New Release: Tor Browser 9.0.5

by boklm | February 12, 2020

Tor Browser 9.0.5 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.2.6. We also added a new default bridge and backported a few improvements from the alpha series.

The full changelog since Tor Browser 9.0.4 is:

  • All Platforms
    • Update Firefox to 68.5.0esr
    • Bump NoScript to 11.0.13
    • Bug 32053: Fix LLVM reproducibility issues
    • Bug 32255: Missing ORIGIN header breaks CORS
    • Bug 32891: Add new default bridges
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.6
  • Windows
    • Bug 32132: Re-enable jemalloc for Windows users
  • Build System
    • All Platforms
    • OS X
      • Bug 33200: Fix permissions on bookmarks.html

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

February 12, 2020

Permalink

are you thinking about a solution when the entrynode is overloaded? like switching to another?

Jordan (not verified) said:

February 12, 2020

Permalink

With the new update, when I go into the Responsive Design Mode the option to change from responsive to a different type of selection will not show up anymore. fix please

Anonymous (not verified) said:

February 12, 2020

Permalink

Main 3-lines menu -> Web Developer -> Responsive Design Mode

It has been in Firefox for a long time now. Yes, it is in ESR.

Anonymous (not verified) said:

February 12, 2020

Permalink

I keep going to full screen accidentally with clicking the mouse, I assume it thinks I did "double click"

Is there a way to disable Full Screen mode?
or at least disable the gesture to go to Full Screen mode with "double click"?

BeMe (not verified) said:

February 12, 2020

Permalink

I just now heard about this letterboxing technique for the first time; great idea!
Once more, kudos to the Tor team for all their effort!

Anonymous (not verified) said:

February 12, 2020

Permalink

@boklm, fix the link to wikipedia's Letterboxing (filming) on that support page. Its end parenthesis is outside the [a] tag. ".../wiki/Letterboxing_(filming"

Good point! I don't know if there are techniques to fingerprint the user's dimensions in the video API or PDF display like there are in CSS. I don't know if there are special techniques in Responsive Design Mode, either.

It sounds like you have double-click mapped to full screen or maximize in your OS configuration for window display or mouse buttons. I couldn't find anything in Firefox or Tor Browser about:config that affects it, but you can take a look if you want and search there for "full" or "gesture" and look up what those variables do. On most platforms, browser full screen toggle is mapped to the F11 key, and middle-click is mapped to auto-scroll toggle. Or it could be a different feature in your OS. Or your mouse could be broken.

Anonymous (not verified) said:

February 12, 2020

Permalink

Am I missing something? When will TB4A come to f-droid? Guardian project repo is outdated and the webpage points to a broken link on f-droid. The past two versions I had to download the apk on my desktop, verify the signature, then transfer to my phone and install. I have OpenKeychain but I haven't figured out how to verify a detached signature on my phone. You guys went to all this work to make an awesome replacement for Orfox, seems dumb we can't get it through f-droid.

https://support.torproject.org/tormobile/tormobile-7/
https://guardianproject.info/apps/org.torproject.torbrowser/
https://f-droid.org/packages/org.torproject.torbrowser

Please I am not trying to be rude, but to help others who read this.

You can connect direct to the Guardian Project's Repository using the F-Droid client

see "https://support.torproject.org/tormobile/tormobile-7/" which is better as it is more direct.

"In the meantime you can use [the] F-Droid [client] to download Tor Browser for Android by enabling the Guardian Project's Repository."
In the F-Droid Client
F-Droid Client > Settings > Repositories > and enable "Guardian Project Official Releases"

Yes I have the GP repo enabled in f-droid, but at the time I wrote that, it was still two versions behind (9.0.3). I had to manually download 9.0.4 & .5, check signatures and sideload apk. It looks like it's up to date now but it takes way too long

Uploading to f-droid is still a manual process, where we ask a person from the guardian project to do it for us. In the future we hope to automate the process more, so it can be done faster.

Anonymous (not verified) said:

March 13, 2020

Permalink

I see. Thanks for the explanation. Is there a reason TB can't be uploaded to the default f-droid repo? Would it not be accepted? On the f-droid repo, developers can do the uploads themselves, so I imagine you could integrate that into the existing release process pretty easily. Otherwise, I guess TP would have to run its own repo server? (Which is not all that difficult, from what I remember)

Anonymous (not verified) said:

February 12, 2020

Permalink

Right now I'm in China and using OBFS4 connect to Tor network, is this because OBFS4 get developed that the Chinese party couldn't detected OBFS4 again?

