New Release: Tor Browser 9.0.7

Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.
This release features important security updates to Tor.
This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.
In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript as follows:
- Open about:config
- Search for: javascript.enabled
- The "Value" column should show "false"
- Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.
In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows adding per-site exceptions (whitelisting); however, adding per-site exceptions may increase a user's uniqueness while using Tor Browser. Also, when EASE mode is enabled, the whitelisting feature does not always work correctly. We decided against downgrading the included https-everywhere version.
The full changelog since Tor Browser 9.0.6 is:
- All Platforms
  - Bump NoScript to 11.0.19
  - Bump Https-Everywhere to 2020.3.16
  - Bug 33613: Disable Javascript on Safest security level
- Windows + OS X + Linux
  - Bump Tor to 0.4.2.7
Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.
I don't think uMatrix would solve that issue, but I am not sure.
However we have already been looking at uMatrix:
https://trac.torproject.org/projects/tor/ticket/30570#comment:16
Interestingly, this ticket mentions that uMatrix is undesirable because it doesn't block WebGL as NoScript does. Well, by default NoScript also allows WebGL as soon as you allow scripts from a certain site (Trusted zone in NoScript).
IMHO, the NoScript config that ships in TorBrowser must not enable WebGL by default for all NoScript Trusted sites. Make that setting controlled by Security Level, etc.
When will Snowflake become available in the stable Tor browser?
Then why is the 9.0.6 version still on your download page?
hope you will fix this asap, thanks
Javascript does not work, I'm in the safest mode
Yes, Javascript is supposed to not work in Safest mode.
https://tb-manual.torproject.org/security-settings/
Thanks for the javascript workaround, allowing us to tweak javascript permissions on a per-site basis whilst staying on the safest mode. It was driving me nuts!
That was never a good idea in the first place. Changing any per-site settings, or any settings besides the security level, gives your browser a unique fingerprint.
But the "security level" easement allows ALL spying and 3rd-party scripts as well. Isn't it a bigger problem?
Do you want to be slightly fingerprinted or completely profiled? Your choice.
For comparison, Tails adds to TorBrowser an add-on to disable the known bad scripts - uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.
> Isn't it a bigger problem? Do you want to be slightly fingerprinted or completely profiled?
Yes, it is a bigger problem for a community using Tor Browser because a unique fingerprint makes you stand out immediately from other Tor Browser users, but allowing scripts makes you stand out slower from the community unless you volunteer personal information to the site. Scripts and site content are restricted as well by cross-origin settings, first-party isolation, and so on. Tor Browser also resets to default configuration whenever you open it or click New Identity. The important word there is "identity".
https://support.torproject.org/tbb/tbb-34/
https://2019.www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
https://2019.www.torproject.org/projects/torbrowser/design/
> uBlock Origin. And since it's included for all users, the fingerprinting is not an issue.
uBlock depends on lists of filters managed by third parties beyond the developers of uBlock. Some blacklist filters break specific sites, so third parties started managing whitelist filters to patch the sites broken by blocking filters. Additionally, while ad servers can be malicious and measures are taken by Tor Browser to reduce fingerprinting, an outright ad blocker would give site owners yet another reason to want to block all Tor users.
https://support.torproject.org/faq/faq-3/
You have written news on a blog, but the Tor Browser distributions are not available for download.
The download links on the website have been fixed.
They haven't been fixed on GitHub:
https://github.com/TheTorProject/gettorbrowser/releases
And the link to GitLab here (https://github.com/TheTorProject/gettorbrowser) is a broken link.
But Half Life Alyx has just come out, so... does Tor work with VR?
Tor has higher latency by design to defend against traffic analysis. Tor is not designed for real-time multi-player games or high-resolution livestreaming. If you can proxy it, Tor can work with it up to a point. It may not work if it wants your location for DRM or geofencing, reacts sensitively for anti-cheating, or otherwise decides to block Tor. Multi-player real-time games may nonetheless suffer from response times higher than sufficient to play comfortably. In contrast, turn-based games are less sensitive to latency. Single-player games whose assets are loaded completely from your machine should not be affected by network latency while playing.
NoScript is broken here in Linux - can't switch it on for single sites - so those sites won't function anymore - either I go back to the former version or I remove NoScript altogether.
What do you recommend?
Have you tried shield icon -> Advanced security settings -> Standard security level?
https://tb-manual.torproject.org/security-settings/
Have you set javascript.enabled to true as described in the blog post?
A long time ago the Tor team pulled out two very useful options to turn on and off images and javascript. They replaced this with the Security Level system.
In my mind, it was deceitful to claim "JavaScript is disabled by default on all sites" with the "safest" setting when in fact javascript was not disabled in-browser, but only through a third-party plugin. This third-party plugin turned out to be faulty, making the "safest" setting UNSAFE.
This is completely unacceptable behavior and messaging from a security product.
Now we are all reaping the rewards of the Tor team's bad decision to hide the options to turn off images and javascript. Now, instead of having an option ready at hand, as we used to, the general user either has to hack into the about:config or wait for a browser update.
Why was the javascript button removed? It was because the Tor team subscribed to a STUPID IDEOLOGY OF USABILITY that focused on the supposed needs of the LOWEST IQ user. And yet it is precisely these people who were let down the most by this critical bug. The Tor team decided that this group of users were too stupid, too confused to be offered a simple global browser-level javascript on-off option.
Who is looking stupid now? The Tor team.
In addition to the Security Level system already in place, which works for most users most of the time, the Tor team MUST implement a more sophisticated security panel that offers choices, minimally the ability to turn on and off images, HTML5 multimedia, and javascript. If you want to hide it behind a warning, fine. But it needs to be there. We have just witnessed what happens when you take basic options away from users.
I don't know which javascript button you are talking about.
Before the security slider was added, the disabling of javascript was done with noscript.
It was Mozilla who did that. Tor Browser is built upon Firefox and whatever is the latest incarnation of it.
There is so much garbage spy behavior built into default Firefox now, that it takes a while to clear it all out (telemetry, studies, reporting, broadcast location, social, etc). Tor continues to remove all of that nonsense as it should. If you've ever taken the time to read the default Firefox privacy policy lately, it reads like an Orwellian nightmare. Still, it's the best platform available to build Tor on right now due to the license, etc.
The NoScript plugin was popularized as an answer to counter Mozilla's unwillingness to allow users to disable their js manually, I recall this happened a long while ago.
The dumbing down of options is to bring aboard more average users, which is good for overall anonymity.
https://2019.www.torproject.org/docs/faq.html.en#DisableJS
"Alas, Mozilla decided to get rid of the config checkbox for JavaScript from earlier Firefox versions."
Dear boklm,
Does the parameter ExcludeNodes {cc} give my browser a unique fingerprint?
This can make the behavior of your tor client recognizable, so could be used as a fingerprinting vector.
More of a fingerprint than if Javascript is running accidentally?
Any chance to add an option to blacklist some countries for the circuit?
I would like to blacklist the USA and UK because of their mass surveillance policies, which make me not trust them even a bit when it comes to privacy and security.
Thanks!
We are not planning to add an option for this as this is not a good idea:
https://support.torproject.org/tbb/tbb-16/
Caveat: it can decrease your anonymity, make you more vulnerable to malicious servers and increase your fingerprint. However, it is very useful for testing and for specific instances, for instance when you want to access georestricted resources whilst staying on the tor network:
1. To apply these changes to the tor browser, edit the file: tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc
(NB: to apply the settings to the tor binary in your system, you need to edit: /etc/tor/torrc)
2. To specify the entry node, add to the end of the file the following line:
EntryNodes {**}
(where {**} is the country code; you can also add a server's fingerprint)
3. To specify an exit node, add:
ExitNodes {**}
- To exclude a country as an exit node:
ExcludeExitNodes {us}
- To exclude a country as any kind of node:
ExcludeNodes {us}
Once again, you probably don't want to mess with these settings for your everyday browsing, just for testing or ad hoc scenarios.
torrc-file :
DataDirectory ...
EntryNodes yourchoice1,yourchoice2
ExcludeNodes badnode1,{us},{cn},{??}
ExcludeExitNodes badnode2,{??}
GeoIPFile ...
GeoIPv6File ...
ExcludeNodes {US},{UK}
The tor client tries to treat every exit node with equal distrust. I don't see your point. Furthermore, after your traffic exits Tor and is handed to the plain old internet's routing system to pass it along to wherever the destination server is located, there still are...
https://en.wikipedia.org/wiki/Five_Eyes
https://en.wikipedia.org/wiki/Submarine_communications_cable#Intelligen…
https://www.submarinecablemap.com/
https://en.wikipedia.org/wiki/GCHQ_Bude#Cable_interception
https://en.wikipedia.org/wiki/Hawaii_Cryptologic_Center
https://en.wikipedia.org/wiki/Content_delivery_network#Technology
https://en.wikipedia.org/wiki/Content_delivery_network_interconnection#…
https://2019.www.torproject.org/docs/faq.html.en#ChooseEntryExit
https://2019.www.torproject.org/docs/faq.html.en#ChoosePathCountries
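A check for the torrc settings discussed in this sub-thread, added here as an example (it is not code from the Tor Project or from any commenter): it lists every active torrc line that overrides tor's default path selection, the behavior the replies above say can make a client recognizable. The function names, the sample torrc and the lenient acceptance of the singular option spellings are assumptions of this example.

```python
import re

# Path-selection options named in the comments above (lower-cased for matching).
PATH_OPTIONS = {"entrynodes", "exitnodes", "excludenodes", "excludeexitnodes"}
# A country entry is two characters in braces; {??} appears in a torrc above.
COUNTRY = re.compile(r"^\{([a-z?]{2})\}$", re.IGNORECASE)

# Constructed sample, modelled on the torrc fragments quoted in the comments.
SAMPLE_TORRC = """\
DataDirectory /var/lib/tor
EntryNode {de}
ExcludeNodes badnode1,{us},{cn},{??}
excludeexitnodes badnode2, {US}   # inline comment
#ExitNodes {fr}
"""


def audit_torrc(text):
    """Return one finding per active line that overrides default path selection."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        option = fields[0].lower()
        if not option.endswith("s"):          # assumption: also catch singular spellings
            option += "s"
        if option not in PATH_OPTIONS:
            continue
        countries, relays = [], []
        for item in (fields[1] if len(fields) > 1 else "").split(","):
            item = item.strip()
            match = COUNTRY.match(item)
            if match:
                countries.append(match.group(1).lower())
            elif item:                        # nickname or relay fingerprint
                relays.append(item)
        findings.append({"line": line_no, "option": option,
                         "countries": countries, "relays": relays})
    return findings


def differs_from_default(text):
    """True when any path-selection override is active in the torrc text."""
    return bool(audit_torrc(text))


if __name__ == "__main__":
    print(*audit_torrc(SAMPLE_TORRC), sep="\n")
```
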
Tor Browser 9.0.7 for Android doesn't work on a Samsung Galaxy S2 (i9100) with Android 4.1.2
+1
Hi,
I have HTTPS everywhere updating itself. Is it safe to let it do so, as so far I have only trusted updates from TOR and no one else.
Dear Tor admins, you get many questions about NoScript and HTTPS Everywhere updating by themselves. Please add their questions to the support FAQ.
I’m brand new to tor. Non tech savvy, basically tech illiterate, just want my privacy from big brother and ad folks. I’d also like to know how to text in privacy but I’ll get to that. I use an iPhone and a surface pro 7. Any suggestions on setting up would be appreciated
Did you have a question?
About Tor, the first set of bullets here answers it well:
https://blog.torproject.org/comment/286754#comment-286754
SMS texting is associated to your account and phone number with your mobile carrier. SMS traffic is managed by your mobile carrier, is not private, and cannot be proxied to work with Tor or VPN which go through internet. Look into messengers that are encrypted end-to-end, that try to reduce metadata leaks, and can be used on wifi. Look into Signal, Tox, Wire, FireChat, as well as CoyIM, Mastodon, and Pleroma. Develop a threat model. Decide who to trust, and learn to torify applications.
Your Surface Pro should support most desktop programs, but Microsoft has a long history of invading privacy, particularly in partnership with governments. Apple hardware, iOS, and its App Store are black boxes obscured from security auditors and developers by proprietary licenses and non-disclosure agreements. All companies right now push for vendor lock-in and dependence in their spheres of influence. Tor Browser is available on phones with Android only, but Android has had more malware historically than iOS.
Hello,
was downloading from dist.torproject.org with TBB9.0.6 and the browser has FIXED the encryption at (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS1.3).
Setting in security.ssl3.* doesn't matter.
What's the reason for this?
Downgrading http-everywhere…
Why not in changelog?
The 9.0.7 does not include any change for this, so it was not included in the ChangeLog. The new Tor Browser version includes the newer version of https-everywhere and that was absent from the ChangeLog. It is now included. A comment about the bug in https-everywhere's EASE mode is now included in the blog post, as well.
Are there any plans for an Arm version? I would love to run Tor Browser on a Pinebook.
We have this ticket open:
https://trac.torproject.org/projects/tor/ticket/12631
As of this date NoScript is still periodically crashing or switching off my temporary resettings
Reinstall.
Thanks for the update just to let you know the embedded PDF reader pdf.js does not work anymore in safest mode because of the JS engine being disabled.
It would be useful to at least serve a fallback message "download PDF" (the pdf.js button for downloading does not work with JS disabled)
Thanks for the report, I opened a ticket for this:
https://trac.torproject.org/projects/tor/ticket/33721
The button for blocking the HTML5 fingerprint has disappeared (I hope I expressed that correctly and you understood me). Now it is impossible to block HTML5 fingerprint injection from all the sites that try to do it.
I'm sorry, I do not understand. Are you referring to the "canvas" permission?