New Release: Tor Browser 9.5a6

by sysrqb | March 2, 2020

Tor Browser 9.5a6 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

The main improvement in this release is the ability to add an authentication key for an onion site without editing the torrc configuration file.

Note: After releasing this update, we found that a bug prevents the non-en-US versions from starting up. We are currently working on a 9.5a7 update, and have temporarily disabled updates to 9.5a6.

The full changelog since Tor Browser 9.5a5 is:

  • All Platforms
    • Translations update
  • Windows + OS X + Linux
    • Update Tor Launcher to 0.2.21.2
      • Translations update
      • Bug 19757: Support on-disk storage of v3 client auth keys
    • Bug 19757: Support on-disk storage of v3 client auth keys
    • Bug 32493: Disable MOZ_SERVICES_HEALTHREPORT
    • Bug 32658: Create a new MAR signing key
  • Build System
    • All Platforms
      • Bug 33380: Add *.json to sha256sums-unsigned-build.txt

Comments

Please note that the comment area below has been archived.

March 03, 2020

Errore interpretazione XML: entità non definita
Indirizzo: chrome://browser/content/browser.xul
Riga numero 3173, colonna 7:

March 03, 2020

Hello,

I have been using TOR for many years on Debian and the updates have always gone well. But the new update 9.5-a6 has a problem (it doesn't boot). So I downloaded the complete tor-browser-linux64-9.5a6_fr.tar.xz archive and installed it. But it doesn't boot either. And it's not a problem with "profile.default" because with my own "profile.default" or with the one installed by default, TOR doesn't boot.

So I went back to version 9.5-a5 and everything works perfectly ;-)

Translated with www.DeepL.com/Translator (free version)

A somewhat related problem regularly experienced by another Debian/Tor user:

Many thanks to Tor Project (TP) and Debian Project (DP) for responding to many user requests over the years by creating the onion mirrors for the Debian software repository, which I have used to maintain my Debian systems since the onions were introduced a few years ago, but it is obvious that these onions need some love. Either they are regularly overloaded (in which case TP and DP need to provide additional servers) or else no-one is maintaining them.

I contribute to TP as my strained finances permit, which may or may not increase the likelihood that someone at TP will look into the problems. TIA!

@ poster: has DeepL been audited for security issues? Can it be used with Tor? What was the original language?

March 03, 2020

[time] qwebirc v0.92
[time] Copyright (C) 2008-2012 Chris Porter and the qwebirc project.
[time] http://www.qwebirc.org
[time] Licensed under the GNU General Public License, Version 2.
[time] == ERROR: Anonymous TOR usage is unavailable
I've tried to use a nickname on an IRC channel.
https://support.torproject.org/get-in-touch/
'OFTC often doesn't allow people to use their webchat over Tor. For this reason, and because many people end up preferring it anyway, you should also consider using an IRC client.' How often? Every amount? Or now always? Where can I find an IRC client? How safe is it to use that client with Tor?

You can get an IRC client here: http://hexchat.github.io/
Don't forget to configure its options to use Tor:
Settings -> Preferences -> Network -> Network setup
Hostname: 127.0.0.1
Port: 9150 or 9050 (try which one works)
Type: Socks5
Use proxy for: all connections
click OK

Hexchat -> Network list
then connect to OFTC network: irc.oftc.net/6667

info
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IRC
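
Added example, not part of the original comment or of HexChat or Tor code: a small check for the "try which one works" step, sending a SOCKS5 greeting to the two ports named above and reporting the first one that answers. The function names are made up for this example.

```python
import socket

# Ports named in the comment above: 9150 is the default for the tor bundled
# with Tor Browser, 9050 the default for a system tor daemon.
CANDIDATE_PORTS = (9150, 9050)


def speaks_socks5(host, port, timeout=3.0):
    """Return True if host:port accepts a SOCKS5 greeting without auth."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            # RFC 1928 greeting: version 5, one method offered, 0x00 = no auth.
            s.sendall(b"\x05\x01\x00")
            reply = b""
            while len(reply) < 2:
                chunk = s.recv(2 - len(reply))
                if not chunk:
                    break
                reply += chunk
            # A SOCKS5 server that accepts "no auth" answers 0x05 0x00.
            return reply == b"\x05\x00"
    except OSError:
        # Connection refused, timeout, reset: nothing usable on this port.
        return False


def find_tor_socks_port(host="127.0.0.1", ports=CANDIDATE_PORTS):
    """Return the first candidate port with a SOCKS5 listener, else None."""
    for port in ports:
        if speaks_socks5(host, port):
            return port
    return None


if __name__ == "__main__":
    port = find_tor_socks_port()
    if port is None:
        print("No SOCKS5 listener on 9150 or 9050; is Tor running?")
    else:
        print(f"Set the IRC client's SOCKS5 proxy to 127.0.0.1:{port}")
```

This only confirms that a SOCKS5 listener answers on the port, not that the listener is Tor.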

March 03, 2020

I figured out how to view the authentication key for an onion site that is already saved, but not how to add a new key?

March 03, 2020

Strict Nodes values ignored on Facebook.
torrc values of strict nodes are not used if a user visits facebook and changes to any random node.

Any ideas?

March 04, 2020

Secure Connection Failed

An error occurred during a connection to torproject.org. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

March 06, 2020

In reply to boklm

https://trac.torproject.org/projects/tor/ticket/27268 removed these redundant prefs: they are covered under RFP
- media.webspeech.synth.enabled
- dom.gamepad.enabled

So the APIs are now enabled but they do not leak anything: e.g.
was
> SpeechSynthesis
> API Status × Disabled / Not Supported
now
> SpeechSynthesis
> API Status ✔ Enabled
> Speech Voices empty

was
> Rest of window.navigator
> getGamepads not listed
now
> getGamepads function getGamepads() { [native code] }

That's all it is. The fingerprint of what window.navigator objects [1] is still the same for everyone, and interrogating those objects (speech engines, gamepads) is mitigated by RFP

March 05, 2020

Twitter has now blocked Tor with the asinine message "Sorry, you are rate limited. Please wait a few moments then try again." As stupid as Google and their "Your device may be part of a bot network". Bye, bye Twitter :D

March 05, 2020

I am not sure if my case is relevant to this topic, but now Tor keeps saying: unable to find the proxy server. The last time I opened Tor, it was working properly; now I see that it removed my add-ons. After refreshing, Tor kept my old data in a folder and said to start it fresh, then I realised that it's not all I was expecting. It kept saying (unable to find proxy), so I changed the settings to detect proxy manually, but I still have that problem. I use Tor only for some websites I frequently use. I am afraid to remove the whole Tor, as my computer is an old one (Vista) [for some reasons I do not use Win10], so I cannot have the new Tor app, so I do not dare to remove it. Please tell me what to do now? (I already changed settings more than 10 times.)

> my computer is an old one(Vista) ,[for some reasons I do not use win10] so i can not have the new Tor-app so I do not dare to remove it.Please tell me what to do now?

It's dangerous to install add-ons in Tor Browser.
https://support.torproject.org/tbb/tbb-14/

Tor Browser is based on Firefox ESR. The last Firefox ESR for Windows Vista and XP was 52.9.0esr in June 2018. The last Tor Browser based on Firefox 52.9.0esr was 7.5.6.
https://support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista
https://en.wikipedia.org/wiki/Firefox#Platform_availability
https://gitweb.torproject.org/builders/tor-browser-build.git/plain/proj…

You can download Tor Browser 7.5.6 (caution, old, vulnerable) from:
https://archive.torproject.org/tor-package-archive/torbrowser/7.5.6/
EXEs are at the bottom.

What you really should do is migrate to an OS that's up to date.
https://blog.torproject.org/comment/284876#comment-284876
https://en.wikipedia.org/wiki/Live_USB

March 09, 2020

In the thread for the previous version ("New Release: Tor Browser 9.5a5") someone asked about

> IP address: 185.220.101.27

(See https://blog.torproject.org/comment/286822#comment-286822 for the comment.)

The thread in which the cited comment appeared has closed so I am trying to comment in this thread:

Some of us have been trying to raise a concern about the very large family of very high bandwidth exit nodes

https://metrics.torproject.org/rs.html#search/nifty

to which that particular node belongs for several weeks, but so far TP has ignored us and the moderators have even prevented posts submitted to this very thread from appearing.

The basic problems are

1. the family appears to carry too large a fraction of Tor traffic,

2. the family appears to be particularly anxious to watch Tor users who are trying to visit popular news sites such as salon.com, theintercept.com, theguardian.com, etc--- in recent weeks I have found it almost impossible to visit these sites without finding that my exit node belongs to the family you cited.

The worst case scenario is this family has been hijacked (without the operators' knowledge) or coerced (without their being permitted to say so) into cooperating with a Carnegie Mellon SEI type attack on Tor users visiting news media sites and social networking sites or other popular sites such as youtube.com (the USG is currently obsessed with alleged RU and ISIL propaganda there). A less dire possibility is that the family has somehow in effect been "hired" by a company such as Looking Glass Cyber Solutions Inc to act as the only family of exit nodes which is accepted by the ubiquitous "content delivery" censors/watchers.

A further concern is that this family appears to be tied to Zwiebelfreunde (the two families, "nifty" and Zwiebelfreunde, share some IP addresses), which has been considered on our side from the beginning, but which was unfortunately raided by "the authorities" some years ago. This event underscores a legitimate concern about very large families of high bandwidth Tor nodes--- it appears to be not impossible, in principle, that "offers not to be refused" from powerful state-sponsored adversaries of the Tor community might focus on the small number of people who run large families. In principle, it's great that some courageous (and wealthy?) operators run large families, but the concern underscores the need for TP to constantly try to diversify nodes, especially exit nodes.

Further, it may be worth thinking about implementing a policy that entry nodes should not also act as exit nodes. Similarly, possibly exit nodes belonging to very high bandwidth families should not also be directory nodes. Possibly splitting up the critical functions would make the network less vulnerable to being co-opted by "the authorities", but there might be a tradeoff I do not understand against technical attacks by those same "authorities". If so, TP should think about the tradeoff rather than doing business as usual. IMO.

It sucks that COVID-19 has resulted in cancellation of conferences, but here is an opportunity for Tor Project people to use the time they had intended to use attending them in another way which is no less useful to the user base. It would be particularly useful to make available as a CSV file the current information formerly provided by the invaluable site torstatus.blutmagie.de.

> in recent weeks I have found it almost impossible to visit these sites without finding that my exit node belongs to the family you cited.

That, if thought of by itself, is not necessarily a sign of malice. Nodes do not choose your circuits. Your local tor daemon does using status information from redundant directory authorities. However, it's theoretically possible for any procedure of choosing nodes to be gamed by an APT (advanced persistent threat), wealthy global entity, etc. unless the procedure is robust enough to withstand it.

> The worst case scenario...
> A less dire possibility...

Don't forget network security researchers. Some may be employed by large entities, some research may be done for one-sided or malicious ends, but white-hats run nodes and probe Tor as well. Questions of filtering or censorship or preventative health measures or punishments agreed upon by its population, if thoughtful and not manipulated, often boil down to behavior and accessibility rather than identity. As you hinted, there probably were, are, and will be other operators and families.

> a CSV file the current information formerly provided by the invaluable site torstatus.blutmagie.de.

Much of the same information is provided in CSV or JSON by Metrics' services, sources such as Relay Search, and the Onionoo API. Along the top in the purple heading of the Metrics site are the following pages to name a few:

https://metrics.torproject.org/services.html
https://metrics.torproject.org/sources.html
https://metrics.torproject.org/research.html
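
Added example, not part of the original comment or of Tor Project code: a way to measure the "fraction of Tor traffic" question raised above from an Onionoo details document, by summing `exit_probability` per relay family. The sample document is constructed, and the function name is made up for this example; `flags`, `exit_probability` and `effective_family` are fields of Onionoo details documents.

```python
from collections import defaultdict

# Constructed sample shaped like an Onionoo "details" document. Nicknames,
# fingerprints and probabilities are made up for illustration.
FP_A, FP_B, FP_C, FP_D = ("A" * 40, "B" * 40, "C" * 40, "D" * 40)
SAMPLE_DETAILS = {"relays": [
    {"nickname": "exampleA", "fingerprint": FP_A, "flags": ["Exit", "Running"],
     "exit_probability": 0.04, "effective_family": ["$" + FP_B, "$" + FP_C]},
    {"nickname": "exampleB", "fingerprint": FP_B, "flags": ["Exit", "Running"],
     "exit_probability": 0.03, "effective_family": ["$" + FP_A, "$" + FP_C]},
    {"nickname": "exampleC", "fingerprint": FP_C, "flags": ["Guard", "Running"],
     "exit_probability": 0.0, "effective_family": ["$" + FP_A, "$" + FP_B]},
    {"nickname": "exampleD", "fingerprint": FP_D, "flags": ["Exit", "Running"],
     "exit_probability": 0.01},
]}


def exit_share_by_family(details):
    """Rank relay families by summed exit_probability (a fraction of 1.0)."""
    shares = defaultdict(float)
    for relay in details.get("relays", []):
        if "Exit" not in relay.get("flags", []):
            continue
        # A family is the relay itself plus its mutually declared members;
        # strip a leading "$" so both spellings of a fingerprint match.
        members = {relay["fingerprint"]}
        members |= {m.lstrip("$") for m in relay.get("effective_family", [])}
        shares[frozenset(members)] += relay.get("exit_probability", 0.0)
    ranked = [(sorted(fam), share) for fam, share in shares.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for members, share in exit_share_by_family(SAMPLE_DETAILS):
        print(f"{len(members)} relay(s): {share:.2%} of exit selection probability")
```

A details document saved from Onionoo and loaded with `json.load` has the same shape as `SAMPLE_DETAILS` and can be passed to the function directly.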

March 09, 2020

I am having an issue trying to see videos in Tor. I get "no video with supported format and mime type found". Is there a way to fix it?

https://blog.torproject.org/comment/286855#comment-286855

When I've gotten mime-type issues from videos, the video is embedded from a third-party domain. One method that works for me is to allow "media" for the third party and first party domains in NoScript and refresh the page. Another method may be to select Standard security level and refresh the page. If the site offers a fallback player for the video, try that next.