Yes, obfs4 (and its predecessor, ScrambleSuit) were specifically developed to defend against "active probing attacks" which the Great Firewall invented to detect and block circumvention protocols.

Anonymous (not verified) said:

February 13, 2020

Permalink

Twitter is acting differently. It keeps returning "Something went wrong" and "Sorry, you are rate limited. Please wait a few moments then try again" when I try to look at tweets, searches, and settings. The search page and settings page look different, too. Try searching for something by the Twitter search icon in the address bar. Here's a screenshot https://i.postimg.cc/sxmtQ8TB/twitter.png

SF (not verified) said:

February 13, 2020

Permalink

Since approx 2300 hrs GMT on Feb 12th, my Tor has been disrupted - losing its connections every few minutes. My other browsers are not having this problem. I'm assuming this is due a problem in the new updated Tor

Anonymous (not verified) said:

February 13, 2020

Permalink

How are referers handled in one tab? How are they handled if I open a link in a new tab? If referers are enabled, what good is creating a new separate circuit for the second domain if the second domain is told about the first domain?

Click here and find out: https://www.whatismyreferer.com/

To answer your question, I think TB uses the same referer behavior as regular Firefox with Tracking Protection. It looks like referers are sent any time you click a link, even in a new window or tab. For cross-domain referers, only the domain part is sent, not the path or query string.

Also, I don't think TB does create a new circuit for each domain? I'm pretty sure by default it reuses the same circuit(s) for up to 10 minutes across all tabs/windows of the same TB instance. Each browser session is considered a single "anonymity zone", it doesn't try to prevent tabs/windows from being linked until you press new identity. TB is not meant to provide per-domain isolation within the same session. If you need that feature, you have to run multiple TB instances.

> I don't think TB does create a new circuit for each domain?

It does. My circuit display changes, and this says every new domain gets its own circuit. https://support.torproject.org/tbb/tbb-40/ That also links to a design document section on Cross-Origin Identifier Unlinkability. It doesn't mention referers directly, and it's a little too complicated for me to understand.

Yes. Each first-party gets its own circuit (where first-party is roughly the the top-level domain plus the subdomain you see in the URL bar, such as "example.org", "google.com"). When you go to www.example.org Tor Browser uses the same circuit for the requests as when you visited accounts.example.org five minutes ago. If you visit both sites at the same time, then the requests/responses will use the same circuit.

For the referer header, as the previous response said, Tor Browser sends the entire URL when you move from one page to another on the same domain. When you move from one domain to another, then the destination only receives the "origin" in the referer header.

You can see some of the (more technical) options here:
https://wiki.mozilla.org/Security/Referrer

In particular, we set `network.http.referer.defaultPolicy` as `2`, which is `strict-origin-when-cross-origin`. From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Poli… :

"Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP)."

If you use onion services, then Tor Browser does not send a referer headed from one onion serivce to another.

Anonymous (not verified) said:

February 17, 2020

Permalink

But why? Why does Tor Browser send referer by default at all?

Yes it might break a few pages on the internets, maybe some search engines and banking and stuff like that, but the referer option should be up to the user to decide, not Tor Browser.

I like how the direction of Tor within the past decade has been 'one-click' to accomodate the masses, but it might be nice to have clickable menu options with these type settings to give users more fine tune control over their session anonymity, without having to delve into the torrc file, the registry or messing with proxies to strip headers out.

The referer option is still up to the user to decide, there is nothing preventing you from changing the pref controlling this. However it is not recommended to change it as it will make your fingerprint different from most other users.

Scott J (not verified) said:

February 14, 2020

Permalink

Good day. new to this and I am not able to access select sites, receiving error codes where it is NOT ALLOWED, especially with financial institutions.
Is this what a Bridge is for? Never used your site before, new to this and would appreciate some guidance & education.

thank you.

Welcome! On top of the purple homepage, you'll see links to Support and Documentation. You should also read the Tor Browser User Manual. Here are two good introductions:

About error codes returned by some websites you visit, see the Support site:

There are some details and examples on the development wiki's ListOfServicesBlockingTor.

