. Is there a reason TB can't be uploaded to the default f-droid repo? Would it not be accepted? On the f-droid repo, developers can do the uploads themselves, so I imagine you could integrate that into the existing release process pretty easily. Otherwise, I guess TP would have to run its own repo server? (Which is not all that difficult, from what I remember)
We are planning to do this…
We are planning to do this at some point. However we are currently busy with the switch from Fennec to Fenix.
crashing on startup macos 10…
crashing on startup
macos 10.14.5
((
Is there an error message?
Is there an error message?
Where is the dark letterbox…
Where is the dark letterbox theme? I went to Customize, Themes, Dark, and it's still white.
Dark letterbox theme will be…
Dark letterbox theme will be in version 9.5.
https://trac.torproject.org/projects/tor/ticket/32220#comment:20
Right now I'm in China and…
Right now I'm in China and using OBFS4 connect to Tor network, is this because OBFS4 get developed that the Chinese party couldn't detected OBFS4 again?
Yes, obfs4 (and its…
Yes, obfs4 (and its predecessor, ScrambleSuit) were specifically developed to defend against "active probing attacks" which the Great Firewall invented to detect and block circumvention protocols.
I thought that obfs4 did not…
I thought that obfs4 did not work for a while in China and that is why people were using Meek which no longer works because of Google shenanigans.
yay i'm happy ( i don't know…
yay i'm happy ( i don't know why)
Debian uses Tor version 0.3…
Debian uses Tor version 0.3.5.8-1, while newest stable release is 0.4.2.6
is this a problem?
No, it's ok. 0.3.5.x is one…
No, it's ok. 0.3.5.x is one of the long-term supported series.
https://gitweb.torproject.org/tor.git/plain/ReleaseNotes
Next time, ask in a post whose title is "tor" rather than this post whose title is "tor browser".
In the short term, it's ok,…
In the short term, it's ok, but in the long term, it is NOT recommended to install tor packages from Debian's or Ubuntu's repositories. Instead, use Tor Project's repository unless your network blocks it or you have some compelling reason not to.
https://support.torproject.org/apt/
https://support.torproject.org/operators/operators-4/
Twitter is acting…
Twitter is acting differently. It keeps returning "Something went wrong" and "Sorry, you are rate limited. Please wait a few moments then try again" when I try to look at tweets, searches, and settings. The search page and settings page look different, too. Try searching for something by the Twitter search icon in the address bar. Here's a screenshot https://i.postimg.cc/sxmtQ8TB/twitter.png
Since approx 2300 hrs GMT on…
Since approx 2300 hrs GMT on Feb 12th, my Tor has been disrupted - losing its connections every few minutes. My other browsers are not having this problem. I'm assuming this is due a problem in the new updated Tor
How are referers handled in…
How are referers handled in one tab? How are they handled if I open a link in a new tab? If referers are enabled, what good is creating a new separate circuit for the second domain if the second domain is told about the first domain?
Click here and find out:…
Click here and find out: https://www.whatismyreferer.com/
To answer your question, I think TB uses the same referer behavior as regular Firefox with Tracking Protection. It looks like referers are sent any time you click a link, even in a new window or tab. For cross-domain referers, only the domain part is sent, not the path or query string.
Also, I don't think TB does create a new circuit for each domain? I'm pretty sure by default it reuses the same circuit(s) for up to 10 minutes across all tabs/windows of the same TB instance. Each browser session is considered a single "anonymity zone", it doesn't try to prevent tabs/windows from being linked until you press new identity. TB is not meant to provide per-domain isolation within the same session. If you need that feature, you have to run multiple TB instances.
> I don't think TB does…
> I don't think TB does create a new circuit for each domain?
It does. My circuit display changes, and this says every new domain gets its own circuit. https://support.torproject.org/tbb/tbb-40/ That also links to a design document section on Cross-Origin Identifier Unlinkability. It doesn't mention referers directly, and it's a little too complicated for me to understand.
Yes. Each first-party gets…
Yes. Each first-party gets its own circuit (where first-party is roughly the the top-level domain plus the subdomain you see in the URL bar, such as "example.org", "google.com"). When you go to www.example.org Tor Browser uses the same circuit for the requests as when you visited accounts.example.org five minutes ago. If you visit both sites at the same time, then the requests/responses will use the same circuit.
For the referer header, as the previous response said, Tor Browser sends the entire URL when you move from one page to another on the same domain. When you move from one domain to another, then the destination only receives the "origin" in the referer header.
You can see some of the (more technical) options here:
https://wiki.mozilla.org/Security/Referrer
In particular, we set `network.http.referer.defaultPolicy` as `2`, which is `strict-origin-when-cross-origin`. From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Poli… :
"Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP)."
If you use onion services, then Tor Browser does not send a referer headed from one onion serivce to another.
But why? Why does Tor…
But why? Why does Tor Browser send referer by default at all?
Yes it might break a few pages on the internets, maybe some search engines and banking and stuff like that, but the referer option should be up to the user to decide, not Tor Browser.
I like how the direction of Tor within the past decade has been 'one-click' to accomodate the masses, but it might be nice to have clickable menu options with these type settings to give users more fine tune control over their session anonymity, without having to delve into the torrc file, the registry or messing with proxies to strip headers out.
The referer option is still…
The referer option is still up to the user to decide, there is nothing preventing you from changing the pref controlling this. However it is not recommended to change it as it will make your fingerprint different from most other users.
OCHs like k2s are blocking…
OCHs like k2s are blocking Noscript.
Drop the acronyms to…
Drop the acronyms to unfamiliar audiences. Spell it out. Ambiguity prevents solutions.
Happy "I love Free Software"…
Happy "I love Free Software" Day. It's a celebration started by Free Software Foundation Europe. Thank you, Tor Project.
Good day. new to this and I…
Good day. new to this and I am not able to access select sites, receiving error codes where it is NOT ALLOWED, especially with financial institutions.
Is this what a Bridge is for? Never used your site before, new to this and would appreciate some guidance & education.
thank you.
No, bridges do not change…
No, bridges do not change your exit IP address, so this makes no difference for the websites you visit.
Welcome! On top of the…
Welcome! On top of the purple homepage, you'll see links to Support and Documentation. You should also read the Tor Browser User Manual. Here are two good introductions:
- Tor: Overview on the Documentation pages of the old website
- The diagram under Secure Connections in the Tor Browser manual. On the top left of the diagram, click the grey buttons labeled "Tor" and "HTTPS," and watch what happens. (The original source of the diagram is EFF's article, How HTTPS and Tor Work Together to Protect Your Anonymity and Privacy.)
About error codes returned by some websites you visit, see the Support site:
- A website (bank, email provider, etc..) locks me out whenever I use Tor, what can I do?
- A website I am trying to reach is blocking access over Tor.
- Google makes me solve a CAPTCHA or tells me I have spyware installed
- Gmail warns me that my account may have been compromised
- Can you get rid of all the CAPTCHAs?
There are some details and examples on the development wiki's ListOfServicesBlockingTor.
About bridges, see the following. Some things they don't say (but should, boklm!) are that if you configure a bridge relay, it takes the place of your normal guard relay. Both of these types of relays, guard and bridge, are types of the first relay (node) in your 3-relay Tor circuits.
- I can’t connect to Tor Browser, is my network censored?
- What is a bridge?
- Support page's glossary: bridge
- Circumvention in the Tor Browser manual
- I installed Tor but it's not working. on the old website's General FAQ
- Tor: bridges on the old website
Maraming salamat po Tor…
Maraming salamat po Tor Project!