New Release: Tor Browser 9.0.7

Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Tor.

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.

In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:

  • Open about:config
  • Search for: javascript.enabled
  • The "Value" column should show "false"
  • Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.
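An added example, not Tor Project code: a small audit of a profile's prefs.js that reports whether a profile on Safest still has javascript.enabled set to false or has had the previous behavior restored. The pref name extensions.torbutton.security_slider (with 1 meaning Safest) and the rule that prefs.js omits prefs left at their built-in default are assumptions of this example; the sample profiles are constructed.

```python
import re

# Matches one line of a Firefox-style prefs.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumption: pref name Tor Browser 9.x uses for the security level (1 = Safest).
SLIDER_PREF = "extensions.torbutton.security_slider"
SAFEST = 1


def parse_prefs(text):
    """Return {name: value} for every user_pref line; values become bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit_safest_js(text):
    """Classify a profile against the 9.0.7 behaviour described in the post."""
    prefs = parse_prefs(text)
    if prefs.get(SLIDER_PREF) != SAFEST:
        return "not-safest"
    # Assumption: prefs.js only records values that differ from the built-in
    # default (true), so a missing javascript.enabled entry means enabled.
    if prefs.get("javascript.enabled", True):
        return "safest-js-reenabled"
    return "safest-js-disabled"


# Constructed sample profiles, not taken from a real installation.
SAMPLE_DEFAULT_907 = '''// Mozilla User Preferences
user_pref("extensions.torbutton.security_slider", 1);
user_pref("javascript.enabled", false);
'''
SAMPLE_RESTORED = 'user_pref("extensions.torbutton.security_slider", 1);\n'
SAMPLE_STANDARD = 'user_pref("extensions.torbutton.security_slider", 4);\n'

if __name__ == "__main__":
    for label, sample in [("9.0.7 default", SAMPLE_DEFAULT_907),
                          ("JS restored", SAMPLE_RESTORED),
                          ("Standard", SAMPLE_STANDARD)]:
        print(label, "->", audit_safest_js(sample))
```
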

In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows adding per-site exceptions (whitelisting); however, adding per-site exceptions may increase a user's uniqueness while using Tor Browser. In addition, when EASE mode is enabled, the whitelisting feature does not always work correctly. We decided against downgrading the included HTTPS-Everywhere version.

The full changelog since Tor Browser 9.0.6 is:

  • All Platforms
    • Bump NoScript to 11.0.19
    • Bump Https-Everywhere to 2020.3.16
    • Bug 33613: Disable Javascript on Safest security level
  • Windows + OS X + Linux
    • Bump Tor to 0.4.2.7

 

Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.

Anonymous

March 23, 2020

Permalink

Oh yeah, one more thing, the search suggestions are showing up in address bar when you type the website, even if you don't have that option enabled.

"Search suggestions" are those queried from web-based "search engines" and are disabled by default in Tor Browser. The address bar in Firefox autocompletes what you type based on your recent history, tabs, and bookmarks saved in the browser on your device, locally. (Tor Browser is based on Firefox ESR.)

https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox

Anonymous

March 23, 2020

Permalink

Hello! Updating Tor Browser for android-9.0.6-arm7 to Tor Browser for android-9.0.7-arm7 is not possible for unknown reasons! The Android device refuses to update. The new version of Tor Browser for android 9.0.7 is not installed. Why?

You should check the Cryptographic Signatures of your Apks.
It is possible that the 9.0.6 or 9.0.7 apk is not the official one, it is modified.
If you have downloaded both of the apks from official resources (PlayStore, F-droid, torproject.org) it is not likely they have been modified by the developers-market admins.
In that case you should search for malware or someone did a MiTM attack against you.

Also mention that if you have downloaded Tor Browser from PlayStore and then tried to update it from F-droid, or reverse, it is not possible to do that. Maybe the same applies with torproject.org and playstore. It has to update if you do the same with F-droid and torproject.org

Anonymous

March 23, 2020

Permalink

> Tor Browser 9.0.7 is now available from the Tor Browser download page

Download links haven't updated and still pointed to the version 9.0.6.

Anonymous

March 23, 2020

Permalink

Why do you seriously mention you ship NoScript v.11.0.19 here, but the NoScript developer turns around to upgrade it in TBB to v.11.0.22, and suppose no one really checks what that changes, and a ticket to prevent this hijacking possibility exists, and nobody cares?

Anonymous

March 24, 2020

Permalink

I take this update to mean NoScript allowed Javascript to be executed despite it being configured to not do so via a Firefox vulnerability? And the fix is to disable Javascript via about:config? If users restore previous behavior, does that mean they are vulnerable?

Noscript includes some workarounds for the Firefox ESR bug that should prevent that from happening, but we don't know for sure if that is enough, so for safety we disabled javascript completely. If users restore the previous behavior, that does not automatically mean they are vulnerable, but we don't know for sure.

Another option is to switch the security level before visiting a website where you want to enable javascript. But you should remember that it applies to all open tabs, and switch it back to Safest before visiting other websites.

> But you should remember that that it applies to all open tabs, and switch it back to Safest before visiting other websites.

If a background tab on Safest has <meta http-equiv="refresh" content="5"> and I drop my active tab to Safer, does the background tab begin refreshing? Tor Browser's defaults for accessibility.blockautorefresh and browser.meta_refresh_when_inactive.disabled are false.

Normally, you look at your security level setting.
https://tb-manual.torproject.org/it/security-settings/

But the blog post explains that the developers have implemented precautions to prevent NoScript from handling scripts in "Safest" mode because of a bug in NoScript. The precautionary setting can be seen by:

  • Open about:config
  • Search for: javascript.enabled. This is now false in "Safest" mode until the bug is fixed.

Anonymous

March 24, 2020

Permalink

Have you fixed the problem with NoScript? For a long time it has been suddenly, for no reason, cancelling settings for individual tabs and reverting to "safest"

This is a NoScript problem, I believe it happens in my non-Tor Firefox browser as well.

My use case is having a Protonmail inbox tab open at all times. Tor security = safest, "Temp TRUSTED" turned on for the Protonmail JS. Every so often (haven't figured out what kind of interval, sometimes seems to be after hours of use sometimes seems to be in under an hour), Protonmail will get a "cannot connect to server" message. The Noscript button will now show the JS permission for the page as "Default" instead of "Temp Trusted".

Hot tip for others with this problem: I can make the JS in the tab work again without reloading (and thus avoid having to log in again) by opening a new tab with Protonmail, enabling JS, and closing it.

PS Thanks for detailing why changing the JS trust permissions using the Noscript button doesn't work this update! I was a little >:( for a minute until I saw it was working as expected.

Then remember to clear your clipboard when you close the Tor browser as the below was copied from my clipboard (after I closed the Tor browser).. "A persons information should beprivate"

*It's about time that Tor cleared the clipboard after exit as the above could have been a Journalist's whole sensitive email, then heads can roll*

> It's about time that Tor cleared the clipboard after exit

Long ago, it did in Windows because it inherited something from Firefox.

What if your clipboard is something you did not copy from Tor Browser? I clear the clipboard myself by copying nonsense. This way, I control when it is cleared and verify it is cleared. I paste into a plain text editor like Notepad or into Tor Browser address bar before I close it. Make sure the plain text editor does not automatically save backups, and make sure not to press Enter in address bar.

https://trac.torproject.org/projects/tor/query?status=accepted&status=a…

https://blog.torproject.org/comment/189604#comment-189604

Running this command seems to be working fine

C:\Windows\System32\cmd.exe /c echo. | clip

Thanks.

Is there one for Android? As Android seems to save something like the last ten things that you copy.

I suppose my concern is if everything that is copied while using Tor gets copied to a program that is outside of Tor then can it just be accessed and collected each time that something is copied?
If so then it makes me think that nothing should be copied while using Tor.

Long ago, it did in Windows because it inherited something from Firefox.

Ah!, that's probably why I was shocked to find out that it was doing this when I tested it recently, as I'm sure that I would have tested it in the past.

Lesson learned "take nothing for granted" things can change.

Good advice and thanks for the links.

My concern is that this is not commonly known by users and I really don't think that users would expect things to be copied by default outside of a browser designed for privacy.

Even if known about just forgetting to clear the clipboard once might not be good.

Hopefully Journalists wouldn't even use Android or Windows : )

*spooky* "sorry there was an error blah, blah, message not posted".

So I had to copy my entire message from the error page then post it out of the clipboard, great! haha o_0

Anonymous

March 24, 2020

Permalink

This update breaks Tor, at least in win64, with the following startup error:

The procedure entry point RSA_get0_d could not be located in the dynamic link library C:\Users\MyUser\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe

Anonymous

March 24, 2020

Permalink

I understand the precaution with disabling JavaScript entirely. I just want to ask whether uMatrix is affected by this Firefox ESR vuln as well? If not, wouldn't it be preferable to simply replace NoScript with uMatrix instead of disabling JavaScript entirely?