About bridges, see the following. Some things they don't say (but should, boklm!) are that if you configure a bridge relay, it takes the place of your normal guard relay. Both of these types of relays, guard and bridge, are types of the first relay (node) in your 3-relay Tor circuits.

Anonymous (not verified) said:

February 14, 2020

Permalink

Recently I had to start using a bridge, otherwise I couldn't open websites. This is happening in Portugal.

A bridge should not affect opening websites once you are connected to Tor. A bridge is supposed to help if you can't connect to Tor at all. The first connection to Tor is shown by a progress bar before the browser opens. If you can connect Tor without a bridge, then the websites that wouldn't open probably were blocking the exit node (last node) of your circuit. In that situation, the proper thing to do is click on the lock icon in the address bar -> blue button New Circuit for this Site. If other websites open, then that one website is blocking Tor.

https://tb-manual.torproject.org/managing-identities/
https://support.torproject.org/tbb/tbb-29/
https://support.torproject.org/misc/glossary/#new-tor-circuit-for-this-…
https://support.torproject.org/tbb/

PacoBell (not verified) said:

February 15, 2020

Permalink

I'm seeing this error in Android 10 when I try to connect via bridges and it just can't connect:

"- WARN: Managed proxy at '/data/app/org.torproject.torbrowser-KiFX6x3o-sapD1j17SI96w==/lib/arm64/libObfs4proxy.so' reported: error: "/data/app/org.torproject.torbrowser-KiFX6x3o-sapD1j17SI96w==/lib/arm64/libObfs4proxy.so": executable's TLS segment is underaligned: alignment is 8, needs to be at least 64 for ARM64 Bionic
- WARN: Pluggable Transport process terminated with status code 6"

What's that about?

ocsp.digicert… (not verified) said:

February 18, 2020

Permalink

When I navigate in my browser to:

about:networking#http

I see port ocsp.digicert.com on port 80.

Isn't this kind of a leak of sorts?

Anon (not verified) said:

February 19, 2020

Permalink

Can a Tor browser user configure how often exit nodes are changed?
I need longer time with the same IP address...

> Can a Tor browser user configure how often exit nodes are changed? I need longer time with the same IP address...

Timeout length of stale circuits could be interesting if you also consider the thread about referers on page 1. https://blog.torproject.org/comment/286734#comment-286734 For instance, how much information is a fresh second exit told about your session on the same domain that was on its stale first exit? People spend a lot longer than 10 minutes on some sites.

This page has some information about this:
https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user…

On Windows and Linux you can find the profile directory inside the Tor Browser directory, in Browser/TorBrowser/Data/Browser/profile.default/. On macOS it is in a TorBrowser-Data directory: https://tb-manual.torproject.org/uninstalling/

You might also be able to set the TOR_SKIP_LAUNCH=1 environment variable to start Tor Browser without connecting to Tor, and then use the browser to export bookmarks.

Anonymous (not verified) said:

February 20, 2020

Permalink

Questions about bookmarks deserve to be added to the Support site and/or TB manual. Many users ask how to backup bookmarks. Search old posts for them and their answers. Here are a few from 2019 to expand the answer:

Anonymous (not verified) said:

February 21, 2020

Permalink

I am unable to download the latest TOR browser update as I cannot connect to the main web page or the download page on any browser; I receive an error stating that a secure connection could not be established, and that the security certificate exceeds the maximum length. All of my browsers are up to date and all of them give the same error. Is this still an issue on my end or is it something that needs to be fixed on the website itself?

non-rotational (not verified) said:

February 21, 2020

Permalink

Since the 12 February Tor update I can no longer access my ProtonMail account, but have no problem if I go through regular Firefox. The login screen just cycles endlessly, and I also get a pop-up message across the top that says a web page is slowing down my browser - even if nothing else is open whatsoever.

Also can't make the Tor browser the default.

Any ideas on how to fix these issues?

yuradufus (not verified) said:

February 22, 2020

Permalink

Unable to click on checkboxes and unable to highlight & copy with new Tor update.

Flipstirfry (not verified) said:

February 23, 2020

Permalink

Hi! New to TOR!

