New Release: Tor Browser 9.0.5

by boklm | February 12, 2020

Tor Browser 9.0.5 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.2.6. We also added a new default bridge and backported a few improvements from the alpha series.

The full changelog since Tor Browser 9.0.4 is:

  • All Platforms
    • Update Firefox to 68.5.0esr
    • Bump NoScript to 11.0.13
    • Bug 32053: Fix LLVM reproducibility issues
    • Bug 32255: Missing ORIGIN header breaks CORS
    • Bug 32891: Add new default bridges
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.6
  • Windows
    • Bug 32132: Re-enable jemalloc for Windows users
  • Build System
    • All Platforms
    • OS X
      • Bug 33200: Fix permissions on bookmarks.html
Tags
tor browser
tbb
tbb-9.0
Jason

Anonymous (not verified) said:

February 12, 2020

Permalink

are you thinking about a solution when the entrynode is overloaded? like switching to another?

Jason

Jordan (not verified) said:

February 12, 2020

Permalink

With the new update, when I go into the Responsive Design Mode the option to change from responsive to a different type of selection will not show up anymore. fix please

Jason

Anonymous (not verified) said:

February 12, 2020

Permalink

I keep going to full screen accidentally with clicking the mouse, I assume it thinks I did "double click"

Is there a way to disable Full Screen mode?
or at least disable the gesture to go to Full Screen mode with "double click"?

Good point! I don't know if there are techniques to fingerprint the user's dimensions in the video API or PDF display like there are in CSS. I don't know if there are special techniques in Responsive Design Mode, either.

It sounds like you have double-click mapped to full screen or maximize in your OS configuration for window display or mouse buttons. I couldn't find anything in Firefox or Tor Browser about:config that affects it, but you can take a look if you want and search there for "full" or "gesture" and look up what those variables do. On most platforms, browser full screen toggle is mapped to the F11 key, and middle-click is mapped to auto-scroll toggle. Or it could be a different feature in your OS. Or your mouse could be broken.

Jason

Anonymous (not verified) said:

February 12, 2020

Permalink

Am I missing something? When will TB4A come to f-droid? Guardian project repo is outdated and the webpage points to a broken link on f-droid. The past two versions I had to download the apk on my desktop, verify the signature, then transfer to my phone and install. I have OpenKeychain but I haven't figured out how to verify a detached signature on my phone. You guys went to all this work to make an awesome replacement for Orfox, seems dumb we can't get it through f-droid.

https://support.torproject.org/tormobile/tormobile-7/
https://guardianproject.info/apps/org.torproject.torbrowser/
https://f-droid.org/packages/org.torproject.torbrowser

Please I am not trying to be rude, but to help others who read this.

You can connect direct to the Guardian Project's Repository using the F-Droid client

see "https://support.torproject.org/tormobile/tormobile-7/" which is better as it is more direct.

"In the meantime you can use [the] F-Droid [client] to download Tor Browser for Android by enabling the Guardian Project's Repository."
In the F-Droid Client
F-Droid Client > Settings > Repositories > and enable "Guardian Project Official Releases"

Yes I have the GP repo enabled in f-droid, but at the time I wrote that, it was still two versions behind (9.0.3). I had to manually download 9.0.4 & .5, check signatures and sideload apk. It looks like it's up to date now but it takes way too long

Uploading to f-droid is still a manual process, where we ask a person from the guardian project to do it for us. In the future we hope to automate the process more, so it can be done faster.

I see. Thanks for the explanation. Is there a reason TB can't be uploaded to the default f-droid repo? Would it not be accepted? On the f-droid repo, developers can do the uploads themselves, so I imagine you could integrate that into the existing release process pretty easily. Otherwise, I guess TP would have to run its own repo server? (Which is not all that difficult, from what I remember)

Jason

Anonymous (not verified) said:

February 12, 2020

Permalink

Right now I'm in China and using OBFS4 connect to Tor network, is this because OBFS4 get developed that the Chinese party couldn't detected OBFS4 again?

Yes, obfs4 (and its predecessor, ScrambleSuit) were specifically developed to defend against "active probing attacks" which the Great Firewall invented to detect and block circumvention protocols.