This isn't working for me: "api ms win crt convert 1-1-0 dll is missing"

Please advise.
Thanks

Change your security level shield to Safer or Standard, and open the video page. You will see a yellow panel with a blue "S" covering video players. That's NoScript doing its job. Click the yellow panel on a player to pop-up a blue dialog window where you can allow the [MEDIA] tag so videos will play. If the blue window doesn't work on Standard, you may have to open NoScript's options and set a custom, temporary (clock icon) permission to allow [MEDIA] on that first-party domain (youtube.com) and/or the third-party domain that hosts the video file (Youtube is a third party on sites that embed youtube videos into their pages). If you want to allow everything from a domain, simply click "Temp. Trusted". Don't change anything in NoScript unless you have familiarized yourself with it already in browsers like Chrome or Firefox because customized configurations can make you distinguishable on Tor. You can reset NoScript's per-site permissions to Tor Browser default by changing your security level shield.
https://tb-manual.torproject.org/security-settings/
https://noscript.net/

If you're getting CAPTCHAs or "Our systems have detected unusual traffic from your computer network" (a different issue from above), either wait ten minutes and try again, or click ⓘ (i) in the address bar -> "New Circuit for this Site", or click the New Identity broom icon next to the address bar. Then, try opening Youtube again. I seem to have better luck if I open youtube's home page before I open a video page.

As always, read Tor Project's Support and Documentation.
https://support.torproject.org/
https://tb-manual.torproject.org/managing-identities/

More answers:
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlo…
https://duckduckgo.com/?q="tor"+"unusual+traffic+from+your+computer+network"
https://duckduckgo.com/?q="unusual+traffic+from+your+computer+network"

Really great answer; thank you!

I rarely try to watch videos myself, but when I try to encourage others who need Tor but do not yet recognize the fact that they need Tor to try Tor Browser, the most common complaint I hear is "Youtube didn't work".

@ Tor Project:

Please, please, please: as we all recall, the long-promised site revamp did NOT go down well with the user base and did not help resolve the difficulty of finding the most recent and best advice on how to use Tor. I ask that someone be assigned to try again.

Please bear in mind:

  • informational pages should always begin with "last updated on [date]"
  • each page should
    • begin with concise presentation of the most useful information
    • drill down into more complex issues second
    • add important caveats and warnings as needed
    • be edited by someone who tries to mimic the mental state of a possibly confused or frustrated newbie which "just wants this thing to work", and who might not yet be ready to hear about all the awful FAILS more experienced users are familiar with

Further suggestions:

  • Google Summer of Code intern can try to write a good/safe TB friendly site search?
  • I think the way Tails organizes its documentation is smart and effective

BTW, in the blog preview does not work. Plus NSA must find it very informative to watch posters manually write HTML code.

> begin with "last updated on [date]"

Wikis and generally most places that have those put it in the footer. Tor Project's Trac wiki does too.

> begin with concise presentation of the most useful information
> drill down into more complex issues second

https://en.wikipedia.org/wiki/BLUF_(communication)
https://en.wikipedia.org/wiki/Spiral_approach
https://en.wikipedia.org/wiki/Inverted_pyramid_(journalism)

However, in a documentation paradigm, the information is a reference rather than an interjection like a press release. Reference documents can't predict what the reader will be asking or looking for, so instead, they organize by category and/or prioritize by what readers most frequently ask. For another example, look at https://docs.python.org/

Others have proposed search features:
https://trac.torproject.org/projects/tor/ticket/24376
https://trac.torproject.org/projects/tor/ticket/32932

Yes to everything else you said. This thread should be forwarded to the Website team.

https://en.wikipedia.org/wiki/Wikipedia:Make_technical_articles_underst…
https://en.wikipedia.org/wiki/Wikipedia:Writing_better_articles#Informa…
https://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style/Computing
https://en.wikipedia.org/wiki/Wikipedia:WikiProject_Computer_science/Ma…
https://en.wikipedia.org/wiki/Wikipedia:Accessibility_dos_and_don%27ts

Jaybird (not verified) said:

February 23, 2020

Permalink

I'm using Tor version 9.0.5 on android phone using Android 9. Is there a way to view Tor logs regarding server names? I slide the screen to the left while connecting to read the logs but towards the end everything closes so fast that I cannot read anything about what country I'm connected to or what servers I'm using etc. Thank you!

Anonymous (not verified) said:

February 24, 2020

Permalink

I was surprised to find by default that there was no tick in "Prevent accessibility services from accessing your browser" considering what it says on this webpage about third party applications may be monitoring your web surfing activity.

Am I missing something?, like you have already disabled it all by default in about:support ?.

Third party applications may be monitoring your web surfing activity
considering it says

What is the impact of having Firefox Accessibility Service enabled?

Firefox Accessibility Service may negatively impact Firefox browsing performance

Third party applications may be monitoring your web surfing activity

Firefox stability may be adversely affected

I tried to preview this post but I could not see it even even though I allowed NoScript, does it work?.

Anonymous (not verified) said:

March 02, 2020

Permalink

Thanks boklm,

that is understandable, it's good to read that they are looking for Mozilla to fix this.

Could you possibly post a link to problems, advisories about things like this in the future (which may leave people open to tracking or other potential privacy leaks) and place a link on the the Tor download pages and at the top of each new Tor release blog post, so that people can take the necessary steps to work around any new problems until they get fixed? as finding out about things kike this often take a lot of digging to find and most users will probably just go ahead and start browsing.

Otherwise I and other users tend to just stubble across these things, if at all, which are often already known about, but not by the average user who may possibly never even visit the Tor blog, ot other sites, I didn't notice that setting in "Options, Privacy & Security, Permissions section, Prevent accessibility services from accessing your browser checkbox" for a day or two. so it was left turned on.

It is not clearly marked in Firefox (as to what it leaves you open to) until you click further to investigate it.

I think considering that it presently leaves you open to being tracked that Mozilla should separate it and list it under Privacy and Third Party Tracking Data along with its other interned use as it is easily missed, even though I have viewed that setting a few times already I still had to look up where to find it again today after failing to find it again, ts to well hidden sitting at the end of a list looking all Innocent.

Thanks

This option not being checked does not leave you open to being tracked.

This option can prevent a malicious program from monitoring the browser using accessibility services. But a malicious program probably could do it in other ways too, so it's unclear whether this option offer much protection.

Anonymous (not verified) said:

March 03, 2020

Permalink

Ok thanks, I guess I took "Third party applications may be monitoring your web surfing activity" to just mean tracking in general terms.

One unrelated problem which I came across the other day is:

[Show all bookmarks] if you type or paste a search term into the search box then click on it to edit it (because you spelt it wrong) or if you click on a white area of the search box it highlights the entire search term which then it freezes it, you can not un-highlight it by clicking on the white space or the word, you can't even use backspace, all you can do is delete it.

I did find one way out of it today though, if you use the arrow keys after you highlight it, it will un-highlight it and you can then edit away as normal, it does need fixing though.

Anon (how orig… (not verified) said:

February 26, 2020

Permalink

Dont know if its the right place, but still post it here.
in android version of torbrowser, the default language setting is "System default", which causes the system language to appear in the HTTP accept headers. For less populus languages this effectively makes torbrowsers fingerprint quite unique, at least according to panopticlick.
Changing intl.accept-language to something more common like en-Us, en seems to correct it.

noscript untrustable (not verified) said:

February 26, 2020

Permalink

Noscript does not save my "trusted" settings. Every time I load TOR I have to go into Noscript options, trusted, and re-disable the "media" setting.
Even then can't really trust the noscript settings to do what they say. I had 3 tabs loaded each with different "temp trusted" settings, and then the noscript menu went blank, displaying that blankness in a larger noscript window i hadn't seen before.

> the noscript menu went blank, displaying that blankness in a larger noscript window i hadn't seen before

The toolbar icon's list often opens empty for me. Move your mouse arrow up and down on the blankness, and the lines of permissions should appear. I don't know why it happens.

Guarino Elio (not verified) said:

February 28, 2020

Permalink

My TOR Browser is not never default my browser! may-be is not possible to save configuration.
Have you some ideas? I must reload again TOR 9.0.5 ?

Bustle (not verified) said:

February 29, 2020

Permalink

Avast report virus on this version 9.0.5: Win64:Evo-gen in nssdbm3.dll and mozi....dll(forget the name)

user13 (not verified) said:

March 04, 2020

Permalink

Hi
in version 9.0.5 every time i start Tor browser the size of the browser's window, zoom setting of websites and many more setting keep resetting to default values
I enabled history, put browser in standard security mode and disabled "always in private mode" option
but problem still exist
please help me with this