In the short term, it's ok, but in the long term, it is NOT recommended to install tor packages from Debian's or Ubuntu's repositories. Instead, use Tor Project's repository unless your network blocks it or you have some compelling reason not to.

https://support.torproject.org/apt/
https://support.torproject.org/operators/operators-4/

Jason

Anonymous (not verified) said:

February 13, 2020

Permalink

Twitter is acting differently. It keeps returning "Something went wrong" and "Sorry, you are rate limited. Please wait a few moments then try again" when I try to look at tweets, searches, and settings. The search page and settings page look different, too. Try searching for something by the Twitter search icon in the address bar. Here's a screenshot https://i.postimg.cc/sxmtQ8TB/twitter.png

Jason

SF (not verified) said:

February 13, 2020

Permalink

Since approx 2300 hrs GMT on Feb 12th, my Tor has been disrupted - losing its connections every few minutes. My other browsers are not having this problem. I'm assuming this is due a problem in the new updated Tor

Jason

Anonymous (not verified) said:

February 13, 2020

Permalink

How are referers handled in one tab? How are they handled if I open a link in a new tab? If referers are enabled, what good is creating a new separate circuit for the second domain if the second domain is told about the first domain?

Click here and find out: https://www.whatismyreferer.com/

To answer your question, I think TB uses the same referer behavior as regular Firefox with Tracking Protection. It looks like referers are sent any time you click a link, even in a new window or tab. For cross-domain referers, only the domain part is sent, not the path or query string.

Also, I don't think TB does create a new circuit for each domain? I'm pretty sure by default it reuses the same circuit(s) for up to 10 minutes across all tabs/windows of the same TB instance. Each browser session is considered a single "anonymity zone", it doesn't try to prevent tabs/windows from being linked until you press new identity. TB is not meant to provide per-domain isolation within the same session. If you need that feature, you have to run multiple TB instances.

> I don't think TB does create a new circuit for each domain?

It does. My circuit display changes, and this says every new domain gets its own circuit. https://support.torproject.org/tbb/tbb-40/ That also links to a design document section on Cross-Origin Identifier Unlinkability. It doesn't mention referers directly, and it's a little too complicated for me to understand.

Yes. Each first-party gets its own circuit (where first-party is roughly the the top-level domain plus the subdomain you see in the URL bar, such as "example.org", "google.com"). When you go to www.example.org Tor Browser uses the same circuit for the requests as when you visited accounts.example.org five minutes ago. If you visit both sites at the same time, then the requests/responses will use the same circuit.

For the referer header, as the previous response said, Tor Browser sends the entire URL when you move from one page to another on the same domain. When you move from one domain to another, then the destination only receives the "origin" in the referer header.

You can see some of the (more technical) options here:
https://wiki.mozilla.org/Security/Referrer

In particular, we set `network.http.referer.defaultPolicy` as `2`, which is `strict-origin-when-cross-origin`. From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Poli… :

"Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP)."

If you use onion services, then Tor Browser does not send a referer headed from one onion serivce to another.

But why? Why does Tor Browser send referer by default at all?

Yes it might break a few pages on the internets, maybe some search engines and banking and stuff like that, but the referer option should be up to the user to decide, not Tor Browser.

I like how the direction of Tor within the past decade has been 'one-click' to accomodate the masses, but it might be nice to have clickable menu options with these type settings to give users more fine tune control over their session anonymity, without having to delve into the torrc file, the registry or messing with proxies to strip headers out.

The referer option is still up to the user to decide, there is nothing preventing you from changing the pref controlling this. However it is not recommended to change it as it will make your fingerprint different from most other users.

Jason

Scott J (not verified) said:

February 14, 2020

Permalink

Good day. new to this and I am not able to access select sites, receiving error codes where it is NOT ALLOWED, especially with financial institutions.
Is this what a Bridge is for? Never used your site before, new to this and would appreciate some guidance & education.

thank you.

Welcome! On top of the purple homepage, you'll see links to Support and Documentation. You should also read the Tor Browser User Manual. Here are two good introductions:

About error codes returned by some websites you visit, see the Support site:

There are some details and examples on the development wiki's ListOfServicesBlockingTor.

About bridges, see the following. Some things they don't say (but should, boklm!) are that if you configure a bridge relay, it takes the place of your normal guard relay. Both of these types of relays, guard and bridge, are types of the first relay (node) in your 3-relay Tor circuits.